Analysis
max time kernel: 148s
max time network: 155s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 22:54
Behavioral task
behavioral1
Sample
JaffaCakes118_5876aba5e9c60fa1a356c1663808c5cc08559f1f227f8bb63943e8d6bf558a53.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_5876aba5e9c60fa1a356c1663808c5cc08559f1f227f8bb63943e8d6bf558a53.exe
Resource
win10v2004-20241007-en
General
Target: JaffaCakes118_5876aba5e9c60fa1a356c1663808c5cc08559f1f227f8bb63943e8d6bf558a53.exe
Size: 1.3MB
MD5: f3446523af2a49e5621b1a06770918ca
SHA1: f6ddbdd63d112210ee5862d100ae43ed2dfc5a22
SHA256: 5876aba5e9c60fa1a356c1663808c5cc08559f1f227f8bb63943e8d6bf558a53
SHA512: 9e6cbc5de8863a8823c16166ae49f229168c1ba65e429addb6b629c58721aaf34ae3a1343724b7bab7d83856f6f2f92e9e7a17009d9c2c29d6c91dfcb5d36574
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Executes dropped EXE 13 IoCs
pid Process
2108 DllCommonsvc.exe
964 taskhost.exe
2796 taskhost.exe
2136 taskhost.exe
1960 taskhost.exe
1740 taskhost.exe
340 taskhost.exe
2884 taskhost.exe
1772 taskhost.exe
2804 taskhost.exe
1852 taskhost.exe
944 taskhost.exe
2716 taskhost.exe
Loads dropped DLL 2 IoCs
pid Process
2568 cmd.exe
2568 cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow ioc
32 raw.githubusercontent.com
35 raw.githubusercontent.com
39 raw.githubusercontent.com
12 raw.githubusercontent.com
23 raw.githubusercontent.com
26 raw.githubusercontent.com
29 raw.githubusercontent.com
19 raw.githubusercontent.com
4 raw.githubusercontent.com
5 raw.githubusercontent.com
9 raw.githubusercontent.com
16 raw.githubusercontent.com
Drops file in Program Files directory 11 IoCs
description ioc Process
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe DllCommonsvc.exe
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe DllCommonsvc.exe
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\886983d96e3d3e DllCommonsvc.exe
File created C:\Program Files (x86)\Google\Update\Offline\sppsvc.exe DllCommonsvc.exe
File created C:\Program Files\Mozilla Firefox\System.exe DllCommonsvc.exe
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\69ddcba757bf72 DllCommonsvc.exe
File created C:\Program Files\Microsoft Office\Office14\1033\lsass.exe DllCommonsvc.exe
File created C:\Program Files\Microsoft Office\Office14\1033\6203df4a6bafc7 DllCommonsvc.exe
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\csrss.exe DllCommonsvc.exe
File created C:\Program Files (x86)\Google\Update\Offline\0a1fd5f707cd16 DllCommonsvc.exe
File created C:\Program Files\Mozilla Firefox\27d1bcfc3c54e0 DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_5876aba5e9c60fa1a356c1663808c5cc08559f1f227f8bb63943e8d6bf558a53.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 32 IoCs
Suspicious use of AdjustPrivilegeToken 28 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
depth 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5876aba5e9c60fa1a356c1663808c5cc08559f1f227f8bb63943e8d6bf558a53.exe
command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5876aba5e9c60fa1a356c1663808c5cc08559f1f227f8bb63943e8d6bf558a53.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2900

depth 2: C:\Windows\SysWOW64\WScript.exe
command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2300

depth 3: C:\Windows\SysWOW64\cmd.exe
command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2568

depth 4: C:\providercommon\DllCommonsvc.exe
command line: "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2108

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1276
depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3004

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\lsass.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2064

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1116

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 744

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\services.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1528

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1012
depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2276

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\explorer.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 552

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1600

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 480

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\sppsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 272

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1684

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\Offline\sppsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2980

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\System.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2120
depth 5: C:\providercommon\taskhost.exe
command line: "C:\providercommon\taskhost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 964

depth 6: C:\Windows\System32\cmd.exe
command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat"
- Suspicious use of WriteProcessMemory
PID: 1984

depth 7: C:\Windows\system32\w32tm.exe
command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1636

depth 7: C:\providercommon\taskhost.exe
command line: "C:\providercommon\taskhost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2796

depth 8: C:\Windows\System32\cmd.exe
command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat"
PID: 3056

depth 9: C:\Windows\system32\w32tm.exe
command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2008

depth 9: C:\providercommon\taskhost.exe
command line: "C:\providercommon\taskhost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2136

depth 10: C:\Windows\System32\cmd.exe
command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat"
PID: 1728

depth 11: C:\Windows\system32\w32tm.exe
command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2788

depth 11: C:\providercommon\taskhost.exe
command line: "C:\providercommon\taskhost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1960

depth 12: C:\Windows\System32\cmd.exe
command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HHf3c4kdaf.bat"
PID: 2080

depth 13: C:\Windows\system32\w32tm.exe
command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 832
depth 13: C:\providercommon\taskhost.exe
command line: "C:\providercommon\taskhost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1740

depth 14: C:\Windows\System32\cmd.exe
command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat"
PID: 1836

depth 15: C:\Windows\system32\w32tm.exe
command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1604

depth 15: C:\providercommon\taskhost.exe
command line: "C:\providercommon\taskhost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 340

depth 16: C:\Windows\System32\cmd.exe
command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gQkyN2upze.bat"
PID: 2492

depth 17: C:\Windows\system32\w32tm.exe
command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1944

depth 17: C:\providercommon\taskhost.exe
command line: "C:\providercommon\taskhost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2884

depth 18: C:\Windows\System32\cmd.exe
command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat"
PID: 2652

depth 19: C:\Windows\system32\w32tm.exe
command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1744
depth 19: C:\providercommon\taskhost.exe
command line: "C:\providercommon\taskhost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1772

depth 20: C:\Windows\System32\cmd.exe
command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kKaF7FiTK0.bat"
PID: 1524

depth 21: C:\Windows\system32\w32tm.exe
command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1988

depth 21: C:\providercommon\taskhost.exe
command line: "C:\providercommon\taskhost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2804

depth 22: C:\Windows\System32\cmd.exe
command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X8VSEkwS9E.bat"
PID: 1304

depth 23: C:\Windows\system32\w32tm.exe
command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2184

depth 23: C:\providercommon\taskhost.exe
command line: "C:\providercommon\taskhost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1852

depth 24: C:\Windows\System32\cmd.exe
command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qtVTp5BaF9.bat"
PID: 2660

depth 25: C:\Windows\system32\w32tm.exe
command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1956

depth 25: C:\providercommon\taskhost.exe
command line: "C:\providercommon\taskhost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 944

depth 26: C:\Windows\System32\cmd.exe
command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3npectBbsF.bat"
PID: 752

depth 27: C:\Windows\system32\w32tm.exe
command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1288

depth 27: C:\providercommon\taskhost.exe
command line: "C:\providercommon\taskhost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2716
depth 1: C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2624

depth 1: C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1320

depth 1: C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2708

depth 1: C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2816

depth 1: C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2608

depth 1: C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2492

depth 1: C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2728

depth 1: C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2660

depth 1: C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2620

depth 1: C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2280
depth 1: C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2496

depth 1: C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2560

depth 1: C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2192

depth 1: C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2240

depth 1: C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1876

depth 1: C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\providercommon\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 776

depth 1: C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2024

depth 1: C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2384

depth 1: C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2412

depth 1: C:\Windows\system32\schtasks.exe
command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 344
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Default\NetHood\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\NetHood\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Default\NetHood\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Update\Offline\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Offline\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\Offline\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896
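The task list above is the sample's whole persistence scheme: copies of the payload named after Windows processes (csrss.exe, services.exe, spoolsv.exe, sppsvc.exe, taskhost.exe, explorer.exe, System.exe) are dropped outside C:\Windows, and each copy is registered three times with schtasks.exe: one ONLOGON task at /rl HIGHEST, plus two minute-granularity repeat tasks whose name is the binary name with its own first letter appended (servicess, taskhostt, csrssc, explorere, spoolsvs, sppsvcs, SystemS, DllCommonsvcD). The Python below is an added detection example, not part of this report or of any sandbox's tooling. It parses `schtasks /create` command lines as a Sysmon Event ID 1 or Security Event ID 4688 pipeline would see them and scores those signals. The list of impersonated binary names, the 15-minute repeat threshold and the scoring weights are assumptions chosen to fit this report; the first four sample lines are copied from the list above, the last two are constructed benign entries for contrast.

```python
"""
Added example: score `schtasks.exe /create` command lines for the persistence
pattern in the process list above (Windows-binary names dropped outside
C:\Windows, task name = binary name + its first letter, /rl HIGHEST,
minute-granularity repeat triggers). Thresholds and weights are assumptions.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Legitimate Windows binary names this sample borrows. Assumption: a task whose
# action carries one of these names but does not live under C:\Windows is
# masquerading. The check is on the Windows directory rather than System32 only,
# because explorer.exe legitimately lives in C:\Windows itself.
SYSTEM_BINARY_NAMES = {
    "csrss.exe", "services.exe", "spoolsv.exe", "sppsvc.exe", "taskhost.exe",
    "explorer.exe", "system.exe", "lsass.exe", "svchost.exe", "winlogon.exe",
    "wininit.exe", "dwm.exe", "smss.exe",
}
WINDOWS_DIR = "c:\\windows\\"
MAX_REPEAT_MINUTES = 15   # /sc MINUTE /mo N at or below this reads as a beacon trigger
FLAG_THRESHOLD = 3        # total score at which a task creation is worth an alert

# One schtasks switch and its optional value. A value is either a double-quoted
# string (which may wrap a single-quoted path, exactly as in the report) or a
# bare token that does not start with '/', so value-less switches such as
# /create and /f do not swallow the switch that follows them.
ARG_RE = re.compile(r'/(?P<key>[A-Za-z]+)(?:\s+(?P<val>"[^"]*"|[^/\s]\S*))?')


@dataclass
class TaskCreate:
    name: str                # /tn
    schedule: str            # /sc: ONLOGON, MINUTE, DAILY, ...
    modifier: Optional[int]  # /mo N, if present
    action: str              # /tr with surrounding " and ' stripped
    run_level: str           # LIMITED unless /rl HIGHEST


def parse_schtasks_create(cmdline: str) -> Optional[TaskCreate]:
    """Parse a `schtasks /create` command line; return None for any other invocation."""
    args = {}
    for m in ARG_RE.finditer(cmdline):
        val = m.group("val")
        args[m.group("key").lower()] = None if val is None else val.strip('"').strip("'")
    if "create" not in args:
        return None
    mo = args.get("mo")
    return TaskCreate(
        name=args.get("tn") or "",
        schedule=(args.get("sc") or "").upper(),
        modifier=int(mo) if mo and mo.isdigit() else None,
        action=args.get("tr") or "",
        run_level=(args.get("rl") or "LIMITED").upper(),
    )


def assess(task: TaskCreate) -> Tuple[int, List[str]]:
    """Score one task creation and explain each point; FLAG_THRESHOLD or more is an alert."""
    score, reasons = 0, []
    p = PureWindowsPath(task.action)
    exe, stem = p.name.lower(), p.stem.lower()
    if exe in SYSTEM_BINARY_NAMES and not task.action.lower().startswith(WINDOWS_DIR):
        score += 3
        reasons.append(f"{exe} impersonates a Windows binary but runs from {p.parent}")
    tn = task.name.lower()
    if stem and tn == stem + stem[0]:       # the servicess / taskhostt / csrssc naming seen above
        score += 2
        reasons.append(f"task name {task.name!r} is the binary name with its first letter appended")
    elif stem and tn == stem:
        score += 1
        reasons.append(f"task name {task.name!r} equals the binary name")
    if task.run_level == "HIGHEST":
        score += 1
        reasons.append("runs with /rl HIGHEST")
    if task.schedule == "MINUTE" and task.modifier is not None and task.modifier <= MAX_REPEAT_MINUTES:
        score += 1
        reasons.append(f"re-runs every {task.modifier} minute(s)")
    return score, reasons


def triage(cmdlines: List[str]) -> List[Tuple[str, int, bool, List[str]]]:
    """Return (task name, score, flagged, reasons) for every /create line, in input order."""
    out = []
    for line in cmdlines:
        task = parse_schtasks_create(line)
        if task is None:
            continue
        score, reasons = assess(task)
        out.append((task.name, score, score >= FLAG_THRESHOLD, reasons))
    return out


# Sample input (constructed for this example): lines 1-4 are copied from the
# process list above; lines 5-6 are made-up benign entries for contrast.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\services.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\System.exe'" /f''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr C:\Tools\backup.exe /rl HIGHEST /f''',
    r'''schtasks.exe /query /tn "NightlyBackup"''',
]

if __name__ == "__main__":
    for name, score, flagged, reasons in triage(SAMPLE_CMDLINES):
        print(f"{'ALERT' if flagged else 'ok   '} {name:14} score={score}  " + "; ".join(reasons))
```

Run stand-alone it prints one line per task creation; the four lines taken from this report score 4 to 6 and are flagged, the constructed backup task scores 1 for its HIGHEST run level alone and is not, and the /query line is ignored. The weights are deliberately conservative: neither /rl HIGHEST nor a short repeat interval flags a task on its own, so legitimate updaters do not trip it, while a Windows-process name outside C:\Windows is enough by itself.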
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 fde1bc7472c8af568a31a180e3f26f8d
SHA1 9bb287e03e0b70a7c1d8765e9e17e4e6c51a0163
SHA256 e3bb2775262c3681fb91056f4ef82f460cc07a43ba2c026a9051d5e58b1bad09
SHA512 93733e0d13ccd0134e1742051ed88bbb042a680ee40c1e0680eea30ad43160d68fc847360d9f9290e7686a98975b11c75fd425cdece697fa31126f588608e4fa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 4ebc62374ee4606314a89f472dd603db
SHA1 a2b772d3402a5e1e8f208897ed0393417c6885fc
SHA256 df578e74b5a0d973765fc0ce6fba39e103b9085735b3c168ef37a939ebf83f01
SHA512 5591174ccf948d90498226a5110bfa0b05aba57d117ee0903c7a0823f895778f6c6e4587aa087ba24600df5632a33ccdbcb8b29e858ec27abdca593e5cf18a14
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 50abc29b6623409a13beffd12a0ec034
SHA1 72e4002ae472437882da13e39a072c824fa6eb4e
SHA256 d4812d37ee95334413fb5e5c7cc24597a35b1db64c3c13d814e3ef7123f5ca18
SHA512 7b9c1895ccc78cdb15d3edfe163f7419002c7a73d0a1d2a07f2ed8c281ca11ac57139e53862e87d916d1a4635675ab8e3e0d3ea204a15468e1a4fd6d3d5cbd86
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 7bc7588c085e386c6bb13d4cb13eeffe
SHA1 3875981396283f68cfb2cab909cb6429f6bdea40
SHA256 b239ffc8c179387d9da778e1929b4eff9fc8b01de04ed37aaa7a678b249298e6
SHA512 b738d4ed7f85b27c9b2e68a6931e01c68edb0f9b7eca93fe16300183c4d1d92aa0a8bb44478358daa35379a6cedefffcd8147d64caf81eaa910a296d144d73a8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 adc01c8729b0df5ed1cb03170d9726a9
SHA1 29a15c6ad8503fc41b2e110c16a75730395b1f0e
SHA256 85355fddcf75254ff49f80c2508376388665d7a256e1ae5603d4d0ed4dc0ea4e
SHA512 3223fef5163b83abb54e9fc5b3e8dfc43d57aa5dc68e862fbec3d546d2376ddc23f349e0b6ce58dab039055fe0a4e44364af8f77bd7a9014425cf37e1b277084
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 8a74f984d01f879664991d5a7d99c8cb
SHA1 bedf5e0c3ef68861e1caf0750bddf2e1ae92bf99
SHA256 2286f143d8f671219204ced959107e4f90a4f215a3b872a21f8d10f60d8ed41a
SHA512 99ba486237de7aa20ef392652f2100908e41370b47af599611ca345b103a8107f86e964e20ae528151580b7150911495ebfa4aa0a0fe7ef32ba0c43ec38544d7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 30174531d52c3b09101dad2c4aa19cd7
SHA1 637bc2fba02284c8838af2eb266615eee5d6e268
SHA256 b4cb9804dfcdaa9c1fb581c8b96c760724ba2ba83f081179715d49b14a011464
SHA512 cd93ad0cd0e116a3f9a2d8924f9af69ed06b64388571771624a5da368b9c4f2a30611ada8715a6ce3b862ccf1a2b828664ff3b7c865b4c8cfab75ad71f49947d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 1554e265694c585d28a5f93b188b1996
SHA1 228b9610366e227f57930ea318378de72fe376b7
SHA256 4764c0f9d6f0fcbd58ab9a4bf8506d90720910ce6da88ac9ad3145f7e5361ca5
SHA512 a675443fc3017a154ce6a526ed4a264150ac5afdf20a9e4fe62f43a9709986103eb98201f0e0b9bedcd057c562abef07166ad786a1982554ff10a393eaa223c7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 46017fcb1a51951ce6a93e44c6cca1ce
SHA1 5ba69ea3b27fa1e2a3feee2945aa57a33344cb46
SHA256 483e1a2a3f4ff2454c20be4a5c826d56de84f600d43e5520c273053b20273a63
SHA512 10472bd0c76dfdc4bb1ab0ee0bab1f218667724ba3897595d49c245c3565bb683abe050a5c5a04723250fc56f0c851d4f0369493e0eb9f2d4d6549a6f896dc78
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 3457a3de038520ab8e6a29e9f4ef5e5c
SHA1 deb6ad043464ca5da61666490081187f3115186c
SHA256 99b17547b5eef967da6893f3115abba2ff7905f34380c36c10180ac752d02acc
SHA512 658ea2648fd0e451a2a340061dae45d3a414f1196cb570b108b9de66715c3e3aec184b606381819c73aa2bfd388a06c401c0a8f909d8624a0afa495f60bce129
-
Filesize 195B
MD5 052736281b419900fddc217b6b0673dd
SHA1 b735b6c3c0b9c2ebf427a04bad11efe45901a4d8
SHA256 524fa20f1944e4806851e4cfc7cf6d2affa22db742790bc51e277ce79dcd96c1
SHA512 2978369de9c5512246b1d9f4c083377b2bf6e538c685308dd0299009249b627c589947d5a666405531155318cc5a3bf06e540e139ed1314f222bdcdd9f0c3e80
-
Filesize 195B
MD5 8a92c5528c181cc122f61ae6f590c068
SHA1 2e113289b5c10f769ce9cdf6fca4070881bc3cf4
SHA256 11e58533a98133124bb71ab2539ed7d9215a4d452b348d699a69c322f281343a
SHA512 15f5d3bcc3151edc5fd11878ed29e2e4d725dbe2d1c580ddfe928ce0f0b53787850277a2b15534421df66b3a7094743c45d0d68c4457f04528c1b2c585e446ad
-
Filesize 195B
MD5 97a510467b3e01a9c250c93f2f1f012b
SHA1 7605e23c333097fa6b7b7c0c7d2c1ccabc92b7b5
SHA256 fca246de1f93bcc4325d0290e01ee61c913e1b1c382ecea5d93ecf2c3838286e
SHA512 292202ce203b1579c3398206d95f4ad6e53f439e8656727601ff9d52d37a8852cffe5dcb13efea35366c228a0769c25ef722e5adc16a65eb0c9a4238d2998b9b
-
Filesize 195B
MD5 37fd270fd472f772e55679418d14d6d5
SHA1 3e1d85c598058b5f1b0547fcaa68974b6598b9b1
SHA256 64d13525a44a29b4233e8d9bfc4ff85832353788194684e80a1e7b5963e135fc
SHA512 ba64d6dd75b75651cb32fde2d9e13a5c2171a7850edcdededd3e3bb975b94c8c64818f69b71497f0a62fad5bb103de85abee5074682ed457436ddca293476aac
-
Filesize 195B
MD5 c4ab2162e245b357371dde590df7c2cb
SHA1 3a3a3593f197bd25700169bf4c83b9d2f1c7038c
SHA256 ceee8945353f6b7df946732e2da2beb1d86895a8943a25ea1924f7c3c91f7305
SHA512 a456e0c356ccb88698c322160bc96c8d263b52b4d56b35fd3c149498a49b9ef8ec33de6a5e12d31ad313899a63eb7aba39e22ef7201c41e6d66ecd8eecf0a35a
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 195B
MD5 4c13b4953acf3b9fbb8bdc3670687afd
SHA1 72b17ef87b0e6ec6ed22983e0a9337a7d73cb161
SHA256 8c51455a33b9fdd0ef0714f9a97214238aeb82a587e9a8d9925b5039313e6493
SHA512 874aec9a9f0499846ef34976d91d4804f0d46dd967135f44970bcfb74769faee1732c606bf397e7f6b3a3c1f80d6d0c2381dde1a9b9c30649be741a58035da7b
-
Filesize 195B
MD5 0b9603414364f421a84f1d5142d6d966
SHA1 b35474f09bdf9afdbb1c6acec4070e425ce11cf7
SHA256 775ea5a50fa0c10ff341746fc8ddcb4e8a59749688350b9aed0f6978c5392bb2
SHA512 33aa22327cf27930c16406265a4ac73c9773919ddebc2f14121818b1819d096b10ed0ad742608728966a86398febdd03983fb0d8e39d82c89acf77fdf00d8ecb
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 195B
MD5 912a8949626f5b57883fd07f9598743b
SHA1 31e06a0cbf3a5dedc5430ad4db13596df4a9d35c
SHA256 052809f190bfe381dbd8c9f357d04ec4add052588a03249d21ae66ed39a1c6a1
SHA512 63d7c1d337af5cfcac0d0551ab313bb65277d9879bd9af3a7e5f9ed80ddb5a43f5466621366fbddc39fa1ee8d58834e046ee0ea18e67028227e71cfddb2b2557
-
Filesize 195B
MD5 26b01b2d469efacfe25c2398138944c2
SHA1 5d879798d949444c715b515f9b6b914b69b5b8a7
SHA256 683deefee41b211137bac34264f274935aee1393d0e384284ead2216115f14f8
SHA512 eb4b7de9861a44c018f03986f801c0d65f177b631b63b9886681ca1694b7f31ff1962ea85d4c917d30db91637c3bf0dbbf43f2196fd9a021fdbe2c4ab4223345
-
Filesize 195B
MD5 2d0635dd6503b0e796dd987b499e7d72
SHA1 6b4a6af678c1c2a7c5464a0a601f5e9c90a397d1
SHA256 5bec373a0d666b9a45221bf28af02945fd096c32d92b2e4936724757fade133c
SHA512 543f788c4809b81bd6ecaa29af5a178b5552320a46583c38753d0e0aab48b849cb107b8daab1d6cab909184db30581cbbe8a49a822a0ce13705c309b50b984a0
-
Filesize 195B
MD5 fd1d91e4a229e99b06ce46a2a5165537
SHA1 4407b7687d2a9968300d2b0a2550b94171f21844
SHA256 18f38249427e09106924f197ab08a3fd2f9c66315b04a236f2df5f1fecc53da2
SHA512 5009df4b1dc0e0825cfa7019c7380014b19df0af4ee8380cf48b00279b40cd405811b4f163e5dc11653fa5a2bc618e71df223fd161c4d2bd42e934e292d6627d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 a71ca6a81616ca081e15211c85670cc7
SHA1 33c2287633970c496a165aac45b6c754da2d1853
SHA256 017ba4f02e14d6d554ce280b0729edbe29d87ab070017155579121ac6354c272
SHA512 0586d185cf32ac4c49bfaf5eb6589f70beadc4d796ef6dfd9f7b8a9670f3e9eda2b8bea394be29ffc935b738723a98faed16e4b02d45daedb75ad5766358aecd
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478