Analysis
  max time kernel: 148s
  max time network: 143s
  platform: windows7_x64
  resource: win7-20241023-en
  resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  submitted: 22-12-2024 01:31
Behavioral task: behavioral1
  Sample: JaffaCakes118_8fca83ffdd848257f7ac63b792b29fabadd655e38301af88e3dca6a3ac5b58aa.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_8fca83ffdd848257f7ac63b792b29fabadd655e38301af88e3dca6a3ac5b58aa.exe
  Resource: win10v2004-20241007-en
General
  Target: JaffaCakes118_8fca83ffdd848257f7ac63b792b29fabadd655e38301af88e3dca6a3ac5b58aa.exe
  Size: 1.3MB
  MD5: b2b879fa7242ede0a01b6865ca28e841
  SHA1: 4fbd613e93e66cf7dcee2b7ae1c5c242ef24cdb0
  SHA256: 8fca83ffdd848257f7ac63b792b29fabadd655e38301af88e3dca6a3ac5b58aa
  SHA512: a599ad89d5718ca7f13491041052dd88bc158e752007de71067ff570dba7d94156c57c374a08994145b800e26d8a64d2c1db2ccbefff16e391e708e326b53b30
  SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
  DcRat
    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
  Dcrat family
  Process spawned unexpected child process (51 IoCs)
    This typically indicates the parent process was compromised via an exploit or macro.
    YARA rule matches (dcrat):
    resource                                                                      yara_rule
    behavioral1/files/0x0008000000016b47-9.dat                                    dcrat
    behavioral1/memory/2056-13-0x00000000000F0000-0x0000000000200000-memory.dmp   dcrat
    behavioral1/memory/2212-69-0x0000000000FF0000-0x0000000001100000-memory.dmp   dcrat
    behavioral1/memory/2476-250-0x0000000001160000-0x0000000001270000-memory.dmp  dcrat
    behavioral1/memory/1076-310-0x00000000012A0000-0x00000000013B0000-memory.dmp  dcrat
    behavioral1/memory/2992-548-0x00000000013A0000-0x00000000014B0000-memory.dmp  dcrat
    behavioral1/memory/2400-608-0x0000000000100000-0x0000000000210000-memory.dmp  dcrat
    behavioral1/memory/2568-668-0x0000000000E60000-0x0000000000F70000-memory.dmp  dcrat
    behavioral1/memory/2464-728-0x0000000001380000-0x0000000001490000-memory.dmp  dcrat
    behavioral1/memory/1752-789-0x0000000000090000-0x00000000001A0000-memory.dmp  dcrat
    behavioral1/memory/2124-849-0x0000000000C80000-0x0000000000D90000-memory.dmp  dcrat
  Command and Scripting Interpreter: PowerShell (1 TTPs, 18 IoCs)
    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  Executes dropped EXE (14 IoCs)
  Loads dropped DLL (2 IoCs)
    pid   Process
    2620  cmd.exe
    2620  cmd.exe
  Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 13 IoCs)
    flow  ioc
    33    raw.githubusercontent.com
    40    raw.githubusercontent.com
    43    raw.githubusercontent.com
    4     raw.githubusercontent.com
    5     raw.githubusercontent.com
    16    raw.githubusercontent.com
    23    raw.githubusercontent.com
    26    raw.githubusercontent.com
    30    raw.githubusercontent.com
    36    raw.githubusercontent.com
    9     raw.githubusercontent.com
    12    raw.githubusercontent.com
    19    raw.githubusercontent.com
  Drops file in Program Files directory (10 IoCs)
    description   ioc                                                            Process
    File created  C:\Program Files\Windows Portable Devices\7a0fd90576e088       DllCommonsvc.exe
    File created  C:\Program Files (x86)\MSBuild\Idle.exe                        DllCommonsvc.exe
    File created  C:\Program Files (x86)\MSBuild\6ccacd8608530f                  DllCommonsvc.exe
    File created  C:\Program Files (x86)\MSBuild\6203df4a6bafc7                  DllCommonsvc.exe
    File created  C:\Program Files\Reference Assemblies\5940a34987c991           DllCommonsvc.exe
    File created  C:\Program Files\Windows NT\Accessories\fr-FR\886983d96e3d3e   DllCommonsvc.exe
    File created  C:\Program Files (x86)\MSBuild\lsass.exe                       DllCommonsvc.exe
    File created  C:\Program Files\Reference Assemblies\dllhost.exe              DllCommonsvc.exe
    File created  C:\Program Files\Windows Portable Devices\explorer.exe         DllCommonsvc.exe
    File created  C:\Program Files\Windows NT\Accessories\fr-FR\csrss.exe        DllCommonsvc.exe
  Drops file in Windows directory (6 IoCs)
    description   ioc                                              Process
    File created  C:\Windows\DigitalLocker\en-US\wininit.exe       DllCommonsvc.exe
    File created  C:\Windows\DigitalLocker\en-US\56085415360792    DllCommonsvc.exe
    File created  C:\Windows\PCHEALTH\smss.exe                     DllCommonsvc.exe
    File created  C:\Windows\PCHEALTH\69ddcba757bf72               DllCommonsvc.exe
    File created  C:\Windows\Setup\State\wininit.exe               DllCommonsvc.exe
    File created  C:\Windows\Setup\State\56085415360792            DllCommonsvc.exe
  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    description  ioc                                                            Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    WScript.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    cmd.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    JaffaCakes118_8fca83ffdd848257f7ac63b792b29fabadd655e38301af88e3dca6a3ac5b58aa.exe
  Scheduled Task/Job: Scheduled Task (1 TTPs, 51 IoCs)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
  Suspicious behavior: EnumeratesProcesses (32 IoCs)
  Suspicious use of AdjustPrivilegeToken (32 IoCs)
  Suspicious use of WriteProcessMemory (64 IoCs)
  Uses Task Scheduler COM API (1 TTPs)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8fca83ffdd848257f7ac63b792b29fabadd655e38301af88e3dca6a3ac5b58aa.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8fca83ffdd848257f7ac63b792b29fabadd655e38301af88e3dca6a3ac5b58aa.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2312

[depth 2] C:\Windows\SysWOW64\WScript.exe
    Command: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2476

[depth 3] C:\Windows\SysWOW64\cmd.exe
    Command: cmd /c ""C:\providercommon\1zu9dW.bat" "
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2620

[depth 4] C:\providercommon\DllCommonsvc.exe
    Command: "C:\providercommon\DllCommonsvc.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2056

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 844

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2116

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\services.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2376

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2796

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\cmd.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1748

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Idle.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2892

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2844

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\wininit.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2848

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\lsass.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1752

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\dllhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2952

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\csrss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2704

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2196

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Searches\wininit.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2880

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1728

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\en-US\wininit.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2948

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\explorer.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2988

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\fr-FR\csrss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1220

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\smss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 820

[depth 5] C:\Users\Default User\services.exe
    Command: "C:\Users\Default User\services.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2212

[depth 6] C:\Windows\System32\cmd.exe
    Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat"
    PID: 1484

[depth 7] C:\Windows\system32\w32tm.exe
    Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1480

[depth 7] C:\Users\Default User\services.exe
    Command: "C:\Users\Default User\services.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1028

[depth 8] C:\Windows\System32\cmd.exe
    Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rd8mWnFnEV.bat"
    PID: 1052

[depth 9] C:\Windows\system32\w32tm.exe
    Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2148

[depth 9] C:\Users\Default User\services.exe
    Command: "C:\Users\Default User\services.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2476

[depth 10] C:\Windows\System32\cmd.exe
    Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SpZgFYZT4y.bat"
    PID: 2636

[depth 11] C:\Windows\system32\w32tm.exe
    Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1728

[depth 11] C:\Users\Default User\services.exe
    Command: "C:\Users\Default User\services.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1076

[depth 12] C:\Windows\System32\cmd.exe
    Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JhLzHEla3w.bat"
    PID: 1724

[depth 13] C:\Windows\system32\w32tm.exe
    Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2092

[depth 13] C:\Users\Default User\services.exe
    Command: "C:\Users\Default User\services.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3052

[depth 14] C:\Windows\System32\cmd.exe
    Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IPU7rAfrPc.bat"
    PID: 700

[depth 15] C:\Windows\system32\w32tm.exe
    Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1068

[depth 15] C:\Users\Default User\services.exe
    Command: "C:\Users\Default User\services.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2568

[depth 16] C:\Windows\System32\cmd.exe
    Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HHf3c4kdaf.bat"
    PID: 1968

[depth 17] C:\Windows\system32\w32tm.exe
    Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2476

[depth 17] C:\Users\Default User\services.exe
    Command: "C:\Users\Default User\services.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1728

[depth 18] C:\Windows\System32\cmd.exe
    Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\epFjAgKouK.bat"
    PID: 3008

[depth 19] C:\Windows\system32\w32tm.exe
    Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2152

[depth 19] C:\Users\Default User\services.exe
    Command: "C:\Users\Default User\services.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2992

[depth 20] C:\Windows\System32\cmd.exe
    Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UJpHfzfs2i.bat"
    PID: 1364

[depth 21] C:\Windows\system32\w32tm.exe
    Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2932

[depth 21] C:\Users\Default User\services.exe
    Command: "C:\Users\Default User\services.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2400

[depth 22] C:\Windows\System32\cmd.exe
    Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat"
    PID: 2744

[depth 23] C:\Windows\system32\w32tm.exe
    Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1004

[depth 23] C:\Users\Default User\services.exe
    Command: "C:\Users\Default User\services.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2568

[depth 24] C:\Windows\System32\cmd.exe
    Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rjTee716Rl.bat"
    PID: 2260

[depth 25] C:\Windows\system32\w32tm.exe
    Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2216

[depth 25] C:\Users\Default User\services.exe
    Command: "C:\Users\Default User\services.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2464

[depth 26] C:\Windows\System32\cmd.exe
    Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qsbi9TUILn.bat"
    PID: 2532

[depth 27] C:\Windows\system32\w32tm.exe
    Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2024

[depth 27] C:\Users\Default User\services.exe
    Command: "C:\Users\Default User\services.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1752

[depth 28] C:\Windows\System32\cmd.exe
    Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p9sA7N8NGm.bat"
    PID: 2528

[depth 29] C:\Windows\system32\w32tm.exe
    Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2520

[depth 29] C:\Users\Default User\services.exe
    Command: "C:\Users\Default User\services.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2124
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\Setup\State\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Setup\State\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\Setup\State\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Searches\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Searches\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Searches\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\providercommon\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\DigitalLocker\en-US\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\DigitalLocker\en-US\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\PCHEALTH\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\PCHEALTH\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360
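The schtasks entries above are the whole DcRat persistence routine laid out in one place: every dropped copy gets three /create calls from a parent (wmiprvse.exe) that should never launch schtasks.exe, one ONLOGON task under a borrowed name, two MINUTE tasks under that name plus a trailing letter (the second silently overwriting the first with /f and adding /rl HIGHEST), and every target borrowing the file name of a core Windows binary (csrss, lsass, smss, wininit, services, conhost, dllhost, sppsvc, explorer, WmiPrvSE, cmd, and the non-existent System.exe and Idle.exe) while living in C:\Recovery\..., C:\MSOCache\..., C:\Users\Public, C:\Program Files (x86)\MSBuild or a similar writable directory. The Python below is an added example, not part of this report and not the sandbox's own detection logic: it parses such command lines out of process-creation events and scores them. The (parent image, command line) record layout, the expected-directory table, the 15-minute threshold and the benign NightlyBackup record are this example's own assumptions; the malicious command lines are copied from the tree.

```python
# Added example (not part of the sandbox report): parse the `schtasks /create`
# command lines seen in the process tree above and flag the persistence pattern.
# The (parent image, command line) records and the benign last entry are
# constructed for this example; the malicious command lines come from the report.
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass

SYSTEM32 = {r"c:\windows\system32"}
# Real home directory of each Windows binary whose name the dropped copies borrow.
EXPECTED_DIRS = {
    **{n: SYSTEM32 for n in ("csrss.exe", "lsass.exe", "smss.exe", "wininit.exe",
                             "services.exe", "conhost.exe", "sppsvc.exe")},
    "dllhost.exe": SYSTEM32 | {r"c:\windows\syswow64"},
    "cmd.exe": SYSTEM32 | {r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "wmiprvse.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "system.exe": set(), "idle.exe": set(),  # kernel pseudo-processes: no image file exists
}
UNEXPECTED_PARENTS = {"wmiprvse.exe"}  # never a legitimate parent of schtasks.exe
SHORT_INTERVAL_MINUTES = 15            # /sc MINUTE /mo N at or below this is a re-launch loop
VALUE_SWITCHES = {"/tn", "/sc", "/mo", "/tr", "/rl", "/st", "/sd", "/ed", "/ru", "/rp", "/s", "/u", "/p"}
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


@dataclass
class TaskCreate:
    name: str
    schedule: str
    modifier: int | None
    run_level: str
    force: bool
    target: str  # image path the task runs, extracted from /tr


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping double-quoted runs together."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def image_from_tr(tr: str) -> str:
    """Pull the program path out of a /tr value; the sample wraps it in single quotes."""
    tr = tr.strip()
    for quote in ("'", '"'):
        if tr.startswith(quote) and quote in tr[1:]:
            return tr[1:tr.index(quote, 1)]
    return tr if tr.lower().endswith(".exe") else tr.split(" ", 1)[0]


def parse_schtasks_create(cmdline: str) -> TaskCreate | None:
    """Return the /create parameters, or None for any other schtasks invocation."""
    toks, opts, i = tokenize(cmdline), {}, 0
    while i < len(toks):
        key = toks[i].lower()
        if key in VALUE_SWITCHES and i + 1 < len(toks):
            opts[key], i = toks[i + 1], i + 2
        else:
            opts[key], i = "", i + 1  # bare switches such as /create and /f
    if "/create" not in opts:
        return None
    mo = opts.get("/mo", "")
    return TaskCreate(opts.get("/tn", ""), opts.get("/sc", "").upper(),
                      int(mo) if mo.isdigit() else None, opts.get("/rl", "").upper(),
                      "/f" in opts, image_from_tr(opts.get("/tr", "")))


def triage(parent_image: str, cmdline: str) -> tuple[bool, list[str]]:
    """Return (suspicious, reasons) for one process-creation event; suspicious is set
    only by the strong signals: an unexpected parent or a masquerading target."""
    task = parse_schtasks_create(cmdline)
    if task is None:
        return False, []
    reasons, suspicious = [], False
    parent = parent_image.rsplit("\\", 1)[-1].lower()
    if parent in UNEXPECTED_PARENTS:
        reasons.append(f"schtasks.exe spawned by {parent}")
        suspicious = True
    directory, _, image = task.target.lower().rpartition("\\")
    if image in EXPECTED_DIRS and directory not in EXPECTED_DIRS[image]:
        reasons.append(f"{image} outside its real location: {task.target}")
        suspicious = True
    if task.run_level == "HIGHEST":
        reasons.append("asks for /rl HIGHEST")
    if task.schedule == "MINUTE" and task.modifier and task.modifier <= SHORT_INTERVAL_MINUTES:
        reasons.append(f"re-launched every {task.modifier} min")
    return suspicious, reasons


def recreated_task_names(events) -> list[str]:
    """Task names /create'd more than once with /f, i.e. overwritten in place."""
    counts = Counter()
    for _, cmdline in events:
        task = parse_schtasks_create(cmdline)
        if task and task.force:
            counts[task.name] += 1
    return sorted(name for name, n in counts.items() if n > 1)


EVENTS = [  # constructed records, see the header comment
    (r"C:\Windows\system32\wbem\wmiprvse.exe",
     r'''schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f'''),
    (r"C:\Windows\system32\wbem\wmiprvse.exe",
     r'''schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f'''),
    (r"C:\Windows\system32\wbem\wmiprvse.exe",
     r'''schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\lsass.exe'" /rl HIGHEST /f'''),
    (r"C:\Windows\System32\cmd.exe",
     r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe"'''),
]
```

Feed `triage` the ParentImage/CommandLine pair from Sysmon event 1 or Security 4688 and `recreated_task_names` a batch of them per host. Only the two strong signals decide the verdict: /rl HIGHEST and short MINUTE intervals also appear in legitimate admin tooling, so they are reported as context rather than as a verdict on their own. The name table only recognises the names it knows; a dropper that invents a fresh file name is still caught by the parent-process rule here, and in production you would add a path rule for targets under C:\Recovery, C:\MSOCache or a user profile.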
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 4ce1674d5c98e8e39e04d8dde2a2dca8
SHA1 915fab0c352fb2bc5a6ea0c3163d9a975959dfd1
SHA256 4746b3f5ca9c3fe81762802512be531398b04206e3efbca22bc25bef4d79710e
SHA512 2216f2a220526a0dd12da76fff0529a6016e0dd8f6a3fffb86a34ef48d64ff82dbeeaede5ed2c1ee1c690fcab2e6b8bdfc059c0e666197d4f7a8bed40833837f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 ba86ed7b05734073fd5b968b98467c9d
SHA1 56ea6bdd088ff9ae3162735e6b81f9d462cc666e
SHA256 8beae219590162a119e5412a3a0f5fb9f3d6168f7369de87630b2492e24b2e01
SHA512 5a4cf2159e0e23a6f29ad73ebbe7947d90f567554aa1a537a34786b4c819df0f692c967b380eb3bc874cb8406fd78e31b6bc581c15c262ff1def17502eb053ab
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 840e2e84b7bc2951f3e9cbeaaff778fe
SHA1 1ec90caf1a7f3fd7d4c8d7db7260c3272d3dce63
SHA256 52c135b21906d3671d81d3907e7c948d043807198b3c48f9553a5a87e5097c47
SHA512 01cbdcd478086918bc1d46b1ab6a192b485a7d1c7a52a3631e996d656a0863105205b57b94bc65bbd498c3a759978002982604a256bf99aaf75c764f7f49e057
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 2ed9bccba39958f8d036e4dbce44e6be
SHA1 cf5f58fbf4fe24277b23969cc205e630a080d25b
SHA256 a184a9fc5db603557bd64b4a867e9c260d72e58810aa702684e0fd2c08bfb7bd
SHA512 f6b3b7e820ff8118e2c4d7603f5eda82486b955eabb0b1d7fc7902e79546fff17e46696b1b233c9189dc607f77e65b88b80c3c0453a73ab340d20e9d96250e41
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 e28abeb8a76a1b66bf968bd85141eb7d
SHA1 27831b0df15c83991a67a4d7ce42748cfd8f4df4
SHA256 399ad964a815bb6d77bc519aeb5a7a6415e114d94ba8e2467d574f365ef61deb
SHA512 9fdcf21bb6d6dd16a4b80a1bbccd0a2d8b5ab92ebb111b26c216f824c4990c23d50f57c836dc1ebf4e920b55ad9bc7f45d0f788cf97d4fd550f2e4565ae7663a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 090c6ce9a9c0dc49c2448ba1b191ab75
SHA1 5836629a45860b9057135d13413429072b3b33b6
SHA256 88d346c74e4a1937b6f48b8ea60855591a53cf05cabbead72f56fde83e0dfd69
SHA512 d90ce6abba9ad5136ed3cd64fabc08a96c19b8a59daad3e3ac66027a4c7dc7cbec3f68f87433689df6bc50b400bbe6a7fd91d1454e42234e334357ed249c4cba
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 dbb85c78a89cb8f81ee345151ede384d
SHA1 ec99be69a312af3b494556ec90176ce518a896f9
SHA256 b1f2569261bfa24f955db5190643818991b155f749d488f8e2103504c968f0bc
SHA512 16a00f4da480890b4238bedc6635b536e3be612299098b46e649f1670d05de832895ea2de32d01dccea9dc3927e0919eb1d111816d3f6cd69c211a62f883b4f3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 ae1a992f853b7a48bfd6ee0a2b0817c6
SHA1 b0d2802f0086a67e8aedb67d56f59382b2352598
SHA256 414b946f3fe541958897df4c260badb613b40806dff7f10788369925037b7357
SHA512 dcf2909f4eb8600d1402773111ee3eb78984d8f5a6a96be5171d7f2138e9b712640c63ad5aa5cde2cb8cc7f70f2ea19b3871f25e397f5daf9b6851329bb487a1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 b776e4c83176a18f781dec320674a1eb
SHA1 0587b38e8d8424ae4449e3b4725d14c59757d518
SHA256 9c67315bbf715e70f732a224643371e8e6034118f7d3419767467977c92dbc21
SHA512 685f4da4f93cbaca2b39a88024f523af657ad0016a3d7a4eb07113bb86a5adc88602b62d4d9afb682075ce7e274d6e05c5a85805ecf262d1af84072d37045d1b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 bdc2dadbf42b1bf07c9eb3fae852acb0
SHA1 2d80893092206d711a1669ada2de4cb0c96a18fc
SHA256 4b8bebd6f39f255d7f094547290269ad1cdc809b4ca354948790acf78f730221
SHA512 ef1c86b03a024ff8e8bbd830a5315ae29cdc11bd9060c940e86a51906ff70e48b414ef1fb1986a48c9cf0ec218fccad5712b8d66f874633f5bac205aff3c1de9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 3ef0c914d70efcc0272fb0e58267c357
SHA1 58348e265fc09986dbb5fd66d762244d3bef34d3
SHA256 518abc965c74f7f257013adf95486a4aaa75d735bc4ef40a5e9ae6499bcd424d
SHA512 b1cfb4c83dae3da123d224e6de3716190fd255b4b7c7a37125aef8ffede7fa9a8fbb98f58678a456e35c7cd8598da19d18e908a445027281368b36ac39d853d2
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 199B
MD5 1e133599b5530089c5d8208e2ca1d819
SHA1 7a172570daf92262bc43984eff5d71e8f1b6fa41
SHA256 e4620203ef06a5c872eeee40f613a647c14bf06f2e76a5c2b1602e2b5f49258c
SHA512 a0baa48a77da71f6aad40573d530e314634afe26312093ba2e89fd83869b6e32d05e704d619bff30d3b9d3e582c6baf837cbc6362e25acd965da791f64b6958d
-
Filesize 199B
MD5 e58d825e875c7c668cf6a9407c6f9263
SHA1 b68f8f2627ed9c0a4d7d259d40c83c4b05d0efae
SHA256 15f208ce3935806e3a4487549e102155bbe30a0dedb74c02849efc0284a4b5d5
SHA512 57017fc11ed24de7a9644be943ef145192987a0f8914b94d6700fbc6f35bb21a9be15cc4a813b7242c32903d5cc28003e8d155095700beb2ab6472512382cc69
-
Filesize 199B
MD5 d667d452335fe6ce4a04a636e6390807
SHA1 e4fcce2da04c183dbae2b42cf57ecfa4fd3ecb88
SHA256 576d2e3bd77cffac7036fe178ab2f6465f572f3ff648aebef513fc17fc01a7bd
SHA512 2a7c91f76ba5cc08e583b616db27a4fc37176789039d34291c7a14b506dc33ea06a3770622e321ac4e55a58335a07b70b630fbd76c048ef1ebfc917dbd1eb974
-
Filesize 199B
MD5 0077f1077b7c081a52e9c080d44c2f33
SHA1 a8fc2b95f8fb4174517ff4cefe54663fdd35e839
SHA256 4492f8762922e0650affa873af353baf4e4e10673120797c62a4cff8d3320059
SHA512 8e048bace54ec4c9270c2c62a63d4e7d277b53a4716a8ada39b76343dc1537131f703cf7c215a7dda2248299b3a63cd46cdbc126b173fb225ba826dd10512c78
-
Filesize 199B
MD5 c0b0ef910e1410f97c3d374bd343c52e
SHA1 c83ec209329446b2b96486db359b62a8783e8ec9
SHA256 56eafecb0fa50bd70d3bbeac3d2e516e69e9a540ef7935d910a6da46397798e7
SHA512 4085a3e6db893bb18cd1dfb9d64968d6e329e806b750c494026a9eca80fc4fbd59ad0fdcf926b58f4fe85b1e4d1888ab1dbdb76a69e95f04bd9efdb9d840eed0
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 199B
MD5 7e7870eaea70c974002ad74bd9a83806
SHA1 3c4505489b12eaef0685974045e977936959127c
SHA256 4c230de684e425bce62e9aa76364cde5ca0ba3a1acaf62567dfb86150ef3e9a8
SHA512 3206693f87f84ce930802fc8b7d787b79134b54c0f1f42bcc61842b115045baf27b7d944228af1a59e6e86056f5a0b918c543dc580bbd2a499e55b88fd04425e
-
Filesize 199B
MD5 0d4db9e3fabbaf0561b76361578a4c96
SHA1 deabf29927190751a5752816c790a14bd028fe9d
SHA256 a5201b1ed781241962adbdb02f8f9c26ad0a6cebef956c2f3e7436658203d839
SHA512 1d7b162b7385d0bc2adea6f47e5fc943274a122893e16c0ab7b9890b3a57b783dae2657c2746009160e188a32cc96ba4bd199adc5ed68f86a38d5efd95675641
-
Filesize 199B
MD5 6bcdf532a9d59c8187cf955d7db257bf
SHA1 8d6ed4dfe9b7dcc39ef73900aabc5a81ff288962
SHA256 a4b828852cc09abbc2b9af7f9fa996b415cb3edd16c3633f1be0dac75a3dae47
SHA512 7d96569775e0c9e4d8afd1ae9a50d2901da95335566919b0f6c029a2bf3f75bb4d73a695265e20ae8125a7cea022ff1f70613e5f1eeef1a8f02ec22023237b4c
-
Filesize 199B
MD5 2655b0d498b50ce06d1a36d1433d5898
SHA1 c3aef92e14aa625352ceb07b9428d7245db85956
SHA256 ce573d9499b01387b585c0b706be79297c304edfae519e685d139bbdb881fef0
SHA512 df1a8a8f0100a21d29f477f1cb96bc4007322d43c9fa58872537298603f448192aa53917e560ad456179e77bad3e343af9133f4404ebff007d2c912917552372
-
Filesize 199B
MD5 b73a1f80e4a3fc8b29836497e12983a2
SHA1 669707b7ca273f139c5ea149bd401db5490e746d
SHA256 1ccb64cfaef861687652d427ecc48766a7c04b82441b1816239547a67e05ed56
SHA512 7d88083b452d580d46a2bf28c6d57e2477dad5a4c7337b5bea8062b26e45cd40f7c7d96e87ec81c92549d9612e5663430a7a882bef3348fd4941eec9d1279d32
-
Filesize 199B
MD5 804e7643ee2392c28eb191439fb4796e
SHA1 8425eae862e1a83560c8e5fb8b6fe59813fda70e
SHA256 ed08d619a6532ed2584d54758d2b38ad69eaa21305fce491dde98ca01331ccf4
SHA512 0ce7ec3d132c8ba40eef3a26dbe6a4d0c0c84366cfd725d2de660f9131bb8a2b1606606a45b13e83b2d27369e051ae7c1df2e3aa3ef3f2cf2549e4987535a756
-
Filesize 199B
MD5 452a2e20a27f27482a2a21d43a946f3c
SHA1 cbb9586d50bfb91150eee066cf1acb9564985d30
SHA256 81a7e8d0899c8d85b2c56ba179f03a3e70ee21b655454ba1ab2e1db00b18099d
SHA512 8f1c4d4ea18d450efcb2b585058e06ed4d2866aa8a2963df6f1fc14d2fd879dfee958d3e80c304b75f018573f2082741249ba85f8e56908441d4384f5d871065
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 b47178d3226ef8c74367df6bbdc12372
SHA1 6225ae2a774e9019215cadebf9f3b9e1063406a4
SHA256 74d6d3b0ad9ada6ab2706428098f89422dbeb8a8d48d311db7bbc5c91cd8ecdf
SHA512 c042085ee42961146eba44e1e692d15ed4bba80e8089ca906072f9dd0e553174e9f4fb6b94f0f450150284bf75e8c5b48a0c128472ee894224bd942a34556118
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394