Analysis
- max time kernel: 146s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2024, 02:01
Behavioral task behavioral1
- Sample: JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe
- Size: 1.3MB
- MD5: 8d758308ba356cd4992ecfdd50db9774
- SHA1: bd07292d17333584c99654a584fae2420f589ed0
- SHA256: b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2
- SHA512: 8ffe7d228ee170dd2b9203bd68cd3ceca415a2eb638977f0269df5f3d4c5c46e1b89b3ed203a5ecb6b1bc22a7246268b942ee83d5fedf0f0ef626a4eb3dd5d3c
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process (54 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Columns: description, pid, pid_target, Process, procid_target. All 54 rows share the same description ("Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process"), pid_target 2300, Process schtasks.exe and procid_target 35; the child pid of each row, in the order reported, is:
  2548, 2768, 2604, 2668, 3024, 2296, 1148, 2508, 1732, 2424, 1460, 2356, 1584, 1936, 1588, 2404, 1744, 276,
  1692, 844, 2672, 2924, 2456, 2812, 1940, 1624, 2704, 444, 692, 1944, 960, 1636, 988, 2016, 1836, 1384,
  1492, 2308, 2180, 1152, 2248, 2276, 2512, 2280, 1220, 2564, 540, 1596, 2984, 3008, 2556, 2104, 2088, 2324
- YARA matches (resource: yara_rule)
  behavioral1/files/0x00070000000175f7-10.dat: dcrat
  behavioral1/memory/2860-13-0x0000000001380000-0x0000000001490000-memory.dmp: dcrat
  behavioral1/memory/2920-148-0x0000000001090000-0x00000000011A0000-memory.dmp: dcrat
  behavioral1/memory/2184-266-0x0000000001320000-0x0000000001430000-memory.dmp: dcrat
  behavioral1/memory/1184-562-0x0000000000280000-0x0000000000390000-memory.dmp: dcrat
  behavioral1/memory/2132-622-0x0000000000BE0000-0x0000000000CF0000-memory.dmp: dcrat
  behavioral1/memory/2868-682-0x0000000000260000-0x0000000000370000-memory.dmp: dcrat
  behavioral1/memory/2460-742-0x0000000000960000-0x0000000000A70000-memory.dmp: dcrat
- Command and Scripting Interpreter: PowerShell (1 TTPs, 19 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.
  pid / Process (all powershell.exe): 2876, 1912, 1924, 2548, 1144, 2720, 2004, 1892, 1740, 1724, 2772, 2760, 2656, 2660, 2808, 2508, 1992, 2636, 1580
- Executes dropped EXE (12 IoCs)
  pid / Process: 2860 DllCommonsvc.exe; dllhost.exe with pids 2920, 1932, 2184, 1704, 1544, 2924, 2688, 1184, 2132, 2868, 2460
- Loads dropped DLL (2 IoCs)
  pid / Process: 2744 cmd.exe, 2744 cmd.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 11 IoCs)
  flow / ioc: flows 4, 5, 9, 26, 29, 36, 13, 16, 20, 23 and 33, all to raw.githubusercontent.com
- Drops file in Program Files directory (12 IoCs)
  Files created, all by DllCommonsvc.exe:
  C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\886983d96e3d3e
  C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe
  C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhost.exe
  C:\Program Files (x86)\Windows Photo Viewer\de-DE\b75386f1303e64
  C:\Program Files (x86)\Windows Media Player\5940a34987c991
  C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe
  C:\Program Files\Google\Chrome\WmiPrvSE.exe
  C:\Program Files\Google\Chrome\24dbde2999530e
  C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\5940a34987c991
  C:\Program Files\Reference Assemblies\Microsoft\Framework\csrss.exe
  C:\Program Files\Reference Assemblies\Microsoft\Framework\886983d96e3d3e
  C:\Program Files (x86)\Windows Media Player\dllhost.exe
- Drops file in Windows directory (2 IoCs)
  Files created, both by DllCommonsvc.exe:
  C:\Windows\PLA\Rules\en-US\smss.exe
  C:\Windows\PLA\Rules\en-US\69ddcba757bf72
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe, WScript.exe, cmd.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 54 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process (all schtasks.exe): 2424, 1692, 2456, 2016, 2672, 2248, 2104, 2812, 1596, 2984, 1624, 960, 1636, 540, 2308, 2280, 3008, 844, 1940, 2704, 1944, 2180, 1220, 2924, 2548, 444, 1152, 2088, 2324, 1584, 276, 2508, 2556, 988, 2296, 1148, 1732, 1936, 1588, 2404, 1744, 1384, 2512, 2564, 2668, 1460, 692, 2768, 2356, 1492, 2604, 3024, 1836, 2276
