Analysis
max time kernel: 150s
max time network: 140s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2024 02:07
Behavioral task behavioral1
Sample: JaffaCakes118_af899e7205e3f3e028ece1c6ce02888edc3a2118f1590e3bdff27ebaa812a760.exe
Resource: win7-20240903-en

Behavioral task behavioral2
Sample: JaffaCakes118_af899e7205e3f3e028ece1c6ce02888edc3a2118f1590e3bdff27ebaa812a760.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_af899e7205e3f3e028ece1c6ce02888edc3a2118f1590e3bdff27ebaa812a760.exe
Size: 1.3MB
MD5: f6011a9af3bb76cebd2a579ef81b4dd2
SHA1: 887ba1dd251ff6270adfd66f305d9c6eb6e4bcda
SHA256: af899e7205e3f3e028ece1c6ce02888edc3a2118f1590e3bdff27ebaa812a760
SHA512: 7931a81e030fb51170e895d3170b8f30de6b9cbfb83c5201266b613a6a5747f71d930c2097af6d7f4f79b42c444ab5def0256fd9060fb4a65d225081fd652aa5
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family
resource | yara_rule
behavioral1/files/0x0008000000016edc-9.dat | dcrat
behavioral1/memory/828-13-0x00000000000E0000-0x00000000001F0000-memory.dmp | dcrat
behavioral1/memory/2576-59-0x0000000000F30000-0x0000000001040000-memory.dmp | dcrat
behavioral1/memory/2420-191-0x0000000001370000-0x0000000001480000-memory.dmp | dcrat
behavioral1/memory/1600-252-0x00000000000F0000-0x0000000000200000-memory.dmp | dcrat
behavioral1/memory/2096-313-0x0000000000ED0000-0x0000000000FE0000-memory.dmp | dcrat
behavioral1/memory/2212-374-0x0000000001390000-0x00000000014A0000-memory.dmp | dcrat
behavioral1/memory/3040-553-0x00000000013D0000-0x00000000014E0000-memory.dmp | dcrat

Process spawned unexpected child process (45 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description (identical for all 45 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid | pid_target | Process | procid_target
2668 | 2764 | schtasks.exe | 35
2864 | 2764 | schtasks.exe | 35
2688 | 2764 | schtasks.exe | 35
2664 | 2764 | schtasks.exe | 35
2564 | 2764 | schtasks.exe | 35
2600 | 2764 | schtasks.exe | 35
2004 | 2764 | schtasks.exe | 35
2128 | 2764 | schtasks.exe | 35
1244 | 2764 | schtasks.exe | 35
2876 | 2764 | schtasks.exe | 35
2884 | 2764 | schtasks.exe | 35
856 | 2764 | schtasks.exe | 35
2536 | 2764 | schtasks.exe | 35
2796 | 2764 | schtasks.exe | 35
1808 | 2764 | schtasks.exe | 35
2804 | 2764 | schtasks.exe | 35
1720 | 2764 | schtasks.exe | 35
1704 | 2764 | schtasks.exe | 35
1516 | 2764 | schtasks.exe | 35
1932 | 2764 | schtasks.exe | 35
2952 | 2764 | schtasks.exe | 35
2908 | 2764 | schtasks.exe | 35
2392 | 2764 | schtasks.exe | 35
2648 | 2764 | schtasks.exe | 35
2268 | 2764 | schtasks.exe | 35
2120 | 2764 | schtasks.exe | 35
940 | 2764 | schtasks.exe | 35
1952 | 2764 | schtasks.exe | 35
3052 | 2764 | schtasks.exe | 35
1088 | 2764 | schtasks.exe | 35
1344 | 2764 | schtasks.exe | 35
2412 | 2764 | schtasks.exe | 35
1972 | 2764 | schtasks.exe | 35
1764 | 2764 | schtasks.exe | 35
908 | 2764 | schtasks.exe | 35
1940 | 2764 | schtasks.exe | 35
2012 | 2764 | schtasks.exe | 35
1784 | 2764 | schtasks.exe | 35
1320 | 2764 | schtasks.exe | 35
2432 | 2764 | schtasks.exe | 35
1256 | 2764 | schtasks.exe | 35
1224 | 2764 | schtasks.exe | 35
2284 | 2764 | schtasks.exe | 35
2216 | 2764 | schtasks.exe | 35
2016 | 2764 | schtasks.exe | 35
Command and Scripting Interpreter: PowerShell (1 TTPs, 16 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
1760 | powershell.exe
2476 | powershell.exe
2516 | powershell.exe
1600 | powershell.exe
1440 | powershell.exe
484 | powershell.exe
540 | powershell.exe
1700 | powershell.exe
884 | powershell.exe
1588 | powershell.exe
1152 | powershell.exe
680 | powershell.exe
2148 | powershell.exe
1864 | powershell.exe
1596 | powershell.exe
1192 | powershell.exe

