Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 22-12-2024 01:40
Behavioral task: behavioral1
- Sample: JaffaCakes118_3fb015ec42272b4a1a8655f808bcaaf351cf331dbf8ab5d9dd14e5e83468e7cc.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_3fb015ec42272b4a1a8655f808bcaaf351cf331dbf8ab5d9dd14e5e83468e7cc.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_3fb015ec42272b4a1a8655f808bcaaf351cf331dbf8ab5d9dd14e5e83468e7cc.exe
- Size: 1.3MB
- MD5: b3f1e2d771d3a289db9e796f07ce13ed
- SHA1: cd9676fe6b6a69709b31fc302993afc7c047a731
- SHA256: 3fb015ec42272b4a1a8655f808bcaaf351cf331dbf8ab5d9dd14e5e83468e7cc
- SHA512: 07a495edd762db87ffa0c8ec2aba82405e4cbdd7d67a2d34b9fd0cf0fc1081b0db0543f17e9c4ed7028be6ca8e22a210fc5e3c5ea9d97ba7738d5a77621b765d
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
resource | yara_rule
behavioral1/files/0x0008000000015d59-10.dat | dcrat
behavioral1/memory/2244-13-0x0000000000BC0000-0x0000000000CD0000-memory.dmp | dcrat
behavioral1/memory/2684-88-0x00000000001B0000-0x00000000002C0000-memory.dmp | dcrat
behavioral1/memory/2228-197-0x0000000000320000-0x0000000000430000-memory.dmp | dcrat
behavioral1/memory/1888-257-0x0000000000C20000-0x0000000000D30000-memory.dmp | dcrat
behavioral1/memory/2524-317-0x0000000000250000-0x0000000000360000-memory.dmp | dcrat
behavioral1/memory/2136-377-0x0000000001190000-0x00000000012A0000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 9 IoCs
pid | Process
2244 | DllCommonsvc.exe
2684 | WmiPrvSE.exe
2228 | WmiPrvSE.exe
1888 | WmiPrvSE.exe
2524 | WmiPrvSE.exe
2136 | WmiPrvSE.exe
2116 | WmiPrvSE.exe
2268 | WmiPrvSE.exe
1740 | WmiPrvSE.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2360 | cmd.exe
2360 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
flow | ioc
22 | raw.githubusercontent.com
26 | raw.githubusercontent.com
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
19 | raw.githubusercontent.com
29 | raw.githubusercontent.com
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com
15 | raw.githubusercontent.com
-
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\56085415360792 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\DllCommonsvc.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\csrss.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Internet Explorer\fr-FR\1610b97d3ab4a7 | DllCommonsvc.exe
File created | C:\Program Files\7-Zip\Lang\lsass.exe | DllCommonsvc.exe
File created | C:\Program Files\DVD Maker\fr-FR\dllhost.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Internet Explorer\fr-FR\OSPPSVC.exe | DllCommonsvc.exe
File created | C:\Program Files\7-Zip\Lang\6203df4a6bafc7 | DllCommonsvc.exe
File created | C:\Program Files\DVD Maker\fr-FR\5940a34987c991 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\a76d7bf15d8370 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\wininit.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\lsass.exe | DllCommonsvc.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\6203df4a6bafc7 | DllCommonsvc.exe
-
Drops file in Windows directory 7 IoCs
description | ioc | Process
File created | C:\Windows\Vss\Writers\Application\56085415360792 | DllCommonsvc.exe
File created | C:\Windows\Fonts\sppsvc.exe | DllCommonsvc.exe
File created | C:\Windows\Fonts\0a1fd5f707cd16 | DllCommonsvc.exe
File created | C:\Windows\Tasks\lsass.exe | DllCommonsvc.exe
File created | C:\Windows\Tasks\6203df4a6bafc7 | DllCommonsvc.exe
File created | C:\Windows\Vss\Writers\Application\wininit.exe | DllCommonsvc.exe
File opened for modification | C:\Windows\Vss\Writers\Application\wininit.exe | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_3fb015ec42272b4a1a8655f808bcaaf351cf331dbf8ab5d9dd14e5e83468e7cc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3fb015ec42272b4a1a8655f808bcaaf351cf331dbf8ab5d9dd14e5e83468e7cc.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3fb015ec42272b4a1a8655f808bcaaf351cf331dbf8ab5d9dd14e5e83468e7cc.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2584
-
Depth 2: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1672
-
Depth 3: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360
-
Depth 4: C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
-
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1276
-
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\Application\wininit.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2992
-
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\WmiPrvSE.exe'
- Command and Scripting Interpreter: PowerShell
PID:1728
-
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\sppsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2292