- Suspicious behavior: EnumeratesProcesses (39 IoCs)
  pid / Process: 2860 DllCommonsvc.exe (9 entries); powershell.exe with pids 2004, 2760, 1144, 2876, 1992, 2720, 2636, 1740, 2808, 2660, 2548, 1580, 2656, 2772, 1724, 2508, 1912, 1924, 1892; dllhost.exe with pids 2920, 1932, 2184, 1704, 1544, 2924, 2688, 1184, 2132, 2868, 2460
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Token: SeDebugPrivilege in every row. pid / Process: 2860 DllCommonsvc.exe; powershell.exe with pids 2004, 2760, 1144, 2876, 1992, 2720, 2636, 1740, 2808, 2548, 2660, 1580, 2656, 2772, 1724, 2508, 1912, 1924, 1892; dllhost.exe with pids 2920, 1932, 2184, 1704, 1544, 2924, 2688, 1184, 2132, 2868, 2460
- Suspicious use of WriteProcessMemory (64 IoCs)
  Columns: description, pid, Process, procid_target. Identical rows are grouped with their count:
  PID 2224 wrote to memory of 2544 | 2224 | JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe | 30 (4 entries)
  PID 2544 wrote to memory of 2744 | 2544 | WScript.exe | 32 (4 entries)
  PID 2744 wrote to memory of 2860 | 2744 | cmd.exe | 34 (4 entries)
  PID 2860 wrote to memory of 2876 | 2860 | DllCommonsvc.exe | 90 (3 entries)
  PID 2860 wrote to memory of 2760 | 2860 | DllCommonsvc.exe | 91 (3 entries)
  PID 2860 wrote to memory of 2720 | 2860 | DllCommonsvc.exe | 93 (3 entries)
  PID 2860 wrote to memory of 2808 | 2860 | DllCommonsvc.exe | 95 (3 entries)
  PID 2860 wrote to memory of 2772 | 2860 | DllCommonsvc.exe | 96 (3 entries)
  PID 2860 wrote to memory of 2636 | 2860 | DllCommonsvc.exe | 98 (3 entries)
  PID 2860 wrote to memory of 1992 | 2860 | DllCommonsvc.exe | 100 (3 entries)
  PID 2860 wrote to memory of 1144 | 2860 | DllCommonsvc.exe | 101 (3 entries)
  PID 2860 wrote to memory of 1724 | 2860 | DllCommonsvc.exe | 102 (3 entries)
  PID 2860 wrote to memory of 1740 | 2860 | DllCommonsvc.exe | 103 (3 entries)
  PID 2860 wrote to memory of 1892 | 2860 | DllCommonsvc.exe | 104 (3 entries)
  PID 2860 wrote to memory of 2660 | 2860 | DllCommonsvc.exe | 105 (3 entries)
  PID 2860 wrote to memory of 2548 | 2860 | DllCommonsvc.exe | 106 (3 entries)
  PID 2860 wrote to memory of 2004 | 2860 | DllCommonsvc.exe | 107 (3 entries)
  PID 2860 wrote to memory of 1924 | 2860 | DllCommonsvc.exe | 108 (3 entries)
  PID 2860 wrote to memory of 2656 | 2860 | DllCommonsvc.exe | 109 (3 entries)
  PID 2860 wrote to memory of 1912 | 2860 | DllCommonsvc.exe | 110 (3 entries)
  PID 2860 wrote to memory of 2508 | 2860 | DllCommonsvc.exe | 113 (1 entry)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4d1df831ef65d1fc8458a43bdfa047510b3ea9569cac8a35809f0a3140cdca2.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2224
- [depth 2] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2544
- [depth 3] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2744
- [depth 4] C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2860
- [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2876
- [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2760
- [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2720
- [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2808
- [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2772
- [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\WmiPrvSE.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2636
- [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1992
- [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\winlogon.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1144
- [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1724
- [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1740
- [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1892
- [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2660
- [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\cmd.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2548
- [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2004
- [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1924
- [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2656
- [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\dllhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1912