Executes dropped EXE (12 IoCs)
pid | Process
828 | DllCommonsvc.exe
2576 | sppsvc.exe
2420 | sppsvc.exe
1600 | sppsvc.exe
2096 | sppsvc.exe
2212 | sppsvc.exe
2960 | sppsvc.exe
1932 | sppsvc.exe
3040 | sppsvc.exe
2216 | sppsvc.exe
1572 | sppsvc.exe
2828 | sppsvc.exe

Loads dropped DLL (2 IoCs)
pid | Process
2856 | cmd.exe
2856 | cmd.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 11 IoCs)
flow | ioc
12 | raw.githubusercontent.com
15 | raw.githubusercontent.com
18 | raw.githubusercontent.com
22 | raw.githubusercontent.com
37 | raw.githubusercontent.com
4 | raw.githubusercontent.com
9 | raw.githubusercontent.com
26 | raw.githubusercontent.com
30 | raw.githubusercontent.com
33 | raw.githubusercontent.com
5 | raw.githubusercontent.com

Drops file in Program Files directory (10 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\csrss.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\cmd.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\ebf1f9fa8afd6d | DllCommonsvc.exe
File created | C:\Program Files\Windows NT\TableTextService\winlogon.exe | DllCommonsvc.exe
File created | C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe | DllCommonsvc.exe
File created | C:\Program Files\Microsoft Office\Office14\1033\0a1fd5f707cd16 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Portable Devices\csrss.exe | DllCommonsvc.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Program Files\Windows NT\TableTextService\cc11b995f2a76d | DllCommonsvc.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\Vss\spoolsv.exe | DllCommonsvc.exe
File created | C:\Windows\Vss\f3b6ecef712a24 | DllCommonsvc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_af899e7205e3f3e028ece1c6ce02888edc3a2118f1590e3bdff27ebaa812a760.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 45 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1932 | schtasks.exe
2392 | schtasks.exe
2120 | schtasks.exe
940 | schtasks.exe
1940 | schtasks.exe
2128 | schtasks.exe
1516 | schtasks.exe
2268 | schtasks.exe
2412 | schtasks.exe
2012 | schtasks.exe
2016 | schtasks.exe
2648 | schtasks.exe
1952 | schtasks.exe
1764 | schtasks.exe
1320 | schtasks.exe
2668 | schtasks.exe
2004 | schtasks.exe
3052 | schtasks.exe
1784 | schtasks.exe
1256 | schtasks.exe
2284 | schtasks.exe
2216 | schtasks.exe
2564 | schtasks.exe
1244 | schtasks.exe
2796 | schtasks.exe
2952 | schtasks.exe
1972 | schtasks.exe
2864 | schtasks.exe
2884 | schtasks.exe
2908 | schtasks.exe
2688 | schtasks.exe
2664 | schtasks.exe
2876 | schtasks.exe
2536 | schtasks.exe
2804 | schtasks.exe
1704 | schtasks.exe
1088 | schtasks.exe
1344 | schtasks.exe
1224 | schtasks.exe
2600 | schtasks.exe
856 | schtasks.exe
1808 | schtasks.exe
1720 | schtasks.exe
908 | schtasks.exe
2432 | schtasks.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam (10 IoCs)
pid | Process
2420 | sppsvc.exe
1600 | sppsvc.exe
2096 | sppsvc.exe
2212 | sppsvc.exe
2960 | sppsvc.exe
1932 | sppsvc.exe
3040 | sppsvc.exe
2216 | sppsvc.exe
1572 | sppsvc.exe
2828 | sppsvc.exe

