Analysis
max time kernel: 146s
max time network: 147s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2024 00:50
Behavioral task behavioral1
Sample: JaffaCakes118_92038f82cda94090e81ba09567c3d9020ed50c7f0638db98b4af832466764eb5.exe
Resource: win7-20240729-en
Behavioral task behavioral2
Sample: JaffaCakes118_92038f82cda94090e81ba09567c3d9020ed50c7f0638db98b4af832466764eb5.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_92038f82cda94090e81ba09567c3d9020ed50c7f0638db98b4af832466764eb5.exe
Size: 1.3MB
MD5: a69f14f077c0fc7eaabbce7419127e0c
SHA1: 391baf1ebb7a52986f8553c66a8fc6ef16fe3f17
SHA256: 92038f82cda94090e81ba09567c3d9020ed50c7f0638db98b4af832466764eb5
SHA512: 1a9d4f5a2f4b6a0ca5dae08aedd24b534f81141ef3414aecb16d6fa04ad223ca3214491839d9b2ad04ddf027eca6d0b4faa47d956921dfd7768b57378b85ac10
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal RAT (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.
Dcrat family
Process spawned unexpected child process (51 IoCs)
This typically indicates the parent process was compromised via an exploit or macro. Here, however, every one of the 51 hits is the same pattern: schtasks.exe with WmiPrvSE.exe (pid 2696) as its parent. A child of WmiPrvSE.exe is a process created on behalf of some other process through WMI, so the real requester (in this run, the process that created the task targets, DllCommonsvc.exe) never appears as the parent and the scheduled-task registrations show up as roots in the process tree rather than under the RAT.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | (see pids below) | 2696 | schtasks.exe | 34
Child pids (51): 580, 1496, 2020, 2764, 1908, 1956, 2364, 1236, 2856, 620, 1592, 2116, 1424, 2872, 1640, 1376, 600, 2332, 1768, 2252, 320, 2392, 1788, 1144, 860, 1088, 2000, 2424, 1568, 980, 1720, 1576, 976, 1960, 1988, 1744, 1436, 1672, 1216, 2496, 2508, 1944, 2104, 1880, 2312, 1896, 964, 908, 2964, 1548, 1552
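The signature above is a parent/child rule, and the interesting consequence is what the reconstructed lineage does not contain. The following Python is an added example, not code from the sandbox or from DcRat: it walks Sysmon-style process-creation records, flags scheduler and shell children of wmiprvse.exe, and prints whatever lineage can be rebuilt from ppid links, which stops at the WMI host and never reaches the RAT. The records are constructed from this report's pids (wmiprvse.exe 2696, schtasks.exe 580 and 1496, DllCommonsvc.exe 2812 under cmd.exe 2360); the services.exe/svchost.exe ancestry, explorer.exe and the benign schtasks /query line are assumptions added for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str = ""


# COM/WMI provider hosts: a child of one of these was requested by some
# other process over WMI, so the visible lineage stops here.
WMI_HOSTS = {"wmiprvse.exe"}

# Children that are routine under a user shell but rarely under WmiPrvSE.
SUSPICIOUS_CHILDREN = {
    "schtasks.exe", "cmd.exe", "powershell.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def lineage(pid: int, by_pid: dict) -> list:
    """Walk ppid links upward until the parent is unknown or a loop appears."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        chain.append(f"{basename(ev.image)}({ev.pid})")
        pid = ev.ppid
    return chain


def find_wmi_spawned(events: list) -> list:
    """Return every suspicious child whose direct parent is a WMI provider host."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        if basename(parent.image) in WMI_HOSTS and basename(e.image) in SUSPICIOUS_CHILDREN:
            hits.append({
                "pid": e.pid,
                "child": basename(e.image),
                "parent_pid": parent.pid,
                "cmdline": e.cmdline,
                "lineage": " <- ".join(lineage(e.pid, by_pid)),
            })
    return hits


# Constructed events modelled on this report: wmiprvse.exe 2696 is the parent
# of the schtasks.exe children (pids 580, 1496). The services.exe/svchost.exe
# ancestry, explorer.exe and the benign "schtasks /query" are assumptions.
SAMPLE_EVENTS = [
    ProcEvent(480, 400, r"C:\Windows\System32\services.exe"),
    ProcEvent(632, 480, r"C:\Windows\System32\svchost.exe", "svchost.exe -k DcomLaunch"),
    ProcEvent(2696, 632, r"C:\Windows\system32\wbem\wmiprvse.exe"),
    ProcEvent(2360, 2944, r"C:\Windows\SysWOW64\cmd.exe", 'cmd /c ""C:\\providercommon\\1zu9dW.bat" "'),
    ProcEvent(2812, 2360, r"C:\providercommon\DllCommonsvc.exe"),
    ProcEvent(580, 2696, r"C:\Windows\system32\schtasks.exe",
              "schtasks.exe /create /tn \"cmdc\" /sc MINUTE /mo 10 /tr \"'C:\\Program Files (x86)\\Windows Sidebar\\cmd.exe'\" /f"),
    ProcEvent(1496, 2696, r"C:\Windows\system32\schtasks.exe",
              "schtasks.exe /create /tn \"cmd\" /sc ONLOGON /tr \"'C:\\Program Files (x86)\\Windows Sidebar\\cmd.exe'\" /rl HIGHEST /f"),
    ProcEvent(1200, 1100, r"C:\Windows\explorer.exe"),
    ProcEvent(3000, 1200, r"C:\Windows\System32\schtasks.exe", "schtasks.exe /query"),
]

if __name__ == "__main__":
    for hit in find_wmi_spawned(SAMPLE_EVENTS):
        print(f"{hit['child']} pid {hit['pid']} spawned by WmiPrvSE pid {hit['parent_pid']}")
        print(f"  lineage: {hit['lineage']}")
        print(f"  cmdline: {hit['cmdline']}")
```

The lineage for the flagged pids ends at services.exe; DllCommonsvc.exe (2812) is reachable only as its own chain under cmd.exe (2360). To attribute WMI-launched children to the requester you need a different source than ppid, for example WMI-Activity operational logging or the command line of the task target itself, which is what the schtasks /tr values give you here.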
resource | yara_rule
behavioral1/files/0x0006000000019570-9.dat | dcrat
behavioral1/memory/2812-13-0x0000000000BE0000-0x0000000000CF0000-memory.dmp | dcrat
behavioral1/memory/2260-150-0x00000000010C0000-0x00000000011D0000-memory.dmp | dcrat
behavioral1/memory/876-209-0x0000000001170000-0x0000000001280000-memory.dmp | dcrat
behavioral1/memory/604-623-0x0000000000120000-0x0000000000230000-memory.dmp | dcrat
behavioral1/memory/2680-683-0x0000000001050000-0x0000000001160000-memory.dmp | dcrat
The memory hits are in DllCommonsvc.exe (pid 2812) and four of the dropped cmd.exe copies (pids 2260, 876, 604, 2680; see the process tree), so the copies are the same DcRat payload, not the system cmd.exe.
Command and Scripting Interpreter: PowerShell (1 TTP, 18 IoCs)
PowerShell is run to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Process: powershell.exe (18 instances); pids: 2148, 2604, 2768, 2944, 2724, 2824, 2788, 2792, 1700, 2624, 2184, 2664, 1580, 2928, 2736, 2600, 2932, 2804
Executes dropped EXE (11 IoCs)
pid | Process
2812 | DllCommonsvc.exe
2260, 876, 920, 2812, 2840, 2288, 1496, 872, 604, 2680 | cmd.exe (the dropped C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe, not the system binary)
Several pids are reused within this run (2812 is DllCommonsvc.exe and later a cmd.exe copy; 1496 is a schtasks.exe and later a cmd.exe copy; 2184 is the sample and later a powershell.exe), so correlate events by pid together with time, never by pid alone.
Loads dropped DLL (2 IoCs)
pid | Process
2360 | cmd.exe
2360 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 11 IoCs)
ioc: raw.githubusercontent.com; flows: 4, 5, 12, 26, 33, 36, 9, 16, 19, 23, 29
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\System32\lv-LV\smss.exe | DllCommonsvc.exe
File created | C:\Windows\System32\lv-LV\69ddcba757bf72 | DllCommonsvc.exe
Drops file in Program Files directory (7 IoCs)
description | ioc | Process
File created | C:\Program Files\Windows Mail\en-US\wininit.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Mail\en-US\56085415360792 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Sidebar\cmd.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\cmd.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Sidebar\ebf1f9fa8afd6d | DllCommonsvc.exe
File created | C:\Program Files\Windows Photo Viewer\wininit.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Photo Viewer\56085415360792 | DllCommonsvc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_92038f82cda94090e81ba09567c3d9020ed50c7f0638db98b4af832466764eb5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 51 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Process: schtasks.exe (51 instances); pids: 2020, 1216, 1424, 600, 1144, 1568, 964, 1496, 1640, 1376, 2424, 976, 1744, 1896, 908, 1552, 2364, 1592, 1720, 1672, 2508, 2116, 2392, 1788, 860, 1088, 1960, 2964, 580, 1236, 1768, 2252, 320, 1576, 2496, 2764, 1908, 2856, 620, 2872, 980, 1944, 1880, 1956, 2332, 2000, 1988, 1436, 2104, 2312, 1548
Suspicious behavior: EnumeratesProcesses (29 IoCs)
pid | Process
2812 | DllCommonsvc.exe
2932, 2928, 2824, 2148, 2664, 2184, 2724, 2600, 2768, 2604, 1580, 2624, 2788, 2736, 2792, 2804, 2944, 1700 | powershell.exe
2260, 876, 920, 2812, 2840, 2288, 1496, 872, 604, 2680 | cmd.exe (dropped copy)
Suspicious use of AdjustPrivilegeToken (29 IoCs)
Token: SeDebugPrivilege in every case, requested by the same 29 processes:
2812 | DllCommonsvc.exe
2932, 2928, 2824, 2148, 2664, 2184, 2724, 2600, 2768, 2604, 1580, 2624, 2788, 2736, 2792, 2804, 2944, 1700 | powershell.exe
2260, 876, 920, 2812, 2840, 2288, 1496, 872, 604, 2680 | cmd.exe (dropped copy)
Suspicious use of WriteProcessMemory (64 IoCs)
Identical rows are collapsed; the "entries" column gives how many times each row appears in the report. The list stops at 64 entries, which is why the final row appears once where the others appear three times.
description | pid | Process | procid_target | entries
PID 2184 wrote to memory of 2944 | 2184 | JaffaCakes118_92038f82cda94090e81ba09567c3d9020ed50c7f0638db98b4af832466764eb5.exe | 30 | 4
PID 2944 wrote to memory of 2360 | 2944 | WScript.exe | 31 | 4
PID 2360 wrote to memory of 2812 | 2360 | cmd.exe | 33 | 4
PID 2812 wrote to memory of 2788 | 2812 | DllCommonsvc.exe | 86 | 3
PID 2812 wrote to memory of 2792 | 2812 | DllCommonsvc.exe | 87 | 3
PID 2812 wrote to memory of 2804 | 2812 | DllCommonsvc.exe | 88 | 3
PID 2812 wrote to memory of 2824 | 2812 | DllCommonsvc.exe | 90 | 3
PID 2812 wrote to memory of 2184 | 2812 | DllCommonsvc.exe | 91 | 3
PID 2812 wrote to memory of 2736 | 2812 | DllCommonsvc.exe | 93 | 3
PID 2812 wrote to memory of 2724 | 2812 | DllCommonsvc.exe | 94 | 3
PID 2812 wrote to memory of 2932 | 2812 | DllCommonsvc.exe | 96 | 3
PID 2812 wrote to memory of 2928 | 2812 | DllCommonsvc.exe | 97 | 3
PID 2812 wrote to memory of 2944 | 2812 | DllCommonsvc.exe | 98 | 3
PID 2812 wrote to memory of 2664 | 2812 | DllCommonsvc.exe | 99 | 3
PID 2812 wrote to memory of 2600 | 2812 | DllCommonsvc.exe | 100 | 3
PID 2812 wrote to memory of 2768 | 2812 | DllCommonsvc.exe | 101 | 3
PID 2812 wrote to memory of 2604 | 2812 | DllCommonsvc.exe | 103 | 3
PID 2812 wrote to memory of 2624 | 2812 | DllCommonsvc.exe | 104 | 3
PID 2812 wrote to memory of 1580 | 2812 | DllCommonsvc.exe | 106 | 3
PID 2812 wrote to memory of 1700 | 2812 | DllCommonsvc.exe | 107 | 3
PID 2812 wrote to memory of 2148 | 2812 | DllCommonsvc.exe | 110 | 1
The 2812 rows are DllCommonsvc.exe starting its PowerShell children; the target pids match the Add-MpPreference processes in the process tree.
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
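Three of the signature groups above (Defender exclusions added through Add-MpPreference, files with system-binary names dropped under System32 and Program Files, and 51 schtasks registrations) are all visible in command lines, and so is the w32tm-based delay used by the restart chain. The following Python is an added example, not code from the sandbox or from DcRat: it parses command lines of the kinds recorded in the process tree below, classifies each one, flags scheduled tasks by schedule, run level and target, marks any target or exclusion path whose file name is a Windows system binary sitting outside its home directory, and reads the w32tm /stripchart parameters as a minimum wait. The EXPECTED_DIRS table is a small hand-written assumption rather than an authoritative inventory, and the final "NightlyBackup" line in SAMPLE_CMDLINES is constructed as a benign contrast; every other sample line is copied from this report.

```python
import re
from collections import defaultdict

# Well-known Windows process names and the folders they legitimately live in
# (lower-case). Assumption for this example: the table is illustrative, not a
# complete inventory of Windows binaries.
EXPECTED_DIRS = {
    "cmd.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "smss.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "wininit.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "taskhost.exe": {r"c:\windows\system32"},
    "dwm.exe": {r"c:\windows\system32"},
    "sppsvc.exe": {r"c:\windows\system32"},
}

EXCLUSION_RE = re.compile(
    r"add-mppreference\s+-exclusion(path|process|extension)\s+['\"]?([^'\"]+)", re.I)


def split_path(path: str):
    """Return (directory, file name), both lower-case, with stray quotes removed."""
    path = path.strip().strip('"').strip("'")
    directory, _, name = path.rpartition("\\")
    return directory.lower(), name.lower()


def is_masquerading(path: str) -> bool:
    """True when the file name is a known system binary outside its home folder."""
    directory, name = split_path(path)
    allowed = EXPECTED_DIRS.get(name)
    return allowed is not None and directory not in allowed


def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping double-quoted spans whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def task_target(tr: str) -> str:
    """Pull the executable out of a schtasks /tr value ("'path'" or "path args")."""
    tr = tr.strip()
    if tr.startswith("'") and tr.count("'") >= 2:
        return tr[1:tr.index("'", 1)]
    m = re.match(r"(.+?\.exe)\b", tr, re.I)
    return m.group(1) if m else tr.split(" ", 1)[0]


def parse_switches(tokens: list) -> dict:
    """Map /switch -> value, or True for bare flags such as /f."""
    opts, i = {}, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[tok[1:].lower()] = tokens[i + 1]
                i += 2
                continue
            opts[tok[1:].lower()] = True
        i += 1
    return opts


def triage(cmdline: str) -> dict:
    """Classify one command line and extract what a responder needs from it."""
    low = cmdline.lower()
    m = EXCLUSION_RE.search(cmdline)
    if m:
        path = m.group(2).strip()
        return {"kind": "defender_exclusion", "scope": m.group(1).lower(),
                "path": path, "masquerading": is_masquerading(path)}
    tokens = tokenize(cmdline)
    exe = split_path(tokens[0])[1] if tokens else ""
    if exe in {"schtasks", "schtasks.exe"} and "/create" in low:
        opts = parse_switches(tokens)
        target = task_target(str(opts.get("tr", "")))
        schedule = str(opts.get("sc", "")).upper()
        findings = []
        if schedule == "ONLOGON":
            findings.append("runs at every logon")
        if schedule == "MINUTE":
            findings.append(f"re-launches every {opts.get('mo', '1')} min")
        if str(opts.get("rl", "")).upper() == "HIGHEST":
            findings.append("requests highest run level")
        if is_masquerading(target):
            findings.append("target masquerades as a system binary")
        return {"kind": "scheduled_task", "name": opts.get("tn"), "schedule": schedule,
                "modifier": opts.get("mo"), "target": target, "findings": findings}
    if exe in {"w32tm", "w32tm.exe"} and "/stripchart" in low:
        period = re.search(r"/period:(\d+)", low)
        samples = re.search(r"/samples:(\d+)", low)
        # stripchart takes one sample every /period seconds, so the command
        # cannot return before period * (samples - 1) seconds have elapsed.
        delay = int(period.group(1)) * (int(samples.group(1)) - 1) if period and samples else None
        return {"kind": "timing_delay", "localhost": "localhost" in low, "min_delay_s": delay}
    return {"kind": "other"}


def persistence_map(results: list) -> dict:
    """Group scheduled tasks by the binary they launch."""
    by_target = defaultdict(list)
    for r in results:
        if r["kind"] == "scheduled_task":
            label = r["schedule"] + (f"/{r['modifier']}" if r["modifier"] else "")
            by_target[r["target"]].append(label)
    return dict(by_target)


# Command lines copied from the process tree in this report, plus one
# constructed benign task (the last entry) for contrast.
SAMPLE_CMDLINES = [
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\providercommon\\csrss.exe'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\Windows\\System32\\lv-LV\\smss.exe'",
    "schtasks.exe /create /tn \"cmdc\" /sc MINUTE /mo 10 /tr \"'C:\\Program Files (x86)\\Windows Sidebar\\cmd.exe'\" /f",
    "schtasks.exe /create /tn \"cmd\" /sc ONLOGON /tr \"'C:\\Program Files (x86)\\Windows Sidebar\\cmd.exe'\" /rl HIGHEST /f",
    "schtasks.exe /create /tn \"cmdc\" /sc MINUTE /mo 6 /tr \"'C:\\Program Files (x86)\\Windows Sidebar\\cmd.exe'\" /rl HIGHEST /f",
    "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2",
    "schtasks.exe /create /tn \"NightlyBackup\" /sc DAILY /st 02:00 /tr \"C:\\Windows\\System32\\cmd.exe /c C:\\scripts\\backup.bat\" /f",
]


def triage_all(cmdlines: list) -> list:
    return [triage(c) for c in cmdlines]


if __name__ == "__main__":
    results = triage_all(SAMPLE_CMDLINES)
    for r in results:
        print(r)
    print(persistence_map(results))
```

The masquerading check is what separates this sample's persistence from a legitimate task: the task names and file names (cmd, wininit, csrss, smss, taskhost) are all real Windows binaries, but none of the targets sits in System32. The persistence map also shows the DcRat triad per target (a MINUTE task, an ONLOGON task at highest run level, and a second MINUTE task at highest run level), which is a useful hunting shape on its own.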
Processes
Process tree for behavioral1; the number in brackets is the depth in the tree. The image paths under SysWOW64 for processes whose command line names System32 show that the sample is 32-bit and its System32 references are being redirected by WOW64.
[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_92038f82cda94090e81ba09567c3d9020ed50c7f0638db98b4af832466764eb5.exe (PID 2184)
    command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_92038f82cda94090e81ba09567c3d9020ed50c7f0638db98b4af832466764eb5.exe"
    signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\WScript.exe (PID 2944)
    command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
[3] C:\Windows\SysWOW64\cmd.exe (PID 2360)
    command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
    signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
[4] C:\providercommon\DllCommonsvc.exe (PID 2812)
    command line: "C:\providercommon\DllCommonsvc.exe"
    signatures: Executes dropped EXE; Drops file in System32 directory; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
Children of DllCommonsvc.exe (PID 2812) at depth 5. Each of the 18 PowerShell instances below carries the same three signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken. Each adds one Windows Defender path exclusion covering a location the RAT uses for a copy of itself.
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2788)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2792)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\cmd.exe'
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2804)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe'
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2824)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\wininit.exe'
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2184)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2736)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2724)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\wininit.exe'
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2932)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Links\System.exe'
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2928)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2944)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe'
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2664)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2600)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2768)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2604)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\taskhost.exe'
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2624)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\lv-LV\smss.exe'
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1580)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\DllCommonsvc.exe'
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1700)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2148)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\dwm.exe'
Also under DllCommonsvc.exe (PID 2812): a restart chain. A cmd.exe /C runs a .bat from %TEMP% that spawns w32tm /stripchart against localhost (two samples five seconds apart, so roughly a five-second wait) and then a fresh copy of C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe, which writes the next .bat and repeats. Eleven batch files and ten relaunched copies were seen before the 146 s run ended. Every C:\Recovery\...\cmd.exe copy below carries the signatures Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken.
[5] C:\Windows\System32\cmd.exe (PID 2372)
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nu0dZGzkqU.bat"
[6] C:\Windows\system32\w32tm.exe (PID 3044)
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[6] C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe (PID 2260)
    command line: "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe"
[7] C:\Windows\System32\cmd.exe (PID 2148)
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\83zFD3riGi.bat"
[8] C:\Windows\system32\w32tm.exe (PID 2212)
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[8] C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe (PID 876)
    command line: "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe"
[9] C:\Windows\System32\cmd.exe (PID 2604)
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kRqsvBC5Qb.bat"
[10] C:\Windows\system32\w32tm.exe (PID 1724)
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[10] C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe (PID 920)
    command line: "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe"
[11] C:\Windows\System32\cmd.exe (PID 2484)
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5VZ5DKdOS.bat"
[12] C:\Windows\system32\w32tm.exe (PID 2500)
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[12] C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe (PID 2812)
    command line: "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe"
[13] C:\Windows\System32\cmd.exe (PID 1060)
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WqeaogqjWu.bat"
[14] C:\Windows\system32\w32tm.exe (PID 1444)
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[14] C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe (PID 2840)
    command line: "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe"
[15] C:\Windows\System32\cmd.exe (PID 2064)
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GQn77QEoUi.bat"
[16] C:\Windows\system32\w32tm.exe (PID 1952)
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[16] C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe (PID 2288)
    command line: "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe"
[17] C:\Windows\System32\cmd.exe (PID 2504)
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat"
[18] C:\Windows\system32\w32tm.exe (PID 2700)
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[18] C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe (PID 1496)
    command line: "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe"
[19] C:\Windows\System32\cmd.exe (PID 2980)
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat"
[20] C:\Windows\system32\w32tm.exe (PID 280)
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[20] C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe (PID 872)
    command line: "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe"
[21] C:\Windows\System32\cmd.exe (PID 2576)
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwHeC7tSxv.bat"
[22] C:\Windows\system32\w32tm.exe (PID 1004)
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[22] C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe (PID 604)
    command line: "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe"
[23] C:\Windows\System32\cmd.exe (PID 2096)
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uq0hdwOOBc.bat"
[24] C:\Windows\system32\w32tm.exe (PID 3048)
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[24] C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe (PID 2680)
    command line: "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe"
[25] C:\Windows\System32\cmd.exe (PID 540)
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sJ59Arupck.bat"
[26] C:\Windows\system32\w32tm.exe (PID 2648)
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth-1 entries: schtasks.exe instances whose parent is WmiPrvSE.exe (pid 2696, see "Process spawned unexpected child process" above), so the sandbox shows them as roots rather than under DllCommonsvc.exe. Every one of them carries the signatures Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task. They come in triads per target: a MINUTE task, an ONLOGON task with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST. Because every call uses /f, each task name ends up pointing at whichever target was registered last, so under the names "cmd"/"cmdc" only one of the two cmd.exe copies stays scheduled, and under "wininit"/"wininitw" only one of the two wininit.exe copies.
[1] C:\Windows\system32\schtasks.exe (PID 580)
    command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\cmd.exe'" /f
[1] C:\Windows\system32\schtasks.exe (PID 1496)
    command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\cmd.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe (PID 2020)
    command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\cmd.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe (PID 2764)
    command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe'" /f
[1] C:\Windows\system32\schtasks.exe (PID 1908)
    command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe (PID 1956)
    command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe (PID 2364)
    command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\wininit.exe'" /f
[1] C:\Windows\system32\schtasks.exe (PID 1236)
    command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\wininit.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe (PID 2856)
    command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\wininit.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe (PID 620)
    command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /f
[1] C:\Windows\system32\schtasks.exe (PID 1592)
    command line: schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe (PID 2116)
    command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe (PID 1424)
    command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /f
[1] C:\Windows\system32\schtasks.exe (PID 2872)
    command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe (PID 1640)
    command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe (PID 1376)
    command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\en-US\wininit.exe'" /f
[1] C:\Windows\system32\schtasks.exe (PID 600)
    command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\wininit.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe (PID 2332)
    command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\en-US\wininit.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe (PID 1768)
    command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Links\System.exe'" /f
[1] C:\Windows\system32\schtasks.exe (PID 2252)
    command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Links\System.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe (PID 320)
    command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Links\System.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe (PID not shown; the report is truncated here)
    command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\providercommon\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\System32\lv-LV\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\lv-LV\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\System32\lv-LV\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Cookies\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Cookies\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 f345a0aceb7658592e2ec4651ffb2e59
SHA1 9dfecd77879e8a36915ba3044aa127b865a683f6
SHA256 c8822b27042a22278de9dc8ab52e1a6521c7531bd62654f3136039f3196d0d45
SHA512 e42a7dde5d2a3afba2e998958eaa32777383c5f07502aa0411ad56da2a627ea6ac32c4da64e73ea57e95099a4721146b702ec73972ade0210e7074d012304609
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 a1e76115dcc7ee4517b96dc9fa6dd28f
SHA1 211a56a5d5aa54cc76fc470af3195a989033c948
SHA256 274f630049bc32c8ae25052b42218a11fa340e747de4b28af83faea16eee997e
SHA512 a03ed2d96d288b3ef08cadc14b3ebf64184daca4f1ff208c77840e8528a9244851e2cd8a954923c3a09ef5bc5555f343ef3152bc58da3bb33325414c10302f92
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 a1fe0c5cc61ca4763c96c3289acc4656
SHA1 aae799cf44e295c62e77f99cd162d2a4ea74bff6
SHA256 0ae359766aa56195475e9e2344029633f65cf8f0e2bfff0943c6808f6d4a7cd1
SHA512 29a94a3e1294caadc6940af26da300184699f9470e6302d4225f2a3213f6a3f3acfb14d04b24a7b2dafb95966a3cbebb4ff4d3bdcb4b32c67ebb6cfa7778d56c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 e54103b60bf72cf0ef4a646c279a0379
SHA1 60ed5417c521f600137807a10956de49fce359e6
SHA256 f5d45c10115ffedc430a920f9d068db343a0bcd580bddbae83421c50241c031d
SHA512 567fb6310da2db8f6bf495b427c255b83cb62084499271e7edca95fb18927bb20bbcdd031e55c785fdf00cf755deba5cd7d93edce854f06360c04feb6a78e18e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 3340054f8fd5c3b0b12b6ab0e7de002c
SHA1 f1ff0bb6bd134a48d90a8f7c60a6841a7d4cd68e
SHA256 857aff3a96bc181563146306774333584085f151308198ab67cf34049222bdab
SHA512 1afc9fbdf678414c6f9b534dd6f3bcbd10da4b958f8a5157aedd41c846ed61c22e6b168bfb0ace4468e4f6d0404041cc9f29bfb04a9f77f31fe337ea586ddeed
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 c82ea2c117a52738557072959fb3560b
SHA1 34e4d7c861f588b6f8f922208264e5d55dde32ed
SHA256 c3119407da4fd81a6f6e3cee095f382f35d9bfc956752287a4a8480d66a317dc
SHA512 82d5f896acf7f1c9fba906c5f7233d7850ddc5f1138a4efb26419d7cd668017a186867469d0a03fe85051250cd5c82d071915dceec47b79db0339eff9f8b3add
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 30ad3926f1776eabdfcbc7fe154b947a
SHA1 08cceb91471f1bd1d1cb7584b2cf5135de1a45f7
SHA256 16bd4989507b57638656701284f0689be6c276c20fe09c86dad4d91e9bf9f3a1
SHA512 e1c0d828f1a0f13eb65ce3098bfba30f079fedd5e6bb5f8971989d2bfb6653f11b9a78f32fd54225c9e15a544af9fd8e8d37be0f133dc4483634c2299d9df5cf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 c0e32dead5ef6bae8136d14386f26a39
SHA1 8cab6b3130d3adcc61688562ad680278b993544f
SHA256 47ff532f34d1c8812eb0b57bc13274871f199a222f625cc37bdafae10a24863c
SHA512 adea65d8a559f9fd01a15fc3358b6aed29f5b369f18693c13ae7436f4e9c7695f5cac6c112535693f448af66fee80864ac50c1a23b64b258194322c832742993
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 27cf3bf299083306e747a9a54a328273
SHA1 5cec8e2c2f67a939274ec9b9aaa20035d728f40f
SHA256 20f47e5d5e2497b8c26d5c8369d09e59051851851e048636f5876d569bb7b639
SHA512 e6e0425ff495854cc111f6b5c8011fbad2a3e32a01343a3bbe3ea0632005659c77a170ad2685f061cc965d59b230b5fc74c5e7c328a91b2528451f420b915b67
-
Filesize 221B
MD5 9e4a6e85b1f46430dbd0b8f0757a445a
SHA1 d8907603fe2355b68493570fb05e1fee6534cb13
SHA256 af3c1c938a5bb99d05d36e932c2ffdbbe097f9bc6ccc8ab77ee3747e3ef93e68
SHA512 6d46d16e3a9bd2548e1e9b3817b41ebe50a5ad1871e35cb5d4f561b30fb7a5c4085eb3e0fe2a363164619141fadd46f86c2f68bdda4bcf9c7b03ebe3f1b85904
-
Filesize 221B
MD5 e105dc9f03e4f1749b7f4fdc51c8b5c9
SHA1 108680c13d0ec1cfd4858d6e6848d2c39efbf91c
SHA256 1544cb3b5547a194b5d0e4bb55dfc026bd47f6c5aab629ee58f38774ff2e7de8
SHA512 7671170c90283b2d7648da9a3126908f2ee776346b7fb2735db33731cb37f97999d75e61f30b60454cc950f484ff22aab4f33062dbe0216640111da9db7b4c1e
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 221B
MD5 ca5b7d085c1e9955a8f301b4c64fa633
SHA1 61d9741ce64bb6f2eb8ca456c8b8a0e3a77da96a
SHA256 d63d8c1f449e79c68b9c714cae9677b0cb487d952bb3ea0dfa518d734316c5fa
SHA512 764f505c5759b52fc1db3a1993fbeb08092cdf1513ac36772feeb73e330dc68d4a0ff9cc7dac5f06732d15a207ce14b860774aa2998b94af62585511ba105e80
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 221B
MD5 0ecda2793b451eca74e208c81e541006
SHA1 0f2d65561d9a4b48a867400f7b9ad07491e7e4d7
SHA256 fad11691fa6ceb5d08745493c3521fe0fd8b2626fa8ba4d4934946ba9cf55e26
SHA512 cf9b3ac8af6b458467ce1d66023b807e33fe76e38b185b6942ba718714d980d3c4c8348910794006e7b768e178bf92955d7891bd0730d8318d6d361f363a8bbb
-
Filesize 221B
MD5 3bc4c384228ac869a81b43f596bfeb39
SHA1 44fbc860bcb4954da838f45fcd8014c014dfa597
SHA256 914581055857d2b580c114674d98fd4f852c6078ca1075e272115ac84dcb78ad
SHA512 6a1864d3b4e6896f134679ade5f8ed9a6442ed02523415eea075a3bc67a7736e31bd92316494683b0d3d93eeec56cfdd9e775eaea7bcff3f4768874c97e863a5
-
Filesize 221B
MD5 4a27bd71b61c99e05a18777d3a0313f0
SHA1 0b11b39d3d51d1663d2dd861a1d265878dec47f1
SHA256 a52ec51c4027aa6195a6801754625f49733d60c136c866d798cb7c5236295097
SHA512 2c79420f5bf28c969d9dc0ad558517f21728b4e6dd2e37f8362dc3f6d34edc1828480c36b8e56ac40b9b76eed9f52a03a64b7ff64a8bcca2e7910e69630442f1
-
Filesize 221B
MD5 99ec9346d96bc7dd9511863adc3c3bfd
SHA1 a985cdede74ec7554e354e7724d35442fce202b2
SHA256 37760d4a2c9278f304466044c32277ea4f0d799e92195ff69ebd2188215be952
SHA512 46f210b421b3d2b5e16f22cd595abf44f517b4dbb27baf0acce3603e9a0be9d3b099a9813ac0d3b5bf64f873d8139cf133ea4178894dc0c76554160e9a2c841a
-
Filesize 221B
MD5 da5ba0334db0526fe9f3647bdea1930f
SHA1 833a29eefd0cb4b70f4102b5fecba1df0c76741e
SHA256 087efcb35fb47795d3e283f26ba25026ffc03ea5ca10f66c7fc55e0d7bf81ec3
SHA512 ca3ff07340ea5ac007bcfcd8d82940da5cefc6d1e2a2bdf21a8afee895a059aaaff8f3d44eb3d35b190da6ff229e7c33fe21fd1de16c1003a20b5e3df3783e41
-
Filesize 221B
MD5 4e6c3daa5d606a3570c6a012c1da19b1
SHA1 447156407ca562de318738e762cb9773d8dd5ba0
SHA256 f066eec120ecafe083a45042ae8ccebffa7fd830748d4ce71bd16454ec6a4b01
SHA512 da9ce939bd1c4260d5ce522bcba97c9c9e82f22d69c41c73f78d2412bae8b51a0db094f6a8aa34bccfca9d8c635171f0fbaf8e31129acc9a8e96219d9842ab98
-
Filesize 221B
MD5 3fead4ff7ba695d5b863ce5fd08f63f1
SHA1 02afcba3264fdb9e3c34c7b56a007edb9c0db19f
SHA256 4e8d1cad83636e4d37ca90e4e26a8631dadd91de63ece97b9b12ca22e017b7a3
SHA512 e00729f7118c9d4e873cd86a8bf32e5fb115c9a78a3d1b7fdbb65b91b5d3aac1161b06b1b5e62f0d2e57b0e51d11222729018f711efa4efdc1cebfbe2be65747
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 bcb90f8e2f5d29f7a60abdda420673aa
SHA1 765f2667dfa11a56b86cc179caeaac19cb77eb4f
SHA256 e50037155cfe91506fc8966fd740e6141a951d13daa2b03859b1c756744c702f
SHA512 77904c2b99ad1256defa378836c997c4cf00c2745297315ac1a8d93a4e9ebed618afdaef7be9bd4a26113572e99c9d39fc586a7eb2f948cc76c2518b84eade3c
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394