Analysis

Max time kernel: 150s
Max time network: 136s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 21-12-2024 20:05

Behavioral task: behavioral1
Sample: JaffaCakes118_e87b485eb161c539f5cef0934121369f83e0080981ce49c998e99c4a0fa08717.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_e87b485eb161c539f5cef0934121369f83e0080981ce49c998e99c4a0fa08717.exe
Resource: win10v2004-20241007-en

General

Target: JaffaCakes118_e87b485eb161c539f5cef0934121369f83e0080981ce49c998e99c4a0fa08717.exe
Size: 1.3MB
MD5: 936f2270ec6291f8f953c5c5ea5003e7
SHA1: 88f59a2e41bdc801b41c5bef8e8af94beb08e98c
SHA256: e87b485eb161c539f5cef0934121369f83e0080981ce49c998e99c4a0fa08717
SHA512: c299f46c5b4b81d8bbcb0f5b9aea31e2a301c4922d57a3c36ea754e5f2c16d9e0e51541cecbee69f4bddafbb243026cbfa21d204c86944188159f979355ca9dc
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
pid   pid_target  Process       procid_target  description
2904  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
2644  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
2776  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
2616  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
2656  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
2104  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
2404  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
664   2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
1648  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
1636  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
2672  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
1664  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
1548  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
1808  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
2012  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
1272  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
1896  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
2024  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
1496  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
1772  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
3016  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
2896  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
2304  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
2448  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
2176  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
2456  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
2960  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
2972  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
3032  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
1092  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
1632  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
1732  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
3048  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
1712  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
1724  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
268   2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
1360  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
1560  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
556   2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
1524  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
1432  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
2392  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
1952  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
2088  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
1684  2940        schtasks.exe  35             Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
resource                                                                      yara_rule
behavioral1/files/0x0007000000016d58-12.dat                                   dcrat
behavioral1/memory/2732-13-0x0000000000E10000-0x0000000000F20000-memory.dmp   dcrat
behavioral1/memory/3036-74-0x0000000000290000-0x00000000003A0000-memory.dmp   dcrat
behavioral1/memory/2772-189-0x00000000010A0000-0x00000000011B0000-memory.dmp  dcrat
behavioral1/memory/1764-249-0x0000000001200000-0x0000000001310000-memory.dmp  dcrat
behavioral1/memory/480-605-0x00000000012E0000-0x00000000013F0000-memory.dmp   dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid   Process
3068  powershell.exe
1580  powershell.exe
2100  powershell.exe
888   powershell.exe
1576  powershell.exe
1628  powershell.exe
2164  powershell.exe
1428  powershell.exe
2688  powershell.exe
1852  powershell.exe
2128  powershell.exe
1740  powershell.exe
1540  powershell.exe
2992  powershell.exe
3008  powershell.exe
884   powershell.exe

Executes dropped EXE 12 IoCs
pid   Process
2732  DllCommonsvc.exe
3036  csrss.exe
2772  csrss.exe
1764  csrss.exe
980   csrss.exe
1276  csrss.exe
2300  csrss.exe
1724  csrss.exe
1172  csrss.exe
480   csrss.exe
384   csrss.exe
2944  csrss.exe

Loads dropped DLL 2 IoCs
pid  Process
580  cmd.exe
580  cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow  ioc
9     raw.githubusercontent.com
12    raw.githubusercontent.com
15    raw.githubusercontent.com
22    raw.githubusercontent.com
36    raw.githubusercontent.com
32    raw.githubusercontent.com
4     raw.githubusercontent.com
5     raw.githubusercontent.com
18    raw.githubusercontent.com
25    raw.githubusercontent.com
29    raw.githubusercontent.com

Drops file in Program Files directory 11 IoCs
description                   ioc                                                            Process
File created                  C:\Program Files\7-Zip\Lang\services.exe                       DllCommonsvc.exe
File created                  C:\Program Files\7-Zip\Lang\c5b4cb5e9653cc                     DllCommonsvc.exe
File created                  C:\Program Files\Windows Portable Devices\wininit.exe          DllCommonsvc.exe
File created                  C:\Program Files\Windows Portable Devices\56085415360792       DllCommonsvc.exe
File created                  C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe        DllCommonsvc.exe
File opened for modification  C:\Program Files\Mozilla Firefox\fonts\lsass.exe               DllCommonsvc.exe
File created                  C:\Program Files\Mozilla Firefox\fonts\6203df4a6bafc7          DllCommonsvc.exe
File created                  C:\Program Files\Windows NT\Accessories\es-ES\42af1c969fbb7b   DllCommonsvc.exe
File created                  C:\Program Files (x86)\Adobe\Reader 9.0\Esl\1610b97d3ab4a7     DllCommonsvc.exe
File created                  C:\Program Files\Mozilla Firefox\fonts\lsass.exe               DllCommonsvc.exe
File created                  C:\Program Files\Windows NT\Accessories\es-ES\audiodg.exe      DllCommonsvc.exe