- [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Favorites\lsm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2508
- [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Rules\en-US\smss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1580
- [depth 5] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D7EBp90Pxg.bat"
  PID: 1936
- [depth 6] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1480
- [depth 6] C:\Program Files (x86)\Windows Media Player\dllhost.exe
  Command line: "C:\Program Files (x86)\Windows Media Player\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2920
- [depth 7] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6qhkY4Aj1y.bat"
  PID: 540
- [depth 8] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1728
- [depth 8] C:\Program Files (x86)\Windows Media Player\dllhost.exe
  Command line: "C:\Program Files (x86)\Windows Media Player\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1932
- [depth 9] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RjWoOVK6wo.bat"
  PID: 2624
- [depth 10] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1348
- [depth 10] C:\Program Files (x86)\Windows Media Player\dllhost.exe
  Command line: "C:\Program Files (x86)\Windows Media Player\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2184
- [depth 11] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"
  PID: 1204
- [depth 12] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2968
- [depth 12] C:\Program Files (x86)\Windows Media Player\dllhost.exe
  Command line: "C:\Program Files (x86)\Windows Media Player\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1704
- [depth 13] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xm2kK1SIVO.bat"
  PID: 1596
- [depth 14] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1380
- [depth 14] C:\Program Files (x86)\Windows Media Player\dllhost.exe
  Command line: "C:\Program Files (x86)\Windows Media Player\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1544
- [depth 15] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys8lvSze9b.bat"
  PID: 2392
- [depth 16] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3000
- [depth 16] C:\Program Files (x86)\Windows Media Player\dllhost.exe
  Command line: "C:\Program Files (x86)\Windows Media Player\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2924
- [depth 17] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QVLs15dYuc.bat"
  PID: 1924
- [depth 18] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 912
- [depth 18] C:\Program Files (x86)\Windows Media Player\dllhost.exe
  Command line: "C:\Program Files (x86)\Windows Media Player\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2688
- [depth 19] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat"
  PID: 2292
- [depth 20] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2040
- [depth 20] C:\Program Files (x86)\Windows Media Player\dllhost.exe
  Command line: "C:\Program Files (x86)\Windows Media Player\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1184
- [depth 21] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat"
  PID: 2424
- [depth 22] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2288
- [depth 22] C:\Program Files (x86)\Windows Media Player\dllhost.exe
  Command line: "C:\Program Files (x86)\Windows Media Player\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2132
- [depth 23] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q3ZRkRg4YZ.bat"
  PID: 2228
- [depth 24] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1968
- [depth 24] C:\Program Files (x86)\Windows Media Player\dllhost.exe
  Command line: "C:\Program Files (x86)\Windows Media Player\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2868
- [depth 25] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AMKHlt6LWj.bat"
  PID: 2984
- [depth 26] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1048
- [depth 26] C:\Program Files (x86)\Windows Media Player\dllhost.exe
  Command line: "C:\Program Files (x86)\Windows Media Player\dllhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2460
