Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
21-12-2024 19:52
Behavioral task
behavioral1
Sample
JaffaCakes118_dcc9632d583e049a72ccf3dd2d7421194bbd2d731a346bd646449e1cda95f8c5.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_dcc9632d583e049a72ccf3dd2d7421194bbd2d731a346bd646449e1cda95f8c5.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_dcc9632d583e049a72ccf3dd2d7421194bbd2d731a346bd646449e1cda95f8c5.exe
-
Size
1.3MB
-
MD5
fb8cc415eec439b5e9de7a180bb59356
-
SHA1
28277d0f2a99492ebf4c543cca37f855046278ae
-
SHA256
dcc9632d583e049a72ccf3dd2d7421194bbd2d731a346bd646449e1cda95f8c5
-
SHA512
ab70c2e461c2d2674a92753d0ad5529587e29e85bd7e42c4e5a6f7ff760e7af1e60f9e4d0f37fd5a0c404704c41730efab40fc13730056a4e91c7443d3b63e02
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.
-
DCRat family
-
Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Here the flagged parent is WmiPrvSE.exe (pid 2772), which is the lineage Windows produces when a process is started through WMI (for example Win32_Process.Create) rather than directly by the caller. All 54 children are schtasks.exe, and the task targets match the copies DllCommonsvc.exe drops, so this is the RAT installing persistence through WMI, not a compromised WMI host process.
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (identical for all 54 entries)
pid_target: 2772 (wmiprvse.exe), procid_target: 35 (identical for all 54 entries)
Process: schtasks.exe (identical for all 54 entries)
pid of the spawned schtasks.exe, in report order: 2672, 2648, 2708, 2344, 2996, 2300, 1664, 1748, 2320, 2024, 2464, 1652, 1500, 2440, 320, 2444, 864, 1592, 1764, 2604, 852, 2888, 2392, 2124, 3004, 2940, 1300, 2792, 948, 700, 1740, 1616, 900, 2496, 1628, 2944, 2232, 1580, 1304, 2328, 1760, 2408, 2448, 1940, 1900, 304, 884, 2908, 1612, 1608, 1784, 2004, 2264, 2092
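An added detection example, written for this page and not part of the sandbox report or of the DCRat code, that turns the two lineages visible in this report into checks over Sysmon Event ID 1 records: schtasks.exe /create running under WmiPrvSE.exe, and the w32tm /stripchart timing delay that the dropped batch files run under cmd.exe before relaunching winlogon.exe. The sample records are constructed from command lines in this report, with invented timestamps and one benign control; the function names and the Sysmon field-mapping helper are this example's own.

```powershell
# Added detection example (not from the sandbox report). Sample records are
# constructed from the command lines in this report; timestamps are invented.

# Flatten a Sysmon Event ID 1 record from Get-WinEvent into an object whose
# property names are the Sysmon field names (UtcTime, Image, ParentImage, ...).
function ConvertFrom-SysmonEvent {
    param([Parameter(ValueFromPipeline)] $WinEvent)
    process {
        $fields = @{}
        foreach ($d in ([xml]$WinEvent.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        [pscustomobject]$fields
    }
}

# Rule 1: schtasks.exe /create whose parent is WmiPrvSE.exe (process started via WMI).
# Rule 2: w32tm /stripchart against localhost under cmd.exe, the delay loop in the
# report's .bat files. One finding object is emitted per matching event.
# PowerShell -eq and -match are case-insensitive by default, which is what we want here.
function Find-DcratLineage {
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        if (-not $Event.Image -or -not $Event.ParentImage) { return }
        $parent = Split-Path -Path $Event.ParentImage -Leaf
        $image  = Split-Path -Path $Event.Image -Leaf
        $cmd    = [string]$Event.CommandLine
        if ($parent -eq 'WmiPrvSE.exe' -and $image -eq 'schtasks.exe' -and $cmd -match '/create') {
            # Pull the task name and the action path (schtasks stores /tr "'path'" with quotes).
            $tn = if ($cmd -match '/tn\s+"([^"]+)"') { $matches[1] } else { '' }
            $tr = if ($cmd -match '/tr\s+"''?([^''"]+)''?"') { $matches[1] } else { '' }
            [pscustomobject]@{
                Rule = 'wmi-spawned schtasks /create'; Time = $Event.UtcTime
                Pid = $Event.ProcessId; ParentPid = $Event.ParentProcessId
                Detail = "$tn -> $tr" + $(if ($cmd -match '/rl\s+HIGHEST') { ' [HIGHEST]' } else { '' })
            }
        }
        elseif ($parent -eq 'cmd.exe' -and $image -eq 'w32tm.exe' -and
                $cmd -match '/stripchart' -and $cmd -match '/computer:localhost') {
            [pscustomobject]@{
                Rule = 'w32tm stripchart delay'; Time = $Event.UtcTime
                Pid = $Event.ProcessId; ParentPid = $Event.ParentProcessId
                Detail = $cmd
            }
        }
    }
}

# Constructed sample events (paths and command lines follow the report; times are made up).
$SampleEvents = @(
    [pscustomobject]@{ UtcTime = '2024-12-21 19:53:01'; ProcessId = 2672; ParentProcessId = 2772
        Image = 'C:\Windows\system32\schtasks.exe'; ParentImage = 'C:\Windows\system32\wbem\wmiprvse.exe'
        CommandLine = 'schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "''C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe''" /f' },
    [pscustomobject]@{ UtcTime = '2024-12-21 19:53:02'; ProcessId = 2648; ParentProcessId = 2772
        Image = 'C:\Windows\system32\schtasks.exe'; ParentImage = 'C:\Windows\system32\wbem\wmiprvse.exe'
        CommandLine = 'schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "''C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe''" /rl HIGHEST /f' },
    [pscustomobject]@{ UtcTime = '2024-12-21 19:53:40'; ProcessId = 3008; ParentProcessId = 836
        Image = 'C:\Windows\system32\w32tm.exe'; ParentImage = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2' },
    # Benign control: an admin creating a task from an interactive shell must not fire rule 1.
    [pscustomobject]@{ UtcTime = '2024-12-21 19:54:00'; ProcessId = 4100; ParentProcessId = 4000
        Image = 'C:\Windows\system32\schtasks.exe'; ParentImage = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'schtasks.exe /create /tn "Backup" /sc DAILY /tr "C:\Tools\backup.exe" /f' }
)

$SampleEvents | Find-DcratLineage | Format-Table -AutoSize

# Live use on a host with Sysmon installed:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
#     ConvertFrom-SysmonEvent | Find-DcratLineage
```

Rule 1 keys on the parent image rather than on schtasks.exe alone because schtasks under an interactive cmd.exe or under an installer is routine; the WMI-provider parent is what makes these 54 events unusual. Rule 2 is a low-cost companion: w32tm /stripchart against localhost has no administrative purpose and appears here purely as a few-second sleep before each relaunch of the winlogon.exe copy.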
resource  yara_rule
behavioral1/files/0x00080000000161f6-9.dat  dcrat
behavioral1/memory/2684-13-0x0000000000210000-0x0000000000320000-memory.dmp  dcrat
behavioral1/memory/1652-60-0x0000000000BE0000-0x0000000000CF0000-memory.dmp  dcrat
behavioral1/memory/2832-270-0x0000000000EE0000-0x0000000000FF0000-memory.dmp  dcrat
behavioral1/memory/292-389-0x0000000000FA0000-0x00000000010B0000-memory.dmp  dcrat
behavioral1/memory/2024-685-0x00000000003D0000-0x00000000004E0000-memory.dmp  dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs
PowerShell is run with Add-MpPreference to add Windows Defender exclusions for file extensions, paths, or processes. Every invocation in this run adds an -ExclusionPath for one of the copies the sample drops (see the process tree), so Defender would skip those files even once signatures cover them.
pid  Process
powershell.exe: 484, 2904, 1028, 1400, 1252, 3012, 2628, 2084, 2216, 2776, 2748, 2788, 2996, 2912, 2144, 2212, 616, 2580, 2704 (19 processes)
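An added triage example for this signature, written for this page and not part of the sandbox report or of the DCRat code: it reads the current Defender exclusion list, flags entries that fall under the folders this sample excludes or that carry a system-process name outside System32, and removes them. The folder prefixes are taken from the Add-MpPreference commands in the process tree; the name list and the prefix heuristic are this example's own assumptions. Note that the Defender PowerShell module is not present on Windows 7, so in the Windows 7 run reported here the sample's own Add-MpPreference calls would have failed; on a Windows 10 host, as in the second behavioral task, they take effect and this check matters.

```powershell
# Added triage example (not from the sandbox report). Run in an elevated
# PowerShell session on a host where Windows Defender is the active AV.

# Folder prefixes taken from the report's Add-MpPreference -ExclusionPath
# commands; any exclusion beneath them is treated as suspect.
$KnownBadPrefixes = @(
    'C:\providercommon\',
    'C:\Recovery\',
    'C:\MSOCache\',
    'C:\Users\Default User\',
    'C:\Windows\system\',
    'C:\Windows\Offline Web Pages\',
    'C:\Windows\es-ES\',
    'C:\Program Files\Windows Portable Devices\',
    'C:\Program Files\Windows Defender\ja-JP\',
    'C:\Program Files\Microsoft Office\Office14\1033\',
    'C:\Program Files (x86)\Windows Mail\en-US\'
)

# System-process names the sample reuses for its copies (assumption: this list is
# the example's own). One of these names outside System32/SysWOW64 is a masquerade.
$SystemNames = @('winlogon.exe', 'csrss.exe', 'smss.exe', 'dllhost.exe', 'taskhost.exe',
                 'audiodg.exe', 'WmiPrvSE.exe', 'System.exe', 'Idle.exe', 'cmd.exe', 'explorer.exe')

function Test-SuspiciousExclusion {
    param([string]$Path)
    foreach ($prefix in $KnownBadPrefixes) {
        if ($Path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    $leaf = Split-Path -Path $Path -Leaf
    if (($SystemNames -contains $leaf) -and ($Path -notmatch '^C:\\Windows\\(System32|SysWOW64)\\')) {
        return $true
    }
    return $false
}

$prefs = Get-MpPreference
$hits  = @($prefs.ExclusionPath | Where-Object { $_ -and (Test-SuspiciousExclusion -Path $_) })

if ($hits.Count -eq 0) {
    Write-Output 'No suspicious Defender path exclusions found.'
} else {
    Write-Output "Suspicious path exclusions ($($hits.Count)):"
    $hits | ForEach-Object { Write-Output "  $_" }
    # Remove-MpPreference takes the exact strings Get-MpPreference returned.
    Remove-MpPreference -ExclusionPath $hits
    Write-Output 'Removed. Quarantine the excluded files and check scheduled tasks next.'
}

# Process and extension exclusions are not touched automatically; print them for review.
Write-Output 'Process exclusions:';   $prefs.ExclusionProcess   | ForEach-Object { "  $_" }
Write-Output 'Extension exclusions:'; $prefs.ExclusionExtension | ForEach-Object { "  $_" }
```

Removing the exclusions before collecting the files is deliberate: once an exclusion is gone, a real-time scan may quarantine the copy on its own, so run the removal, then pull the files from quarantine or from disk for analysis, then deal with the scheduled tasks that would otherwise relaunch them.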
Executes dropped EXE 11 IoCs
pid   Process
2684  DllCommonsvc.exe
1652  winlogon.exe
2028  winlogon.exe
2832  winlogon.exe
2628  winlogon.exe
292   winlogon.exe
1800  winlogon.exe
1680  winlogon.exe
2088  winlogon.exe
2392  winlogon.exe
2024  winlogon.exe
Loads dropped DLL 2 IoCs
pid   Process
2644  cmd.exe
2644  cmd.exe (two load events from the same process)
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow  ioc
raw.githubusercontent.com in flows 30, 4, 5, 9, 26, 33, 37, 13, 16, 19, 23 (11 flows, report order)
Drops file in Program Files directory 10 IoCs
description   ioc   Process
File created  C:\Program Files\Windows Defender\ja-JP\WmiPrvSE.exe  DllCommonsvc.exe
File created  C:\Program Files\Windows Defender\ja-JP\24dbde2999530e  DllCommonsvc.exe
File created  C:\Program Files (x86)\Windows Mail\en-US\5940a34987c991  DllCommonsvc.exe
File created  C:\Program Files\Microsoft Office\Office14\1033\cmd.exe  DllCommonsvc.exe
File created  C:\Program Files\Microsoft Office\Office14\1033\ebf1f9fa8afd6d  DllCommonsvc.exe
File created  C:\Program Files\Windows Portable Devices\System.exe  DllCommonsvc.exe
File created  C:\Program Files\Windows Portable Devices\27d1bcfc3c54e0  DllCommonsvc.exe
File created  C:\Program Files (x86)\Windows Mail\en-US\dllhost.exe  DllCommonsvc.exe
File created  C:\Program Files\Windows Portable Devices\Idle.exe  DllCommonsvc.exe
File created  C:\Program Files\Windows Portable Devices\6ccacd8608530f  DllCommonsvc.exe
Drops file in Windows directory 6 IoCs
description   ioc   Process
File created  C:\Windows\system\System.exe  DllCommonsvc.exe
File created  C:\Windows\system\27d1bcfc3c54e0  DllCommonsvc.exe
File created  C:\Windows\Offline Web Pages\System.exe  DllCommonsvc.exe
File created  C:\Windows\Offline Web Pages\27d1bcfc3c54e0  DllCommonsvc.exe
File created  C:\Windows\es-ES\cmd.exe  DllCommonsvc.exe
File created  C:\Windows\es-ES\ebf1f9fa8afd6d  DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. The same NLS\Language key is also opened by WScript.exe and cmd.exe, which is ordinary locale initialization rather than sample behaviour, so on its own this is a weak indicator.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_dcc9632d583e049a72ccf3dd2d7421194bbd2d731a346bd646449e1cda95f8c5.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. The tasks shown in the process tree come in threes per dropped copy: a MINUTE-repeating task, an ONLOGON task with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST, all created with /f so an existing task of the same name is replaced without prompting. Because the two MINUTE tasks share a name, the second one (with /rl HIGHEST) overwrites the first.
pid  Process
schtasks.exe: 864, 2888, 2464, 320, 1612, 2672, 2328, 1940, 3004, 2264, 2092, 1652, 1664, 2024, 900, 2344, 1500, 2440, 2232, 2448, 304, 2604, 2792, 1748, 2940, 1616, 1580, 1760, 2408, 2004, 2496, 2300, 1304, 948, 852, 2392, 2124, 1628, 2708, 1592, 1740, 1900, 2320, 2444, 700, 1608, 1764, 884, 2996, 1784, 2908, 1300, 2944, 2648 (54 processes)
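An added hunting example, written for this page and not part of the sandbox report or of the DCRat code, that finds scheduled tasks of the shape this sample creates: an action that runs a file carrying a Windows system-process name from a directory other than System32 or SysWOW64. It reports the run level, the repetition interval and the Authenticode status of the target, then disables the matches so they stop relaunching while the files are collected. The name list is this example's own assumption; the rest uses only the ScheduledTasks cmdlets.

```powershell
# Added hunting example (not from the sandbox report). Needs the ScheduledTasks
# module (Windows 8 / Server 2012 and later); on Windows 7 use
# "schtasks /query /fo CSV /v" and apply the same filter to the "Task To Run" column.

# System-process names the sample reuses for its copies (assumption: the example's own list).
$SystemNames = @('winlogon.exe', 'csrss.exe', 'smss.exe', 'dllhost.exe', 'taskhost.exe',
                 'audiodg.exe', 'WmiPrvSE.exe', 'System.exe', 'Idle.exe', 'cmd.exe', 'explorer.exe')

function Get-MasqueradeTask {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only Exec actions carry an Execute path; COM-handler actions are skipped.
            if (-not $action.Execute) { continue }
            # schtasks /tr "'C:\...\x.exe'" stores the inner single quotes; strip them.
            $exe  = $action.Execute -replace '^[''"]+|[''"]+$', ''
            $leaf = Split-Path -Path $exe -Leaf
            $inSystemDir = $exe -match '^C:\\Windows\\(System32|SysWOW64)\\'
            if (($SystemNames -contains $leaf) -and -not $inSystemDir) {
                # Repetition intervals such as PT9M / PT11M come from the MINUTE triggers;
                # logon triggers have none.
                $intervals = @($task.Triggers | ForEach-Object { $_.Repetition.Interval } | Where-Object { $_ })
                $sig = Get-AuthenticodeSignature -FilePath $exe -ErrorAction SilentlyContinue
                $sigStatus = if ($sig) { $sig.Status } else { 'file missing' }
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    Execute   = $exe
                    RunLevel  = $task.Principal.RunLevel
                    Intervals = ($intervals -join ',')
                    Signature = $sigStatus
                    State     = $task.State
                }
            }
        }
    }
}

$findings = @(Get-MasqueradeTask)
if ($findings.Count -eq 0) {
    Write-Output 'No scheduled task runs a system-process name from a non-system directory.'
} else {
    $findings | Format-Table -AutoSize
    # Disable before collecting so nothing respawns mid-acquisition; unregister afterwards.
    foreach ($f in $findings) {
        Disable-ScheduledTask -TaskName $f.TaskName -TaskPath $f.TaskPath | Out-Null
    }
    Write-Output "Disabled $($findings.Count) task(s); collect the target binaries, then Unregister-ScheduledTask."
}
```

The filter is on the action path, not the task name: names like "dllhost" and "Idle" are chosen to look routine, but a genuine dllhost.exe task would point into System32, and a file named csrss.exe under C:\MSOCache cannot be legitimate.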
Suspicious behavior: EnumeratesProcesses 34 IoCs
pid  Process
DllCommonsvc.exe: 2684 (5 entries)
powershell.exe: 2212, 2084, 1028, 2216, 2748, 2904, 2788, 2776, 3012, 1400, 2912, 2996, 2628, 2580, 616, 2704, 1252, 2144, 484 (19 entries)
winlogon.exe: 1652, 2028, 2832, 2628, 292, 1800, 1680, 2088, 2392, 2024 (10 entries)
Suspicious use of AdjustPrivilegeToken 30 IoCs
description  pid  Process (Token: SeDebugPrivilege in every entry)
DllCommonsvc.exe: 2684
powershell.exe: 2212, 2084, 1028, 2216, 2748, 2904, 2788, 2776, 3012, 1400, 2912, 2996, 2628, 2580, 616, 2704, 1252, 2144, 484
winlogon.exe: 1652, 2028, 2832, 2628, 292, 1800, 1680, 2088, 2392, 2024
Suspicious use of WriteProcessMemory 64 IoCs
source PID -> target PID  source Process  procid_target  WriteProcessMemory calls
2484 -> 1920  JaffaCakes118_dcc9632d583e049a72ccf3dd2d7421194bbd2d731a346bd646449e1cda95f8c5.exe  31  x4
1920 -> 2644  WScript.exe  32  x4
2644 -> 2684  cmd.exe  34  x4
2684 -> 2904  DllCommonsvc.exe  90  x3
2684 -> 2212  DllCommonsvc.exe  91  x3
2684 -> 2216  DllCommonsvc.exe  92  x3
2684 -> 2084  DllCommonsvc.exe  93  x3
2684 -> 2628  DllCommonsvc.exe  94  x3
2684 -> 2788  DllCommonsvc.exe  96  x3
2684 -> 2748  DllCommonsvc.exe  97  x3
2684 -> 2912  DllCommonsvc.exe  99  x3
2684 -> 2704  DllCommonsvc.exe  105  x3
2684 -> 2580  DllCommonsvc.exe  106  x3
2684 -> 3012  DllCommonsvc.exe  107  x3
2684 -> 1028  DllCommonsvc.exe  108  x3
2684 -> 2776  DllCommonsvc.exe  109  x3
2684 -> 616  DllCommonsvc.exe  110  x3
2684 -> 1400  DllCommonsvc.exe  115  x3
2684 -> 2144  DllCommonsvc.exe  116  x3
2684 -> 484  DllCommonsvc.exe  118  x3
2684 -> 2996  DllCommonsvc.exe  119  x1 (list cut off at the 64-IoC limit)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dcc9632d583e049a72ccf3dd2d7421194bbd2d731a346bd646449e1cda95f8c5.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dcc9632d583e049a72ccf3dd2d7421194bbd2d731a346bd646449e1cda95f8c5.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2904
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2212
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2216
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2084
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2628
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2788
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2748
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2912
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2704
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2580
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\ja-JP\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3012
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1028
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:616
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1400
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\en-US\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:484
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2996
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1252
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\00vfQAbtTV.bat"6⤵PID:836
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:3008
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2028 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat"8⤵PID:2788
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:3056
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2832 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OxVZsORhRP.bat"10⤵PID:1620
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:2700
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2628 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGcIoKmMem.bat"12⤵PID:704
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:2232
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:292 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hiVaTihpWK.bat"14⤵PID:2448
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:444
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1800 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JeZnuB4iL9.bat"16⤵PID:2076
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:2144
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1680 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TmtjCtAJTq.bat"18⤵PID:2500
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:1612
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2088 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pFE2FgvhS1.bat"20⤵PID:3052
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:1052
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n7UEJyIAjk.bat"22⤵PID:1984
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:1520
-
-
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2024 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\57xCWyooww.bat"24⤵PID:2916
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:1720
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\1033\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\system\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\system\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\system\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\ja-JP\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\Offline Web Pages\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\en-US\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\es-ES\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\es-ES\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Windows\es-ES\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092
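The 54 schtasks.exe launches above follow one template per dropped binary: a MINUTE task with a short /mo interval, an ONLOGON task with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST, each pointing at a copy named after a real Windows process (dllhost.exe, smss.exe, csrss.exe, winlogon.exe, WmiPrvSE.exe) but stored under C:\Recovery, C:\MSOCache, C:\providercommon or a localisation folder. The script below is an added detection example written for this report; it is not part of the Triage output or of the sample. It parses schtasks /create command lines (six copied from the tree above plus one constructed benign line) and flags three things: a system-process name launched from outside the directory it normally lives in, a name that never exists as a file at all (System.exe, Idle.exe), and the relaunch-every-few-minutes / highest-privilege-at-logon scheduling pattern. The table of expected directories is an assumption a practitioner would tune for their own builds.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: six schtasks command lines copied from the process tree of this
# report, plus one made-up benign line ("Backup") that the rules must leave alone.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /f''',
    r'''schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\providercommon\smss.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\system\System.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "Backup" /sc DAILY /st 02:00 /tr "C:\Program Files\Acme\backup.exe" /f''',
]

# Assumed table (tune per build): where each legitimate Windows binary actually lives.
# An empty set means the name is a kernel pseudo-process that never exists as an .exe on disk.
SYSTEM_BINARY_HOMES = {
    "dllhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "smss.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "taskhost.exe": {r"c:\windows\system32"},
    "audiodg.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "cmd.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "wmiprvse.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "system.exe": set(),
    "idle.exe": set(),
}

# Captures /tn, /sc, /mo, /tr and /rl; the value is either a double-quoted string or one token.
ARG_RE = re.compile(r'/(tn|sc|mo|tr|rl)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def parse_schtasks(cmdline):
    """Return the /tn /sc /mo /tr /rl arguments of a `schtasks /create` line as a dict."""
    args = {}
    for m in ARG_RE.finditer(cmdline):
        args[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    # The sample wraps the target in single quotes inside the double quotes: "'C:\path\x.exe'".
    if "tr" in args:
        args["tr"] = args["tr"].strip("'")
    return args


def assess(cmdline):
    """Return a list of findings for one command line; empty when it looks benign."""
    args = parse_schtasks(cmdline)
    findings = []
    target = args.get("tr")
    if not target:
        return findings
    path = PureWindowsPath(target)
    name = path.name.lower()
    parent = str(path.parent).lower()
    if name in SYSTEM_BINARY_HOMES:
        homes = SYSTEM_BINARY_HOMES[name]
        if not homes:
            findings.append(f"{path.name} is not a real Windows executable name")
        elif parent not in homes:
            findings.append(f"{path.name} launched from {path.parent}, not its system directory")
    sc = args.get("sc", "").upper()
    mo = int(args["mo"]) if args.get("mo", "").isdigit() else None
    if sc == "MINUTE" and mo is not None and mo <= 15:
        findings.append(f"task {args.get('tn')!r} relaunches every {mo} min")
    if sc == "ONLOGON" and args.get("rl", "").upper() == "HIGHEST":
        findings.append(f"task {args.get('tn')!r} runs at logon with highest privileges")
    return findings


def triage(cmdlines):
    """Map each command line to its findings, keeping only the lines that fired."""
    return {c: f for c in cmdlines if (f := assess(c))}


if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_CMDLINES).items():
        print(cmd)
        for hit in hits:
            print("   ", hit)
```

Feed it the command lines from a Sysmon event ID 1 or Security 4698 export instead of the constructed list and the same three rules apply; the directory table, not the regex, is what needs maintenance.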
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 4c5644f53b7d6262b72a1a884cd8e1df
SHA1: 1b8826aef029e4f4085ad3d28f1f1db446f463a6
SHA256: efa072ce13a72139f19e9b5afe7ed1560eb5234f21d5456595fefbb421c2d931
SHA512: f00a5c8fc7b8db94a519f574f82250e5bba1c519c3f68c12081421157e43ad924797871d46800b63aab8741fe7bd05a84632c769bf453f0f01128d82da97f223

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: d3f955d4b488b3bac13b112f8d7d1f47
SHA1: ed3ca72b9ecc2c1b2cc870fdc986967f9c74044d
SHA256: 7cd5e134a4bc45eac2cfd8dcb5acd62e2f41daf2738491d803ee899516b12341
SHA512: 593944faede24db703229a19f764b2a63fb0b6637431fbc653bdbb4ae5f85424742789951ccf0a98eca70ac3f15b89fbe8a21c4db73a8f3bfc74e0290eb5bef7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: af7597d46f9ff57b05866faa823eb4a7
SHA1: ed728bcd845f874d4c9bb36f95758ea4499143b5
SHA256: ebee7ec32d320d2f2db152c7a1ed893947828d647c4ef04ff52a0559d1085b23
SHA512: 400ea9f9ee5af7d6c1507903c5e2a914dc7aa1532ae76af74cd33638fef176c9bf7ecae6544ac3d37d76023cc889dbbb55a89c2b403979e354a0d1d2349194e7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: f2331ae83e33f774311a055a8a3557e9
SHA1: 18ce550b374c0a3db7be0b07189119b232dd0527
SHA256: 68beca2457dc30c8e1fd6a9bbae5f2d8dfeb91a87f2e64eeac7f0162e9cf5244
SHA512: dc5fe5598249be9c070520086857c6996231f9644204a3d944edbf64b9dec83156b76b33302a8a29a3051c9581829077e4933e1eda504a513f117c17168fb701

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 92832aab06e9b62df97623f048cf11ab
SHA1: fe1e4ec57301f025f230d01daabe94f7e98e40f7
SHA256: 170995da823b7ce902e51f439d11598cbe2dbd1a9c9ceecfdf37fe013a88f3eb
SHA512: 3057f98683b33f490098b92f092c2d39edc031cdf089a64edaf174d867ed46e3db05a81e21ac0a1b890f4fa09433e585d5ef084935ec9cd28db65562d01748c0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 402846b07cbe826b2ebdd8e826c28d65
SHA1: 446228fcfe8bab162d6e24514e1d9af236d6b1f2
SHA256: 7fa20d384d4c8b475d09415915807619070f05379ebb9c11cf0341a154d20227
SHA512: b905aa1353dbaf9110110e9923284a64c797134b1a16884aae41d94e480f133c763d2202e9afdfcb4e131a7cc684126ef9e26e03b759ad89619331a1be16bf48

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 923ea0dd9a836353ad5891fa8746aaf8
SHA1: 85c4b5b874b4737b63f9fb18e7a15cde0dd89e93
SHA256: 22ddbfd3ca850789692479067538fc9ac173e25c547781964e9cad54e7fe9e62
SHA512: d1833dd37a242cd1d6c8c9d314182b3645bf6789a8d7a7e80ac891de4a034193492b0ed68f274435dd46d0c8b317cec399d0833ade14a2539416cab8ca4bd23a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 5256f8a7197e6cb1c72a61c0affa1224
SHA1: 0c0fb645b2c0665e23cbb9ef431402d38f29745c
SHA256: 940d583b32d2a8a2fd8bace30ccc2bdd2bf515900ed338fff7d209cfe9319030
SHA512: 8ba1af06520468d92c26ed7c7fb6cbedb5e4c4792e5ab100fa0572084bfdf19416b6700ef32d227c0ff52d2da75314a5b93ea3f8420ea0523d2fea035bc98d46

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 7e37dde5f2bfc5976d6f2e8a3cd4b1b8
SHA1: 0e758670efd234c3287071119739aebc489d0795
SHA256: ce8f70fda25777fd3e32c98cc958fc18fce4ad248402d8587a1afdf6d70b98f3
SHA512: 2c9290e5104c29dd67bf163ed0a3cb63acb745a3f86d3213354bb4e6142e8bab6f7efa41a61367f8d80c127408b25273c736f01f6e341754f2de5f9d96e2b1e4

Filesize: 226B
MD5: dfddf08b1862d8d8b346dd85aa050cd0
SHA1: 3f743520c27750a799a0d5b24990e31e32c40531
SHA256: 45f59cda49bf65520776fac2f20727b3a8e29b62487915f8d2443a7bb14d346f
SHA512: 0798bb41069fd506c0f77b926827448fa1446430721018bb963fbabd83f113f4f6639ce37b07f382845ffff48f3765f79eee2441d509856590bcaa554e6592c5

Filesize: 226B
MD5: 032ba6ad0bc377ddad675db53187d7ac
SHA1: af0d8b2147f40cfebc4e50fda5e7f46938ac642f
SHA256: d5b3239686a7fc4481160332ee2028045ed1f4bca610edc0db2621a57ce9b6d9
SHA512: 05c9d63b35e77f1a768173ad52b27ae00dcdf44e3d359a69a1efbeea442ef54637799ed478e0a6e5edc032df916e250745ae458d9eb84aa15d1504f17fef07b6

Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Filesize: 226B
MD5: 0dc59ad41ec7801635e546fdad01c902
SHA1: 68b67b3fba496c15415d526f8cff69154f96bd3e
SHA256: 18c15d02b43f646ec2d97d45610848551f4a48ab98994a58948cc1334bfc6075
SHA512: cc2bc8b31fa3ae8c6fe3aab90caa16fb4bd334ff4e487c721a7099e77be3be04c5283ba498b5cc64ebd019d000649c708e9a4ceb997246d3d995e8ed24ad6e0d

Filesize: 226B
MD5: c1a75d7b3a951e6d2d152bda6460a0e1
SHA1: 30c6d27935560746d389141bfff57daaa4eba04e
SHA256: acf77716ecaaea52696ed9192bde5bdceaee6e3ee3d5220b1059493e3ffe77d2
SHA512: 34dc80058cd1beb33d57f65708ebc68bf23f0b453c076bad0b4731ae2c42193291061f824ba473292da2cf4c662a948af3b2d4fc0ebefeccf6f21c8b1a3d50b3

Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Filesize: 226B
MD5: 6ee7d6012bd94210dfe2b2696517a753
SHA1: 7e61299b570c15571539f926c39f283633091cd0
SHA256: 52d4a5072226c680a41e9f96b6670a5348299ef30ac7e2e628460abf07457952
SHA512: 171e6d6cc7427fafe385bb8ed314423a5ae1639e09990c720daf98b3ed2e577d6cea9b9fd1e5b399ceb40fcbbb1008fc7d1b68fb9f9d97374c3509bff665f694

Filesize: 226B
MD5: 21098b78361b94b78a491bef10675837
SHA1: 3cf4773dc7b928b27627f1849821d8bb92f541e6
SHA256: fef8f3334106737ab2bef6ef36adc2d579b53348316569c7ba24787a43873b2e
SHA512: ba08e2d2c024977dd34ca19b8c06981cedf7b25cb6371c905641dae058863e00b11345b04bf0a17d7c4f8a3ee51a293dba43993a532476b90e9e1da2dbccab3a

Filesize: 226B
MD5: a16030feb332ee7c5e43b0d4300f7cad
SHA1: 08604d556d2846e33aca0db5ae1783cb76cda32e
SHA256: c4ea03a9dc841fdfe1755064025f71c2f500538828122fde039171641b4d0503
SHA512: 6c9c4bef3aab9206487f231bbfd864cfc5c16307e32dd49201f96e4511c00bdddfce6cfb5b63f5b424cf30e2693dbe44219bf4ea49d889e169b0b85632d82dba

Filesize: 226B
MD5: cf9f1cb9b0f59f397aeef038c21dac2c
SHA1: d9b5a2f9c01e3f8682b4a0afc90f472d84892a72
SHA256: aa1ccbaface0e191e921f26b949d1d3eaf2261c2e5132555bc4e301eb46cd8e8
SHA512: 8b9c242c15a9bc90e97af231f85a0c166194f6461eabd462d60bb11bf9ec94a25fc92c8854b130f92d2a2aa7f3264e14b0ab1cfa15f0c4237403e0cc7e604fbe

Filesize: 226B
MD5: 1dcd8beb5f062fcbf75826a2ee52907a
SHA1: 2e6e43afd8a8e7d0fc093cb25036b55a1de3c506
SHA256: 946824e1f8356a7db9f5d46fdc6a74b9be6df9e8d1fccd9684e38595238da814
SHA512: ba9351bb59a414e54bdecd6c3486b8f4875881803dd853e5e777ed9129b3649a74b41e55c17678429b2f000ff311a3d8c29decc905b37a91f63462edf3dfdb43

Filesize: 226B
MD5: ba8c6cb25b9513c1453670bc9db1dc75
SHA1: a401c66b63094713f3017fce2361ae1346860638
SHA256: 1dcc936bffbdc3b60fd2da722d078ec49b484755b570f0fb0c8a9c55cc9d66a0
SHA512: 143203b8c2e3eb8f778e744d804267cac527dd1608dcbe759655f29366af590ff20c8f92eeed2cc8ea58afc90a04b849fcebbf44297bf9d88054a19a8c08c524

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 894724e09b936216cfc4b794085cea12
SHA1: 1e00e15859d32c096a31ec3f4ec1c70b240127bd
SHA256: 3acbaf45b6b570d5a88ede44f3d63e8861a128981cab50117d181f3ca0d44c29
SHA512: df7a6b1acdde70cabe163d313e09edf3b00621aa14aaf684ddf8260f5118a94c4bf7fab3397f340c823aecdaa13bc9ec9a615ab75f9002bb2ab9310e2e3060f8

Filesize: 36B
MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Filesize: 197B
MD5: 8088241160261560a02c84025d107592
SHA1: 083121f7027557570994c9fc211df61730455bb5
SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Filesize: 1.0MB
MD5: bd31e94b4143c4ce49c17d3af46bcad0
SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394