Analysis
-
max time kernel
148s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
21-12-2024 19:35
Behavioral task
behavioral1
Sample
JaffaCakes118_bea63bea228e90f03925bd55ce869d6184cdeef9920e1390e6c9eaa37e946697.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_bea63bea228e90f03925bd55ce869d6184cdeef9920e1390e6c9eaa37e946697.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_bea63bea228e90f03925bd55ce869d6184cdeef9920e1390e6c9eaa37e946697.exe
-
Size
1.3MB
-
MD5
7fbecde0cd3ee62936f18b741302c01c
-
SHA1
f400947018e502902749900aaf957e8a50065e69
-
SHA256
bea63bea228e90f03925bd55ce869d6184cdeef9920e1390e6c9eaa37e946697
-
SHA512
13929bf3e4b8856705672acfb51177f0b3140a2ed0832ce9319bdbb16365367a6858e6dd6bbcc520bced3852721395055a059615449e34688d360c4264871ea8
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description (identical for all 45 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid pid_target Process procid_target
2820 2692 schtasks.exe 35
2588 2692 schtasks.exe 35
2108 2692 schtasks.exe 35
1736 2692 schtasks.exe 35
2572 2692 schtasks.exe 35
2612 2692 schtasks.exe 35
2104 2692 schtasks.exe 35
1248 2692 schtasks.exe 35
1532 2692 schtasks.exe 35
1948 2692 schtasks.exe 35
1732 2692 schtasks.exe 35
1524 2692 schtasks.exe 35
2444 2692 schtasks.exe 35
1912 2692 schtasks.exe 35
1728 2692 schtasks.exe 35
1740 2692 schtasks.exe 35
2648 2692 schtasks.exe 35
1748 2692 schtasks.exe 35
1640 2692 schtasks.exe 35
1336 2692 schtasks.exe 35
1628 2692 schtasks.exe 35
2904 2692 schtasks.exe 35
2892 2692 schtasks.exe 35
2188 2692 schtasks.exe 35
2124 2692 schtasks.exe 35
2440 2692 schtasks.exe 35
3048 2692 schtasks.exe 35
448 2692 schtasks.exe 35
1940 2692 schtasks.exe 35
1592 2692 schtasks.exe 35
1612 2692 schtasks.exe 35
2252 2692 schtasks.exe 35
2176 2692 schtasks.exe 35
772 2692 schtasks.exe 35
836 2692 schtasks.exe 35
832 2692 schtasks.exe 35
788 2692 schtasks.exe 35
1356 2692 schtasks.exe 35
2656 2692 schtasks.exe 35
2428 2692 schtasks.exe 35
2320 2692 schtasks.exe 35
2300 2692 schtasks.exe 35
1224 2692 schtasks.exe 35
1312 2692 schtasks.exe 35
2244 2692 schtasks.exe 35
-
resource yara_rule
behavioral1/files/0x00060000000186f8-12.dat dcrat
behavioral1/memory/2424-13-0x0000000000EA0000-0x0000000000FB0000-memory.dmp dcrat
behavioral1/memory/1528-136-0x0000000000C30000-0x0000000000D40000-memory.dmp dcrat
behavioral1/memory/2208-196-0x0000000000360000-0x0000000000470000-memory.dmp dcrat
behavioral1/memory/2268-257-0x00000000010A0000-0x00000000011B0000-memory.dmp dcrat
behavioral1/memory/2116-317-0x0000000000020000-0x0000000000130000-memory.dmp dcrat
behavioral1/memory/1572-378-0x0000000000E20000-0x0000000000F30000-memory.dmp dcrat
behavioral1/memory/2800-438-0x00000000002D0000-0x00000000003E0000-memory.dmp dcrat
behavioral1/memory/2768-499-0x0000000000030000-0x0000000000140000-memory.dmp dcrat
behavioral1/memory/2764-560-0x00000000013D0000-0x00000000014E0000-memory.dmp dcrat
behavioral1/memory/3032-738-0x00000000001D0000-0x00000000002E0000-memory.dmp dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process
3008 powershell.exe
1004 powershell.exe
2128 powershell.exe
2156 powershell.exe
2352 powershell.exe
2368 powershell.exe
1156 powershell.exe
1148 powershell.exe
2192 powershell.exe
3028 powershell.exe
2020 powershell.exe
2028 powershell.exe
2504 powershell.exe
2336 powershell.exe
1712 powershell.exe
880 powershell.exe
-
Executes dropped EXE 12 IoCs
pid Process
2424 DllCommonsvc.exe
1528 csrss.exe
2208 csrss.exe
2268 csrss.exe
2116 csrss.exe
1572 csrss.exe
2800 csrss.exe
2768 csrss.exe
2764 csrss.exe
788 csrss.exe
2140 csrss.exe
3032 csrss.exe
-
Loads dropped DLL 2 IoCs
pid Process
1644 cmd.exe
1644 cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow ioc
9 raw.githubusercontent.com
12 raw.githubusercontent.com
30 raw.githubusercontent.com
38 raw.githubusercontent.com
34 raw.githubusercontent.com
4 raw.githubusercontent.com
5 raw.githubusercontent.com
16 raw.githubusercontent.com
20 raw.githubusercontent.com
23 raw.githubusercontent.com
27 raw.githubusercontent.com
-
Drops file in Program Files directory 8 IoCs
description ioc Process
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\75a57c1bdf437c DllCommonsvc.exe
File created C:\Program Files\7-Zip\Lang\explorer.exe DllCommonsvc.exe
File created C:\Program Files\7-Zip\Lang\7a0fd90576e088 DllCommonsvc.exe
File created C:\Program Files (x86)\Windows Portable Devices\cmd.exe DllCommonsvc.exe
File created C:\Program Files (x86)\Windows Portable Devices\ebf1f9fa8afd6d DllCommonsvc.exe
File created C:\Program Files\Uninstall Information\WmiPrvSE.exe DllCommonsvc.exe
File created C:\Program Files\Uninstall Information\24dbde2999530e DllCommonsvc.exe
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\WMIADAP.exe DllCommonsvc.exe
-
Drops file in Windows directory 1 IoCs
description ioc Process
File created C:\Windows\Speech\Common\it-IT\services.exe DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_bea63bea228e90f03925bd55ce869d6184cdeef9920e1390e6c9eaa37e946697.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
1524 schtasks.exe
2444 schtasks.exe
1748 schtasks.exe
1336 schtasks.exe
2892 schtasks.exe
2176 schtasks.exe
2820 schtasks.exe
1248 schtasks.exe
832 schtasks.exe
1532 schtasks.exe
1612 schtasks.exe
1736 schtasks.exe
2104 schtasks.exe
448 schtasks.exe
1592 schtasks.exe
2428 schtasks.exe
2320 schtasks.exe
1948 schtasks.exe
1732 schtasks.exe
2188 schtasks.exe
2124 schtasks.exe
1940 schtasks.exe
1356 schtasks.exe
2300 schtasks.exe
1224 schtasks.exe
2588 schtasks.exe
1640 schtasks.exe
2252 schtasks.exe
1312 schtasks.exe
1740 schtasks.exe
3048 schtasks.exe
2904 schtasks.exe
772 schtasks.exe
788 schtasks.exe
2656 schtasks.exe
1728 schtasks.exe
1628 schtasks.exe
2244 schtasks.exe
2108 schtasks.exe
2612 schtasks.exe
2648 schtasks.exe
2440 schtasks.exe
836 schtasks.exe
2572 schtasks.exe
1912 schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 32 IoCs
pid Process
2424 DllCommonsvc.exe
2424 DllCommonsvc.exe
2424 DllCommonsvc.exe
2424 DllCommonsvc.exe
2424 DllCommonsvc.exe
1004 powershell.exe
2028 powershell.exe
2020 powershell.exe
2192 powershell.exe
1148 powershell.exe
3028 powershell.exe
1156 powershell.exe
2156 powershell.exe
1712 powershell.exe
2504 powershell.exe
2336 powershell.exe
880 powershell.exe
2352 powershell.exe
2128 powershell.exe
2368 powershell.exe
3008 powershell.exe
1528 csrss.exe
2208 csrss.exe
2268 csrss.exe
2116 csrss.exe
1572 csrss.exe
2800 csrss.exe
2768 csrss.exe
2764 csrss.exe
788 csrss.exe
2140 csrss.exe
3032 csrss.exe
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
description pid Process
Token: SeDebugPrivilege 2424 DllCommonsvc.exe
Token: SeDebugPrivilege 1004 powershell.exe
Token: SeDebugPrivilege 2020 powershell.exe
Token: SeDebugPrivilege 2028 powershell.exe
Token: SeDebugPrivilege 2192 powershell.exe
Token: SeDebugPrivilege 1148 powershell.exe
Token: SeDebugPrivilege 3028 powershell.exe
Token: SeDebugPrivilege 1156 powershell.exe
Token: SeDebugPrivilege 2156 powershell.exe
Token: SeDebugPrivilege 1712 powershell.exe
Token: SeDebugPrivilege 2504 powershell.exe
Token: SeDebugPrivilege 2336 powershell.exe
Token: SeDebugPrivilege 880 powershell.exe
Token: SeDebugPrivilege 2352 powershell.exe
Token: SeDebugPrivilege 2128 powershell.exe
Token: SeDebugPrivilege 2368 powershell.exe
Token: SeDebugPrivilege 3008 powershell.exe
Token: SeDebugPrivilege 1528 csrss.exe
Token: SeDebugPrivilege 2208 csrss.exe
Token: SeDebugPrivilege 2268 csrss.exe
Token: SeDebugPrivilege 2116 csrss.exe
Token: SeDebugPrivilege 1572 csrss.exe
Token: SeDebugPrivilege 2800 csrss.exe
Token: SeDebugPrivilege 2768 csrss.exe
Token: SeDebugPrivilege 2764 csrss.exe
Token: SeDebugPrivilege 788 csrss.exe
Token: SeDebugPrivilege 2140 csrss.exe
Token: SeDebugPrivilege 3032 csrss.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target (repeated events collapsed; count in last column)
PID 2336 wrote to memory of 1152 2336 JaffaCakes118_bea63bea228e90f03925bd55ce869d6184cdeef9920e1390e6c9eaa37e946697.exe 31 (4 events)
PID 1152 wrote to memory of 1644 1152 WScript.exe 32 (4 events)
PID 1644 wrote to memory of 2424 1644 cmd.exe 34 (4 events)
PID 2424 wrote to memory of 2020 2424 DllCommonsvc.exe 81 (3 events)
PID 2424 wrote to memory of 1004 2424 DllCommonsvc.exe 83 (3 events)
PID 2424 wrote to memory of 2128 2424 DllCommonsvc.exe 84 (3 events)
PID 2424 wrote to memory of 2028 2424 DllCommonsvc.exe 85 (3 events)
PID 2424 wrote to memory of 880 2424 DllCommonsvc.exe 87 (3 events)
PID 2424 wrote to memory of 1156 2424 DllCommonsvc.exe 88 (3 events)
PID 2424 wrote to memory of 2368 2424 DllCommonsvc.exe 89 (3 events)
PID 2424 wrote to memory of 2352 2424 DllCommonsvc.exe 90 (3 events)
PID 2424 wrote to memory of 1712 2424 DllCommonsvc.exe 93 (3 events)
PID 2424 wrote to memory of 2504 2424 DllCommonsvc.exe 95 (3 events)
PID 2424 wrote to memory of 3028 2424 DllCommonsvc.exe 96 (3 events)
PID 2424 wrote to memory of 2156 2424 DllCommonsvc.exe 97 (3 events)
PID 2424 wrote to memory of 2192 2424 DllCommonsvc.exe 98 (3 events)
PID 2424 wrote to memory of 3008 2424 DllCommonsvc.exe 99 (3 events)
PID 2424 wrote to memory of 1148 2424 DllCommonsvc.exe 100 (3 events)
PID 2424 wrote to memory of 2336 2424 DllCommonsvc.exe 101 (3 events)
PID 2424 wrote to memory of 2588 2424 DllCommonsvc.exe 109 (3 events)
PID 2588 wrote to memory of 2864 2588 cmd.exe 115 (1 event)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bea63bea228e90f03925bd55ce869d6184cdeef9920e1390e6c9eaa37e946697.exe (tree level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bea63bea228e90f03925bd55ce869d6184cdeef9920e1390e6c9eaa37e946697.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
-
C:\Windows\SysWOW64\WScript.exe (tree level 2)
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1152
-
C:\Windows\SysWOW64\cmd.exe (tree level 3)
Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1644
-
C:\providercommon\DllCommonsvc.exe (tree level 4)
Command line: "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1004
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\explorer.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2128
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2028
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:880
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Searches\WMIADAP.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1156
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2368
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2352
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2504
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3028
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\WmiPrvSE.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2156
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\WMIADAP.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2192
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3008
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1148
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2336
-
-
C:\Windows\System32\cmd.exe (tree level 5)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0KGsCHCwju.bat"
- Suspicious use of WriteProcessMemory
PID:2588
-
C:\Windows\system32\w32tm.exe (tree level 6)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2864
-
C:\MSOCache\All Users\csrss.exe (tree level 6)
Command line: "C:\MSOCache\All Users\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1528
-
C:\Windows\System32\cmd.exe (tree level 7)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzqLwOyuSO.bat"
PID:2656
-
C:\Windows\system32\w32tm.exe (tree level 8)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2756
-
C:\MSOCache\All Users\csrss.exe (tree level 8)
Command line: "C:\MSOCache\All Users\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2208
-
C:\Windows\System32\cmd.exe (tree level 9)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gMBHdlpNUB.bat"
PID:2628
-
C:\Windows\system32\w32tm.exe (tree level 10)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2800
-
C:\MSOCache\All Users\csrss.exe (tree level 10)
Command line: "C:\MSOCache\All Users\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2268
-
C:\Windows\System32\cmd.exe (tree level 11)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat"
PID:1320
-
C:\Windows\system32\w32tm.exe (tree level 12)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:3008
-
C:\MSOCache\All Users\csrss.exe (tree level 12)
Command line: "C:\MSOCache\All Users\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2116
-
C:\Windows\System32\cmd.exe (tree level 13)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GTS4B5cy6p.bat"
PID:2444
-
C:\Windows\system32\w32tm.exe (tree level 14)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1612
-
C:\MSOCache\All Users\csrss.exe (tree level 14)
Command line: "C:\MSOCache\All Users\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1572
-
C:\Windows\System32\cmd.exe (tree level 15)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZfR0hqQ1j6.bat"
PID:1980
-
C:\Windows\system32\w32tm.exe (tree level 16)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1784
-
C:\MSOCache\All Users\csrss.exe (tree level 16)
Command line: "C:\MSOCache\All Users\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2800
-
C:\Windows\System32\cmd.exe (tree level 17)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ww6iFNwlpp.bat"
PID:1148
-
C:\Windows\system32\w32tm.exe (tree level 18)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2620
-
C:\MSOCache\All Users\csrss.exe (tree level 18)
Command line: "C:\MSOCache\All Users\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2768
-
C:\Windows\System32\cmd.exe (tree level 19)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4yEObGBIDe.bat"
PID:1768
-
C:\Windows\system32\w32tm.exe (tree level 20)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2444
-
C:\MSOCache\All Users\csrss.exe (tree level 20)
Command line: "C:\MSOCache\All Users\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764
-
C:\Windows\System32\cmd.exe (tree level 21)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gozseo6rLH.bat"
PID:1152
-
C:\Windows\system32\w32tm.exe (tree level 22)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1544
-
C:\MSOCache\All Users\csrss.exe (tree level 22)
Command line: "C:\MSOCache\All Users\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:788
-
C:\Windows\System32\cmd.exe (tree level 23)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat"
PID:1440
-
C:\Windows\system32\w32tm.exe (tree level 24)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1656
-
C:\MSOCache\All Users\csrss.exe (tree level 24)
Command line: "C:\MSOCache\All Users\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2140
-
C:\Windows\System32\cmd.exe (tree level 25)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i32OxRBhll.bat"
PID:2320
-
C:\Windows\system32\w32tm.exe (tree level 26)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:3068
-
C:\MSOCache\All Users\csrss.exe (tree level 26)
Command line: "C:\MSOCache\All Users\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3032
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\providercommon\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\providercommon\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Searches\WMIADAP.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Admin\Searches\WMIADAP.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Searches\WMIADAP.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\providercommon\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\providercommon\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048
-
C:\Windows\system32\schtasks.exe (tree level 1)
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\WMIADAP.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244
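Every task-creation line in the tree above fits one template: a copy of a Windows process name (csrss.exe, lsass.exe, smss.exe, services.exe, spoolsv.exe, dwm.exe, explorer.exe, WmiPrvSE.exe, WMIADAP.exe, audiodg.exe, cmd.exe) dropped under C:\MSOCache, C:\Recovery, C:\providercommon, a Program Files subfolder or the user profile, then registered both as an ONLOGON task with /rl HIGHEST and as /sc MINUTE loops of 5 to 14 minutes. The Python triage helper below is an added example, not part of this report or of the sample: it parses schtasks /create command lines (handling the nested "'path'" quoting seen here) and flags those three traits. SYSTEM_PROCESS_NAMES and the 15-minute threshold are assumptions to tune per environment; three of the sample lines are copied from the tree above and the two benign ones are constructed for contrast.

```python
"""Triage of schtasks /create command lines for DcRat-style persistence.

Flags the three traits visible in the process tree above: an action whose
file name is a Windows system process but whose path lies outside the
Windows directory (masquerading), a request for /rl HIGHEST, and a
/sc MINUTE re-launch loop of a few minutes.
"""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Process names the sample's dropped binaries borrow. Assumed list; extend as
# needed. The genuine copies all live under C:\Windows.
SYSTEM_PROCESS_NAMES = {
    "csrss.exe", "lsass.exe", "smss.exe", "services.exe", "spoolsv.exe",
    "dwm.exe", "explorer.exe", "wmiprvse.exe", "wmiadap.exe", "audiodg.exe",
    "cmd.exe",
}
# /sc MINUTE tasks with /mo at or below this are treated as re-launch loops.
# Assumed threshold, chosen from the 5-14 minute range seen in this report.
SHORT_INTERVAL_MINUTES = 15

# One schtasks switch with an optional value. The value is either a
# "double-quoted string" or one bare token; the lookahead keeps a following
# /switch from being read as the value of a bare flag such as /create or /f.
_OPT_RE = re.compile(
    r'/(?P<name>[A-Za-z]+)(?:\s+(?!/)(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+)))?'
)


@dataclass
class TaskFinding:
    task_name: str
    action: str
    flags: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.flags)


def parse_schtasks(cmdline: str) -> Dict[str, Optional[str]]:
    """Map each /switch (lower-cased) to its value, or None for bare flags."""
    opts: Dict[str, Optional[str]] = {}
    for m in _OPT_RE.finditer(cmdline):
        value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        opts[m.group("name").lower()] = value
    return opts


def action_path(tr_value: str) -> str:
    """Strip the nested quote layers the sample wraps around the action path."""
    return tr_value.strip().strip("'\"")


def is_under_windows_dir(path: str) -> bool:
    return path.replace("/", "\\").lower().startswith("c:\\windows\\")


def assess(cmdline: str) -> Optional[TaskFinding]:
    """Evaluate one command line; None when it is not a task creation with an action."""
    opts = parse_schtasks(cmdline)
    if "create" not in opts or not opts.get("tr"):
        return None
    path = action_path(opts["tr"])
    finding = TaskFinding(task_name=opts.get("tn") or "", action=path)

    name = PureWindowsPath(path).name.lower()
    if name in SYSTEM_PROCESS_NAMES and not is_under_windows_dir(path):
        finding.flags.append(f"masquerade:{name} outside C:\\Windows")
    if (opts.get("rl") or "").upper() == "HIGHEST":
        finding.flags.append("runlevel:HIGHEST")
    if (opts.get("sc") or "").upper() == "MINUTE":
        mo = opts.get("mo") or ""
        if mo.isdigit() and int(mo) <= SHORT_INTERVAL_MINUTES:
            finding.flags.append(f"interval:{mo}min")
    return finding


def triage(cmdlines: List[str]) -> List[TaskFinding]:
    """Findings for every task creation that raised at least one flag, in input order."""
    out = []
    for line in cmdlines:
        f = assess(line)
        if f is not None and f.suspicious:
            out.append(f)
    return out


# Three command lines copied from the process tree above, followed by two
# constructed benign lines (a backup job and the genuine explorer.exe path).
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\csrss.exe'" /f''',
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Windows\System32\wbadmin.exe"''',
    r'''schtasks.exe /create /tn "Shell" /sc ONLOGON /tr "C:\Windows\explorer.exe"''',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f"{f.task_name:10} {f.action}\n    " + ", ".join(f.flags))
```

Run as a script it reports the three sample tasks and stays silent on the two benign ones. In a hunt, feed it the CommandLine field of process-creation events (Sysmon Event ID 1 or Security 4688) filtered to schtasks.exe; the masquerade rule alone is a high-signal indicator, since nothing legitimate installs an lsass.exe or csrss.exe outside the Windows directory.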
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: ca51e5ecc706cfb94fa5d64ad951df76
SHA1: 1b9706858ad6233f72a1e5f9a195d7da18020bba
SHA256: 6786d58b4d3a73fdcb821ac44eb0dce3872b6035ed3944a1cee6aadb6a13e1c0
SHA512: f1f754a85858ddce7c91bcb5bb2d5ef80b9d8ef3f741a392652b42ca731c5305dfe011bece42859c2a89f2511c9e0bb36b1633291e4f019ed384d59589dbb302
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 44af11b9b5912fc50725d239f2a5ceec
SHA1: 6c9e797ff4d11835537c78123a98517bcec2c14a
SHA256: 1c01ffad43cef1f273c9bbe46f06a3eea41f0ee094a7affb52550ace05ade476
SHA512: 2ed35f791260349fab9de02ab7a792bc88a45a3f63c411d57382fd0e55bbda4346e6f3d7b17b5d3b72e3dcb0944fb0fd3d9070df18e8afa809a06f0f40ea2870
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 917202e1623cae29166d943ba29efd87
SHA1: 9a32749d6b2f09fbbf2b7dd6b240eda27279dce7
SHA256: 9598514a16c86272e7c4fc35750107027c3e5ecf757fcc7fe50bd21f076e2b68
SHA512: 92eaa8eb3ced734c5ae44fdd0ede7c06755e6a2d1ece9938a26e39655475a653e0d7f4b410a1f77c895ed5a5c1ca7cc0ea4bf0b35b4f6d4465bb043a90620a78
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 168e4c36b24d80b676c93e4c703e0531
SHA1: 4bfc9e5504612b55b7176ac22a7511e3f84071ae
SHA256: 367acd9c7337facdf15d61e98b852ab08c7d5ab11720839fd6a64543c364b079
SHA512: f2fc1d555e5ca52930e24edd9ae51934fb13c46f9d0ed249c2ca38529cdb7efb5f1dbee0bf111b4050d70901f6c27e4e108b2c0707fba7afd0a8b67a13cacc37
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 182c58b076c9987080e40b2c2253d907
SHA1: 4c582f11b65840cf8f8723a836051418ef7086ca
SHA256: 8dd6ecee4e58ed4feb6d33b82ce2207b88fae8fe9087951f014bc3393c8a3ee1
SHA512: 0bd409c551a195a8c15681b55afdfd9534e5744788ae5a5b83cf9c38e2f2ddf397db1f64c5f7593333efea745ef1e4530e28b3ea66fdf4fa43ce77e7e2f8b20f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 78585aac158ff9eb859b1b33843c7f49
SHA1: 1692d0f01565f922ddf78501a32e26af7fc11815
SHA256: f23761bd710eab14475471f0c6b5da3b567344dac419a6950c88426e4914c0e6
SHA512: b7ba46dca528f160d587641a42801837745079a927fb1cbfeecf009f528917f461dc623c458fe67bc0c7ec84e27a15fd3f676f8894b18f459c6f183266ad851f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 1a142fafacf58ae23c5131e8442be69a
SHA1: bdd9118c8024b68ab8acdd44b94ee7b68a591c5c
SHA256: 6dbf9c8c19f9609b8610b445eb526290be90ff49d1eba097919e550355207f32
SHA512: 1cd1e6c632ba5763949c34df38b060fb96fd4855cabbc7c473e0c6a293a882741e6efef925574e9f2b72644d46e6ec2ae25d9b5fcd96ca09037b9df0b94a038a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: c5a5818a8becbaa63a4a4c5da444a91d
SHA1: 49da1e1750bd28f12da2a8f252ed1f9cabb799b7
SHA256: e0c4471a776fd175fe4a9adc75a8b0c6ed6a37150e25eda886a60c03910ecbdd
SHA512: 8b9a6bb7c9b8ee465210ea02c5936753ee6a6f011db16088bfcb357761fe6bac505987658465c6afcfedcf1b1f367ed238c63b7ef4f1633eafe15b272ae024e6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: eb5df8aae489e940c38e843eafbc14eb
SHA1: ee3f56476f8d7f9a7685ee0dc385bfc9f5379c35
SHA256: e964e43af02b8078849d5c1f532550273d4afad34d4b01295e62a9a1c46f4eb7
SHA512: dd64d4f062cf8f323be38a615b69af34f7e4ffa4a7e1c06b813bbe16a802e066a2d4b95df6c44dac24c762c92c85f27ea7cb74515481bf5ecc1437b63e2d7cb7
-
Filesize: 196B
MD5: 67779d61ff37ed66cf3d5d97e771c5e5
SHA1: 2311bb6f925f72dbcd078f3b3c5c5a8d4769e0ac
SHA256: 55b315c5d77c6de423bcc3214d573591bf3ba80e60817655251c7c557fce9776
SHA512: fdeb7c7e6701c44182afaa3ddd29ff90e013affe174226d757b4b3c75ebb405834afd666dd440001b0e94a8c41f4bc527c34f8df4536a732270dde8050ba3a39
-
Filesize: 196B
MD5: b0927cbdf007f1d37bfcefcb8d7e582c
SHA1: 8379cdbe85a4672191663a96b84e9289959ca952
SHA256: 684b359c9977849432ee5a80f7009f466c7efdc67768c6e7f8e213213e7790e5
SHA512: 09f4189da0fc0007b76b278026427ba7757cbe9ae8787d24d8eb86f1fe73ad86fc4f0ac490525a5aef4539932ae8353250b48c30538a14a0b50c5fe1d7add787
-
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize: 196B
MD5: 1ed0e4d8a478d89ca54cff89b76dab36
SHA1: e107c455805a1a00a0179032267a3aeb9bd92281
SHA256: 330c38f11d2c018809b1e8168068ca5ecf855e9d6023534ee3d2d93bc767a07c
SHA512: bf73cbbec56783b3d837788f336a85b7ebed53bbe334806d877793c0d0db4c594725cd7813bab9d8aef523e9316f116714da362bb3786a4e2ae67d4c0a2d8d7e
-
Filesize: 196B
MD5: 35894975a0fbe0d7088b9f4ab37c8854
SHA1: 634aa037f64300ea32f0dcb3f06041b49054cf7f
SHA256: 54fdd2124ae1e70f887f885ab2395256fa0fc5c748fb87a56e3460982e45b78a
SHA512: cade0025e431a1135183599c17d2da49148ee4def0b11c0743938a2ec5aa1caae8baabeb42ada48a42ced65cbf1e7aeeff5338448a01d75c6cf5f0ad73d2ec77
-
Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize: 196B
MD5: a22aee161ce6f52ed5cdc6c26921f2fb
SHA1: b6db42e4d7d86103133a7b299cb0480b548c1e13
SHA256: 53773ba10ac9018a6b4a0d8dcab837a2b86ee57d318b2fe909eb69a1ebe2d5f6
SHA512: f0a126bff06271fbea484f1160afc89f4f03c8724efcb4b80706ff7f92cb9d76cd58335ba1a9ee90b4b5566e8d463fe7a74d437e0624a4efa51eb79a3c79cd66
-
Filesize: 196B
MD5: 8470e15fbd96280fae02631b96d4745c
SHA1: 69f27412a81f9bf7810ee16889bade877f4815b7
SHA256: 33fbcd0d0ea9a8d8aa59e6e1d5833be48157a9ebb7b9818db46b2b45c1f14a8e
SHA512: 7ba3875b100dd28dd533339b79a9b4659f3aa203d295d41359f907a2cf150d3067055fdcbdbd12ee9766f29c98ce0fad2901cb16053606f34195cb4e463a10d4
-
Filesize: 196B
MD5: 7e962ba49dcb2ce81e0d970c4299b199
SHA1: de9d5cec67dad242a6e2125dffc40fa0c4d741c1
SHA256: 156e4c9cafc8e69bb8421ec18f0172215682114c5227ed05eb677ce239abd26d
SHA512: bc012d44064eafcf02984574f863d65434035bd8d7409376815b478bbfa8a444ffddd742c8b7cf8a6cc4eaa8dfb6d1532ff04cbac4e785a74bf7f3ba9eab7d91
-
Filesize: 196B
MD5: 6768b4db36d46e447e9d62614e58c15c
SHA1: 3354214ba7744cfec2e4a4d72cebcd703a0d2dd1
SHA256: a6dc5cf9aa87e7fc265ca14155821f2077c818044d382a071954c0789729e4e2
SHA512: ac95ca1227b0155ccbbb28d399f0d735367d7881d078891c12a839ab75075c24896ca22d39d6e1a51904c098f379bacd160f2ff8f34e967244eaf97912c6a198
-
Filesize: 196B
MD5: d8f802b8e950abf099fe98b02c3cdee5
SHA1: e7caa1dbe5af07c3df615b90d478ad64a86b1464
SHA256: 145b8b96fdce990009b13a919a111ae1ae5041f79e28d71075d2b8941923fe18
SHA512: 180b777b83012b55f3418bb76a9b63bd23b91bc365eeb6555c752fc0f84bb21530e0456f302831c1424b4c247bfba915813e46de3213bd8cb5ea2e513434ddc2
-
Filesize: 196B
MD5: 800609394c04bb396df235b365b78891
SHA1: 829517853d8255f15706dabf8fb5fe0745f24987
SHA256: 54972110b958ac0462c8e170692681a831fabd3d9af051075dd853403898df1c
SHA512: aa9d1d0dfafca87e4f28f6dc4f08b52d713c44c0ab844633d60cb3f036477fe966ef015c8f8f72e056b073a6b801e13411243ebe3f054e4f6a1443a252b68cd7
-
Filesize: 196B
MD5: fb0b9be02e499d5c6041b8f6114bb3d3
SHA1: de5f23cebf630a70902856bc64f53bb1be07be23
SHA256: 35dc609c3a53b82646dc8cc5d9f8098cfbacaecfe3617f0843435fceec3b7b40
SHA512: 1f2908ec13c2d19f5d1f4fd973e8662b92c839ad1518b4297ba17cdf8de50bb4de9fa93c8f576f57df5524ed61eb9d54ee17191446290596a49fc5ad8ee5437b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 94789fa1434800d3d98da6f7c91a7fbe
SHA1: 52bfc0f50a961887130433b8b381ce2ceea05187
SHA256: 0c5b8c4bc494e6dd2b6450b899e90a79d579401c29901a85028a2eb81b2ff8a7
SHA512: 529248963ad61139fef166db2598f202c97a40e6aa0f6990e68e028777631f3a557d5dcc17ba75fc95b97f923c1fece010787c4d1a8f1bf573d2870bdc0fac42
-
Filesize: 36B
MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize: 1.0MB
MD5: bd31e94b4143c4ce49c17d3af46bcad0
SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize: 197B
MD5: 8088241160261560a02c84025d107592
SHA1: 083121f7027557570994c9fc211df61730455bb5
SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478