Analysis

max time kernel: 145s
max time network: 145s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2024 04:19
Behavioral task behavioral1
Sample: JaffaCakes118_c935bdc5b2ba98b71ad55a6be639723e1b1dda100f3a1dfd4ddf2c74112b63e0.exe
Resource: win7-20240903-en

Behavioral task behavioral2
Sample: JaffaCakes118_c935bdc5b2ba98b71ad55a6be639723e1b1dda100f3a1dfd4ddf2c74112b63e0.exe
Resource: win10v2004-20241007-en

The signatures, YARA hits and process tree below are from behavioral1 (the Windows 7 x64 run).
General

Target: JaffaCakes118_c935bdc5b2ba98b71ad55a6be639723e1b1dda100f3a1dfd4ddf2c74112b63e0.exe
Size: 1.3MB
MD5: 32bfa32ad28293732fa4c3712e56c857
SHA1: 5cfef9c2e7b3dd57a6c27af58427aa006bb9bde9
SHA256: c935bdc5b2ba98b71ad55a6be639723e1b1dda100f3a1dfd4ddf2c74112b63e0
SHA512: 212f48691bf91a702b1c1c1d95230258e61816b6270e47e85d9eebe3785394c61d16c95e3985bbd659edd3c0a1371a8752afeb9fdb96d0018d8c4f086beab742
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.

Dcrat family
Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run, however, all 51 children are schtasks.exe instances with the same parent, the WMI provider host wmiprvse.exe (PID 1944). That is the parent you get when a program creates processes through WMI (Win32_Process), so the evidence points to the dropper registering its tasks via WMI rather than to an exploited wmiprvse.exe; the report also flags use of the Task Scheduler COM API below.

description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
Process: schtasks.exe; pid_target: 1944; procid_target: 34 (identical for all 51 rows)
pid (child schtasks.exe): 2064, 1052, 2904, 672, 1044, 572, 2772, 2880, 1544, 2792, 468, 2364, 1664, 2776, 2920, 1524, 476, 1696, 1564, 2512, 492, 2160, 2436, 2212, 1200, 2016, 1628, 840, 2536, 684, 2764, 1704, 2460, 1624, 2000, 760, 1508, 2984, 2076, 2192, 1640, 2156, 2164, 1676, 1928, 1760, 2832, 1716, 1576, 2840, 2692
resource / yara_rule
behavioral1/files/0x00080000000190c6-9.dat: dcrat
behavioral1/memory/2924-13-0x0000000000220000-0x0000000000330000-memory.dmp: dcrat
behavioral1/memory/2316-143-0x00000000001F0000-0x0000000000300000-memory.dmp: dcrat
behavioral1/memory/1712-202-0x00000000012B0000-0x00000000013C0000-memory.dmp: dcrat
behavioral1/memory/2116-321-0x0000000000060000-0x0000000000170000-memory.dmp: dcrat
behavioral1/memory/3064-381-0x0000000000D80000-0x0000000000E90000-memory.dmp: dcrat
behavioral1/memory/2532-441-0x0000000000F40000-0x0000000001050000-memory.dmp: dcrat
behavioral1/memory/2104-501-0x0000000001030000-0x0000000001140000-memory.dmp: dcrat

The memory hits are in DllCommonsvc.exe (PID 2924) and in the C:\Windows\ModemLogs\wininit.exe copies it relaunches (PIDs 2316, 1712, 2116, 3064, 2532, 2104); every matched region is 0x110000 bytes, the same image mapped at a different base in each process.
Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes. Here all 18 invocations are Add-MpPreference -ExclusionPath calls, one for each location the dropper stages a copy in (the paths are listed with the process tree). Add-MpPreference belongs to the Defender PowerShell module, which Windows 8 and later ship and Windows 7 does not, so on this Windows 7 image the calls cannot have taken effect; behavioral2 (Windows 10) is the run to check for exclusions that actually applied.
pid / Process (all powershell.exe): 2724, 2688, 1212, 1364, 2452, 2616, 1520, 1608, 2868, 2892, 2588, 1560, 2580, 2552, 2680, 2712, 2092, 2564
Executes dropped EXE 10 IoCs
pid / Process: 2924 DllCommonsvc.exe; wininit.exe: 2316, 1712, 1052, 2116, 3064, 2532, 2104, 2352, 876

Loads dropped DLL 2 IoCs
pid / Process: 2852 cmd.exe (2 hits)
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow / ioc: raw.githubusercontent.com in flows 4, 5, 9, 12, 16, 19, 23, 26, 29, 33
The report records only the hostname; the repository paths fetched are not shown on this page, so the domain alone cannot be used as a block-list entry.
Drops file in Program Files directory 6 IoCs
File created by DllCommonsvc.exe:
C:\Program Files\DVD Maker\DllCommonsvc.exe
C:\Program Files\DVD Maker\a76d7bf15d8370
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\winlogon.exe
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\cc11b995f2a76d
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\System.exe
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\27d1bcfc3c54e0

Drops file in Windows directory 6 IoCs
File created by DllCommonsvc.exe:
C:\Windows\PCHEALTH\ERRORREP\dllhost.exe
C:\Windows\PCHEALTH\ERRORREP\5940a34987c991
C:\Windows\ModemLogs\wininit.exe
C:\Windows\ModemLogs\56085415360792
C:\Windows\twain_32\spoolsv.exe
C:\Windows\twain_32\f3b6ecef712a24

Each dropped executable is paired with an extensionless companion file whose name is 14 hex characters (a76d7bf15d8370, cc11b995f2a76d, 27d1bcfc3c54e0, 5940a34987c991, 56085415360792, f3b6ecef712a24). Because the executables reuse Windows process names, the companion file beside a system-named binary in a non-system directory is the more reliable file-system indicator.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. This registry key is also read by many benign programs, so on its own it is a weak indicator.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by JaffaCakes118_c935bdc5b2ba98b71ad55a6be639723e1b1dda100f3a1dfd4ddf2c74112b63e0.exe, WScript.exe and cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. These are the same 51 schtasks.exe processes flagged above as children of wmiprvse.exe; their command lines are tabulated at the end of the process tree.
pid / Process (all schtasks.exe): 1544, 1696, 1628, 2772, 2776, 2764, 1928, 2840, 2436, 1200, 1704, 1508, 1640, 2164, 2832, 2692, 2364, 1664, 2160, 2460, 760, 1760, 2064, 672, 572, 468, 476, 2212, 840, 2192, 1716, 1052, 1044, 2880, 2920, 1524, 2512, 2016, 2984, 1676, 1576, 2904, 1564, 492, 2536, 2792, 684, 1624, 2000, 2076, 2156
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid / Process: DllCommonsvc.exe 2924 (3 hits); powershell.exe 1608, 2616, 1520, 2452, 2564, 2580, 2724, 2092, 2688, 2868, 1560, 2680, 2588, 2892, 1212, 2552, 2712, 1364; wininit.exe 2316, 1712, 1052, 2116, 3064, 2532, 2104, 2352, 876

Suspicious use of AdjustPrivilegeToken 28 IoCs
Token: SeDebugPrivilege, enabled by DllCommonsvc.exe 2924; powershell.exe 1608, 2616, 1520, 2452, 2564, 2580, 2724, 2092, 2688, 2868, 1560, 2680, 2588, 2892, 1212, 2552, 2712, 1364; wininit.exe 2316, 1712, 1052, 2116, 3064, 2532, 2104, 2352, 876
Suspicious use of WriteProcessMemory 64 IoCs
Every write listed here goes from a process to a child it has just spawned (compare the process tree), which is the ordinary CreateProcess pattern rather than injection into an unrelated process. Collapsed by writer, with procid_target in parentheses:
PID 2708 (JaffaCakes118_c935bdc5b2ba98b71ad55a6be639723e1b1dda100f3a1dfd4ddf2c74112b63e0.exe) wrote to 2712 (30), 4 writes
PID 2712 (WScript.exe) wrote to 2852 (31), 4 writes
PID 2852 (cmd.exe) wrote to 2924 (33), 4 writes
PID 2924 (DllCommonsvc.exe) wrote to each powershell.exe child, 3 writes each: 2868 (86), 2724 (87), 2688 (88), 2680 (89), 2712 (90), 2892 (91), 2092 (92), 2588 (93), 2564 (94), 1560 (95), 2580 (96), 2616 (97), 2452 (98), 1608 (100), 1520 (102), 1364 (104), 1212 (107), and 2552 (109), where the listing stops at its 64th entry
Note that PID 2712 appears first as WScript.exe and later as a powershell.exe child of 2924: PIDs were reused during the run.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
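The signatures above (schtasks.exe under an unexpected wmiprvse.exe parent, PowerShell Add-MpPreference exclusions, the layered scheduled-task persistence) and the w32tm relaunch chain visible in the process tree below can each be expressed as a rule over process-creation telemetry. The following Python is an added example, not part of this report or of the DcRat code: the ProcEvent fields, the rule names, SYSTEM_LOOKALIKES and TRUSTED_DIRS are assumptions, and the sample events are constructed, six of them copied from command lines in this report and three benign controls.

```python
"""Added example, not part of this report or of DcRat: detection rules for the
behaviours the report flags, run over process-creation events. ProcEvent's
field names are an assumption; map them to your EDR or Sysmon Event ID 1 data."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Windows process names DcRat reuses for its dropped copies (taken from the task
# list in this report) and the only directories those names legitimately run from.
SYSTEM_LOOKALIKES = {"wininit.exe", "services.exe", "smss.exe", "dllhost.exe",
                     "dwm.exe", "idle.exe", "spoolsv.exe", "winlogon.exe",
                     "system.exe", "taskhost.exe"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# schtasks flags we extract; a value is either a "quoted string" or one token.
FLAG_RE = re.compile(r'/(tn|sc|mo|tr|rl)\s+("[^"]*"|\S+)', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    cmdline: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_schtasks(cmdline: str) -> Dict[str, str]:
    """Map /tn, /sc, /mo, /tr, /rl to their values, removing the "'...'"
    double quoting DcRat wraps around the /tr target."""
    return {flag.lower(): value.strip('"').strip("'")
            for flag, value in FLAG_RE.findall(cmdline)}


def check_event(ev: ProcEvent) -> List[str]:
    """Names of the rules that fire for one process-creation event."""
    hits = []
    image, parent = basename(ev.image), basename(ev.parent_image)
    low = ev.cmdline.lower()
    # 1. schtasks started by the WMI provider host: users and installers run it
    #    from a shell; a WmiPrvSE.exe parent means WMI process creation.
    if image == "schtasks.exe" and parent == "wmiprvse.exe":
        hits.append("schtasks_from_wmiprvse")
    # 2. Task action is a system-process name living outside System32/SysWOW64.
    if image == "schtasks.exe" and "/create" in low:
        target = parse_schtasks(ev.cmdline).get("tr", "")
        if (basename(target) in SYSTEM_LOOKALIKES
                and not target.lower().startswith(TRUSTED_DIRS)):
            hits.append("task_runs_system_lookalike:" + target)
    # 3. Defender exclusion added from a PowerShell command line.
    if image == "powershell.exe" and re.search(
            r"add-mppreference\s+-exclusion(path|process|extension)", low):
        hits.append("defender_exclusion_added")
    # 4. w32tm /stripchart against localhost from cmd.exe: takes a few seconds
    #    and is the sleep between relaunches in this report's process tree.
    if (image == "w32tm.exe" and parent == "cmd.exe"
            and "/stripchart" in low and "/computer:localhost" in low):
        hits.append("w32tm_localhost_delay")
    return hits


def persistence_targets(events: List[ProcEvent]) -> Dict[str, Set[str]]:
    """Group schtasks /create events by /tr target -> set of /sc schedule types."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        if basename(ev.image) == "schtasks.exe" and "/create" in ev.cmdline.lower():
            task = parse_schtasks(ev.cmdline)
            if "tr" in task:
                out[task["tr"]].add(task.get("sc", "").upper())
    return dict(out)


def layered_persistence(events: List[ProcEvent]) -> List[str]:
    """Targets registered both ONLOGON and every N minutes: the triple-task
    pattern this report shows for each dropped copy."""
    return sorted(t for t, kinds in persistence_targets(events).items()
                  if {"ONLOGON", "MINUTE"} <= kinds)


# Constructed sample: events 0-5 reproduce command lines from this report;
# events 6-8 are benign controls that must not fire any rule.
WMI = r"C:\Windows\system32\wbem\wmiprvse.exe"
SCHTASKS = r"C:\Windows\system32\schtasks.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    ProcEvent(WMI, SCHTASKS, r'''schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\providercommon\services.exe'" /f'''),
    ProcEvent(WMI, SCHTASKS, r'''schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f'''),
    ProcEvent(WMI, SCHTASKS, r'''schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f'''),
    ProcEvent(WMI, SCHTASKS, r'''schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\ModemLogs\wininit.exe'" /rl HIGHEST /f'''),
    ProcEvent(r"C:\providercommon\DllCommonsvc.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\providercommon\\DllCommonsvc.exe'"),
    ProcEvent(CMD, r"C:\Windows\system32\w32tm.exe",
              "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    ProcEvent(r"C:\Windows\system32\services.exe", r"C:\Windows\system32\svchost.exe",
              "C:\\Windows\\system32\\svchost.exe -k netsvcs"),
    ProcEvent(CMD, SCHTASKS, r'''schtasks.exe /create /tn "VendorUpdate" /sc DAILY /tr "C:\Program Files\Vendor\updater.exe" /f'''),
    ProcEvent(CMD, SCHTASKS, r'''schtasks.exe /create /tn "Diag" /sc ONLOGON /tr "C:\Windows\System32\dllhost.exe" /f'''),
]


def run(events: List[ProcEvent] = SAMPLE_EVENTS) -> Dict[int, List[str]]:
    """Index of every event that fired at least one rule -> its rule hits."""
    results = {}
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for i, hits in run().items():
        print(i, hits)
    print("layered persistence:", layered_persistence(SAMPLE_EVENTS))
```

Rule 2 is the one that survives renaming: the task names and drop directories change between builds, but a binary called wininit.exe or services.exe that is scheduled from anywhere other than System32 has no legitimate explanation, and layered_persistence() pairs that with the ONLOGON-plus-MINUTE registration that this report shows for every target. Event 8 is the control for that rule: a task pointing at the real C:\Windows\System32\dllhost.exe must not fire.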
Processes

Each entry gives the tree depth in brackets (1 = the submitted sample; the original listing shows the depth as a number before ⤵), the image path, the command line, the signatures that fired for that process, and its PID. The 51 schtasks.exe processes appear as separate depth-1 roots because their parent, wmiprvse.exe (PID 1944), is not in the tree; they are tabulated after the main tree. Two things to keep in mind when reading it: the image path of WScript.exe and the first cmd.exe is SysWOW64 although the command line names System32, because the dropper is a 32-bit process and file-system redirection applies; and PIDs were reused during the 145 s run (2712 is first WScript.exe and later a powershell.exe; 2724, 2580, 2064, 2000, 760, 1052 and 2076 each occur twice), so correlate on PID together with start time.

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c935bdc5b2ba98b71ad55a6be639723e1b1dda100f3a1dfd4ddf2c74112b63e0.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c935bdc5b2ba98b71ad55a6be639723e1b1dda100f3a1dfd4ddf2c74112b63e0.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2708

[2] C:\Windows\SysWOW64\WScript.exe
    cmdline: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2712

[3] C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c ""C:\providercommon\1zu9dW.bat" "
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2852

[4] C:\providercommon\DllCommonsvc.exe
    cmdline: "C:\providercommon\DllCommonsvc.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2924

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (18 instances, all children of PID 2924)
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath '<path>'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID   excluded path
    2868  C:\providercommon\DllCommonsvc.exe
    2724  C:\providercommon\services.exe
    2688  C:\providercommon\taskhost.exe
    2680  C:\Users\All Users\Documents\wininit.exe
    2712  C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe
    2892  C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\Idle.exe
    2092  C:\Windows\PCHEALTH\ERRORREP\dllhost.exe
    2588  C:\providercommon\dwm.exe
    2564  C:\Windows\ModemLogs\wininit.exe
    1560  C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe
    2580  C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe
    2616  C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\System.exe
    2452  C:\providercommon\winlogon.exe
    1608  C:\Program Files\DVD Maker\DllCommonsvc.exe
    1520  C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe
    1364  C:\Windows\twain_32\spoolsv.exe
    1212  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\winlogon.exe
    2552  C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe

Relaunch chain (depths 5 to 24). DllCommonsvc.exe (PID 2924), and after it each wininit.exe copy, runs cmd.exe /C on a batch file in %TEMP%. That cmd.exe starts w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2, which takes a few seconds to complete and serves as a sleep, and then starts C:\Windows\ModemLogs\wininit.exe, whose own cmd.exe continues the chain; nine wininit.exe generations complete inside the 145 s run. Every cmd.exe command line is "C:\Windows\System32\cmd.exe" /C "<batch file>", every w32tm.exe command line is the one quoted above, and every wininit.exe command line is "C:\Windows\ModemLogs\wininit.exe". The cmd.exe and w32tm.exe instances fired no signatures; each wininit.exe fired Executes dropped EXE, Suspicious behavior: EnumeratesProcesses and Suspicious use of AdjustPrivilegeToken.

cmd.exe (depth, PID)  batch file                                          w32tm.exe (depth, PID)  wininit.exe (depth, PID)
5, 2412               C:\Users\Admin\AppData\Local\Temp\z82BQHe7H8.bat   6, 1348                 6, 2316
7, 1180               C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat   8, 760                  8, 1712
9, 2860               C:\Users\Admin\AppData\Local\Temp\JhFjyqSsxH.bat   10, 2304                10, 1052
11, 2076              C:\Users\Admin\AppData\Local\Temp\XErLL4imMU.bat   12, 1976                12, 2116
13, 2476              C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat   14, 2612                14, 3064
15, 2368              C:\Users\Admin\AppData\Local\Temp\rjTee716Rl.bat   16, 2000                16, 2532
17, 908               C:\Users\Admin\AppData\Local\Temp\0uTXzTWsAa.bat   18, 1432                18, 2104
19, 3012              C:\Users\Admin\AppData\Local\Temp\574RqM7W2b.bat   20, 2064                20, 2352
21, 2020              C:\Users\Admin\AppData\Local\Temp\hGpPWS23Hw.bat   22, 2724                22, 876
23, 2580              C:\Users\Admin\AppData\Local\Temp\Dk8ljd7jBY.bat   24, 2480                (none shown; the run ended)
Scheduled tasks. Each of the 51 schtasks.exe processes is a depth-1 root with parent wmiprvse.exe (PID 1944) and fired Process spawned unexpected child process and Scheduled Task/Job: Scheduled Task. The page shows the first 25 command lines, the last one cut off before its PID. Every target gets the same three tasks: one named after the binary with its first character appended (servicess, taskhostt, wininitw, smsss, IdleI, dllhostd, dwmd) running every few minutes with no run level, one named exactly after the binary running ONLOGON with /rl HIGHEST, and a second appended-character task at a different minute interval with /rl HIGHEST. All use /f to overwrite any existing task of that name. The common form is

schtasks.exe /create /tn "<name>" /sc <MINUTE|ONLOGON> [/mo <n>] /tr "'<target>'" [/rl HIGHEST] /f

PID   /tn        /sc      /mo  /rl      /tr
2064  servicess  MINUTE   7    -        C:\providercommon\services.exe
1052  services   ONLOGON  -    HIGHEST  C:\providercommon\services.exe
2904  servicess  MINUTE   14   HIGHEST  C:\providercommon\services.exe
672   taskhostt  MINUTE   7    -        C:\providercommon\taskhost.exe
1044  taskhost   ONLOGON  -    HIGHEST  C:\providercommon\taskhost.exe
572   taskhostt  MINUTE   9    HIGHEST  C:\providercommon\taskhost.exe
2772  wininitw   MINUTE   11   -        C:\Users\All Users\Documents\wininit.exe
2880  wininit    ONLOGON  -    HIGHEST  C:\Users\All Users\Documents\wininit.exe
1544  wininitw   MINUTE   14   HIGHEST  C:\Users\All Users\Documents\wininit.exe
2792  smsss      MINUTE   5    -        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe
468   smss       ONLOGON  -    HIGHEST  C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe
2364  smsss      MINUTE   12   HIGHEST  C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe
1664  IdleI      MINUTE   10   -        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\Idle.exe
2776  Idle       ONLOGON  -    HIGHEST  C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\Idle.exe
2920  IdleI      MINUTE   7    HIGHEST  C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\Idle.exe
1524  dllhostd   MINUTE   5    -        C:\Windows\PCHEALTH\ERRORREP\dllhost.exe
476   dllhost    ONLOGON  -    HIGHEST  C:\Windows\PCHEALTH\ERRORREP\dllhost.exe
1696  dllhostd   MINUTE   6    HIGHEST  C:\Windows\PCHEALTH\ERRORREP\dllhost.exe
1564  dwmd       MINUTE   9    -        C:\providercommon\dwm.exe
2512  dwm        ONLOGON  -    HIGHEST  C:\providercommon\dwm.exe
492   dwmd       MINUTE   7    HIGHEST  C:\providercommon\dwm.exe
2160  wininitw   MINUTE   10   -        C:\Windows\ModemLogs\wininit.exe
2436  wininit    ONLOGON  -    HIGHEST  C:\Windows\ModemLogs\wininit.exe
2212  wininitw   MINUTE   14   HIGHEST  C:\Windows\ModemLogs\wininit.exe
      servicess  MINUTE   8    -        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe   (listing cut off here; PID not shown)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\providercommon\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Program Files\DVD Maker\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\twain_32\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\twain_32\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\twain_32\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
e916044882ac777c97f20c1f6185bd6c
SHA1
28586cc56df0ee477930dc36de175c885f768bf0
SHA256
96f694531bc801e1a87e854f79440a4009fba64bf566d28cac5d88897f3683ea
SHA512
0e39d676b95ea2d77174173b078079a3b614f77e0855dbc8fde9565c011ed28b9130a1e685dd1ad796d71c97158f06bd48597c6853c6fa97b11186498f39730a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
ea653018111342954e8b82b8ac7419fb
SHA1
3940395bf84a9de79ce956d62b378492b1d38a6b
SHA256
745f445bcc97953a6971e4b7eef88ea68a2c58d2b02b4c800f2b32c2b07e4d7c
SHA512
a304b58d21dfbc7e91721fd3ec584c57db77ce46c24d55f56fe4609da3dd56f94705c1ce61627723f4aaabff0585d5655bd91473b8edce13f1fe1ee07259f251
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
fb6e1b8683644141d3b6c0108f8ba5c6
SHA1
5cb4081f4705219416f5416e623cedff2300408d
SHA256
5269974ec50aec674a93bcb27f9657d1e3422be993361a992d82a1151e6eb88c
SHA512
b5a1903454eb1a6ec54aea8914e51c16ed22949f7bbb802cb01828744038bb5608629768a59a788e41fd1bc6ec3605c63f798e7dc55436203018a6717fc94fcc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
327b03de87c974914537e4a2a5375720
SHA1
46471352cb81d69fef69a38f1017ee30353d355f
SHA256
830ab804a8a495414efc346fa35a9867a9a0899a13bee87f6c9090ae60634008
SHA512
6cffae699872e7a44d7f8c3c6e8f34eff0c2bb28429c2490503fd160960580cd56230df8f01176f1f60af0100bd338c23e01ec33018928d6437e11c0152f3803
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
eb37641ddff883afe5281b67e5410ebe
SHA1
eb078fe6101238dc6e9920478144a5e6398dd33e
SHA256
eb5b3de6480009596077b010cdb2ad1d61f15d945120a1adc3b1d8ecc4ce6c58
SHA512
be08605f2a6b6179bd301f3343a6522a004a289b10d625642be36c84c9b2ff409b4ccfe471fdbd8423da1f12bbd606be6c659cfc2481d3bcc45820ff662ecd8f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
7422932cffb9e90386585765ca6b1887
SHA1
87023d4fb8d360f7ec19c099744639de6421bdfa
SHA256
3b44dceca642e59a0a13fd79b23448de75a26613dc8710e23502b872fcdd8448
SHA512
d1d1660ec6a82bc00e4f96cb61b3f3221c3a2d80e0552d25552e39335df0a88b042af851b2d2e54f4f342d2cbbb077dcdfd9b6d680817aacfa47aa11085b1b4b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
0240dc3fefe024fb2c5306b8da5f5b33
SHA1
85ee3e1e9e3d2c6357f7800f4655b84f55e2efa9
SHA256
b0ef529d561b0cf42dc8b01ecd934792db004e42c3e74c3bd33788588945dfd2
SHA512
5723a6c89732545c703f708a800a1398bca82d8bef3213298022c717e1ef9bd910e4220bb28ff567171f64708f70227c0e9b7cfbd0b4a05ed679319fee1f3124
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
2ec88f6229677d76ffd92ece3b52591d
SHA1
db48b878e44e86b85025ef3c3078bc9fb24662cc
SHA256
3034e89176eb82c7b3ff6dfd153d0637cb69b20abff8747b0c6947cbeee57c0e
SHA512
b7d222a598d9455548354a9fa0ab9eff5fa0d8af805394ca6cd0048a9377e8cc02770611f5b5d640cb0b6e8147d0e2c36837caef293c9b217513fbcabc326ec3
-
Filesize
197B
MD5
d2650772484e96e7e9afa9609b2df591
SHA1
9eb268700dc9e988f65f474cdd444e38d13f254b
SHA256
7694b71d1ec4857d7d4d0202598aa76682b03ac77a4414e7d3a9ad0c504547a3
SHA512
b7b74f767b0c5d9f9dc106437de4ada8c7f7cfd5897c2053c82ceb18224564cca05f91b62c2795a6054d4951c108d061a88dd18490fcf36a5640407f7f0aa92d
-
Filesize
197B
MD5
ad2d421ee90f37e11a03ea3c0f8d17d2
SHA1
a2b551fce6d414b56eec9715a0b54c4c22e9b9bf
SHA256
876da498d8fcf1bb4b9ffffc54a4e97a7b14e5643f3af4b21d6cf60c3a313f40
SHA512
61e5bc587e7d820abedd12924ed70f17014b1a42c28e94c8305035774dcd3814fe2b3073c30c65826b4d2960d4a83282a78259efed3bfa758a0348ce9ff9720b
-
Filesize
70KB
MD5
49aebf8cbd62d92ac215b2923fb1b9f5
SHA1
1723be06719828dda65ad804298d0431f6aff976
SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
197B
MD5
05aafb58ba7d6630e14cfe4dba7c64c1
SHA1
5cd3c912851a229104e2e9c2ccbcfbab3a8e486d
SHA256
dce98ca7a765bb8d3bee92ff91d99bd3c8654a2ea1739823fcfd75b9e0611457
SHA512
98fc9bdffbbbd217bd561892c60b265ae8a9d5ee8a3e485a2929578e362806c976bdb8c400235c3f546e158cd37650a56399856e15acdb3d593bbbbf096aa922
-
Filesize
197B
MD5
523620981a71735aec0921d34f92f2f4
SHA1
e43c764a1a1d31d7a2f4ec545f495603ed6a968c
SHA256
00e1dc7fce0dd9bc0074267afefe962b5ba810af6151c013c070ee9d262e89bb
SHA512
52a8e4cf08023ec10594236214ce1438f5b5a5ca448cf0b1b93fe8b04205a984719d6ce6a47f8e90cf4529ca84657587453a093713a7bae5704f9e52d854cb76
-
Filesize
197B
MD5
7a2d698230f96317b39631e559e9d3be
SHA1
5c309e5c395f4f033bb9e9314d267d2db78103bc
SHA256
e57f891785fc4b2e8b6e82eeae6bef96333fc34352224b982913a2c9b178a494
SHA512
4a03e3c5ff6f1583ea7bd422b55f1fa4b08f62f6db2b24c84a1265f11e8f84a329a7d99e04c956464b0670c06284c491e0bcd8395c80aba852c46d1287ecf0a3
-
Filesize
181KB
MD5
4ea6026cf93ec6338144661bf1202cd1
SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
197B
MD5
9c63f07a1bbf46edc0960c464c4afcec
SHA1
3f5d78a28dca9ac97d860cb8512c63c6c7b2c11a
SHA256
978e547ad80c3614fafacf3be384cb25fdbfdca5174c1e97c87aebd5092f753a
SHA512
88a9bd754c586b8b1a7e50ebe0068003229fbf8171fda227cf6b2dd50d9c1da464469e37270beea512e5b7dd5d4dbefd45d5ce5e3b826d315231edc521e5f6ba
-
Filesize
197B
MD5
d6f9ed498789dcd2b4be56638a3fd985
SHA1
e563952d59639e72a25a1f38fc18fb7b2a44d3ec
SHA256
75e81dc0a5c9e67a2459df376f887fb14a81a4ad99a2eede94f7605b4c5fc022
SHA512
e245ed80ab180b25e4e1a7dcca60f4c93048cb1d81449a5fcab70c3d405fe3dffc001b16439eb1c3642303097d1b11a5a175880260d849d6f6ba306a36238c3d
-
Filesize
197B
MD5
ae576b4af81545ed144cb893f224162a
SHA1
5520aa127dfa9e67c73f2d90abd3c91a2a965348
SHA256
fadf738d06d14daf654648bbd805b256e7661bdc0696a4a5c52777ecb79f09e6
SHA512
227741d843b10153473d00937610d9c3d2001f2d20feb6342c3fc57c0912815c8ca0a1925b3bce25b75ab8f5bf9a5df3302553d05880c2321b4509b48f01c04c
-
Filesize
197B
MD5
cafec672f0d016907e056b6aabc01855
SHA1
bf108d76e24caf5c0a7de2c36c75b00bd1a85179
SHA256
27909b03f5e13b8397c93d250d11eef2db439a3cbc03950a198b0bc9ac05658b
SHA512
62bed726eca450c9f5debe971da7d2d47f9eaec964d2c8c094ee848627d1b8b7240907926f2bf4cbf8fc8f619eba9af77e4f0d53a2b3f1147cdd5972dc5a4983
-
Filesize
197B
MD5
82bf7a2669e4375142c573bb7ba704f0
SHA1
8176e6300da59f5410e4147b3c3f08de36a424f5
SHA256
8854d715fef058fcdee722ff6baa7e869534b7c3782b6508a0a1d3137b23adea
SHA512
f4b3bb9c08b232fed66a0193efae0fa3f05647027aee360ccf2fc89e55be4a452708f02008c9b061cc3024bcc0878c87aec380fbb7f1ad8d9b12c41af8cffcf9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB
MD5
7bfff8a9dbf9b971de82054c64be5ddd
SHA1
c9faf26411f296acb16044714e004c7263533230
SHA256
c1593d4ee69ccafdd6ef6ae915aa9d5f4052e964741f9cb37df3dd80960ceab8
SHA512
312f3b648ba00c1c6dab3c43b79cedf080e21ebe9e1d98ff4b490330cc683447c66743ee0b2d1ecdeaf9222a879cd907c742e1a4840b9c19823a4073c1f90a2d
-
Filesize
36B
MD5
6783c3ee07c7d151ceac57f1f9c8bed7
SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD5
8088241160261560a02c84025d107592
SHA1
083121f7027557570994c9fc211df61730455bb5
SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5
bd31e94b4143c4ce49c17d3af46bcad0
SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394