Analysis
max time kernel: 142s
max time network: 138s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 02:43

Behavioral task: behavioral1
Sample: JaffaCakes118_a5d27a98f91803a0ed7919cbc8a4c44cecb02c72a13be111867a117783a7b72f.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_a5d27a98f91803a0ed7919cbc8a4c44cecb02c72a13be111867a117783a7b72f.exe
Resource: win10v2004-20241007-en

General
Target: JaffaCakes118_a5d27a98f91803a0ed7919cbc8a4c44cecb02c72a13be111867a117783a7b72f.exe
Size: 1.3MB
MD5: 076958015ed390af121a6dbb9badb6a7
SHA1: 26b8091a850412aa1de37fc71ebef366bd6be4d0
SHA256: a5d27a98f91803a0ed7919cbc8a4c44cecb02c72a13be111867a117783a7b72f
SHA512: 3eca7f893cde7d582feda5daf0af75ca3b4f4f73ced71441d220800e20433bc69a6d22864e85f18c0e9ce0de2bbbe06161e9192886976515eb4ca46b77da7c9a
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
resource | yara_rule
behavioral1/files/0x00070000000193d9-12.dat | dcrat
behavioral1/memory/2756-13-0x0000000000CB0000-0x0000000000DC0000-memory.dmp | dcrat
behavioral1/memory/2836-130-0x00000000000D0000-0x00000000001E0000-memory.dmp | dcrat
behavioral1/memory/1724-189-0x0000000000A20000-0x0000000000B30000-memory.dmp | dcrat
behavioral1/memory/2064-249-0x00000000003D0000-0x00000000004E0000-memory.dmp | dcrat
behavioral1/memory/840-309-0x0000000001240000-0x0000000001350000-memory.dmp | dcrat
behavioral1/memory/1168-369-0x0000000001390000-0x00000000014A0000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Executes dropped EXE 11 IoCs
pid | Process
2756 | DllCommonsvc.exe
2836 | WmiPrvSE.exe
1724 | WmiPrvSE.exe
2064 | WmiPrvSE.exe
840 | WmiPrvSE.exe
1168 | WmiPrvSE.exe
1744 | WmiPrvSE.exe
1120 | WmiPrvSE.exe
1336 | WmiPrvSE.exe
1704 | WmiPrvSE.exe
2976 | WmiPrvSE.exe
Loads dropped DLL 2 IoCs
pid | Process
2752 | cmd.exe
2752 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow | ioc
12 | raw.githubusercontent.com
15 | raw.githubusercontent.com
32 | raw.githubusercontent.com
25 | raw.githubusercontent.com
29 | raw.githubusercontent.com
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
9 | raw.githubusercontent.com
18 | raw.githubusercontent.com
22 | raw.githubusercontent.com
Drops file in Program Files directory 13 IoCs
description | ioc | Process
File created | C:\Program Files\Windows Photo Viewer\es-ES\cc11b995f2a76d | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Sidebar\it-IT\5940a34987c991 | DllCommonsvc.exe
File created | C:\Program Files\Windows Media Player\ja-JP\csrss.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Media Player\ja-JP\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\services.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\c5b4cb5e9653cc | DllCommonsvc.exe
File created | C:\Program Files\Windows Photo Viewer\es-ES\winlogon.exe | DllCommonsvc.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\lsm.exe | DllCommonsvc.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\101b941d020240 | DllCommonsvc.exe
File created | C:\Program Files\Common Files\SpeechEngines\Microsoft\System.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files\Common Files\SpeechEngines\Microsoft\System.exe | DllCommonsvc.exe
File created | C:\Program Files\Common Files\SpeechEngines\Microsoft\27d1bcfc3c54e0 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Sidebar\it-IT\dllhost.exe | DllCommonsvc.exe
Drops file in Windows directory 9 IoCs
description | ioc | Process
File created | C:\Windows\Boot\EFI\en-US\csrss.exe | DllCommonsvc.exe
File created | C:\Windows\Setup\State\b75386f1303e64 | DllCommonsvc.exe
File created | C:\Windows\SchCache\cmd.exe | DllCommonsvc.exe
File created | C:\Windows\SchCache\ebf1f9fa8afd6d | DllCommonsvc.exe
File created | C:\Windows\Tasks\c5b4cb5e9653cc | DllCommonsvc.exe
File created | C:\Windows\L2Schemas\services.exe | DllCommonsvc.exe
File created | C:\Windows\Setup\State\taskhost.exe | DllCommonsvc.exe
File created | C:\Windows\Tasks\services.exe | DllCommonsvc.exe
File created | C:\Windows\L2Schemas\c5b4cb5e9653cc | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_a5d27a98f91803a0ed7919cbc8a4c44cecb02c72a13be111867a117783a7b72f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 30 IoCs
Suspicious use of AdjustPrivilegeToken 26 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a5d27a98f91803a0ed7919cbc8a4c44cecb02c72a13be111867a117783a7b72f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a5d27a98f91803a0ed7919cbc8a4c44cecb02c72a13be111867a117783a7b72f.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3012