Drops file in Windows directory 4 IoCs
description   ioc                                          Process
File created  C:\Windows\PLA\Reports\ja-JP\csrss.exe       DllCommonsvc.exe
File created  C:\Windows\PLA\Reports\ja-JP\886983d96e3d3e  DllCommonsvc.exe
File created  C:\Windows\es-ES\cmd.exe                     DllCommonsvc.exe
File created  C:\Windows\es-ES\ebf1f9fa8afd6d              DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_e87b485eb161c539f5cef0934121369f83e0080981ce49c998e99c4a0fa08717.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 29 IoCs
Suspicious use of AdjustPrivilegeToken 27 IoCs
description               pid   Process
Token: SeDebugPrivilege   2732  DllCommonsvc.exe
Token: SeDebugPrivilege   884   powershell.exe
Token: SeDebugPrivilege   1580  powershell.exe
Token: SeDebugPrivilege   1628  powershell.exe
Token: SeDebugPrivilege   2164  powershell.exe
Token: SeDebugPrivilege   2688  powershell.exe
Token: SeDebugPrivilege   3036  csrss.exe
Token: SeDebugPrivilege   1740  powershell.exe
Token: SeDebugPrivilege   2100  powershell.exe
Token: SeDebugPrivilege   2992  powershell.exe
Token: SeDebugPrivilege   1852  powershell.exe
Token: SeDebugPrivilege   1576  powershell.exe
Token: SeDebugPrivilege   3068  powershell.exe
Token: SeDebugPrivilege   3008  powershell.exe
Token: SeDebugPrivilege   2128  powershell.exe
Token: SeDebugPrivilege   1540  powershell.exe
Token: SeDebugPrivilege   888   powershell.exe
Token: SeDebugPrivilege   2772  csrss.exe
Token: SeDebugPrivilege   1764  csrss.exe
Token: SeDebugPrivilege   980   csrss.exe
Token: SeDebugPrivilege   1276  csrss.exe
Token: SeDebugPrivilege   2300  csrss.exe
Token: SeDebugPrivilege   1724  csrss.exe
Token: SeDebugPrivilege   1172  csrss.exe
Token: SeDebugPrivilege   480   csrss.exe
Token: SeDebugPrivilege   384   csrss.exe
Token: SeDebugPrivilege   2944  csrss.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e87b485eb161c539f5cef0934121369f83e0080981ce49c998e99c4a0fa08717.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e87b485eb161c539f5cef0934121369f83e0080981ce49c998e99c4a0fa08717.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2860

Level 2: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2396

Level 3: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 580

Level 4: C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2732

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 888

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\fonts\lsass.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 884

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2688

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\services.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1852

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\cmd.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2128

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\wininit.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1740

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2100

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\wininit.exe'
- Command and Scripting Interpreter: PowerShell
PID: 1428

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1540

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1576

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1628

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\es-ES\audiodg.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1580

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2992

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Reports\ja-JP\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3008

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3068

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2164

Level 5: C:\Windows\PLA\Reports\ja-JP\csrss.exe
Command line: "C:\Windows\PLA\Reports\ja-JP\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3036

Level 6: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat"
PID: 2308

Level 7: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1128

Level 7: C:\Windows\PLA\Reports\ja-JP\csrss.exe
Command line: "C:\Windows\PLA\Reports\ja-JP\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2772

Level 8: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat"
PID: 1656

Level 9: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2024

Level 9: C:\Windows\PLA\Reports\ja-JP\csrss.exe
Command line: "C:\Windows\PLA\Reports\ja-JP\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1764

Level 10: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\paq62miIo8.bat"
PID: 2016

Level 11: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 656

Level 11: C:\Windows\PLA\Reports\ja-JP\csrss.exe
Command line: "C:\Windows\PLA\Reports\ja-JP\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 980

Level 12: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\00pP7nIBMq.bat"
PID: 1172

Level 13: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2204

Level 13: C:\Windows\PLA\Reports\ja-JP\csrss.exe
Command line: "C:\Windows\PLA\Reports\ja-JP\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1276

Level 14: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i32OxRBhll.bat"
PID: 2544

Level 15: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2576

Level 15: C:\Windows\PLA\Reports\ja-JP\csrss.exe
Command line: "C:\Windows\PLA\Reports\ja-JP\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2300

Level 16: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yWf31kVUUl.bat"
PID: 1072

Level 17: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1856

Level 17: C:\Windows\PLA\Reports\ja-JP\csrss.exe
Command line: "C:\Windows\PLA\Reports\ja-JP\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1724

Level 18: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\esvfELjyVS.bat"
PID: 2868

Level 19: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1792

Level 19: C:\Windows\PLA\Reports\ja-JP\csrss.exe
Command line: "C:\Windows\PLA\Reports\ja-JP\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1172

Level 20: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dCyIaH4v8D.bat"
PID: 1628

Level 21: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1732

Level 21: C:\Windows\PLA\Reports\ja-JP\csrss.exe
Command line: "C:\Windows\PLA\Reports\ja-JP\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 480

Level 22: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s5uDoSCHZY.bat"
PID: 2428

Level 23: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2784

Level 23: C:\Windows\PLA\Reports\ja-JP\csrss.exe
Command line: "C:\Windows\PLA\Reports\ja-JP\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 384

Level 24: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fdSjcfTSOA.bat"
PID: 2656

Level 25: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1148

Level 25: C:\Windows\PLA\Reports\ja-JP\csrss.exe
Command line: "C:\Windows\PLA\Reports\ja-JP\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2944
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\fonts\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2904

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2644

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\fonts\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2776

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2616

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2656

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2104

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2404

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 664

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1648

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Windows\es-ES\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1636

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\es-ES\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2672

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1664

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1548

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1808

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2012

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\providercommon\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1272

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1896

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2024

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1496

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1772

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3016

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\providercommon\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2896

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2304

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2448

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2176

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2456

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2960

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2972

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3032

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\es-ES\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:268
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\PLA\Reports\ja-JP\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\PLA\Reports\ja-JP\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\Reports\ja-JP\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684
Network
MITRE ATT&CK Enterprise v15
Downloads