Analysis
-
max time kernel
147s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
21-12-2024 18:32
Behavioral task
behavioral1
Sample
JaffaCakes118_25b231411fd9b3166d4beab0dd8ae0cfbcf68e55baa52fd278fa46898e6e0a1a.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_25b231411fd9b3166d4beab0dd8ae0cfbcf68e55baa52fd278fa46898e6e0a1a.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_25b231411fd9b3166d4beab0dd8ae0cfbcf68e55baa52fd278fa46898e6e0a1a.exe
-
Size
1.3MB
-
MD5
378006af49b98b659391f3ed91761531
-
SHA1
05b2ce29ddea4f38f5f45bc4487d16f5f093cb05
-
SHA256
25b231411fd9b3166d4beab0dd8ae0cfbcf68e55baa52fd278fa46898e6e0a1a
-
SHA512
f63dcef41d20703613cb5d7e64166b999f2e8b2f35431111b5b631da54cb4a0cfbae19e19ac984e9afef63ad0bd2ca36264557f9dd2a59a10ffb1c874aac261f
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2700 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2876 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2868 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2912 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2860 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2788 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2600 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2688 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2620 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 676 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2476 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2840 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2472 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1852 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 592 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1144 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2628 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2316 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1948 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1460 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1836 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2936 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2828 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2932 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 788 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 944 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1704 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1848 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 804 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1808 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2184 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2972 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2820 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2752 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2808 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 316 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2952 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 584 2792 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1852 2792 schtasks.exe 34 -
resource yara_rule behavioral1/files/0x0008000000016d0e-9.dat dcrat behavioral1/memory/1428-13-0x0000000000040000-0x0000000000150000-memory.dmp dcrat behavioral1/memory/2596-83-0x00000000010F0000-0x0000000001200000-memory.dmp dcrat behavioral1/memory/2152-101-0x0000000000950000-0x0000000000A60000-memory.dmp dcrat behavioral1/memory/2068-191-0x00000000013C0000-0x00000000014D0000-memory.dmp dcrat behavioral1/memory/2008-310-0x0000000000120000-0x0000000000230000-memory.dmp dcrat behavioral1/memory/2356-370-0x0000000001100000-0x0000000001210000-memory.dmp dcrat behavioral1/memory/3064-430-0x0000000001180000-0x0000000001290000-memory.dmp dcrat behavioral1/memory/1540-490-0x00000000012F0000-0x0000000001400000-memory.dmp dcrat behavioral1/memory/2604-550-0x0000000000220000-0x0000000000330000-memory.dmp dcrat behavioral1/memory/2476-610-0x0000000000150000-0x0000000000260000-memory.dmp dcrat behavioral1/memory/1380-670-0x00000000003D0000-0x00000000004E0000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2120 powershell.exe 2420 powershell.exe 2148 powershell.exe 272 powershell.exe 2452 powershell.exe 2664 powershell.exe 2060 powershell.exe 1564 powershell.exe 1096 powershell.exe 2948 powershell.exe 2408 powershell.exe 2284 powershell.exe 592 powershell.exe 2260 powershell.exe 1640 powershell.exe -
