Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 02:03
Behavioral task: behavioral1
Sample: JaffaCakes118_d6413f240a362cd8532e5e05c6b8ba9d59fcce6e4afb1bd11fd1a99fc6ff856f.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: JaffaCakes118_d6413f240a362cd8532e5e05c6b8ba9d59fcce6e4afb1bd11fd1a99fc6ff856f.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_d6413f240a362cd8532e5e05c6b8ba9d59fcce6e4afb1bd11fd1a99fc6ff856f.exe
Size: 1.3MB
MD5: dfdd5c906ab4a594abcd0269827ac4cd
SHA1: 64076d1cf1292f77ce801ec48c45b3bd2d6d74c6
SHA256: d6413f240a362cd8532e5e05c6b8ba9d59fcce6e4afb1bd11fd1a99fc6ff856f
SHA512: d19c2566fd6a7954ecd5221d778248ad8de61d454475b03ad8373cd7177223c955ab943d280074f103d283facbeb387f0af88c63ac33014545ba0fda9216b3a9
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process (51 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Command and Scripting Interpreter: PowerShell (1 TTPs, 18 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Executes dropped EXE (12 IoCs)
Loads dropped DLL (2 IoCs)
pid / Process
- 2212 cmd.exe
- 2212 cmd.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 11 IoCs)
flow / ioc
- 4 raw.githubusercontent.com
- 5 raw.githubusercontent.com
- 16 raw.githubusercontent.com
- 23 raw.githubusercontent.com
- 26 raw.githubusercontent.com
- 30 raw.githubusercontent.com
- 33 raw.githubusercontent.com
- 9 raw.githubusercontent.com
- 12 raw.githubusercontent.com
- 19 raw.githubusercontent.com
- 37 raw.githubusercontent.com
Drops file in Program Files directory (10 IoCs)
description / ioc / Process
- File created: C:\Program Files\Windows Journal\de-DE\winlogon.exe (DllCommonsvc.exe)
- File created: C:\Program Files (x86)\Windows Portable Devices\wininit.exe (DllCommonsvc.exe)
- File created: C:\Program Files (x86)\Microsoft Office\56085415360792 (DllCommonsvc.exe)
- File created: C:\Program Files\Microsoft Games\Purble Place\es-ES\c5b4cb5e9653cc (DllCommonsvc.exe)
- File created: C:\Program Files\Windows Portable Devices\Idle.exe (DllCommonsvc.exe)
- File created: C:\Program Files\Windows Portable Devices\6ccacd8608530f (DllCommonsvc.exe)
- File created: C:\Program Files (x86)\Microsoft Office\wininit.exe (DllCommonsvc.exe)
- File created: C:\Program Files\Microsoft Games\Purble Place\es-ES\services.exe (DllCommonsvc.exe)
- File created: C:\Program Files\Windows Journal\de-DE\cc11b995f2a76d (DllCommonsvc.exe)
- File created: C:\Program Files (x86)\Windows Portable Devices\56085415360792 (DllCommonsvc.exe)
Drops file in Windows directory (4 IoCs)
description / ioc / Process
- File created: C:\Windows\ehome\ja-JP\0a1fd5f707cd16 (DllCommonsvc.exe)
- File created: C:\Windows\AppPatch\en-US\winlogon.exe (DllCommonsvc.exe)
- File created: C:\Windows\AppPatch\en-US\cc11b995f2a76d (DllCommonsvc.exe)
- File created: C:\Windows\ehome\ja-JP\sppsvc.exe (DllCommonsvc.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (JaffaCakes118_d6413f240a362cd8532e5e05c6b8ba9d59fcce6e4afb1bd11fd1a99fc6ff856f.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (WScript.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
Scheduled Task/Job: Scheduled Task (1 TTPs, 51 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (30 IoCs)
Suspicious use of AdjustPrivilegeToken (30 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (each entry is numbered by its depth in the process tree)

Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d6413f240a362cd8532e5e05c6b8ba9d59fcce6e4afb1bd11fd1a99fc6ff856f.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d6413f240a362cd8532e5e05c6b8ba9d59fcce6e4afb1bd11fd1a99fc6ff856f.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2592

Level 2: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2448

Level 3: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2212

Level 4: C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2084
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2436

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\spoolsv.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1960

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1988

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\en-US\winlogon.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2592

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2044

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2120

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Purble Place\es-ES\services.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2576

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\ja-JP\sppsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2716

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\System.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2448