Suspicious behavior: EnumeratesProcesses (30 IoCs)
pid | Process
828 | DllCommonsvc.exe
828 | DllCommonsvc.exe
828 | DllCommonsvc.exe
2476 | powershell.exe
2148 | powershell.exe
1440 | powershell.exe
540 | powershell.exe
884 | powershell.exe
1700 | powershell.exe
1588 | powershell.exe
484 | powershell.exe
680 | powershell.exe
1600 | powershell.exe
1152 | powershell.exe
1596 | powershell.exe
1864 | powershell.exe
1760 | powershell.exe
2516 | powershell.exe
1192 | powershell.exe
2576 | sppsvc.exe
2420 | sppsvc.exe
1600 | sppsvc.exe
2096 | sppsvc.exe
2212 | sppsvc.exe
2960 | sppsvc.exe
1932 | sppsvc.exe
3040 | sppsvc.exe
2216 | sppsvc.exe
1572 | sppsvc.exe
2828 | sppsvc.exe

Suspicious use of AdjustPrivilegeToken (28 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 828 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2476 | powershell.exe
Token: SeDebugPrivilege | 2148 | powershell.exe
Token: SeDebugPrivilege | 1440 | powershell.exe
Token: SeDebugPrivilege | 540 | powershell.exe
Token: SeDebugPrivilege | 884 | powershell.exe
Token: SeDebugPrivilege | 1700 | powershell.exe
Token: SeDebugPrivilege | 1588 | powershell.exe
Token: SeDebugPrivilege | 484 | powershell.exe
Token: SeDebugPrivilege | 680 | powershell.exe
Token: SeDebugPrivilege | 1600 | powershell.exe
Token: SeDebugPrivilege | 1152 | powershell.exe
Token: SeDebugPrivilege | 1596 | powershell.exe
Token: SeDebugPrivilege | 1864 | powershell.exe
Token: SeDebugPrivilege | 1760 | powershell.exe
Token: SeDebugPrivilege | 2516 | powershell.exe
Token: SeDebugPrivilege | 1192 | powershell.exe
Token: SeDebugPrivilege | 2576 | sppsvc.exe
Token: SeDebugPrivilege | 2420 | sppsvc.exe
Token: SeDebugPrivilege | 1600 | sppsvc.exe
Token: SeDebugPrivilege | 2096 | sppsvc.exe
Token: SeDebugPrivilege | 2212 | sppsvc.exe
Token: SeDebugPrivilege | 2960 | sppsvc.exe
Token: SeDebugPrivilege | 1932 | sppsvc.exe
Token: SeDebugPrivilege | 3040 | sppsvc.exe
Token: SeDebugPrivilege | 2216 | sppsvc.exe
Token: SeDebugPrivilege | 1572 | sppsvc.exe
Token: SeDebugPrivilege | 2828 | sppsvc.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2848 wrote to memory of 2356 | 2848 | JaffaCakes118_af899e7205e3f3e028ece1c6ce02888edc3a2118f1590e3bdff27ebaa812a760.exe | 31
PID 2848 wrote to memory of 2356 | 2848 | JaffaCakes118_af899e7205e3f3e028ece1c6ce02888edc3a2118f1590e3bdff27ebaa812a760.exe | 31
PID 2848 wrote to memory of 2356 | 2848 | JaffaCakes118_af899e7205e3f3e028ece1c6ce02888edc3a2118f1590e3bdff27ebaa812a760.exe | 31
PID 2848 wrote to memory of 2356 | 2848 | JaffaCakes118_af899e7205e3f3e028ece1c6ce02888edc3a2118f1590e3bdff27ebaa812a760.exe | 31
PID 2356 wrote to memory of 2856 | 2356 | WScript.exe | 32
PID 2356 wrote to memory of 2856 | 2356 | WScript.exe | 32
PID 2356 wrote to memory of 2856 | 2356 | WScript.exe | 32
PID 2356 wrote to memory of 2856 | 2356 | WScript.exe | 32
PID 2856 wrote to memory of 828 | 2856 | cmd.exe | 34
PID 2856 wrote to memory of 828 | 2856 | cmd.exe | 34
PID 2856 wrote to memory of 828 | 2856 | cmd.exe | 34
PID 2856 wrote to memory of 828 | 2856 | cmd.exe | 34
PID 828 wrote to memory of 2148 | 828 | DllCommonsvc.exe | 81