-
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\sppsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584
-
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\wininit.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592
-
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1688
-
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\winlogon.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1588
-
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2092
-
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1924
-
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\fr-FR\OSPPSVC.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1708
-
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\lsass.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620
-
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1600
-
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\lsass.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:536
-
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\lsass.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712
-
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384
-
Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\fr-FR\dllhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2128
-
Depth 5: C:\Users\Public\WmiPrvSE.exe
Command line: "C:\Users\Public\WmiPrvSE.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2684
-
Depth 6: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat"
PID:1768
-
Depth 7: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:3056
-
Depth 7: C:\Users\Public\WmiPrvSE.exe
Command line: "C:\Users\Public\WmiPrvSE.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2228
-
Depth 8: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MzhLoGhvPq.bat"
PID:2036
-
Depth 9: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1792
-
Depth 9: C:\Users\Public\WmiPrvSE.exe
Command line: "C:\Users\Public\WmiPrvSE.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1888
-
Depth 10: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ay5NT8uJA6.bat"
PID:908
-
Depth 11: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2232
-
Depth 11: C:\Users\Public\WmiPrvSE.exe
Command line: "C:\Users\Public\WmiPrvSE.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2524
-
Depth 12: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3npectBbsF.bat"
PID:1580
-
Depth 13: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1968
-
Depth 13: C:\Users\Public\WmiPrvSE.exe
Command line: "C:\Users\Public\WmiPrvSE.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2136
-
Depth 14: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f70LHM7oRz.bat"
PID:1584
-
Depth 15: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2628
-
Depth 15: C:\Users\Public\WmiPrvSE.exe
Command line: "C:\Users\Public\WmiPrvSE.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2116
-
Depth 16: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat"
PID:2244
-
Depth 17: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2900
-
Depth 17: C:\Users\Public\WmiPrvSE.exe
Command line: "C:\Users\Public\WmiPrvSE.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2268
-
Depth 18: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QOz0umrEhM.bat"
PID:2132
-
Depth 19: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2532
-
Depth 19: C:\Users\Public\WmiPrvSE.exe
Command line: "C:\Users\Public\WmiPrvSE.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\Vss\Writers\Application\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\Vss\Writers\Application\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\Public\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Public\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Fonts\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\DllCommonsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200
-
Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\Tasks\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Tasks\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\Tasks\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\fr-FR\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\fr-FR\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\fr-FR\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 8fea94048937e5f1345d0910b673f409
SHA1 3080be1beb862e927db301e0dfadf02dcc2b3f20
SHA256 164f2d45fc01a9488968e07b89604d9dbcb18cc358b3988067624fddb14f4955
SHA512 7928f179b4ae7fce25a27a7a188a4ea4b1bf0c551cb20fb1f39e5ee5fdd4dc68b57756efcc8bdce1003bcfedc6cce57e2772cf61f8e700728e4b718c9c56f803
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 7d3f1053f7cb682050e8829f37e7ab96
