Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 21-12-2024 19:43
Behavioral task behavioral1
- Sample: JaffaCakes118_37c3ce5ead21b3fc3f8212c369b64b7712ce80908cb2163f1b5ae0ee574c2678.exe
- Resource: win7-20240708-en
Behavioral task behavioral2
- Sample: JaffaCakes118_37c3ce5ead21b3fc3f8212c369b64b7712ce80908cb2163f1b5ae0ee574c2678.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_37c3ce5ead21b3fc3f8212c369b64b7712ce80908cb2163f1b5ae0ee574c2678.exe
- Size: 1.3MB
- MD5: b138fab068fff7508e24a386f5185a0b
- SHA1: 318f36e371a2c39b3e45c76d93398f44d1d3bdfa
- SHA256: 37c3ce5ead21b3fc3f8212c369b64b7712ce80908cb2163f1b5ae0ee574c2678
- SHA512: 2b9db890c67ba3a5e8580719ef51cb96aeaa3dd56cdd4105a1f3f81c5c197e645698140522d633b804c568ffc978177d5e7461cc5e5f37f957e2474ee406d84a
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process (54 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
- Yara rule matches (resource: rule)
  - behavioral1/files/0x0007000000018636-9.dat: dcrat
  - behavioral1/memory/1508-13-0x0000000000CD0000-0x0000000000DE0000-memory.dmp: dcrat
  - behavioral1/memory/1828-64-0x0000000000C60000-0x0000000000D70000-memory.dmp: dcrat
  - behavioral1/memory/1588-334-0x0000000000D30000-0x0000000000E40000-memory.dmp: dcrat
  - behavioral1/memory/1600-394-0x0000000000260000-0x0000000000370000-memory.dmp: dcrat
  - behavioral1/memory/1924-454-0x00000000013B0000-0x00000000014C0000-memory.dmp: dcrat
  - behavioral1/memory/916-514-0x00000000001B0000-0x00000000002C0000-memory.dmp: dcrat
  - behavioral1/memory/2280-575-0x0000000001120000-0x0000000001230000-memory.dmp: dcrat
  - behavioral1/memory/2408-696-0x0000000000100000-0x0000000000210000-memory.dmp: dcrat
- Command and Scripting Interpreter: PowerShell (1 TTPs, 19 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.
- Executes dropped EXE (11 IoCs)
- Loads dropped DLL (2 IoCs)
  - PID 3008: cmd.exe
  - PID 3008: cmd.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 11 IoCs)
  Network flows (flow id: ioc):
  - 18: raw.githubusercontent.com
  - 32: raw.githubusercontent.com
  - 36: raw.githubusercontent.com
  - 4: raw.githubusercontent.com
  - 9: raw.githubusercontent.com
  - 12: raw.githubusercontent.com
  - 15: raw.githubusercontent.com
  - 22: raw.githubusercontent.com
  - 25: raw.githubusercontent.com
  - 29: raw.githubusercontent.com
  - 5: raw.githubusercontent.com
- Drops file in Program Files directory (14 IoCs)
  Files created by DllCommonsvc.exe:
  - C:\Program Files (x86)\Windows NT\TableTextService\es-ES\cc11b995f2a76d
  - C:\Program Files\Windows Photo Viewer\es-ES\csrss.exe
  - C:\Program Files (x86)\Windows NT\TableTextService\es-ES\winlogon.exe
  - C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe
  - C:\Program Files (x86)\Windows Sidebar\it-IT\wininit.exe
  - C:\Program Files (x86)\Google\Update\cmd.exe
  - C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\services.exe
  - C:\Program Files\Microsoft Office\Office14\1033\24dbde2999530e
  - C:\Program Files (x86)\Windows Sidebar\it-IT\56085415360792
  - C:\Program Files\Windows Photo Viewer\es-ES\886983d96e3d3e
  - C:\Program Files (x86)\Google\Update\ebf1f9fa8afd6d
  - C:\Program Files\Windows Media Player\Media Renderer\dwm.exe
  - C:\Program Files\Windows Media Player\Media Renderer\6cb0b6c459d5d3
  - C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\c5b4cb5e9653cc
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Registry key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language opened by:
  - JaffaCakes118_37c3ce5ead21b3fc3f8212c369b64b7712ce80908cb2163f1b5ae0ee574c2678.exe
  - WScript.exe
  - cmd.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 54 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (34 IoCs)
- Suspicious use of AdjustPrivilegeToken (30 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
The number in brackets is the nesting depth of the process in the report's process tree.