Executes dropped EXE 12 IoCs
pid Process 1428 DllCommonsvc.exe 2596 DllCommonsvc.exe 2152 lsm.exe 2068 lsm.exe 1824 lsm.exe 2008 lsm.exe 2356 lsm.exe 3064 lsm.exe 1540 lsm.exe 2604 lsm.exe 2476 lsm.exe 1380 lsm.exe -
Loads dropped DLL 2 IoCs
pid Process 2652 cmd.exe 2652 cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow ioc 22 raw.githubusercontent.com 32 raw.githubusercontent.com 12 raw.githubusercontent.com 15 raw.githubusercontent.com 18 raw.githubusercontent.com 25 raw.githubusercontent.com 29 raw.githubusercontent.com 4 raw.githubusercontent.com 5 raw.githubusercontent.com 9 raw.githubusercontent.com -
Drops file in Program Files directory 15 IoCs
description ioc Process File created C:\Program Files (x86)\Windows Photo Viewer\6203df4a6bafc7 DllCommonsvc.exe File created C:\Program Files\Windows Portable Devices\088424020bedd6 DllCommonsvc.exe File created C:\Program Files (x86)\Uninstall Information\spoolsv.exe DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft Office\Stationery\1033\101b941d020240 DllCommonsvc.exe File created C:\Program Files (x86)\Windows Mail\de-DE\WmiPrvSE.exe DllCommonsvc.exe File created C:\Program Files\Windows Portable Devices\conhost.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Mail\de-DE\24dbde2999530e DllCommonsvc.exe File created C:\Program Files\7-Zip\Lang\886983d96e3d3e DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Photo Viewer\lsass.exe DllCommonsvc.exe File opened for modification C:\Program Files (x86)\Windows Photo Viewer\lsass.exe DllCommonsvc.exe File created C:\Program Files (x86)\Uninstall Information\f3b6ecef712a24 DllCommonsvc.exe File created C:\Program Files\7-Zip\Lang\csrss.exe DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Idle.exe DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\6ccacd8608530f DllCommonsvc.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\schemas\EAPHost\DllCommonsvc.exe DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_25b231411fd9b3166d4beab0dd8ae0cfbcf68e55baa52fd278fa46898e6e0a1a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1808 schtasks.exe 316 schtasks.exe 2600 schtasks.exe 1144 schtasks.exe 2828 schtasks.exe 2316 schtasks.exe 2936 schtasks.exe 584 schtasks.exe 2700 schtasks.exe 2840 schtasks.exe 788 schtasks.exe 1704 schtasks.exe 2476 schtasks.exe 1948 schtasks.exe 2932 schtasks.exe 2472 schtasks.exe 944 schtasks.exe 804 schtasks.exe 2752 schtasks.exe 2876 schtasks.exe 2868 schtasks.exe 2688 schtasks.exe 1852 schtasks.exe 1460 schtasks.exe 2820 schtasks.exe 2952 schtasks.exe 1852 schtasks.exe 2860 schtasks.exe 2788 schtasks.exe 676 schtasks.exe 2808 schtasks.exe 2912 schtasks.exe 1836 schtasks.exe 2184 schtasks.exe 1848 schtasks.exe 2972 schtasks.exe 2620 schtasks.exe 592 schtasks.exe 2628 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid Process 1428 DllCommonsvc.exe 1428 DllCommonsvc.exe 1428 DllCommonsvc.exe 1428 DllCommonsvc.exe 1428 DllCommonsvc.exe 1428 DllCommonsvc.exe 1428 DllCommonsvc.exe 1428 DllCommonsvc.exe 1428 DllCommonsvc.exe 2060 powershell.exe 2408 powershell.exe 2148 powershell.exe 2420 powershell.exe 2260 powershell.exe 2948 powershell.exe 2284 powershell.exe 2664 powershell.exe 1640 powershell.exe 2596 DllCommonsvc.exe 2596 DllCommonsvc.exe 2596 DllCommonsvc.exe 2120 powershell.exe 1564 powershell.exe 272 powershell.exe 1096 powershell.exe 2452 powershell.exe 592 powershell.exe 2152 lsm.exe 2068 lsm.exe 1824 lsm.exe 2008 lsm.exe 2356 lsm.exe 3064 lsm.exe 1540 lsm.exe 2604 lsm.exe 2476 lsm.exe 1380 lsm.exe -