[depth 2] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2736

[depth 3] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2752

[depth 4] C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2756

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1752

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\SpeechEngines\Microsoft\System.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2228

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 892

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 880

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\taskhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 900

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 380

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\it-IT\dllhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 316

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1744

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\ja-JP\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1620

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\cmd.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2952

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\services.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2232

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\services.exe'
  - Command and Scripting Interpreter: PowerShell
  PID: 2900

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\services.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2748

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\WmiPrvSE.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2880

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\es-ES\winlogon.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3036

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\lsm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2416

[depth 5] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4jUwetVEPL.bat"
  - Suspicious use of WriteProcessMemory
  PID: 988

[depth 6] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1932

[depth 6] C:\Users\All Users\Favorites\WmiPrvSE.exe
  Command line: "C:\Users\All Users\Favorites\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2836

[depth 7] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iIDKKqsGny.bat"
  PID: 636

[depth 8] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1404

[depth 8] C:\Users\All Users\Favorites\WmiPrvSE.exe
  Command line: "C:\Users\All Users\Favorites\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1724

[depth 9] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9minE9DcLk.bat"
  PID: 2768

[depth 10] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2832

[depth 10] C:\Users\All Users\Favorites\WmiPrvSE.exe
  Command line: "C:\Users\All Users\Favorites\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2064

[depth 11] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUI7DLfHyj.bat"
  PID: 2460

[depth 12] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1960

[depth 12] C:\Users\All Users\Favorites\WmiPrvSE.exe
  Command line: "C:\Users\All Users\Favorites\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 840

[depth 13] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat"
  PID: 2292

[depth 14] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2480

[depth 14] C:\Users\All Users\Favorites\WmiPrvSE.exe
  Command line: "C:\Users\All Users\Favorites\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1168

[depth 15] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vlZZCFJNsh.bat"
  PID: 2032

[depth 16] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2036

[depth 16] C:\Users\All Users\Favorites\WmiPrvSE.exe
  Command line: "C:\Users\All Users\Favorites\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1744

[depth 17] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wzkVYe0vvu.bat"
  PID: 952

[depth 18] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2936

[depth 18] C:\Users\All Users\Favorites\WmiPrvSE.exe
  Command line: "C:\Users\All Users\Favorites\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1120

[depth 19] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FnVhX1xwia.bat"
  PID: 2288

[depth 20] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 608

[depth 20] C:\Users\All Users\Favorites\WmiPrvSE.exe
  Command line: "C:\Users\All Users\Favorites\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1336

[depth 21] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat"
  PID: 1580

[depth 22] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1800

[depth 22] C:\Users\All Users\Favorites\WmiPrvSE.exe
  Command line: "C:\Users\All Users\Favorites\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1704

[depth 23] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rBMLF9HJtT.bat"
  PID: 1864

[depth 24] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2332

[depth 24] C:\Users\All Users\Favorites\WmiPrvSE.exe
  Command line: "C:\Users\All Users\Favorites\WmiPrvSE.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2976
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\SpeechEngines\Microsoft\System.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2116

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Common Files\SpeechEngines\Microsoft\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 576

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\SpeechEngines\Microsoft\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2520

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3036

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2392

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1856

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1484

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1964

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1672

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\Setup\State\taskhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2000

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Setup\State\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1712

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\Setup\State\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2332

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\providercommon\lsass.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1148

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 752

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1352

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 536

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 864

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2876

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2716

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2872

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2972

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\ja-JP\csrss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2620

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1668

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\ja-JP\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 916

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Windows\SchCache\cmd.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 444