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2380

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\Idle.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2740

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2780

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Favorites\conhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2384

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\de-DE\winlogon.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2484

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1980

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1412

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\wininit.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3008

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2964
Level 5: C:\Program Files (x86)\Windows Portable Devices\wininit.exe
Command line: "C:\Program Files (x86)\Windows Portable Devices\wininit.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1664

Level 6: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat"
PID: 1744

Level 7: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2692

Level 7: C:\Program Files (x86)\Windows Portable Devices\wininit.exe
Command line: "C:\Program Files (x86)\Windows Portable Devices\wininit.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1800

Level 8: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat"
PID: 2732

Level 9: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2632

Level 9: C:\Program Files (x86)\Windows Portable Devices\wininit.exe
Command line: "C:\Program Files (x86)\Windows Portable Devices\wininit.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2328

Level 10: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UWW2tbEWSD.bat"
PID: 2484

Level 11: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2092

Level 11: C:\Program Files (x86)\Windows Portable Devices\wininit.exe
Command line: "C:\Program Files (x86)\Windows Portable Devices\wininit.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1728

Level 12: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b6uRiEqY03.bat"
PID: 2944

Level 13: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 856

Level 13: C:\Program Files (x86)\Windows Portable Devices\wininit.exe
Command line: "C:\Program Files (x86)\Windows Portable Devices\wininit.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2404

Level 14: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kXH0MsH7jV.bat"
PID: 2204

Level 15: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1156

Level 15: C:\Program Files (x86)\Windows Portable Devices\wininit.exe
Command line: "C:\Program Files (x86)\Windows Portable Devices\wininit.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1004

Level 16: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat"
PID: 1968

Level 17: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 292

Level 17: C:\Program Files (x86)\Windows Portable Devices\wininit.exe
Command line: "C:\Program Files (x86)\Windows Portable Devices\wininit.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1528

Level 18: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nlAvT1Qihc.bat"
PID: 2272

Level 19: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2436

Level 19: C:\Program Files (x86)\Windows Portable Devices\wininit.exe
Command line: "C:\Program Files (x86)\Windows Portable Devices\wininit.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1744

Level 20: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eR3ydISl4k.bat"
PID: 2196

Level 21: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2856

Level 21: C:\Program Files (x86)\Windows Portable Devices\wininit.exe
Command line: "C:\Program Files (x86)\Windows Portable Devices\wininit.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1408

Level 22: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat"
PID: 2964

Level 23: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2812

Level 23: C:\Program Files (x86)\Windows Portable Devices\wininit.exe
Command line: "C:\Program Files (x86)\Windows Portable Devices\wininit.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1576