PID 828 wrote to memory of 2148 | 828 | DllCommonsvc.exe | 81
PID 828 wrote to memory of 2148 | 828 | DllCommonsvc.exe | 81
PID 828 wrote to memory of 2476 | 828 | DllCommonsvc.exe | 82
PID 828 wrote to memory of 2476 | 828 | DllCommonsvc.exe | 82
PID 828 wrote to memory of 2476 | 828 | DllCommonsvc.exe | 82
PID 828 wrote to memory of 884 | 828 | DllCommonsvc.exe | 84
PID 828 wrote to memory of 884 | 828 | DllCommonsvc.exe | 84
PID 828 wrote to memory of 884 | 828 | DllCommonsvc.exe | 84
PID 828 wrote to memory of 1864 | 828 | DllCommonsvc.exe | 85
PID 828 wrote to memory of 1864 | 828 | DllCommonsvc.exe | 85
PID 828 wrote to memory of 1864 | 828 | DllCommonsvc.exe | 85
PID 828 wrote to memory of 680 | 828 | DllCommonsvc.exe | 86
PID 828 wrote to memory of 680 | 828 | DllCommonsvc.exe | 86
PID 828 wrote to memory of 680 | 828 | DllCommonsvc.exe | 86
PID 828 wrote to memory of 1760 | 828 | DllCommonsvc.exe | 87
PID 828 wrote to memory of 1760 | 828 | DllCommonsvc.exe | 87
PID 828 wrote to memory of 1760 | 828 | DllCommonsvc.exe | 87
PID 828 wrote to memory of 2516 | 828 | DllCommonsvc.exe | 88
PID 828 wrote to memory of 2516 | 828 | DllCommonsvc.exe | 88
PID 828 wrote to memory of 2516 | 828 | DllCommonsvc.exe | 88
PID 828 wrote to memory of 1152 | 828 | DllCommonsvc.exe | 89
PID 828 wrote to memory of 1152 | 828 | DllCommonsvc.exe | 89
PID 828 wrote to memory of 1152 | 828 | DllCommonsvc.exe | 89
PID 828 wrote to memory of 1440 | 828 | DllCommonsvc.exe | 90
PID 828 wrote to memory of 1440 | 828 | DllCommonsvc.exe | 90
PID 828 wrote to memory of 1440 | 828 | DllCommonsvc.exe | 90
PID 828 wrote to memory of 1588 | 828 | DllCommonsvc.exe | 92
PID 828 wrote to memory of 1588 | 828 | DllCommonsvc.exe | 92
PID 828 wrote to memory of 1588 | 828 | DllCommonsvc.exe | 92
PID 828 wrote to memory of 1600 | 828 | DllCommonsvc.exe | 93
PID 828 wrote to memory of 1600 | 828 | DllCommonsvc.exe | 93
PID 828 wrote to memory of 1600 | 828 | DllCommonsvc.exe | 93
PID 828 wrote to memory of 1700 | 828 | DllCommonsvc.exe | 94
PID 828 wrote to memory of 1700 | 828 | DllCommonsvc.exe | 94
PID 828 wrote to memory of 1700 | 828 | DllCommonsvc.exe | 94
PID 828 wrote to memory of 1596 | 828 | DllCommonsvc.exe | 95
PID 828 wrote to memory of 1596 | 828 | DllCommonsvc.exe | 95
PID 828 wrote to memory of 1596 | 828 | DllCommonsvc.exe | 95
PID 828 wrote to memory of 1192 | 828 | DllCommonsvc.exe | 96
PID 828 wrote to memory of 1192 | 828 | DllCommonsvc.exe | 96
PID 828 wrote to memory of 1192 | 828 | DllCommonsvc.exe | 96
PID 828 wrote to memory of 540 | 828 | DllCommonsvc.exe | 98
PID 828 wrote to memory of 540 | 828 | DllCommonsvc.exe | 98
PID 828 wrote to memory of 540 | 828 | DllCommonsvc.exe | 98
PID 828 wrote to memory of 484 | 828 | DllCommonsvc.exe | 100
PID 828 wrote to memory of 484 | 828 | DllCommonsvc.exe | 100
PID 828 wrote to memory of 484 | 828 | DllCommonsvc.exe | 100
PID 828 wrote to memory of 2576 | 828 | DllCommonsvc.exe | 113
PID 828 wrote to memory of 2576 | 828 | DllCommonsvc.exe | 113
PID 828 wrote to memory of 2576 | 828 | DllCommonsvc.exe | 113
PID 828 wrote to memory of 2576 | 828 | DllCommonsvc.exe | 113