- [1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37c3ce5ead21b3fc3f8212c369b64b7712ce80908cb2163f1b5ae0ee574c2678.exe (PID 824)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37c3ce5ead21b3fc3f8212c369b64b7712ce80908cb2163f1b5ae0ee574c2678.exe"
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- [2] C:\Windows\SysWOW64\WScript.exe (PID 2680)
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- [3] C:\Windows\SysWOW64\cmd.exe (PID 3008)
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- [4] C:\providercommon\DllCommonsvc.exe (PID 1508)
  Command line: "C:\providercommon\DllCommonsvc.exe"
  Signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
Each of the following 19 powershell.exe processes (image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, depth 5) carries the signatures Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken.
- [5] powershell.exe (PID 2508)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- [5] powershell.exe (PID 2808)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\csrss.exe'
- [5] powershell.exe (PID 2916)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'
- [5] powershell.exe (PID 2736)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\services.exe'
- [5] powershell.exe (PID 2624)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\es-ES\csrss.exe'
- [5] powershell.exe (PID 2388)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\winlogon.exe'
- [5] powershell.exe (PID 2564)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\smss.exe'
- [5] powershell.exe (PID 2132)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
- [5] powershell.exe (PID 1896)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe'
- [5] powershell.exe (PID 264)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\wininit.exe'
- [5] powershell.exe (PID 2552)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\Sample Videos\lsass.exe'
- [5] powershell.exe (PID 2976)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'
- [5] powershell.exe (PID 2612)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\it-IT\wininit.exe'
- [5] powershell.exe (PID 1340)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'
- [5] powershell.exe (PID 1776)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'
- [5] powershell.exe (PID 1196)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\cmd.exe'
- [5] powershell.exe (PID 2312)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Templates\DllCommonsvc.exe'
- [5] powershell.exe (PID 2188)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\conhost.exe'
- [5] powershell.exe (PID 2760)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Media Renderer\dwm.exe'
Each WmiPrvSE.exe process below (image C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe, command line "C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe") carries the signatures Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken. Each w32tm.exe process (image C:\Windows\system32\w32tm.exe) has the command line w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2.
- [5] WmiPrvSE.exe (PID 1828)
- [6] C:\Windows\System32\cmd.exe (PID 952)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2pbp0wsTa1.bat"
- [7] w32tm.exe (PID 2832)
- [7] WmiPrvSE.exe (PID 604)
- [8] C:\Windows\System32\cmd.exe (PID 2664)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AsgPmp9HNF.bat"
- [9] w32tm.exe (PID 1728)
- [9] WmiPrvSE.exe (PID 3008)
- [10] C:\Windows\System32\cmd.exe (PID 2572)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eNTIt1NKYH.bat"
- [11] w32tm.exe (PID 1932)
- [11] WmiPrvSE.exe (PID 1588)
- [12] C:\Windows\System32\cmd.exe (PID 2884)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4oJokgKWVw.bat"
- [13] w32tm.exe (PID 1828)
- [13] WmiPrvSE.exe (PID 1600)
- [14] C:\Windows\System32\cmd.exe (PID 1916)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AQ0EpYUV7r.bat"
- [15] w32tm.exe (PID 824)
- [15] WmiPrvSE.exe (PID 1924)
- [16] C:\Windows\System32\cmd.exe (PID 2612)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ezHXLeVHih.bat"
- [17] w32tm.exe (PID 996)
- [17] WmiPrvSE.exe (PID 916)
- [18] C:\Windows\System32\cmd.exe (PID 1488)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VoHf0I0Wzs.bat"
- [19] w32tm.exe (PID 2716)
- [19] WmiPrvSE.exe (PID 2280)
- [20] C:\Windows\System32\cmd.exe (PID 1532)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xAFUrPKKMy.bat"
- [21] w32tm.exe (PID 2472)
- [21] WmiPrvSE.exe (PID 2024)
- [22] C:\Windows\System32\cmd.exe (PID 2052)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat"
- [23] w32tm.exe (PID 1196)
- [23] WmiPrvSE.exe (PID 2408)
- [24] C:\Windows\System32\cmd.exe (PID 2456)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DhSpfyjZaR.bat"
- [25] w32tm.exe (PID 2124)
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\providercommon\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Videos\Sample Videos\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Videos\Sample Videos\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:296 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Templates\DllCommonsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Admin\Templates\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Templates\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\conhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\Media Renderer\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Media Renderer\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704 (tree level 1)

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\Media Renderer\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804 (tree level 1)
Network
MITRE ATT&CK Enterprise v15
Downloads