Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system -
submitted
30/12/2024, 01:43
Behavioral task
behavioral1
Sample
JaffaCakes118_fb0ed5adb2db85894e9e02c58c49a01983ffb3ae3d74c6ad03376d2e883bb74b.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
JaffaCakes118_fb0ed5adb2db85894e9e02c58c49a01983ffb3ae3d74c6ad03376d2e883bb74b.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_fb0ed5adb2db85894e9e02c58c49a01983ffb3ae3d74c6ad03376d2e883bb74b.exe
-
Size
1.3MB
-
MD5
af97c7cb6f68b54d290f6505d168790d
-
SHA1
d947292a9d35d50ecfacb8169cb08e093fcb9d4f
-
SHA256
fb0ed5adb2db85894e9e02c58c49a01983ffb3ae3d74c6ad03376d2e883bb74b
-
SHA512
4e6014a9c2d20fddfe70c49707e787c55c857a0ecbc8e1ab3b81f62b9da9f998eb98453bd9c634e71c8e1fa9eee073926108ed265d4926ce04b52284235e6bc5
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
--- | --- | --- | --- | ---
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1644 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2548 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3004 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 804 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 704 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 572 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2404 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1180 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2476 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2700 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2876 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 796 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2720 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2692 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2336 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1824 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1624 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2824 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1292 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2016 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1964 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2484 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 688 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2228 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2184 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1884 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2412 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3056 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1100 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1496 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2180 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 404 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1524 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1740 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 944 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1772 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1520 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1976 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1728 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 748 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2460 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2356 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2976 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 376 | 2516 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2444 | 2516 | schtasks.exe | 34
-
resource | yara_rule
--- | ---
behavioral1/files/0x0007000000015cda-9.dat | dcrat
behavioral1/memory/2920-13-0x0000000001060000-0x0000000001170000-memory.dmp | dcrat
behavioral1/memory/544-61-0x0000000000F20000-0x0000000001030000-memory.dmp | dcrat
behavioral1/memory/692-253-0x00000000000F0000-0x0000000000200000-memory.dmp | dcrat
behavioral1/memory/2016-314-0x0000000000380000-0x0000000000490000-memory.dmp | dcrat
behavioral1/memory/2832-374-0x0000000000040000-0x0000000000150000-memory.dmp | dcrat
behavioral1/memory/2224-434-0x0000000000390000-0x00000000004A0000-memory.dmp | dcrat
behavioral1/memory/2028-494-0x0000000001050000-0x0000000001160000-memory.dmp | dcrat
behavioral1/memory/2500-614-0x0000000001300000-0x0000000001410000-memory.dmp | dcrat
behavioral1/memory/2700-674-0x00000000000D0000-0x00000000001E0000-memory.dmp | dcrat
behavioral1/memory/1980-734-0x0000000000EC0000-0x0000000000FD0000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
--- | ---
1680 | powershell.exe
1672 | powershell.exe
2200 | powershell.exe
2156 | powershell.exe
1064 | powershell.exe
1752 | powershell.exe
2472 | powershell.exe
2612 | powershell.exe
2632 | powershell.exe
876 | powershell.exe
2296 | powershell.exe
2276 | powershell.exe
2428 | powershell.exe
2024 | powershell.exe
1568 | powershell.exe
2648 | powershell.exe
-
Executes dropped EXE 12 IoCs
pid | Process
--- | ---
2920 | DllCommonsvc.exe
544 | WmiPrvSE.exe
2452 | WmiPrvSE.exe
692 | WmiPrvSE.exe
2016 | WmiPrvSE.exe
2832 | WmiPrvSE.exe
2224 | WmiPrvSE.exe
2028 | WmiPrvSE.exe
1368 | WmiPrvSE.exe
2500 | WmiPrvSE.exe
2700 | WmiPrvSE.exe
1980 | WmiPrvSE.exe
-
Loads dropped DLL 2 IoCs
pid | Process
--- | ---
2792 | cmd.exe
2792 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow | ioc
--- | ---
4 | raw.githubusercontent.com
9 | raw.githubusercontent.com
13 | raw.githubusercontent.com
23 | raw.githubusercontent.com
33 | raw.githubusercontent.com
37 | raw.githubusercontent.com
5 | raw.githubusercontent.com
16 | raw.githubusercontent.com
20 | raw.githubusercontent.com
26 | raw.githubusercontent.com
30 | raw.githubusercontent.com
-
Drops file in Program Files directory 9 IoCs
description | ioc | Process
--- | --- | ---
File created | C:\Program Files\Internet Explorer\images\42af1c969fbb7b | DllCommonsvc.exe
File created | C:\Program Files\Google\c5b4cb5e9653cc | DllCommonsvc.exe
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\69ddcba757bf72 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\dllhost.exe | DllCommonsvc.exe
File created | C:\Program Files\Internet Explorer\images\audiodg.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files\Internet Explorer\images\audiodg.exe | DllCommonsvc.exe
File created | C:\Program Files\Google\services.exe | DllCommonsvc.exe
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\smss.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\5940a34987c991 | DllCommonsvc.exe
-
Drops file in Windows directory 6 IoCs
description | ioc | Process
--- | --- | ---
File created | C:\Windows\Migration\WTR\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Windows\Microsoft.NET\Framework\winlogon.exe | DllCommonsvc.exe
File created | C:\Windows\Microsoft.NET\Framework\cc11b995f2a76d | DllCommonsvc.exe
File created | C:\Windows\Prefetch\ReadyBoot\lsm.exe | DllCommonsvc.exe
File created | C:\Windows\Prefetch\ReadyBoot\101b941d020240 | DllCommonsvc.exe
File created | C:\Windows\Migration\WTR\csrss.exe | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
--- | --- | ---
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_fb0ed5adb2db85894e9e02c58c49a01983ffb3ae3d74c6ad03376d2e883bb74b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
--- | ---
1100 | schtasks.exe
1772 | schtasks.exe
572 | schtasks.exe
2692 | schtasks.exe
1824 | schtasks.exe
1884 | schtasks.exe
2412 | schtasks.exe
944 | schtasks.exe
2976 | schtasks.exe
3004 | schtasks.exe
704 | schtasks.exe
2876 | schtasks.exe
1624 | schtasks.exe
2016 | schtasks.exe
2184 | schtasks.exe
2356 | schtasks.exe
2444 | schtasks.exe
804 | schtasks.exe
796 | schtasks.exe
2720 | schtasks.exe
2336 | schtasks.exe
2228 | schtasks.exe
1976 | schtasks.exe
1728 | schtasks.exe
2548 | schtasks.exe
2700 | schtasks.exe
3056 | schtasks.exe
404 | schtasks.exe
1520 | schtasks.exe
376 | schtasks.exe
1292 | schtasks.exe
2484 | schtasks.exe
2180 | schtasks.exe
1740 | schtasks.exe
748 | schtasks.exe
2460 | schtasks.exe
1644 | schtasks.exe
2404 | schtasks.exe
2824 | schtasks.exe
688 | schtasks.exe
1524 | schtasks.exe
1180 | schtasks.exe
2476 | schtasks.exe
1964 | schtasks.exe
1496 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid | Process
--- | ---
2920 | DllCommonsvc.exe
2920 | DllCommonsvc.exe
2920 | DllCommonsvc.exe
1064 | powershell.exe
2296 | powershell.exe
876 | powershell.exe
2648 | powershell.exe
1680 | powershell.exe
1752 | powershell.exe
1568 | powershell.exe
1672 | powershell.exe
2428 | powershell.exe
2612 | powershell.exe
2472 | powershell.exe
2156 | powershell.exe
2024 | powershell.exe
2632 | powershell.exe
2276 | powershell.exe
2200 | powershell.exe
544 | WmiPrvSE.exe
2452 | WmiPrvSE.exe
692 | WmiPrvSE.exe
2016 | WmiPrvSE.exe
2832 | WmiPrvSE.exe
2224 | WmiPrvSE.exe
2028 | WmiPrvSE.exe
1368 | WmiPrvSE.exe
2500 | WmiPrvSE.exe
2700 | WmiPrvSE.exe
1980 | WmiPrvSE.exe
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
description | pid | Process
--- | --- | ---
Token: SeDebugPrivilege | 2920 | DllCommonsvc.exe
Token: SeDebugPrivilege | 1064 | powershell.exe
Token: SeDebugPrivilege | 2296 | powershell.exe
Token: SeDebugPrivilege | 876 | powershell.exe
Token: SeDebugPrivilege | 2648 | powershell.exe
Token: SeDebugPrivilege | 1680 | powershell.exe
Token: SeDebugPrivilege | 1752 | powershell.exe
Token: SeDebugPrivilege | 1568 | powershell.exe
Token: SeDebugPrivilege | 544 | WmiPrvSE.exe
Token: SeDebugPrivilege | 1672 | powershell.exe
Token: SeDebugPrivilege | 2428 | powershell.exe
Token: SeDebugPrivilege | 2612 | powershell.exe
Token: SeDebugPrivilege | 2472 | powershell.exe
Token: SeDebugPrivilege | 2156 | powershell.exe
Token: SeDebugPrivilege | 2024 | powershell.exe
Token: SeDebugPrivilege | 2632 | powershell.exe
Token: SeDebugPrivilege | 2276 | powershell.exe
Token: SeDebugPrivilege | 2200 | powershell.exe
Token: SeDebugPrivilege | 2452 | WmiPrvSE.exe
Token: SeDebugPrivilege | 692 | WmiPrvSE.exe
Token: SeDebugPrivilege | 2016 | WmiPrvSE.exe
Token: SeDebugPrivilege | 2832 | WmiPrvSE.exe
Token: SeDebugPrivilege | 2224 | WmiPrvSE.exe
Token: SeDebugPrivilege | 2028 | WmiPrvSE.exe
Token: SeDebugPrivilege | 1368 | WmiPrvSE.exe
Token: SeDebugPrivilege | 2500 | WmiPrvSE.exe
Token: SeDebugPrivilege | 2700 | WmiPrvSE.exe
Token: SeDebugPrivilege | 1980 | WmiPrvSE.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
--- | --- | --- | ---
PID 2200 wrote to memory of 2748 | 2200 | JaffaCakes118_fb0ed5adb2db85894e9e02c58c49a01983ffb3ae3d74c6ad03376d2e883bb74b.exe | 30
PID 2200 wrote to memory of 2748 | 2200 | JaffaCakes118_fb0ed5adb2db85894e9e02c58c49a01983ffb3ae3d74c6ad03376d2e883bb74b.exe | 30
PID 2200 wrote to memory of 2748 | 2200 | JaffaCakes118_fb0ed5adb2db85894e9e02c58c49a01983ffb3ae3d74c6ad03376d2e883bb74b.exe | 30
PID 2200 wrote to memory of 2748 | 2200 | JaffaCakes118_fb0ed5adb2db85894e9e02c58c49a01983ffb3ae3d74c6ad03376d2e883bb74b.exe | 30
PID 2748 wrote to memory of 2792 | 2748 | WScript.exe | 31
PID 2748 wrote to memory of 2792 | 2748 | WScript.exe | 31
PID 2748 wrote to memory of 2792 | 2748 | WScript.exe | 31
PID 2748 wrote to memory of 2792 | 2748 | WScript.exe | 31
PID 2792 wrote to memory of 2920 | 2792 | cmd.exe | 33
PID 2792 wrote to memory of 2920 | 2792 | cmd.exe | 33
PID 2792 wrote to memory of 2920 | 2792 | cmd.exe | 33
PID 2792 wrote to memory of 2920 | 2792 | cmd.exe | 33
PID 2920 wrote to memory of 1064 | 2920 | DllCommonsvc.exe | 80
PID 2920 wrote to memory of 1064 | 2920 | DllCommonsvc.exe | 80
PID 2920 wrote to memory of 1064 | 2920 | DllCommonsvc.exe | 80
PID 2920 wrote to memory of 2296 | 2920 | DllCommonsvc.exe | 81
PID 2920 wrote to memory of 2296 | 2920 | DllCommonsvc.exe | 81
PID 2920 wrote to memory of 2296 | 2920 | DllCommonsvc.exe | 81
PID 2920 wrote to memory of 1752 | 2920 | DllCommonsvc.exe | 82
PID 2920 wrote to memory of 1752 | 2920 | DllCommonsvc.exe | 82
PID 2920 wrote to memory of 1752 | 2920 | DllCommonsvc.exe | 82
PID 2920 wrote to memory of 876 | 2920 | DllCommonsvc.exe | 83
PID 2920 wrote to memory of 876 | 2920 | DllCommonsvc.exe | 83
PID 2920 wrote to memory of 876 | 2920 | DllCommonsvc.exe | 83
PID 2920 wrote to memory of 1680 | 2920 | DllCommonsvc.exe | 85
PID 2920 wrote to memory of 1680 | 2920 | DllCommonsvc.exe | 85
PID 2920 wrote to memory of 1680 | 2920 | DllCommonsvc.exe | 85
PID 2920 wrote to memory of 2472 | 2920 | DllCommonsvc.exe | 86
PID 2920 wrote to memory of 2472 | 2920 | DllCommonsvc.exe | 86
PID 2920 wrote to memory of 2472 | 2920 | DllCommonsvc.exe | 86
PID 2920 wrote to memory of 2276 | 2920 | DllCommonsvc.exe | 87
PID 2920 wrote to memory of 2276 | 2920 | DllCommonsvc.exe | 87
PID 2920 wrote to memory of 2276 | 2920 | DllCommonsvc.exe | 87
PID 2920 wrote to memory of 1568 | 2920 | DllCommonsvc.exe | 90
PID 2920 wrote to memory of 1568 | 2920 | DllCommonsvc.exe | 90
PID 2920 wrote to memory of 1568 | 2920 | DllCommonsvc.exe | 90
PID 2920 wrote to memory of 1672 | 2920 | DllCommonsvc.exe | 91
PID 2920 wrote to memory of 1672 | 2920 | DllCommonsvc.exe | 91
PID 2920 wrote to memory of 1672 | 2920 | DllCommonsvc.exe | 91
PID 2920 wrote to memory of 2156 | 2920 | DllCommonsvc.exe | 93
PID 2920 wrote to memory of 2156 | 2920 | DllCommonsvc.exe | 93
PID 2920 wrote to memory of 2156 | 2920 | DllCommonsvc.exe | 93
PID 2920 wrote to memory of 2024 | 2920 | DllCommonsvc.exe | 94
PID 2920 wrote to memory of 2024 | 2920 | DllCommonsvc.exe | 94
PID 2920 wrote to memory of 2024 | 2920 | DllCommonsvc.exe | 94
PID 2920 wrote to memory of 2612 | 2920 | DllCommonsvc.exe | 95
PID 2920 wrote to memory of 2612 | 2920 | DllCommonsvc.exe | 95
PID 2920 wrote to memory of 2612 | 2920 | DllCommonsvc.exe | 95
PID 2920 wrote to memory of 2648 | 2920 | DllCommonsvc.exe | 96
PID 2920 wrote to memory of 2648 | 2920 | DllCommonsvc.exe | 96
PID 2920 wrote to memory of 2648 | 2920 | DllCommonsvc.exe | 96
PID 2920 wrote to memory of 2632 | 2920 | DllCommonsvc.exe | 98
PID 2920 wrote to memory of 2632 | 2920 | DllCommonsvc.exe | 98
PID 2920 wrote to memory of 2632 | 2920 | DllCommonsvc.exe | 98
PID 2920 wrote to memory of 2200 | 2920 | DllCommonsvc.exe | 99
PID 2920 wrote to memory of 2200 | 2920 | DllCommonsvc.exe | 99
PID 2920 wrote to memory of 2200 | 2920 | DllCommonsvc.exe | 99
PID 2920 wrote to memory of 2428 | 2920 | DllCommonsvc.exe | 100
PID 2920 wrote to memory of 2428 | 2920 | DllCommonsvc.exe | 100
PID 2920 wrote to memory of 2428 | 2920 | DllCommonsvc.exe | 100
PID 2920 wrote to memory of 544 | 2920 | DllCommonsvc.exe | 112
PID 2920 wrote to memory of 544 | 2920 | DllCommonsvc.exe | 112
PID 2920 wrote to memory of 544 | 2920 | DllCommonsvc.exe | 112
PID 544 wrote to memory of 1888 | 544 | WmiPrvSE.exe | 113
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fb0ed5adb2db85894e9e02c58c49a01983ffb3ae3d74c6ad03376d2e883bb74b.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fb0ed5adb2db85894e9e02c58c49a01983ffb3ae3d74c6ad03376d2e883bb74b.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2200 -
Level 2: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2748 -
Level 3: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792 -
Level 4: C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2920 -
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1064
-
-
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\images\audiodg.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2296
-
-
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1752
-
-
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\conhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:876
-
-
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1680
-
-
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2472
-
-
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\winlogon.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2276
-
-
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Favorites\WmiPrvSE.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568
-
-
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\services.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1672
-
-
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\lsm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2156
-
-
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Favorites\WmiPrvSE.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2024
-
-
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\106.0.5249.119\smss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2612
-
-
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\PrintHood\smss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2648
-
-
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\wininit.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2632
-
-
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\dllhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2200
-
-
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2428
-
-
Level 5: C:\Users\Public\Favorites\WmiPrvSE.exe
Command line: "C:\Users\Public\Favorites\WmiPrvSE.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:544 -
Level 6: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\57xCWyooww.bat"
PID:1888
-
Level 7: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:748
-
-
Level 7: C:\Users\Public\Favorites\WmiPrvSE.exe
Command line: "C:\Users\Public\Favorites\WmiPrvSE.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2452 -
Level 8: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat"
PID:444
-
Level 9: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2676
-
-
Level 9: C:\Users\Public\Favorites\WmiPrvSE.exe
Command line: "C:\Users\Public\Favorites\WmiPrvSE.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:692 -
Level 10: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat"
PID:2796
-
Level 11: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1676
-
-
Level 11: C:\Users\Public\Favorites\WmiPrvSE.exe
Command line: "C:\Users\Public\Favorites\WmiPrvSE.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2016 -
Level 12: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FjqlTNZm6T.bat"
PID:544
-
Level 13: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:748
-
-
Level 13: C:\Users\Public\Favorites\WmiPrvSE.exe
Command line: "C:\Users\Public\Favorites\WmiPrvSE.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2832 -
Level 14: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DemtbJLPzJ.bat"
PID:2452
-
Level 15: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2560
-
-
Level 15: C:\Users\Public\Favorites\WmiPrvSE.exe
Command line: "C:\Users\Public\Favorites\WmiPrvSE.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224 -
Level 16: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat"
PID:704
-
Level 17: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2924
-
-
Level 17: C:\Users\Public\Favorites\WmiPrvSE.exe
Command line: "C:\Users\Public\Favorites\WmiPrvSE.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2028 -
Level 18: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DemtbJLPzJ.bat"
PID:2896
-
Level 19: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:540
-
-
Level 19: C:\Users\Public\Favorites\WmiPrvSE.exe
Command line: "C:\Users\Public\Favorites\WmiPrvSE.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1368 -
Level 20: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat"
PID:2416
-
Level 21: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:800
-
-
Level 21: C:\Users\Public\Favorites\WmiPrvSE.exe
Command line: "C:\Users\Public\Favorites\WmiPrvSE.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2500 -
Level 22: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat"
PID:2080
-
Level 23: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1540
-
-
Level 23: C:\Users\Public\Favorites\WmiPrvSE.exe
Command line: "C:\Users\Public\Favorites\WmiPrvSE.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700 -
Level 24: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat"
PID:1728
-
Level 25: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1700
-
-
Level 25: C:\Users\Public\Favorites\WmiPrvSE.exe
Command line: "C:\Users\Public\Favorites\WmiPrvSE.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\images\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\images\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\conhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Migration\WTR\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\providercommon\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\Microsoft.NET\Framework\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\Framework\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Favorites\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Favorites\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Favorites\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Google\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\ReadyBoot\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\ReadyBoot\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Favorites\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Favorites\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Favorites\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Default\PrintHood\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default\PrintHood\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Music\Sample Music\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\Sample Music\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\providercommon\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444
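Every task registered above follows the same template: a dropped copy of a Windows process name (conhost, csrss, audiodg, winlogon, WmiPrvSE, services, lsm, smss, wininit, dllhost, spoolsv) placed in a directory where that binary does not belong, registered once ONLOGON with /rl HIGHEST and twice more on a MINUTE schedule (one task with /rl HIGHEST, one without), each /create using /f so a re-run silently overwrites the previous task. The following triage script is an added example and is not part of the sandbox report: it parses schtasks /create command lines of the kind shown above (from a sandbox process tree or from Sysmon Event ID 1 / Security 4688 CommandLine fields) and collapses them into one finding per planted binary. The SYSTEM_BINARIES set, the LEGIT_PREFIXES list and the 15-minute interval threshold are assumptions chosen for this example; the first five sample lines are copied from the process tree above, the last two are constructed controls.

```python
"""Triage of schtasks /create command lines, as captured in a sandbox process
tree or in Sysmon Event ID 1 / Security 4688 CommandLine fields."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Names of genuine Windows processes that the tasks above impersonate (assumed list).
SYSTEM_BINARIES = {
    "conhost.exe", "csrss.exe", "audiodg.exe", "winlogon.exe", "wmiprvse.exe",
    "services.exe", "lsm.exe", "smss.exe", "wininit.exe", "dllhost.exe",
    "spoolsv.exe", "lsass.exe", "svchost.exe",
}
# Where those names legitimately live; a copy anywhere else was planted (assumed list).
LEGIT_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# One schtasks switch plus its optional value: either "quoted" or a bare token.
_FLAG_RE = re.compile(r'/(\w+)(?:\s+(?:"([^"]*)"|([^\s"/][^\s"]*)))?')


@dataclass
class TaskCreate:
    name: str
    schedule: str        # MINUTE, ONLOGON, DAILY, ...
    every: int | None    # /mo value, in units of the schedule
    action: str          # program the task launches, quotes stripped
    run_level: str       # HIGHEST, or schtasks' default LIMITED
    force: bool          # /f silently overwrites a task of the same name


def parse_schtasks_create(cmdline: str) -> TaskCreate | None:
    """Return None for anything that is not a 'schtasks /create' with an action."""
    flags: dict[str, str] = {}
    for key, quoted, bare in _FLAG_RE.findall(cmdline):
        flags[key.lower()] = quoted or bare
    if "create" not in flags or not flags.get("tr"):
        return None
    mo = flags.get("mo", "")
    return TaskCreate(
        name=flags.get("tn", ""),
        schedule=flags.get("sc", "").upper(),
        every=int(mo) if mo.isdigit() else None,
        action=flags["tr"].strip().strip("'\""),
        run_level=flags.get("rl", "LIMITED").upper(),
        force="f" in flags,
    )


def assess(task: TaskCreate) -> list[str]:
    """Reasons a task creation matches the persistence pattern above; [] if none."""
    reasons: list[str] = []
    exe = task.action.rsplit("\\", 1)[-1].lower()
    if exe in SYSTEM_BINARIES and not task.action.lower().startswith(LEGIT_PREFIXES):
        reasons.append(f"masquerade: {exe} launched from {task.action}")
    if task.schedule == "MINUTE" and task.every is not None and task.every <= 15:
        reasons.append(f"re-launch every {task.every} min")
    if task.schedule == "ONLOGON":
        reasons.append("runs at every logon")
    if task.run_level == "HIGHEST":
        reasons.append("run level HIGHEST")
    return reasons


def triage(cmdlines) -> dict[str, list[str]]:
    """Collapse many /create lines into one entry per planted binary, keeping the
    distinct reasons seen; only actions that masquerade as a system binary are kept."""
    report: dict[str, set[str]] = {}
    for line in cmdlines:
        task = parse_schtasks_create(line)
        if task is None:
            continue
        reasons = assess(task)
        if any(r.startswith("masquerade") for r in reasons):
            report.setdefault(task.action, set()).update(reasons)
    return {path: sorted(rs) for path, rs in report.items()}


SAMPLE_CMDLINES = [
    # Five command lines copied from the process tree above.
    r'''schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\conhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\smss.exe'" /f''',
    r'''schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\smss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\services.exe'" /f''',
    # Constructed controls (not from the report): a genuine system path and a non-/create call.
    r'''schtasks.exe /create /tn "ConsoleHostCheck" /sc DAILY /st 02:00 /tr "C:\Windows\System32\conhost.exe" /f''',
    r'''schtasks.exe /query /tn "csrss"''',
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_CMDLINES).items():
        print(path)
        for reason in reasons:
            print("   ", reason)
```

Run over the seven sample lines, triage returns four planted paths (conhost, csrss, smss, services) and ignores the System32 control and the /query call. The same assess logic applies on a live host once the action path has been pulled from Get-ScheduledTask or schtasks /query output; the sandbox's own "unexpected child process" signature fires on a different signal, the parent being wmiprvse.exe, which this script does not see.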
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 78929b7f8c5ee97352554f1bbb8c3b0b
SHA1: 18e9b20888085afb6d665ec382f143611ac94ca0
SHA256: abadd1773dfe8a34ec29623d5dd19b923eddf410e0da9be21456b09a4c61aa84
SHA512: d86d74e26267a2c82c81385bf525a73e4ad70d547b19be61bde09697a9b7257757fec20e7bd8823af44df35098f2f54bbcbbdd227bdac9d805430837f2ca35d4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 2fa2b7bf72f1e88928016804ccefdde9
SHA1: c4696e19d554d0e5533fc38f3187c04d47c68688
SHA256: f97781c2bc5a81378794d9d71adae82c40c5f20eee598cf599925c51fc710a65
SHA512: a99cba73c41bee2e49c4860de48ba7195b32cfd66e5480c4fed31e4d62c6c639e316803580090cf0d2a889e692333778b97d2997c3ba3b40979c89059a0d8117
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: b37c7681264b6c9496b2428760e3641a
SHA1: 5f7f299c04ed6f79939fa2a068599135c094bb30
SHA256: 45dd5a3239879cae318dcf0b665c77112b1f123f2742d216abb99c49a74656b9
SHA512: 6dedd876c960d16c2087621ce7f36af56e779e1390d42ba2ce6177f479e4315d09c088e5f509abb7c8cd152d303f56a5d688ade7ca5eaf41e14a57465c987d3f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: e0d4c589dee72b02d6662f51bc6b6cde
SHA1: bc72f1ff323d66b49de06cf7b56c86926709c94c
SHA256: 39856c27d31cda196b82955831eb99430606ad9f834d1827fb63b4db9ec3d3f8
SHA512: ce58178ca27e2649ae4f7c133032e31e570dfc1f62294d8a067915afdb5cc27634dd03605a3bb998fbed88aaf1e23f5ca13f30e2d2360db5632d6eef6fe1c660
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: c64ad84c4eab3fe0651330a265bdcb72
SHA1: 9c1762129cea96c58713a199755243b93bec55a9
SHA256: 195a877fb0eb14761cef9f256425b0510fd62ca80a6981001d874228d7eb8080
SHA512: ac47f233435180de964386ba94c46ea9f34afad3fdb3d07860de56666cfc06101013c480b33d5875f108e7ff97d2f89ce2be61921d9f109500bd489850f643a2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 918b6e6edc79daa3d3e9881af5fc1a4c
SHA1: 9aa5b376bc289ad145064df079338b2fad980655
SHA256: f4f16044ee1920f5850a2fb242d8e825fd3a488447d81e5f932d7958a438cd36
SHA512: 3cbc9b54ad64d79d0ea805c99c83fe67b5a3ce144fc4ca035d1422ba3426a70eb42d848165213619a7ef6c01a895b527c015f6bacf6051c7ab5b1ca7d5bdc77b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 00582bf29380336b81c5c4e0105022de
SHA1: 628e5550b7fe8d385c1a64699636c49266eda673
SHA256: b212ef46cfdac7beb955c1e61f783834bde4b327443671fef977cf6483afb5a3
SHA512: e2c21d29c1c2f9bf95972b87bbb92c3bbc1bc56305c1ebe1a8b999cb5409b37e4bc69e065bb903be92b739704e31a563983c840f9ad0486d7fd842cba6d83c23
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: d68a35a74cf00bafb5622374682cfc18
SHA1: 474104f959cc397bb3b5198d5dbd09f73884a24a
SHA256: c226e7f83213afd85377144ee3c4d52e4406b9db22a955be9e742167418813eb
SHA512: 1ff4014cafbeaf22354d14eb09e7acbac764f29141bdf3446695a4be987707abfe1f840963583fb3c87ba2c658c5347b483031177a934d17fe9eae47b8f8454a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: b174e45a8d35acc56c78989800919d6b
SHA1: f21bc8878248651ec9625abdc0bd83564d4f03da
SHA256: 8d61091b50c03d789f1f873099946927ee9b7aacaf757b23211dad9c990089bd
SHA512: e562b0562965734a180b03285adbfe7088dd059edf05eedb3f71a35ff65c4d4e3b708485dd79a340ef447189b136630c588fc2d37a13326efe5c553d41d41a3a
-
Filesize: 203B
MD5: a18c5bd65af5aa03e1b939adf6aeb55a
SHA1: 94740d5c6dfff90dc0733728cd7fd6c5222ca9ee
SHA256: 9cd5397e974d90e4f217103457cfd195a2c468e7057f5dc6bf10b13131ad2578
SHA512: 556a9dbcb15bc7dd91ec7a7c744ebf5c7675bbdebba4fe75d5f97dc5683906cfffcd6bbb6816df411eb395b4c10e90417fde64fd6dac89604feb1329ba855c36
-
Filesize: 203B
MD5: 8c8b8ffb18965c507bf21c61f53bbcdf
SHA1: 354b713615fc4c76c154aaf9cccc3669bd5c0f19
SHA256: 5f4633de4e1ffe965f7f09911455023fa0f240516223a59dcbcf071c3a600b66
SHA512: d44237123f638e57e645ddae5aa77468288c9afea1b84b739cd9593cf359046f5288a4f9c02ea5e8c8b4fbc370ae580f0e953dcee1c7940ce708766cb8fb1fc6
-
Filesize: 203B
MD5: 75f5f8ed62bc480da8110cd1c73f17a1
SHA1: 7c43e281b72b6ab11c6a58a834b5f195de5e82f3
SHA256: b8e5347f2bac6059a265bcf151453fcdd0b104573cfcae6dc2cb82cbe434bcfc
SHA512: 7dac5b54b02ed095950d67361ba1d8142ed9dc7ec155ee00623c5d031668f6882deef72b77a55b6b93afc1e3eaddcb12407c476c2b6e22e4a56403b61b4d4e1c
-
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize: 203B
MD5: 55d3d224702b3b4e8b6e16a0ee6e87a3
SHA1: 347132fd60486892dc7c3205077290e07f8c0db1
SHA256: 4844380c4e3e79df5e25e5a67654996ff3c8f3cc25fa04da8bafc3507e8d93a4
SHA512: 47589e4367a57ea325d3f863527e4c35e666515202d1b57cd5e05c1da82a1dffe9d6232707b9e16dd87af3fe71554624f716531e7eb900a249b09c8111fa60d8
-
Filesize: 203B
MD5: 3a7d81a98d38d82dabdf1908b76d28fe
SHA1: 78be118edaa1afa36635e551aa6516c6eee1f9a9
SHA256: bf0728099f2c3c31138bdb5395fb9b9ed2df48b5b15f854b342c123b396f0480
SHA512: b1ed3cb79cfe986fb1d7b29b7c13c58bb750e1372616dcd8a380bf3cb0a7fe48cba44517f05b53eaf03cdaece493b4f476e1eb64b0f960a95b3a13c3cf2bfaa9
-
Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize: 203B
MD5: 9c6a4359e05e50845cfe51f21dd14d00
SHA1: a7932f7fb955bbc4169f81ea98861017d2c50db9
SHA256: 7b47fc487b77c7e362b88e0e561e43c3419b24b607fde509e43eb928a2c2c4db
SHA512: f1dd7906ddf32ff2b1629bc039e413ec91d56ee0d06ae8f4bae576822eb121d8db90f1ef5d7fc62d7e7dd84008b2ee7134e56d6800590425c72030de3f64f415
-
Filesize: 203B
MD5: 516915faa4e042764d4d720d9a1a28f0
SHA1: 0d7755677f5a6f489d55b0ed384cd1e2590d5e90
SHA256: 850ace7d0990fb68b5fbe9c6cb95711c0af7ff9c2fe6e54656a49adf2a05bb2d
SHA512: 11acd0fea59062df4603b94d2446db7f379d10aaf52d7ff5f8fdeeecf74930fed25eb37c5b3a20581d9c439c9906a0c859f3d58a38d690c5dbf724efc20b0b6c
-
Filesize: 203B
MD5: 093abe1d95cdb3998bab2564cc2e1cac
SHA1: 6541d2801a6e1b031df114624a37e41c40689791
SHA256: 7767bcee9ed87b643acc08f9da542e3b1972109368078c7f6f81cf6c311549dc
SHA512: fde71e329de96fbecfd7391e73deb929c93ecbdd40698968fb586450b3c7ad781d81ebb48e85fc882c65222f6fe7067fe43b0727dcfc28f78eaf5dff4d481840
-
Filesize: 203B
MD5: 3214b5d1a1d41c0920bf73f0472fdce9
SHA1: 63aaad6feacf4fa08d60f36d3e6c13670a89bc71
SHA256: d1c65c16386c1a51ac50b3ade102aaf2300ee1b0cda9adfdf0a88f9c43a04b76
SHA512: 7a89254e09a8cefa45406b40da53933ddf6b3d2032857470258a5ee1623dc9250abef34df2d6d2ca5ea04819d504ebda19823e55537cac1812c91fb58da8bacc
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 0a2dbb8f0f138e303da902daa5dbf59a
SHA1: 40ead8efa38248d53068f9bbb6e33946e24f813d
SHA256: 58263821c076998c7f515d4b3f97ca25249b260c7ff8ca9cad38d87238b04840
SHA512: 86fa1206f7d491795ecd5f470a3142d79773ef8c07f0513d547e2829d0f5a8c9bc731dfea4b67ca22f01802c9abba895705f598ba95ed0806d67e453649f6b52
-
Filesize: 36B
MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize: 197B
MD5: 8088241160261560a02c84025d107592
SHA1: 083121f7027557570994c9fc211df61730455bb5
SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize: 1.0MB
MD5: bd31e94b4143c4ce49c17d3af46bcad0
SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394