Level 24: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat"
PID: 688

Level 25: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2076

Level 25: C:\Program Files (x86)\Windows Portable Devices\wininit.exe
Command line: "C:\Program Files (x86)\Windows Portable Devices\wininit.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2312
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Desktop\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Desktop\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Desktop\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\AppPatch\en-US\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\AppPatch\en-US\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\AppPatch\en-US\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\providercommon\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Games\Purble Place\es-ES\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Purble Place\es-ES\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\Purble Place\es-ES\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\ehome\ja-JP\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ehome\ja-JP\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\ehome\ja-JP\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Documents\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Documents\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Documents\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Favorites\conhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Favorites\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Favorites\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\de-DE\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\de-DE\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Journal\de-DE\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\providercommon\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 01121dfdc9ed2d0a9a60581b949ec8c8
SHA1 25c57f779b70dbda26e32c0f9f6ed497193ede0a
SHA256 42dc055dab14c5f33d9590a11b72f6f09f707cbd46c9c029ab44be82553fcfaf
SHA512 6ba61a43a9dab8c3473f9647585c1699fb542084b100ab26b7d459c2d191a513c20253fee59a0c6ee2f6802268790e1e3dfc0867121beb3e3ca507e0a6b20c19
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 ee467dcc38357b63ed3c0e5270cfa76c
SHA1 0a6a42c4d3535bcec1b2f37f042d689e62bff821
SHA256 edafcf017a3da2fe28acb19b577e71117809b353d87fa583418f671da2f1211f
SHA512 d846708097aba747d894644295f42fb8a6d058e6cf4210f7fcc69a87b88c7ee327c86df78fe135f551e2575f287e3cf998b82cb99b4d9a9fbc9ec371e353ba56
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 1b33d83240e6359901d27c1ef6662f10
SHA1 4499dcd9b38da6fdd0ed46e5ad97c095cfa51863
SHA256 a8cbfe0747ca8292400278c7924e7853a12853beae3f2389725517d658fd6263
SHA512 78deccf11fa173107587606334826ab9240469df939a56a6c014874552e01d2e18453377d1edf23c78057219943b3ba308fdffa7ccd317f4cf1e71357ff1f55d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 3862f900c7ea9eb3426ef042f29d436a
SHA1 8aed7645cf68edef2c97a14976566cc78c8fe455
SHA256 839b3d6b4d47da0df3d488f6ee20a4ae080e00dbea80b4a09958d04673df484c
SHA512 423b1d6cdf496390183cda0eb9c0990cd92a592dc1deb61b175c727537527440b16ee6b07d6b6bae6fd8aa09ce77d50c40be43dc6048c5ce00df40669f1cbd03
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 3dee6084373f4d84c18670123178962f
SHA1 af1b7409d2a26cbba4e1b5ce3d7806d50e2e90f7
SHA256 fd6b5693a86048ff516f9710c194e869ea32980093111b19fea76a470f4bf406
SHA512 3ad11ce9761a96ee0eba2f6c724532064237fa2300fd8c3eeff8bf909b0a3b1319f466813bbd3dfe5a47153abbfa05887abce5d199fe59addea08ea248c14d25
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 bd49529fef6eaa903b267a5ab0e72509
SHA1 8728cff847805f4523206f28a32176ed7aa2bcc5
SHA256 fd4515a8157b0b355336b2544c9a9b9437aff5c8d1e8534696824d1821911021
SHA512 f0afd50aa83cf714fca44572a04e657920f1139659c8cc2bacbb6500aeef916635b2e2fc87a41d74c36fa36e485860754521f7d016cdd3c40c7f7de4b19da3b7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 64a7946c28362777335b27e3f956106d
SHA1 dfb39f066928fe8488d26d9e64b7849c881f0543
SHA256 b536686ef9bbfc2a41191142f9d7278ae6b47796ff412795ed6f0557f0ebba5b
SHA512 04b30127df9b689c363e3b2e80893fedd538d6d2157af19d2c37931f3c7009fdfc496f78a65c4aba6a3b8c558cdec49258105ed56c316eec6b067bd010777258
