Analysis
max time kernel: 147s
max time network: 149s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2024 00:54
Behavioral task: behavioral1
Sample: JaffaCakes118_a489e434dc8a1798a11c2f3802faed22d0f0c15e14c520e9dff23337600c5c6c.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: JaffaCakes118_a489e434dc8a1798a11c2f3802faed22d0f0c15e14c520e9dff23337600c5c6c.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_a489e434dc8a1798a11c2f3802faed22d0f0c15e14c520e9dff23337600c5c6c.exe
Size: 1.3MB
MD5: 051c01aa289ed91f7871067c6cd6b6f2
SHA1: 64ad1a3288999320173e619a8892ae1e00ee8a03
SHA256: a489e434dc8a1798a11c2f3802faed22d0f0c15e14c520e9dff23337600c5c6c
SHA512: 350424ccf62d593bbfbe731523437faa5590088ba08f09f9a0a2e69dddbea77017cd7f58c98bd491e11a9d356429b1238ecd88e9991a54f8b3dd1eb69e6afe21
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Executes dropped EXE 11 IoCs
pid / Process:
- 2912 DllCommonsvc.exe
- 2620 audiodg.exe
- 2548 audiodg.exe
- 1032 audiodg.exe
- 2432 audiodg.exe
- 2544 audiodg.exe
- 1348 audiodg.exe
- 2336 audiodg.exe
- 2380 audiodg.exe
- 2324 audiodg.exe
- 2984 audiodg.exe
Loads dropped DLL 2 IoCs
pid / Process:
- 2704 cmd.exe
- 2704 cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow / ioc:
- 9 raw.githubusercontent.com
- 20 raw.githubusercontent.com
- 23 raw.githubusercontent.com
- 36 raw.githubusercontent.com
- 5 raw.githubusercontent.com
- 12 raw.githubusercontent.com
- 16 raw.githubusercontent.com
- 26 raw.githubusercontent.com
- 29 raw.githubusercontent.com
- 33 raw.githubusercontent.com
- 4 raw.githubusercontent.com
Drops file in Program Files directory 6 IoCs
description / ioc / Process:
- File created C:\Program Files\7-Zip\explorer.exe (DllCommonsvc.exe)
- File created C:\Program Files\7-Zip\7a0fd90576e088 (DllCommonsvc.exe)
- File created C:\Program Files\Mozilla Firefox\fonts\wininit.exe (DllCommonsvc.exe)
- File created C:\Program Files\Mozilla Firefox\fonts\56085415360792 (DllCommonsvc.exe)
- File created C:\Program Files (x86)\Microsoft Analysis Services\dllhost.exe (DllCommonsvc.exe)
- File created C:\Program Files (x86)\Microsoft Analysis Services\5940a34987c991 (DllCommonsvc.exe)
Drops file in Windows directory 10 IoCs
description / ioc / Process:
- File created C:\Windows\tracing\cc11b995f2a76d (DllCommonsvc.exe)
- File created C:\Windows\Registration\CRMLog\WmiPrvSE.exe (DllCommonsvc.exe)
- File created C:\Windows\diagnostics\index\DllCommonsvc.exe (DllCommonsvc.exe)
- File created C:\Windows\twain_32\OSPPSVC.exe (DllCommonsvc.exe)
- File created C:\Windows\twain_32\1610b97d3ab4a7 (DllCommonsvc.exe)
- File created C:\Windows\tracing\winlogon.exe (DllCommonsvc.exe)
- File created C:\Windows\Registration\CRMLog\24dbde2999530e (DllCommonsvc.exe)
- File created C:\Windows\Downloaded Program Files\explorer.exe (DllCommonsvc.exe)
- File created C:\Windows\Downloaded Program Files\7a0fd90576e088 (DllCommonsvc.exe)
- File created C:\Windows\CSC\v2.0.6\cmd.exe (DllCommonsvc.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (JaffaCakes118_a489e434dc8a1798a11c2f3802faed22d0f0c15e14c520e9dff23337600c5c6c.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (WScript.exe)
Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 29 IoCs
Suspicious use of AdjustPrivilegeToken 27 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
(depth 1) C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a489e434dc8a1798a11c2f3802faed22d0f0c15e14c520e9dff23337600c5c6c.exe, command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a489e434dc8a1798a11c2f3802faed22d0f0c15e14c520e9dff23337600c5c6c.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2884 -
(depth 2) C:\Windows\SysWOW64\WScript.exe, command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2684 -
(depth 3) C:\Windows\SysWOW64\cmd.exe, command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2704 -
(depth 4) C:\providercommon\DllCommonsvc.exe, command line: "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912 -
(depth 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
PID:856
-
-
(depth 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568
-
-
(depth 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\explorer.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1596
-
-
(depth 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\winlogon.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592
-
-
(depth 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\OSPPSVC.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2936
-
-
(depth 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\WmiPrvSE.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2872
-
-
(depth 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\fonts\wininit.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2944
-
-
(depth 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2924
-
-
(depth 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\explorer.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2812
-
-
(depth 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2888
-
-
(depth 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2932
-
-
(depth 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3036
-
-
(depth 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2244
-
-
(depth 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3056
-
-
(depth 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2684
-
-
(depth 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\OSPPSVC.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2852
-
-
(depth 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\dllhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2792
-
-
(depth 5) C:\Windows\System32\cmd.exe, command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ung0xN9T39.bat"
PID:2984
(depth 6) C:\Windows\system32\w32tm.exe, command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:284
-
-
(depth 6) C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe, command line: "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2620 -
(depth 7) C:\Windows\System32\cmd.exe, command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat"
PID:1284
(depth 8) C:\Windows\system32\w32tm.exe, command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1248
-
-
