Analysis
- max time kernel: 149s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 21-12-2024 19:46
Behavioral task: behavioral1
- Sample: JaffaCakes118_01a897b6dad0294b7cfbef7246b759c1e8fc27e17497132c5238632a4d767734.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_01a897b6dad0294b7cfbef7246b759c1e8fc27e17497132c5238632a4d767734.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_01a897b6dad0294b7cfbef7246b759c1e8fc27e17497132c5238632a4d767734.exe
- Size: 1.3MB
- MD5: ac69529a57c9aaba7a94c8f11c9c1638
- SHA1: ebcefadb7e0f0f5a1b18cbc0480f13ea6d95d927
- SHA256: 01a897b6dad0294b7cfbef7246b759c1e8fc27e17497132c5238632a4d767734
- SHA512: 86f918b695df060ceb213f60719f4d66b7f1c52b4079500288f3d0647f66720737fcea8c633a68306b88b6650d88c19ae5b3890c5a08709a624d78b3300683db
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
- DcRat: DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
- Dcrat family
Process spawned unexpected child process (54 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Yara rule matches (resource: rule):
- behavioral1/files/0x00070000000193b8-9.dat: dcrat
- behavioral1/memory/1824-13-0x0000000000E70000-0x0000000000F80000-memory.dmp: dcrat
- behavioral1/memory/3400-155-0x0000000000110000-0x0000000000220000-memory.dmp: dcrat
- behavioral1/memory/3868-215-0x0000000000970000-0x0000000000A80000-memory.dmp: dcrat
- behavioral1/memory/3128-275-0x0000000001160000-0x0000000001270000-memory.dmp: dcrat
- behavioral1/memory/3264-630-0x0000000001210000-0x0000000001320000-memory.dmp: dcrat
Command and Scripting Interpreter: PowerShell (1 TTP, 19 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Executes dropped EXE (10 IoCs)
PID / Process:
- 1824 DllCommonsvc.exe
- 3400 explorer.exe
- 3868 explorer.exe
- 3128 explorer.exe
- 2192 explorer.exe
- 3000 explorer.exe
- 2148 explorer.exe
- 3684 explorer.exe
- 1768 explorer.exe
- 3264 explorer.exe
Loads dropped DLL (2 IoCs)
PID / Process:
- 3020 cmd.exe
- 3020 cmd.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 10 IoCs)
Flow / IoC:
- 4: raw.githubusercontent.com
- 5: raw.githubusercontent.com
- 23: raw.githubusercontent.com
- 30: raw.githubusercontent.com
- 33: raw.githubusercontent.com
- 9: raw.githubusercontent.com
- 12: raw.githubusercontent.com
- 16: raw.githubusercontent.com
- 19: raw.githubusercontent.com
- 26: raw.githubusercontent.com
Drops file in Program Files directory (12 IoCs)
Files created by DllCommonsvc.exe:
- C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe
- C:\Program Files\Microsoft Games\SpiderSolitaire\c5b4cb5e9653cc
- C:\Program Files\Java\jre7\lib\jfr\6203df4a6bafc7
- C:\Program Files (x86)\Windows Sidebar\es-ES\lsm.exe
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\f3b6ecef712a24
- C:\Program Files\Google\Chrome\Application\69ddcba757bf72
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\spoolsv.exe
- C:\Program Files (x86)\MSBuild\Microsoft\6cb0b6c459d5d3
- C:\Program Files\Microsoft Games\SpiderSolitaire\services.exe
- C:\Program Files\Java\jre7\lib\jfr\lsass.exe
- C:\Program Files (x86)\Windows Sidebar\es-ES\101b941d020240
- C:\Program Files\Google\Chrome\Application\smss.exe
Drops file in Windows directory (16 IoCs)
Files created by DllCommonsvc.exe:
- C:\Windows\L2Schemas\886983d96e3d3e
- C:\Windows\Web\Wallpaper\Nature\24dbde2999530e
- C:\Windows\DigitalLocker\es-ES\explorer.exe
- C:\Windows\DigitalLocker\es-ES\7a0fd90576e088
- C:\Windows\it-IT\cmd.exe
- C:\Windows\Downloaded Program Files\winlogon.exe
- C:\Windows\LiveKernelReports\explorer.exe
- C:\Windows\LiveKernelReports\7a0fd90576e088
- C:\Windows\Web\Wallpaper\Nature\WmiPrvSE.exe
- C:\Windows\Downloaded Program Files\cc11b995f2a76d
- C:\Windows\Registration\CRMLog\spoolsv.exe
- C:\Windows\it-IT\ebf1f9fa8afd6d
- C:\Windows\Downloaded Program Files\lsass.exe
- C:\Windows\Downloaded Program Files\6203df4a6bafc7
- C:\Windows\Registration\CRMLog\f3b6ecef712a24
- C:\Windows\L2Schemas\csrss.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process:
- cmd.exe
- JaffaCakes118_01a897b6dad0294b7cfbef7246b759c1e8fc27e17497132c5238632a4d767734.exe
- WScript.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 54 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (33 IoCs)
Suspicious use of AdjustPrivilegeToken (29 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (the bracketed number is the depth of the process in the tree)
[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_01a897b6dad0294b7cfbef7246b759c1e8fc27e17497132c5238632a4d767734.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_01a897b6dad0294b7cfbef7246b759c1e8fc27e17497132c5238632a4d767734.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2248
