Analysis
max time kernel: 145s
max time network: 141s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 02:38
Behavioral task: behavioral1
Sample: JaffaCakes118_8ed3c435a085a49c78c91b1c0dd3a44304aae2bef1a74771961d7fb3eb8cf4d7.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: JaffaCakes118_8ed3c435a085a49c78c91b1c0dd3a44304aae2bef1a74771961d7fb3eb8cf4d7.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_8ed3c435a085a49c78c91b1c0dd3a44304aae2bef1a74771961d7fb3eb8cf4d7.exe
Size: 1.3MB
MD5: 0e91f0e752ae2f3a5cf20b889cbea1e7
SHA1: 289b9baa8dbc9d464eb5a149f95c7f0f52f935ae
SHA256: 8ed3c435a085a49c78c91b1c0dd3a44304aae2bef1a74771961d7fb3eb8cf4d7
SHA512: 1a913604da1216c4d0ac31a3df5324799fae4e084bfbf88ecbc361a28cd256b597930089c49e282ee610bec53d4183d952202a40dcc26437a0fcd4dce1a1e6a0
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2748 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1624 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2656 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2672 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3024 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2500 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1992 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1692 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1384 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 584 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1396 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1704 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1912 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1688 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1956 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 532 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1732 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1388 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 592 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 280 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2708 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1224 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2908 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2236 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2124 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2648 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2588 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1716 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 904 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2984 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1272 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1780 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1120 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1768 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1640 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2284 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2292 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 468 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 752 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2572 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2276 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2356 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2352 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2948 | 2892 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3056 | 2892 | schtasks.exe | 34
resource | yara_rule
behavioral1/files/0x0008000000016c51-9.dat | dcrat
behavioral1/memory/2760-13-0x00000000012E0000-0x00000000013F0000-memory.dmp | dcrat
behavioral1/memory/2696-136-0x0000000001230000-0x0000000001340000-memory.dmp | dcrat
behavioral1/memory/1392-255-0x0000000000020000-0x0000000000130000-memory.dmp | dcrat
behavioral1/memory/2680-315-0x0000000000300000-0x0000000000410000-memory.dmp | dcrat
behavioral1/memory/2696-375-0x0000000000CC0000-0x0000000000DD0000-memory.dmp | dcrat
behavioral1/memory/936-435-0x0000000000CE0000-0x0000000000DF0000-memory.dmp | dcrat
behavioral1/memory/2800-495-0x00000000013D0000-0x00000000014E0000-memory.dmp | dcrat
behavioral1/memory/2692-734-0x00000000000C0000-0x00000000001D0000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
868 | powershell.exe
1108 | powershell.exe
1504 | powershell.exe
1332 | powershell.exe
804 | powershell.exe
2424 | powershell.exe
348 | powershell.exe
1628 | powershell.exe
1416 | powershell.exe
2888 | powershell.exe
2340 | powershell.exe
1632 | powershell.exe
268 | powershell.exe
2464 | powershell.exe
2288 | powershell.exe
2928 | powershell.exe
Executes dropped EXE 12 IoCs
pid | Process
2760 | DllCommonsvc.exe
2696 | WmiPrvSE.exe
2748 | WmiPrvSE.exe
1392 | WmiPrvSE.exe
2680 | WmiPrvSE.exe
2696 | WmiPrvSE.exe
936 | WmiPrvSE.exe
2800 | WmiPrvSE.exe
2200 | WmiPrvSE.exe
776 | WmiPrvSE.exe
2268 | WmiPrvSE.exe
2692 | WmiPrvSE.exe
Loads dropped DLL 2 IoCs
pid | Process
2472 | cmd.exe
2472 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow | ioc
5 | raw.githubusercontent.com
25 | raw.githubusercontent.com
28 | raw.githubusercontent.com
31 | raw.githubusercontent.com
4 | raw.githubusercontent.com
12 | raw.githubusercontent.com
15 | raw.githubusercontent.com
18 | raw.githubusercontent.com
21 | raw.githubusercontent.com
34 | raw.githubusercontent.com
9 | raw.githubusercontent.com
Drops file in Program Files directory 10 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Internet Explorer\SIGNUP\ebf1f9fa8afd6d | DllCommonsvc.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\lsass.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\6203df4a6bafc7 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\System.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\27d1bcfc3c54e0 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Analysis Services\wininit.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Analysis Services\56085415360792 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Internet Explorer\SIGNUP\cmd.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Media Player\it-IT\wininit.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Media Player\it-IT\56085415360792 | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_8ed3c435a085a49c78c91b1c0dd3a44304aae2bef1a74771961d7fb3eb8cf4d7.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1692 | schtasks.exe
584 | schtasks.exe
1388 | schtasks.exe
280 | schtasks.exe
2292 | schtasks.exe
2572 | schtasks.exe
1912 | schtasks.exe
2708 | schtasks.exe
1640 | schtasks.exe
2948 | schtasks.exe
1624 | schtasks.exe
1396 | schtasks.exe
532 | schtasks.exe
1716 | schtasks.exe
2984 | schtasks.exe
1272 | schtasks.exe
1384 | schtasks.exe
1956 | schtasks.exe
2588 | schtasks.exe
2356 | schtasks.exe
2500 | schtasks.exe
592 | schtasks.exe
2124 | schtasks.exe
752 | schtasks.exe
2656 | schtasks.exe
3024 | schtasks.exe
1704 | schtasks.exe
904 | schtasks.exe
1120 | schtasks.exe
1768 | schtasks.exe
2276 | schtasks.exe
2352 | schtasks.exe
2748 | schtasks.exe
2672 | schtasks.exe
1992 | schtasks.exe
1688 | schtasks.exe
1732 | schtasks.exe
2648 | schtasks.exe
1780 | schtasks.exe
2284 | schtasks.exe
468 | schtasks.exe
3056 | schtasks.exe
1224 | schtasks.exe
2908 | schtasks.exe
2236 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 32 IoCs
pid | Process
2760 | DllCommonsvc.exe
2760 | DllCommonsvc.exe
2760 | DllCommonsvc.exe
2760 | DllCommonsvc.exe
2760 | DllCommonsvc.exe
868 | powershell.exe
2288 | powershell.exe
804 | powershell.exe
348 | powershell.exe
268 | powershell.exe
2464 | powershell.exe
2424 | powershell.exe
2928 | powershell.exe
1416 | powershell.exe
1332 | powershell.exe
1632 | powershell.exe
1504 | powershell.exe
1108 | powershell.exe
2888 | powershell.exe
2340 | powershell.exe
1628 | powershell.exe
2696 | WmiPrvSE.exe
2748 | WmiPrvSE.exe
1392 | WmiPrvSE.exe
2680 | WmiPrvSE.exe
2696 | WmiPrvSE.exe
936 | WmiPrvSE.exe
2800 | WmiPrvSE.exe
2200 | WmiPrvSE.exe
776 | WmiPrvSE.exe
2268 | WmiPrvSE.exe
2692 | WmiPrvSE.exe
Suspicious use of AdjustPrivilegeToken 28 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2760 | DllCommonsvc.exe
Token: SeDebugPrivilege | 868 | powershell.exe
Token: SeDebugPrivilege | 2288 | powershell.exe
Token: SeDebugPrivilege | 804 | powershell.exe
Token: SeDebugPrivilege | 348 | powershell.exe
Token: SeDebugPrivilege | 268 | powershell.exe
Token: SeDebugPrivilege | 2464 | powershell.exe
Token: SeDebugPrivilege | 2424 | powershell.exe
Token: SeDebugPrivilege | 2928 | powershell.exe
Token: SeDebugPrivilege | 1416 | powershell.exe
Token: SeDebugPrivilege | 1332 | powershell.exe
Token: SeDebugPrivilege | 1632 | powershell.exe
Token: SeDebugPrivilege | 1504 | powershell.exe
Token: SeDebugPrivilege | 1108 | powershell.exe
Token: SeDebugPrivilege | 2888 | powershell.exe
Token: SeDebugPrivilege | 2340 | powershell.exe
Token: SeDebugPrivilege | 1628 | powershell.exe
Token: SeDebugPrivilege | 2696 | WmiPrvSE.exe
Token: SeDebugPrivilege | 2748 | WmiPrvSE.exe
Token: SeDebugPrivilege | 1392 | WmiPrvSE.exe
Token: SeDebugPrivilege | 2680 | WmiPrvSE.exe
Token: SeDebugPrivilege | 2696 | WmiPrvSE.exe
Token: SeDebugPrivilege | 936 | WmiPrvSE.exe
Token: SeDebugPrivilege | 2800 | WmiPrvSE.exe
Token: SeDebugPrivilege | 2200 | WmiPrvSE.exe
Token: SeDebugPrivilege | 776 | WmiPrvSE.exe
Token: SeDebugPrivilege | 2268 | WmiPrvSE.exe
Token: SeDebugPrivilege | 2692 | WmiPrvSE.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2504 wrote to memory of 2396 | 2504 | JaffaCakes118_8ed3c435a085a49c78c91b1c0dd3a44304aae2bef1a74771961d7fb3eb8cf4d7.exe | 30
PID 2504 wrote to memory of 2396 | 2504 | JaffaCakes118_8ed3c435a085a49c78c91b1c0dd3a44304aae2bef1a74771961d7fb3eb8cf4d7.exe | 30
PID 2504 wrote to memory of 2396 | 2504 | JaffaCakes118_8ed3c435a085a49c78c91b1c0dd3a44304aae2bef1a74771961d7fb3eb8cf4d7.exe | 30
PID 2504 wrote to memory of 2396 | 2504 | JaffaCakes118_8ed3c435a085a49c78c91b1c0dd3a44304aae2bef1a74771961d7fb3eb8cf4d7.exe | 30
PID 2396 wrote to memory of 2472 | 2396 | WScript.exe | 31
PID 2396 wrote to memory of 2472 | 2396 | WScript.exe | 31
PID 2396 wrote to memory of 2472 | 2396 | WScript.exe | 31
PID 2396 wrote to memory of 2472 | 2396 | WScript.exe | 31
PID 2472 wrote to memory of 2760 | 2472 | cmd.exe | 33
PID 2472 wrote to memory of 2760 | 2472 | cmd.exe | 33
PID 2472 wrote to memory of 2760 | 2472 | cmd.exe | 33
PID 2472 wrote to memory of 2760 | 2472 | cmd.exe | 33
PID 2760 wrote to memory of 2928 | 2760 | DllCommonsvc.exe | 80
PID 2760 wrote to memory of 2928 | 2760 | DllCommonsvc.exe | 80
PID 2760 wrote to memory of 2928 | 2760 | DllCommonsvc.exe | 80
PID 2760 wrote to memory of 1332 | 2760 | DllCommonsvc.exe | 81
PID 2760 wrote to memory of 1332 | 2760 | DllCommonsvc.exe | 81
PID 2760 wrote to memory of 1332 | 2760 | DllCommonsvc.exe | 81
PID 2760 wrote to memory of 348 | 2760 | DllCommonsvc.exe | 82
PID 2760 wrote to memory of 348 | 2760 | DllCommonsvc.exe | 82
PID 2760 wrote to memory of 348 | 2760 | DllCommonsvc.exe | 82
PID 2760 wrote to memory of 268 | 2760 | DllCommonsvc.exe | 83
PID 2760 wrote to memory of 268 | 2760 | DllCommonsvc.exe | 83
PID 2760 wrote to memory of 268 | 2760 | DllCommonsvc.exe | 83
PID 2760 wrote to memory of 804 | 2760 | DllCommonsvc.exe | 84
PID 2760 wrote to memory of 804 | 2760 | DllCommonsvc.exe | 84
PID 2760 wrote to memory of 804 | 2760 | DllCommonsvc.exe | 84
PID 2760 wrote to memory of 1632 | 2760 | DllCommonsvc.exe | 85
PID 2760 wrote to memory of 1632 | 2760 | DllCommonsvc.exe | 85
PID 2760 wrote to memory of 1632 | 2760 | DllCommonsvc.exe | 85
PID 2760 wrote to memory of 1628 | 2760 | DllCommonsvc.exe | 86
PID 2760 wrote to memory of 1628 | 2760 | DllCommonsvc.exe | 86
PID 2760 wrote to memory of 1628 | 2760 | DllCommonsvc.exe | 86
PID 2760 wrote to memory of 1416 | 2760 | DllCommonsvc.exe | 87
PID 2760 wrote to memory of 1416 | 2760 | DllCommonsvc.exe | 87
PID 2760 wrote to memory of 1416 | 2760 | DllCommonsvc.exe | 87
PID 2760 wrote to memory of 2464 | 2760 | DllCommonsvc.exe | 88
PID 2760 wrote to memory of 2464 | 2760 | DllCommonsvc.exe | 88
PID 2760 wrote to memory of 2464 | 2760 | DllCommonsvc.exe | 88
PID 2760 wrote to memory of 868 | 2760 | DllCommonsvc.exe | 89
PID 2760 wrote to memory of 868 | 2760 | DllCommonsvc.exe | 89
PID 2760 wrote to memory of 868 | 2760 | DllCommonsvc.exe | 89
PID 2760 wrote to memory of 1108 | 2760 | DllCommonsvc.exe | 90
PID 2760 wrote to memory of 1108 | 2760 | DllCommonsvc.exe | 90
PID 2760 wrote to memory of 1108 | 2760 | DllCommonsvc.exe | 90
PID 2760 wrote to memory of 2424 | 2760 | DllCommonsvc.exe | 92
PID 2760 wrote to memory of 2424 | 2760 | DllCommonsvc.exe | 92
PID 2760 wrote to memory of 2424 | 2760 | DllCommonsvc.exe | 92
PID 2760 wrote to memory of 2288 | 2760 | DllCommonsvc.exe | 93
PID 2760 wrote to memory of 2288 | 2760 | DllCommonsvc.exe | 93
PID 2760 wrote to memory of 2288 | 2760 | DllCommonsvc.exe | 93
PID 2760 wrote to memory of 2888 | 2760 | DllCommonsvc.exe | 94
PID 2760 wrote to memory of 2888 | 2760 | DllCommonsvc.exe | 94
PID 2760 wrote to memory of 2888 | 2760 | DllCommonsvc.exe | 94
PID 2760 wrote to memory of 2340 | 2760 | DllCommonsvc.exe | 95
PID 2760 wrote to memory of 2340 | 2760 | DllCommonsvc.exe | 95
PID 2760 wrote to memory of 2340 | 2760 | DllCommonsvc.exe | 95
PID 2760 wrote to memory of 1504 | 2760 | DllCommonsvc.exe | 96
PID 2760 wrote to memory of 1504 | 2760 | DllCommonsvc.exe | 96
PID 2760 wrote to memory of 1504 | 2760 | DllCommonsvc.exe | 96
PID 2760 wrote to memory of 2728 | 2760 | DllCommonsvc.exe | 112
PID 2760 wrote to memory of 2728 | 2760 | DllCommonsvc.exe | 112
PID 2760 wrote to memory of 2728 | 2760 | DllCommonsvc.exe | 112
PID 2728 wrote to memory of 320 | 2728 | cmd.exe | 114
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ed3c435a085a49c78c91b1c0dd3a44304aae2bef1a74771961d7fb3eb8cf4d7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ed3c435a085a49c78c91b1c0dd3a44304aae2bef1a74771961d7fb3eb8cf4d7.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2504

Level 2: C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2396

Level 3: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2472

Level 4: C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2760

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2928

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1332

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\cmd.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 348

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\it-IT\wininit.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 268

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\System.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 804

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\wininit.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1632

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\reports\conhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1628

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\SIGNUP\cmd.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1416

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2464

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dllhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 868

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\taskhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1108

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2424

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\lsass.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2288

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2888

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2340

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1504

Level 5: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wg0VTKYngz.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2728

Level 6: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 320

Level 6: C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
  Command line: "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2696

Level 7: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat"
  PID: 2664

Level 8: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 976

Level 8: C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
  Command line: "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2748

Level 9: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DC0SKfNvdG.bat"
  PID: 2596

Level 10: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1564

Level 10: C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
  Command line: "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1392

Level 11: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AsgPmp9HNF.bat"
  PID: 2800

Level 12: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2976

Level 12: C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
  Command line: "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2680

Level 13: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hlBWXN5z7R.bat"
  PID: 2740

Level 14: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1852

Level 14: C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
  Command line: "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2696

Level 15: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat"
  PID: 1828

Level 16: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1120

Level 16: C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
  Command line: "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 936

Level 17: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pksuDlslcW.bat"
  PID: 1996

Level 18: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2260

Level 18: C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
  Command line: "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2800

Level 19: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CWxqMEPA9M.bat"
  PID: 1604

Level 20: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1592

Level 20: C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
  Command line: "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2200

Level 21: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZHEG9SYztW.bat"
  PID: 1044

Level 22: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1448

Level 22: C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
  Command line: "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 776

Level 23: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pFKIY4EPZg.bat"
  PID: 3012

Level 24: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2240

Level 24: C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
  Command line: "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2268

Level 25: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GQn77QEoUi.bat"
  PID: 760

Level 26: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2396

Level 26: C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
  Command line: "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2692
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\Downloads\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Downloads\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\Temp\Crashpad\reports\conhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\Temp\Crashpad\reports\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:280
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\providercommon\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\providercommon\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056
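Every schtasks entry above follows one template per dropped binary: a task named after a Windows system process plus one trailing letter (wininitw, lsassl, dwmd) on a MINUTE trigger, created twice so that the second /f overwrites the first with /rl HIGHEST, and a task under the bare process name (wininit, lsass, dwm) on ONLOGON with /rl HIGHEST; every /tr action is wrapped as "'path'" and points at a copy parked under Program Files, C:\Recovery, C:\Windows\Temp or a user profile rather than System32. The Python below is an added triage example, not part of the sandbox report, that parses schtasks /create command lines of this shape (for instance the CommandLine field of a process-creation event for schtasks.exe) and scores them against those traits. The impersonated-name list, the System32 directory list and the 15-minute threshold are analyst assumptions; the first three sample lines are copied from the report and the fourth is a constructed benign task for contrast.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A token is a double-quoted chunk (may hold spaces and single quotes) or a run of
# non-whitespace; that is all schtasks syntax needs.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')
# schtasks switches that take a value (the subset relevant to /create).
VALUE_FLAGS = {"/tn", "/sc", "/mo", "/tr", "/rl", "/st", "/sd", "/ru", "/rp", "/s", "/u", "/p"}
# Assumptions: names impersonated in this report, where the genuine binaries live, and
# what counts as a "watchdog" re-run interval.
SYSTEM_IMAGE_NAMES = {"wininit.exe", "lsass.exe", "dllhost.exe", "dwm.exe", "conhost.exe",
                      "taskhost.exe", "wmiprvse.exe", "cmd.exe", "system.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\system32\wbem"}
HIGH_FREQ_MINUTES = 15


@dataclass
class TaskRecord:
    name: str
    schedule: str
    modifier: Optional[int]
    run_level: Optional[str]
    target: str           # /tr action with the wrapping single quotes removed
    nested_quotes: bool   # /tr was written as "'...'" (single quotes inside double)
    force: bool           # /f: silently overwrite an existing task of the same name


def parse_schtasks(cmd: str) -> Tuple[Dict[str, str], set]:
    """Split a schtasks command line into {switch: value} plus bare switches."""
    tokens = TOKEN_RE.findall(cmd)
    opts: Dict[str, str] = {}
    switches = set()
    i = 0
    while i < len(tokens):
        key = tokens[i].lower()
        if key in VALUE_FLAGS and i + 1 < len(tokens):
            opts[key] = tokens[i + 1].strip('"')
            i += 2
            continue
        if key.startswith("/"):
            switches.add(key)
        i += 1
    return opts, switches


def describe(cmd: str) -> TaskRecord:
    opts, switches = parse_schtasks(cmd)
    raw = opts.get("/tr", "")
    nested = len(raw) >= 2 and raw[0] == raw[-1] == "'"
    mo = opts.get("/mo", "")
    return TaskRecord(
        name=opts.get("/tn", ""),
        schedule=opts.get("/sc", "").upper(),
        modifier=int(mo) if mo.isdigit() else None,
        run_level=opts.get("/rl", "").upper() or None,
        target=raw[1:-1] if nested else raw,
        nested_quotes=nested,
        force="/f" in switches,
    )


def task_findings(rec: TaskRecord) -> List[str]:
    """Per-task indicators, emitted in a fixed order so results compare cleanly."""
    directory, _, image = rec.target.lower().rpartition("\\")
    hits = []
    if image in SYSTEM_IMAGE_NAMES and directory not in SYSTEM_DIRS:
        hits.append("masquerade")         # system binary name outside System32
    if rec.run_level == "HIGHEST":
        hits.append("highest_runlevel")   # task runs with the highest available token
    if rec.nested_quotes:
        hits.append("nested_quotes")      # the "'path'" quoting seen in every entry above
    if rec.schedule == "MINUTE" and rec.modifier is not None and rec.modifier <= HIGH_FREQ_MINUTES:
        hits.append("high_frequency")     # relaunched within minutes if the process is killed
    return hits


def paired_clusters(records: List[TaskRecord]) -> Dict[str, Tuple[str, str]]:
    """Targets registered under two names where one is the other plus one trailing
    character (wininit / wininitw above). Keyed by lower-cased target path."""
    by_target: Dict[str, set] = defaultdict(set)
    for r in records:
        by_target[r.target.lower()].add(r.name)
    pairs = {}
    for target, names in by_target.items():
        for a in names:
            for b in names:
                if a != b and b.startswith(a) and len(b) == len(a) + 1:
                    pairs[target] = (a, b)
    return pairs


def triage(cmdlines: List[str]):
    records = [describe(c) for c in cmdlines]
    return [(r.name, task_findings(r)) for r in records], paired_clusters(records)


SAMPLE_CMDLINES = [
    # the wininit.exe triple, copied from the report
    r"""schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\wininit.exe'" /f""",
    r"""schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\wininit.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\wininit.exe'" /rl HIGHEST /f""",
    # constructed benign task for contrast (not from the report)
    r"""schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe" /f""",
]
```

Run `triage(SAMPLE_CMDLINES)`: the three report lines each score at least masquerade and nested_quotes, the two later ones add highest_runlevel, and the paired-name check ties wininit and wininitw to the same wininit.exe copy; the constructed backup task scores nothing. On a live host the same command lines are available from Security event 4698 (scheduled task created), the Microsoft-Windows-TaskScheduler/Operational log, or Sysmon event 1 for schtasks.exe, and the registered task XML under C:\Windows\System32\Tasks gives the /tr action and run level after the fact. Keep the masquerade check as a name-versus-directory comparison rather than a name match alone: cmd.exe and conhost.exe are legitimate in System32, and only their presence under Internet Explorer\SIGNUP or Temp\Crashpad\reports is the signal.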
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 25fc6c7580a163b382f32579578ba023
SHA1 9316d9ee3941f84d7dc1ed03f61212b447da422d
SHA256 6b67d24a2e5e4713972afb9f85893ffe20900dea0c9a7f629d493b41c409af7b
SHA512 7d052b123da9466430d5e8288352de591b96584d423c7d441ebfffefae2799673f20c4cb29cbd2afd4329256067e0937d6e8ecc3ad4f931269fc1746120b2cc3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 ad061d6eed985e328b81029a77c9af9a
SHA1 3cac398eb66605d07246e792ddceceb2d403b411
SHA256 333dfc4d7033ad0792a1720101a8f8be6d7c6090a758d598ca7a4a1fc1395417
SHA512 fa7a03db3dd4cf71c038ba223223c5f0685ca0f3edf0b4ce95b2a90e065bd78e4088bcb3954f73040869e6a3baeada546a9f484ab7ca1defabc7ed27daf2cdcb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 73ba93bf3cf228258e8902f776ba41d6
SHA1 2f82f213f115165661f96ef91c530287307db049
SHA256 c75f9bbc3838eb54484a1da799366344363dc2dcdb3b040227d04555d666aa9c
SHA512 9ac90940b02dd44283597ccb8764541690a6529f84b7549fb0e2952e0d037b2387b8d6afef3f4927736160c7d03675c0deafd44b7f47579ba70908dbce6b611a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 28a17dbd532767ef88a6edbcaa4da7b0
SHA1 a449f91b53db33e85a34d94a86fca2deb97d9619
SHA256 8fb5e250e1fe848c9ef9522caff9eda893ce7d3373cdf3d9a1c3ffe2d841714f
SHA512 2de47c681cc4c3e009cee353bd53e162df590a49c69cd4b6c8d0d1490407dfe24dbec3d05cb2d9c77c2e8077b528554432b156b582c8e47a73e81e0051366a75
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 1d30f77dc45c4be7d2dc4de6d65cb0aa
SHA1 227f0fbf48f04b3d079cdead45d877f0ac6737b1
SHA256 ba452fdc887f4535ecca292fbd5b8b708c2d02f295c260753e3b9c59980d7615
SHA512 e836ba47e485834a81580da53d315f477b37a24513fb5fd968f6507f3d287eee453003e69e547ada8d50411ca5f7c20bf482c8f673d1c6fc1c200f44556c36ed
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 d23b0d88f4a692b917bb4be69e0b11d0
SHA1 7011fb92d73e28a91c38fe6df193f8bc58ec6410
SHA256 8f2be1a54d30f7c80787f98dfa971680df840eac6600dbbf2e2acc423257a16e
SHA512 79b94c01f73b02aec42d578a1941f05363f93a5223becb6c814f30e6c2acf19682a79cfa0765e959ce1d2b6c6bf5bad42c235524a022a28b953df5b0f8e04986
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 fd388bdce431f3892564c06af6cdf3a7
SHA1 07918acc918a3f49416101b3f0b3f7c43beabd9a
SHA256 2e0db128de3d34cd987bb524ba605efaf7a7a3c4a17e6896193ba875d1e266aa
SHA512 8038defe087548501c6d2332bf17adf428a2a20e25137f7db0fb06a588eaa912710eec441633697f34efa493c6babd6620aea566078c0ff422418c264625dde2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 a6613e16c6584cac1d5440a3c822ae78
SHA1 84d420d898c702451f77238d8e7367af903e74ee
SHA256 b5a54c130aa9fde05a029d3a836fe690d9b8e21e375787b5228d075e6c08c6e2
SHA512 a16d09277fbe5a6e4b4705aa610d5974a037358c0d368fab191dd6f5bc15e9166650e0477dff643fdb5387183894ad926af6d726852c663ea85e7007def77e02
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 1845436f9e3e9b6cc90e3f3e245bb75e
SHA1 c11f3bdf4eca8d6993a739377e5b87833afbcb28
SHA256 79413bdcb7d64f39befd6ca3adb276c96d5dfa49dfdf396a6b575f10f30045da
SHA512 25c0a098de7db3b65b1e5fd5b6f0e6008b45c90d7c82a890c7ba0787d1de3636d272bbceb122dabc3e8ee081462f43755e6ef929656f379449a0c3da8593ada1
-
Filesize 240B
MD5 bff2fcc485b23e7e9589c79be741c235
SHA1 49606854c5bdd993d2f0cd9ce5df34d7bc5dc399
SHA256 a214b94b3653929e0d75b39534a0bbb3eb9abe1f393388f3b869994ae56cc3b2
SHA512 a632e4288b64825a9c68f84fddece14948ce41a5d421af3e5e7fafdda785a43affad23603ebc7063b1a97d20c2f20800997dd43c45df77f8ba65b21544c53e90
-
Filesize 240B
MD5 81b3f54a9ccfb2a0ce11f70ff23b2ad3
SHA1 2166340d78e73f851c7d46c31635e00b119e07b1
SHA256 f9964aad3680d0266b6c82545d618f6990c0c554cc2b7fa4707ba3dbc1bba757
SHA512 33874b68c541fc76fb22aaa5fb26ab7baeb4831aba353ef4de8def121f196e6a221b476fb6a24ae23288eeb331f18e900bc3a607264e4f9ac840110001bbf98c
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 240B
MD5 049713889f76370daae930b3e282ba34
SHA1 abdc5794d8383fafe96c8ae9928fb12514f82c8b
SHA256 c0cf62c897ab88af71503275f8a7c8f7c998df0633ca22599722667282aee363
SHA512 1173729187de61ae678723491b72d49e740620e6c9a030bb58b42c8a5ea5c1bf09ad17c484cc87081d27fda74fd7178432bb4ffadf9a8f329c25465e6b35b0e7
-
Filesize 240B
MD5 205f6f3c4ee59f8160347f69555f7efe
SHA1 3044c2e870d2e8ddf07e091f6dd98bbf47e6e435
SHA256 79ad27ef09cfc01e474dcc69c47a67ee9d42a03bf17285293757fea14551aeee
SHA512 016b2982c7b015fbbc1a12259e2062e8bc42a89641e0c91a453c36bcf2f37ac13ec80c360e9606940713167199769bcdfd4df960a08db748a98d31fe58fb5342
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 240B
MD5 0a11f309d2aaa23e040ff5f5685962b8
SHA1 1ab1e2c55ce791429d72773d5076482edae225d2
SHA256 c0e1c4ac37651a8fae92ee5f57c454b1b99210211dad6898916ebf7677af0ee1
SHA512 ed384c2ef59813bbc4d926198b0fcd27e342cf09e874bcc4122a081e1ee6eb10dad3ec97d82947fb473bcacbc5726d23dfb8b3e9504fe906af95410d5fa3797e
-
Filesize 240B
MD5 84e11af3e00613e48a606094800cdf0c
SHA1 b25ddae90c0b0679b0a8f889dba903995f30dfba
SHA256 ad398841df00e1de2328e57e7831b23c4b16c294268e56dd85419b3a862120d0
SHA512 27d681730a40e424bae7a1049006c88546866a16ca4650a502b7165c28bd058e0448e1630546ca4ee5d846c57cab46ef5cdcdb42cd2a9074e83c078107eb0615
-
Filesize 240B
MD5 ea5984d1087dc8667bb493b47e814aaf
SHA1 e97e2df1da80de28e3f0571e604a7b19d43d3f7d
SHA256 e861f9adda619e1fe1e57147f53bce6acdb2c4b8030a5fddd77f4c858278949a
SHA512 58fae107e9df1b7aa21d48acfaae766c8ae7b511744f8d76c66efd9e4423f735414368d3cdfa41d4a4b5f466765a565ba24eec34603d6a37199db5625279592e
-
Filesize 240B
MD5 dbdcb68635ae0d7222f76a35c0527974
SHA1 90f64f092d07a4edc275ea23c72e2b408779b8c3
SHA256 f849b99b5a1f57f5bf90a1f4101a305a7f55a8ebd991e3afa6deadbc8288acb1
SHA512 3546e7929e851d1995c4f65c8060814ee3ef62ad4285d83092ba97c9ce40ed00c732118317886f23b97e5735500a2cbd1a1ba04aa40e5514861d4a8cf0df8e51
-
Filesize 240B
MD5 073b20f2a2286c3a2ae0bf7303a5ad42
SHA1 f462a95b4d80dd2cc8ad0a05dedf0125a34f4944
SHA256 9109ca3b3c5e9bd6f342f0464b8b99bceabd99630bdb4c7cf9082f2db7a7863b
SHA512 67563f502d2729a8a6c84e5ff78afe3fbf911df044cf897794a44794e0c7a3b98bbf3fc0f5e5ce67907007b241a11ce8f95afa1326de2454814f48a4bdd1cf7e
-
Filesize 240B
MD5 29894ee7b4c397ad0bf3cfab04a364aa
SHA1 d4f46c29fdab53619425837adaa37c0356f4860a
SHA256 d4a954dde6ca68cc941eec8fbea3306e96cba2e37222eb6145f590c145785909
SHA512 42ea827407ad87fa7dda8d2bfd86b7c6b7f8661d4fd34afae5dc6e3267f61bf88cb2b61109f35898f31e07e30c96c55fd9f1fdbf6f5de54691a4b1f22408ec49
-
Filesize 240B
MD5 8baf1c4f4ea024de839564b576cce298
SHA1 a87154f953e691c4bc5306387c72715eca43b5ae
SHA256 b58c108bfffb08dbf84e682592d4ef036df79959b537f31a32bc7304094d4ab5
SHA512 19a48cd3d502dbaf4de19c4b4fd6ea5f497ccc6eeded32df19ed6452ed970102f9e51a9472472b1edaabf883871a3e4417b3465ef142b28fe1bf9467a5de60e0
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 6b239f9d84d7c7ec4e8357da98058b68
SHA1 c587caaca6fedab98c30d2ce33222335a794fbb0
SHA256 a5f2e80f25671ef5ea1f1f3e0cdb6446ecc683ca43a220d1bf9f69de5bd970eb
SHA512 9ee7b087c6263151787ae8d244fd50399dc0f92541bf4190cf0d52079d362a7395e16ea7d8c31f27e4481de9bbee2ae1c29ae2a3d9b82e8601418ea8e91aa3bb
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394