Analysis
max time kernel: 146s
max time network: 145s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
submitted: 30/12/2024, 01:50
Behavioral task: behavioral1
Sample: JaffaCakes118_5c0e63d6e1c302991ee83f8d3dda67e76c43c480af0236cade9dda14b1eb6f11.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: JaffaCakes118_5c0e63d6e1c302991ee83f8d3dda67e76c43c480af0236cade9dda14b1eb6f11.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_5c0e63d6e1c302991ee83f8d3dda67e76c43c480af0236cade9dda14b1eb6f11.exe
Size: 1.3MB
MD5: 5062614a06b3e5793522dbc1119a643b
SHA1: 6b97b6d548e8cdb9ed861b707ad336562974928a
SHA256: 5c0e63d6e1c302991ee83f8d3dda67e76c43c480af0236cade9dda14b1eb6f11
SHA512: 8ba800b02de0295f1ff11e8e0fb660bd322515773a3064df497e383b6ef2974d96a9f5d3e89a5cd76e8035adb2aa7eec06f3e571959a9e95a1ca54d3582f70cf
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process (48 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2672 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2704 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 804 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1684 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2988 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 304 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2276 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2500 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1376 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2596 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3048 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2920 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2092 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1892 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2236 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2312 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1884 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2292 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1176 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 772 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 272 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1744 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2188 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2480 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2360 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1940 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2140 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2136 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1384 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1888 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 988 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 980 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2496 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 344 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 592 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2660 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2228 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2592 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2020 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 800 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2436 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2056 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1660 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2032 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2472 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 300 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1992 | 2836 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1712 | 2836 | schtasks.exe | 34
resource | yara_rule
behavioral1/files/0x00060000000186dd-12.dat | dcrat
behavioral1/memory/2880-13-0x0000000000140000-0x0000000000250000-memory.dmp | dcrat
behavioral1/memory/2672-56-0x0000000000E50000-0x0000000000F60000-memory.dmp | dcrat
behavioral1/memory/1164-197-0x00000000001E0000-0x00000000002F0000-memory.dmp | dcrat
behavioral1/memory/2136-257-0x0000000000AE0000-0x0000000000BF0000-memory.dmp | dcrat
behavioral1/memory/696-317-0x0000000000E40000-0x0000000000F50000-memory.dmp | dcrat
behavioral1/memory/2796-495-0x00000000011F0000-0x0000000001300000-memory.dmp | dcrat
behavioral1/memory/2928-674-0x0000000000350000-0x0000000000460000-memory.dmp | dcrat
behavioral1/memory/2888-734-0x0000000000D60000-0x0000000000E70000-memory.dmp | dcrat
- Command and Scripting Interpreter: PowerShell (1 TTP, 17 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
1584 | powershell.exe
2124 | powershell.exe
2904 | powershell.exe
1692 | powershell.exe
3016 | powershell.exe
1780 | powershell.exe
2804 | powershell.exe
2540 | powershell.exe
1576 | powershell.exe
2772 | powershell.exe
2912 | powershell.exe
1760 | powershell.exe
2968 | powershell.exe
2216 | powershell.exe
1620 | powershell.exe
2908 | powershell.exe
2180 | powershell.exe
- Executes dropped EXE (12 IoCs)
pid | Process
2880 | DllCommonsvc.exe
2672 | cmd.exe
1164 | cmd.exe
2136 | cmd.exe
696 | cmd.exe
1452 | cmd.exe
2032 | cmd.exe
2796 | cmd.exe
1408 | cmd.exe
1872 | cmd.exe
2928 | cmd.exe
2888 | cmd.exe
- Loads dropped DLL (2 IoCs)
pid | Process
2888 | cmd.exe
2888 | cmd.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 11 IoCs)
flow | ioc
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
15 | raw.githubusercontent.com
26 | raw.githubusercontent.com
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com
19 | raw.githubusercontent.com
22 | raw.githubusercontent.com
29 | raw.githubusercontent.com
33 | raw.githubusercontent.com
36 | raw.githubusercontent.com
- Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File created | C:\Program Files\Windows Photo Viewer\fr-FR\winlogon.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Photo Viewer\fr-FR\cc11b995f2a76d | DllCommonsvc.exe
- Drops file in Windows directory (9 IoCs)
description | ioc | Process
File created | C:\Windows\SoftwareDistribution\ScanFile\6cb0b6c459d5d3 | DllCommonsvc.exe
File created | C:\Windows\fr-FR\b75386f1303e64 | DllCommonsvc.exe
File created | C:\Windows\SoftwareDistribution\ScanFile\dwm.exe | DllCommonsvc.exe
File opened for modification | C:\Windows\SoftwareDistribution\ScanFile\dwm.exe | DllCommonsvc.exe
File created | C:\Windows\Speech\Common\ja-JP\dwm.exe | DllCommonsvc.exe
File created | C:\Windows\fr-FR\taskhost.exe | DllCommonsvc.exe
File created | C:\Windows\CSC\v2.0.6\cmd.exe | DllCommonsvc.exe
File created | C:\Windows\ja-JP\spoolsv.exe | DllCommonsvc.exe
File created | C:\Windows\ja-JP\f3b6ecef712a24 | DllCommonsvc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_5c0e63d6e1c302991ee83f8d3dda67e76c43c480af0236cade9dda14b1eb6f11.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 48 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
800 | schtasks.exe
2660 | schtasks.exe
2592 | schtasks.exe
804 | schtasks.exe
2276 | schtasks.exe
2500 | schtasks.exe
2312 | schtasks.exe
2140 | schtasks.exe
980 | schtasks.exe
2056 | schtasks.exe
2436 | schtasks.exe
2032 | schtasks.exe
2596 | schtasks.exe
2092 | schtasks.exe
1176 | schtasks.exe
1744 | schtasks.exe
2480 | schtasks.exe
1940 | schtasks.exe
1992 | schtasks.exe
2496 | schtasks.exe
344 | schtasks.exe
2228 | schtasks.exe
2020 | schtasks.exe
2472 | schtasks.exe
300 | schtasks.exe
1888 | schtasks.exe
592 | schtasks.exe
2704 | schtasks.exe
1684 | schtasks.exe
3048 | schtasks.exe
1884 | schtasks.exe
2292 | schtasks.exe
772 | schtasks.exe
1660 | schtasks.exe
2672 | schtasks.exe
2920 | schtasks.exe
1892 | schtasks.exe
2236 | schtasks.exe
272 | schtasks.exe
2188 | schtasks.exe
2988 | schtasks.exe
304 | schtasks.exe
1376 | schtasks.exe
1384 | schtasks.exe
988 | schtasks.exe
2360 | schtasks.exe
2136 | schtasks.exe
1712 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (30 IoCs)
pid | Process
2880 | DllCommonsvc.exe
2880 | DllCommonsvc.exe
2880 | DllCommonsvc.exe
2968 | powershell.exe
1692 | powershell.exe
1780 | powershell.exe
2124 | powershell.exe
2540 | powershell.exe
2904 | powershell.exe
3016 | powershell.exe
2772 | powershell.exe
2180 | powershell.exe
1584 | powershell.exe
2908 | powershell.exe
2912 | powershell.exe
2216 | powershell.exe
2672 | cmd.exe
2804 | powershell.exe
1576 | powershell.exe
1620 | powershell.exe
1164 | cmd.exe
2136 | cmd.exe
696 | cmd.exe
1452 | cmd.exe
2032 | cmd.exe
2796 | cmd.exe
1408 | cmd.exe
1872 | cmd.exe
2928 | cmd.exe
2888 | cmd.exe
- Suspicious use of AdjustPrivilegeToken (28 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2880 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2968 | powershell.exe
Token: SeDebugPrivilege | 2672 | cmd.exe
Token: SeDebugPrivilege | 1692 | powershell.exe
Token: SeDebugPrivilege | 1780 | powershell.exe
Token: SeDebugPrivilege | 2124 | powershell.exe
Token: SeDebugPrivilege | 2540 | powershell.exe
Token: SeDebugPrivilege | 2904 | powershell.exe
Token: SeDebugPrivilege | 3016 | powershell.exe
Token: SeDebugPrivilege | 2772 | powershell.exe
Token: SeDebugPrivilege | 2180 | powershell.exe
Token: SeDebugPrivilege | 1584 | powershell.exe
Token: SeDebugPrivilege | 2908 | powershell.exe
Token: SeDebugPrivilege | 2912 | powershell.exe
Token: SeDebugPrivilege | 2216 | powershell.exe
Token: SeDebugPrivilege | 2804 | powershell.exe
Token: SeDebugPrivilege | 1576 | powershell.exe
Token: SeDebugPrivilege | 1620 | powershell.exe
Token: SeDebugPrivilege | 1164 | cmd.exe
Token: SeDebugPrivilege | 2136 | cmd.exe
Token: SeDebugPrivilege | 696 | cmd.exe
Token: SeDebugPrivilege | 1452 | cmd.exe
Token: SeDebugPrivilege | 2032 | cmd.exe
Token: SeDebugPrivilege | 2796 | cmd.exe
Token: SeDebugPrivilege | 1408 | cmd.exe
Token: SeDebugPrivilege | 1872 | cmd.exe
Token: SeDebugPrivilege | 2928 | cmd.exe
Token: SeDebugPrivilege | 2888 | cmd.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2744 wrote to memory of 2152 | 2744 | JaffaCakes118_5c0e63d6e1c302991ee83f8d3dda67e76c43c480af0236cade9dda14b1eb6f11.exe | 30
PID 2744 wrote to memory of 2152 | 2744 | JaffaCakes118_5c0e63d6e1c302991ee83f8d3dda67e76c43c480af0236cade9dda14b1eb6f11.exe | 30
PID 2744 wrote to memory of 2152 | 2744 | JaffaCakes118_5c0e63d6e1c302991ee83f8d3dda67e76c43c480af0236cade9dda14b1eb6f11.exe | 30
PID 2744 wrote to memory of 2152 | 2744 | JaffaCakes118_5c0e63d6e1c302991ee83f8d3dda67e76c43c480af0236cade9dda14b1eb6f11.exe | 30
PID 2152 wrote to memory of 2888 | 2152 | WScript.exe | 31
PID 2152 wrote to memory of 2888 | 2152 | WScript.exe | 31
PID 2152 wrote to memory of 2888 | 2152 | WScript.exe | 31
PID 2152 wrote to memory of 2888 | 2152 | WScript.exe | 31
PID 2888 wrote to memory of 2880 | 2888 | cmd.exe | 33
PID 2888 wrote to memory of 2880 | 2888 | cmd.exe | 33
PID 2888 wrote to memory of 2880 | 2888 | cmd.exe | 33
PID 2888 wrote to memory of 2880 | 2888 | cmd.exe | 33
PID 2880 wrote to memory of 1760 | 2880 | DllCommonsvc.exe | 83
PID 2880 wrote to memory of 1760 | 2880 | DllCommonsvc.exe | 83
PID 2880 wrote to memory of 1760 | 2880 | DllCommonsvc.exe | 83
PID 2880 wrote to memory of 2540 | 2880 | DllCommonsvc.exe | 84
PID 2880 wrote to memory of 2540 | 2880 | DllCommonsvc.exe | 84
PID 2880 wrote to memory of 2540 | 2880 | DllCommonsvc.exe | 84
PID 2880 wrote to memory of 1584 | 2880 | DllCommonsvc.exe | 85
PID 2880 wrote to memory of 1584 | 2880 | DllCommonsvc.exe | 85
PID 2880 wrote to memory of 1584 | 2880 | DllCommonsvc.exe | 85
PID 2880 wrote to memory of 1692 | 2880 | DllCommonsvc.exe | 86
PID 2880 wrote to memory of 1692 | 2880 | DllCommonsvc.exe | 86
PID 2880 wrote to memory of 1692 | 2880 | DllCommonsvc.exe | 86
PID 2880 wrote to memory of 1576 | 2880 | DllCommonsvc.exe | 87
PID 2880 wrote to memory of 1576 | 2880 | DllCommonsvc.exe | 87
PID 2880 wrote to memory of 1576 | 2880 | DllCommonsvc.exe | 87
PID 2880 wrote to memory of 2968 | 2880 | DllCommonsvc.exe | 88
PID 2880 wrote to memory of 2968 | 2880 | DllCommonsvc.exe | 88
PID 2880 wrote to memory of 2968 | 2880 | DllCommonsvc.exe | 88
PID 2880 wrote to memory of 2216 | 2880 | DllCommonsvc.exe | 89
PID 2880 wrote to memory of 2216 | 2880 | DllCommonsvc.exe | 89
PID 2880 wrote to memory of 2216 | 2880 | DllCommonsvc.exe | 89
PID 2880 wrote to memory of 3016 | 2880 | DllCommonsvc.exe | 90
PID 2880 wrote to memory of 3016 | 2880 | DllCommonsvc.exe | 90
PID 2880 wrote to memory of 3016 | 2880 | DllCommonsvc.exe | 90
PID 2880 wrote to memory of 1620 | 2880 | DllCommonsvc.exe | 91
PID 2880 wrote to memory of 1620 | 2880 | DllCommonsvc.exe | 91
PID 2880 wrote to memory of 1620 | 2880 | DllCommonsvc.exe | 91
PID 2880 wrote to memory of 1780 | 2880 | DllCommonsvc.exe | 92
PID 2880 wrote to memory of 1780 | 2880 | DllCommonsvc.exe | 92
PID 2880 wrote to memory of 1780 | 2880 | DllCommonsvc.exe | 92
PID 2880 wrote to memory of 2772 | 2880 | DllCommonsvc.exe | 93
PID 2880 wrote to memory of 2772 | 2880 | DllCommonsvc.exe | 93
PID 2880 wrote to memory of 2772 | 2880 | DllCommonsvc.exe | 93
PID 2880 wrote to memory of 2124 | 2880 | DllCommonsvc.exe | 94
PID 2880 wrote to memory of 2124 | 2880 | DllCommonsvc.exe | 94
PID 2880 wrote to memory of 2124 | 2880 | DllCommonsvc.exe | 94
PID 2880 wrote to memory of 2804 | 2880 | DllCommonsvc.exe | 95
PID 2880 wrote to memory of 2804 | 2880 | DllCommonsvc.exe | 95
PID 2880 wrote to memory of 2804 | 2880 | DllCommonsvc.exe | 95
PID 2880 wrote to memory of 2904 | 2880 | DllCommonsvc.exe | 96
PID 2880 wrote to memory of 2904 | 2880 | DllCommonsvc.exe | 96
PID 2880 wrote to memory of 2904 | 2880 | DllCommonsvc.exe | 96
PID 2880 wrote to memory of 2908 | 2880 | DllCommonsvc.exe | 97
PID 2880 wrote to memory of 2908 | 2880 | DllCommonsvc.exe | 97
PID 2880 wrote to memory of 2908 | 2880 | DllCommonsvc.exe | 97
PID 2880 wrote to memory of 2912 | 2880 | DllCommonsvc.exe | 98
PID 2880 wrote to memory of 2912 | 2880 | DllCommonsvc.exe | 98
PID 2880 wrote to memory of 2912 | 2880 | DllCommonsvc.exe | 98
PID 2880 wrote to memory of 2180 | 2880 | DllCommonsvc.exe | 102
PID 2880 wrote to memory of 2180 | 2880 | DllCommonsvc.exe | 102
PID 2880 wrote to memory of 2180 | 2880 | DllCommonsvc.exe | 102
PID 2880 wrote to memory of 2672 | 2880 | DllCommonsvc.exe | 117
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (depth = nesting level in the process tree)
[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c0e63d6e1c302991ee83f8d3dda67e76c43c480af0236cade9dda14b1eb6f11.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c0e63d6e1c302991ee83f8d3dda67e76c43c480af0236cade9dda14b1eb6f11.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2744
[depth 2] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2152
[depth 3] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2888
[depth 4] C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2880
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  PID: 1760
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\ScanFile\dwm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2540
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\explorer.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1584
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\cmd.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1692
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1576
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2968
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\taskhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2216
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\wininit.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3016
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1620
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1780
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\spoolsv.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2772
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Videos\lsass.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2124
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2804
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\fr-FR\winlogon.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2904
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2908
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\Sample Videos\audiodg.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2912
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2180
[depth 5] C:\Users\Public\cmd.exe
  Command line: "C:\Users\Public\cmd.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2672
[depth 6] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat"
  PID: 2728
[depth 7] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2688
[depth 7] C:\Users\Public\cmd.exe
  Command line: "C:\Users\Public\cmd.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1164
[depth 8] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5Ad8adCyX4.bat"
  PID: 2152
[depth 9] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1036
[depth 9] C:\Users\Public\cmd.exe
  Command line: "C:\Users\Public\cmd.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2136
[depth 10] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jk1vLt9ke4.bat"
  PID: 1896
[depth 11] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2804
[depth 11] C:\Users\Public\cmd.exe
  Command line: "C:\Users\Public\cmd.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 696
[depth 12] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xAFUrPKKMy.bat"
  PID: 348
[depth 13] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2276
[depth 13] C:\Users\Public\cmd.exe
  Command line: "C:\Users\Public\cmd.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1452
[depth 14] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2K3DLFE7WC.bat"
  PID: 2968
[depth 15] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1524
[depth 15] C:\Users\Public\cmd.exe
  Command line: "C:\Users\Public\cmd.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2032
[depth 16] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat"
  PID: 3056
[depth 17] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1748
[depth 17] C:\Users\Public\cmd.exe
  Command line: "C:\Users\Public\cmd.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2796
[depth 18] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eTpA0L9dlX.bat"
  PID: 616
[depth 19] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2232
[depth 19] C:\Users\Public\cmd.exe
  Command line: "C:\Users\Public\cmd.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1408
[depth 20] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SNnEytbzjv.bat"
  PID: 2012
[depth 21] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2312
[depth 21] C:\Users\Public\cmd.exe
  Command line: "C:\Users\Public\cmd.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1872
[depth 22] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QHkN6qNcbm.bat"
  PID: 2340
[depth 23] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3044
[depth 23] C:\Users\Public\cmd.exe
  Command line: "C:\Users\Public\cmd.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2928
[depth 24] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xm2kK1SIVO.bat"
  PID: 2720
[depth 25] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 536
[depth 25] C:\Users\Public\cmd.exe
  Command line: "C:\Users\Public\cmd.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2888
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\SoftwareDistribution\ScanFile\dwm.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2672
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\ScanFile\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2704
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\SoftwareDistribution\ScanFile\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 804
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\explorer.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1684
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2988
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 304
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\cmd.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2276
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2500
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1376
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\providercommon\conhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2596
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3048
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2920
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2092
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1892
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2236
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\fr-FR\taskhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2312
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\fr-FR\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1884
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\fr-FR\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2292
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\wininit.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1176
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 772
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 272
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\providercommon\taskhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1744
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2188
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\providercommon\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\ja-JP\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\ja-JP\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\ja-JP\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Videos\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\My Videos\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Videos\Sample Videos\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Videos\Sample Videos\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\providercommon\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:300
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712
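The schtasks.exe calls above follow one template per payload: a binary named after a Windows system process (conhost, audiodg, taskhost, wininit, spoolsv, lsass, dllhost, winlogon, WmiPrvSE) is dropped outside System32 and registered three times, once at logon with /rl HIGHEST, once on a short MINUTE interval at the default run level, and once on a short MINUTE interval with /rl HIGHEST, under task names that are the process name with at most one letter appended. The action is wrapped in doubled quotes ("'...'"). The detector below is an added example and is not part of the sandbox report or the malware; it parses /create command lines as they appear in a process-creation log (Sysmon Event ID 1 or Security 4688) and flags each of those traits, then groups tasks by payload path to surface the triple registration. Its SAMPLE_CMDLINES copy the audiodg and wininit triplets from the list above and add one constructed benign task as a control; the heuristics and their names are this example's own.

```python
"""Flag DcRat-style scheduled-task persistence in schtasks.exe command lines.

Added example, not code from the sandbox report or the malware.  Input is a
list of process command lines such as Sysmon Event ID 1 / Security 4688
records carry.
"""
import re
from collections import defaultdict

# Windows process names the dropper reuses for payloads and task names.
# Legitimate copies of these live only under System32 / SysWOW64.
SYSTEM_BINARIES = {
    "conhost.exe", "audiodg.exe", "taskhost.exe", "wininit.exe", "spoolsv.exe",
    "lsass.exe", "dllhost.exe", "winlogon.exe", "wmiprvse.exe", "svchost.exe",
    "csrss.exe", "smss.exe", "services.exe", "explorer.exe", "dwm.exe",
}
LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

_TN = re.compile(r'/tn\s+"([^"]+)"', re.I)
_SC = re.compile(r"/sc\s+(\S+)", re.I)
_MO = re.compile(r"/mo\s+(\d+)", re.I)
_RL = re.compile(r"/rl\s+(\S+)", re.I)
# Accepts both a plain "path" and the "'path'" double-wrapping seen above.
_TR = re.compile(r'''/tr\s+"'?([^"']+)'?"''', re.I)


def parse_schtasks(cmdline):
    """Return the /create switches as a dict, or None for non-create calls."""
    if "/create" not in cmdline.lower():
        return None

    def grab(rx, default):
        m = rx.search(cmdline)
        return m.group(1) if m else default

    return {
        "task": grab(_TN, ""),
        "schedule": grab(_SC, "").upper(),
        "modifier": int(grab(_MO, "0")),
        "runlevel": grab(_RL, "LIMITED").upper(),  # schtasks default
        "target": grab(_TR, ""),
        "nested_quotes": '/tr "\'' in cmdline,
    }


def findings_for(task):
    """Heuristics evaluated against one parsed /create command."""
    hits = []
    target = task["target"].lower()
    # Whole action is the image if it ends in .exe; otherwise the first
    # token is the image and the rest are arguments (unquoted paths with
    # spaces followed by arguments are not handled).
    image = target if target.endswith(".exe") else target.split(" ")[0]
    binary = image.rsplit("\\", 1)[-1]
    in_system_dir = image.startswith(LEGIT_DIRS)

    if binary in SYSTEM_BINARIES and not in_system_dir:
        hits.append("masquerading-binary-outside-system32")
    name = task["task"].lower()
    # Task name equals a system process name, optionally plus one letter.
    if name + ".exe" in SYSTEM_BINARIES or name[:-1] + ".exe" in SYSTEM_BINARIES:
        hits.append("task-name-mimics-system-process")
    if task["runlevel"] == "HIGHEST" and not in_system_dir:
        hits.append("highest-runlevel-for-unknown-binary")
    if task["schedule"] == "MINUTE" and 0 < task["modifier"] <= 15:
        hits.append("minute-interval-watchdog")
    if task["nested_quotes"]:
        hits.append("dcrat-quoting-style")
    return hits


def analyse(cmdlines):
    """Return (per-command findings, payload paths registered by 3+ tasks)."""
    report = []
    per_target = defaultdict(list)
    for line in cmdlines:
        t = parse_schtasks(line)
        if t is None:
            continue
        report.append((t["task"], t["target"], findings_for(t)))
        per_target[t["target"].lower()].append(t["task"])
    clusters = {k: v for k, v in per_target.items() if len(v) >= 3}
    return report, clusters


SAMPLE_CMDLINES = [
    # Copied from the process list above: the audiodg and wininit triplets.
    r'''schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /f''',
    r'''schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\wininit.exe'" /f''',
    r'''schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f''',
    # Constructed benign control: System32 image with arguments, daily,
    # default run level, plain quoting.
    r'''schtasks.exe /create /tn "NightlyCopy" /sc DAILY /st 02:00 /tr "C:\Windows\System32\robocopy.exe D:\src E:\dst" /f''',
]

if __name__ == "__main__":
    report, clusters = analyse(SAMPLE_CMDLINES)
    for task, target, hits in report:
        print(f"{task:12} {target}\n    {', '.join(hits) or 'no findings'}")
    for target, tasks in clusters.items():
        print(f"{len(tasks)} tasks point at {target}: {tasks}")
```

Each malicious line trips several heuristics at once while the control trips none; the cluster view is the one worth alerting on, since three tasks with different names and schedules pointing at one binary in a user-writable or locale directory has no common administrative explanation. The regexes only cover the switches seen here; /xml imports and COM-created tasks need the Microsoft-Windows-TaskScheduler operational log or Event 4698 instead.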
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 3d9e89cc4c166449b50794993a331de2
SHA1 055711e76621504545ec6393e2442859625c6eef
SHA256 919153e850156271ffae28e1d19b5bb09903215560f9923a9c470a510c7797d8
SHA512 21f32f496e5c592d18454a1612c7dbfe8097cafbccbdba4a940fae0425621bd5d9a6627c5eac2d49b33779c092676ee59bb18ffd4e77c8f21d7800e6ea8707d5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 8855bdab34c3ff0beb01f575dc2d5831
SHA1 eadeaf8fcfc91beca9cd62d34ccf85b3f996f12f
SHA256 004c8b7d0a6130bae50edc7a0f520ef5585ff633cab3b9b1c3418c9a12268610
SHA512 0e4d19a2143cc2a8ddb29639bcccaeffa101bb608140a56cd32ffd5cc86a7ecb066567e13bd8e304de58ff4ea2009d6504b06c0f073be37af320d6e20ac54407
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 bca43b667dd0a0b41717edb126ce4dd3
SHA1 0268dfcd037ca8e4f590a267048e2d5685e57de3
SHA256 a3a29875748d253bfa60f42624beced388fa345f6f34f9f86a69ec51a39e50c5
SHA512 25f47cfe937055cd6ee684cb27adb6b0281c710b4daf1a1be2ef966c4b8277dd7c869e5a08ba60ad3297b8cb5eb19719afe8df44c0bb8ac0930f3970868081d5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 efd2a719bfe43d2eb88ce22d2ef4627b
SHA1 d0d874980cbe7cbd8c5116306056dbef99c441f5
SHA256 a575f92b3f47a1236ac409d776c18e0b420d3ed575b5736a7cc709c502eeadf5
SHA512 ed5a08a4586b0295cc627369fb98c486d8cc880a7c703b9e4c67f993b05013324d1311619d3bad8555f8d8729855b610d92e5e3677779f9ff554fed74645e5f8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 10bf5a844f970cb1893957f8f7238d2a
SHA1 6c06bde45bef1beb84a15b86b5314149c03875fb
SHA256 c2558de9ac3d6e2f9f942f25d70fc91df52a14c3888642705f4354e2ad7117de
SHA512 4fe816a8d133bd3add63f8512d6a79f7f7dec0e0b2e2ed62ad3099ba30ccfcede724495818e508e2ca7b94ac79a483d5595b2b869c39b568ce8fd0d5734b61ae
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 df5e2878a605e90f52ba3bfa54b23c3a
SHA1 519cc7d4efcaa8836084679ff6546c4335236f74
SHA256 609ef1d2428617b26aec9311b0b207d9a183b45b0611c7dc49c2661faf1cb6e1
SHA512 417d35f7a7b648352b5e252f4fb613bbb06a1fb87e0341e08a39252579a25cedc6dd5227a1ce7367456d701b67f89b0fac269c18364b37b641afc0256d1ebbb7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 3b1f8ce64acc55d80c769f0c4d51ebd8
SHA1 30a0f69cd90d4ec48591ec1bfa36f690640b9fa2
SHA256 d5b49ae7855b1c127d5ea7c93d58ebed2561d2f35eb71b96d6e486095ebdfdc6
SHA512 ac69cafd953936f8a9e3dc10762a72887b5cfad86ddd988be9346342f2e499e0bef90bf2fe949f819bd5f0133be9f94215b92d2d6d0c4c030ff597bc177fd1a3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 3d1249599ef27cfbdc9577f9b229e511
SHA1 d77624f6401383bc755516009cd4cba30b3f60dc
SHA256 6daedf425526e319d7c094705487813cc858c4088c3ec38ebb9b07695d9bbc8f
SHA512 f7c73033e4588953501d9aefd39349a920dd8c28342a42f8a67430aaa1a258888d6f83c202e5aa98a33cc41408f3bf7c71472f229bcf16597a7fa3af8a48c172
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 525aae4dd0fe5c78c967afbd15980d66
SHA1 6971312b46eb549aa0dec3d71c88c5da5da4f01c
SHA256 a0e219835e349d93dd00647d4ecec7b9aa5008e3f9a6387f7803999f731ddf95
SHA512 c0e743ba74f298175fdec5cde1f60f5a8bfee002c5141208b5e6e72a05a9f5e246040b2261caada4cd8c0ba8782a381f196dfb829ebda578df0dc6ca7c69e22d
-
Filesize 188B
MD5 429c8b930545514f14b091f550b5bfd3
SHA1 af3d2cc95c353cfcc2364c7f2098fcbc0fefd012
SHA256 01c48ffc11e6054c3147ad7154b1ec8881e7b087748fe8eb9f3cf95d580e3556
SHA512 959d8c3bbf6a5695fb22813a9288955293ea0432ff41db7337667cf45381f760649097aa67479c656a6abb258d62c6123c78b045a1ce3fdddc5c1039bd88ef43
-
Filesize 188B
MD5 f71be3873c01c0d3cfc0a677c9298a47
SHA1 6a629fae6fa5b36b35e0691ccbfd75542a073742
SHA256 a8bd017bde3c12e09bf210b7b2757e3ecfed44372ab1d2437734a333e0a765c7
SHA512 bfbbfd415f68a4b17957c3b8ec70a762e97ca58091fb5dbb1fa03a79dc13f58b2c997bd0af2d5494ce961348f67102fd6188149dde08659ba188cc98b907bf8c
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 188B
MD5 eaae9407e0536922dddb39d4009a6436
SHA1 7585304ce0530bd0dab6b3dae2b56f33aaf5b6a2
SHA256 8083180f922e5573a7840dae02fc1b01282843867f602fb2f32c2395549d5a10
SHA512 33964e2c49371e4728cecb75f6bb03ab39c46f4db949affb4e0878959c3a7d454968ab28f211b3e4f08e43ca57cf8fe4c176525fbe09a636aa635fdb8ebb5b4c
-
Filesize 188B
MD5 971bf380edad5494123e3270d227a736
SHA1 40219bbd7753228d0296c9e320ee11c657d140d3
SHA256 c8eaaa1f74cf76679c7224a356c74e3626726d326d92befa6c9cf1469db7e7f9
SHA512 6f29ef025d5f53078549ca28174524fc0a2356e0bbc7ab7c9a56b48065d19274b07d85ec261f0e5ce142f2ca5142d21ee94a824af90f6f18981027b039082a01
-
Filesize 188B
MD5 74a0aab2fe44d1bb9a14c3604e3e055b
SHA1 f751c824e5bc883745575e86aaddf5a780e3ab70
SHA256 379c647cae67fd3d97833689f24c1959f64dcd4275634121554dd2795688dc75
SHA512 47e355b0d55246fc7b960ba4e2fd870efbfb3dabc9d20f1eff9211382f1087be45fc0392b816bb06c31b6263286fbae7611cdb99754ee32a138a929e8ced6b3f
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 188B
MD5 e61ae54a4a27f6346381d5e2e02b279d
SHA1 3d6efe71fa7f3e3b1e1b1ff30920b70ce78a889c
SHA256 03f7fabe710173cd15fc1a709ceb5cdf44d5cb87c8f9917175b581a2d4e02b4e
SHA512 fb676826f44d20f7192d396768a1689cdbc88c67df1b45c8ee2d19730c83615dc4498a1fe25f652311b36b93049bf1357329631f55fd3fc17f9d69490fc632e3
-
Filesize 188B
MD5 31b0ee83f04ed132f4ab906869afb989
SHA1 76b527df15986d6007b43d446674e476a281e667
SHA256 5fe4b578af003399cd6ade33022c898ea3577a6bd6fbcbedf38a5345d5d5800b
SHA512 fa036e92b818570ceca3238628b7c65e917be41a081721a208d0558ff8ff8775a285fa9435efe3fbfa5c61a6179bfe690777a4edc159f70a8826ba035cad0331
-
Filesize 188B
MD5 c5f923a4b37de138f98072acfc5b2934
SHA1 6a055347e2d4a25ab080ed9354e4ff1b31a4865d
SHA256 64dc1b1002e3d5a737b33e6ff13a02df75bfbf5e643091b21e232000ca6914d2
SHA512 e8c0670acbc6fec49edc2d0fdc01c0cd0d6f48ef7f3807289b472acd6b94c075f6bde21979db0b9dc6822296438383e304936325f5d495026a17bcd796ad17cf
-
Filesize 188B
MD5 3942212c5c50a72364cafbd5052eb9fa
SHA1 86bb427acd6d541ba707e168f86a5711854cd942
SHA256 5192f8691137af9f571eba6795a57c695fadba0ebaf2b0be0d1c3ba771a85149
SHA512 6aa5260019fc7e0ed3d9d30448671275ccefa41d328d00f96414c36d909d6c1ee924d1bcdf189f3fc91fe820cf4f56984cb355d24961550ff5e41bbb3d448f68
-
Filesize 188B
MD5 5200b24564022580a23a45e724f1a0b7
SHA1 9ea07b172d29f02c7be00877b924783caededd00
SHA256 ad32fce11865e2501a360703bfe990dea3b3718f7d3d547005b2df06a4e94950
SHA512 3679c80d97d71f249157a90d657d64b16dd508fbf9cd643ed8bcab7fac9854ed932fa0f2c043bc69f86afa6e8ff276b87b57141f75501cb7655d57073c6b40ea
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 486d4cd85822358786f60abf8181d372
SHA1 bb5f368f6f91824072ef2bcfd48fa5d47343f202
SHA256 1056ac94a03b432c22b351edfd285fc5e9228634d28a1b8bcdf0f34b328c0a3d
SHA512 6cfd365c419abacfab623b9e4b1b1e0fbbc8fb547f7c340a88bbb222a2d9765bb271ba3241f6f0005fdf53be6379d5e82c3844e4345f71c9c12af355531e919c
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478