[2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2896
[3] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3020
[4] C:\providercommon\DllCommonsvc.exe
    Command line: "C:\providercommon\DllCommonsvc.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1824
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2616
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2792
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2804
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\lsass.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1376
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\spoolsv.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2648
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\SpiderSolitaire\services.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2796
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\lib\jfr\lsass.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2732
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\csrss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2928
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 868
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\es-ES\lsm.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2380
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\explorer.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2020
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Wallpaper\Nature\WmiPrvSE.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1116
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\csrss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2716
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1172
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\es-ES\explorer.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2348
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\smss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2816
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\spoolsv.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3028
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\cmd.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2184
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\winlogon.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2496
[5] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ndEobUK6hB.bat"
    PID: 2092
[6] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 332
[6] C:\Windows\LiveKernelReports\explorer.exe
    Command line: "C:\Windows\LiveKernelReports\explorer.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3400
[7] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat"
    PID: 3788
[8] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 3832
[8] C:\Windows\LiveKernelReports\explorer.exe
    Command line: "C:\Windows\LiveKernelReports\explorer.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3868
[9] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat"
    PID: 2568
[10] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1736
[10] C:\Windows\LiveKernelReports\explorer.exe
    Command line: "C:\Windows\LiveKernelReports\explorer.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3128
[11] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wm5t4PlH1R.bat"
    PID: 2672
[12] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 3076
[12] C:\Windows\LiveKernelReports\explorer.exe
    Command line: "C:\Windows\LiveKernelReports\explorer.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2192
[13] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AMKHlt6LWj.bat"
    PID: 2808
[14] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 3320
[14] C:\Windows\LiveKernelReports\explorer.exe
    Command line: "C:\Windows\LiveKernelReports\explorer.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3000
[15] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LEBHQwxRW8.bat"
    PID: 3388
[16] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1692
[16] C:\Windows\LiveKernelReports\explorer.exe
    Command line: "C:\Windows\LiveKernelReports\explorer.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2148
[17] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EYKlAcFNfO.bat"
    PID: 3704
[18] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 3744
[18] C:\Windows\LiveKernelReports\explorer.exe
    Command line: "C:\Windows\LiveKernelReports\explorer.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3684
[19] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NiQtqM3qVs.bat"
    PID: 1536
[20] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2336
[20] C:\Windows\LiveKernelReports\explorer.exe