Suspicious use of AdjustPrivilegeToken 27 IoCs
description pid Process Token: SeDebugPrivilege 1428 DllCommonsvc.exe Token: SeDebugPrivilege 2060 powershell.exe Token: SeDebugPrivilege 2408 powershell.exe Token: SeDebugPrivilege 2148 powershell.exe Token: SeDebugPrivilege 2420 powershell.exe Token: SeDebugPrivilege 2260 powershell.exe Token: SeDebugPrivilege 2948 powershell.exe Token: SeDebugPrivilege 2284 powershell.exe Token: SeDebugPrivilege 2664 powershell.exe Token: SeDebugPrivilege 1640 powershell.exe Token: SeDebugPrivilege 2596 DllCommonsvc.exe Token: SeDebugPrivilege 2120 powershell.exe Token: SeDebugPrivilege 1564 powershell.exe Token: SeDebugPrivilege 2152 lsm.exe Token: SeDebugPrivilege 272 powershell.exe Token: SeDebugPrivilege 1096 powershell.exe Token: SeDebugPrivilege 2452 powershell.exe Token: SeDebugPrivilege 592 powershell.exe Token: SeDebugPrivilege 2068 lsm.exe Token: SeDebugPrivilege 1824 lsm.exe Token: SeDebugPrivilege 2008 lsm.exe Token: SeDebugPrivilege 2356 lsm.exe Token: SeDebugPrivilege 3064 lsm.exe Token: SeDebugPrivilege 1540 lsm.exe Token: SeDebugPrivilege 2604 lsm.exe Token: SeDebugPrivilege 2476 lsm.exe Token: SeDebugPrivilege 1380 lsm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1972 wrote to memory of 3036 1972 JaffaCakes118_25b231411fd9b3166d4beab0dd8ae0cfbcf68e55baa52fd278fa46898e6e0a1a.exe 30 PID 1972 wrote to memory of 3036 1972 JaffaCakes118_25b231411fd9b3166d4beab0dd8ae0cfbcf68e55baa52fd278fa46898e6e0a1a.exe 30 PID 1972 wrote to memory of 3036 1972 JaffaCakes118_25b231411fd9b3166d4beab0dd8ae0cfbcf68e55baa52fd278fa46898e6e0a1a.exe 30 PID 1972 wrote to memory of 3036 1972 JaffaCakes118_25b231411fd9b3166d4beab0dd8ae0cfbcf68e55baa52fd278fa46898e6e0a1a.exe 30 PID 3036 wrote to memory of 2652 3036 WScript.exe 31 PID 3036 wrote to memory of 2652 3036 WScript.exe 31 PID 3036 wrote to memory of 2652 3036 WScript.exe 31 PID 3036 wrote to memory of 2652 3036 WScript.exe 31 PID 2652 wrote to memory of 1428 2652 cmd.exe 33 PID 2652 wrote to memory of 1428 2652 cmd.exe 33 PID 2652 wrote to memory of 1428 2652 cmd.exe 33 PID 2652 wrote to memory of 1428 2652 cmd.exe 33 PID 1428 wrote to memory of 2260 1428 DllCommonsvc.exe 59 PID 1428 wrote to memory of 2260 1428 DllCommonsvc.exe 59 PID 1428 wrote to memory of 2260 1428 DllCommonsvc.exe 59 PID 1428 wrote to memory of 2284 1428 DllCommonsvc.exe 60 PID 1428 wrote to memory of 2284 1428 DllCommonsvc.exe 60 PID 1428 wrote to memory of 2284 1428 DllCommonsvc.exe 60 PID 1428 wrote to memory of 2148 1428 DllCommonsvc.exe 61 PID 1428 wrote to memory of 2148 1428 DllCommonsvc.exe 61 PID 1428 wrote to memory of 2148 1428 DllCommonsvc.exe 61 PID 1428 wrote to memory of 2664 1428 DllCommonsvc.exe 62 PID 1428 wrote to memory of 2664 1428 DllCommonsvc.exe 62 PID 1428 wrote to memory of 2664 1428 DllCommonsvc.exe 62 PID 1428 wrote to memory of 1640 1428 DllCommonsvc.exe 63 PID 1428 wrote to memory of 1640 1428 DllCommonsvc.exe 63 PID 1428 wrote to memory of 1640 1428 DllCommonsvc.exe 63 PID 1428 wrote to memory of 2420 1428 DllCommonsvc.exe 64 PID 1428 wrote to memory of 2420 1428 DllCommonsvc.exe 64 PID 1428 wrote to memory of 2420 1428 DllCommonsvc.exe 64 PID 1428 wrote to memory of 2408 1428 DllCommonsvc.exe 66 PID 1428 wrote to memory of 2408 1428 DllCommonsvc.exe 66 PID 1428 wrote to memory of 2408 1428 DllCommonsvc.exe 66 PID 1428 wrote to memory of 2948 1428 DllCommonsvc.exe 67 PID 1428 wrote to memory of 2948 1428 DllCommonsvc.exe 67 PID 1428 wrote to memory of 2948 1428 DllCommonsvc.exe 67 PID 1428 wrote to memory of 2060 1428 DllCommonsvc.exe 69 PID 1428 wrote to memory of 2060 1428 DllCommonsvc.exe 69 PID 1428 wrote to memory of 2060 1428 DllCommonsvc.exe 69 PID 1428 wrote to memory