Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
21-12-2024 21:00
Behavioral task
behavioral1
Sample
JaffaCakes118_4bf5deca12fa559d56ae9070c9bcb1b3b6225581ce78c2d61dc4218f4c7f8498.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_4bf5deca12fa559d56ae9070c9bcb1b3b6225581ce78c2d61dc4218f4c7f8498.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_4bf5deca12fa559d56ae9070c9bcb1b3b6225581ce78c2d61dc4218f4c7f8498.exe
-
Size
1.3MB
-
MD5
b4a64835e237a2cfe228b6d0076cded0
-
SHA1
f5bc681b4af045ea898f3638c9b003b882e4b5e2
-
SHA256
4bf5deca12fa559d56ae9070c9bcb1b3b6225581ce78c2d61dc4218f4c7f8498
-
SHA512
deee9d6ef85c02dcda12bb98e8acc00c454e9fa0f3d9b324ad0040dbcaff81dfff98f031333b965e3f543f95cdcb4bb2f77d7b0f45fb053086589613e5120d11
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 54 IoCs
A parent launched a child it normally never creates. This often means the parent was compromised by an exploit or a macro, but check which parent it is first: wmiprvse.exe is the WMI provider host, and a process created through WMI (Win32_Process.Create) gets wmiprvse.exe as its parent. wmiprvse.exe spawning schtasks.exe therefore points to task creation driven over WMI, not to an exploited service. All 54 rows share the same description, parent and child image:
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target: 2572 (procid_target 35), the wmiprvse.exe parent
Process: schtasks.exe
pid of each schtasks.exe child, in report order:
2092, 2168, 1920, 2276, 2860, 1116, 2940, 2164, 2376, 1644, 2288, 1216, 2632, 1840, 532, 2888, 2864, 1656,
1212, 1496, 2984, 1928, 2120, 900, 1884, 2424, 748, 440, 2412, 888, 1776, 1192, 832, 1712, 2980, 1288,
1720, 1860, 1844, 2492, 3024, 3060, 280, 1984, 3068, 276, 872, 264, 1500, 2672, 2828, 2836, 2076, 2096
-
resource (yara_rule: dcrat)
behavioral1/files/0x0007000000016031-10.dat
behavioral1/memory/2704-13-0x0000000000050000-0x0000000000160000-memory.dmp
behavioral1/memory/1820-64-0x0000000001020000-0x0000000001130000-memory.dmp
behavioral1/memory/952-241-0x0000000000280000-0x0000000000390000-memory.dmp
behavioral1/memory/2732-301-0x0000000000360000-0x0000000000470000-memory.dmp
behavioral1/memory/1480-361-0x0000000000BC0000-0x0000000000CD0000-memory.dmp
behavioral1/memory/952-481-0x0000000001200000-0x0000000001310000-memory.dmp
behavioral1/memory/2732-541-0x0000000001320000-0x0000000001430000-memory.dmp
behavioral1/memory/2492-720-0x00000000002A0000-0x00000000003B0000-memory.dmp
The dcrat rule matches the dropped .dat file, the memory of DllCommonsvc.exe (pid 2704) and the memory of the relaunched winlogon.exe copies (pids 1820, 952, 2732, 1480, 2492), so the planted winlogon.exe carries the DcRat payload itself.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs
Runs PowerShell to modify Windows Defender settings by adding exclusions for file extensions, paths or processes. In this run every one of the 19 invocations is an Add-MpPreference -ExclusionPath call for one of the locations where the dropper plants a copy of itself (command lines are listed under Processes).
pid   Process
2576  powershell.exe
2820  powershell.exe
2540  powershell.exe
2760  powershell.exe
2536  powershell.exe
2408  powershell.exe
2564  powershell.exe
2560  powershell.exe
828   powershell.exe
2548  powershell.exe
2900  powershell.exe
2360  powershell.exe
2036  powershell.exe
2720  powershell.exe
2696  powershell.exe
3056  powershell.exe
2700  powershell.exe
2896  powershell.exe
2924  powershell.exe
-
Executes dropped EXE 12 IoCs
pid   Process
2704  DllCommonsvc.exe
1820  winlogon.exe
2700  winlogon.exe
952   winlogon.exe
2732  winlogon.exe
1480  winlogon.exe
1460  winlogon.exe
952   winlogon.exe
2732  winlogon.exe
2408  winlogon.exe
828   winlogon.exe
2492  winlogon.exe
PIDs are reused within the run: 952 and 2732 each appear twice, and 2700, 2408 and 828 are first powershell.exe and later winlogon.exe. When correlating IoCs across the tables below, match on pid plus process name (or the sandbox's procid), not on pid alone.
-
Loads dropped DLL 2 IoCs
pid   Process
2248  cmd.exe
2248  cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow  ioc
4     raw.githubusercontent.com
5     raw.githubusercontent.com
12    raw.githubusercontent.com
27    raw.githubusercontent.com
33    raw.githubusercontent.com
36    raw.githubusercontent.com
9     raw.githubusercontent.com
16    raw.githubusercontent.com
20    raw.githubusercontent.com
23    raw.githubusercontent.com
30    raw.githubusercontent.com
-
Drops file in System32 directory 2 IoCs
File created by DllCommonsvc.exe:
C:\Windows\System32\nl-NL\Idle.exe
C:\Windows\System32\nl-NL\6ccacd8608530f
-
Drops file in Program Files directory 14 IoCs
File created by DllCommonsvc.exe:
C:\Program Files (x86)\Windows Defender\en-US\wininit.exe
C:\Program Files\Windows Portable Devices\csrss.exe
C:\Program Files\Windows Portable Devices\ebf1f9fa8afd6d
C:\Program Files (x86)\Windows Defender\en-US\56085415360792
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\cc11b995f2a76d
C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\System.exe
C:\Program Files (x86)\Windows Defender\fr-FR\winlogon.exe
C:\Program Files (x86)\Windows Defender\fr-FR\cc11b995f2a76d
C:\Program Files\Windows Portable Devices\cmd.exe
C:\Program Files\Internet Explorer\SIGNUP\6ccacd8608530f
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\winlogon.exe
C:\Program Files\Internet Explorer\SIGNUP\Idle.exe
C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\27d1bcfc3c54e0
C:\Program Files\Windows Portable Devices\886983d96e3d3e
-
Drops file in Windows directory 1 IoCs
File created by DllCommonsvc.exe:
C:\Windows\diagnostics\index\smss.exe
Every planted executable borrows the name of a Windows system process (Idle, System, wininit, csrss, winlogon, smss, cmd) but lands in a localisation or application subdirectory where Windows never installs that binary, and each is paired with a small companion file with a hex-looking name (6ccacd8608530f, ebf1f9fa8afd6d, 56085415360792, cc11b995f2a76d, 27d1bcfc3c54e0, 886983d96e3d3e) in the same directory. Name plus directory, not name alone, is the property to hunt on.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by:
JaffaCakes118_4bf5deca12fa559d56ae9070c9bcb1b3b6225581ce78c2d61dc4218f4c7f8498.exe
WScript.exe
cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid (all schtasks.exe), in report order:
2492, 1116, 2120, 1776, 1920, 2860, 1656, 2984, 1928, 3024, 1212, 1712, 2980, 1720, 276, 2828, 2672, 2076,
2940, 2164, 1496, 1884, 532, 900, 832, 3068, 872, 264, 2632, 888, 1192, 1844, 2888, 1860, 2864, 2836,
2092, 1644, 2424, 3060, 1840, 748, 1288, 1984, 2276, 2376, 280, 2168, 2288, 1216, 440, 2412, 1500, 2096
-
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid   Process
2704  DllCommonsvc.exe (7 entries)
2896  powershell.exe
2536  powershell.exe
2696  powershell.exe
2900  powershell.exe
2820  powershell.exe
2720  powershell.exe
2540  powershell.exe
828   powershell.exe
2560  powershell.exe
2924  powershell.exe
2576  powershell.exe
2564  powershell.exe
2408  powershell.exe
2700  powershell.exe
2360  powershell.exe
3056  powershell.exe
2548  powershell.exe
2036  powershell.exe
2760  powershell.exe
1820  winlogon.exe
2700  winlogon.exe
952   winlogon.exe
2732  winlogon.exe
1480  winlogon.exe
1460  winlogon.exe
952   winlogon.exe
2732  winlogon.exe
2408  winlogon.exe
828   winlogon.exe
2492  winlogon.exe
-
Suspicious use of AdjustPrivilegeToken 31 IoCs
Token SeDebugPrivilege enabled by (pid Process), in report order:
2704 DllCommonsvc.exe, 2896 powershell.exe, 2696 powershell.exe, 2536 powershell.exe, 2900 powershell.exe, 2820 powershell.exe, 2720 powershell.exe, 2564 powershell.exe, 2540 powershell.exe, 828 powershell.exe, 2924 powershell.exe, 2700 powershell.exe, 2408 powershell.exe, 2576 powershell.exe, 2560 powershell.exe, 1820 winlogon.exe, 2360 powershell.exe, 3056 powershell.exe, 2548 powershell.exe, 2036 powershell.exe, 2760 powershell.exe, 2700 winlogon.exe, 952 winlogon.exe, 2732 winlogon.exe, 1480 winlogon.exe, 1460 winlogon.exe, 952 winlogon.exe, 2732 winlogon.exe, 2408 winlogon.exe, 828 winlogon.exe, 2492 winlogon.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Every pair below is a parent writing into a child it has just launched; the pairs coincide exactly with the parent/child launches in the Processes tree, and no write into an unrelated process is recorded. Repeated entries for the same pair are collapsed with a count.
pid   Process              wrote to memory of   procid_target   entries
2636  JaffaCakes118_4bf5deca12fa559d56ae9070c9bcb1b3b6225581ce78c2d61dc4218f4c7f8498.exe  2696  31  4
2696  WScript.exe          2248                 32              4
2248  cmd.exe              2704                 34              4
2704  DllCommonsvc.exe     2548                 90              3
2704  DllCommonsvc.exe     2408                 91              3
2704  DllCommonsvc.exe     2700                 92              3
2704  DllCommonsvc.exe     2760                 93              3
2704  DllCommonsvc.exe     2696                 94              3
2704  DllCommonsvc.exe     2576                 95              3
2704  DllCommonsvc.exe     2900                 96              3
2704  DllCommonsvc.exe     2564                 97              3
2704  DllCommonsvc.exe     2820                 98              3
2704  DllCommonsvc.exe     2540                 99              3
2704  DllCommonsvc.exe     2536                 100             3
2704  DllCommonsvc.exe     2560                 101             3
2704  DllCommonsvc.exe     2360                 102             3
2704  DllCommonsvc.exe     3056                 103             3
2704  DllCommonsvc.exe     828                  104             3
2704  DllCommonsvc.exe     2036                 105             3
2704  DllCommonsvc.exe     2896                 106             3
2704  DllCommonsvc.exe     2720                 107             1
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
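How the schtasks.exe invocations listed under Processes decompose, as an added example in Python (not the sandbox's code): a small parser for schtasks /create command lines, a per-task suspicion check, and a grouping step that recovers the pattern this sample uses, three tasks per planted binary (a MINUTE re-launch, an ONLOGON task at /rl HIGHEST, and a second MINUTE task at /rl HIGHEST). The six sample command lines are copied from this report; the "Nightly Backup" line is a constructed benign control, and the list of staging roots is an assumption.

```python
"""Parse schtasks.exe /create command lines and recover the
three-tasks-per-binary persistence pattern seen in this report.

Added example, not part of the sandbox report. CMDLINES is copied from the
report's process list except for the last, constructed, benign entry.
"""
from collections import defaultdict

CMDLINES = [
    r"""schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /f""",
    r"""schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Desktop\System.exe'" /f""",
    r"""schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\System.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Desktop\System.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "Nightly Backup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe" /ru SYSTEM""",
]

# Assumed roots a scheduled task should not normally execute from.
STAGING_ROOTS = (r"c:\users", r"c:\msocache", r"c:\recovery", r"c:\programdata",
                 r"c:\windows\temp", r"c:\providercommon")
VALUELESS = {"/f", "/z", "/np", "/it"}      # schtasks switches that take no argument


def tokenize(cmd):
    """Split on spaces outside double quotes; the double quotes themselves are dropped."""
    toks, cur, in_quote = [], [], False
    for ch in cmd:
        if ch == '"':
            in_quote = not in_quote
        elif ch == " " and not in_quote:
            if cur:
                toks.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        toks.append("".join(cur))
    return toks


def parse_create(cmd):
    """Dict of the interesting /create options, or None if this is not schtasks /create."""
    toks = tokenize(cmd)
    if len(toks) < 2 or toks[0].lower().rsplit("\\", 1)[-1] not in ("schtasks", "schtasks.exe"):
        return None
    if toks[1].lower() != "/create":
        return None
    opts, i = {}, 2
    while i < len(toks):
        key = toks[i].lower()
        if key in VALUELESS:
            opts[key] = True
            i += 1
        elif key.startswith("/") and i + 1 < len(toks):
            opts[key] = toks[i + 1]
            i += 2
        else:
            i += 1
    modifier = opts.get("/mo", "")
    return {
        "name": opts.get("/tn"),
        "schedule": opts.get("/sc", "").upper(),
        "modifier": int(modifier) if modifier.isdigit() else None,
        "target": opts.get("/tr", "").strip("'"),   # this sample wraps the path in single quotes
        "run_level": opts.get("/rl", "").upper() or None,
        "force": opts.get("/f") is True,
    }


def suspicion(task):
    """Reasons a parsed task looks like malware persistence (empty list = nothing odd)."""
    reasons = []
    target = task["target"].lower()
    if any(target.startswith(root + "\\") for root in STAGING_ROOTS):
        reasons.append("target under a user-writable or staging path")
    if task["schedule"] == "MINUTE" and task["modifier"] is not None and task["modifier"] <= 15:
        reasons.append(f"re-launched every {task['modifier']} minutes")
    if task["run_level"] == "HIGHEST":
        reasons.append("runs at highest available privilege")
    stem = target.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    name = (task["name"] or "").lower()
    if stem and (name == stem or (len(name) == len(stem) + 1 and name.startswith(stem))):
        reasons.append("task name is the target file name, optionally plus one letter")
    return reasons


def triplets(tasks, min_tasks=3):
    """Targets with min_tasks or more tasks pointing at them, keyed by lower-case target."""
    by_target = defaultdict(list)
    for task in tasks:
        if task and task["target"]:
            by_target[task["target"].lower()].append(task)
    return {tgt: ts for tgt, ts in by_target.items() if len(ts) >= min_tasks}


if __name__ == "__main__":
    parsed = [parse_create(c) for c in CMDLINES]
    for task in parsed:
        print(task["name"], task["schedule"], task["modifier"], task["run_level"], suspicion(task))
    for tgt, ts in triplets(parsed).items():
        print(f"{len(ts)} tasks -> {tgt}")
```

The grouping step is the part worth keeping: a single task with /rl HIGHEST is common in legitimate software, but three tasks within seconds for one binary, two of them on a minute schedule, is the shape of this family's persistence and survives renaming of the task names.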
Processes
-
Each entry gives its depth in the tree, image path, PID, command line and the signatures attached to it. The chain is: the submitted .exe runs a .vbe through WScript.exe, the .vbe runs a .bat through cmd.exe, the .bat starts the .NET dropper DllCommonsvc.exe, and the dropper adds 19 Defender exclusions before starting the first planted winlogon.exe. Each winlogon.exe then runs a temporary .bat that calls w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (two samples five seconds apart, used purely as a delay) and starts the next winlogon.exe copy, eleven generations deep within the 150 s run.

depth 1  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4bf5deca12fa559d56ae9070c9bcb1b3b6225581ce78c2d61dc4218f4c7f8498.exe  (PID 2636)
         cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4bf5deca12fa559d56ae9070c9bcb1b3b6225581ce78c2d61dc4218f4c7f8498.exe"
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
depth 2  C:\Windows\SysWOW64\WScript.exe  (PID 2696)
         cmdline: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
depth 3  C:\Windows\SysWOW64\cmd.exe  (PID 2248)
         cmdline: cmd /c ""C:\providercommon\1zu9dW.bat" "
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
depth 4  C:\providercommon\DllCommonsvc.exe  (PID 2704)
         cmdline: "C:\providercommon\DllCommonsvc.exe"
         - Executes dropped EXE
         - Drops file in System32 directory
         - Drops file in Program Files directory
         - Drops file in Windows directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

depth 5  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, 19 children of PID 2704. Every one carries the signatures Command and Scripting Interpreter: PowerShell, Suspicious behavior: EnumeratesProcesses and Suspicious use of AdjustPrivilegeToken.
         PID 2548  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
         PID 2408  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'
         PID 2700  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\System.exe'
         PID 2760  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\fr-FR\winlogon.exe'
         PID 2696  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\cmd.exe'
         PID 2576  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'
         PID 2900  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\DllCommonsvc.exe'
         PID 2564  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
         PID 2820  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\spoolsv.exe'
         PID 2540  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\en-US\wininit.exe'
         PID 2536  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\nl-NL\Idle.exe'
         PID 2560  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
         PID 2360  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\winlogon.exe'
         PID 3056  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\SIGNUP\Idle.exe'
         PID 828   "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
         PID 2036  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\System.exe'
         PID 2896  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\csrss.exe'
         PID 2720  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'
         PID 2924  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'

The relaunch chain below starts as the 20th child of PID 2704. Every winlogon.exe entry is the image C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe run with cmdline "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe" and carries the signatures Executes dropped EXE, Suspicious behavior: EnumeratesProcesses and Suspicious use of AdjustPrivilegeToken. Every cmd.exe entry is C:\Windows\System32\cmd.exe run as "C:\Windows\System32\cmd.exe" /C "<bat>" with no signatures, and every w32tm.exe entry is C:\Windows\system32\w32tm.exe run as w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 with no signatures.
depth 5   winlogon.exe  (PID 1820)
depth 6   cmd.exe  (PID 2248)  bat: C:\Users\Admin\AppData\Local\Temp\CPbxFudqw6.bat
depth 7   w32tm.exe  (PID 2412)
depth 7   winlogon.exe  (PID 2700)
depth 8   cmd.exe  (PID 2536)  bat: C:\Users\Admin\AppData\Local\Temp\8qIUyQJ4qD.bat
depth 9   w32tm.exe  (PID 1676)
depth 9   winlogon.exe  (PID 952)
depth 10  cmd.exe  (PID 1776)  bat: C:\Users\Admin\AppData\Local\Temp\A1nTHBcTHH.bat
depth 11  w32tm.exe  (PID 664)
depth 11  winlogon.exe  (PID 2732)
depth 12  cmd.exe  (PID 2936)  bat: C:\Users\Admin\AppData\Local\Temp\or7X1gMNi7.bat
depth 13  w32tm.exe  (PID 1628)
depth 13  winlogon.exe  (PID 1480)
depth 14  cmd.exe  (PID 1648)  bat: C:\Users\Admin\AppData\Local\Temp\9kwbr7Wkdx.bat
depth 15  w32tm.exe  (PID 2120)
depth 15  winlogon.exe  (PID 1460)
depth 16  cmd.exe  (PID 1192)  bat: C:\Users\Admin\AppData\Local\Temp\CZdmQsnKkU.bat
depth 17  w32tm.exe  (PID 1496)
depth 17  winlogon.exe  (PID 952)
depth 18  cmd.exe  (PID 1236)  bat: C:\Users\Admin\AppData\Local\Temp\XaHtVPtwVH.bat
depth 19  w32tm.exe  (PID 2644)
depth 19  winlogon.exe  (PID 2732)
depth 20  cmd.exe  (PID 3020)  bat: C:\Users\Admin\AppData\Local\Temp\JeZnuB4iL9.bat
depth 21  w32tm.exe  (PID 1960)
depth 21  winlogon.exe  (PID 2408)
depth 22  cmd.exe  (PID 1520)  bat: C:\Users\Admin\AppData\Local\Temp\0VN2lTwXPf.bat
depth 23  w32tm.exe  (PID 1428)
depth 23  winlogon.exe  (PID 828)
depth 24  cmd.exe  (PID 1824)  bat: C:\Users\Admin\AppData\Local\Temp\fBgHK1Vy37.bat
depth 25  w32tm.exe  (PID 2784)
depth 25  winlogon.exe  (PID 2492)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Desktop\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Desktop\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Default\Desktop\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Desktop\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Recent\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Recent\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Recent\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\en-US\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\System32\nl-NL\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:440
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\System32\nl-NL\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\System32\nl-NL\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\providercommon\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\SIGNUP\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\SIGNUP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\SIGNUP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:280
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:276
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 1e3f1d933b19ee79e8b21b4d02c05401
SHA1 5464334beebf9a0cff4a10918b6421e464ea48c8
SHA256 55eedd7eaa701f61d34b8533fb20bb200b0b69ae4dee0e4152362ea30725764a
SHA512 ee38e6817966374520e4b053fb7a00a92d00b8667dc3c39a939f1b963ba5a037fd74967af5be5f2d7533a2f1358d2a2582867564121e2c5b66e588bf1e74307c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 84682a741cdce003768b8b3b85adde83
SHA1 044208506fe790b4fcfeb525032ebd4b7e432d13
SHA256 cb8d758a6fe41e99f873b1184259e2e4aa627b5149acd4d541058e8fb3baa225
SHA512 fd36381354d2cb2b3f3444e86500461bcc5a62acafd519a2e835908db220aecff381b78dfa5d658b4e55b755737c4be959f5027a1036683e565bc7bd973f0c57
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 ef894f572a2a32f8d6cc67683395bf33
SHA1 29e0373abf996a56a5993ab5ceabcce18f32c3f2
SHA256 8c76e06440dcaf6bef9f6901e1e1ff103bea7ecc5182a1fbda3c55f8a5749499
SHA512 0f2f1f9002355f21385416cdeda3d540df1eb080d44fd802d632aa77cbd0d5ed09834c956133cec764d50a95a227dbab26fb7a187ff6c5caaf1a96980652b592
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 6d577db00d65081a36cd334b0b8471b6
SHA1 bd0263459791e794cd04b8eb85adab966115a5ab
SHA256 252483572ecaad507880f13a8efc1d2d8a5776b27723e4c7b124e706cdcf1359
SHA512 33aff0384afe2a2fc8b9c13e01dbc481b10bae3a14bfd48a512eea98cd9911d8666866b6f72124df0fc7e59828745e552212abd14a38db7b3a4c2afdf5d2a4f9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 6da5249bc35290f49733a6dcf7982a09
SHA1 3d63054a3b1eb9076fd94c4dd453e8605c9c3e47
SHA256 a695aa39c937379338c48d32560935ee576164c789f06eb39419ed7be8e47435
SHA512 ce3eb60f9d234ec53143636439bde16a86e42d3912346ff8f0b0650c0f4f2227fa031828e6d02be84c3322c40d1348daff4cae7b4b0be75aaca6dc8594f968e7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 92d133cd9258bf33fbd9d9640893e392
SHA1 d9ae423cbced1f1b2343787629f862f6bc8d58d6
SHA256 e3ac070d84ed230d3b283d75447f538ddf5d773960106f9380091df43e9ac61f
SHA512 ad55a2fe32835547f2e58dd1581a8be6caadce71467e334ffc30b78623f44fde6dd59fe52a977859a95ec39480b536b8bd30454bb6a8c78ec22a88a9786825a5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 0804c1ad787db49238f6908264abcc51
SHA1 73593a532f9aa13ca52c206540831742e808cc2b
SHA256 612530f685b3a16036cc36d66f7eed3f2451a83e64c81e86773ccdbb7240c6fd
SHA512 ced73aa88d4f1a28d968daee63cec409048eadae7a2414d4cccd5395d455cad48c5660ac3ad282c51ff906f84b9e01a5e701d034cf0799ee77434db1bf2e162c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 44ca3c0a8b977d3e543763804768b05f
SHA1 0567a776b2361af7a26c79d5179df64981d71ebc
SHA256 8b30c166763e512260132d0b2aed0239b9996b10393a1b20b128ba6845cf7136
SHA512 a42fbbb7a5f52fcad3c8fb38eed9e8e840a038243db4b3d22e2a1522867d958397ca39b119e071768af87415824a9996ec078fd3babda84ca3b14c2476bee04e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 85028f0aee007b0624b53e489f0c627a
SHA1 d32403bd9b8e177afdaacf17429cfafe79aa24a0
SHA256 3db48ad23204845b391d90078c42f39851e473a699f3354859daaeb9442f800e
SHA512 4bac137f8f7b86c277ceb3c5e6066919a7b1a216b1773bfcca076deeeedbf758169cc99ac585a4d6656de0f56bdf399d63581c51f8cbd0a1c94292054f37ac8e
-
Filesize 240B
MD5 57a92bb290ec40467b25985c6fc254ba
SHA1 bcd6f982c497cf4ed8542111b8167b9b876253a3
SHA256 d3ee7de20de33eb97ab34d027b9fc8f2dde3dc12f0514838e1c78cdbb8bad36d
SHA512 0f31c92c3d48217ed31685b4922c660e37ededc6360d41429f30120c35f1e36d882ab78546e673ab82bb77622fd2a443126ceaa9c623e7cda978f53841079776
-
Filesize 240B
MD5 903948d78f3d6cd4f0f34fddd1c8ab35
SHA1 5595b52f7d6f2e669fd856df96990749e12749ad
SHA256 61b7672d679385cc033ece0c868908a25a5434af9f9eecbc201499ec080790ff
SHA512 f5e4a9b984a27d427a10a0df4b2f7af17e40a90650e3f6f22cd82d325c8d8654e51e1189ae7d5022bf680624dd7f2c78c1a11730c80ee9b3ddb633df83b7518a
-
Filesize 240B
MD5 e05a16b707d29bd25b1f0475ce006892
SHA1 93cf1d544b940cb4e590f682ee2cd941fd219989
SHA256 7580ad266535b5d6bdf048f983efa7a58dd69d2d9e1e8f83467b2ba9e4529198
SHA512 4357b1df337966bd9e0214e4fc123300a07fd4ae7bc657fba40587f85fbbc49803b1b09991a83b66775557af1c88caa2fbfb96990656c86c60dd84922ea3cba7
-
Filesize 240B
MD5 803c798cf7f22a520b224126b0fdfe14
SHA1 75909f531df02eab68e02be2e44e77da74e17266
SHA256 de2e4207e97f42af7182b00b03462f333f8d0985d697010c10d212314a4804d4
SHA512 27e3158c0a0e5c2cf01419de5cbb82d5d2f04d113587b53e6fa089813d2b2a0a44f818db86f3b8cc87e6f49526c17a960c189b8b64754731b3d95c21d2412c7b
-
Filesize 240B
MD5 770431f5ede239a9ed5f29a2e27838d3
SHA1 317a98639cfd8c6a8e1a57d654cde3921acc9f42
SHA256 3a57609593649a71c32fc018d4e29797506a25af851ae7b608378331285d553c
SHA512 ec0b6f880b1bba59e93b5cae186cc52ed7691b7e2e0890eb7aa63e0ce3a4525650ae5c0006cb5ec5f601364150f13f1650e29d98f5b087c9f95cccf05ab8a7a6
-
Filesize 240B
MD5 b7496c8e14ba125c884025f8f92e2418
SHA1 8ef70e53c322d80bd1f58eeb8d840a4d9859dc09
SHA256 971121c599f199d8f8db29813668363f2d8f6aa634413ff47d4b90138574ab68
SHA512 2be7466651911ea12ae5486590b82f9369ee533c7d0c0aae1191b670249ef5fab33839f7c2d97a2df7feeb0b465c810c7e9eb04b831d21582d636a874a77c155
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 240B
MD5 ac88d33a17f3c1aec1f678aaf11c3612
SHA1 86110b4bba653c7259616b2db3b0197134899acc
SHA256 a530c7953a98c226d6c64f0d2fb69247befce46dbdb0def1ef21b9e941b85a61
SHA512 f6fbb72daaad9df4e9558d61a13b15b5175d5f9769ed12d148732049b393982d74ea585957351ce151509e0b9f65e89cd8dfae768ad3c21a664ed2665164c253
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 240B
MD5 678ed96c58192a542fa0cdf74e6d6fb3
SHA1 5aabe747228d5de93a7aa7ef22ea64df58be3164
SHA256 984fc46b41b93647da21d9b4c56954de4e82c1efc9b85f7e66171376aa10c12e
SHA512 e6d822823457d6e4d248aec48d7879a50a66e9e29c56e32a41049400041d864823efb6420c0c95ce342c8e26e90bd86d2630835e87745baa22ede81914f84666
-
Filesize 240B
MD5 d022a0c4ae11e1095681bfe4c2e622db
SHA1 c52fe072d0aa3d002f283eeb3ba4625ccd12faaf
SHA256 f0e21fe9e1a05b685695a0ddfc899fecb96d77e7081143e2d7f72174e174e373
SHA512 6f4bcb90a348205d00486d4f765d6e01b5825a89adcb320e7390a982f34ae086f3b5cfab38bfdf9ffba19ca3edac4553181b4d7e04b7b900c439ab0156401b5f
-
Filesize 240B
MD5 a0481a2b5fc36ed258de09a73d2f10af
SHA1 f14e3dcb34f2b621044e8528fc5a1444e2517a40
SHA256 4e66399bff6b6c57f2d9c9394d96228b61783c956a11b5911394e10d44a75159
SHA512 1c321f592e6224b83f96783072fc639d2ca04663fff4491cff4d499b6eeb80dce54cf8ebf797de96f63b29fc7d6732467113ace629ddd7cf3fe6c296c42bf9fa
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 51621e12d62f8f49d652f8d22bbdb296
SHA1 fa7749bf495b98e158a18b0fecbf04875cfbd122
SHA256 f75f1a86b1175cce5cffd69eede317e8d6cc4097c6eae341ef1737414f4e7316
SHA512 ae13e39ab4b26227b541748f90135795ba6906b029be05393956fe8d89317efddb86394e9e5b526e3f1e25923d7f36d740dd8ea999a5d0a7ef47ba05dcae0c3a
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478