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 a66357a144b23e75fd5b1300884d8773
SHA1 abd2fb9cc77a1f3d13fc37002ec9e10eab2ff39d
SHA256 93cc64f0e4338c7f7e26c325f9863a5950e46de2ebce2258532fe656b6e1a84c
SHA512 a613466c357019e3fe7bc97358752af4337c0507060009a9087d566d3ae714ffa2e95de270ae5bff60d34a2a97f45e6072baac8026642eb1d3bef728eeef8f56
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 f0f123d68fff0d0f3dd4e0a2cfa639a1
SHA1 a5caa1c7806e872f52c4af29a21b80965ad6f683
SHA256 695b7a2867e7b823efe98c062e8716ffdbac7f5acd6121ebb02979645deb0bcd
SHA512 4be03e3bbd8708d8ae7fd587270e3fe005f52ef360ebc22e384ada345a53fffe7a22698c7f28605d24c3fb7649ac29f1cf5383adc74e4a5d4688626ca42f49f5
-
Filesize 224B
MD5 9469ab82ab79c80816dc34574c04e7d3
SHA1 de2107dd0eec5843dd62301255deacebcd2188d9
SHA256 453f70d02c2659c6f93b07a6593c6b52783a3a30550602147e621fd97c1b5ec2
SHA512 920c754878b7c3196811e0b15f8206cb90dd6a5bfdd1fba48cf724ec3599f7975ffe16e8b15b1141f4d069c8d3e5c7cac962807412da8f1fe9fa970586295d0f
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 224B
MD5 7c9bc9a2acd905d42ddf90a11f5928ce
SHA1 534027db22abcd11a0aa322b43dc8454f049f42b
SHA256 146960e9092df2a3fad155d45fa9a9149bdeca2daa22f341845f3386460bbb00
SHA512 fe6def66ecc47e6343fb1b3decd25a1210ce3674a1368cb0894d61dafcde3411bf45d564fca05b3aebc602172dee112b8c025c94bc858da549b47809f35281bd
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 224B
MD5 34cd834d235fe368d869d1c541c982fb
SHA1 fca704fbc4260b8318995ecd33e1f1ed42d691bf
SHA256 1b2389cdfaeb045febcea4b2380fef1a4651fcfe7bf1054e9810b1e1dce815a0
SHA512 a2b0033cb51304e3d9d748d151ff8f12342c343db58b7e845a683a7efc8422689bbe00913e133ccb809d235d753eaaa63d106d69143f5aae4709e290a37c1342
-
Filesize 224B
MD5 86a7eef6cb6be2a5b40bf17c4a89e190
SHA1 65e81cd03a73c9697568c9891dd5d2108f23cd32
SHA256 b795afe56cded3660c640424f6c9398a3bdc126a1d32d667b61d24e4a0a6a27d
SHA512 4d546287b37e6d3cc574884cd251dd20605e490dcd37815e65707055fdbd67f8ea4d26373536e7b1616d6fba471c9317689f860c89eb2e6cfbab97ea8c0134a0
-
Filesize 224B
MD5 3b99e86bff36ea7ed401bf5062f9e0c4
SHA1 94555219a8940cef697bcb74388c3468388a1bf9
SHA256 678c00e7abf35123fd006eb6892c40f802910a9dcdfb4edfdf69d4eb48026df9
SHA512 9d5b4fdf71b6eae0561d5ea3dba85c4ef846fe63b98fb3ff7e3bb11676329f93a2a6f2351e654b33fd74b57bae2d85af3b0b9c87d81291c8cff412cfd6abd53a
-
Filesize 224B
MD5 e92ef90a4f0e22ccc1f03faf62fb971f
SHA1 0b2e483095e43cbfc4df2ee78f5219f906d66518
SHA256 61e55edeaa1db42539866ac1ba696bbf081e94bbefb34781d762151bc0225767
SHA512 a2008278a322807d3f5fa83b985b050980ed42bac61979ef3bdc8513224bf7e30cf9ecb60d9aa6e729a984901c6a04ba7b00ddb41b15dd6a6e00e11e47a7b6c9
-
Filesize 224B
MD5 cf3de6202a2f240b7fbe7826d7cccc0c
SHA1 fa27f1b73a8534eedefd61b36205fa49d4952665
SHA256 a0a52041e08179895230698621fcdcefa859bc819e51567ce354ca833351c298
SHA512 8566dedad52012f7da3a9db9d950497321f935593d48ab196a37e1d4cb0ef002564a61016a226e6a82337b04cdfb790c03b111d5e727922a73ac49aebff5b1b1
-
Filesize 224B
MD5 8edfc344c58685e6b722f1d2772d5b97
SHA1 374621bd4f85b31956862ca5924264797122e107
SHA256 323b15023973cb778ea85caad8664a7a0e4b04bd7ba147a318b42ec8827ac385
SHA512 db501fe483893482063d9d44873eb6f7afe530871e9fdb716277459b2379ac0b2d7868fbf99bef2a2a8c3f5f032d9f5a39b498d3659267ad6b05c6c048a2cbd1
-
Filesize 224B
MD5 073ff69688b2d8f8745bb0f609a9f01d
SHA1 50c4f9475f02045567532f2c56ea134bb5252492
SHA256 5d5c4a8265a5ee96c4373d1742b3dac31f85cc66082331cc2306b24f569f566e
SHA512 2503fc92a5d6bc19b08c281df5e919e4c801252a3094a03c5dae43ebe7f3bcd92a2b3b1e6acc672d7b23ed7ef1b2c1e624e7d5dd376ed4773c4a3b3e5ac0aa68
-
Filesize 224B
MD5 91d7986f3506754f6c12f4c4f0e65566
SHA1 2bf3ad7e5feeb28bae8957b64aae071459903b6a
SHA256 15771d900a609c79b7c9d859013b6b99e780e10219775cc85f75eb63351c719a
SHA512 9db2c29d9a23ffd012275ae3cda15b65698f2c37291c9b87f8342dfade3ab8d4668b090146b795aad06d9e86ee1a533a047ddbafaf206eb262917dbfd5d32a03
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 d6444e46a43659ddcba6c30696b8ab96
SHA1 644d15977e76fab3753346d8bbee6427873924fd
SHA256 da311dedd965f4473a6e9209e4f7fd729e9c3f026dd53c7d771a13801dc4ce10
SHA512 17955d62090ee5ace82159c78f3e93e4f481878cc0b98e68e6e2d40a5daa1811353b3a8a797049fa568097c6c0b37ba319c6538a7d1ebaff23b3724ce2233429
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394