of 1496 1428 DllCommonsvc.exe 77 PID 1428 wrote to memory of 1496 1428 DllCommonsvc.exe 77 PID 1428 wrote to memory of 1496 1428 DllCommonsvc.exe 77 PID 1496 wrote to memory of 1636 1496 cmd.exe 79 PID 1496 wrote to memory of 1636 1496 cmd.exe 79 PID 1496 wrote to memory of 1636 1496 cmd.exe 79 PID 1496 wrote to memory of 2596 1496 cmd.exe 81 PID 1496 wrote to memory of 2596 1496 cmd.exe 81 PID 1496 wrote to memory of 2596 1496 cmd.exe 81 PID 2596 wrote to memory of 1564 2596 DllCommonsvc.exe 97 PID 2596 wrote to memory of 1564 2596 DllCommonsvc.exe 97 PID 2596 wrote to memory of 1564 2596 DllCommonsvc.exe 97 PID 2596 wrote to memory of 272 2596 DllCommonsvc.exe 98 PID 2596 wrote to memory of 272 2596 DllCommonsvc.exe 98 PID 2596 wrote to memory of 272 2596 DllCommonsvc.exe 98 PID 2596 wrote to memory of 592 2596 DllCommonsvc.exe 99 PID 2596 wrote to memory of 592 2596 DllCommonsvc.exe 99 PID 2596 wrote to memory of 592 2596 DllCommonsvc.exe 99 PID 2596 wrote to memory of 2452 2596 DllCommonsvc.exe 100 PID 2596 wrote to memory of 2452 2596 DllCommonsvc.exe 100 PID 2596 wrote to memory of 2452 2596 DllCommonsvc.exe 100 PID 2596 wrote to memory of 2120 2596 DllCommonsvc.exe 101 PID 2596 wrote to memory of 2120 2596 DllCommonsvc.exe 101 PID 2596 wrote to memory of 2120 2596 DllCommonsvc.exe 101 PID 2596 wrote to memory of 1096 2596 DllCommonsvc.exe 102 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_25b231411fd9b3166d4beab0dd8ae0cfbcf68e55baa52fd278fa46898e6e0a1a.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_25b231411fd9b3166d4beab0dd8ae0cfbcf68e55baa52fd278fa46898e6e0a1a.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2260
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2284
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\de-DE\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2148
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2664
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1640
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2420
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2408
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Saved Games\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2948
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2060
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YtdDrdHd9N.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:1636
-
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1564
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WMIADAP.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:272
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:592
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2452
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\csrss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2120
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1096
-
-
C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe"C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2152 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat"8⤵PID:2988
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:2308
-
-
C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe"C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2068 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tYG4XGbOex.bat"10⤵PID:3048
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:896
-
-
C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe"C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat"12⤵PID:1168
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:2828
-
-
C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe"C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat"14⤵PID:2664
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:2312
-
-
C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe"C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2356 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat"16⤵PID:2092
