Analysis
-
max time kernel
146s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
submitted
21-12-2024 23:18
Behavioral task
behavioral1
Sample
JaffaCakes118_48f718cf5f316687100bdda656ae7509bd181269ba7a16ce0919ffae7206fd3f.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
JaffaCakes118_48f718cf5f316687100bdda656ae7509bd181269ba7a16ce0919ffae7206fd3f.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_48f718cf5f316687100bdda656ae7509bd181269ba7a16ce0919ffae7206fd3f.exe
-
Size
1.3MB
-
MD5
bda66baae95d4dc4410098f8767b46a2
-
SHA1
54004cb81ec61e5c4b563ec0ce67b4d22672b319
-
SHA256
48f718cf5f316687100bdda656ae7509bd181269ba7a16ce0919ffae7206fd3f
-
SHA512
5ebca40bb05d12c0f7ae6d991a84878acf8272fef98015993fad4469e81b6cf6043f8846f6d62bdf00fe9c455a84e3c85a24b8cad65572bef916b44a73bb2ef9
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2588 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2680 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3008 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 348 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1252 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2144 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1884 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2292 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1516 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1140 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1468 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2776 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2888 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2108 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2404 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 880 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 320 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1364 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2268 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3068 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2152 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2312 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1288 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2128 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3000 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1092 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 324 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1280 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2112 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1160 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1056 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2948 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2284 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1380 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2540 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1996 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2100 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 980 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2236 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2832 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2464 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2340 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3040 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1464 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 884 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1744 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3024 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1580 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2648 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1568 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2668 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2760 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2768 | 2672 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2720 | 2672 | schtasks.exe | 34
resource | yara_rule
behavioral1/files/0x000600000001945c-10.dat | dcrat
behavioral1/memory/2808-13-0x0000000001050000-0x0000000001160000-memory.dmp | dcrat
behavioral1/memory/1752-157-0x0000000000AD0000-0x0000000000BE0000-memory.dmp | dcrat
behavioral1/memory/2964-216-0x0000000001100000-0x0000000001210000-memory.dmp | dcrat
behavioral1/memory/1184-276-0x00000000003C0000-0x00000000004D0000-memory.dmp | dcrat
behavioral1/memory/2180-336-0x0000000000090000-0x00000000001A0000-memory.dmp | dcrat
behavioral1/memory/2632-396-0x0000000000C80000-0x0000000000D90000-memory.dmp | dcrat
behavioral1/memory/1584-457-0x0000000000F40000-0x0000000001050000-memory.dmp | dcrat
behavioral1/memory/2464-517-0x0000000000070000-0x0000000000180000-memory.dmp | dcrat
behavioral1/memory/1516-577-0x0000000000CA0000-0x0000000000DB0000-memory.dmp | dcrat
behavioral1/memory/2120-637-0x0000000000120000-0x0000000000230000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
2724 | powershell.exe
3044 | powershell.exe
2884 | powershell.exe
2628 | powershell.exe
2580 | powershell.exe
1620 | powershell.exe
1756 | powershell.exe
1868 | powershell.exe
3012 | powershell.exe
2140 | powershell.exe
3020 | powershell.exe
1528 | powershell.exe
1596 | powershell.exe
2620 | powershell.exe
2604 | powershell.exe
636 | powershell.exe
2588 | powershell.exe
2300 | powershell.exe
2732 | powershell.exe
Executes dropped EXE 11 IoCs
pid | Process
2808 | DllCommonsvc.exe
1752 | Idle.exe
2964 | Idle.exe
1184 | Idle.exe
2180 | Idle.exe
2632 | Idle.exe
1584 | Idle.exe
2464 | Idle.exe
1516 | Idle.exe
2120 | Idle.exe
2824 | Idle.exe
Loads dropped DLL 2 IoCs
pid | Process
2684 | cmd.exe
2684 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow | ioc
5 | raw.githubusercontent.com
20 | raw.githubusercontent.com
30 | raw.githubusercontent.com
33 | raw.githubusercontent.com
37 | raw.githubusercontent.com
4 | raw.githubusercontent.com
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com
17 | raw.githubusercontent.com
23 | raw.githubusercontent.com
26 | raw.githubusercontent.com
Drops file in Program Files directory 10 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\6203df4a6bafc7 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\de-DE\b75386f1303e64 | DllCommonsvc.exe
File created | C:\Program Files\Common Files\Services\System.exe | DllCommonsvc.exe
File created | C:\Program Files\Common Files\Services\27d1bcfc3c54e0 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Google\CrashReports\cmd.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Google\CrashReports\ebf1f9fa8afd6d | DllCommonsvc.exe
File created | C:\Program Files\Common Files\Services\explorer.exe | DllCommonsvc.exe
File created | C:\Program Files\Common Files\Services\7a0fd90576e088 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhost.exe | DllCommonsvc.exe
Drops file in Windows directory 8 IoCs
description | ioc | Process
File created | C:\Windows\ServiceProfiles\NetworkService\Documents\cmd.exe | DllCommonsvc.exe
File created | C:\Windows\ServiceProfiles\NetworkService\Documents\ebf1f9fa8afd6d | DllCommonsvc.exe
File created | C:\Windows\Panther\actionqueue\winlogon.exe | DllCommonsvc.exe
File created | C:\Windows\Panther\actionqueue\cc11b995f2a76d | DllCommonsvc.exe
File created | C:\Windows\DigitalLocker\it-IT\dllhost.exe | DllCommonsvc.exe
File created | C:\Windows\DigitalLocker\it-IT\5940a34987c991 | DllCommonsvc.exe
File created | C:\Windows\it-IT\sppsvc.exe | DllCommonsvc.exe
File created | C:\Windows\it-IT\0a1fd5f707cd16 | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_48f718cf5f316687100bdda656ae7509bd181269ba7a16ce0919ffae7206fd3f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2152 | schtasks.exe
1280 | schtasks.exe
2464 | schtasks.exe
1580 | schtasks.exe
1568 | schtasks.exe
2144 | schtasks.exe
2268 | schtasks.exe
1056 | schtasks.exe
3008 | schtasks.exe
2292 | schtasks.exe
1288 | schtasks.exe
1468 | schtasks.exe
1160 | schtasks.exe
1380 | schtasks.exe
2540 | schtasks.exe
1092 | schtasks.exe
2112 | schtasks.exe
2284 | schtasks.exe
980 | schtasks.exe
2948 | schtasks.exe
1996 | schtasks.exe
2236 | schtasks.exe
348 | schtasks.exe
2776 | schtasks.exe
2404 | schtasks.exe
2312 | schtasks.exe
3000 | schtasks.exe
324 | schtasks.exe
2760 | schtasks.exe
2768 | schtasks.exe
1884 | schtasks.exe
2648 | schtasks.exe
1252 | schtasks.exe
2100 | schtasks.exe
2832 | schtasks.exe
3024 | schtasks.exe
2588 | schtasks.exe
1364 | schtasks.exe
1464 | schtasks.exe
884 | schtasks.exe
1744 | schtasks.exe
2720 | schtasks.exe
2680 | schtasks.exe
1516 | schtasks.exe
880 | schtasks.exe
3040 | schtasks.exe
2108 | schtasks.exe
320 | schtasks.exe
2128 | schtasks.exe
1140 | schtasks.exe
2888 | schtasks.exe
3068 | schtasks.exe
2340 | schtasks.exe
2668 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 32 IoCs
pid | Process
2808 | DllCommonsvc.exe
2808 | DllCommonsvc.exe
2808 | DllCommonsvc.exe
2724 | powershell.exe
1596 | powershell.exe
636 | powershell.exe
2300 | powershell.exe
2732 | powershell.exe
2580 | powershell.exe
3012 | powershell.exe
2884 | powershell.exe
1528 | powershell.exe
2620 | powershell.exe
2140 | powershell.exe
1868 | powershell.exe
2588 | powershell.exe
2628 | powershell.exe
1756 | powershell.exe
3020 | powershell.exe
2604 | powershell.exe
1620 | powershell.exe
3044 | powershell.exe
1752 | Idle.exe
2964 | Idle.exe
1184 | Idle.exe
2180 | Idle.exe
2632 | Idle.exe
1584 | Idle.exe
2464 | Idle.exe
1516 | Idle.exe
2120 | Idle.exe
2824 | Idle.exe
Suspicious use of AdjustPrivilegeToken 30 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2808 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2724 | powershell.exe
Token: SeDebugPrivilege | 1596 | powershell.exe
Token: SeDebugPrivilege | 636 | powershell.exe
Token: SeDebugPrivilege | 2300 | powershell.exe
Token: SeDebugPrivilege | 2732 | powershell.exe
Token: SeDebugPrivilege | 2580 | powershell.exe
Token: SeDebugPrivilege | 3012 | powershell.exe
Token: SeDebugPrivilege | 2884 | powershell.exe
Token: SeDebugPrivilege | 1528 | powershell.exe
Token: SeDebugPrivilege | 2620 | powershell.exe
Token: SeDebugPrivilege | 2140 | powershell.exe
Token: SeDebugPrivilege | 1868 | powershell.exe
Token: SeDebugPrivilege | 2588 | powershell.exe
Token: SeDebugPrivilege | 2628 | powershell.exe
Token: SeDebugPrivilege | 1756 | powershell.exe
Token: SeDebugPrivilege | 3020 | powershell.exe
Token: SeDebugPrivilege | 2604 | powershell.exe
Token: SeDebugPrivilege | 1620 | powershell.exe
Token: SeDebugPrivilege | 3044 | powershell.exe
Token: SeDebugPrivilege | 1752 | Idle.exe
Token: SeDebugPrivilege | 2964 | Idle.exe
Token: SeDebugPrivilege | 1184 | Idle.exe
Token: SeDebugPrivilege | 2180 | Idle.exe
Token: SeDebugPrivilege | 2632 | Idle.exe
Token: SeDebugPrivilege | 1584 | Idle.exe
Token: SeDebugPrivilege | 2464 | Idle.exe
Token: SeDebugPrivilege | 1516 | Idle.exe
Token: SeDebugPrivilege | 2120 | Idle.exe
Token: SeDebugPrivilege | 2824 | Idle.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2740 wrote to memory of 2704 | 2740 | JaffaCakes118_48f718cf5f316687100bdda656ae7509bd181269ba7a16ce0919ffae7206fd3f.exe | 30
PID 2740 wrote to memory of 2704 | 2740 | JaffaCakes118_48f718cf5f316687100bdda656ae7509bd181269ba7a16ce0919ffae7206fd3f.exe | 30
PID 2740 wrote to memory of 2704 | 2740 | JaffaCakes118_48f718cf5f316687100bdda656ae7509bd181269ba7a16ce0919ffae7206fd3f.exe | 30
PID 2740 wrote to memory of 2704 | 2740 | JaffaCakes118_48f718cf5f316687100bdda656ae7509bd181269ba7a16ce0919ffae7206fd3f.exe | 30
PID 2704 wrote to memory of 2684 | 2704 | WScript.exe | 31
PID 2704 wrote to memory of 2684 | 2704 | WScript.exe | 31
PID 2704 wrote to memory of 2684 | 2704 | WScript.exe | 31
PID 2704 wrote to memory of 2684 | 2704 | WScript.exe | 31
PID 2684 wrote to memory of 2808 | 2684 | cmd.exe | 33
PID 2684 wrote to memory of 2808 | 2684 | cmd.exe | 33
PID 2684 wrote to memory of 2808 | 2684 | cmd.exe | 33
PID 2684 wrote to memory of 2808 | 2684 | cmd.exe | 33
PID 2808 wrote to memory of 2580 | 2808 | DllCommonsvc.exe | 89
PID 2808 wrote to memory of 2580 | 2808 | DllCommonsvc.exe | 89
PID 2808 wrote to memory of 2580 | 2808 | DllCommonsvc.exe | 89
PID 2808 wrote to memory of 2732 | 2808 | DllCommonsvc.exe | 90
PID 2808 wrote to memory of 2732 | 2808 | DllCommonsvc.exe | 90
PID 2808 wrote to memory of 2732 | 2808 | DllCommonsvc.exe | 90
PID 2808 wrote to memory of 2724 | 2808 | DllCommonsvc.exe | 91
PID 2808 wrote to memory of 2724 | 2808 | DllCommonsvc.exe | 91
PID 2808 wrote to memory of 2724 | 2808 | DllCommonsvc.exe | 91
PID 2808 wrote to memory of 2604 | 2808 | DllCommonsvc.exe | 92
PID 2808 wrote to memory of 2604 | 2808 | DllCommonsvc.exe | 92
PID 2808 wrote to memory of 2604 | 2808 | DllCommonsvc.exe | 92
PID 2808 wrote to memory of 2620 | 2808 | DllCommonsvc.exe | 93
PID 2808 wrote to memory of 2620 | 2808 | DllCommonsvc.exe | 93
PID 2808 wrote to memory of 2620 | 2808 | DllCommonsvc.exe | 93
PID 2808 wrote to memory of 3012 | 2808 | DllCommonsvc.exe | 94
PID 2808 wrote to memory of 3012 | 2808 | DllCommonsvc.exe | 94
PID 2808 wrote to memory of 3012 | 2808 | DllCommonsvc.exe | 94
PID 2808 wrote to memory of 2140 | 2808 | DllCommonsvc.exe | 95
PID 2808 wrote to memory of 2140 | 2808 | DllCommonsvc.exe | 95
PID 2808 wrote to memory of 2140 | 2808 | DllCommonsvc.exe | 95
PID 2808 wrote to memory of 3020 | 2808 | DllCommonsvc.exe | 96
PID 2808 wrote to memory of 3020 | 2808 | DllCommonsvc.exe | 96
PID 2808 wrote to memory of 3020 | 2808 | DllCommonsvc.exe | 96
PID 2808 wrote to memory of 636 | 2808 | DllCommonsvc.exe | 97
PID 2808 wrote to memory of 636 | 2808 | DllCommonsvc.exe | 97
PID 2808 wrote to memory of 636 | 2808 | DllCommonsvc.exe | 97
PID 2808 wrote to memory of 1528 | 2808 | DllCommonsvc.exe | 98
PID 2808 wrote to memory of 1528 | 2808 | DllCommonsvc.exe | 98
PID 2808 wrote to memory of 1528 | 2808 | DllCommonsvc.exe | 98
PID 2808 wrote to memory of 3044 | 2808 | DllCommonsvc.exe | 99
PID 2808 wrote to memory of 3044 | 2808 | DllCommonsvc.exe | 99
PID 2808 wrote to memory of 3044 | 2808 | DllCommonsvc.exe | 99
PID 2808 wrote to memory of 1868 | 2808 | DllCommonsvc.exe | 100
PID 2808 wrote to memory of 1868 | 2808 | DllCommonsvc.exe | 100
PID 2808 wrote to memory of 1868 | 2808 | DllCommonsvc.exe | 100
PID 2808 wrote to memory of 2884 | 2808 | DllCommonsvc.exe | 101
PID 2808 wrote to memory of 2884 | 2808 | DllCommonsvc.exe | 101
PID 2808 wrote to memory of 2884 | 2808 | DllCommonsvc.exe | 101
PID 2808 wrote to memory of 1596 | 2808 | DllCommonsvc.exe | 102
PID 2808 wrote to memory of 1596 | 2808 | DllCommonsvc.exe | 102
PID 2808 wrote to memory of 1596 | 2808 | DllCommonsvc.exe | 102
PID 2808 wrote to memory of 2628 | 2808 | DllCommonsvc.exe | 103
PID 2808 wrote to memory of 2628 | 2808 | DllCommonsvc.exe | 103
PID 2808 wrote to memory of 2628 | 2808 | DllCommonsvc.exe | 103
PID 2808 wrote to memory of 2588 | 2808 | DllCommonsvc.exe | 104
PID 2808 wrote to memory of 2588 | 2808 | DllCommonsvc.exe | 104
PID 2808 wrote to memory of 2588 | 2808 | DllCommonsvc.exe | 104
PID 2808 wrote to memory of 2300 | 2808 | DllCommonsvc.exe | 105
PID 2808 wrote to memory of 2300 | 2808 | DllCommonsvc.exe | 105
PID 2808 wrote to memory of 2300 | 2808 | DllCommonsvc.exe | 105
PID 2808 wrote to memory of 1620 | 2808 | DllCommonsvc.exe | 106
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48f718cf5f316687100bdda656ae7509bd181269ba7a16ce0919ffae7206fd3f.exe (tree level 1)
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48f718cf5f316687100bdda656ae7509bd181269ba7a16ce0919ffae7206fd3f.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2740
C:\Windows\SysWOW64\WScript.exe (tree level 2)
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2704
C:\Windows\SysWOW64\cmd.exe (tree level 3)
  cmd /c ""C:\providercommon\1zu9dW.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2684
C:\providercommon\DllCommonsvc.exe (tree level 4)
  "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2808
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 5)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2580
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 5)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 5)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2724
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 5)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Services\explorer.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 5)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\it-IT\dllhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2620
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 5)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\lsm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3012
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 5)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2140
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 5)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\explorer.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 5)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\sppsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:636
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 5)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 5)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Services\System.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3044
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 5)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1868
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 5)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\NetworkService\Documents\cmd.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2884
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 5)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\lsass.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1596
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 5)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2628
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 5)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2588
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 5)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\actionqueue\winlogon.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 5)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\cmd.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 5)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1756
-
-
C:\Windows\System32\cmd.exe (tree level 5)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B6AGbm0k8O.bat"
PID:2900
-
C:\Windows\system32\w32tm.exe (tree level 6)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2368
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe (tree level 6)
  "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1752
C:\Windows\System32\cmd.exe (tree level 7)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iIDKKqsGny.bat"
PID:912
-
C:\Windows\system32\w32tm.exe (tree level 8)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1288
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe (tree level 8)
  "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2964
C:\Windows\System32\cmd.exe (tree level 9)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uZApDsIgYI.bat"
PID:2372
-
C:\Windows\system32\w32tm.exe (tree level 10)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2404
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe (tree level 10)
  "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1184
C:\Windows\System32\cmd.exe (tree level 11)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tfVhKC50lX.bat"
PID:2280
-
C:\Windows\system32\w32tm.exe (tree level 12)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1264
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe (tree level 12)
  "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2180
C:\Windows\System32\cmd.exe (tree level 13)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZBm8ilTxac.bat"
PID:1252
-
C:\Windows\system32\w32tm.exe (tree level 14)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1516
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe (tree level 14)
  "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2632
C:\Windows\System32\cmd.exe (tree level 15)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m1XclINWiF.bat"
PID:1700
-
C:\Windows\system32\w32tm.exe (tree level 16)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1868
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe (tree level 16)
  "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584
C:\Windows\System32\cmd.exe (tree level 17)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Lg3y2yDdyq.bat"
PID:1264
-
C:\Windows\system32\w32tm.exe (tree level 18)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:924
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe (tree level 18)
  "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2464
C:\Windows\System32\cmd.exe (tree level 19)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0PvuKmrV6l.bat"
PID:1380
-
C:\Windows\system32\w32tm.exe (tree level 20)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1524
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe (tree level 20)
  "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516
C:\Windows\System32\cmd.exe (tree level 21)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzDSmeWZ76.bat"
PID:836
-
C:\Windows\system32\w32tm.exe (tree level 22)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2980
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe (tree level 22)
  "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2120
C:\Windows\System32\cmd.exe (tree level 23)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tGPC7CVf0d.bat"
PID:2288
-
C:\Windows\system32\w32tm.exe (tree level 24)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2520
-
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe (tree level 24)
  "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2824
C:\Windows\System32\cmd.exe (tree level 25)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iu0amT0ExO.bat"
PID:2412
-
C:\Windows\system32\w32tm.exe (tree level 26)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2656
-
C:\Windows\system32\schtasks.exe (tree level 1)
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588
-
C:\Windows\system32\schtasks.exe (tree level 1)
  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680
-
C:\Windows\system32\schtasks.exe (tree level 1)
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008
-
C:\Windows\system32\schtasks.exe (tree level 1)
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348
-
C:\Windows\system32\schtasks.exe (tree level 1)
  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Services\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\Services\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\DigitalLocker\it-IT\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\it-IT\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\DigitalLocker\it-IT\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\it-IT\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\it-IT\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Services\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\Services\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\ServiceProfiles\NetworkService\Documents\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\Documents\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\NetworkService\Documents\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Desktop\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Desktop\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\Panther\actionqueue\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\Panther\actionqueue\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\CrashReports\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\CrashReports\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720
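The scheduled tasks above share three traits a hunter can key on: payloads named after Windows system binaries (winlogon.exe, csrss.exe, lsass.exe, ...) but placed outside the system directories, MINUTE triggers of 15 minutes or less that keep re-launching the payload, and ONLOGON triggers at /rl HIGHEST. The process tree also shows w32tm /stripchart /computer:localhost, a command commonly used by batch droppers as a substitute for sleep. The Python below is an added example, not part of this sandbox report and not the sample's own code: it parses schtasks /create command lines (as they would appear in process-creation telemetry), applies those three checks, and matches the w32tm delay. The lookalike-name list, the expected-directory list and the 15-minute threshold are assumptions chosen for this report; the sample command lines are constructed from the ones shown on this page plus one benign control task that is not from the report.

```python
import re
from pathlib import PureWindowsPath

# Names reused by the dropped payloads in this report: real Windows binaries
# plus the Task Manager pseudo-processes "System" and "Idle". (Assumed list.)
LOOKALIKE_NAMES = {
    "winlogon.exe", "csrss.exe", "lsass.exe", "lsm.exe", "dllhost.exe",
    "sppsvc.exe", "taskhost.exe", "explorer.exe", "cmd.exe",
    "system.exe", "idle.exe", "osppsvc.exe",
}
# Directories where a binary with one of those names is expected. (Assumed list.)
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}
# A MINUTE trigger at or below this interval is treated as a watchdog. (Assumed.)
WATCHDOG_MINUTES = 15

_SWITCH = re.compile(r'/(tn|sc|mo|tr|rl)\s+("[^"]*"|\S+)', re.IGNORECASE)
_CREATE = re.compile(r'\bschtasks(?:\.exe)?\s+/create\b', re.IGNORECASE)
_W32TM_DELAY = re.compile(r'\bw32tm(?:\.exe)?\s+/stripchart\s+/computer:localhost\b',
                          re.IGNORECASE)


def parse_schtasks(cmdline):
    """Return the switches of a 'schtasks /create' command line, or None."""
    if not _CREATE.search(cmdline):
        return None
    fields = {}
    for key, val in _SWITCH.findall(cmdline):
        # schtasks quoting as used in this report: /tr "'C:\path\x.exe'"
        fields[key.lower()] = val.strip('"').strip("'")
    fields["force"] = bool(re.search(r'\s/f(?:\s|$)', cmdline, re.IGNORECASE))
    return fields


def assess_task(fields):
    """List the persistence traits seen in this report's schtasks calls."""
    findings = []
    target = PureWindowsPath(fields.get("tr", ""))
    if (target.name.lower() in LOOKALIKE_NAMES
            and str(target.parent).lower() not in EXPECTED_DIRS):
        findings.append(f"lookalike binary name outside system dirs: {target}")
    trigger = fields.get("sc", "").upper()
    if trigger == "MINUTE":
        mo = fields.get("mo", "1")
        every = int(mo) if mo.isdigit() else 1
        if every <= WATCHDOG_MINUTES:
            findings.append(f"re-launch every {every} min (watchdog-style trigger)")
    elif trigger == "ONLOGON":
        findings.append("runs at every logon")
    if fields.get("rl", "").upper() == "HIGHEST":
        findings.append("requests highest run level")
    return findings


def is_w32tm_delay(cmdline):
    """w32tm /stripchart against localhost is a common stand-in for sleep."""
    return bool(_W32TM_DELAY.search(cmdline))


def hunt(cmdlines):
    """Return (cmdline, findings) for every command line worth an analyst's look."""
    hits = []
    for line in cmdlines:
        if is_w32tm_delay(line):
            hits.append((line, ["w32tm /stripchart against localhost used as a delay"]))
            continue
        fields = parse_schtasks(line)
        if fields and (findings := assess_task(fields)):
            hits.append((line, findings))
    return hits


# Constructed sample: three command lines from this report, the w32tm call from
# the process tree, and one benign control task (not from the report).
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Services\explorer.exe'" /f''',
    r'''schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\DllCommonsvc.exe'" /rl HIGHEST /f''',
    r'''w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2''',
    r'''schtasks.exe /create /tn "NightlyCleanup" /sc DAILY /tr "'C:\Windows\System32\cmd.exe'" /f''',
]

if __name__ == "__main__":
    for line, findings in hunt(SAMPLE_CMDLINES):
        print(line)
        for item in findings:
            print("   -", item)
```

Note that DllCommonsvc.exe is not caught by the name check and is still reported through the 14-minute watchdog trigger and the HIGHEST run level, which is why the three checks are kept independent rather than folded into one rule; the benign DAILY task pointing at the real cmd.exe produces no finding.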
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 7e2a9bcf519e4396e59e5367aa9805e3
SHA1: 8bcdc4625685f788d64213c096c5d8756d9db8a3
SHA256: c0851b3cbdedc148bc0905ab10adff989588bb5676e2184c6d746930d91b3e8f
SHA512: 292a6d225c8ca490d6ff59289610b009f7df11dbeb389734e5a528aedda40d6c2f6bbb2aa8589de8d56cb0f527f429c10c7c28589a2ad806b5b931ff9fc2a0bc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 47299992af1d42891186448ce26162b0
SHA1: 2a4169d62ee0dfb9e8e82b629934e94a932c8b2e
SHA256: 13b97688940c91512e7a00f5a615a40ca3e0865aebe3902c925a3d18f9f6c50d
SHA512: c073501d7824a1b7a1c9d6087ab83bf47777b71175e102a9e5949832cfa63c0ae3520584758d575120ffe118d0b38a7ffaad5125c40147a4ebbb26a128067174
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: b099d4bd64dd30a5a28510f38d4946c9
SHA1: 3f573c3147371c5543028aeeefa832fbb98fc27a
SHA256: cb7a06b159de084ebdef9f0facc1064146138cbf5e944659b31f633f5c2e0143
SHA512: e1f914cb515d9470981ec5dc2a344b1ae5eebbf122bc2da478b4f333c88120034cc58870d837b2d1ea882f392ead7540c4e6abbd8337f183a8a7474a09153c2b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: f78eedc52321321beaf50ca88107b7ab
SHA1: eb39d417c25bf5bddab977e28ff3e9f6bb1e15dc
SHA256: b55565a0c96dac15179a271e4141c2c17c5dda0dcf185a7ae079a5be14188764
SHA512: e4ffc0ee05e1acb6073ba5ba070a1ff68978c19aca5ae971bd33b89cf8bb0132c9299c01639123f4dc2866fc85a0508763256c45b253b760ea997210f966d860
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 219985cae19ec13c85342b4110bae9fd
SHA1: 45b57509d99f498d561c7d3c669531a86bd86fb0
SHA256: edddb3d95a5b5fa73ac7ff6a1eb65f8ace370dfe42332ddc3d25a7ee70639333
SHA512: b004b85f08d1edb283471909c72881c274fa74a3d44f4ca8c28c1d69cd9d498f0957fc75206eef165d5e8ea8b0469840243ccd89e8763476700f8a52ae304cf8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 4e9d134180c12d3e300e75df0e25be9d
SHA1: efb10f2b553e107e420bcb00ce472203b62d82c1
SHA256: 947e5d6f3092bfdb34bf77d37398f68265a3979299902610113df81678e01a19
SHA512: 7c5484369071178dd3823b49ffb82ae09ab0e2220c456125dfffddabbcadad6ec97228e985fa9ece6a07c831f2eca5bfec31f2e91e5afbf65261947df00534b0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: df2a90f8110017fc5f6cedd4d12baba9
SHA1: 70daf939c9e28ae93cb27f02758a5ba661756783
SHA256: 391b32ecb883cc1323a6692894aed7ec2eefa9821130871377c28e40ec8f09c7
SHA512: c141afbc59faa0bc7f6cb6c334ad7c55e71082ee09f6aba1f02515843d1f13e7c7866d1a82b63bd193043f565063ad20a7328c167c21f15db67def0a9b4031b8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 28e56eb11429f5ae1204e508c98d5863
SHA1: 8e9c22902bbe51273e6fe39367059ad060293974
SHA256: b08f9f7b4fb2c9e4fe4b518ec6a4c5cba67c03463cdd09ca16e073c8614c8c33
SHA512: cef9a72b430e0d73b8b24048f32d8cc42a253044fd6715d2eb472c722bdb8afe691df24238ba3a912ad3ec196aaf2e30671717bb2da75127fc0277b4a485f2f8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 6db263095e8ef37e365f79241b5344cb
SHA1: 53d27b8915b687a685f707f13b4171f3c7ac6df9
SHA256: 2c035206eb3f4c887d26aed8fae185487effa038ffbea8404ec5bb8f8c4af109
SHA512: 32dc8f3e6ad4a7905f2f20edcbba7b61cda42198b874de2f538b1b2d68d43c36ca45b4d2556d44a89ebe92be70c60f71e86eb6b3b7d5d5668af49b0115d021d1
-
Filesize: 222B
MD5: 5c502be849c561a43d7e2e21964bbb65
SHA1: 718b3c433605f288a9eb7bded9663166d92aad9e
SHA256: 5dec422fc76e542b6d87b2ce05554af318282d8c002ebeedc93dbd16f30b7164
SHA512: a91998a684572ab7b5e8c015145d0e1c82022a2a7ab39402e571c7cf22f56d75298e1a1e97bc8e7c19b219bcfe70bb891d885374cce4564702d2589a34cd2fcc
-
Filesize: 222B
MD5: 337e9773a9eb164152e87750214b4329
SHA1: bf7b430163bb403dca4535810779b2f3a40bb9bb
SHA256: 8890eee4ef539a5506817b7e6e76a58c12fbcac53deb2eca41821adec4645f87
SHA512: 77fb0b029821fca3c56b779ce894622402292497b2a404aa5a6a1c3056dc136375c70ec9510d832b964c8143595bba13271cacf7c7baba2a603b447f732f11c4
-
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize: 222B
MD5: fcd3584f909598fa8ce2da7871b0a21b
SHA1: 93e4197eb84ed845137481f9e240168ad6e1d40f
SHA256: b1475ed750b46a856d5ce4f1dadf188f9c94080c5b5fd04288d5161c10f82ef0
SHA512: 743e879e0aaf74d46be1e54cde75f4141ec3c21b165452b015d469e1445b9f2245e15208aac10e833f4f5b75da1649ee7a6cbb75e629a55d72d1fa3dbb278d23
-
Filesize: 222B
MD5: 26070fa01493b49ce07386e40e675145
SHA1: 0c886bee71bfa78b7a1fa8e755f64a08b23b217f
SHA256: 97d896d5d92fd80efaf95fb8e3e4104fe6b8e41341a3f496abf63e0d7b95dc7b
SHA512: d0d6b641e4992036efa1bc5e61d7fdf1e8f3eade36b99c2ed3d34fd2cc127ea4a391724d85280288ae179444f4cc8ff793165149a2933d798e24272898c21e9b
-
Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize: 222B
MD5: bc4067612915712d00df17ca0c3f5ff6
SHA1: 07911f38851bf921b74e1c89dcd93703b6217c46
SHA256: 4c48a06de08b1ccf97b7ecf072d7c326f068b3344c153c942a83e8a018803c74
SHA512: 3a726cd9ce840f9a42b8bee5696042331417399f2c7b8454d5a0b1d5376cd7eae5ad4ebb4ede508828f4967a6614e644063c3923e2a9cfc4db8f70bdc6e3c73f
-
Filesize: 222B
MD5: 2e31a4893222c6a8a7ed6fd2dfa2c573
SHA1: 92427189923a6cf880350f69a658b2249254603f
SHA256: ca232b6dee1f9419143676d04a1db11e30749fb79589f6f552e7a2d30eff43d3
SHA512: 561d05e984fa5caf28dcb79f3de4a2851237a6a3f7a4ebb67ad25bb4a3f22f56cceff11283e2c7a2a9b3f6ac289f2b143f949f4af6bbc163ef5d8e8c52f04eb0
-
Filesize: 222B
MD5: 01b5b41675a94ea703fd5c13a0e6a35d
SHA1: 67a498526120d296c13deed36218854874252148
SHA256: b9bc63e00477dc2bddb98ae84e513816792da93923a9836412d124d4d1e58be9
SHA512: 705d01dc4f576d289e0d4d52e56d5364ddfd11c74b4aa509a8d65ddc43603eda605c15b74665cb566539981de4160f26c96f3fe48ceeb3600349eccf5944ff3c
-
Filesize: 222B
MD5: 49480e2d4226581eca1ab9536579cca8
SHA1: e8d701891e4485bb22b07bc9e4d9a8ad4ed69327
SHA256: 476765f9ff907b5581612be55ff1bb4aac9a25821e00fd204dc970b2e786d9da
SHA512: d65ff9ba9e1f449a6a054e38aa0eaa71842fe9b061c3ebc3636f7aab4a3b430a2372116d0b51db0554a0a4fe7ef64bab2db024159eab0aa8638881c1802c8a84
-
Filesize: 222B
MD5: 4d4f835ab711a904c105234bcf826685
SHA1: 7a873c6cb93c5a9f6d4ec61ac11cc0b227de74ae
SHA256: de23b5b57ae2ceef46e29efee90583cd1198346e92cf6fdc734f4cd3a35fd76a
SHA512: 246dcbf4dce516756b99c9859ce1f4cbdd77265b4e09cc2a3061a1b3e1ceb2117a3ee5a75b403617da1f0e55ebbd13321c240c86e810ed8c0b6d74526570baac
-
Filesize: 222B
MD5: 9f08da2e45e5cf9cb14cf692f93e92ce
SHA1: 2077019f538c3833ba38275d886b562d35404b1e
SHA256: ca2aede63dde919ad3e7d859a5a476fab86a82d2c46231a3bab3d1bdb824291c
SHA512: d36b4d67465b0470d98cffb0876931e5013b714d5e4073a1f7a2386c354d75a49bcac9792770a9796628f6f87f6ff3577282a634184abb4768e7f600000d9b10
-
Filesize: 222B
MD5: 0ab815d19fd9399e28b1a795a345734e
SHA1: 143831df7f6bb0831bed9f7a9e4607fa6ba28728
SHA256: 4d5434f624e8c6459e758e281eb7511c21ac000b8b8e2238e23a9dbadaadc314
SHA512: c4e67f66cacfc3f26236f8bb71d20399c0fc866c4be52e8076e0c5b98973c11326811e4d63a1945cefb0cbe4207bb334b352f4b75914b4451db7088aac6fe262
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 2aed011f9e3af9a873c46db3ebb0793e
SHA1: 1acb4ad5df174e17aa7f83b8f4bef4ed32315fc6
SHA256: 03df5d8cc49d94c0faa51443ac327ae3f5ced7972153c05afe6fb6b1aa9ee4b9
SHA512: bb648737ca0935a87183e400204de48da892ef25a8c9070af7b691841fd3f567f3199a2dff0079f672d53b93531f0e1a7f4492e0e36d68592a4c6092ecc24f7a
-
Filesize: 36B
MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize: 1.0MB
MD5: bd31e94b4143c4ce49c17d3af46bcad0
SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize: 197B
MD5: 8088241160261560a02c84025d107592
SHA1: 083121f7027557570994c9fc211df61730455bb5
SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478