Analysis

max time kernel: 150s
max time network: 148s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 01:51

Behavioral task: behavioral1
Sample: JaffaCakes118_375ce4a9beabd459e3f5459cec75a1b1e8e2814443bae7914553d7b266ed1923.exe
Resource: win7-20241023-en

Behavioral task: behavioral2
Sample: JaffaCakes118_375ce4a9beabd459e3f5459cec75a1b1e8e2814443bae7914553d7b266ed1923.exe
Resource: win10v2004-20241007-en
General

Target: JaffaCakes118_375ce4a9beabd459e3f5459cec75a1b1e8e2814443bae7914553d7b266ed1923.exe
Size: 1.3 MB
MD5: b0e7be27280e7a6e75df7c8590b35067
SHA1: e1331032a6911e4257c59a22850181bcaeb17a58
SHA256: 375ce4a9beabd459e3f5459cec75a1b1e8e2814443bae7914553d7b266ed1923
SHA512: 1bdc408beb993c93f582d26a240f18f01c73632c922bca902d59eef40f84836e4ed06cbc44faf69d7dd6ec5b849fff7903c7327f4a3a264b4020e40c47c3327d
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures

DcRat
DarkCrystal RAT (DcRat) is a .NET RAT, active since June 2019, that can load additional plugins.

Dcrat family
Process spawned unexpected child process (54 IoCs)
This typically indicates that the parent process was compromised via an exploit or macro. Here the parent is wmiprvse.exe, the WMI provider host. A WmiPrvSE.exe parent means the child was created through WMI (Win32_Process.Create) on behalf of some other caller, not that wmiprvse.exe itself was exploited; it is also why the schtasks.exe instances appear at the top level of the process tree below rather than under DllCommonsvc.exe. The WMI-Activity event logs, not the parent image, identify the caller.
Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 2172, procid 34) is not expected to spawn this process: schtasks.exe, 54 instances.
Child PIDs: 696, 1036, 1504, 2056, 2908, 2888, 2260, 2204, 1296, 2052, 2428, 2068, 1812, 2028, 1856, 1888, 756, 1488, 1316, 1260, 1428, 2184, 3032, 656, 2456, 2556, 1808, 2232, 2508, 840, 1664, 1288, 2624, 1336, 2464, 1868, 1892, 2640, 1756, 544, 2124, 1156, 2548, 1880, 2588, 1724, 2984, 884, 1896, 1668, 1616, 2944, 2928, 2816
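The check behind this signature is a parent/child policy: a short list of parent images and the children each is allowed to start. The following is an added example, not code from the sandbox report or from the malware; it runs that check over constructed Sysmon-style process-creation records modelled on the rows above (three schtasks.exe children of wmiprvse.exe PID 2172) plus two benign records. The PARENT_POLICY table is an illustrative assumption, not a vendor baseline, and a fleet that deploys software through WMI will need a wmiprvse.exe allow-list rather than an empty set.

```python
"""Parent/child process policy check.

Added example; not code from the sandbox report or the malware. Field names
follow Sysmon event ID 1; the records are constructed from the report's rows.
"""
from collections import Counter


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


# Parents that, in a default installation, spawn no scripting or task-creating
# children. An empty set means "any child is unexpected".
# Assumption about the fleet: WMI-driven deployment tooling creates processes
# under WmiPrvSE.exe legitimately and would need its own entry here.
PARENT_POLICY = {
    "wmiprvse.exe": set(),
    "spoolsv.exe": set(),
    "winword.exe": {"splwow64.exe"},   # print helper is normal; cmd/powershell is not
}


def find_unexpected_children(events, policy=PARENT_POLICY):
    """Return the events whose parent is policed and whose child is not allowed."""
    hits = []
    for ev in events:
        allowed = policy.get(basename(ev["ParentImage"]))
        if allowed is None:
            continue                            # parent not policed
        if basename(ev["Image"]) not in allowed:
            hits.append(ev)
    return hits


def summarize(hits):
    """Collapse repeated (parent, child) pairs into counts; 54 rows become one line."""
    return Counter((basename(h["ParentImage"]), basename(h["Image"])) for h in hits)


WMIPRVSE = r"C:\Windows\system32\wbem\wmiprvse.exe"
SCHTASKS = r"C:\Windows\system32\schtasks.exe"

# Constructed records modelled on the report (child PIDs 696/1036/1504, parent 2172).
SAMPLE_EVENTS = [
    {"ProcessId": 696, "ParentProcessId": 2172, "ParentImage": WMIPRVSE, "Image": SCHTASKS,
     "CommandLine": r"""schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\providercommon\System.exe'" /f"""},
    {"ProcessId": 1036, "ParentProcessId": 2172, "ParentImage": WMIPRVSE, "Image": SCHTASKS,
     "CommandLine": r"""schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f"""},
    {"ProcessId": 1504, "ParentProcessId": 2172, "ParentImage": WMIPRVSE, "Image": SCHTASKS,
     "CommandLine": r"""schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f"""},
    # Benign (constructed): the DcomLaunch svchost starting the WMI provider host itself.
    {"ProcessId": 2172, "ParentProcessId": 600, "ParentImage": r"C:\Windows\system32\svchost.exe",
     "Image": WMIPRVSE, "CommandLine": r"C:\Windows\system32\wbem\wmiprvse.exe"},
    # Benign (constructed): Word starting its 64-bit print helper.
    {"ProcessId": 3100, "ParentProcessId": 3000, "ParentImage": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": r"C:\Windows\splwow64.exe 8192"},
]

if __name__ == "__main__":
    for (parent, child), n in summarize(find_unexpected_children(SAMPLE_EVENTS)).items():
        print(f"{parent} -> {child}: {n} unexpected launches")
```

Run stand-alone it prints one line, wmiprvse.exe -> schtasks.exe with a count of 3; the two benign records are not policed (svchost.exe) or allowed (splwow64.exe under winword.exe) and produce nothing.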
YARA matches (rule dcrat):
- behavioral1/files/0x0008000000015cd1-12.dat
- behavioral1/memory/2840-13-0x0000000000E50000-0x0000000000F60000-memory.dmp
- behavioral1/memory/2196-86-0x0000000000F50000-0x0000000001060000-memory.dmp
- behavioral1/memory/304-274-0x0000000001240000-0x0000000001350000-memory.dmp
- behavioral1/memory/984-454-0x0000000000140000-0x0000000000250000-memory.dmp
- behavioral1/memory/2932-514-0x0000000001360000-0x0000000001470000-memory.dmp
- behavioral1/files/0x0006000000016d6b-750.dat
Command and Scripting Interpreter: PowerShell (1 TTP, 19 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes. In this run every one of the 19 invocations is "powershell" -Command Add-MpPreference -ExclusionPath '<path>', each naming a location the sample copies itself to (see the process list below). Note that the sandbox reuses PIDs within the run (2792 is WScript.exe and later a powershell.exe; 2756 is a powershell.exe and later a services.exe), so correlate entries by procid rather than by PID.
PIDs (powershell.exe): 2888, 296, 1108, 2968, 712, 2160, 300, 2064, 2332, 2696, 2792, 2756, 2544, 2220, 1784, 1036, 2176, 2484, 2780
Executes dropped EXE (12 IoCs)
PIDs: 2840 DllCommonsvc.exe; services.exe 2196, 2628, 304, 2756, 1028, 984, 2932, 2828, 2448, 2268, 656

Loads dropped DLL (2 IoCs)
PIDs: 2692 cmd.exe (2 entries)
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 11 IoCs)
Flows 4, 5, 9, 12, 16, 19, 23, 26, 29, 32, 36: raw.githubusercontent.com
Drops file in Program Files directory (6 IoCs)
Files created by DllCommonsvc.exe:
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\audiodg.exe
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\42af1c969fbb7b
- C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\csrss.exe
- C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\886983d96e3d3e
- C:\Program Files\Mozilla Firefox\defaults\pref\DllCommonsvc.exe
- C:\Program Files\Mozilla Firefox\defaults\pref\a76d7bf15d8370

Drops file in Windows directory (8 IoCs)
Files created by DllCommonsvc.exe:
- C:\Windows\inf\ASP.NET\0015\c5b4cb5e9653cc
- C:\Windows\AppCompat\Programs\DllCommonsvc.exe
- C:\Windows\AppCompat\Programs\a76d7bf15d8370
- C:\Windows\Registration\CRMLog\csrss.exe
- C:\Windows\Registration\CRMLog\886983d96e3d3e
- C:\Windows\Globalization\Sorting\csrss.exe
- C:\Windows\Globalization\Sorting\886983d96e3d3e
- C:\Windows\inf\ASP.NET\0015\services.exe

Two details worth checking for on a suspect host: every copied executable is written beside a 14-hex-character companion file in the same directory (42af1c969fbb7b, 886983d96e3d3e, a76d7bf15d8370, c5b4cb5e9653cc), and the copies borrow Windows system-process names (csrss.exe, services.exe, audiodg.exe) in directories where those binaries never live.
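The Defender-exclusion command lines and the dropped-file lists above are the two artefacts a responder would pull first. The following is an added example, not code from the sandbox report or the malware: it parses Add-MpPreference command lines for the exclusions they add, flags dropped binaries whose name belongs to a Windows system process but whose directory does not, and lists directories where an executable sits beside a 14-hex-character companion file. HOME_DIR is an assumption (64-bit default install); the sample command lines and paths are copied from this report, with one constructed control path (the genuine C:\Windows\System32\csrss.exe) that must not be flagged.

```python
"""Defender-exclusion and masquerading triage.

Added example; not code from the sandbox report or the malware. The
command lines are those shown in the process list (outer quoting of the
executable omitted); the dropped paths come from the two lists above.
"""
import re

EXCL_RE = re.compile(
    r"add-mppreference\s+-exclusion(path|process|extension)\s+'([^']+)'", re.I)
COMPANION_RE = re.compile(r"^[0-9a-f]{14}$")

# Where each borrowed name genuinely lives (assumption: 64-bit default install).
# SysWOW64 is accepted for the System32 names.
HOME_DIR = {name: r"c:\windows\system32" for name in (
    "csrss.exe", "services.exe", "lsass.exe", "lsm.exe", "spoolsv.exe",
    "audiodg.exe", "taskhost.exe", "cmd.exe")}
HOME_DIR.update({"wmiprvse.exe": r"c:\windows\system32\wbem", "explorer.exe": r"c:\windows"})


def split_path(path):
    """(lower-cased directory, lower-cased file name)."""
    d, _, name = path.lower().rpartition("\\")
    return d, name


def exclusions(cmdlines):
    """(kind, value) for each exclusion an Add-MpPreference command line adds."""
    found = []
    for line in cmdlines:
        found.extend((kind.lower(), value) for kind, value in EXCL_RE.findall(line))
    return found


def is_masquerade(path):
    """True when a system-process name sits outside its home directory."""
    d, name = split_path(path)
    home = HOME_DIR.get(name)
    if home is None:
        return False
    return d not in (home, home.replace(r"\system32", r"\syswow64"))


def companion_pairs(dropped):
    """Directories holding both a dropped .exe and a 14-hex-char marker file."""
    by_dir = {}
    for path in dropped:
        d, name = split_path(path)
        by_dir.setdefault(d, set()).add(name)
    pairs = []
    for d, names in by_dir.items():
        exes = sorted(n for n in names if n.endswith(".exe"))
        markers = sorted(n for n in names if COMPANION_RE.match(n))
        if exes and markers:
            pairs.append((d, exes, markers))
    return sorted(pairs)


def triage(cmdlines, dropped):
    return {"exclusions": exclusions(cmdlines),
            "masquerades": [p for p in dropped if is_masquerade(p)],
            "companions": companion_pairs(dropped)}


SAMPLE_CMDLINES = [
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'",
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\csrss.exe'",
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\inf\ASP.NET\0015\services.exe'",
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\lsass.exe'",
]
SAMPLE_DROPPED = [
    r"C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\audiodg.exe",
    r"C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\42af1c969fbb7b",
    r"C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\csrss.exe",
    r"C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\886983d96e3d3e",
    r"C:\Windows\Registration\CRMLog\csrss.exe",
    r"C:\Windows\Registration\CRMLog\886983d96e3d3e",
    r"C:\Windows\inf\ASP.NET\0015\services.exe",
    r"C:\Windows\inf\ASP.NET\0015\c5b4cb5e9653cc",
    r"C:\Windows\System32\csrss.exe",   # constructed control: the genuine binary
]

if __name__ == "__main__":
    for key, rows in triage(SAMPLE_CMDLINES, SAMPLE_DROPPED).items():
        print(key)
        for row in rows:
            print("   ", row)
```

On a live host the same exclusion list is read back with Get-MpPreference (ExclusionPath, ExclusionProcess, ExclusionExtension) and removed with Remove-MpPreference; the parser above is for the command lines captured in logs or in a report like this one.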
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographic location of the host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by:
- WScript.exe
- cmd.exe
- JaffaCakes118_375ce4a9beabd459e3f5459cec75a1b1e8e2814443bae7914553d7b266ed1923.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 54 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
PIDs (schtasks.exe): 2232, 1288, 1336, 1880, 2888, 1888, 1316, 2944, 1808, 2624, 2124, 2984, 884, 2928, 2464, 1868, 1892, 2548, 2028, 2184, 1488, 1036, 2556, 2588, 2428, 3032, 2640, 1756, 1896, 2056, 1428, 2068, 1812, 1260, 1724, 1616, 2052, 1504, 2816, 2456, 1664, 1156, 1668, 2908, 2204, 1296, 840, 696, 2260, 1856, 544, 656, 2508, 756
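The schtasks.exe command lines in the process list below follow one pattern per dropped binary: a MINUTE-interval task, an ONLOGON task at /rl HIGHEST, and a second MINUTE task at HIGHEST under a near-duplicate name. The following is an added example, not code from the sandbox report or the malware: it parses schtasks /create command lines into task records, groups them by the binary each task launches, and flags targets that receive that combination. The 15-minute threshold and the benign updater line are assumptions for illustration; the six other lines are copied from this report.

```python
"""schtasks /create triage.

Added example; not code from the sandbox report or the malware. Parses
/tn, /sc, /mo, /tr and /rl from schtasks command lines as they appear in
the report (the /tr value is double-quoted and then single-quoted).
"""
import re
from collections import defaultdict

OPT_RE = re.compile(r'/(tn|sc|mo|tr|rl)\s+("[^"]*"|\S+)', re.I)
KEYS = {"tn": "name", "sc": "schedule", "mo": "modifier", "tr": "target", "rl": "runlevel"}


def parse_schtasks(cmdline):
    """Task record for a 'schtasks /create' command line, or None for other uses."""
    if "/create" not in cmdline.lower():
        return None
    task = dict.fromkeys(KEYS.values())
    for key, val in OPT_RE.findall(cmdline):
        task[KEYS[key.lower()]] = val.strip('"').strip("'")
    task["highest"] = (task["runlevel"] or "").upper() == "HIGHEST"
    task["minutes"] = None
    if (task["schedule"] or "").upper() == "MINUTE" and (task["modifier"] or "").isdigit():
        task["minutes"] = int(task["modifier"])
    return task


def group_by_target(cmdlines):
    """Map the lower-cased /tr target to the list of tasks created for it."""
    groups = defaultdict(list)
    for line in cmdlines:
        task = parse_schtasks(line)
        if task and task["target"]:
            groups[task["target"].lower()].append(task)
    return groups


def suspicious_targets(groups, max_minutes=15):
    """Targets with an ONLOGON task, a MINUTE task at or under max_minutes, and HIGHEST somewhere."""
    flagged = []
    for target, tasks in groups.items():
        onlogon = any((t["schedule"] or "").upper() == "ONLOGON" for t in tasks)
        frequent = any(t["minutes"] is not None and t["minutes"] <= max_minutes for t in tasks)
        elevated = any(t["highest"] for t in tasks)
        if onlogon and frequent and elevated:
            flagged.append(target)
    return sorted(flagged)


# Six lines copied from the report's process list, plus one constructed benign updater task.
SAMPLE_CMDLINES = [
    r"""schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\providercommon\System.exe'" /f""",
    r"""schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /f""",
    r"""schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "UpdaterDaily" /sc DAILY /st 09:00 /tr "C:\Program Files\Example\updater.exe /check" /f""",
]

if __name__ == "__main__":
    groups = group_by_target(SAMPLE_CMDLINES)
    for target in suspicious_targets(groups):
        names = sorted({t["name"] for t in groups[target]})
        print(f"{target}: {len(groups[target])} tasks {names}")
```

The grouping by target rather than by task name is deliberate: the report shows the same task names ("csrss", "csrssc") reused for csrss.exe copies in two different directories, so a name-keyed view would merge unrelated persistence.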
Suspicious behavior: EnumeratesProcesses (38 IoCs)
PIDs: 2840 DllCommonsvc.exe (9 entries); powershell.exe 2968, 2176, 2696, 2332, 2888, 1784, 2484, 296, 2220, 2160, 2756, 2780, 1036, 300, 2544, 712, 2792, 2064, 1108; services.exe 2196, 2628, 304, 2756, 1028, 984, 2932, 2828, 2448, 2268
Suspicious use of AdjustPrivilegeToken (30 IoCs)
Token: SeDebugPrivilege, enabled by: 2840 DllCommonsvc.exe; powershell.exe 2968, 2176, 2696, 2332, 2888, 1784, 2484, 296, 2220, 2160, 2756, 2780, 1036, 300, 2544, 712, 2792, 2064, 1108; services.exe 2196, 2628, 304, 2756, 1028, 984, 2932, 2828, 2448, 2268
Suspicious use of WriteProcessMemory (64 IoCs)
Writer PID -> target PID (writer process, target procid), number of entries:
2816 -> 2792 (JaffaCakes118_375ce4a9beabd459e3f5459cec75a1b1e8e2814443bae7914553d7b266ed1923.exe, 30), 4
2792 -> 2692 (WScript.exe, 31), 4
2692 -> 2840 (cmd.exe, 33), 4
2840 -> 2696 (DllCommonsvc.exe, 89), 3
2840 -> 2968 (DllCommonsvc.exe, 90), 3
2840 -> 2484 (DllCommonsvc.exe, 92), 3
2840 -> 2756 (DllCommonsvc.exe, 93), 3
2840 -> 2792 (DllCommonsvc.exe, 94), 3
2840 -> 2780 (DllCommonsvc.exe, 95), 3
2840 -> 2160 (DllCommonsvc.exe, 97), 3
2840 -> 2176 (DllCommonsvc.exe, 99), 3
2840 -> 300 (DllCommonsvc.exe, 101), 3
2840 -> 2064 (DllCommonsvc.exe, 104), 3
2840 -> 1784 (DllCommonsvc.exe, 105), 3
2840 -> 2544 (DllCommonsvc.exe, 107), 3
2840 -> 2220 (DllCommonsvc.exe, 109), 3
2840 -> 712 (DllCommonsvc.exe, 110), 3
2840 -> 1036 (DllCommonsvc.exe, 111), 3
2840 -> 296 (DllCommonsvc.exe, 113), 3
2840 -> 2888 (DllCommonsvc.exe, 115), 3
2840 -> 2332 (DllCommonsvc.exe, 116), 1
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_375ce4a9beabd459e3f5459cec75a1b1e8e2814443bae7914553d7b266ed1923.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_375ce4a9beabd459e3f5459cec75a1b1e8e2814443bae7914553d7b266ed1923.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2816

Level 2: C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2792

Level 3: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2692

Level 4: C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2840
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (19 instances, children of DllCommonsvc.exe PID 2840)
  Each instance is flagged: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken.
  PID: command line
  2696: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  2968: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
  2484: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'
  2756: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\csrss.exe'
  2792: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'
  2780: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\Sorting\csrss.exe'
  2160: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\inf\ASP.NET\0015\services.exe'
  2176: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'
  300: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
  2064: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\csrss.exe'
  1784: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
  2544: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'
  2220: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\lsass.exe'
  712: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
  1036: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\defaults\pref\DllCommonsvc.exe'
  296: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'
  2888: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'
  2332: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppCompat\Programs\DllCommonsvc.exe'
  1108: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\audiodg.exe'
Level 5 and below: the dropped C:\Windows\inf\ASP.NET\0015\services.exe (child of DllCommonsvc.exe PID 2840) relaunches itself ten times. In each iteration services.exe runs "C:\Windows\System32\cmd.exe" /C "<temporary .bat>" one level down; that cmd.exe then runs C:\Windows\system32\w32tm.exe as "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2" (a delay, not a time-sync operation) and a fresh "C:\Windows\inf\ASP.NET\0015\services.exe", both two levels below the previous services.exe. Every services.exe instance except the last is flagged: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken. The last (PID 656) is flagged only: Executes dropped EXE. The cmd.exe and w32tm.exe instances carry no signatures.

Level  services.exe PID  cmd.exe PID  batch file (in C:\Users\Admin\AppData\Local\Temp\)  w32tm.exe PID
5      2196              2568         WzmeI2KvQx.bat                                      1028
7      2628              2276         MsSi1KDKJG.bat                                      2996
9      304               1496         zcjutnjrcv.bat                                      2052
11     2756              2080         EYKlAcFNfO.bat                                      1776
13     1028              2580         nGW3UwTeX7.bat                                      1332
15     984               780          be8zRZs4e0.bat                                      2544
17     2932              1896         rE1HJofSUb.bat                                      1284
19     2828              1512         nl4g9d70ax.bat                                      2456
21     2448              812          0tZmJrpaGF.bat                                      1504
23     2268              2180         pFE2FgvhS1.bat                                      1836
25     656               (no children recorded)
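The relaunch loop above is easy to miss in a flat process list and easy to spot once the tree is rebuilt. The following is an added example, not code from the sandbox report or the malware: it rebuilds a tree from constructed process records modelled on the first four iterations (services.exe runs cmd.exe /C on a temporary .bat, the batch runs w32tm as a delay and then starts services.exe again), reports each relaunch, and measures the chain length. Records carry their own sequential ids rather than being keyed by PID, because the report shows PIDs reused within the run (1028 is a w32tm.exe and later a services.exe). The Explorer/build.bat records are a constructed benign control.

```python
"""Batch-file relaunch chain detector.

Added example; not code from the sandbox report or the malware. Process
records are constructed from the report's table; ids are sequential because
the sandbox reuses PIDs during the run.
"""
import re

BATCH_CMD = re.compile(r'cmd(?:\.exe)?"?\s+/c\s+"*([^"]+\.bat)', re.I)
# w32tm /stripchart against localhost measures nothing useful; batch files use
# it as a sleep (/samples:2 /period:5 blocks for several seconds).
W32TM_DELAY = re.compile(r"w32tm\s+/stripchart\s+/computer:localhost", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def batch_relaunches(procs):
    """Hits where a process runs cmd /C <x.bat> and that cmd starts the same image again."""
    kids = {}
    for p in procs:
        kids.setdefault(p["parent"], []).append(p)
    hits = []
    for p in procs:
        for cmd in kids.get(p["id"], []):
            if basename(cmd["image"]) != "cmd.exe":
                continue
            m = BATCH_CMD.search(cmd["cmdline"])
            if not m:
                continue
            grandchildren = kids.get(cmd["id"], [])
            delayed = any(W32TM_DELAY.search(g["cmdline"]) for g in grandchildren)
            for g in grandchildren:
                if basename(g["image"]) == basename(p["image"]):
                    hits.append({"parent": p["id"], "cmd": cmd["id"], "child": g["id"],
                                 "batch": m.group(1), "w32tm_delay": delayed})
    return hits


def chain_length(hits):
    """Longest run of relaunches in which each child is the next parent."""
    nxt = {h["parent"]: h["child"] for h in hits}
    best = 0
    for start in set(nxt) - set(nxt.values()):
        n, cur = 0, start
        while cur in nxt:
            n, cur = n + 1, nxt[cur]
        best = max(best, n)
    return best


def proc(pid, image, cmdline, id_, parent):
    return {"id": id_, "parent": parent, "pid": pid, "image": image, "cmdline": cmdline}


SVC = r"C:\Windows\inf\ASP.NET\0015\services.exe"
CMD = r"C:\Windows\System32\cmd.exe"
W32 = r"C:\Windows\system32\w32tm.exe"
DELAY = "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"
TMP = r"C:\Users\Admin\AppData\Local\Temp"
# (services.exe PID, cmd.exe PID, batch file, w32tm.exe PID): first four iterations in the report.
ITERATIONS = [(2196, 2568, "WzmeI2KvQx.bat", 1028), (2628, 2276, "MsSi1KDKJG.bat", 2996),
              (304, 1496, "zcjutnjrcv.bat", 2052), (2756, 2080, "EYKlAcFNfO.bat", 1776)]


def build_sample():
    procs = [proc(2840, r"C:\providercommon\DllCommonsvc.exe", r'"C:\providercommon\DllCommonsvc.exe"', 1, 0)]
    parent = 1
    for svc_pid, cmd_pid, bat, w32_pid in ITERATIONS:
        svc_id = len(procs) + 1
        bat_path = TMP + "\\" + bat
        procs.append(proc(svc_pid, SVC, f'"{SVC}"', svc_id, parent))
        procs.append(proc(cmd_pid, CMD, f'"{CMD}" /C "{bat_path}"', svc_id + 1, svc_id))
        procs.append(proc(w32_pid, W32, DELAY, svc_id + 2, svc_id + 1))
        parent = svc_id + 1                      # the next services.exe is the cmd.exe's child
    procs.append(proc(1028, SVC, f'"{SVC}"', len(procs) + 1, parent))  # fifth copy; PID 1028 reused
    # Constructed benign control: a build script run from Explorer, no relaunch.
    procs.append(proc(4000, r"C:\Windows\explorer.exe", "explorer.exe", 100, 0))
    procs.append(proc(4010, CMD, f'"{CMD}" /C "C:\\tools\\build.bat"', 101, 100))
    procs.append(proc(4020, r"C:\tools\msbuild.exe", "msbuild.exe /t:Build", 102, 101))
    return procs


if __name__ == "__main__":
    hits = batch_relaunches(build_sample())
    for h in hits:
        print(f"{h['parent']} -> {h['cmd']} ({h['batch']}) -> {h['child']} delay={h['w32tm_delay']}")
    print("chain length:", chain_length(hits))
```

A chain length above one or two with a w32tm delay in every link is the signal; a single cmd /C on a batch file is ordinary, and the benign control produces no hit because the grandchild (msbuild.exe) is not the grandparent's image.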
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\providercommon\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Globalization\Sorting\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Globalization\Sorting\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Globalization\Sorting\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\inf\ASP.NET\0015\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\inf\ASP.NET\0015\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\inf\ASP.NET\0015\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\providercommon\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:656
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Cookies\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Cookies\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\providercommon\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\DllCommonsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Windows\AppCompat\Programs\DllCommonsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Windows\AppCompat\Programs\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816
Network
MITRE ATT&CK Enterprise v15
Downloads