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\providercommon\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\providercommon\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\DllCommonsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:276 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Users\Public\DllCommonsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Public\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Users\Public\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Favorites\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Favorites\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Favorites\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\PLA\Rules\en-US\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\PLA\Rules\en-US\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088 (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\PLA\Rules\en-US\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324 (depth 1)
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 59072839ee960dd04a327d4332531a5e
SHA1: a0ab9f4fd04b54b7c2b83e993477a9abcd93b644
SHA256: 59c442a94f4962ba78df88959a1298d735e53af53e261efe1e79d675d7c289a5
SHA512: 61a9fca060a7de3ebbdac86725f9f7b808c2fc0328341d7c1956bc28301a8e7711d6b90cefd8e9a03dffdbcbda6e610b213923b5b4dd21123220162b3a323bd2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 1c67805f76357bf4fa91c74cfa94499f
SHA1: 381195862024d5f40d7241000e088dbbbdc95403
SHA256: 3747082d873e2c751708ff3b99d5801e22e645872fde6d8060d69a555775e374
SHA512: ef0d35f60dac27cbafa49a3ce9b49e9d3850bba2e684ab4c457ed48e6f15742e90d2adcbfe75526ad910ff2d06a7ad3c7215bcbb319fc9ba17f70215c63d0e4c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: f75b5a569b26b5ed80c717cb0a9aa2ef
SHA1: 9bc911f8ee950beb616665cdb8d51924918890e5
SHA256: ab3b154c405d1d8e5188326dcf9f7f2cb33ca119a42ecc080ea9deb86c9b722b
SHA512: f178b19f70d17875b2d0a0cf61ec5d69d6c95f9e116085db511de3ca3d9f411805ae9d6ebd89474c18fdcffa9caa122323103ce2254a3bcd35747390c9edf110
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 4067748b2bf4b4a51410977e261807b8
SHA1: 9c71032e4f8886a416c8ba89e1b34c9c9c9f46bc
SHA256: 6aa02f0a2c19b668e80813faca68fcb562afa8ed4306fbf1feb81f69298c4620
SHA512: dbe9901658e571400b225f84e35713fd7ea43a979631b61466c47ed0b513c7b16b1029bead2aa3a83e015c5a5ff1a377aaddf9b3aa7f5915fea6d1d7ef597b47
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 330c57bd87c17d42ee4e2788d2ea4029
SHA1: df9a8ab8defd407563acc26a33c48d5898b0afa7
SHA256: dce7945e04bb9cc21f600e962449583aee6623801565aaecd2564033e0395aa4
SHA512: d42a9d7ed1f2830136e8403a121054dc5ad7a78c1ac499563a8a28c6f8174c8909f116baf40d9bdad85375f05fcf42fc1e51f40f2ddf49e8be26b4a1f1c95be9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: bc0c286438eb45cb50c6231cefbf8738
SHA1: 7882d0d80d1b8f92c0a8fb6a84a2a8b017072a35
SHA256: c7e15bb3f1549d4e78fe540189860fb36502ab7e1417d2fe8ad3ae6f17ba6bae
SHA512: 6467e3b56280584081e8304cbf169f6dee47ef09a1566f57d92f11fdef9483382bccd56877446f11662dc96efcc6ec874520a21ca5a7b0f2d650829322f17cad
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 7169006b1ec248d66b375dbb38cde3c5
SHA1: 8b51c871e56bba2736cd211ca5167e0f747ca24f
SHA256: e689ec16271e1907f83234ab7a085b3913f94dd7af2a42d950e62b986f5301a1
SHA512: b8b4a198b85996bd749ed9e37bafef7c9af89ce90be02248e7b4640514ef6c281092d108073fdf3ade0439680266477a61de0531cf51f19d53ea1b75df44356a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 7871f69675f7bb8654e370bfc71122b3
SHA1: 77c63486edceaaf5c03c16f5a0c0accda09936c5
SHA256: 0be4af2a40ae102387b565377b04d2a8c2573de8f7ffecf2e83edd8643a2b0d6
SHA512: 304ebb07a698334afd21c7885b325024e38cc94fbe04e072b98b41aed79964d0e67c08ce41580568c73741c77a5484ea3ea04728e71f872d65531d1bc45791d0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: f9e3d6c5e88ebe264bf1ffff4303f839
SHA1: 60da5d11b95d5655dc365a53306efc5f002cbe64
SHA256: f26f04f0c736e8fdf3163d38371748a2e0b0b9a019f9b284a0d4ac10eecab73f
SHA512: 0ef7487237bcf4ceb0a841934421bb4e1048b3d2aee6ab1487bb6f2a0ebe37061e7444fdd6f19d64041d05ae4c6869822e3c01af40a7d7b563b9a96cd25fb2cd
-
Filesize: 220B
MD5: 6ee65545091c107f727103b4c3b7de31