[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\SchCache\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Windows\SchCache\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Tasks\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\L2Schemas\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\L2Schemas\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Favorites\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Favorites\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 bf791f7401ce6ab96ee6c7043468b560
SHA1 671d8aeb5bca76d006d57c9ffd02f520f3cab104
SHA256 55af8c6815c47d3d67a3ce4a72a0a819fa5069a3d308c7ce8a13f7e5433b1111
SHA512 6001cc5286342dfe88f0a68b1e7c81af9f1e8aa15012ff557c0b765c344e25766a9778e886e9258522b93b92c2ab404c0f8ec884d44756f769b0059ff70f28be
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 483b92c3b8df0f07e1e5adabaef54e1b
SHA1 1435158110dbf7ca74cd483b8c060b459d8cdae0
SHA256 a4ea3f5add637cf0a5d65a0ade24ea1f6e623c7f085318a1408f9bfb46c49c68
SHA512 7f7527839d18f4f018a6c2d63c9c01d0b61a8eaeafa0b8d278ab1d06d1eb4d66715666b82aaa1866325a96046f0c884ab22be53bedbda02c1a2b1ba209f13f62
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 c2c97ce17fa1c06c35e6679aacb3b882
SHA1 a3ecc243ff4fd898dc9f95baf5776f831370aa72
SHA256 2b836a9e0ab552197417e70d6d0f42f27dc703ecbc4e17acfb93c3bc12ed26bc
SHA512 609e2c564f3697596404c37e8d0683de208926f808032f8ff309ef3178626594ec6dd6b4aa0b7145b7d851bf3551365aafeb492526dad2b40f67e72fe90aad3f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 f9c2ea2e2f724825012bbecafad297f5
SHA1 0c8d021e1eb9ca5ceda79f6fe67189f23148fd54
SHA256 b5746040271c38f81998df5909e0f53b1c99d36cfea99c43c4b1c7648a97d422
SHA512 e6ae42c57c677bb1fd5b445e47d9f990f2b5b8f5f7ede019a67bc55ba1c8dada49aabb4bc1497c1119f240149f0fe7799d17f7323d84157f765c2e8bc3fcf487
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 fdba1f88db444821824b9fba4ad9cb50
SHA1 2e3078236ac92407773d1996514eb62b9288b571
SHA256 2a06d8b83c3dc7b22c919d713f321484b05d99e791a1adcbcb9a5483054677da
SHA512 c338f009b6a108ef1f6770315003fea95afd330e3b6412ebff26dfd4d1036bf465f79619c9758475bc58607cfb8f170d5bc7116727534105829643647e4cab02
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 7d30450ea1a1ad6cbebbd6bb7bd2af7e
SHA1 fa1345ca833d1440b0061766c9f5d42d9307c70f
SHA256 8bf3c94df37b166425ef68a241084ff4b1e4e27380b584d27d41758ec6c6b3f2
SHA512 d225e76396cbf5e64eb036d514eb4fa533abbd9cfed706e0538c8f15448034c440e4c20a7227121d3e28289f19225b096e115891cd087b25af03833fd01c0968
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 acce86892c78acb3186989f017437513
SHA1 61bdca392e9249a359252103cd4dfe2c40af29ca
SHA256 31521a28e0e070691ad7bb2aa8488d79cb66e4361f9a8cc97e39c2a345e9b4b8
SHA512 4895c9689fef28b4c6e4f1558a736beb34c4e86c7c98bb6a2efa8f986f9c5542c52e3af864fd0f878d07b6644f8c446b17b743f162cb1ed4042ee0bd9c52d4ca
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 126d4e5bd25001ead5be5720c0d7dff8
SHA1 8a7f5a22df393a70d913786ffed6cd05be489ead
SHA256 71542a73c57538b1ceffc50c1f14df55c3cd539d669043d89c96b7f4ace2ca5d
SHA512 584d56c0885096d1d65882b0764b184433960ab2eacfb919819a1cb11d718a3f55c1b8018c7ce0ec4d60c36df0eca41f133b28d21872bc3f1b1c025cf4337826
-
Filesize 206B
MD5 883dca7463f9ce764f46c874b6eabe26
SHA1 79f7b0fff2b9ba20e9e5c1f6e6aef44f3e4de879
SHA256 a18f7ce201b1289c26e044e9255f366c6704f64e178de5167fa1aa015c61eef4