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:2704
-
-
C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe"C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3064 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat"18⤵PID:2628
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:2228
-
-
C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe"C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1540 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat"20⤵PID:2396
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:2524
-
-
C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe"C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat"22⤵PID:2240
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:1012
-
-
C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe"C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2476 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KVYyjDtEXm.bat"24⤵PID:1004
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:1724
-
-
C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe"C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe"25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1380
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Start Menu\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Start Menu\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Saved Games\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Saved Games\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\providercommon\WMIADAP.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5202e1a3f49cbb5112334d83081952c16
SHA13b77c43cb7af7eb6db50c90128ebafe526e52100
SHA256b27bac8de87b65c46abd2e7aa426d15e73e5a1d3ac5fc15953584a5d819d5c44
SHA512302b2788a292ed5068228897f95dd2497861afd8f0467bbb92b65a2f17370bb886f2f5c8fafebdae469175f428fb64d17937cbfa54d47655807469f12d0bc3ce
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5e2c0871ee9473f12b75d9c8b4b0489d2
SHA19eaacff29ff8698d9da7eb4e0d64211e75cdf42d
SHA256e6fff40a7393f8a0a63f8023e3e3d753bada377d7a6a2cafa52bd78d9ca8fd7f
SHA51268f546082fdf04eb9aa64caf1d68be457fc7ad69a8bca6756eff16e4b28940c59469dc78824120ccf1a37f16d54117255b87431a3e5eb06c588109bbf3c059ba
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5eb5ced5e96ffb5eb9ca2427b91404a38
SHA1e9e2a9a106c7a1caae7ebd53e14ea030755d8001
SHA2560d79955d3c406c38206ca17d9a1f72f1ffc1e538dcf25111549307fd607bdcef
SHA51214ad56fe673e7f715a2bf54e53b480c3e806304360986e2ce075dd56235ac4e42d5bbfc72c4b1ab19d659aeb3e326fd2ab2a4a54c8154813e073e58d8a86009f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD589e865f14c7c39679efdf0d2553a9eaa
SHA1d76c3f8e21c237998722bae33706d801cda1762e
SHA2562979ad03f4bf53ea3a10c8356344afd48126e0322bdfe42d7089b19e6914c73c
SHA512c695484cc8631695977e1934a0aeeefaab97af935f3ad10715f7f529f05aa11b4dc4807524c12a65faba7d252661efbd6a8cf81c5a1e0269fc112c0f09f156f8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5bfd52ec299fcd7c4d020b63c659112cc
SHA1307b072de0ab2f3f52f6d6ef5971e6e392f6580a
SHA2561bc62ccaef1f1beff0791dda7a8c1b390a653341e54ec2ccf58194ff0b6529f0
SHA5128c94bbf2aa78f6f47b0677df6739f3f778c3cc0638995da5fee910b785ecef1892a49770f2fcabae161082fada18b06028f12b6cb394201729fb38df9ecc4bd1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD577819f8daeb4528ee6b58401af1cc33f
SHA19f9b04066c0ae82445142076d80837e1970b3e01
SHA2567e4ab2398e9bbdfc5fa20fe3f087e4b00718257a6e9a3e656f27378801c21eec
SHA512bed52d9bff68475d1d7e3301c8f5a822da156e6cc48b7090735a37329edf53c34cbac7da451cfd7799f593e165bee991f2b3595b10f23e5258901cb5618624f4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD564b8af758913f3755bfef3a61b4de612
SHA15360ddfc41953c5b5cac948544bb7742970c1151
SHA25643b0c785516bf9cf5aa7625d17829901853a4055623ab1c564830b1a9bc8a4de
