Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 19:52
Behavioral task: behavioral1
Sample: JaffaCakes118_34f19e77e80c969abefb74e0677fe33c1e3cbd9bf269a7ac9c89b60f0c9b7db0.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: JaffaCakes118_34f19e77e80c969abefb74e0677fe33c1e3cbd9bf269a7ac9c89b60f0c9b7db0.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_34f19e77e80c969abefb74e0677fe33c1e3cbd9bf269a7ac9c89b60f0c9b7db0.exe
Size: 1.3MB
MD5: 1f532439752677e32e6d8943216e852a
SHA1: 2c5de7dd1cf5755b5237302feb58a6a303038e30
SHA256: 34f19e77e80c969abefb74e0677fe33c1e3cbd9bf269a7ac9c89b60f0c9b7db0
SHA512: 20359be036ed722fe977c6206fdba0318279afe7d70b3305eb2c963d75127d7887d38b1a030c8cdaf92a6d60c92ee08ab5973143afb8991f76b245afb0ac5779
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2824 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2760 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2664 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2732 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2768 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2860 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2644 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2696 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2172 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2280 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 568 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1816 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2884 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2528 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1160 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1272 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2960 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2616 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1984 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1776 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 860 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1800 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2180 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2444 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1924 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2056 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 772 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2224 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2232 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 944 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1136 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1660 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1308 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1600 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 748 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1580 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2516 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1548 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1508 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1708 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 900 | 2820 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 548 | 2820 | schtasks.exe | 34
resource | yara_rule
behavioral1/files/0x000700000001939c-9.dat | dcrat
behavioral1/memory/1696-13-0x0000000001060000-0x0000000001170000-memory.dmp | dcrat
behavioral1/memory/2740-129-0x0000000000010000-0x0000000000120000-memory.dmp | dcrat
behavioral1/memory/1244-188-0x0000000000860000-0x0000000000970000-memory.dmp | dcrat
behavioral1/memory/664-248-0x00000000002D0000-0x00000000003E0000-memory.dmp | dcrat
behavioral1/memory/1632-309-0x0000000000B90000-0x0000000000CA0000-memory.dmp | dcrat
behavioral1/memory/912-429-0x0000000000DC0000-0x0000000000ED0000-memory.dmp | dcrat
behavioral1/memory/2020-489-0x0000000001320000-0x0000000001430000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
3016 | powershell.exe
2504 | powershell.exe
1940 | powershell.exe
1768 | powershell.exe
1980 | powershell.exe
2052 | powershell.exe
2612 | powershell.exe
2268 | powershell.exe
804 | powershell.exe
2204 | powershell.exe
2980 | powershell.exe
2168 | powershell.exe
2580 | powershell.exe
1744 | powershell.exe
2496 | powershell.exe
Executes dropped EXE 12 IoCs
pid | Process
1696 | DllCommonsvc.exe
2740 | OSPPSVC.exe
1244 | OSPPSVC.exe
664 | OSPPSVC.exe
1632 | OSPPSVC.exe
1968 | OSPPSVC.exe
912 | OSPPSVC.exe
2020 | OSPPSVC.exe
1308 | OSPPSVC.exe
2012 | OSPPSVC.exe
2624 | OSPPSVC.exe
988 | OSPPSVC.exe
Loads dropped DLL 2 IoCs
pid | Process
2364 | cmd.exe
2364 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow | ioc
5 | raw.githubusercontent.com
9 | raw.githubusercontent.com
16 | raw.githubusercontent.com
22 | raw.githubusercontent.com
4 | raw.githubusercontent.com
19 | raw.githubusercontent.com
25 | raw.githubusercontent.com
29 | raw.githubusercontent.com
32 | raw.githubusercontent.com
36 | raw.githubusercontent.com
39 | raw.githubusercontent.com
13 | raw.githubusercontent.com
Drops file in Program Files directory 6 IoCs
description | ioc | Process
File created | C:\Program Files\MSBuild\smss.exe | DllCommonsvc.exe
File created | C:\Program Files\MSBuild\69ddcba757bf72 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Sync Framework\conhost.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Sync Framework\088424020bedd6 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Adobe\System.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Adobe\27d1bcfc3c54e0 | DllCommonsvc.exe
Drops file in Windows directory 8 IoCs
description | ioc | Process
File created | C:\Windows\winsxs\amd64_tape.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_0b82a3532535a51b\Idle.exe | DllCommonsvc.exe
File created | C:\Windows\diagnostics\system\WindowsUpdate\it-IT\explorer.exe | DllCommonsvc.exe
File created | C:\Windows\inf\lsass.exe | DllCommonsvc.exe
File created | C:\Windows\inf\6203df4a6bafc7 | DllCommonsvc.exe
File created | C:\Windows\system\lsass.exe | DllCommonsvc.exe
File created | C:\Windows\system\6203df4a6bafc7 | DllCommonsvc.exe
File created | C:\Windows\twain_32\explorer.exe | DllCommonsvc.exe
File created | C:\Windows\twain_32\7a0fd90576e088 | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_34f19e77e80c969abefb74e0677fe33c1e3cbd9bf269a7ac9c89b60f0c9b7db0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1308 | schtasks.exe
1508 | schtasks.exe
548 | schtasks.exe
2644 | schtasks.exe
2884 | schtasks.exe
2616 | schtasks.exe
1984 | schtasks.exe
900 | schtasks.exe
2732 | schtasks.exe
2280 | schtasks.exe
568 | schtasks.exe
1136 | schtasks.exe
1600 | schtasks.exe
2960 | schtasks.exe
772 | schtasks.exe
2224 | schtasks.exe
944 | schtasks.exe
2516 | schtasks.exe
1548 | schtasks.exe
2824 | schtasks.exe
2664 | schtasks.exe
1800 | schtasks.exe
748 | schtasks.exe
2056 | schtasks.exe
1708 | schtasks.exe
2860 | schtasks.exe
2172 | schtasks.exe
860 | schtasks.exe
2444 | schtasks.exe
2760 | schtasks.exe
2768 | schtasks.exe
1660 | schtasks.exe
1580 | schtasks.exe
1272 | schtasks.exe
1776 | schtasks.exe
2180 | schtasks.exe
1924 | schtasks.exe
2696 | schtasks.exe
1816 | schtasks.exe
2528 | schtasks.exe
1160 | schtasks.exe
2232 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 31 IoCs
pid | Process
1696 | DllCommonsvc.exe
1696 | DllCommonsvc.exe
1696 | DllCommonsvc.exe
1696 | DllCommonsvc.exe
1696 | DllCommonsvc.exe
1768 | powershell.exe
2052 | powershell.exe
2612 | powershell.exe
804 | powershell.exe
2204 | powershell.exe
1940 | powershell.exe
3016 | powershell.exe
1744 | powershell.exe
2580 | powershell.exe
2268 | powershell.exe
2496 | powershell.exe
2168 | powershell.exe
1980 | powershell.exe
2980 | powershell.exe
2504 | powershell.exe
2740 | OSPPSVC.exe
1244 | OSPPSVC.exe
664 | OSPPSVC.exe
1632 | OSPPSVC.exe
1968 | OSPPSVC.exe
912 | OSPPSVC.exe
2020 | OSPPSVC.exe
1308 | OSPPSVC.exe
2012 | OSPPSVC.exe
2624 | OSPPSVC.exe
988 | OSPPSVC.exe
Suspicious use of AdjustPrivilegeToken 27 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1696 | DllCommonsvc.exe
Token: SeDebugPrivilege | 1768 | powershell.exe
Token: SeDebugPrivilege | 2052 | powershell.exe
Token: SeDebugPrivilege | 2612 | powershell.exe
Token: SeDebugPrivilege | 804 | powershell.exe
Token: SeDebugPrivilege | 2204 | powershell.exe
Token: SeDebugPrivilege | 1940 | powershell.exe
Token: SeDebugPrivilege | 3016 | powershell.exe
Token: SeDebugPrivilege | 1744 | powershell.exe
Token: SeDebugPrivilege | 2580 | powershell.exe
Token: SeDebugPrivilege | 2268 | powershell.exe
Token: SeDebugPrivilege | 2496 | powershell.exe
Token: SeDebugPrivilege | 2168 | powershell.exe
Token: SeDebugPrivilege | 1980 | powershell.exe
Token: SeDebugPrivilege | 2980 | powershell.exe
Token: SeDebugPrivilege | 2504 | powershell.exe
Token: SeDebugPrivilege | 2740 | OSPPSVC.exe
Token: SeDebugPrivilege | 1244 | OSPPSVC.exe
Token: SeDebugPrivilege | 664 | OSPPSVC.exe
Token: SeDebugPrivilege | 1632 | OSPPSVC.exe
Token: SeDebugPrivilege | 1968 | OSPPSVC.exe
Token: SeDebugPrivilege | 912 | OSPPSVC.exe
Token: SeDebugPrivilege | 2020 | OSPPSVC.exe
Token: SeDebugPrivilege | 1308 | OSPPSVC.exe
Token: SeDebugPrivilege | 2012 | OSPPSVC.exe
Token: SeDebugPrivilege | 2624 | OSPPSVC.exe
Token: SeDebugPrivilege | 988 | OSPPSVC.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2556 wrote to memory of 2564 | 2556 | JaffaCakes118_34f19e77e80c969abefb74e0677fe33c1e3cbd9bf269a7ac9c89b60f0c9b7db0.exe | 30
PID 2556 wrote to memory of 2564 | 2556 | JaffaCakes118_34f19e77e80c969abefb74e0677fe33c1e3cbd9bf269a7ac9c89b60f0c9b7db0.exe | 30
PID 2556 wrote to memory of 2564 | 2556 | JaffaCakes118_34f19e77e80c969abefb74e0677fe33c1e3cbd9bf269a7ac9c89b60f0c9b7db0.exe | 30
PID 2556 wrote to memory of 2564 | 2556 | JaffaCakes118_34f19e77e80c969abefb74e0677fe33c1e3cbd9bf269a7ac9c89b60f0c9b7db0.exe | 30
PID 2564 wrote to memory of 2364 | 2564 | WScript.exe | 31
PID 2564 wrote to memory of 2364 | 2564 | WScript.exe | 31
PID 2564 wrote to memory of 2364 | 2564 | WScript.exe | 31
PID 2564 wrote to memory of 2364 | 2564 | WScript.exe | 31
PID 2364 wrote to memory of 1696 | 2364 | cmd.exe | 33
PID 2364 wrote to memory of 1696 | 2364 | cmd.exe | 33
PID 2364 wrote to memory of 1696 | 2364 | cmd.exe | 33
PID 2364 wrote to memory of 1696 | 2364 | cmd.exe | 33
PID 1696 wrote to memory of 1768 | 1696 | DllCommonsvc.exe | 77
PID 1696 wrote to memory of 1768 | 1696 | DllCommonsvc.exe | 77
PID 1696 wrote to memory of 1768 | 1696 | DllCommonsvc.exe | 77
PID 1696 wrote to memory of 2612 | 1696 | DllCommonsvc.exe | 79
PID 1696 wrote to memory of 2612 | 1696 | DllCommonsvc.exe | 79
PID 1696 wrote to memory of 2612 | 1696 | DllCommonsvc.exe | 79
PID 1696 wrote to memory of 804 | 1696 | DllCommonsvc.exe | 80
PID 1696 wrote to memory of 804 | 1696 | DllCommonsvc.exe | 80
PID 1696 wrote to memory of 804 | 1696 | DllCommonsvc.exe | 80
PID 1696 wrote to memory of 2268 | 1696 | DllCommonsvc.exe | 81
PID 1696 wrote to memory of 2268 | 1696 | DllCommonsvc.exe | 81
PID 1696 wrote to memory of 2268 | 1696 | DllCommonsvc.exe | 81
PID 1696 wrote to memory of 1940 | 1696 | DllCommonsvc.exe | 82
PID 1696 wrote to memory of 1940 | 1696 | DllCommonsvc.exe | 82
PID 1696 wrote to memory of 1940 | 1696 | DllCommonsvc.exe | 82
PID 1696 wrote to memory of 2504 | 1696 | DllCommonsvc.exe | 83
PID 1696 wrote to memory of 2504 | 1696 | DllCommonsvc.exe | 83
PID 1696 wrote to memory of 2504 | 1696 | DllCommonsvc.exe | 83
PID 1696 wrote to memory of 2168 | 1696 | DllCommonsvc.exe | 84
PID 1696 wrote to memory of 2168 | 1696 | DllCommonsvc.exe | 84
PID 1696 wrote to memory of 2168 | 1696 | DllCommonsvc.exe | 84
PID 1696 wrote to memory of 2980 | 1696 | DllCommonsvc.exe | 85
PID 1696 wrote to memory of 2980 | 1696 | DllCommonsvc.exe | 85
PID 1696 wrote to memory of 2980 | 1696 | DllCommonsvc.exe | 85
PID 1696 wrote to memory of 3016 | 1696 | DllCommonsvc.exe | 86
PID 1696 wrote to memory of 3016 | 1696 | DllCommonsvc.exe | 86
PID 1696 wrote to memory of 3016 | 1696 | DllCommonsvc.exe | 86
PID 1696 wrote to memory of 2204 | 1696 | DllCommonsvc.exe | 87
PID 1696 wrote to memory of 2204 | 1696 | DllCommonsvc.exe | 87
PID 1696 wrote to memory of 2204 | 1696 | DllCommonsvc.exe | 87
PID 1696 wrote to memory of 2052 | 1696 | DllCommonsvc.exe | 88
PID 1696 wrote to memory of 2052 | 1696 | DllCommonsvc.exe | 88
PID 1696 wrote to memory of 2052 | 1696 | DllCommonsvc.exe | 88
PID 1696 wrote to memory of 2496 | 1696 | DllCommonsvc.exe | 89
PID 1696 wrote to memory of 2496 | 1696 | DllCommonsvc.exe | 89
PID 1696 wrote to memory of 2496 | 1696 | DllCommonsvc.exe | 89
PID 1696 wrote to memory of 1980 | 1696 | DllCommonsvc.exe | 91
PID 1696 wrote to memory of 1980 | 1696 | DllCommonsvc.exe | 91
PID 1696 wrote to memory of 1980 | 1696 | DllCommonsvc.exe | 91
PID 1696 wrote to memory of 1744 | 1696 | DllCommonsvc.exe | 92
PID 1696 wrote to memory of 1744 | 1696 | DllCommonsvc.exe | 92
PID 1696 wrote to memory of 1744 | 1696 | DllCommonsvc.exe | 92
PID 1696 wrote to memory of 2580 | 1696 | DllCommonsvc.exe | 93
PID 1696 wrote to memory of 2580 | 1696 | DllCommonsvc.exe | 93
PID 1696 wrote to memory of 2580 | 1696 | DllCommonsvc.exe | 93
PID 1696 wrote to memory of 1248 | 1696 | DllCommonsvc.exe | 104
PID 1696 wrote to memory of 1248 | 1696 | DllCommonsvc.exe | 104
PID 1696 wrote to memory of 1248 | 1696 | DllCommonsvc.exe | 104
PID 1248 wrote to memory of 2308 | 1248 | cmd.exe | 109
PID 1248 wrote to memory of 2308 | 1248 | cmd.exe | 109
PID 1248 wrote to memory of 2308 | 1248 | cmd.exe | 109
PID 1248 wrote to memory of 2740 | 1248 | cmd.exe | 110
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_34f19e77e80c969abefb74e0677fe33c1e3cbd9bf269a7ac9c89b60f0c9b7db0.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_34f19e77e80c969abefb74e0677fe33c1e3cbd9bf269a7ac9c89b60f0c9b7db0.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2612
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:804
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2268
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1940
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2504
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2168
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2980
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3016
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2204
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2052
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2496
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\inf\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1744
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2580
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pa81yZHIdl.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:2308
-
-
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe"C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2740 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M2NHsv551y.bat"7⤵PID:2012
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:2276
-
-
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe"C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1244 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z3bbUpz34c.bat"9⤵PID:2392
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:564
-
-
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe"C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:664 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xghrCifyI9.bat"11⤵PID:2476
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:1276
-
-
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe"C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vad0LeRbBz.bat"13⤵PID:2828
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵PID:484
-
-
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe"C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat"15⤵PID:808
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵PID:2600
-
-
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe"C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:912 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUI7DLfHyj.bat"17⤵PID:2560
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵PID:1164
-
-
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe"C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bYn7JG6kRk.bat"19⤵PID:1272
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵PID:2648
-
-
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe"C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1308 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GptcLQn9Ec.bat"21⤵PID:2528
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵PID:1576
-
-
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe"C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Db6xYfwFNB.bat"23⤵PID:2360
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵PID:2124
-
-
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe"C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2624 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat"25⤵PID:2960
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵PID:1864
-
-
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe"C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe"26⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:988 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9avng9MHpa.bat"27⤵PID:2828
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:228⤵PID:2084
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\DllCommonsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Recent\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Recent\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Recent\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\inf\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\inf\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\inf\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\system\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\system\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\system\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\twain_32\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\twain_32\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\twain_32\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548
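Read together, the schtasks.exe entries above follow one pattern per dropped copy of the sample: a task named after the binary that fires ONLOGON with /rl HIGHEST, plus one or two MINUTE-interval tasks (same name with a trailing letter), all pointing at an executable that borrows a Windows process name (lsass.exe, smss.exe, conhost.exe, explorer.exe, lsm.exe) but sits outside that process's normal directory. The Python below is an added example written for this page, not code from the sandbox report or from the DcRat sample: it parses the `schtasks /create` command lines (the lsm.exe, C:\Windows\inf\lsass.exe and twain_32\explorer.exe entries copied from the list above, plus two constructed benign lines for contrast), checks each target against a small assumed table of where those process names legitimately live, and reports the targets that match the pattern. The directory table, the 15-minute interval cut-off and the score threshold are assumptions chosen for illustration, not values taken from the report.

```python
import ntpath
import re
from collections import defaultdict

# Command lines copied from the process list in this report; the last two are
# constructed benign tasks added for contrast and do not appear in the report.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\inf\lsass.exe'" /f''',
    r'''schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\inf\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\inf\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\twain_32\explorer.exe'" /f''',
    r'''schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\twain_32\explorer.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\twain_32\explorer.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "Backup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe" /f''',
    r'''schtasks.exe /create /tn "Poll" /sc MINUTE /mo 5 /tr "C:\Tools\poll.exe" /f''',
]

# Assumed home directories for the process names the sample borrows. Simplified
# on purpose: it ignores SysWOW64 and WinSxS copies, so treat hits as leads.
EXPECTED_DIR = {
    "lsass.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "conhost.exe": r"c:\windows\system32",
    "lsm.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

_TN = re.compile(r'/tn\s+"([^"]+)"', re.I)
_SC = re.compile(r"/sc\s+(\S+)", re.I)
_MO = re.compile(r"/mo\s+(\d+)", re.I)
_TR = re.compile(r'''/tr\s+"'?([^"']+)'?"''', re.I)   # accepts "'path'" and "path"
_RL = re.compile(r"/rl\s+(\S+)", re.I)


def parse_schtasks(cmdline):
    """Extract the fields of a `schtasks /create` command line; None if it is not one."""
    tokens = cmdline.lower().split()
    if "/create" not in tokens:
        return None
    tn, sc, tr = _TN.search(cmdline), _SC.search(cmdline), _TR.search(cmdline)
    if not (tn and sc and tr):
        return None
    mo, rl = _MO.search(cmdline), _RL.search(cmdline)
    return {
        "name": tn.group(1),
        "schedule": sc.group(1).upper(),
        "modifier": int(mo.group(1)) if mo else None,
        "target": tr.group(1),
        "run_level": rl.group(1).upper() if rl else "LIMITED",
        "force": "/f" in tokens,
    }


def flag_task(task):
    """Per-task traits shared by the entries in the report."""
    flags = set()
    directory, base = ntpath.split(task["target"])
    expected = EXPECTED_DIR.get(base.lower())
    if expected and directory.lower() != expected:
        flags.add("masquerade")        # system-process name outside its home directory
    if task["schedule"] == "MINUTE" and task["modifier"] is not None and task["modifier"] <= 15:
        flags.add("short-interval")    # relaunch every few minutes (assumed cut-off: 15)
    if task["run_level"] == "HIGHEST":
        flags.add("highest")           # requests the highest available token
    return flags


def group_by_target(cmdlines):
    """Cluster create commands by the binary they launch."""
    groups = defaultdict(lambda: {"names": [], "schedules": [], "flags": set()})
    for line in cmdlines:
        task = parse_schtasks(line)
        if task is None:
            continue
        g = groups[task["target"]]
        g["names"].append(task["name"])
        g["schedules"].append(task["schedule"])
        g["flags"] |= flag_task(task)
    return dict(groups)


def suspicious_targets(cmdlines, threshold=3):
    """Targets scoring >= threshold: the per-task traits above, plus one point for
    several tasks on one binary and one for mixing ONLOGON with MINUTE triggers.
    The threshold is an assumed tuning value."""
    hits = {}
    for target, g in group_by_target(cmdlines).items():
        score = len(g["flags"])
        score += int(len(g["names"]) > 1)
        score += int("ONLOGON" in g["schedules"] and "MINUTE" in g["schedules"])
        if score >= threshold:
            hits[target] = sorted(g["flags"])
    return hits


if __name__ == "__main__":
    for target, flags in suspicious_targets(SAMPLE_CMDLINES).items():
        print(f"{target}: {', '.join(flags)}")
```

On the report's lines this reports the three targets and leaves the two constructed benign tasks alone; the poll.exe task trips only the interval check, which is why the per-target score, not any single trait, decides. The same parser can be fed Sysmon Event ID 1 or Security 4688 command lines from a real host, and Security 4698 (task created) gives the task XML directly when command-line auditing is off.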
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 e6d586322558fad300303aa7d6038947
SHA1 e6dec9b3c10ef18ad04a8820edb98e526175b176
SHA256 c2a02dd41e951f2df24e02f457d167b0e755a8b9bdae51873538fd719041049f
SHA512 dd2ee33d6e53b989bd70cc9601969ff0a0863aca18f65473eaa68274e2cc16ee717d283fb8fe32f303812c0689447f2693f47eeca71f3400595a24b22574e308
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 51f04184fa7ecc610be44e709f1752ff
SHA1 8d9bf9744d6957640d644caede5fab7fdb34a9b3
SHA256 d4ad7df819dddb949c5d95a1d58dc7ee62f856bdeb751dbe18dd48b3a76cf802
SHA512 5422dcadcba43827f46335c026aa35fcf1c58765f36a67eb2e702366c30f23a6187d0c66706d1a721d29f0afb330f6e5c243e4da6a6d32607508120560bec843
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 c0a27b39feded214d760082aa9c3d616
SHA1 900fe3e2e0d68d47c144ee4727c2513300aac8c9
SHA256 3b8aa8b4ec1cff189d1d35fdc4875c0cff8107f02d3558e08e245d9062785ef7
SHA512 c6bb5816fc139f19668de85d237452be074a4af3b963292d563d65e50f1140c4cab44a8d1aec36da15ad188f72faf27286af95918bbb8c63ffc0fd4b143b22d5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 a0f32b6ae88cf1725f8cdae494ebeae8
SHA1 0795812ba1aec9ed5ef88149b3e905945fbead53
SHA256 ce6e7bae73b486942be006228649e2238c2698c995e9bad7bb7a86cbc943a777
SHA512 df44e19bd1621f62e9dbc7bdeaf86a70f91fbc9965e60153b1a03170023445636a523325ad1cf680855f22f31ad28791b06c9d524ad88be81e7ae11cbe93dd4d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 0e682cb5cfb28cfdac437b1077707e1e
SHA1 278c20765dbf174c26f350014fb1dd845470e392
SHA256 62da0a92d6dc2774d83bb1f80006e20203e252b68363b7d87cf8ea6b75e478b3
SHA512 bbae0d6e7028219290d040845908ca49b485e5c45f2312bdd43822ebbb9d94473f10074b4653972691fff3b1dc08552e778381cae56d9496c11f870fc74369ae
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 4ae882e629ff018d85d73102d912a105
SHA1 a011d0424fbfb905518a69e9f9177debbdae9299
SHA256 d68324897f1e3378b1483cdccadaeffa9f86dc8a3e507c490daa9bdc017285b6
SHA512 e480f08d1ce42d38be61fd077c2700940c50b0c5268fbf430aacfeb35d5a46c55f7f1bf0b0f0e08e89fe3458cd3f6acf43e99c26eab49acb0868bdbd3fc98723
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 17a53a8b38029c0a84b96fbeb4fe6693
SHA1 5d84e1222dbd81ce0628adf4985c77c92ac0dfe1
SHA256 d84d6b6e0a2ebae1db6039fc09907e1a91e9ada282080abd145f566b5afc937f
SHA512 d9c0aa47c9a12f7abf14e09ef843b713216bb955ec1a26e76d04c99e8323ad3fb64e904833ff8db7d927f75f61c4a41f4307b22853d0ff5183b6602b9bee632d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 83a36bcfb4b6db5084588d9bfae7c7ea
SHA1 5266b2a4b1ecdbbb025b1f2fbb35bccec81f2eaf
SHA256 160fa79c5f27baa0c1cfe271d727dd65d6422a02e325458878679d31268203fc
SHA512 553e0f5aa57d6796d59b323daeb1876a32e6ec5a55819a7f04857be7fb1ceab5deb37b7f12069af34c37e680b69f3924e1e755137af84d9d9d481b284bb0a267
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 28dca846571c5678da269ea608ec1a9c
SHA1 8dced5acef9069978a7ddd51a8dd1b612cd338ee
SHA256 1726589ba45c6e432c580f4a7ccd9c13d710e759c59a8a259a6487812fd3b462
SHA512 100c4a471d75caff26f40cb7a5c1e6043fd53cfdbe44b808120d9ef9f41e50659888b43610e6b50f4754e30875a816515fda69fddb8dccb596f5c007e8722047
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 8da9e68ddbd670f7d0ff1bf08879264f
SHA1 79c0346677f4a4708992a76f65be91999fb33b4e
SHA256 857773e0ea277ab8a4315f1608b64e33950b04967ea8f4309a8314c1ad51b837
SHA512 78b13f2d28ac956c9bcd4115242c026688ca013788dbd832815e455b4a71e7dd31634627c6ba4093fc6d81183ff2ad91f6812c1db8754caf511a283b049494e4
-
Filesize 225B
MD5 33199990112857bbc66f3542c4c7725a
SHA1 432420d28a69f09c928d6e49322aebe365efb65b
SHA256 8a0bb6db1f9059a9fc8e27b9283f59229bb964613b747a3e2e70e1136310566b
SHA512 01dd0bfb8cc8cce2bf46522e505bf8722a8fdd83e82b1f45e3623fa5201104235b56a88cd389e0e25a65e4492ee5653aeea8392e89395e682b13d5c7a92516e2
-
Filesize 225B
MD5 9e414e41f523adfe98b9077103803c8a
SHA1 9fce44b8bde0ed782a774aa1494e3cedc64a35f1
SHA256 7f85fda9c9d25c76666e5076f9fcfb217f73d4079ab1c2c2e9d158fb2df95c32
SHA512 88d6a934f5a35a610341e016f4401dca4eb88482bce205860fd02102d650b49ad196d451610f0f9013a2fe3c7e0ebc38d0255c489280e846e4ceac06a960fb71
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 225B
MD5 b7dcfef2c43d3eeedeb9fe1ebdb7df44
SHA1 21656a7e69b2fe9d8c1a23a931bb13c6ad780bef
SHA256 16d56ad190da41f792ae549f5471c221b6d37c4510a54ab56d7bfdfe8e20875a
SHA512 e04813d05175558c8d3c68c72e77b8953c090eda6cf570fdbd7c31fa2f733055701526db2f711b3a965011dd143588b31242107e817746a2075be8ed692a7f29
-
Filesize 225B
MD5 82b810375fd041afc215d9798a1bb6b3
SHA1 032b1f1e51d88e4d15d895b2c711772ac570cf63
SHA256 ae539ec9236debd8a8d4949d1feff379ecf78d5e272bd8465ecb65c860fa9e90
SHA512 213abccb9fd95fbdac9c28d34fe76e6a424779131997a9cd49470d072545f849527eb8c43099cee78a0b7726a57407911e42df55723a8f6f61601e0b3df53c24
-
Filesize 225B
MD5 812f1b8e602fecf730d72b5c3f0319f1
SHA1 82c1a1cfad777a43e220a3e7bf45b44a90f78f3a
SHA256 8ad95ee236ada37b095e3dc2f4f5c4c295c620d99b6e650663c50ad5587f5dfd
SHA512 38612cfe122c048c2037822955a58d3d248512d338996128fd0daa7931b989b8b70f1e233d5584d2201c31de8c71c8df8309f15b2dc4f12d9bdcc361dff08388
-
Filesize 225B
MD5 53d83d8defb45d1c412c4191e955ea80
SHA1 c602ae425882ab06abb4bc104fe16e4339df081e
SHA256 99a3a8dfa7a1521b6b9a2e3914d8bea8f854f3e3b87bc2466e738abe579df0f4
SHA512 9b176b78db40d849a33fe34f79059a14cc11095455389e5606be9d378b16374815dbd04e28348f532f25b7219ea686c3905e6d5cecc7c1b529766f48e74670e2
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 225B
MD5 356dba04e623715bb29cb99dd48b28e4
SHA1 8109f12b32475ce5483d096bbb054fd6dcea05e4
SHA256 d325beb97ab34ae3ed372f68b35ff74624a516aa2f5ad95c06d0ce50abc1beb1
SHA512 ac0bbbf56c1931e26e90b8776143203ea53b59222460ae14990d313dab7d507f9f9820487062c8f6a8bfa814749130cbb60c4acf0d54baf7edcf8746fd8e6366
-
Filesize 225B
MD5 51fb98d84099afc80174d21d7a99166e
SHA1 87cf4abbb55d1e0df21c335834a91b06f3cc6b24
SHA256 3c8a0d087ac35a1b00baa3c96f2768a88d205eb4cf97b76e1d2f9736aff3fd3b
SHA512 5a08460a0938f73e73669922207a04d2852745a70f3989505d6ba12f805714011260803c8a2a6c7cb35921eacea6cca988661a2dc87d14c28ab1de45703d65f0
-
Filesize 225B
MD5 75b5b7b1869ef6c92c7069e229c286de
SHA1 aa9c3116114bc3f7f966c1c384de97e666dd52a6
SHA256 92231cc4a9fbc06901c0dd4da6f9495d54a9f21471cbe3af1f8d3ef723a85a1c
SHA512 fd61c0c2abe4b82d6f77df05a8b26332a0f38b5223240aad17ed9c47a43d6c2ab2b5c8521367819269d5ec6799544abc5c30df10e076b3c90b059fcca9c0bdd1
-
Filesize 225B
MD5 f08c3603a2027e8f8faa5428309147b8
SHA1 cb5b3582aed69fdd90182d11fb80dba299f9a020
SHA256 94e11fae316aa28375fbb8be1a3fb051f8eb2eb55705139cfb09470121e95402
SHA512 d3b35181b263efe3a3ecc88f77492adc4aeaa97006a12da68df2e12996707e022fb28386b98563630a5e6db3092e1e4344e5841cd23ce193b5e8968442e03d66
-
Filesize 225B
MD5 de182ce4e1394702d30805d5e272f856
SHA1 54c708c25e8c9e3cab4d5792a44d05225d97a5b1
SHA256 e31131293e59e60d973489d66adb7fd94c4eb55c142e752f6ecdb6f0829f2392
SHA512 2dee68df030e519d3b5fb45ad2b91ea22b40f8d900ed84ac5c13a15344ad5adba459a1769f67cb169a8b3c22502d18398ea04a05d97e6ddaef86c3aa8f870f21
-
Filesize 225B
MD5 584de7d20ac3e029ca8ea5be34be1565
SHA1 18daabb0e33da96cf770a6b36c0754b829647d39
SHA256 5d0c29e786a2b9020bc8ca5dc09814492aa0c7b00f4b7338b585aaeba04f6ebb
SHA512 2cae99d777bc1bb64600f6294cbf23e329617a6eca1c2d952979c0cddce0e393ed51bf00bc5a5481e67d051e82e67337e4cd9318a8282101ae98f91d48429b8c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 384f78ccdd614489e59dfa7be2bee213
SHA1 a3f53273436081f554d5347e93814209432dbd6b
SHA256 7f4f8d080027faadcab27a693e9fdec91ecd7c391333a82f4d689e83a7fd635b
SHA512 9f7dd856ec3de4f1cf7025d2d8070cacb944da6a8dde55767c1b61248622e45cf6d0ba01e828fa880469e1b6711057a01ea7c13b55b6e3b857129ada0a9318ff
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394