    Command line: "C:\Windows\LiveKernelReports\explorer.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1768
[21] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4NR89d4K3E.bat"
    PID: 3036
[22] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2432
[22] C:\Windows\LiveKernelReports\explorer.exe
    Command line: "C:\Windows\LiveKernelReports\explorer.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3264
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dllhost.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2868
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2604
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2560
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2180
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 388
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2076
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\Downloaded Program Files\lsass.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1684
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\lsass.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 432
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\Downloaded Program Files\lsass.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2136
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\Registration\CRMLog\spoolsv.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2692
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\spoolsv.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 3064
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\Registration\CRMLog\spoolsv.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2788
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\services.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1980
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\services.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2848
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\services.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2120
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jre7\lib\jfr\lsass.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2528
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\lib\jfr\lsass.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre7\lib\jfr\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\L2Schemas\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\providercommon\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\LiveKernelReports\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\LiveKernelReports\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\Wallpaper\Nature\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Nature\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\Web\Wallpaper\Nature\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Saved Games\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:524
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Saved Games\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\providercommon\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\DigitalLocker\es-ES\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\es-ES\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\es-ES\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\it-IT\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\it-IT\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Windows\it-IT\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 e2b3fe96c3dd7aa024d24beaa49993f8
SHA1 f13695b3b518f05e0fef13f17c32edda4fc43ceb
SHA256 4d534aa2ebff19483aee2b415f27b62f7aff8d1b2ed538c8c8019c9cb3ee5b18
SHA512 9cdbb6ed89548088d51ed6acaa77951ae3f36cfbd94f8dc7151d5044049ae17c6b5500ef59cde9106cc19b6e458233c1c7575497cc57c3a7ec9b6f55dfccb7b7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 cfeeb900d957f91d7e9913e51fb46d4b
SHA1 4b714ed96f9f5df5d5f63c596e2eacc95c93b5c9
SHA256 e95fe5ed59911828292975d3961f854620884a9aa013ead9834ea3475c570917
SHA512 6d65809ab7b51fd9af15b653fc212382a584a1f17f2ebc3abbba3042fd4500a4c34f675dd6c44d2bd3f8fa273528cdb8c7429a783c0566b2fcff985b8547f8c2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 405bd0625be23f6db749e63b0d56ce1c
SHA1 3ebd07092b5b009b425842502b88ce8db06fa316
SHA256 ba63a18e71410c007d440905994fdd99d84508201590ca0f00851ec33cd21f4f
SHA512 6e523627a72b3a7449185289c904383356b500f98f9b276242945eb80dc355a31d1085796c1c92b21702ca209cd916cc1e4ae7093d51c3b7243b3906675d6952
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 719182bd4563b8696fc6e3cb54793f93
SHA1 937d3c8d46a1ee9c984836efce7a24e9a888bab3
SHA256 36f4b6a6401bbaebea0a5ceaaefab933c2b720de9b688184be97af62eff70cc9
SHA512 9c096b23730f1860dd71c011a83b714b51a8e5058d360f5767ad68372d7eaf1c3711e065a7f3fde548d99ab23ba63a12d1b950fcd13edcdeaaa940d54f1958ba