SHA51212b7cca6c208b92880588a6b778c389e5fe923d6cb012ca6f92a3cd4005b36f44c33de18f57fa42d044a30f022701408305d61019725b6549db394f609f8276c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD59ae897d8ef747ffaba71c32b1911ea07
SHA1e2c4a696d60fb276ac63fed71b2aadbe815a861e
SHA256ce7e89a1f71c04c7b84a402080a9253b65b01c9ce9221203916c6ac0fc9dd5eb
SHA5124423d0dd6b3e60ddbb56188f9b49b2574c9192d5b75be17c9f6d92e7d8246caa128b9b002cb79b90b0b57fca0bbbaa8dcbe23b48b1a694864c67fc24faaa5d43
-
Filesize
228B
MD5e58b5d98c8834c619d74207cff57b98b
SHA188ab5989b6bb97ee00a33f90b05b9e908bed050b
SHA25663e322db3a4ed4f1e8748eff5e083800029a01f7d73b161c84b7fafc90ba0d4f
SHA51277e94552aefa7c591bd368bd8b6e933d3c73898156a9d8cf16df1121c2951f2bdc31b0f86cc1e000233e126dec060e2a9084901cc6fd4d59365ace866b4dee0f
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
228B
MD5cd1b4610783aba83a6d58399033311bc
SHA115f2051ae0b6433acfd3cff4d7bd89eb5068fbc7
SHA2567d946e5fb274255d18ebc9fe835005744336d690e215df00edcb3261e7c00378
SHA512885dc0a3f1789624d1d61bc982041b1b3046af4b76d8993bebf27f30d90285708d8348faad1379b116062be5084f7a8a80270b39febc8f35af9093f0e295dbea
-
Filesize
228B
MD51848e3cc522c4699f7dc7cc951979edf
SHA172b0244c82eab3f0e0550fe9500bef08e72999b5
SHA25626b56da88df486c7c65ef6366d89a272cff766a9485a05906ebfff674dfd8d0d
SHA512f8213f076c12f8f555aadf3ec22fa976ceb8491cb89309b72a581b2412656b038f9fc9a5287413b6ead471a59918e7fb172234ff42ea401b780fc869dade5a64
-
Filesize
228B
MD5dc9be7e231537809d1c97c83678bf21c
SHA1fceed099cb85dd4766fa98caf4b14acdef55cdbc
SHA256da0e92ebfb05d595d8993b90fa66244e7fe53408d3b55851e3528e7cc5387431
SHA512d024aba4900fcb6742ea71b0d307a458dbe200e377c029f7edb342978fd5c5604fdf570e419baabed29dbc936e0448e787e16640201b4f31044f9c784c9d5df5
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
228B
MD54921af15fe5e5b81e34d583196141baf
SHA171d6e9dbacceeeb9eaee7d391a52f4d79f80428c
SHA256e14888907e525b2435a2a865f7f774aa27fdb689b21f5fb4aa093b750dce0be1
SHA512a430975de19a60252c9d09e1b5260f8734f97738a77616c60de45d8468230b52007420098992858030ba79c5682c7fe1d6a2d4caca0b530c83a573e54730acdf
-
Filesize
199B
MD5b8bb9086e3e9636f10c86303810cfa1c
SHA1180e40b3e4016e87d678673f38d267bc5aa0a337
SHA256338e44cd08aa3278cb31242ea8f4566bff246805c319b2d0514df07870d2ff96
SHA51202322436bf95a57349e6d748aa9c05a1412190d93ac79d025c63af7af5a661d88019e4508d232a39e93312d072ad835f48efcbc01d4c609870023e84ed242be0
-
Filesize
228B
MD5b12740bfd0f4656350ee80626b31b698
SHA1056612adcc00d2a22935422d4f152b72492dd140
SHA256975c82d743d1c2887d7bd46e1bf86fb70e851144e48f46801bef2d4a80a94b91
SHA512c7c8940fd5037e2d1d17a5d064c52ba4be2570681f2619098619425de89b80a3df6d44a511b0998ac6f33c489edeef3753226d0ee55685626a663489e7788c90
-
Filesize
228B
MD5a8ed6df5142e62ace1d49711630dc32e
SHA1b4070d4f217b2574a55fad985ad35ffaec1affb3
SHA2569b9e0b7e7675fffe8bf644bae83f45f3ef221263906305b6e5ef9bc0c88a5d92
SHA5124e555b6ee10de9a46635affe982b7e7da580875fc1c3ba0d3a2da89158f7f73f1ab9bc9e1a682ebeb1c99a4feba534eff0c62e74e46b12969b009a1093a3a6c9
-
Filesize
228B
MD52326fa76f1200322667b57d4e8468e0c
SHA1dd2904bf68f272c25b3100e19d1ebf0511dd74eb
SHA25606b9ecfd52018979683ffd90636c97cee35d05dece76dabadfa511edc21da054
SHA5125dd0a27e7a0517072e413b89a107f2ef2cc7be8b62e85167a12c92d818c6b0bde59a4aab70bc03ef5294c8d6a7a9b85b12f610d40761230b85f76f78748b12d7
-
Filesize
228B
MD55e5f4c24db333c4304b4675156600c39
SHA1db70f9dddfebee3da15864b5eab0c2455f68daac
SHA25627f8ea595141fdaaac420655d0a67970292bb8b2e936f23b88ef1397c5589691
SHA5122ac52945ec26a7c4a472bcd6731c458ed53be578372c1333939ae10c8aa3546cf1c4147f863c84a7eb998b784a3a118d1cd6b3ca53fad853d402510645d702a3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD53d24c9b0473704bad71c06979c47bed4
SHA12bde3d9e38e888030eefbdb2224dec88e859d10e
SHA2566059952a3136dbddc9dc5050d62aa73304694e888219f10bc64fe5922417a266
SHA512d135b439452b0cc6368595fcbde70db33b0050648020563f5b0fd258c804547634cdd63e91567ab93c82e16d61dcccb04d00e48a5f413a11586b34efe3d04cc4
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394