Analysis
-
max time kernel: 148s
max time network: 143s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 19:25
Behavioral task: behavioral1
Sample: JaffaCakes118_f4c2f82fee6facc3133c1d9a271e17447fdfd17212743df0ac13e3069ef4a92b.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: JaffaCakes118_f4c2f82fee6facc3133c1d9a271e17447fdfd17212743df0ac13e3069ef4a92b.exe
Resource: win10v2004-20241007-en
General
-
Target: JaffaCakes118_f4c2f82fee6facc3133c1d9a271e17447fdfd17212743df0ac13e3069ef4a92b.exe
Size: 1.3MB
MD5: c95ef4f2b64f90c5eb9891a2f6d6cddb
SHA1: 8537bcb9f79fff7c9d26d61d1dc13703c94e3ac3
SHA256: f4c2f82fee6facc3133c1d9a271e17447fdfd17212743df0ac13e3069ef4a92b
SHA512: c13d2c293a296a54c53335ba56ed8e875f4147f5d327ae77c670f048548ed8ca1e730a190ebbe94d9dbb552e68c2fb9140eb2d7a053698fbac7bfbc27fa0134b
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Executes dropped EXE 11 IoCs
pid | Process
2752 | DllCommonsvc.exe
2044 | wininit.exe
2900 | wininit.exe
1616 | wininit.exe
904 | wininit.exe
844 | wininit.exe
1876 | wininit.exe
3000 | wininit.exe
2152 | wininit.exe
2476 | wininit.exe
1540 | wininit.exe
-
Loads dropped DLL 2 IoCs
pid | Process
1764 | cmd.exe
1764 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow | ioc
19 | raw.githubusercontent.com
22 | raw.githubusercontent.com
26 | raw.githubusercontent.com
33 | raw.githubusercontent.com
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
15 | raw.githubusercontent.com
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com
29 | raw.githubusercontent.com
-
Drops file in Program Files directory 7 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\OSPPSVC.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\1610b97d3ab4a7 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Sidebar\lsass.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\lsass.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Sidebar\6203df4a6bafc7 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Portable Devices\dwm.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Portable Devices\6cb0b6c459d5d3 | DllCommonsvc.exe
-
Drops file in Windows directory 11 IoCs
description | ioc | Process
File created | C:\Windows\PCHEALTH\dwm.exe | DllCommonsvc.exe
File created | C:\Windows\servicing\Sessions\explorer.exe | DllCommonsvc.exe
File created | C:\Windows\PolicyDefinitions\es-ES\wininit.exe | DllCommonsvc.exe
File created | C:\Windows\PolicyDefinitions\es-ES\56085415360792 | DllCommonsvc.exe
File created | C:\Windows\it-IT\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Windows\ehome\MCX\X02\spoolsv.exe | DllCommonsvc.exe
File created | C:\Windows\ehome\MCX\X02\f3b6ecef712a24 | DllCommonsvc.exe
File created | C:\Windows\ModemLogs\audiodg.exe | DllCommonsvc.exe
File created | C:\Windows\ModemLogs\42af1c969fbb7b | DllCommonsvc.exe
File created | C:\Windows\PCHEALTH\6cb0b6c459d5d3 | DllCommonsvc.exe
File created | C:\Windows\it-IT\csrss.exe | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_f4c2f82fee6facc3133c1d9a271e17447fdfd17212743df0ac13e3069ef4a92b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 37 IoCs
Suspicious use of AdjustPrivilegeToken 29 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Each entry gives the process image, its command line and its nesting depth in the process tree (a depth N entry is a child of the nearest preceding depth N-1 entry).
-
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f4c2f82fee6facc3133c1d9a271e17447fdfd17212743df0ac13e3069ef4a92b.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f4c2f82fee6facc3133c1d9a271e17447fdfd17212743df0ac13e3069ef4a92b.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2160
-
Process (depth 2): C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2824
-
Process (depth 3): C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1764
-
Process (depth 4): C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2752
-
Process (depth 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2792
-
Process (depth 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\lsass.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2468
-
Process (depth 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1600
-
Process (depth 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\audiodg.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1592
-
Process (depth 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\dwm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1588
-
Process (depth 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2840
-
Process (depth 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2796
-
Process (depth 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Music\wininit.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2680
-
Process (depth 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2848
-
Process (depth 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\OSPPSVC.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2736
-
Process (depth 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2824
-
Process (depth 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2832
-
Process (depth 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Music\cmd.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2600
-
Process (depth 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\audiodg.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2712
-
Process (depth 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2580
-
Process (depth 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\MCX\X02\spoolsv.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2588
-
Process (depth 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\es-ES\wininit.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2596
-
Process (depth 5): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2620
-
Process (depth 5): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Hv928MovAA.bat"
PID: 2276
-
Process (depth 6): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 904
-
Process (depth 6): C:\Windows\PolicyDefinitions\es-ES\wininit.exe
Command line: "C:\Windows\PolicyDefinitions\es-ES\wininit.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2044
-
Process (depth 7): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wLA3izB53h.bat"
PID: 1724
-
Process (depth 8): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 844
-
Process (depth 8): C:\Windows\PolicyDefinitions\es-ES\wininit.exe
Command line: "C:\Windows\PolicyDefinitions\es-ES\wininit.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2900
-
Process (depth 9): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2zXOrWkEHk.bat"
PID: 2336
-
Process (depth 10): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1376
-
Process (depth 10): C:\Windows\PolicyDefinitions\es-ES\wininit.exe
Command line: "C:\Windows\PolicyDefinitions\es-ES\wininit.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1616
-
Process (depth 11): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat"
PID: 1368
-
Process (depth 12): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2808
-
Process (depth 12): C:\Windows\PolicyDefinitions\es-ES\wininit.exe
Command line: "C:\Windows\PolicyDefinitions\es-ES\wininit.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 904
-
Process (depth 13): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yvlYFj4oEg.bat"
PID: 2996
-
Process (depth 14): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2576
-
Process (depth 14): C:\Windows\PolicyDefinitions\es-ES\wininit.exe
Command line: "C:\Windows\PolicyDefinitions\es-ES\wininit.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 844
-
Process (depth 15): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8RCzlRjk6I.bat"
PID: 2120
-
Process (depth 16): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2408
-
Process (depth 16): C:\Windows\PolicyDefinitions\es-ES\wininit.exe
Command line: "C:\Windows\PolicyDefinitions\es-ES\wininit.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1876
-
Process (depth 17): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat"
PID: 976
-
Process (depth 18): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2624
-
Process (depth 18): C:\Windows\PolicyDefinitions\es-ES\wininit.exe
Command line: "C:\Windows\PolicyDefinitions\es-ES\wininit.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3000
-
Process (depth 19): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat"
PID: 2100
-
Process (depth 20): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 668
-
Process (depth 20): C:\Windows\PolicyDefinitions\es-ES\wininit.exe
Command line: "C:\Windows\PolicyDefinitions\es-ES\wininit.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2152
-
Process (depth 21): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Mv8e4zbUuN.bat"
PID: 2192
-
Process (depth 22): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1668
-
Process (depth 22): C:\Windows\PolicyDefinitions\es-ES\wininit.exe
Command line: "C:\Windows\PolicyDefinitions\es-ES\wininit.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2476
-
Process (depth 23): C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5Ad8adCyX4.bat"
PID: 576
-
Process (depth 24): C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2768
-
Process (depth 24): C:\Windows\PolicyDefinitions\es-ES\wininit.exe
Command line: "C:\Windows\PolicyDefinitions\es-ES\wininit.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1540
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\ModemLogs\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\ModemLogs\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Windows\ModemLogs\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\PCHEALTH\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\PCHEALTH\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\providercommon\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\My Music\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\My Music\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\DllCommonsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\OSPPSVC.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\it-IT\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\it-IT\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\it-IT\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Music\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default\Music\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Music\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\providercommon\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\ehome\MCX\X02\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\ehome\MCX\X02\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\ehome\MCX\X02\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\PolicyDefinitions\es-ES\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\es-ES\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\PolicyDefinitions\es-ES\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932
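The schtasks invocations above all follow one template. For each dropped copy of a Windows system-binary name (lsass.exe, csrss.exe, audiodg.exe, dwm.exe, services.exe, wininit.exe, spoolsv.exe, cmd.exe, dllhost.exe, lsm.exe) the sample registers a MINUTE-interval task without a run level, an ONLOGON task with /rl HIGHEST, and a second MINUTE-interval task with /rl HIGHEST, every one with /f. Because /f overwrites an existing task of the same name and the names are reused across drop locations (csrssc and csrss are registered for both C:\providercommon\csrss.exe and C:\Windows\it-IT\csrss.exe), only the last path registered under a given name survives in the task store; the process telemetry, unlike the task store, still shows every creation. The script below is an added example and not part of the sandbox report: it parses schtasks /create command lines as they appear in Sysmon Event ID 1 or Security 4688 CommandLine fields, flags the traits worth alerting on (system-binary name outside System32/SysWOW64, /rl HIGHEST, a sub-15-minute interval, an ONLOGON trigger) and groups the creations per target binary so the template is visible. The SYSTEM_BINARIES set, the TRUSTED_PREFIXES tuple and the two benign tasks at the end of the sample input are assumptions constructed for the example.

```python
# Added example (not from the sandbox report): parse schtasks /create command
# lines from process telemetry and flag DcRat-style persistence traits.
from __future__ import annotations

import re

# Windows binaries whose names the sample reuses for its dropped copies, and
# the only directories they are expected to run from.  Both are assumptions
# made for this example; extend them from your own baseline.
SYSTEM_BINARIES = {
    "lsass.exe", "csrss.exe", "audiodg.exe", "dwm.exe", "services.exe", "wininit.exe",
    "spoolsv.exe", "dllhost.exe", "lsm.exe", "cmd.exe", "svchost.exe", "winlogon.exe",
}
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# A token is a double-quoted string (spaces allowed) or a run of non-space.
_TOKEN = re.compile(r'"[^"]*"|\S+')

def split_task_run(tr: str) -> tuple[str, str]:
    """Split a /tr value into (executable, arguments).  DcRat wraps the path in
    single quotes inside the double quotes, so a quoted executable ends at its
    matching quote; an unquoted one ends at the first space."""
    tr = tr.strip()
    if tr and tr[0] in "'\"":
        end = tr.find(tr[0], 1)
        if end != -1:
            return tr[1:end], tr[end + 1:].strip()
    exe, _, args = tr.partition(" ")
    return exe, args

def parse_schtasks_create(cmdline: str) -> dict | None:
    """Task definition for a `schtasks.exe /create ...` line, else None."""
    tokens = _TOKEN.findall(cmdline)
    if len(tokens) < 2 or tokens[1].lower() != "/create":
        return None
    opts: dict[str, str | bool] = {}
    i = 2
    while i < len(tokens):
        if not tokens[i].startswith("/"):
            i += 1
            continue
        # A switch consumes the next token as its value unless that is a switch too (/f).
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
        opts[tokens[i][1:].lower()] = tokens[i + 1].strip('"') if has_value else True
        i += 2 if has_value else 1
    exe, args = split_task_run(str(opts.get("tr", "")))
    mo = str(opts.get("mo", ""))
    return {
        "name": str(opts.get("tn", "")),
        "schedule": str(opts.get("sc", "")).upper(),
        "modifier": int(mo) if mo.isdigit() else None,
        "runlevel": str(opts.get("rl", "LIMITED")).upper(),  # LIMITED is the default
        "force": opts.get("f") is True,
        "exe": exe,
        "args": args,
    }

def triage(task: dict) -> list[str]:
    """Findings for one task; an empty list means nothing stood out."""
    findings = []
    exe_lower = task["exe"].lower()
    binary = exe_lower.rsplit("\\", 1)[-1]
    if binary in SYSTEM_BINARIES and not exe_lower.startswith(TRUSTED_PREFIXES):
        findings.append(f"masquerade: {binary} launched from {task['exe']}")
    if task["runlevel"] == "HIGHEST":
        findings.append("runs with highest privileges (/rl HIGHEST)")
    if task["schedule"] == "MINUTE" and (task["modifier"] or 1) <= 15:
        findings.append(f"re-launched every {task['modifier'] or 1} min (watchdog persistence)")
    elif task["schedule"] == "ONLOGON":
        findings.append("re-launched at every logon")
    return findings

def triage_cmdlines(cmdlines: list[str]) -> list[tuple[str, list[str]]]:
    """[(task name, findings), ...] for every /create line, in order."""
    tasks = [t for t in map(parse_schtasks_create, cmdlines) if t is not None]
    return [(t["name"], triage(t)) for t in tasks]

def group_by_target(cmdlines: list[str]) -> dict[str, list[tuple]]:
    """Target binary -> [(schedule, modifier, run level), ...] in creation
    order; this is what exposes the three-tasks-per-payload template."""
    groups: dict[str, list[tuple]] = {}
    for t in map(parse_schtasks_create, cmdlines):
        if t is not None:
            groups.setdefault(t["exe"], []).append((t["schedule"], t["modifier"], t["runlevel"]))
    return groups

SAMPLE_CMDLINES = [
    # Copied from the process list above.
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f''',
    # Constructed benign tasks for contrast (not from the report).
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe" /f''',
    r'''schtasks.exe /create /tn "LogCleanup" /sc WEEKLY /d SUN /tr "C:\Windows\System32\cmd.exe /c del /q C:\Temp\*.log" /f''',
]

if __name__ == "__main__":
    for name, findings in triage_cmdlines(SAMPLE_CMDLINES):
        print(f"{name:14s} {'; '.join(findings) or 'no findings'}")
    for exe, triggers in group_by_target(SAMPLE_CMDLINES).items():
        print(f"{exe}: {triggers}")
```

The LogCleanup line is there to show that the name check is on location, not on the name alone: cmd.exe under System32 produces no finding, while the same name under C:\Users\Default\Music does. On a live host, pair this with the parent-process field of the same event; the report's signature block flags these schtasks.exe instances because wmiprvse.exe is not an expected parent for them.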
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 11702cc52cc92f01b8e0fbb66cd8c276
SHA1 02eb8b408c3563bff382b52951b9d2b0b7528ff8
SHA256 5d8d94d365b8cb0d733bc29bfd6b316397097aef0f67738ffac3c131c6a91d0f
SHA512 1da83d8a1874b36da6a824fa64214f1cc5e7540af65cfe6cd0d721040cc4e2e0dfd6811c73f22620e72863f5722662523133f63239d28450a98a9928f973eece
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 5744a430de616e7b0065b29884ea81be
SHA1 9f606c8b159fe220636d92a6bd0be03eb3d374ad
SHA256 64ae49414073326cb5e23875a67ab076c7f2491fee304f06fbbdce3b03c3a851
SHA512 b5d744a22fc93a6350852189d8efaa0ce5d71446ace743f775a27bdf304efa55acbf63b426c1358c741b5f3270bd7bc41b0457304ebb545bd63a54b7a905ed56
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 1b891ea7841b7dccb5711c34072dbcba
SHA1 7e946d269ed101e1f8f51f725b3999ecbae90ac7
SHA256 bd1fbc0082d71b353802a392772e4aa19355582961afd0e333469a59da9a132b
SHA512 5c90044001722b20a9ef6f278b3dfb737ef2ef3f8323bf23d08ce076d40f3b91fc1e3024cc42d0ef1f5fb7cb3e1b815662c41e08f6b203913b1735569c91f973
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 46e9af7a9e67ef34d4aed0780a2f4ffd
SHA1 d6ffb0cdd3657ee7551ffd6fc9b43c42e7df8dc2
SHA256 59557e764659bebd589c3100a71a377d98c7999d8106fbd08aa3b62460db0f12
SHA512 7e98c0312f0f91ba75b48a229e3858cabaac7ff099baca5b900a0e5c502caaf45035299bd972ec6e73d68545198da9b36b2f8ffba9b2a11195664d76bf37c239
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 09f5893fb81f9642051475cf83459660
SHA1 9fa257714960b8d4324cc3f88523778e16220d7b
SHA256 3ffe5d72fd8efc7ffa671f5cfd939d76ea6bad797cfe620c4ea4eea3c691b6e0
SHA512 72103a2366924141dcbd57d141834e25afa823b246f23b0c18dedf76ff3a1d3ae95e15574d412b724e37e43b96de7558219b1a5e6afc7e837110efa165901ae9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 733845f02ee31ee760a17130cef95572
SHA1 2685ea5651226c1729b86b442174e7042296561d
SHA256 94765ae99c52252dad274aac14b1e59213ea00176fa0bcd21c3ac22a563cecc9
SHA512 cfc7f6008199110cc8e06968e4973a04221bf4469f507afd3b6518c51246792028c036eba80e443ff3fd543f5ac4d4d2c0d20157296914c1615e5b3421fcfbb3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 3834206d086de6676182ba343b1ad2b5
SHA1 fc6368027dbfe753919deb03bb4275fa55d246b1
SHA256 59dcf5dc31509782388d3c7a434272c9102a7b6ba7c6d8c817637995722b01d5
SHA512 32f51fb9cb8e0036db618e47f739d0d9f62a7c4bb5023f39c174f8741e3301b3106d27771fada2b01ad38be68a304e000f0d544e6eee67bffe109ad913c035c7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 c5b878bff5abe9d6b0888e5dd54928ac
SHA1 c7fb9ccabc9c7d821ce173ec495d1fdc6477d417
SHA256 c6cf49e39997f83ea9d7ca9843899d49eb64b13fb61620a1d0e3b0a021484987
SHA512 84838132457d284c92e910e58adbfa881f90b7795ddeb60693396fafb11e74981713ebf04375bf597f1ff28cbca021d8433405df5bb185b1a89a6b5f8c08b81a
-
Filesize 211B
MD5 223c2158ef605296a1ed19304fc2579e
SHA1 eba09eafca7ad739ee7d6f3fbba2a43bc6d20efd
SHA256 435796614319278c13f0562fd14b96a49f666d2fc2d38091a0192e028036de18
SHA512 bc9280724bd756264e0b7c3a7da83691db73cebaa9277315f07072c7dd26cfeb4d83401c49ad4385fba591766a6634a53311d91f4ab6032263fba60760461b8d
-
Filesize 211B
MD5 8e3f12ecda693d9cfe184558f3d33632
SHA1 9d989bcadfbc14e95eea736fc5dd5774f624453e
SHA256 9f825732afff257eeaa91b5a0c8df0f9a16ef8a7a997f97e14508ee8465c71c8
SHA512 da8de3710206eaae6ad1b86c0c1d6c338300e3eb57e8ffef8a327ab980fdbfdbdb726c0ef7b2c02088329ce95bbe874720c637f0489a4bea3f9964d7c3202033
-
Filesize 211B
MD5 2c876ca82a62e040c880aa53ccc6e48f
SHA1 190a03f0043288df25705d4e4d935b2a215e3996
SHA256 68feb0317a98be3db637df131f8fd713139cf8feee4242c6a7a7ecf99188682d
SHA512 cfede145a5cf926355e4347925298ca96359039988d4d35722f50b771954552230650cb8c4c34faadeeb2918d4394ec2733119ced1c81142b2e75b70ab0dbf93
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 211B
MD5 1666b4cadbea9f7fcaf89ed142373f84
SHA1 8c4be67db481610b859f1f40e526beb8db3e3e67
SHA256 3fe637aec384537f4d22bec3fc75fe6652a64439352668849cbecdb3aac53a74
SHA512 63f93a797b4aea5e8fc0710edb1bfd2d57659914451f8221a0b56eb422486833c44b7bd310255e2d20ac4c9d49cf5b401627444fc394cacfb2c006872f057465
-
Filesize 211B
MD5 58942a18d5c5f71d093e3f2cc167fe35
SHA1 3d38943aa29afab5b53009fca2794224c0df2520
SHA256 dd8ad47b4635b1cd73e45e1f1e29cb0d86417cddf944648ef0c21924f5e8515e
SHA512 c57a9e68d8b50145080176364c48033b4b7e0173b6edf851e3d3b3626b7c15f344c897b2f07555d99c8dcb0539259a83714f4c686a6bb9521ecdcf08e69383da
-
Filesize 211B
MD5 f15e6c2fe2dca29793b21cd62244fd40
SHA1 dd24a5976e285b3379a4d4ab30b780fa6fbcfe17
SHA256 aa690d1299aa8b13f254c7bcd8f6a645cc660b7dc2cd36e7e1f0e0544d079332
SHA512 1f8f2ee6f08e1baf6a351765a9e53fd54ad3effad8335f2156511fa3ccbe0461c732d532671b3e20ecfa74a4205f5c90516df41dcb33756077b04c4a74d52fae
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 211B
MD5 91f5322fdf28b958bddf7901bf26df95
SHA1 f37b464dceb263e9ccf62a057b532c250ebf307c
SHA256 d8af9a07a1bed84e7fe006b42f334501465b32306a8e26243741ed3aa2784a62
SHA512 262b05b805ad3a12acf3ab779eb4d8b1f9fb04e0cd00710519e8c2b5f4e3ba6b297abb26b546235dc854f45b3766c0fbab94f8eb877a1b1cbd1e86fe84b07f53
-
Filesize 211B
MD5 94079e22a15962eba3ce18883440f54a
SHA1 5b793cd2dd68e02382f486e19765fae83bf468cb
SHA256 66b1531658c02cf8aa3e10bb5599ddb3745154b085379100a1103c4c1561520a
SHA512 8c3e34e6865c54adfa3601f3a7eb84f7ffc8954d641fc4233f402862a107507ed5c639a58bdd3740e1ffc418a6b86f10241c3538624fd54c890b8fdc61a675e4
-
Filesize 211B
MD5 ca1c583249b22fd78509d2326b695ff2
SHA1 b9807a8ed426377bcc606bf56a65b8165f144932
SHA256 d31906a46c3bda7cb17b3ccdf1d7c05dcb0b95a26cece703932e573137aeaf39
SHA512 701c8bbd2b7a56bcb8abbaa5c10bd7a5150527acce80edb5a52c2b9d73e06b7e18be85fddb80d13cc1d128869a18abf68cf765f2792e69931df2d72e120e6329
-
Filesize 211B
MD5 2427d048ce19b9e3a1e12116276e00d7
SHA1 2a17957c2fd3d3d084c00655b77849efaad525a3
SHA256 9bd3764f7018f17a90c001ecd3a30658afe3d748aae82ebed9f59398b3e60914
SHA512 8bad6ab28bba4f42975a30343c65a261f39353a72fb8f09538d43f088408e6b19a4ef2833cd432227882c167cb1f89b0a44f7303082b32b4aa5f62d205878c6e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2G4QTMPJL3IRZCEZX4JX.temp
Filesize 7KB
MD5 1bd5abdc78b114ce930338e79bb67120
SHA1 a98d470b39cc79093722c86c5919943606f2ad67
SHA256 782b3a220dc8b51d702c9d3ffe8941f5d63bdce9adb9f7c9488ea23347670144
SHA512 c6684e05cb5242e354df729441e79d6acb0533f5743145ebaf6cf80f0fbb3e99a026d24167348a315e85b28035c155b0e272ba6948242a2d6ab5890fd9b1795a
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394