Analysis
max time kernel: 147s
max time network: 143s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 02:02
Behavioral task behavioral1
Sample: JaffaCakes118_30cb004eae1bdb1d9613d1586c363bef8d1c4f3fc926812d2de2ec6325707367.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: JaffaCakes118_30cb004eae1bdb1d9613d1586c363bef8d1c4f3fc926812d2de2ec6325707367.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_30cb004eae1bdb1d9613d1586c363bef8d1c4f3fc926812d2de2ec6325707367.exe
Size: 1.3MB
MD5: 9d6a6c835223becab287987d7c1aae59
SHA1: f2428e81d4d2a67fb5de23ca65a45254a0e6acc8
SHA256: 30cb004eae1bdb1d9613d1586c363bef8d1c4f3fc926812d2de2ec6325707367
SHA512: bfc8861b5b4cdc2facca5b0564bd7a07ed827b6b0d1584c31036e59254d48b51bc6d9ed21183895f902d77e7bb5e57692ba645ed6d95cea67709e6e0722fd1ff
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that can load additional plugins at runtime.
-
Dcrat family
-
Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro. For a wmiprvse.exe parent specifically, the usual cause is not a compromised WMI Provider Host but process creation through WMI (the Win32_Process class's Create method), which makes wmiprvse.exe the recorded parent of every child; the real initiator is whichever process issued the WMI call, and the parent/child relationship alone does not reveal it.
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
Process: schtasks.exe; pid_target: 2540; procid_target: 34 (identical for all 48 rows)
pid: 2960, 2964, 2988, 2756, 2752, 2836, 2944, 1492, 1724, 1656, 1728, 1916, 2016, 772, 532, 1416, 1272, 1456, 2492, 1944, 2908, 3052, 1736, 2904, 2236, 2548, 444, 832, 1784, 952, 616, 2472, 1240, 688, 572, 1360, 308, 1036, 752, 2396, 2288, 1928, 2464, 1748, 2444, 1164, 1804, 2300
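The 48 rows above reduce to one detection rule (a living-off-the-land binary whose parent is wmiprvse.exe) plus a burst count, since one WMI-launched schtasks.exe can be admin tooling but dozens inside a few seconds is persistence being installed. The Python below is an added example, not part of the sandbox report or of DcRat: it runs that rule over constructed process-creation records that mirror the table (PIDs, task names and target paths are taken from the report; the timestamps, the Sysmon Event ID 1-style field names and the two benign control rows are this example's assumptions).

```python
"""Flag process creations whose parent is wmiprvse.exe (WMI Provider Host).

Added example; not part of the sandbox report or of DcRat. A process started
through WMI's Win32_Process.Create is parented by wmiprvse.exe, so the report's
48 schtasks.exe rows mean "created via WMI", not "wmiprvse.exe was exploited".
Records are constructed to mirror the report (PIDs, task names and target paths
from it; timestamps, field names and the benign rows are assumptions).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# LOLBins a WMI client has no business starting (assumed list).
SUSPECT_CHILDREN = {"schtasks.exe", "powershell.exe", "cmd.exe", "wscript.exe",
                    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
TASK_NAME = re.compile(r'/tn\s+"([^"]+)"', re.I)


@dataclass(frozen=True)
class ProcEvent:            # Sysmon Event ID 1 field names, by assumption
    utc_time: datetime
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def wmi_spawned(events):
    """Events whose parent is wmiprvse.exe and whose image is a suspect child."""
    return [e for e in events
            if basename(e.parent_image) == "wmiprvse.exe"
            and basename(e.image) in SUSPECT_CHILDREN]


def bursts(hits, window=timedelta(minutes=2), threshold=5):
    """Parent PIDs that produced >= threshold hits inside any window-long interval."""
    per_parent = defaultdict(list)
    for e in hits:
        per_parent[e.parent_pid].append(e.utc_time)
    out = {}
    for ppid, times in per_parent.items():
        times.sort()
        j, best = 0, 0
        for i, t in enumerate(times):        # sliding window over sorted times
            while t - times[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            out[ppid] = best
    return out


def scheduled_task_names(hits):
    """Task names registered by schtasks.exe hits, to hunt for on other hosts."""
    names = set()
    for e in hits:
        if basename(e.image) == "schtasks.exe":
            m = TASK_NAME.search(e.command_line)
            if m:
                names.add(m.group(1))
    return sorted(names)


def schtasks_create(tn, sc, tr, mo=None, rl=None):
    """Rebuild the report's schtasks command lines (same quoting as in the tree)."""
    parts = [f'schtasks.exe /create /tn "{tn}" /sc {sc}']
    if mo:
        parts.append(f"/mo {mo}")
    parts.append(f'/tr "\'{tr}\'"')
    if rl:
        parts.append(f"/rl {rl}")
    parts.append("/f")
    return " ".join(parts)


T0 = datetime(2024, 12, 30, 2, 3, 0)     # assumed clock; the report has no timestamps
WMIPRVSE = r"C:\Windows\system32\wbem\wmiprvse.exe"
SCHTASKS = r"C:\Windows\system32\schtasks.exe"
DLLCOMMON = r"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe"
SERVICES = r"C:\Windows\ModemLogs\services.exe"

SAMPLE_EVENTS = [
    ProcEvent(T0 + timedelta(seconds=s), pid, SCHTASKS, cmd, 2540, WMIPRVSE)
    for s, pid, cmd in [
        (0, 2960, schtasks_create("DllCommonsvcD", "MINUTE", DLLCOMMON, mo=12)),
        (1, 2964, schtasks_create("DllCommonsvc", "ONLOGON", DLLCOMMON, rl="HIGHEST")),
        (1, 2988, schtasks_create("DllCommonsvcD", "MINUTE", DLLCOMMON, mo=6, rl="HIGHEST")),
        (2, 2756, schtasks_create("servicess", "MINUTE", SERVICES, mo=11)),
        (2, 2752, schtasks_create("services", "ONLOGON", SERVICES, rl="HIGHEST")),
        (3, 2836, schtasks_create("servicess", "MINUTE", SERVICES, mo=12, rl="HIGHEST")),
    ]
] + [
    # Constructed controls that must not fire: an admin's interactive schtasks
    # under cmd.exe, and a non-LOLBin child under wmiprvse.exe.
    ProcEvent(T0 + timedelta(minutes=30), 4100, SCHTASKS,
              r'schtasks.exe /query /tn "\Microsoft\Windows\Defrag\ScheduledDefrag"',
              4090, r"C:\Windows\System32\cmd.exe"),
    ProcEvent(T0 + timedelta(minutes=31), 4120, r"C:\Windows\System32\WerFault.exe",
              "WerFault.exe -u -p 2540 -s 1234", 2540, WMIPRVSE),
]

if __name__ == "__main__":
    hits = wmi_spawned(SAMPLE_EVENTS)
    print(len(hits), "WMI-spawned LOLBins; bursts:", bursts(hits))
    print("task names to hunt:", scheduled_task_names(hits))
```

On real telemetry the burst threshold belongs to the environment: software deployment tools also create tasks through WMI, so tune it against a baseline before alerting rather than copying the value used here.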
resource (yara_rule: dcrat for every row)
behavioral1/files/0x0009000000016009-9.dat
behavioral1/memory/2544-13-0x0000000001170000-0x0000000001280000-memory.dmp
behavioral1/memory/1296-65-0x00000000002B0000-0x00000000003C0000-memory.dmp
behavioral1/memory/748-189-0x00000000013C0000-0x00000000014D0000-memory.dmp
behavioral1/memory/2180-367-0x0000000000390000-0x00000000004A0000-memory.dmp
behavioral1/memory/2808-428-0x00000000002E0000-0x00000000003F0000-memory.dmp
behavioral1/memory/2408-489-0x0000000000130000-0x0000000000240000-memory.dmp
behavioral1/memory/2132-549-0x0000000000300000-0x0000000000410000-memory.dmp
behavioral1/memory/2036-609-0x0000000000370000-0x0000000000480000-memory.dmp
behavioral1/memory/1508-669-0x0000000000EE0000-0x0000000000FF0000-memory.dmp
Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs
Runs PowerShell to modify Windows Defender settings by adding exclusions (file extensions, paths, or processes). Every invocation in this run is Add-MpPreference -ExclusionPath for one of the dropped payload locations, executed before the corresponding binary is scheduled.
powershell.exe PIDs (17): 2600, 2168, 2616, 2536, 2796, 2712, 2516, 1812, 2760, 2872, 2736, 1576, 2652, 2656, 2664, 3064, 1780
Executes dropped EXE 12 IoCs
DllCommonsvc.exe: 2544
lsm.exe: 1296, 748, 1684, 2300, 2180, 2808, 2408, 2132, 2036, 1508, 1088
Loads dropped DLL 2 IoCs
cmd.exe: 3060 (two loads)
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
raw.githubusercontent.com: flows 4, 5, 9, 12, 15, 18, 22, 25, 28, 31, 34
Drops file in Program Files directory 4 IoCs
File created  C:\Program Files (x86)\Google\Temp\System.exe  (DllCommonsvc.exe)
File created  C:\Program Files (x86)\Google\Temp\27d1bcfc3c54e0  (DllCommonsvc.exe)
File created  C:\Program Files\Internet Explorer\fr-FR\wininit.exe  (DllCommonsvc.exe)
File created  C:\Program Files\Internet Explorer\fr-FR\56085415360792  (DllCommonsvc.exe)
Drops file in Windows directory 2 IoCs
File created  C:\Windows\ModemLogs\services.exe  (DllCommonsvc.exe)
File created  C:\Windows\ModemLogs\c5b4cb5e9653cc  (DllCommonsvc.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the victim's system language in order to infer the host's geographical location.
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (JaffaCakes118_30cb004eae1bdb1d9613d1586c363bef8d1c4f3fc926812d2de2ec6325707367.exe)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (WScript.exe)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (cmd.exe)
Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
schtasks.exe PIDs (48): 752, 1748, 2300, 2944, 1656, 2904, 688, 2464, 1164, 2964, 1272, 2756, 1728, 1456, 2236, 1240, 1804, 1360, 1916, 2016, 1416, 2492, 616, 2472, 572, 1036, 2444, 2288, 2752, 1724, 772, 1736, 1784, 952, 2396, 1928, 2960, 1944, 3052, 308, 832, 2988, 2836, 1492, 532, 2908, 2548, 444
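The Defender-exclusion PowerShell calls (under Command and Scripting Interpreter above) and the schtasks.exe /create calls counted here point at the same set of dropped binaries, and those binaries borrow core Windows process names (csrss.exe, lsm.exe, services.exe, dwm.exe, wininit.exe, sppsvc.exe, dllhost.exe, conhost.exe, explorer.exe, and System.exe/Idle.exe, which have no image file at all) in directories where the real processes never live. The Python below is an added example, not part of the report or of DcRat, that parses both kinds of command line and correlates them per target path. The command lines are copied from the report's process tree; the AcmeUpdater control task, the table of legitimate directories and the scoring weights are this example's assumptions.

```python
"""Correlate Defender-exclusion and schtasks persistence artefacts per target binary.

Added example; not part of the sandbox report or of DcRat. PS_CMDS and TASK_CMDS
are copied from the report's process tree except the "AcmeUpdater" control,
which is constructed. SYSTEM_NAMES is this example's own table.
"""
import re
from dataclasses import dataclass, field

# Core Windows process names and the only directories their real image lives in.
# System and Idle are kernel pseudo-processes with no image file, so any
# System.exe / Idle.exe on disk is a masquerade wherever it sits.
SYSTEM_NAMES = {
    "csrss.exe": {r"c:\windows\system32"},
    "lsm.exe": {r"c:\windows\system32"},
    "dwm.exe": {r"c:\windows\system32"},
    "wininit.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "sppsvc.exe": {r"c:\windows\system32"},
    "dllhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "conhost.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "system.exe": set(),
    "idle.exe": set(),
}

EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.I)
TASK_FIELDS = {
    "name": re.compile(r'/tn\s+"([^"]+)"', re.I),
    "schedule": re.compile(r"/sc\s+(\S+)", re.I),
    "modifier": re.compile(r"/mo\s+(\d+)", re.I),
    "target": re.compile(r'''/tr\s+"'?([^"']+)'?"''', re.I),   # /tr "'path'" or /tr "path"
    "runlevel": re.compile(r"/rl\s+(\S+)", re.I),
}


@dataclass
class Persisted:
    path: str
    tasks: list = field(default_factory=list)   # (name, schedule, modifier, runlevel)
    defender_excluded: bool = False
    masquerade: bool = False


def norm(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").lower()


def is_masquerade(path: str) -> bool:
    """True when the file name is a core Windows process name in a foreign directory."""
    directory, _, name = norm(path).rpartition("\\")
    return name in SYSTEM_NAMES and directory not in SYSTEM_NAMES[name]


def parse_task(cmd: str):
    """Fields of a schtasks /create command line, or None for other schtasks verbs."""
    if "/create" not in cmd.lower():
        return None
    got = {k: (m.group(1) if (m := rx.search(cmd)) else None) for k, rx in TASK_FIELDS.items()}
    return got if got["target"] else None


def correlate(powershell_cmds, schtasks_cmds):
    """Map normalised target path -> Persisted, merging both artefact types."""
    found = {}

    def entry(path):
        key = norm(path)
        if key not in found:
            found[key] = Persisted(path=path, masquerade=is_masquerade(path))
        return found[key]

    for cmd in powershell_cmds:
        if m := EXCLUSION_RE.search(cmd):
            entry(m.group(1)).defender_excluded = True
    for cmd in schtasks_cmds:
        if t := parse_task(cmd):
            entry(t["target"]).tasks.append((t["name"], t["schedule"].upper(), t["modifier"],
                                             (t["runlevel"] or "LIMITED").upper()))  # LIMITED is the schtasks default
    return found


def score(p: Persisted):
    """Higher is worse (assumed weights); the report's full pattern for one binary scores 6."""
    reasons = []
    if p.masquerade:
        reasons.append(("system-process name outside its directory", 2))
    if p.defender_excluded:
        reasons.append(("Defender exclusion added for it", 2))
    if any(rl == "HIGHEST" for *_, rl in p.tasks):
        reasons.append(("scheduled task runs at HIGHEST", 1))
    if len(p.tasks) > 1:
        reasons.append((f"{len(p.tasks)} tasks registered for one binary", 1))
    return sum(w for _, w in reasons), [r for r, _ in reasons]


PS_CMDS = [  # copied from the report
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'",
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'",
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\services.exe'",
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\SendTo\conhost.exe'",
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'",
]
TASK_CMDS = [  # copied from the report, plus one constructed benign control
    r'''schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /f''',
    r'''schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\ModemLogs\services.exe'" /f''',
    r'''schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\ModemLogs\services.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\ModemLogs\services.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "AcmeUpdater" /sc DAILY /st 03:00 /tr "C:\Program Files\Acme\update.exe" /f''',
]

if __name__ == "__main__":
    for key, p in correlate(PS_CMDS, TASK_CMDS).items():
        total, why = score(p)
        print(f"{total}  {p.path}  {'; '.join(why) or 'nothing suspicious'}")
```

The pairing visible in the report, one ONLOGON task at HIGHEST plus two MINUTE-interval tasks per binary, is what the "tasks registered for one binary" reason catches; on a live host the same correlation can be fed from Get-MpPreference's ExclusionPath list and Get-ScheduledTask output instead of command lines.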
Suspicious behavior: EnumeratesProcesses 31 IoCs
DllCommonsvc.exe: 2544 (three rows)
powershell.exe: 2760, 2664, 2712, 2616, 1812, 1780, 2600, 2168, 2656, 2516, 2736, 2536, 2652, 1576, 2796, 2872, 3064
lsm.exe: 1296, 748, 1684, 2300, 2180, 2808, 2408, 2132, 2036, 1508, 1088
Suspicious use of AdjustPrivilegeToken 29 IoCs
Token: SeDebugPrivilege, enabled by:
DllCommonsvc.exe: 2544
powershell.exe: 2760, 2664, 2712, 2616, 1812, 1780, 2600, 2168, 2656, 2516, 2736, 2536, 2652, 1576, 2796, 2872, 3064
lsm.exe: 1296, 748, 1684, 2300, 2180, 2808, 2408, 2132, 2036, 1508, 1088
Suspicious use of WriteProcessMemory 64 IoCs
Each row is one WriteProcessMemory call from pid into the target process; repeated rows are collapsed with a count. Windows reused PIDs during this run (2872 is both the initial sample and a later powershell.exe; 2656, 748, 2408, 1576, 688 and 2300 each appear for two different processes), so correlate on procid_target rather than on the raw pid when reading this and the other tables.
pid  Process  ->  target pid (procid_target)  calls
2872 JaffaCakes118_30cb004eae1bdb1d9613d1586c363bef8d1c4f3fc926812d2de2ec6325707367.exe -> 2704 (30)  x4
2704 WScript.exe -> 3060 (31)  x4
3060 cmd.exe -> 2544 (33)  x4
2544 DllCommonsvc.exe -> 2168 (83)  x3
2544 DllCommonsvc.exe -> 2616 (84)  x3
2544 DllCommonsvc.exe -> 1576 (85)  x3
2544 DllCommonsvc.exe -> 1780 (88)  x3
2544 DllCommonsvc.exe -> 2652 (89)  x3
2544 DllCommonsvc.exe -> 3064 (90)  x3
2544 DllCommonsvc.exe -> 2664 (91)  x3
2544 DllCommonsvc.exe -> 2600 (92)  x3
2544 DllCommonsvc.exe -> 2656 (93)  x3
2544 DllCommonsvc.exe -> 2872 (94)  x3
2544 DllCommonsvc.exe -> 1812 (96)  x3
2544 DllCommonsvc.exe -> 2516 (98)  x3
2544 DllCommonsvc.exe -> 2712 (100)  x3
2544 DllCommonsvc.exe -> 2796 (102)  x3
2544 DllCommonsvc.exe -> 2536 (103)  x3
2544 DllCommonsvc.exe -> 2736 (104)  x3
2544 DllCommonsvc.exe -> 2760 (105)  x3
2544 DllCommonsvc.exe -> 1296 (117)  x1
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_30cb004eae1bdb1d9613d1586c363bef8d1c4f3fc926812d2de2ec6325707367.exe  (depth 1)
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_30cb004eae1bdb1d9613d1586c363bef8d1c4f3fc926812d2de2ec6325707367.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2872
-
C:\Windows\SysWOW64\WScript.exe  (depth 2)
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2704
-
C:\Windows\SysWOW64\cmd.exe  (depth 3)
  cmd /c ""C:\providercommon\1zu9dW.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3060
-
C:\providercommon\DllCommonsvc.exe  (depth 4)
  "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2168
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2616
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\services.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\SendTo\conhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1780
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2652
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\explorer.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3064
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2664
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2600
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2656
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2872
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1812
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2516
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2796
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\fr-FR\wininit.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2536
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\System.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 5)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Idle.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760
-
C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe  (depth 5)
  "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1296
-
C:\Windows\System32\cmd.exe  (depth 6)  PID:2984
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbT3NvUu3s.bat"
-
C:\Windows\system32\w32tm.exe  (depth 7)  PID:2656
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
-
C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe  (depth 7)
  "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:748
-
C:\Windows\System32\cmd.exe  (depth 8)  PID:2976
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5PKlq1uIo.bat"
-
C:\Windows\system32\w32tm.exe  (depth 9)  PID:2568
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
-
C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe  (depth 9)
  "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684
-
C:\Windows\System32\cmd.exe  (depth 10)  PID:2408
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K3fI8Bd254.bat"
-
C:\Windows\system32\w32tm.exe  (depth 11)  PID:884
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
-
C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe  (depth 11)
  "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300
-
C:\Windows\System32\cmd.exe  (depth 12)  PID:2136
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hYa1c8p3ob.bat"
-
C:\Windows\system32\w32tm.exe  (depth 13)  PID:892
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
-
C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe  (depth 13)
  "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2180
-
C:\Windows\System32\cmd.exe  (depth 14)  PID:2724
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat"
-
C:\Windows\system32\w32tm.exe  (depth 15)  PID:748
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
-
C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe  (depth 15)
  "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808
-
C:\Windows\System32\cmd.exe  (depth 16)  PID:596
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iLsGNVHQP6.bat"
-
C:\Windows\system32\w32tm.exe  (depth 17)  PID:2424
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
-
C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe  (depth 17)
  "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2408
-
C:\Windows\System32\cmd.exe  (depth 18)  PID:1420
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat"
-
C:\Windows\system32\w32tm.exe  (depth 19)  PID:2308
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
-
C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe  (depth 19)
  "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2132
-
C:\Windows\System32\cmd.exe  (depth 20)  PID:1576
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat"
-
C:\Windows\system32\w32tm.exe  (depth 21)  PID:1028
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
-
C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe  (depth 21)
  "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2036
-
C:\Windows\System32\cmd.exe  (depth 22)  PID:2140
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YQG5KQjShu.bat"
-
C:\Windows\system32\w32tm.exe  (depth 23)  PID:688
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
-
C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe  (depth 23)
  "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1508
-
C:\Windows\System32\cmd.exe  (depth 24)  PID:492
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oVhzrLBDaJ.bat"
-
C:\Windows\system32\w32tm.exe  (depth 25)  PID:1700
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
-
C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe  (depth 25)
  "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1088
-
C:\Windows\system32\schtasks.exe  (depth 1)
  schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960
-
C:\Windows\system32\schtasks.exe  (depth 1)
  schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964
-
C:\Windows\system32\schtasks.exe  (depth 1)
  schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988
-
C:\Windows\system32\schtasks.exe  (depth 1)
  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\ModemLogs\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756
-
C:\Windows\system32\schtasks.exe  (depth 1)
  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\ModemLogs\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752
-
C:\Windows\system32\schtasks.exe  (depth 1)
  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\ModemLogs\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836
-
C:\Windows\system32\schtasks.exe  (depth 1)
  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\SendTo\conhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944
-
C:\Windows\system32\schtasks.exe  (depth 1)
  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\SendTo\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492
-
C:\Windows\system32\schtasks.exe  (depth 1)
  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\SendTo\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724
-
C:\Windows\system32\schtasks.exe  (depth 1)
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656
-
C:\Windows\system32\schtasks.exe  (depth 1)
  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728
-
C:\Windows\system32\schtasks.exe  (depth 1)
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916
-
C:\Windows\system32\schtasks.exe  (depth 1)
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016
-
C:\Windows\system32\schtasks.exe  (depth 1)
  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772
-
C:\Windows\system32\schtasks.exe  (depth 1)
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532
-
C:\Windows\system32\schtasks.exe  (depth 1)
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416
-
C:\Windows\system32\schtasks.exe  (depth 1)
  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272
-
C:\Windows\system32\schtasks.exe  (depth 1)
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456
-
C:\Windows\system32\schtasks.exe  (depth 1)
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\providercommon\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492
-
C:\Windows\system32\schtasks.exe  (depth 1)
  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944
-
C:\Windows\system32\schtasks.exe  (depth 1)
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908
-
C:\Windows\system32\schtasks.exe  (depth 1)
  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\providercommon\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052
-
C:\Windows\system32\schtasks.exe  (depth 1)
  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736
-
C:\Windows\system32\schtasks.exe  (depth 1)
  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:308
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\fr-FR\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\fr-FR\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Temp\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Temp\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300
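The task-creation commands above follow one template: every dropped binary borrows the name of a core Windows process (conhost, csrss, dwm, lsm, wininit, sppsvc, dllhost, explorer, or the pseudo-processes System and Idle) but lives outside the Windows directory, and each is registered three times, an ONLOGON task with /rl HIGHEST plus two /sc MINUTE tasks (one with and one without /rl HIGHEST) whose task name is the binary name with its first letter appended. All of them are launched by wmiprvse.exe, which the sandbox flags as an unexpected parent. The following Python is an added detection example, not code from the sandbox or from the malware: it parses schtasks /create command lines the way they arrive in process-creation telemetry (Sysmon Event ID 1 or an EDR feed) and reports those indicators per target binary, including the ONLOGON/MINUTE pairing that is only visible once the events for one binary are correlated. The ProcEvent records, the process-name list, TRUSTED_DIRS and the 15-minute threshold are constructed or assumed for the example.

```python
"""Flag DcRat-style scheduled-task persistence from schtasks.exe command lines.

Added example, not the sandbox's or the malware's code. A ProcEvent is the parent
image plus command line of a process-creation event (Sysmon Event ID 1 or EDR
telemetry); SAMPLE_EVENTS are constructed from the command-line pattern above."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass

# Core Windows process names the dropper reuses for its copies (assumed list);
# "idle" and "system" are pseudo-processes that have no on-disk binary at all.
SYSTEM_PROCESS_NAMES = {"conhost", "csrss", "dllhost", "dwm", "explorer", "idle", "lsm",
                        "sppsvc", "system", "wininit", "lsass", "services", "smss",
                        "svchost", "winlogon", "spoolsv"}
NO_REAL_BINARY = {"idle", "system"}
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}
SHORT_INTERVAL_MINUTES = 15  # assumption; tune for the environment

@dataclass
class ProcEvent:
    parent_image: str
    command_line: str

@dataclass
class TaskCreate:
    name: str
    schedule: str
    modifier: int | None
    target: str
    run_level: str | None
    parent_image: str

def _opt(cmd: str, switch: str) -> str | None:
    """Value following /switch, either "quoted" or bare, case-insensitive."""
    m = re.search(r'(?<!\S)/' + re.escape(switch) + r'\s+(?:"([^"]*)"|(\S+))', cmd, re.I)
    return None if m is None else (m.group(1) if m.group(1) is not None else m.group(2))

def parse_task_create(ev: ProcEvent) -> TaskCreate | None:
    """Fields of a `schtasks /create` command line, or None if it is not one."""
    cmd = ev.command_line
    if not re.search(r"schtasks(?:\.exe)?\s.*/create\b", cmd, re.I):
        return None
    name, target = _opt(cmd, "tn"), _opt(cmd, "tr")
    if name is None or target is None:
        return None
    mo = _opt(cmd, "mo")
    return TaskCreate(
        name=name,
        schedule=(_opt(cmd, "sc") or "").upper(),
        modifier=int(mo) if mo and mo.isdigit() else None,
        target=target.strip("'\" "),  # the report wraps the path as "'C:\...'"
        run_level=(_opt(cmd, "rl") or "").upper() or None,
        parent_image=ev.parent_image,
    )

def task_indicators(task: TaskCreate) -> list[str]:
    """Per-task indicators; each alone is weak, the combination is the signal."""
    hits: list[str] = []
    directory, _, base = task.target.lower().replace("/", "\\").rpartition("\\")
    stem = base[:-4] if base.endswith(".exe") else base
    if stem in NO_REAL_BINARY:
        hits.append("pseudo-process name with no legitimate on-disk binary")
    elif stem in SYSTEM_PROCESS_NAMES and directory not in TRUSTED_DIRS:
        hits.append("system-binary name outside the Windows directory")
    if stem and task.name.lower() == stem + stem[0]:
        hits.append("task name is binary name plus its first letter (pattern in this report)")
    if task.run_level == "HIGHEST":
        hits.append("/rl HIGHEST")
    if task.schedule == "MINUTE" and task.modifier is not None and task.modifier <= SHORT_INTERVAL_MINUTES:
        hits.append(f"re-launch every {task.modifier} min")
    if task.parent_image.lower().rpartition("\\")[2] == "wmiprvse.exe":
        hits.append("spawned by wmiprvse.exe")
    return hits

def analyze(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Indicators per target path; the ONLOGON + MINUTE pairing needs all tasks correlated."""
    per_target: dict[str, set[str]] = defaultdict(set)
    schedules: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        task = parse_task_create(ev)
        if task is None:
            continue
        per_target[task.target].update(task_indicators(task))
        schedules[task.target].add(task.schedule)
    for target, seen in schedules.items():
        if {"ONLOGON", "MINUTE"} <= seen:
            per_target[target].add("ONLOGON task paired with MINUTE-interval task for same binary")
    return {t: sorted(i) for t, i in per_target.items() if i}

WMI = r"C:\Windows\system32\wbem\wmiprvse.exe"
SAMPLE_EVENTS = [  # constructed, following the command-line pattern in the report
    ProcEvent(WMI, r'''schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\SendTo\conhost.exe'" /rl HIGHEST /f'''),
    ProcEvent(WMI, r'''schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\SendTo\conhost.exe'" /rl HIGHEST /f'''),
    ProcEvent(WMI, r'''schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\providercommon\Idle.exe'" /f'''),
    ProcEvent(r"C:\Windows\explorer.exe",  # benign contrast: ordinary name, daily, vendor path
              r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Acme\backup.exe" /f'''),
]
```

Running analyze(SAMPLE_EVENTS) returns indicators for the conhost.exe and Idle.exe targets only; the nightly backup task parses but produces no hits. Two points worth keeping in mind when turning this into a production rule: the ONLOGON/MINUTE pairing only fires when the three commands for one binary are correlated, so the rule must run over a window of events rather than one event at a time, and because the report shows the /sc MINUTE task both with and without /rl HIGHEST, the run level on its own is not the discriminator; the borrowed process name in a non-Windows directory is.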
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
3bf27b693bc495f87aa502db0f114f9a
SHA1
a84261d70440fc25bc78bf014d47da287cfa836d
SHA256
36d464d57baba45a5dde583294eb208da52e6574867a993b03ca7d322875f556
SHA512
99d4e07ff4267b9f920ad86c3785e24a1060f91ebb43e2c6d47b7475adcd3d3dc8fd17ec2e7019b5c15ee04ff5e5ff563d644951871f062dcd5dae3b4f0a3b3a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
c6bcbdd038fab7b19ccb0e133544acb8
SHA1
0503f3bc6b682746900fc2c757ecdb42c74adfff
SHA256
7ebc19843d1da6396c52cf12ae9c8293360e656d49a4f59dab40cb16f07d62f1
SHA512
2645ceb36aa66a294342fc77fa0e879d32ea155a3b362a0a18eb66c3655673ac22e5b041a41a73a2cf6f8f04984a2129f9bd4b661d4444f671b08c322c2c7955
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
bc7184fa5b3ba80879c8e36d80ef360e
SHA1
49477cfc8e8e5fedaa522b70167a02812cc33b92
SHA256
4f69506514b32a4c4ddea5b04786f205feb0cb6f342730ac891ca4317dd63a3d
SHA512
21d42b6f5e857ca06f643f4374c08b09ab66b555158a94e9df387756bfb5ec1a76b31483202166dc73fe5d685ea898b76b3d1cfe4309a2b608a7dbb97d3adb2a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
6c28b8eede55f1161b55b3d5eb1192ce
SHA1
3e74c15b4d09b81e15b79467b86f63c419be4782
SHA256
8776923479fb54874baa93bdf918568fe2ee52264e577862e5ac05a5b8e93082
SHA512
9cf258f521dd5c93f7f2c2df98e674e32f41a078b483809265f99f926abd3bdd170a88e5203639d0dfe86855a3ccb31ff55248791e8aad5adc70a5d56ffe6bfa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
7c36ddcd5d60e48ea0193ce6a4ffd538
SHA1
2851905709ad053ba6c29a2d4326d3061faa4674
SHA256
75db8285034c40abb0486d1a4b3ef6ca0233481babf0ddd227864edf9db3bec5
SHA512
5867efdd2d5103bed2a045f48e68c6c688932c451fd21edeecde891034f6208e8ce2663dad1cf96fa5b064d2535390b52dff29daf18e8ea2ce0b6ab036f8fcaa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
4bfc5a19d970a5362be1e0219139f61c
SHA1
4cfd397b1a80833bf9ca834e40bdd29b4ad8e6b2
SHA256
82a34f23236d354a183a049af472cfaba4209629e728124f9d295a74520f5c11
SHA512
c125a30cadf475dcbdb0e570b11c0543fb79a70689ad89ce69b0106e56617f8d378ff77213f91d07865244845128bc400abbabcea18babce82a0cb8a838e05be
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
817593b22111014c5f6bdb7dce14af73
SHA1
ddda4265a6f38a1b0a58a82dc39ddbf6ba259ac8
SHA256
cbf878b92eb1460aa3ff53037692ade947516255b219ff79c576d468bca9fac7
SHA512
5b83f87046db1da16da580048c22817fff48171b1a8bac0624ed17ffeb76dc3f8c5c36e2f4de516339be64bab827b0395dcc76e6a4a54ec1220697b860b8d91d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
962ae112a3206407973f8d076ffdb7c6
SHA1
db930cebf553dda3c9d18021b80ca406717ff75a
SHA256
3c9f8108ca82196ef6659ed9349d0da60b1fe370d8b057a30daa4249539b5e6b
SHA512
191d238a874343ff2f1499f0dbe4b87ae44e49a3bcdaba8ee63e4e382875a4e25bf08766e35eb1d838395a4b4695664eb3e0bcdbd3d23741650088bbb265ca92
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
1d14ae8a97d0a0114e108fc43c33233f
SHA1
cc1450ccd6261cbaf4ea065b733cd3ec879b7119
SHA256
465ca07c627afba2211a236daa6d2724847d3079d505bccb3e6f3384c901370b
SHA512
e2bdc858b3719c7bbaee0aa88aebbe69eeae689a1c88109285654c7023b510568c273a71a1e07487166f2c31c7a8aa673d3e04be1a147ca5e93d9ccb1e3685be
-
Filesize
221B
MD5
4ca25500c09d76b3e3e1a1574551035f
SHA1
d513a24d23acd2d60d3d5c95cd7f20c479e311f3
SHA256
51c81e1eed2003390c20d4d9d275e3f1c5c2b1fa0679688bde60082ffadcf984
SHA512
42ee4093816417b559d2de2bbc3dae04ccda403996d0bfebbb17cde515a32854fadab8bfa2a47a39f370dcb0a7019a02773848a654547f97d933b2a8d1309d36
-
Filesize
70KB
MD5
49aebf8cbd62d92ac215b2923fb1b9f5
SHA1
1723be06719828dda65ad804298d0431f6aff976
SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
221B
MD5
63d5ba87e857be5cb1f4aabf484caa66
SHA1
862da81b67e7c049cb3fb9152c7fddb4facfda3a
SHA256
8520dd41e7f4a6bcbe41bb2c8fd7813a0563ba9ffb915e187129b5e4bf27c80a
SHA512
872e72e01604c154d759dcd7e4109f325a3c2598c99fe6dd9cda5f334f8cef7a87628334905cf4575df9b6d1c95e2e1193531856903f6328ed437acdf0b8c4f9
-
Filesize
221B
MD5
2f6368914735ac4e468d31640ffca103
SHA1
3770efd6153ed8a4b4e672f80594268d537785d2
SHA256
a40094ff669244a90495e12d358e7b8822195044f9b9b3a2f4bed9753d7fee39
SHA512
25fb3c9daef5c22f8e596468b3bbe0284b4f01f205a45134a8d6ac48a89f8324b3ac5e7422994b6c71eb679f595f4de5b4ba07ab19aaff6df1696606399462f0
-
Filesize
181KB
MD5
4ea6026cf93ec6338144661bf1202cd1
SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
221B
MD5
f918a0085a54baed2263a79a5e44e469
SHA1
e0612edb944d5ea8b2a0b2b7406dadf5028bdb17
SHA256
9113cc92e831dd71a6622d5002146b9e5a4e89007ec3924ef5c48eff4626c98e
SHA512
c55d76dd44c9ba2c3b62372c4800cee77477f6a6ff08132723f9f7bf83b418bef66e0051c527d7a60e5ba39ed457c037bb8e56f038dc6b8cd83a44b0f18dfa58
-
Filesize
221B
MD5
e7fe49cb58e9e6e34b2a09ef76257e4a
SHA1
d766c811547ce4750fb30541efc0b9eff42c8e53
SHA256
dc76da6caf28a2d0934e45c873f3aaca32f099308b3214258ccb548c0487cad4
SHA512
3a48aaa4b0d66564a196a8617e5eff7056dbb3f73d292d1caaecce75b2a74318a37476d4ece9ea852a2a419460ec1594edb4db67f724ef1ba890c7ddcbeae180
-
Filesize
221B
MD5
aa7b4dc54561fe897fba4b4b171e1c16
SHA1
51aac1ea8aa13d597258ec88ccfb381a1ac98eca
SHA256
e4d4a0a7c6ae70170a4785b605577e207105d82b59c716193f94a6c7434bb4ca
SHA512
bb17d7664d4a4703d93894e29c0f3ea93d552d3807961af34f5699820618a49e8cf17fa29f225b7781dc92ae1dcc6ade840fc831a0c4f34d00b0fd987f4f5a8d
-
Filesize
221B
MD5
dc8ab9a1338358154f1726061386f06c
SHA1
4633af7ffb6fb74f1f595fb5745b0a7b06c95887
SHA256
80eac3aa295241287bbe43830558041a634412008da67f2d7f6cc71b2858da5c
SHA512
68bb6c11b1642a6375b9f285fa79221b4065ef8d4052b8d45e837c0ee822d8681f59cb61ce3bb6bdaf35296715f7c7e42fdb24f69df82adcc0cea4de589f17ce
-
Filesize
221B
MD5
08d2fb6362e1342e39e0026e41f9a3b5
SHA1
a426e88a3b3077ee18242b9ab511784cec5ef838
SHA256
dce7c8ae1e3caf432b221b2f3dade39cb312894e031eac9d516ec042fff6d36e
SHA512
ab09761b3a3079ba7bcc27d07bd0933b3bc9823f9a1a54cf1af5abc08752b0183ed799171ce1c7ba6bf78ff760c28d70ab0f07f6b6d946759b59167b22f68230
-
Filesize
221B
MD5
1ad7ebd2c20b45643fe6c7543f2a46d7
SHA1
a150cf2ee12316cb484619405846390115b46cc1
SHA256
f75d2e870b36da612854b99f3b13fc4c942ccccb12c2ec959d2463d9fd750025
SHA512
8d91c3acc0f157d94f3e9529c01030cdba90233471fa7366150fed76477909224fba6bc39286f37474dd847ed841718d807cd4798324c7509b1fe985a34057f0
-
Filesize
221B
MD5
39eeba7789fd25a63eb267c459351514
SHA1
d543308b797f213239250fe52e8fe18c31fa9783
SHA256
1f1f8dc70f1d35bb2a391d37ea9a3fd62d189b82ed53f448e6c008b18df04a32
SHA512
a776c6c549838d34f3c04779fac322b3e6ed57e98319c10924d05d32eed6a72d0ac1b565b8f5fc0f7b060bfeea5ccb721e8208a544f686adfb1c57769dfc9347
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7XZNCWO1JT30FY3GKVDL.temp
Filesize
7KB
MD5
fcc14d48e0ccd1e206ab22f7c95b9a38
SHA1
013fd5bfcf8870c9ba2b9a71ec809602ccb51f4b
SHA256
1285d385dc44c229195b761b428c239fef3de8c0a38c2b8dd261bef224b16474
SHA512
5e770a15aa31338c49f5e3616b7f17e65315c1d0979d3b491dc62809be3d8e6cd33852b2ea8f889e55d3799cb7870450f75ac4b1be3c8c8cb0b15685cc210b66
-
Filesize
36B
MD5
6783c3ee07c7d151ceac57f1f9c8bed7
SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD5
8088241160261560a02c84025d107592
SHA1
083121f7027557570994c9fc211df61730455bb5
SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5
bd31e94b4143c4ce49c17d3af46bcad0
SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394