SHA512 5b5d69998c0a89253deb6ec4315adff3680d1e201a282d454a35874e842387502fbb12b7c55f2b9c5937c1ad29493f8aaa4de588d09d9afce55fcae62122db84
-
Filesize 206B
MD5 071c1ad329c71ba16a5d19da03a5c712
SHA1 0f820f751f2639609f45c4047dced7f8a92421d7
SHA256 488bc0b7d057114680579e422f4519198fb576c80d40b441fe3118789cf46f49
SHA512 93271ba0a80237a36b981f096be759ce2cb85e7c7a29f18702a5d105c4da6f2e1b307e2acb0d87486f463db320dcdd92fbb0dbd876b50e0a3509fd2490b181aa
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 206B
MD5 24a947b3721825cb366c27eb2ae488c3
SHA1 d5cf0c92250c67ef1ee3a5121b5321a3914635ae
SHA256 06964247543633f9d602a78df7ce4c14d6e93053b9c05fea243f782469e6b8ac
SHA512 56996b6336c2d6f9d2a2bfa61635066e4dc785c3b2f11ed8b822fb5340b6ddadf1430561f1d2b243cfb1ad3da0ecee76c8865efa984d52da50fe891ad329faae
-
Filesize 206B
MD5 0b15c323649227a5d47cfc6c191057f7
SHA1 bff9a44ac4c3880b3f385337201ebd984fa98df0
SHA256 53e8425e5f9a8b6d29a9dec11a683fa41e7336089e3037775cb0c90308aabfbc
SHA512 1df91db263fe6f833b318715271be7f53e192fc1c0cb71c6ff1c69dfab920640d0842fa21bce6c3649f558ffbbbd095e9350b0dd528b84551316c41fec339fce
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 206B
MD5 ebbf649fd51e21ad53d17f0b945b16c4
SHA1 6489230da53a96a44e762d6acb72a1c37b9ca2b0
SHA256 cef5b463036b734980ae3f63477563331b05d05ccd980960097214c4028717ec
SHA512 b4d31dc296131568974847bcc94ad9afa6ccc6f5d03dcd532efe26ee9ed3fc8c90be566af18a605ae9bdc561bc431b55f016342e7f4b985f873ca3ad9fa8ed8d
-
Filesize 206B
MD5 82dd01a08a209e21fe3c6784b2fcd1cb
SHA1 306aff79c2054726e429b3e3c1257ebc02e9a2c8
SHA256 1933f2377b1afe3390fad58a1a62c420c5c9ea5b3e7ddb25f366af381bb6c5e5
SHA512 ee1039639e330da688bae0e323a3eb2b4ebb53d740566ab6c9e91db17b9bcd22632b341bef642377904d0029a5b6cfcc84dc54258f4fbbbb2012dfb8c398f72d
-
Filesize 206B
MD5 f659c0ced0971eb9cee38fb7f9d2c22b
SHA1 32d3155f0925189bea6461fe997252a279eefd2c
SHA256 ab3a3e84b57d65ced9180be1978fcd4b76aa9da4bd92aba571591e45c49dbcf9
SHA512 563bc936efb9d2d6eb46e3e73ca6ed2b39d5e057091ae8aa1f6742fea08d3446c975d98901e6cbb26157f5d49ac6f3f0140e588ae51b6a4a8a325fec4bbe3895
-
Filesize 206B
MD5 0e6d7eeebd251e3a75fc110b5c9fe248
SHA1 dab8892ebfbbd45d5e858ed0871cd45be3584807
SHA256 c42defba150e00cf1e6f13aa2e4e78bd249ad3d355e9f82492239d6d404af4b7
SHA512 bfe1cdcfcf0bf00c4f58a32610c10684ed7fbf073e07bbf9e5a71ca2d95ddafed77a886f7ab41372189f67cdee49191e1daad9f61309101acb3d7cddcc433e50
-
Filesize 206B
MD5 aca9005852148ff12661298eec51afba
SHA1 f323e27a40516a7c4cf78eb37691790bbece6819
SHA256 4ae4b90f87c6a30b107eae74d689045d5cd4cd6889768d428b92f69b93a84352
SHA512 6d4f05e727202bdd2e8685df7186ac9e40d12f886112e68f9491fcf817817e02d4326350d7b39c98cfbde78b0b66b3375a55e0ec1125def64b7d67b4ba712f21
-
Filesize 206B
MD5 647f23a2ebb03606579840b3a16c322c
SHA1 21255a8b4e7ac573aeaa6672ea69ae11af0433e2
SHA256 57675aa87c8a66763321d393421c215465be110fa8be11f938edee69fb284bdd
SHA512 947857adc60ee267b6b08535b6a9678582e5d197b9d9e62df912bcb0ea7e0037995a03cc4d4989fea222239f96c73c1d44a8508c05e238551fd3b4226cbd9682
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 885627a70ae71ca9e7b87859bcde7cf8
SHA1 accf4fcb61a9c939c81a5f9c0a6f33beaa619e62
SHA256 54dbec5d6dcb6c99797b50da9e9d0632ce1c8abd3c3e049a2c1d47cf7adaa9d8
SHA512 cbb1ca910c7b0c0f4a85af1deac09748c6e400258757fe7592684afbb1163ff5d29dc325477ff25f53d0ddeb027a390760fbf04cdd1fd34a16fd49be8ba3c7a2
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478