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(the depth number gives the position of each process in the tree; a process at depth N is a child of the preceding process at depth N-1)

[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_af899e7205e3f3e028ece1c6ce02888edc3a2118f1590e3bdff27ebaa812a760.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_af899e7205e3f3e028ece1c6ce02888edc3a2118f1590e3bdff27ebaa812a760.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2848

[depth 2] C:\Windows\SysWOW64\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2356

[depth 3] C:\Windows\SysWOW64\cmd.exe
  command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2856

[depth 4] C:\providercommon\DllCommonsvc.exe
  command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 828

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2148

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2476

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 884

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1864

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\Windows NT\smss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 680

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1760

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2516

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1152

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1440

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1588

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1600

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\CLIPART\cmd.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1700

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1596

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\winlogon.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1192

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\dwm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 540

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\spoolsv.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 484

[depth 5] C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe
  command line: "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2576
[depth 6] C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rjTee716Rl.bat"
  PID: 2320

[depth 7] C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1052

[depth 7] C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe
  command line: "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2420

[depth 8] C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\msQYHxuKnC.bat"
  PID: 2608

[depth 9] C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2676

[depth 9] C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe
  command line: "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1600

[depth 10] C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IVqzzTSBcr.bat"
  PID: 1308

[depth 11] C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 564

[depth 11] C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe
  command line: "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2096

[depth 12] C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L59TFxmxil.bat"
  PID: 2492

[depth 13] C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 852

[depth 13] C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe
  command line: "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2212

[depth 14] C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GX2kvMhQbI.bat"
  PID: 924

[depth 15] C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 844

[depth 15] C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe
  command line: "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2960

[depth 16] C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat"
  PID: 2020

[depth 17] C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1600

[depth 17] C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe
  command line: "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1932

[depth 18] C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pksuDlslcW.bat"
  PID: 1660

[depth 19] C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2740

[depth 19] C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe
  command line: "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3040

[depth 20] C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AQ0EpYUV7r.bat"
  PID: 2804

[depth 21] C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2144

[depth 21] C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe
  command line: "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2216

[depth 22] C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OrAhl4fNEA.bat"
  PID: 824

[depth 23] C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1164

[depth 23] C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe
  command line: "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1572

[depth 24] C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat"
  PID: 2228

[depth 25] C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2484

[depth 25] C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe
  command line: "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2828
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\Windows NT\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Windows NT\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\Windows NT\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\providercommon\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\providercommon\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\TableTextService\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Vss\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\Vss\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016
Network
MITRE ATT&CK Enterprise v15
Downloads