Analysis

max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 20:07
Behavioral task: behavioral1
Sample: JaffaCakes118_ff90c45bdc5a2af542143e7857a726fe60d182f113a188fb77a6380fbc15500b.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_ff90c45bdc5a2af542143e7857a726fe60d182f113a188fb77a6380fbc15500b.exe
Resource: win10v2004-20241007-en
General

Target: JaffaCakes118_ff90c45bdc5a2af542143e7857a726fe60d182f113a188fb77a6380fbc15500b.exe
Size: 1.3MB
MD5: 978655e8b9ea7854362a7e86acb751fa
SHA1: 2a013b5deb208f90ff1eb6f964967d65e38f2c79
SHA256: ff90c45bdc5a2af542143e7857a726fe60d182f113a188fb77a6380fbc15500b
SHA512: 0b6cff9ba54e7dc6e5f26a30a0ff17d2e819d81d75249f4670eb0b5040f3900fd85b9530ebf352665edb3242bb24fb0e6ce4f47fcecb86b54ea654e7b4061e4c
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process (54 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
resource | yara_rule
behavioral1/files/0x0008000000018c44-10.dat | dcrat
behavioral1/memory/2356-13-0x0000000000D00000-0x0000000000E10000-memory.dmp | dcrat
behavioral1/memory/2228-157-0x0000000000F30000-0x0000000001040000-memory.dmp | dcrat
behavioral1/memory/2052-276-0x0000000000070000-0x0000000000180000-memory.dmp | dcrat
behavioral1/memory/1236-336-0x0000000000C50000-0x0000000000D60000-memory.dmp | dcrat
behavioral1/memory/2624-396-0x00000000010A0000-0x00000000011B0000-memory.dmp | dcrat
behavioral1/memory/1744-516-0x0000000001180000-0x0000000001290000-memory.dmp | dcrat
behavioral1/memory/2748-694-0x0000000000240000-0x0000000000350000-memory.dmp | dcrat
behavioral1/memory/1656-754-0x0000000000BD0000-0x0000000000CE0000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 19 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Executes dropped EXE (12 IoCs)
pid | Process
2356 | DllCommonsvc.exe
2228 | dllhost.exe
328 | dllhost.exe
2052 | dllhost.exe
1236 | dllhost.exe
2624 | dllhost.exe
1652 | dllhost.exe
1744 | dllhost.exe
2064 | dllhost.exe
2388 | dllhost.exe
2748 | dllhost.exe
1656 | dllhost.exe

Loads dropped DLL (2 IoCs)
pid | Process
2728 | cmd.exe
2728 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 12 IoCs)
flow | ioc
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
22 | raw.githubusercontent.com
36 | raw.githubusercontent.com
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com
16 | raw.githubusercontent.com
19 | raw.githubusercontent.com
25 | raw.githubusercontent.com
29 | raw.githubusercontent.com
32 | raw.githubusercontent.com
40 | raw.githubusercontent.com
Drops file in Program Files directory (9 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Windows Mail\en-US\OSPPSVC.exe | DllCommonsvc.exe
File created | C:\Program Files\DVD Maker\en-US\a76d7bf15d8370 | DllCommonsvc.exe
File created | C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe | DllCommonsvc.exe
File created | C:\Program Files\Microsoft Office\Office14\1033\b75386f1303e64 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\b75386f1303e64 | DllCommonsvc.exe
File created | C:\Program Files\Windows Mail\en-US\OSPPSVC.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Mail\en-US\1610b97d3ab4a7 | DllCommonsvc.exe
File created | C:\Program Files\DVD Maker\en-US\DllCommonsvc.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\taskhost.exe | DllCommonsvc.exe

Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\LiveKernelReports\System.exe | DllCommonsvc.exe
File created | C:\Windows\LiveKernelReports\27d1bcfc3c54e0 | DllCommonsvc.exe
File created | C:\Windows\Tasks\csrss.exe | DllCommonsvc.exe
File created | C:\Windows\Tasks\886983d96e3d3e | DllCommonsvc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_ff90c45bdc5a2af542143e7857a726fe60d182f113a188fb77a6380fbc15500b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 54 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (31 IoCs)
Suspicious use of AdjustPrivilegeToken (31 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ff90c45bdc5a2af542143e7857a726fe60d182f113a188fb77a6380fbc15500b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ff90c45bdc5a2af542143e7857a726fe60d182f113a188fb77a6380fbc15500b.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2012

Depth 2: C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1732

Depth 3: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2728

Depth 4: C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2356
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1732

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\OSPPSVC.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1744

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 292

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2816

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\en-US\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2736

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2660

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2712

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\System.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2872

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2688

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2664

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\spoolsv.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2768

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2796

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\WmiPrvSE.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1848

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2668

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\taskhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1928

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\dllhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 856

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1888

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2772

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1940
Depth 5: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gt2U4zX4U5.bat"
  PID: 1096

Depth 6: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2912

Depth 6: C:\MSOCache\All Users\dllhost.exe
  Command line: "C:\MSOCache\All Users\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2228

Depth 7: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat"
  PID: 1240

Depth 8: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2660

Depth 8: C:\MSOCache\All Users\dllhost.exe
  Command line: "C:\MSOCache\All Users\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 328

Depth 9: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat"
  PID: 996

Depth 10: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2004

Depth 10: C:\MSOCache\All Users\dllhost.exe
  Command line: "C:\MSOCache\All Users\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2052

Depth 11: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2zXOrWkEHk.bat"
  PID: 1016

Depth 12: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1512

Depth 12: C:\MSOCache\All Users\dllhost.exe
  Command line: "C:\MSOCache\All Users\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1236

Depth 13: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hGpPWS23Hw.bat"
  PID: 2696

Depth 14: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2532

Depth 14: C:\MSOCache\All Users\dllhost.exe
  Command line: "C:\MSOCache\All Users\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2624

Depth 15: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat"
  PID: 2944

Depth 16: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1292

Depth 16: C:\MSOCache\All Users\dllhost.exe
  Command line: "C:\MSOCache\All Users\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1652

Depth 17: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OZJpL0Zeaq.bat"
  PID: 3016

Depth 18: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2872

Depth 18: C:\MSOCache\All Users\dllhost.exe
  Command line: "C:\MSOCache\All Users\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1744

Depth 19: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rHhDMS4c5i.bat"
  PID: 1748

Depth 20: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2836

Depth 20: C:\MSOCache\All Users\dllhost.exe
  Command line: "C:\MSOCache\All Users\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2064

Depth 21: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b6uRiEqY03.bat"
  PID: 2252

Depth 22: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2816

Depth 22: C:\MSOCache\All Users\dllhost.exe
  Command line: "C:\MSOCache\All Users\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2388

Depth 23: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CrTeqwt2Oo.bat"
  PID: 1368

Depth 24: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1612

Depth 24: C:\MSOCache\All Users\dllhost.exe
  Command line: "C:\MSOCache\All Users\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2748

Depth 25: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GptcLQn9Ec.bat"
  PID: 604

Depth 26: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2568

Depth 26: C:\MSOCache\All Users\dllhost.exe
  Command line: "C:\MSOCache\All Users\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1656

Depth 27: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O1BWw2qr2X.bat"
  PID: 2368

Depth 28: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1428
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\en-US\OSPPSVC.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\en-US\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\providercommon\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\en-US\DllCommonsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\en-US\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\providercommon\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\LiveKernelReports\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\LiveKernelReports\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Tasks\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Tasks\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Downloads\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Downloads\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Downloads\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\Sample Music\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\Sample Music\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284
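The 54 schtasks calls above follow one template per dropped payload: a MINUTE-interval task at the default LIMITED run level, an ONLOGON task with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST, all created through wmiprvse.exe rather than by the sample itself. The task names are the executable's stem with its own first letter appended (smsss, csrssc, dwmd, OSPPSVCO, DllCommonsvcD), and the executables borrow the names of core Windows processes while living in directories those binaries never occupy (C:\Recovery\<GUID>, C:\Windows\Tasks, C:\Users\Public\Music\Sample Music, C:\MSOCache\All Users, Office and DVD Maker locale folders). The script below is an added triage helper, not part of this report or of the sandbox's tooling: it parses schtasks /create command lines of this shape, derives the drop-path IOC list, and flags the masquerade, padded-name, HIGHEST and repeating patterns. The input is a constructed subset of the lines shown above; the SYSTEM_BINARY_DIRS allow-list is an assumption about a default Windows install that should be extended per environment. The same parser works on the Command column of `schtasks /query /fo CSV /v` output from a live host.

```python
import re
from pathlib import PureWindowsPath

# Constructed input: a subset of the schtasks /create command lines shown in
# the process tree above, copied verbatim (the report lists 54 in total).
REPORT_LINES = r'''
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\en-US\OSPPSVC.exe'" /f
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\OSPPSVC.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /f
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\csrss.exe'" /f
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\WmiPrvSE.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\LiveKernelReports\System.exe'" /f
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dwm.exe'" /f
'''.strip().splitlines()

# The schtasks /create switches that matter for triage. /rl is optional and
# defaults to LIMITED; /mo only appears with interval schedules such as MINUTE.
TASK_RE = re.compile(
    r'/tn\s+"(?P<name>[^"]+)"'
    r'\s+/sc\s+(?P<sched>\w+)'
    r'(?:\s+/mo\s+(?P<mo>\d+))?'
    r'\s+/tr\s+"\'?(?P<target>[^"\']+)\'?"'
    r'(?:\s+/rl\s+(?P<rl>\w+))?',
    re.IGNORECASE,
)

# Assumption: where each impersonated Windows binary lives on a default install.
# Extend per environment. "System" is the kernel pseudo-process, so a System.exe
# on disk is never legitimate, hence the empty tuple.
SYSTEM_BINARY_DIRS = {
    "smss.exe": (r"C:\Windows\System32",),
    "csrss.exe": (r"C:\Windows\System32",),
    "services.exe": (r"C:\Windows\System32",),
    "dwm.exe": (r"C:\Windows\System32",),
    "taskhost.exe": (r"C:\Windows\System32",),
    "spoolsv.exe": (r"C:\Windows\System32",),
    "dllhost.exe": (r"C:\Windows\System32", r"C:\Windows\SysWOW64"),
    "wmiprvse.exe": (r"C:\Windows\System32\wbem", r"C:\Windows\SysWOW64\wbem"),
    "explorer.exe": (r"C:\Windows",),
    "system.exe": (),
}


def parse_task(cmdline):
    """Turn one schtasks /create command line into a record, or None."""
    m = TASK_RE.search(cmdline)
    if not m:
        return None
    target = PureWindowsPath(m["target"])
    return {
        "task": m["name"],
        "schedule": m["sched"].upper(),
        "every_minutes": int(m["mo"]) if m["mo"] else None,
        "run_level": (m["rl"] or "LIMITED").upper(),
        "target": str(target),
        "exe": target.name,
        "directory": str(target.parent),
    }


def flags(rec):
    """Heuristics taken from the patterns visible in this report's task set."""
    out = []
    exe = rec["exe"].lower()
    if exe in SYSTEM_BINARY_DIRS:
        allowed = {d.lower() for d in SYSTEM_BINARY_DIRS[exe]}
        if rec["directory"].lower() not in allowed:
            out.append("masquerade")    # system-process name in the wrong directory
    stem = rec["exe"].rsplit(".", 1)[0]
    if stem and rec["task"] == stem + stem[0]:
        out.append("padded-name")       # smsss, csrssc, dwmd: stem + its first letter
    if rec["run_level"] == "HIGHEST":
        out.append("highest")           # elevated run level
    if rec["schedule"] == "MINUTE":
        out.append("repeating")         # relaunches the payload every N minutes
    return out


def triage(lines):
    records = []
    for line in lines:
        rec = parse_task(line)
        if rec:
            rec["flags"] = flags(rec)
            records.append(rec)
    return records


def drop_paths(records):
    """Unique on-disk payload locations: the host IOCs to sweep for."""
    return sorted({r["target"] for r in records})


def suspicious(records):
    return [r for r in records
            if "masquerade" in r["flags"] or "padded-name" in r["flags"]]


if __name__ == "__main__":
    recs = triage(REPORT_LINES)
    for r in recs:
        every = f"/{r['every_minutes']}m" if r["every_minutes"] else ""
        print(f"{r['task']:<10} {r['schedule']}{every:<5} {r['run_level']:<8} "
              f"{r['target']}  [{', '.join(r['flags'])}]")
    print("\nDrop paths to sweep:")
    for p in drop_paths(recs):
        print(" ", p)
```

A hit on "masquerade" alone is enough to act on: no legitimate deployment places smss.exe, csrss.exe or dwm.exe under C:\Recovery or a user profile. The padded-name check is specific to this family's builder and is there to tie otherwise unrelated tasks together during scoping.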
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 05c2038729e29a9d25052218bcc35406
SHA1 67df81f6759569bacce4827204159816229e5488
SHA256 bfd3559bb3cfa911741420be9250aca301d991fc0dc8825813718d24b7f39d9e
SHA512 687b615065323cd68f45398b6578510c48d3ee79ef07b5410288c6d21a376ff70407d7652fbadb6f0424e1af3f69b7497913f01e380f59192d8baddb6e959cbb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 95f6fb483c2795bb54335b6c6695907d
SHA1 3863d1c57184e20b1a15dee37f4cc39ccdbfa6b7
SHA256 9e86d19e6a2be64b65275b704cf4b6de6b5103223828c75b3afd85c55a5e7812
SHA512 df68e851a27f2ad6f3781451638906e0b629cbb13cc7ae11de0dae468de25900bea34514abdc2ed74228ef2f461ad17c7b7cf7045d004385ab5407de88a77ae1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 a0fb6800ecf0345ba020e7a4c4c72749
SHA1 c63a8a90e52c2d4419bdfb85e388540ca52d303e
SHA256 1306bdad0add015aa2c9a304f35c9d54b2602a132661c43770fbf5686924d6ec
SHA512 44463d46d161ab6d46ff95596d09ef8abf2e1e4713c9700f1b269a10683dad4b481f186cadc4154c0dcd7644f829103e7b8927aa060577de8d90fe711d12e755
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 46c5d5be3946689434d34288c5e80020
SHA1 cdf7765fd2c65aafcae20ef19605bd531cd03001
SHA256 582e034f9fffd4cc23a646ecb30f89c7d1c868fbf5a1c7a74924a3544e66f8a0
SHA512 bf0e686f1c3d89a4fa1fee61d8d1c1272118c09cf70229837343cf260679640dda717286cf230627f800cd58e76fa77bfcc61bfcb77cfccea35f23ccf8c4fdd3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 7be106d23c30b2da02feb1e4d94b4c53
SHA1 f076ad12ac7ab6191673a3ce50d946e7e379e297
SHA256 b289a8b5ae78872acc69a5c54dbcf05f98013ded0f4d5eee1068632a95bf0c15
SHA512 fb95bb6a45835d90d91ea027c292c6c34e8f587af0d5ad1ee9d1d8193d3775a39989ed748c23e0a04a20705a8030e7bc8cf83b26e98aeb911145b2668f011b7d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 7a53faa7d9f5f3d0cab8814484afcf7c
SHA1 acdae32b6060532764328cd0bad770069381c8e1
SHA256 4e5d9bc1270121c0f26229c7487b1e6d9e11661baa3fc152ef6b4992ad06aa7c
SHA512 ff650ea45db9ac4a9af102b62c7834956f9654ba61e334412d67bb6d0875d8736dae26d2015b699999b2e4c92a74f7eca637a70547f3ee7b5ceb13f27674dc4e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 4511d1de8c6e67576adf97b009f6d065
SHA1 6fe313c2503609df742244fbb7ef548f25c2f794
SHA256 6472b377b17818912161da0a988bfa2706ad4ffd79c06ed169838dff05b4896b
SHA512 c7f865e28a108681bdae91060c2dbd228211914517857302c81b0a69bfedab2987640ae87f8f6231a20827c28dbae8408eae9da9166bba71f58936f06daf237a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 b92b9fbe478c6f25c51805fdf897ee38
SHA1 3aa1e557e2adc44fb2fe552a748b890b9a6dedb8
SHA256 13a37741d20a9f292f95d372bc874c05da35d68546a4a9c86b4e71b5e8888fc1
SHA512 7b35ca2b9d0f68ec26acc22c2ff18bae376cd887d3929d40cab43decd09c8f9e280c5c5296c76b1653adc6961a7ea18536cedb7f3d03dc26698f89b47ec1e29a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 d93a74eef29e869fafbff175b1938c11
SHA1 eab5d1bfa83c484d48dac66e8bb432df5cabfb7a
SHA256 2916b953a9a3d0ef85dd3139d5f9ebfca5277eef63f926692768e3aeac896dac
SHA512 5cd020a38fffccc61488044562ebbc26951efcea71f4f69d8dcc0e919f5be01baf45c83134bcd6eb108e69bc8347098986aba9bb1cad9e4d9f0ad6dd2022822e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 68bcd693be3ee11478eb6a1e1c8f693e
SHA1 a670d3e27f33e89f5b1701e388e0dece5de4938e
SHA256 d1844a2af1f908790e05762a2bf99dc53c745900e6b5f0c315a0215e9af6055b
SHA512 4cd61233e8635da481436fee8c5b8b89f4e8a17fb293db59e0b0e06428875add61943262e6a641ccdae390ccb659dbdf27ab5d3e5d1f8cf8902bf82acbe513d9
-
Filesize 198B
MD5 bdbe4275d20295818ad3a2dd0ef353c8
SHA1 1dde07811188b5b5da7407ec3e820b89ca1df5ee
SHA256 1051f048530ba62689e7bdee85392f9756ea49825e9c87650490b35632dd5e75
SHA512 6259b73c836841989e2f497107bbde658068a0029c4b050f8c9cd2cb9fb1d97f233a98347f7f0c99a48ee1cc77a56822680d7c216ac038956ee64fb00655d938
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 198B
MD5 392c310a182f393aafaf36fd3fefb772
SHA1 bd399226b2b21b9b342280bc55fa340113d7136c
SHA256 b54100cb6c815bf414362455160ca3a808c9aa9ea3ca19b763ae4ebd3a576bf5
SHA512 6a35ac2100ac97873cd75d6be76b09e70a43b363fd0b91b51ab3d472dee6cd0b233fdc49e633891440d14628cd409a54117beb7f43e6059adee33ccb35739ed2
-
Filesize 198B
MD5 6f746b844b3b37e3900ab75b63fca00b
SHA1 ba8147b9a617af4db8488fcc60fefb9398fea5cc
SHA256 a3b96afd533be06e4e059d096dd6261ce7e474410bb58b810f05d9ee0f6c9c53
SHA512 f06f578c23150061e7a26fde52d070982867c7ea8d10c051611a5a9872a4546bc7b329176cefc833b2b6e8b272664e75f06e6bd88fddf96d07062dc0b8b91785
-
Filesize 198B
MD5 c8dc90fe8692eb9cb2f3c981f3e19a01
SHA1 907fec1163b3d02abc16ec4a82273c1b0ad0016f
SHA256 e0ea01ffa81e8258f949f3c2c2d0f0ea4a81c8e4ef012353178f403725523636
SHA512 0d95164e8ff55cf0b7c68e1a7c05472836f0af3ab7f6ff05e5e2c2ef6675a18a22cd519acd7f63c786d01669dd5ba34f6d31ffd2703e15d0258db2e6eb892c7a
-
Filesize 198B
MD5 445672a14d8acfb6926803f490580e2d
SHA1 f1e76d778fbd9b8784ef5e712458ba9f42006c5a
SHA256 89984305242ff00a60612e8d478750fb6dd2bd8a15866bda48b315718d5e0815
SHA512 b0e918e36a3cc46c221f83399f03f2d09157c796d15998afae325719056f26d9257c19a26c280a87f1a189cef70c2be950a76186c1dbbef1658bd5e5c9968f60
-
Filesize 198B
MD5 569b0fa6ee93d5396f4fbf88e3193767
SHA1 24c28b1dd609dc0580c87e874bd3c8e969226e35
SHA256 caf3204c48439aca99797daa605050826a39e07dee881e5caed4d33e07cd34a3
SHA512 7eafbddda95835173fb70ba8f34a7c1abd25b971948c384d6cb91982cb1c5e1ee427f6dd80dfb60b1f00f2c0a9b5f1529afce82dc04cbe3e8b4715d2ae7d28af
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 198B
MD5 9105c62578497d2c107074c831f39966
SHA1 5e9f2d0ca15f7de51a4fb33c87763a5a39b00000
SHA256 cc55c4f4592d173903726ee622377ce5ed81d61d0f163f4ea077ac823d5982e2
SHA512 b7ffe977c2e94ea689cb215c1ecfb391f67efcb637b8e818ff455f0c7ad8cb79db02b85ae5501bcc626e77d03a5d990c3b50dd9ace6e39ac8b520091448611f9
-
Filesize 198B
MD5 69877d72551af3a73293f83f739edb2a
SHA1 0c98ba648dd204391779f5526499ad6aa57ebc49
SHA256 e9ab1d40021280acf40898db98395cc7b8c0928578c7141c4f2268c098df34e2
SHA512 0d4c9adde491122bc19a58f522f7497648105becee6f457cf44e86124e3b65fafa506788e5eaab670222f2dec31b3b4e1c4ab0ee4f5fd95e72cbddfd4c7bdb92
-
Filesize 198B
MD5 4e73d9303677d40192ec11098dfb59da
SHA1 04925320aaffe005bab556683914b6096ca8967f
SHA256 6303e501fda193489b52ade1b2a559d4fbb6acb775658a6211c9b91bf0271035
SHA512 e627be47c11d505372637a0a34b3097bbe7304f17dce11191afb00316c3cd2fdee0e5767e58945780f23232d0754d71b3bdc540060fcc56c07c78e99ad99c71f
-
Filesize 198B
MD5 0639fc178ff4b329d484949ca47caba8
SHA1 adfb69159a1391f4e5683d72ad2a77639f919b47
SHA256 1141e434a711b0f54421e98bc18260a9877202f326628f145e8cfa3c0b70c7af
SHA512 01c8d00528c26e9362d011cc82ebd4697895810c7cd382bb0d3b8ae1350e9e956d985dab0556ea1535574a196fa5abcb5d85721dd4693cba7b5e875192b25b7d
-
Filesize 198B
MD5 4904da82a1e0223df7f193105dd4116f
SHA1 e74c5db1def156f27ce34ad8d52caf4c34854cdb
SHA256 f843538f3e79954758bc49a3f44cbe993e9711c689a46976d5c1271933222ffe
SHA512 3ac3b7950da20ae332c55b20b666e7c449dc55652f3ab123621fbd94625aa49b803755dae5c4942167f3f6bce386cb48645c8aae8e13c8cd03050c07dbb47170
-
Filesize 198B
MD5 b6bd2c710f77c71d896da6adbfeb10ef
SHA1 a597d837e933e17c743e02283a07dc89be694a12
SHA256 4f9149dd2cb51c8af268cc9a0bf862705342085f69cd687eef815cc0183ced41
SHA512 aeee31bd9f965fea07f1f8862c71cbfb905377381a47e35aa93589ecd90797f6cca21aab7508574468b279a3477138dfd77e471e41e3054d58ad1ebd61a7a980
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 4b1be4aff8d6b302ba95fa623fd5d3b8
SHA1 4b2b680d868533afbb29394e6c86dde4f12ef583
SHA256 777ca6e0cce8bf02e9d544c2a9672a08c591206a5d9bfe36d46c1c06c59db470
SHA512 9338f47d25316608e7d809da0b235622d3441a871edb81d8c075c0596ac57456e62697be7173612b637d13f728b8fd7e6d89515e700433575febcd92085855d2
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478