Analysis
max time kernel: 149s
max time network: 145s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 19:48
Behavioral task: behavioral1
Sample: JaffaCakes118_0ea1556410c69ba5f14ac55a2aaed25a79070fbefa7992f9ebc1bf40be4f53f0.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: JaffaCakes118_0ea1556410c69ba5f14ac55a2aaed25a79070fbefa7992f9ebc1bf40be4f53f0.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_0ea1556410c69ba5f14ac55a2aaed25a79070fbefa7992f9ebc1bf40be4f53f0.exe
Size: 1.3MB
MD5: e47a9049e6ce57ce55e007018ab5fadd
SHA1: 4f1f26d30d411f4a84a392fa5f2e1d106f678a68
SHA256: 0ea1556410c69ba5f14ac55a2aaed25a79070fbefa7992f9ebc1bf40be4f53f0
SHA512: b3d913f2b1e433f88420fa5cecc25dadf9d82059898ded0698013d4f6cbd29e254b19b1982a1e70e1f7509153a5b5c8b7ee140d245a80f89d0b6a10904e0bbd1
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
resource | yara_rule
behavioral1/files/0x0007000000019230-12.dat | dcrat
behavioral1/memory/2204-13-0x0000000000EA0000-0x0000000000FB0000-memory.dmp | dcrat
behavioral1/memory/2504-133-0x0000000001320000-0x0000000001430000-memory.dmp | dcrat
behavioral1/memory/448-192-0x0000000000020000-0x0000000000130000-memory.dmp | dcrat
behavioral1/memory/2780-252-0x0000000000AF0000-0x0000000000C00000-memory.dmp | dcrat
behavioral1/memory/1760-312-0x0000000001290000-0x00000000013A0000-memory.dmp | dcrat
behavioral1/memory/2128-372-0x00000000012A0000-0x00000000013B0000-memory.dmp | dcrat
behavioral1/memory/2288-551-0x00000000002B0000-0x00000000003C0000-memory.dmp | dcrat
behavioral1/memory/2228-611-0x0000000000BB0000-0x0000000000CC0000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Executes dropped EXE 11 IoCs
pid | Process
2204 | DllCommonsvc.exe
2504 | Idle.exe
448 | Idle.exe
2780 | Idle.exe
1760 | Idle.exe
2128 | Idle.exe
2936 | Idle.exe
2788 | Idle.exe
2288 | Idle.exe
2228 | Idle.exe
2964 | Idle.exe
Loads dropped DLL 2 IoCs
pid | Process
2216 | cmd.exe
2216 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow | ioc
23 | raw.githubusercontent.com
27 | raw.githubusercontent.com
34 | raw.githubusercontent.com
12 | raw.githubusercontent.com
16 | raw.githubusercontent.com
20 | raw.githubusercontent.com
30 | raw.githubusercontent.com
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
9 | raw.githubusercontent.com
Drops file in Program Files directory 11 IoCs
description | ioc | Process
File created | C:\Program Files\Mozilla Firefox\browser\0a1fd5f707cd16 | DllCommonsvc.exe
File created | C:\Program Files\7-Zip\Lang\smss.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe | DllCommonsvc.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\cmd.exe | DllCommonsvc.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\ebf1f9fa8afd6d | DllCommonsvc.exe
File created | C:\Program Files\Mozilla Firefox\browser\sppsvc.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\sppsvc.exe | DllCommonsvc.exe
File created | C:\Program Files\7-Zip\Lang\69ddcba757bf72 | DllCommonsvc.exe
File created | C:\Program Files\Windows Sidebar\en-US\DllCommonsvc.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Sidebar\en-US\a76d7bf15d8370 | DllCommonsvc.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\cc11b995f2a76d | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_0ea1556410c69ba5f14ac55a2aaed25a79070fbefa7992f9ebc1bf40be4f53f0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 29 IoCs
Suspicious use of AdjustPrivilegeToken 27 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[level 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0ea1556410c69ba5f14ac55a2aaed25a79070fbefa7992f9ebc1bf40be4f53f0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0ea1556410c69ba5f14ac55a2aaed25a79070fbefa7992f9ebc1bf40be4f53f0.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2252

[level 2] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1908

[level 3] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2216

[level 4] C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2204
[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 572

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\browser\sppsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1216

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft Help\winlogon.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2108

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\smss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1992

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\en-US\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2248

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1644

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2536

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1596

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2420

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2132

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2092

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1388

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1896

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1624

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\bin\cmd.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2404

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2360
[level 5] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9s17GBcp13.bat"
  - Suspicious use of WriteProcessMemory
  PID: 1668

[level 6] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1252

[level 6] C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
  Command line: "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2504

[level 7] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat"
  PID: 1728

[level 8] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2408

[level 8] C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
  Command line: "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 448

[level 9] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat"
  PID: 684

[level 10] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1772

[level 10] C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
  Command line: "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2780

[level 11] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OMiKQlKjHz.bat"
  PID: 2788

[level 12] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2280

[level 12] C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
  Command line: "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1760

[level 13] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cYhs0sn2L6.bat"
  PID: 2760

[level 14] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3032

[level 14] C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
  Command line: "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2128

[level 15] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat"
  PID: 2620

[level 16] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1588

[level 16] C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
  Command line: "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2936

[level 17] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SXo39smTXJ.bat"
  PID: 3008

[level 18] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2984

[level 18] C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
  Command line: "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2788

[level 19] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eKh6VzgSrU.bat"
  PID: 2716

[level 20] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1112

[level 20] C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
  Command line: "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2288

[level 21] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ESzt3JT3T8.bat"
  PID: 1216

[level 22] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1924

[level 22] C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
  Command line: "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2228

[level 23] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zi4n06VBpB.bat"
  PID: 2088

[level 24] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2940

[level 24] C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
  Command line: "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2964
[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\browser\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2792

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2456

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\browser\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2408

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Microsoft Help\winlogon.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2720

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2604

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft Help\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2640

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3024

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3032

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1640

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\en-US\DllCommonsvc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1072

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\en-US\DllCommonsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1652

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\en-US\DllCommonsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1140

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2112

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2228

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1252

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1900

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2516

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1924

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1920

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1512

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2596

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 996

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 792

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2116

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1888

[level 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\providercommon\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\providercommon\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\providercommon\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452
Network
MITRE ATT&CK Enterprise v15
Downloads