SHA1 e355783e69dd6eb1d811246674a258cf0dc1fe6d
SHA256 54cc7db34c1c6dd8122e39d2f7ccd2c1965beb87366cc6c1492ba5f3a00dadd2
SHA512 55011ebfec7223bb903ab976f0999ac24a62d6173902c3bcd964a14247a4456e4f07b5f0cac20f14ed29a1fb695e9d73315fdfed71a051383bceda510b5383d7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 6c0890cd93f942141bcc906a4550a332
SHA1 2842a5033e6e077ce88ced02d0c20f1769f2f0a3
SHA256 5257e779ea12f8e1e3f1eb0ae2cc70d42209b5ef40c5492ddbe34f9b068f35e0
SHA512 ac4f10d482e0a51a035233b2fe21e371b013ab32a69b4710d005df5f33987310f00247fbae463087c28430ee55c2effa9bf4c61a91e30791442d1674a43eb428
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 d4b644c2f965e892119d7e1e8e797f83
SHA1 b7ded42ced95d6bc98d7481cb50715e0d50fc819
SHA256 9315a82b2612b585724bdb8fe190a1fef1f591e615e47b722229836d79f15b51
SHA512 7ef9dd0bb326e3a2a0a3289cabda1e57afcf995616e8c5ef8398f8cd011f9d9d8fbaa40cabbf7a4efdc736c9c5a69bb81c0baa2b630107daecb52b11bd4e03fc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 1908e1b42457e04b278eba34ed200453
SHA1 9fa8f62134c87d88dcbfd2b840ef82c55b0f91db
SHA256 da3e552a54ba5773b02f25d0d02cfb64781d7a40c0128cf07eaac2991b51bd09
SHA512 0bfebb6956a7367bb26a572a6e718043a12ee75483d4617b4dd01d85a83ebb8f18001ecd068882d162ea62a9a49318dbfe003d6015386586785de01298a3b93f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 3102089699e93e666b1a1260fee87928
SHA1 d1af01f4c6a5b0575cae661077ae4a9a7aa25091
SHA256 070485a9603607d06bcb23d3cf23506eeda93e8a51a5cc9d702efb41229d2375
SHA512 37d87f6c494f67134ad6d2fc2c95117ffcfa6825fff60253432887520e17214f60f6695577be51a0f3948fd566ba078891e77b344c8bba29dc8df9ebddd3a042
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 0385e64679c6679cc32f863ef8f86a7a
SHA1 5d12cb2c1a138b5107e51e901ea76445f0ed9fec
SHA256 d3e4249893a8dbf2cc4df39de91e6a56d485ae181d8ebf3c7c6ba5fc97202c78
SHA512 05f5ac31bfb1e2095c2174e977bee01b66577f917a22f8246bcfcdc514b6ecd0a20ea4045276048ded0989ef7c0b25dbfa4b3b95cc14a020c4d8d34071704032
-
Filesize 193B
MD5 53fa7be9017937306f13eab549a47779
SHA1 9dc56684562277ac8c20feebbc4efde7591efff6
SHA256 d4c4f884a71fa4b1c74189e0a17a161967c4e1b2bd10de380f3642764b376ef5
SHA512 48e70a3b7c352cba63d8bdedc664729d1dda8d9d43e06d102ce4c211e7dc121867cfbfff89e3e247ff1804452436de5f976927e0c537bc2fba1ff33ecc41517c
-
Filesize 193B
MD5 fbee62b3045dbfcc3ead55b74e39e51f
SHA1 7e6fe24e7fc881a62985ebea023f1530a50a7275
SHA256 51831061ca271c72900fdaff50bf67ba5b91eb93115b46c791785d9b5cd5c200
SHA512 03939b569a85ffe2d28ad264a30b0978bbf724fe27c7d6f1c7f37e15e92145ea55262d2e528f3e8076c7f3dd97c55b357fe499fb545748233ca2460b81a6873e
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 193B
MD5 f66a631ec3e33c61b397bc31c7362d06
SHA1 74a72a1913d2041735dc213675d5253e0325bb7d
SHA256 8f37ee8e8c6bbc57af69e50f79e73d24f7e7e9cca92a86c24b2fa350f1b09cb8
SHA512 2374e673920d7b15873e1a6b0c1327889c12a2e2b685d6fbf61dec75507a7eefb4f7e6c879c36aeb8eaf0e268a1b5dbe6100547f11f8487683a734d5d46c1aa4
-
Filesize 193B
MD5 b512114eaa4e4664f4d60621aeea5f0e
SHA1 deb5d08ac62a31c3e50c02774b477b789f9ce77b
SHA256 67fcccfa5bd5d308fee7174c542212c45ce9e5f029f7c56809d7ac1544fd5670
SHA512 458ecb4e17175b2a0cecff84597094214e5f84eefe7ff8ab580f83e37e86b4fd41f50fa651f0f9cd75e0f61ab461baa2b3b4d1825f628fd18efcc3891172ed76
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 193B
MD5 1e9fabd2ef53e9ad54fc6ca603642ffb
SHA1 2d46aa8a640f7ee2e9a499c267ebacf97e865eb2
SHA256 09772d75eaf17fd2565aa1c63b95b5d58bcc02f8f52d00a9e4ab21c284b14d37
SHA512 39822fb7dde32958825634a326b797f7027223b249930bcd2e9649bf7fb4e10276dc1f6b8a0d678b924c79e021655595c8d5d7001bf178e02ca310d54ef46b3b
-
Filesize 193B
MD5 b70b3c1f5dfd2afe48533f96a979378c
SHA1 c81efe6b834c7498a5fe252a7a53169f4fa618c0
SHA256 bb18e160c53eabee4e65d11baf50cd177548cd2a438500264c5365abb14750c0
SHA512 a015e40b9ff288047c9f081a5efabc07ee39535da4821df30b868b5ab98807aad4d630124642d8e7e01d3f751d09fcae7a942ae66ef386539a0669ec2d4c087a
-
Filesize 193B
MD5 f8ecd3c429cbc3f9a08a9199f10ad09f
SHA1 81deb0293fb1ddfe3b3e77ff65c2a059c90daca4
SHA256 84a43e2895592778e0526c108827e6216a92f22eca37e6a01d34397b0734ac85
SHA512 1368230dd7e6928d11bebaacfcd6bc873ba5431971c1662c04a7ce6cea260c84068f7e266c48bf59b800b77a9200422fd328042e971006625b566e26ff5c0e17
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 5b4ca64cebde55358c9a980af37de488
SHA1 a9288612d1a00e9314bdf827eb8e8aaa8c886654
SHA256 6bca805af721fc2e054ec22a107a78dca19f1598161ed8faade618e8ebf6e95f
SHA512 58d47deebf0f694727c4108b447c007b4a265b0ea344c0597f528f8f43866c4631147b89e86e890e9259b40563fa8bdc357181652c906973f2dd5fb77d64ad8e
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478