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 08bbde0ce56075c5852a2247f7b6d38c
SHA1 aa71cfd54d7a49b23b088fb4ce4dd0f16a9c13be
SHA256 1669d6230bfabc83e987f34758f2ffed72a4b99740e7a174c29b56435f1ab557
SHA512 daf444e7c38e3063cbd54871ea2e04860381b3f61ed03cc485e328782bc7bd6e5a028109eb0eeb4c0148959d6bc24d731234f81ef829dd3091c5ac7611422f28
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 bc88853355deec05e69931811f77168c
SHA1 96a86e4d090a87153502a52ffe99cd7dc1cc482a
SHA256 cc61092b95d96f07d6a7e2b371a9939e801643f9bba2d917203bd4ed90fc8155
SHA512 73b7990d0588c9bf968527d2a0874b2ab88e31c31c6e4c1e3a872d0c275c4a898768aa50f882f1f88587f1f29d363ffeec0747e856e7eb7c80b90ffa6dc7781f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 966397384a40c4371416baf5746f5278
SHA1 6e58f8559397b646580040e4f26a57ed378ebcbf
SHA256 e7b5bd47c39397b53c9f64c77c0c33bbebebd6e3fb9bfc6cd4525a207fa33180
SHA512 5627fbd210309242c860eea54f4ab6322ada7ace1963e3e6d98fba0df8517d54150c10292eadc9b3520df27cbbc18bde5de817045b759a4b20f010986515fb74
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 15ee74d6c3dfa009556da4cf4d831f61
SHA1 e2f1588ae2033b23d217838c5a25fc30caff7359
SHA256 bb324e2015bcd4428f7d72d8427bff167e55fd957510522687620348c1fceba6
SHA512 ef4cb5d952628c6e697c7e60e7c106e9d4cd14aa70f54d2f4d592437f10b305f005ef93771118c3d161c0474c9bdcf559b94aeb35e262fbc705f6764a9e6f958
-
Filesize 206B
MD5 4655f8a88532f2ba7c1901b4376a36d6
SHA1 889b9b1a7e18a3f8500d414b6cc9ed2460b4ec18
SHA256 c1f3b1e6bd8d16ef8900b44a2c0fa5e320ad313bdb2895172532ec2c29e2bbcd
SHA512 33a24beb803ba724f5c63d1312e1df76a366c7a6e59b9454bbff211d788be3d7105f912f418badb32da94c5689fa8d0d117509bf66f64708052a89e51114baeb
-
Filesize 206B
MD5 042985e7c7b7759b1a49a37c824db4f8
SHA1 f130a507b5959c1d3e69f9257a314052d1c735a9
SHA256 37c716a55b876c3ac34e6b69c17b6a2a053b65ce43fdaf64c56f07f9e543a249
SHA512 6c54b1fa200550256ca8c7a10526e9694dbae6741756c36c2fb95e137f16b60058848aef1f643fee24fb19b379f22b9fe4546e26e1f5e7b193c13b5e9ed012cc
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 206B
MD5 e4066a2375591784b990162b6ee32905
SHA1 073b480aad452f08c2b115425b61659e6bd46c51
SHA256 9c27c76cc8db8b62386bcfa77423d5f8d0b2c3be3eeaaa030a491bb3502005a6
SHA512 ffc575731117b3f5b688fea51ee539ff546fb2397068aa5672c272553cd1e6c2067fb2438f45eca48440b802ec88d76d0e97336b11c33ecb8926eb7bfd621749
-
Filesize 206B
MD5 c3249807a752dce00d2ce905f4a30617
SHA1 eddd5079465d8990114d2ef674464d7e13cc9188
SHA256 4e41e66f2490dfa33f72d834935f7127de59b4e88d6d138a1c17d0f785ce62cb
SHA512 4704f73311858f496d2767bdf95891b81da03170cf74220c3ea621879a96312f0724a9089088df21490653b98be4dea8cb3de75e83dcb5d9c9d8f1d54c3fe154
-
Filesize 206B
MD5 68714df2cf7f16d71a8f3332e0e1bff2
SHA1 e0ab6b6bfcc56458677216eb5cef308701753da7
SHA256 4e0622b42bf9b6af6fed2c0e9e0576e707af0226e5a02c10ba49c91a2f52aff2
SHA512 ef9fdc1f626908ae74fdbfbacf79f74d48bddabbd939fab073fe40bd776834be0f9ac7c62ee32047ad5693c4c81016f081423f7f9aec79ebf0b15c4d8120d4a9
-
Filesize 206B
MD5 dd6f09f1f7885bf1993197da117f7201
SHA1 03cfdf7eee9185ddda6616417a590ca2d7ea6eca
SHA256 974b588d9723b77e08f3e1a6e743854079c37ab25eb8b5f17805443d3dc954c6
SHA512 a92f5084295aebe94920f79ca5d4907e52fb0bdc791501aeb7ddda64e3a55df0bc3e807104d0a7edad799c3a859872caa1abac87b8de9e6f9d410315ba19d04c
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 206B
MD5 ee9dafa1cb41b0e03dcd5327638c7a2b
SHA1 27bf8568fe9eaf3dd91e650fdc4ef23fa06b14ec
SHA256 387e84a0a012ffbf9d6116c5d9172f6c97942fb5747bd3782228d15c64e6d9d8
SHA512 0427f9c291d494de743a0c4e625fd0758c415090d3dd8bb326219aa541a0730cd84c5e92b568efdf39161a26e2b2d4b4f46a2989a1c8ba6b3e1641ab690b62b6
-
Filesize 206B
MD5 36515cbac314e86eebe9d0e024529234
SHA1 bc318c8d1907f696e762719be660c7a01c8b3189
SHA256 d96aef1d2559909bcae60b5d227de107a08c2795dd9e9a70f4ca259909310bc0
SHA512 2817c08ce13aa8dcaf9dcd13e2abf2089214180a477c99a7282bc24242187b776a130120c4daf10d2c2da273d4f80157bd8c469e77fae5b112d3e64cd1ca0a57
-
Filesize 206B
MD5 27b087337daa13547fe68a62c5112ad3
SHA1 1424db272863780852e0f42527232a3548ad6584
SHA256 2b29187caf07fa2331296892bdc4a7a23de9ba98a0950d81c96d2913e7598a41
SHA512 2c04a272f0287bd30c41d1957e4aeb564ac9e55664c78824679df14d4384119ed19cde7332578f4a6293e2189c07346ffe84c19d7b8d2355796620f5cc83a692
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 73eec08d7ed1777d1df9893d1678bc4c
SHA1 c9af648adc28edd1d1fd92b6fa66a3ba14c5508d
SHA256 83d3eb89b203839cadde2bce392041c3872cea0cb414d4caccf596ac5286d90a
SHA512 df57f62d6a85ea57360ef19967a2abaeba1b3d7f20bfa56989ee168b172f979add744d6755130acd9ac45f7fcf4622e0de40e266487464d181a786185585aa60
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394