(depth 8) C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe, command line: "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2548 -
(depth 9) C:\Windows\System32\cmd.exe, command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUc4JDtx8N.bat"
PID:2752
(depth 10) C:\Windows\system32\w32tm.exe, command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:3020
-
-
(depth 10) C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe, command line: "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1032 -
(depth 11) C:\Windows\System32\cmd.exe, command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y23Kn3rQqK.bat"
PID:2020
(depth 12) C:\Windows\system32\w32tm.exe, command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2576
-
-
(depth 12) C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe, command line: "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2432 -
(depth 13) C:\Windows\System32\cmd.exe, command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4yEObGBIDe.bat"
PID:916
(depth 14) C:\Windows\system32\w32tm.exe, command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2012
-
-
(depth 14) C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe, command line: "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2544 -
(depth 15) C:\Windows\System32\cmd.exe, command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WLCDTNV5Zk.bat"
PID:3068
(depth 16) C:\Windows\system32\w32tm.exe, command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2532
-
-
(depth 16) C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe, command line: "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1348 -
(depth 17) C:\Windows\System32\cmd.exe, command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\57xCWyooww.bat"
PID:2248
(depth 18) C:\Windows\system32\w32tm.exe, command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:900
-
-
(depth 18) C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe, command line: "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2336 -
(depth 19) C:\Windows\System32\cmd.exe, command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FBiR4PpyYA.bat"
PID:2632
(depth 20) C:\Windows\system32\w32tm.exe, command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1688
-
-
(depth 20) C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe, command line: "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2380 -
(depth 21) C:\Windows\System32\cmd.exe, command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mTJ33xL03H.bat"
PID:1568
(depth 22) C:\Windows\system32\w32tm.exe, command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:996
-
-
(depth 22) C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe, command line: "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2324 -
(depth 23) C:\Windows\System32\cmd.exe, command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0uTXzTWsAa.bat"
PID:3052
(depth 24) C:\Windows\system32\w32tm.exe, command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2304
-
-
(depth 24) C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe, command line: "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2984 -
(depth 25) C:\Windows\System32\cmd.exe, command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fELEOgu8eF.bat"
PID:1640
(depth 26) C:\Windows\system32\w32tm.exe, command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2416
(depth 1) C:\Windows\system32\schtasks.exe, command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572
-
(depth 1) C:\Windows\system32\schtasks.exe, command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264
-
(depth 1) C:\Windows\system32\schtasks.exe, command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476
-
(depth 1) C:\Windows\system32\schtasks.exe, command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796
-
(depth 1) C:\Windows\system32\schtasks.exe, command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\7-Zip\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052
-
(depth 1) C:\Windows\system32\schtasks.exe, command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612
-
(depth 1) C:\Windows\system32\schtasks.exe, command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568
-
(depth 1) C:\Windows\system32\schtasks.exe, command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\tracing\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112
-
(depth 1) C:\Windows\system32\schtasks.exe, command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532
-
(depth 1) C:\Windows\system32\schtasks.exe, command line: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Users\Default\OSPPSVC.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764
-
(depth 1) C:\Windows\system32\schtasks.exe, command line: schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024
-
(depth 1) C:\Windows\system32\schtasks.exe, command line: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\Default\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992
-
(depth 1) C:\Windows\system32\schtasks.exe, command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\Registration\CRMLog\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552
-
(depth 1) C:\Windows\system32\schtasks.exe, command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\Registration\CRMLog\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\fonts\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\fonts\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\providercommon\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\Downloaded Program Files\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\Downloaded Program Files\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\DllCommonsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:432
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Desktop\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Desktop\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\providercommon\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\providercommon\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Windows\twain_32\OSPPSVC.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\twain_32\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Windows\twain_32\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040
Network
MITRE ATT&CK Enterprise v15
Downloads