Analysis
-
max time kernel
144s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system -
submitted
21-12-2024 18:29
Behavioral task
behavioral1
Sample
JaffaCakes118_bf73d3ce0d72b81c8e1a7d65206ee14bf9d147052c6d453c2313a0adf7603bd5.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
JaffaCakes118_bf73d3ce0d72b81c8e1a7d65206ee14bf9d147052c6d453c2313a0adf7603bd5.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_bf73d3ce0d72b81c8e1a7d65206ee14bf9d147052c6d453c2313a0adf7603bd5.exe
-
Size
1.3MB
-
MD5
4298eea3dfafc5e3e37cd4390fb07f2c
-
SHA1
d0f424c253ef02a00d840a560904adf62aeb2a34
-
SHA256
bf73d3ce0d72b81c8e1a7d65206ee14bf9d147052c6d453c2313a0adf7603bd5
-
SHA512
25ab9031c4dba529b4da57687b1c020de7ebec4707b1be3bc903b16d1ffc31003066eb26142bec6527ac8571a721711859d15e3c0b7068e7ac61524ffc822103
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan active since June 2019 that can load additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 45 IoCs
This is the rule's generic description: a system process spawning an unexpected child typically indicates the parent was compromised via an exploit or macro. Here the parent is wmiprvse.exe, the WMI provider host, which is the parent you see when a process creates a child through WMI (Win32_Process.Create) rather than calling CreateProcess itself; the 45 children are the schtasks.exe /create invocations listed under Processes, which is consistent with the dropper launching its persistence tasks through WMI, and nothing in this report indicates the WMI host itself was exploited.
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target: 2988 (wmiprvse.exe)
Process: schtasks.exe
procid_target: 34
pid (45 schtasks.exe children, in report order): 2736, 3008, 2824, 2720, 2772, 324, 2364, 1956, 1648, 2776, 1840, 796, 572, 1084, 1276, 600, 2932, 1944, 2040, 2016, 1724, 2200, 2336, 896, 1368, 2180, 2072, 768, 2300, 2260, 2332, 1804, 1376, 1820, 1572, 1352, 868, 1640, 2184, 2224, 2388, 1776, 1892, 1728, 2188 -
resource  yara_rule
behavioral1/files/0x0007000000016d54-9.dat  dcrat
behavioral1/memory/1996-13-0x0000000000900000-0x0000000000A10000-memory.dmp  dcrat
behavioral1/memory/2708-54-0x0000000000850000-0x0000000000960000-memory.dmp  dcrat
behavioral1/memory/2268-194-0x0000000000970000-0x0000000000A80000-memory.dmp  dcrat
behavioral1/memory/1972-254-0x0000000000BC0000-0x0000000000CD0000-memory.dmp  dcrat
behavioral1/memory/2732-373-0x00000000011E0000-0x00000000012F0000-memory.dmp  dcrat
behavioral1/memory/2468-434-0x0000000000040000-0x0000000000150000-memory.dmp  dcrat
behavioral1/memory/2448-494-0x0000000000FF0000-0x0000000001100000-memory.dmp  dcrat
behavioral1/memory/2968-554-0x0000000001330000-0x0000000001440000-memory.dmp  dcrat
behavioral1/memory/2920-615-0x00000000000C0000-0x00000000001D0000-memory.dmp  dcrat
behavioral1/memory/1388-675-0x00000000002A0000-0x00000000003B0000-memory.dmp  dcrat
behavioral1/memory/2032-735-0x0000000001270000-0x0000000001380000-memory.dmp  dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. In this run all 16 invocations use Add-MpPreference -ExclusionPath, one per dropped binary; the exact command lines are listed under Processes.
pid  Process
2132  powershell.exe
2624  powershell.exe
1520  powershell.exe
3056  powershell.exe
1676  powershell.exe
1596  powershell.exe
1948  powershell.exe
2548  powershell.exe
1616  powershell.exe
1268  powershell.exe
2196  powershell.exe
2404  powershell.exe
2676  powershell.exe
1720  powershell.exe
2432  powershell.exe
1624  powershell.exe -
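The sixteen PowerShell invocations above all take the same shape: Add-MpPreference -ExclusionPath '<dropped binary>'. The following is an added example, not part of the Triage report and not code from the sample: a small Python triage routine that pulls Defender exclusion additions out of process-creation command lines and flags excluded paths whose file name is a core Windows process (csrss.exe, lsass.exe, spoolsv.exe, ...) but whose directory is not a Windows system directory. The six sample command lines are copied from the Processes section (without the quoted program-name token); the two control lines at the end are constructed. SYSTEM_PROCESS_NAMES is my own list for the example, not a list the report defines.

```python
import re
from pathlib import PureWindowsPath

# Names this sample gives its dropped copies. Legitimate binaries with these
# names run from the Windows system directories only. (Example list; the
# report does not define one.)
SYSTEM_PROCESS_NAMES = {
    "csrss.exe", "lsass.exe", "smss.exe", "wininit.exe", "winlogon.exe",
    "spoolsv.exe", "wmiprvse.exe", "audiodg.exe", "cmd.exe",
}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Add-MpPreference -ExclusionPath 'C:\...' as the sample issues it (single
# quotes). Real-world variants may use double quotes or none; extend if needed.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+'([^']+)'",
    re.IGNORECASE,
)


def extract_exclusions(cmdline):
    """Return (kind, value) pairs for every Defender exclusion the command line adds."""
    return [(kind.capitalize(), value) for kind, value in EXCLUSION_RE.findall(cmdline)]


def is_masquerading_path(path):
    """True if the file name is a core Windows process name but the directory
    is not a Windows system directory (the 'csrss.exe under Program Files' case)."""
    p = PureWindowsPath(path)
    parent = str(p.parent).lower()
    return p.name.lower() in SYSTEM_PROCESS_NAMES and parent not in SYSTEM_DIRS


def triage(events):
    """events: iterable of (pid, image, cmdline) process-creation records.
    Returns one finding per exclusion added from powershell.exe."""
    findings = []
    for pid, image, cmdline in events:
        if not image.lower().endswith("powershell.exe"):
            continue
        for kind, value in extract_exclusions(cmdline):
            findings.append({
                "pid": pid,
                "kind": kind,
                "value": value,
                "masquerade": kind == "Path" and is_masquerading_path(value),
            })
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Six of the sixteen command lines from the Processes section, plus two
# constructed controls: an exclusion for the real lsass.exe path (still an
# exclusion, but not a masquerade) and a harmless PowerShell call.
SAMPLE_EVENTS = [
    (1948, PS, r"powershell -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'"),
    (1676, PS, r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\Idle.exe'"),
    (2676, PS, r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\spoolsv.exe'"),
    (3056, PS, r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\en-US\csrss.exe'"),
    (1616, PS, r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\WmiPrvSE.exe'"),
    (2132, PS, r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\lsass.exe'"),
    (4001, PS, r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\lsass.exe'"),  # constructed control
    (4002, PS, r"powershell -Command Get-Process"),  # constructed control, no exclusion
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        flag = "MASQUERADE " if f["masquerade"] else ""
        print(f"pid {f['pid']}: {flag}{f['kind']} exclusion -> {f['value']}")
```

On a live host the matching audit is Get-MpPreference | Select-Object -ExpandProperty ExclusionPath; an entry pointing at a csrss.exe under Program Files\Windows Defender\en-US is a finding on its own. Add-MpPreference only succeeds with an elevated token, so exclusions that actually took effect also tell you the dropper was already running elevated when it issued them.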
Executes dropped EXE 12 IoCs
pid  Process
1996  DllCommonsvc.exe
2708  csrss.exe
2268  csrss.exe
1972  csrss.exe
2104  csrss.exe
2732  csrss.exe
2468  csrss.exe
2448  csrss.exe
2968  csrss.exe
2920  csrss.exe
1388  csrss.exe
2032  csrss.exe -
Loads dropped DLL 2 IoCs
pid  Process
2528  cmd.exe
2528  cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow  ioc
4  raw.githubusercontent.com
5  raw.githubusercontent.com
9  raw.githubusercontent.com
13  raw.githubusercontent.com
16  raw.githubusercontent.com
19  raw.githubusercontent.com
22  raw.githubusercontent.com
26  raw.githubusercontent.com
29  raw.githubusercontent.com
33  raw.githubusercontent.com
36  raw.githubusercontent.com -
Drops file in Program Files directory 8 IoCs
description  ioc  Process
File created  C:\Program Files\Windows Defender\en-US\csrss.exe  DllCommonsvc.exe
File created  C:\Program Files\Windows Defender\en-US\886983d96e3d3e  DllCommonsvc.exe
File created  C:\Program Files (x86)\Microsoft Analysis Services\WmiPrvSE.exe  DllCommonsvc.exe
File created  C:\Program Files (x86)\Microsoft Analysis Services\24dbde2999530e  DllCommonsvc.exe
File created  C:\Program Files\Internet Explorer\es-ES\wininit.exe  DllCommonsvc.exe
File created  C:\Program Files\Internet Explorer\es-ES\56085415360792  DllCommonsvc.exe
File created  C:\Program Files\7-Zip\Lang\winlogon.exe  DllCommonsvc.exe
File created  C:\Program Files\7-Zip\Lang\cc11b995f2a76d  DllCommonsvc.exe -
Drops file in Windows directory 7 IoCs
description  ioc  Process
File created  C:\Windows\system\Idle.exe  DllCommonsvc.exe
File opened for modification  C:\Windows\system\Idle.exe  DllCommonsvc.exe
File created  C:\Windows\system\6ccacd8608530f  DllCommonsvc.exe
File created  C:\Windows\Registration\CRMLog\spoolsv.exe  DllCommonsvc.exe
File created  C:\Windows\Registration\CRMLog\f3b6ecef712a24  DllCommonsvc.exe
File created  C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\lsass.exe  DllCommonsvc.exe
File created  C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\6203df4a6bafc7  DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_bf73d3ce0d72b81c8e1a7d65206ee14bf9d147052c6d453c2313a0adf7603bd5.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process (45 schtasks.exe instances)
2736, 572, 2260, 1820, 1572, 1276, 1368, 1892, 2332, 1640, 2720, 2364, 1956, 1724, 2200, 2180, 2184, 2388, 2300, 1376, 324, 1648, 2776, 1084, 600, 896, 1728, 3008, 2772, 2072, 1352, 1776, 2824, 2040, 768, 1804, 2224, 1840, 796, 1944, 2336, 2932, 2016, 868, 2188  schtasks.exe -
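Reading the schtasks.exe command lines under Processes, every dropped binary gets the same three tasks: a <name>-plus-one-letter task on a MINUTE interval, a <name> task at ONLOGON with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST. The following is an added example, not part of the Triage report and not the sample's code: a parser for schtasks /create command lines and a grouping that reports, per target binary, whether it received an ONLOGON task plus an interval task and whether any of them run at HIGHEST. The nine sample lines (Idle, spoolsv, csrss) are copied from the Processes section; the "Backup" line is a constructed benign control.

```python
import re
from collections import defaultdict

# One regex per schtasks.exe /create switch, matching the quoting the sample
# uses: double quotes around values, and a single-quoted path inside /tr.
FLAG_RE = {
    "name": r'/tn\s+"([^"]+)"',
    "schedule": r'/sc\s+(\S+)',
    "modifier": r'/mo\s+(\d+)',
    "target": r'''/tr\s+"'?([^"']+)'?"''',
    "runlevel": r'/rl\s+(\S+)',
}


def parse_schtasks_create(cmdline):
    """Parse a 'schtasks /create' command line into its fields.
    Returns None for other schtasks verbs (/query, /delete, ...)."""
    if not re.search(r"schtasks(?:\.exe)?\s+/create\b", cmdline, re.IGNORECASE):
        return None
    task = {}
    for key, pattern in FLAG_RE.items():
        m = re.search(pattern, cmdline, re.IGNORECASE)
        task[key] = m.group(1) if m else None
    task["force"] = re.search(r"\s/f\b", cmdline, re.IGNORECASE) is not None
    return task


def persistence_sets(cmdlines):
    """Group /create tasks by target binary and report, per target, whether it
    gets the pattern seen in this run: an ONLOGON task plus at least one
    MINUTE-interval task, with at least one of them at /rl HIGHEST."""
    by_target = defaultdict(list)
    for cmdline in cmdlines:
        task = parse_schtasks_create(cmdline)
        if task and task["target"]:
            by_target[task["target"].lower()].append(task)
    report = {}
    for target, tasks in by_target.items():
        schedules = {t["schedule"].upper() for t in tasks if t["schedule"]}
        report[target] = {
            "tasks": len(tasks),
            "names": sorted({t["name"] for t in tasks if t["name"]}),
            "onlogon_and_interval": {"ONLOGON", "MINUTE"} <= schedules,
            "highest": any((t["runlevel"] or "").upper() == "HIGHEST" for t in tasks),
        }
    return report


# Nine command lines copied from the Processes section, plus one constructed
# benign task as a control.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\system\Idle.exe'" /f''',
    r'''schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\system\Idle.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\system\Idle.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\Registration\CRMLog\spoolsv.exe'" /f''',
    r'''schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\spoolsv.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\Registration\CRMLog\spoolsv.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\en-US\csrss.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\en-US\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "Backup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe" /f''',  # constructed control
]

if __name__ == "__main__":
    for target, info in persistence_sets(SAMPLE_CMDLINES).items():
        print(f"{target}: {info['tasks']} task(s) {info['names']} "
              f"onlogon+interval={info['onlogon_and_interval']} highest={info['highest']}")
```

The grouping key is the target path, not the task name: the task names here (Idle, IdleI, csrss, csrssc) are chosen to blend in, while the target path is what distinguishes a dropped copy under Program Files from anything legitimate. Real command lines may quote differently or omit /rl; the per-switch regexes tolerate missing switches but only the quoting forms shown.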
Suspicious behavior: EnumeratesProcesses 38 IoCs
pid  Process
1996  DllCommonsvc.exe (11 entries)
2676  powershell.exe
1676  powershell.exe
1616  powershell.exe
2548  powershell.exe
1948  powershell.exe
2624  powershell.exe
2196  powershell.exe
1624  powershell.exe
2708  csrss.exe
1268  powershell.exe
1520  powershell.exe
2432  powershell.exe
1596  powershell.exe
1720  powershell.exe
3056  powershell.exe
2132  powershell.exe
2404  powershell.exe
2268  csrss.exe
1972  csrss.exe
2104  csrss.exe
2732  csrss.exe
2468  csrss.exe
2448  csrss.exe
2968  csrss.exe
2920  csrss.exe
1388  csrss.exe
2032  csrss.exe -
Suspicious use of AdjustPrivilegeToken 28 IoCs
description: Token: SeDebugPrivilege (all 28 entries)
pid  Process
1996  DllCommonsvc.exe
2708  csrss.exe
2676  powershell.exe
1676  powershell.exe
1616  powershell.exe
2548  powershell.exe
1948  powershell.exe
2624  powershell.exe
2196  powershell.exe
1624  powershell.exe
1268  powershell.exe
1520  powershell.exe
2432  powershell.exe
1596  powershell.exe
1720  powershell.exe
3056  powershell.exe
2132  powershell.exe
2404  powershell.exe
2268  csrss.exe
1972  csrss.exe
2104  csrss.exe
2732  csrss.exe
2468  csrss.exe
2448  csrss.exe
2968  csrss.exe
2920  csrss.exe
1388  csrss.exe
2032  csrss.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description (pid -> pid_target)  Process  procid_target  entries
PID 2416 wrote to memory of 1040  JaffaCakes118_bf73d3ce0d72b81c8e1a7d65206ee14bf9d147052c6d453c2313a0adf7603bd5.exe  30  x4
PID 1040 wrote to memory of 2528  WScript.exe  31  x4
PID 2528 wrote to memory of 1996  cmd.exe  33  x4
PID 1996 wrote to memory of 1948  DllCommonsvc.exe  80  x3
PID 1996 wrote to memory of 1676  DllCommonsvc.exe  81  x3
PID 1996 wrote to memory of 2676  DllCommonsvc.exe  82  x3
PID 1996 wrote to memory of 1520  DllCommonsvc.exe  83  x3
PID 1996 wrote to memory of 2624  DllCommonsvc.exe  84  x3
PID 1996 wrote to memory of 2196  DllCommonsvc.exe  85  x3
PID 1996 wrote to memory of 2548  DllCommonsvc.exe  86  x3
PID 1996 wrote to memory of 3056  DllCommonsvc.exe  87  x3
PID 1996 wrote to memory of 1616  DllCommonsvc.exe  88  x3
PID 1996 wrote to memory of 1596  DllCommonsvc.exe  89  x3
PID 1996 wrote to memory of 1624  DllCommonsvc.exe  90  x3
PID 1996 wrote to memory of 2132  DllCommonsvc.exe  91  x3
PID 1996 wrote to memory of 1268  DllCommonsvc.exe  93  x3
PID 1996 wrote to memory of 2432  DllCommonsvc.exe  95  x3
PID 1996 wrote to memory of 2404  DllCommonsvc.exe  98  x3
PID 1996 wrote to memory of 1720  DllCommonsvc.exe  100  x3
PID 1996 wrote to memory of 2708  DllCommonsvc.exe  112  x3
PID 2708 wrote to memory of 2092  csrss.exe  113  x1 -
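The WriteProcessMemory entries above are the parent-to-child edges of the tree shown under Processes. The following is an added example, not part of the Triage report and not the sample's code: it rebuilds that tree from (pid, ppid, image, cmdline) events and looks for the restart loop the sample runs, csrss.exe launching cmd.exe /C <random>.bat, which runs w32tm /stripchart as a short delay and then a fresh csrss.exe, eleven levels deep in this report. It resolves each parent by the most recent earlier record with that pid, because the sandbox reused pid 2448 (cmd.exe at depth 10, then csrss.exe at depth 17) and a lookup keyed on pid alone would attach the depth-18 cmd.exe to the wrong parent. The 27 events are transcribed from the Processes section; the root's ppid of 0 is an assumption, since the report does not show a parent for the submitted sample.

```python
import ntpath
from collections import defaultdict


def build_tree(events):
    """Resolve each event's parent as the most recent earlier record with
    that pid, so a reused pid attaches the child to the right process.
    Returns node dicts (in event order) with parent/children indices."""
    nodes, latest_by_pid = [], {}
    for pid, ppid, image, cmdline in events:
        parent_idx = latest_by_pid.get(ppid)
        node = {"idx": len(nodes), "pid": pid, "ppid": ppid, "image": image,
                "name": ntpath.basename(image).lower(), "cmdline": cmdline,
                "parent": parent_idx, "children": []}
        if parent_idx is not None:
            nodes[parent_idx]["children"].append(node["idx"])
        nodes.append(node)
        latest_by_pid[pid] = node["idx"]
    return nodes


def ancestors(nodes, idx):
    """Yield ancestor nodes from the immediate parent up to the root."""
    while nodes[idx]["parent"] is not None:
        idx = nodes[idx]["parent"]
        yield nodes[idx]


def depth(nodes, idx):
    return sum(1 for _ in ancestors(nodes, idx))


def reused_pids(nodes):
    """pid -> node indices, for pids that appear more than once."""
    seen = defaultdict(list)
    for n in nodes:
        seen[n["pid"]].append(n["idx"])
    return {pid: idxs for pid, idxs in seen.items() if len(idxs) > 1}


def batch_respawns(nodes):
    """(child_idx, grandparent_idx) for every process started by a
    'cmd.exe /C <file>.bat' whose grandparent has the same image name:
    the self-relaunch-through-batch loop in this report."""
    hits = []
    for n in nodes:
        p = nodes[n["parent"]] if n["parent"] is not None else None
        if p is None or p["name"] != "cmd.exe" or ".bat" not in p["cmdline"].lower():
            continue
        gp = nodes[p["parent"]] if p["parent"] is not None else None
        if gp is not None and gp["name"] == n["name"]:
            hits.append((n["idx"], gp["idx"]))
    return hits


CSRSS = r"C:\Program Files\Windows Defender\en-US\csrss.exe"
CMD = r"C:\Windows\System32\cmd.exe"
W32TM = r"C:\Windows\system32\w32tm.exe"
W32TM_CMD = "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def bat(name):  # cmd.exe command line as it appears in the report
    return f'"{CMD}" /C "C:\\Users\\Admin\\AppData\\Local\\Temp\\{name}.bat"'


# (pid, ppid, image, cmdline), transcribed from the Processes section.
# ppid 0 for the submitted sample is an assumption.
SAMPLE_EVENTS = [
    (2416, 0, r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bf73d3ce0d72b81c8e1a7d65206ee14bf9d147052c6d453c2313a0adf7603bd5.exe", ""),
    (1040, 2416, r"C:\Windows\SysWOW64\WScript.exe", r'"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"'),
    (2528, 1040, r"C:\Windows\SysWOW64\cmd.exe", r'cmd /c ""C:\providercommon\1zu9dW.bat" "'),
    (1996, 2528, r"C:\providercommon\DllCommonsvc.exe", r'"C:\providercommon\DllCommonsvc.exe"'),
    (1948, 1996, PS, r"powershell -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'"),
    (2708, 1996, CSRSS, f'"{CSRSS}"'),
    (2092, 2708, CMD, bat("BcIiUXCUMc")),
    (2120, 2092, W32TM, W32TM_CMD),
    (2268, 2092, CSRSS, f'"{CSRSS}"'),
    (2752, 2268, CMD, bat("oVhzrLBDaJ")),
    (2304, 2752, W32TM, W32TM_CMD),
    (1972, 2752, CSRSS, f'"{CSRSS}"'),
    (2448, 1972, CMD, bat("voEVGuhWUp")),
    (2224, 2448, W32TM, W32TM_CMD),
    (2104, 2448, CSRSS, f'"{CSRSS}"'),
    (2776, 2104, CMD, bat("vad0LeRbBz")),
    (3032, 2776, W32TM, W32TM_CMD),
    (2732, 2776, CSRSS, f'"{CSRSS}"'),
    (2464, 2732, CMD, bat("rjTee716Rl")),
    (2644, 2464, W32TM, W32TM_CMD),
    (2468, 2464, CSRSS, f'"{CSRSS}"'),
    (2460, 2468, CMD, bat("8Usvo58uhQ")),
    (1992, 2460, W32TM, W32TM_CMD),
    (2448, 2460, CSRSS, f'"{CSRSS}"'),   # pid 2448 reused: was cmd.exe above
    (572, 2448, CMD, bat("jBrSCX6wbi")),  # must attach to the csrss.exe 2448
    (2712, 572, W32TM, W32TM_CMD),
    (2968, 572, CSRSS, f'"{CSRSS}"'),
]

if __name__ == "__main__":
    tree = build_tree(SAMPLE_EVENTS)
    print("reused pids:", reused_pids(tree))
    for child, gp in batch_respawns(tree):
        print(f"{tree[child]['name']} pid {tree[child]['pid']} at depth {depth(tree, child)} "
              f"relaunched from pid {tree[gp]['pid']} via {tree[tree[child]['parent']]['cmdline']}")
```

Keying a tree on (pid, creation order) instead of pid alone is the general fix; on a real host use the process start time or the EDR's unique process GUID for the same purpose. The loop detector deliberately ignores the w32tm.exe children, which share the batch parent but not the grandparent's image name.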
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bf73d3ce0d72b81c8e1a7d65206ee14bf9d147052c6d453c2313a0adf7603bd5.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bf73d3ce0d72b81c8e1a7d65206ee14bf9d147052c6d453c2313a0adf7603bd5.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2416
  [2] C:\Windows\SysWOW64\WScript.exe
      cmd: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:1040
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c ""C:\providercommon\1zu9dW.bat" "
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID:2528
      [4] C:\providercommon\DllCommonsvc.exe
          cmd: "C:\providercommon\DllCommonsvc.exe"
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID:1996
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:1948
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\Idle.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:1676
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\spoolsv.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:2676
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\Idle.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:1520
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:2624
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\winlogon.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:2196
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\OSPPSVC.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:2548
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\en-US\csrss.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:3056
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\WmiPrvSE.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:1616
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\cmd.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:1596
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:1624
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\lsass.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:2132
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:1268
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\es-ES\wininit.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:2432
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:2404
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:1720
        [5] C:\Program Files\Windows Defender\en-US\csrss.exe
            cmd: "C:\Program Files\Windows Defender\en-US\csrss.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID:2708
          [6] C:\Windows\System32\cmd.exe
              cmd: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BcIiUXCUMc.bat"
              PID:2092
            [7] C:\Windows\system32\w32tm.exe
                cmd: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                PID:2120
            [7] C:\Program Files\Windows Defender\en-US\csrss.exe
                cmd: "C:\Program Files\Windows Defender\en-US\csrss.exe"
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID:2268
              [8] C:\Windows\System32\cmd.exe
                  cmd: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oVhzrLBDaJ.bat"
                  PID:2752
                [9] C:\Windows\system32\w32tm.exe
                    cmd: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    PID:2304
                [9] C:\Program Files\Windows Defender\en-US\csrss.exe
                    cmd: "C:\Program Files\Windows Defender\en-US\csrss.exe"
                    - Executes dropped EXE
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                    PID:1972
                  [10] C:\Windows\System32\cmd.exe
                      cmd: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\voEVGuhWUp.bat"
                      PID:2448
                    [11] C:\Windows\system32\w32tm.exe
                        cmd: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        PID:2224
                    [11] C:\Program Files\Windows Defender\en-US\csrss.exe
                        cmd: "C:\Program Files\Windows Defender\en-US\csrss.exe"
                        - Executes dropped EXE
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of AdjustPrivilegeToken
                        PID:2104
                      [12] C:\Windows\System32\cmd.exe
                          cmd: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vad0LeRbBz.bat"
                          PID:2776
                        [13] C:\Windows\system32\w32tm.exe
                            cmd: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            PID:3032
                        [13] C:\Program Files\Windows Defender\en-US\csrss.exe
                            cmd: "C:\Program Files\Windows Defender\en-US\csrss.exe"
                            - Executes dropped EXE
                            - Suspicious behavior: EnumeratesProcesses
                            - Suspicious use of AdjustPrivilegeToken
                            PID:2732
                          [14] C:\Windows\System32\cmd.exe
                              cmd: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rjTee716Rl.bat"
                              PID:2464
                            [15] C:\Windows\system32\w32tm.exe
                                cmd: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                PID:2644
                            [15] C:\Program Files\Windows Defender\en-US\csrss.exe
                                cmd: "C:\Program Files\Windows Defender\en-US\csrss.exe"
                                - Executes dropped EXE
                                - Suspicious behavior: EnumeratesProcesses
                                - Suspicious use of AdjustPrivilegeToken
                                PID:2468
                              [16] C:\Windows\System32\cmd.exe
                                  cmd: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Usvo58uhQ.bat"
                                  PID:2460
                                [17] C:\Windows\system32\w32tm.exe
                                    cmd: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    PID:1992
                                [17] C:\Program Files\Windows Defender\en-US\csrss.exe
                                    cmd: "C:\Program Files\Windows Defender\en-US\csrss.exe"
                                    - Executes dropped EXE
                                    - Suspicious behavior: EnumeratesProcesses
                                    - Suspicious use of AdjustPrivilegeToken
                                    PID:2448
                                  [18] C:\Windows\System32\cmd.exe
                                      cmd: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat"
                                      PID:572
                                    [19] C:\Windows\system32\w32tm.exe
                                        cmd: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        PID:2712
                                    [19] C:\Program Files\Windows Defender\en-US\csrss.exe
                                        cmd: "C:\Program Files\Windows Defender\en-US\csrss.exe"
                                        - Executes dropped EXE
                                        - Suspicious behavior: EnumeratesProcesses
                                        - Suspicious use of AdjustPrivilegeToken
                                        PID:2968
                                      [20] C:\Windows\System32\cmd.exe
                                          cmd: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat"
                                          PID:2236
                                        [21] C:\Windows\system32\w32tm.exe
                                            cmd: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            PID:636
                                        [21] C:\Program Files\Windows Defender\en-US\csrss.exe
                                            cmd: "C:\Program Files\Windows Defender\en-US\csrss.exe"
                                            - Executes dropped EXE
                                            - Suspicious behavior: EnumeratesProcesses
                                            - Suspicious use of AdjustPrivilegeToken
                                            PID:2920
                                          [22] C:\Windows\System32\cmd.exe
                                              cmd: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat"
                                              PID:2804
                                            [23] C:\Windows\system32\w32tm.exe
                                                cmd: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                PID:1736
                                            [23] C:\Program Files\Windows Defender\en-US\csrss.exe
                                                cmd: "C:\Program Files\Windows Defender\en-US\csrss.exe"
                                                - Executes dropped EXE
                                                - Suspicious behavior: EnumeratesProcesses
                                                - Suspicious use of AdjustPrivilegeToken
                                                PID:1388
                                              [24] C:\Windows\System32\cmd.exe
                                                  cmd: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KmPq9HzxB6.bat"
                                                  PID:2216
                                                [25] C:\Windows\system32\w32tm.exe
                                                    cmd: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    PID:1792
                                                [25] C:\Program Files\Windows Defender\en-US\csrss.exe
                                                    cmd: "C:\Program Files\Windows Defender\en-US\csrss.exe"
                                                    - Executes dropped EXE
                                                    - Suspicious behavior: EnumeratesProcesses
                                                    - Suspicious use of AdjustPrivilegeToken
                                                    PID:2032
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\system\Idle.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID:2736
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\system\Idle.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID:3008
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\system\Idle.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID:2824
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\Registration\CRMLog\spoolsv.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID:2720
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\spoolsv.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID:2772
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\Registration\CRMLog\spoolsv.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID:324
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\Idle.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID:2364
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\Idle.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID:1956
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\Idle.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID:1648
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\providercommon\smss.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID:2776
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID:1840
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID:796
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\winlogon.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID:572
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\winlogon.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID:1084
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\winlogon.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID:1276
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID:600
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID:2932
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID:1944
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\en-US\csrss.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID:2040
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\csrss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID:2016
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\en-US\csrss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID:1724
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\WmiPrvSE.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID:2200
[1] C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\WmiPrvSE.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
PID:2336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\es-ES\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\es-ES\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\es-ES\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\providercommon\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188
Network
MITRE ATT&CK Enterprise v15
Downloads