SHA1: bbd1e8efa11a098a8583e436f9b99618b6d992bb
SHA256: 23cb4c1a521cfee2889993e24e7611ab41db6fb78ecf81d0c3dc682788601959
SHA512: 89e6c28b2b3702b68e5a7da248030ddec13bdc1dcac1cdb03fb233ee83164b0166aa02907d1207799a58c849a5208cec852def48e1b7998ab66b47d0879931c9
-
Filesize: 220B
MD5: 9df396c5e0d7a57e38d8ae4bb6264236
SHA1: 47916441423647a4032ec84a73b39ed0263eb0de
SHA256: 32aff5481abb5f3efa3f61b234fa0ea96978863d3730902d80ec35fe5276685a
SHA512: ee82d31bbc2c202f7642eafc88b95dca4c2ab51a4e19c81af9fd0e3a6a5d210ab2812bc7475662c578bf2ee1a446ef6263741a8de9c332b17b0cac1fd4bb5672
-
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize: 220B
MD5: a0558142895798c915fe2d9cb05cbebd
SHA1: fb81470aa959b2df364537a80860afdf56ced571
SHA256: d6bbb9e469dd4f09fb50b394c635716a6461d088338e1dbf24cf13c500f542d9
SHA512: 4f1b27bdafa3e4644382f22c1f3d3e2bdbad276a39a34deb9f5d016bfe3ebcef1cdbced0d6e0fd344583ec63c0bce0417393a8a9bfc14217cba8863fe6549461
-
Filesize: 220B
MD5: f399cc4c701a67a4c565fbdb8b728b64
SHA1: f7ea9b60c123fe32534f92a8619bd73d3e510461
SHA256: 3e52c028ff897d02ca40b85d3eccf2d9e72acd273c5a3f02e89e203361d7f394
SHA512: 3da43f4275fe93047bbdf4226fbb4bdda058fe9de7a9c2f2ea293009f3f91ba41cb760368cc3ac629ce6390ba41c85784178b595a2b0b7f3a3dd76008025d79e
-
Filesize: 220B
MD5: 56a20d8878cd3cb9bca7f9d37d280423
SHA1: cde388d248f1b59223da6d1b9aa3d51fa2ecdf89
SHA256: a063a5b4352e62309c9311051b8299f62e33621739c5e8797b6ed83e399be1b1
SHA512: e75a43b1701c5692b09dfc3f8fc827049d3dbc463a4eb697489f2f39be51d3e806cd6d79f82041ee4eb1b5f8e2930c67793d1f03534a1d76db14b6accc3d5d18
-
Filesize: 220B
MD5: 396b6bdcd5e5069f244b1eeb16bfa7d6
SHA1: 6868e291ee94ca91fc2da6bdfa1dc31033941904
SHA256: 5395f9b7a648022efc5cd8b8eddbf5468b3de092104f646de5766d8a7b3899b5
SHA512: 12371ba9f02fee6efc156e1f8eabfd33d2088d6c6a1c9837fa1ddeb59add8d1c211796d457a20b7d56d8cc90e873f05975b3c9fe9f3a7cfad7bd9caad28c8644
-
Filesize: 220B
MD5: ab8410fe35ea6a38c02b067a1b6b178c
SHA1: fa35205f4f0107a6f9e48a6c391aa6bcf1a37c04
SHA256: 94c526622f287da4e6f6fc06ccc71c5e39f353ac4a69f73242108a1be228cd01
SHA512: bba8dcb837afc78e2c19b63681cb770f44a70e42de70b6d20095559142c620cf3bd0e4f2b0cbc264048d66e043821544d2fb8b93374ec3794c2800587e49b25b
-
Filesize: 220B
MD5: b229017f22310c8b9d1f05c30991eb8a
SHA1: 8232d20339b18a485f2481e690337bd283ffd6b9
SHA256: 62de0373a7b35d7f726e253f7c6eb631eceff0ae1fb281abc79795499dc45a87
SHA512: 04cb78c127131efef93bc3e70f599a18c00fbc824362472272e81c24e0bcb2fbcd31a167c990e5c5a77e376f5aa63f5120ab0631f8f6224a217b419fa4afc0fe
-
Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize: 220B
MD5: 5929c883abe77a485cd673712e6157cd
SHA1: 6c4350f263841285bdb4151f15f8826214e35db6
SHA256: 5aa35028cc6760b422be3fcecfdbe1596b7696a08bccfbf1ee895b21ae48db9d
SHA512: 285854de724bacb90aa4f8ba536766759a93befe609150daabd5afd75c89f60065e325b1f8c3545c86bc48225f7bf1c77ade8854abf779a7e2224ab16717c308
-
Filesize: 220B
MD5: d53357e2c8f39eac0ee58f6caba60b60
SHA1: 5b16748f2e5dcc8d9714f3c1a6bf843ea8eb0ab7
SHA256: edfc7335e0e4196748346280d5865d72efd608ce4407d2cfa9754c43adc0d62b
SHA512: 18721a834a756bad3b6412c4d851546eecd33cd034da5d176db426bbbe34b12de639924985a4e5f206e1448823eebde2e3b52f8cfbef89d45f943b74debb11c4
-
Filesize: 220B
MD5: 2d68adc297ba15436f12f0aaae2d4071
SHA1: d0797bca48cb12826935cf1c0dfa9ab436aa641a
SHA256: a1cb3a3a7a4b06f4649b8f6e41ebacc014e44c6902e83683082b96dc15409175
SHA512: f07b7e95c4a3f505165f709d31557e74a4d7bb90cef8586454f75007169e278cfc8fb77383eaf6c25e246cab94bf55f718b4acd181eb00c59e0ff3a6795eec1e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: abeca5e9c2df995ec43df1ca199cdbfe
SHA1: 9d378f1aa57361c6279469983039c01ac8522e1e
SHA256: d6e9866ffef01d8ad79f2d2820998a25c04d2cb0a998699437cbd4e9e0364b1e
SHA512: c22e92c90c074a829f90b9f3aac5b0eea2fb022e1c393f6d717281d6c9d880872c195af4350fa7a9f00d334956622914d27a26cdd07a6549a4e15c7ccfd01a2f
-
Filesize: 36B
MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize: 1.0MB
MD5: bd31e94b4143c4ce49c17d3af46bcad0
SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize: 197B
MD5: 8088241160261560a02c84025d107592
SHA1: 083121f7027557570994c9fc211df61730455bb5
SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478