Analysis
- max time kernel: 146s
- max time network: 141s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2024, 02:21
Behavioral tasks
- behavioral1: sample JaffaCakes118_7c1c6e0abfdbf0fd7abf694a77b34c85be16b5b40f6a65565a52495e5caf509f.exe, resource win7-20240903-en
- behavioral2: sample JaffaCakes118_7c1c6e0abfdbf0fd7abf694a77b34c85be16b5b40f6a65565a52495e5caf509f.exe, resource win10v2004-20241007-en
General
- Target: JaffaCakes118_7c1c6e0abfdbf0fd7abf694a77b34c85be16b5b40f6a65565a52495e5caf509f.exe
- Size: 1.3MB
- MD5: 2c4c3cdc40410affea03f25de402097f
- SHA1: a505e1cc748e0982a2fefc449f7b7efe5c6aa21e
- SHA256: 7c1c6e0abfdbf0fd7abf694a77b34c85be16b5b40f6a65565a52495e5caf509f
- SHA512: dbefb6079721c043aa3c26414ee8769fb1544a66e8961b40230c334891d7fa9e1eacad97e8ce0e2cfe28a88b80f6c5a1e97c576aceb513e2706f357ca490856d
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  YARA rule hits (resource, yara_rule):
  - behavioral1/files/0x0008000000016d13-9.dat, dcrat
  - behavioral1/memory/2596-13-0x0000000001290000-0x00000000013A0000-memory.dmp, dcrat
  - behavioral1/memory/2676-143-0x0000000001370000-0x0000000001480000-memory.dmp, dcrat
  - behavioral1/memory/1380-380-0x00000000013C0000-0x00000000014D0000-memory.dmp, dcrat
  - behavioral1/memory/2864-558-0x00000000000C0000-0x00000000001D0000-memory.dmp, dcrat
  - behavioral1/memory/984-618-0x0000000000E30000-0x0000000000F40000-memory.dmp, dcrat
  - behavioral1/memory/2368-738-0x0000000000020000-0x0000000000130000-memory.dmp, dcrat

- Dcrat family

- Process spawned unexpected child process (48 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  All 48 entries share the description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", pid_target 2720, Process schtasks.exe and procid_target 32; the pid values are:
  2576, 2512, 1980, 2484, 2552, 2940, 2244, 1700, 572, 2664, 2836, 2844, 1808, 1424, 1684, 2132, 2004, 1984, 1208, 2476, 1976, 2080, 1936, 1952, 1768, 536, 2360, 2088, 2892, 1076, 936, 1124, 864, 1664, 2340, 1188, 2208, 1092, 1632, 1380, 3044, 1964, 632, 2176, 3004, 2184, 2140, 2988
- Command and Scripting Interpreter: PowerShell (1 TTP, 17 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  Process powershell.exe; pid values: 1048, 2296, 2420, 2924, 1308, 1292, 2912, 2928, 1588, 2124, 2416, 2308, 1676, 1692, 1548, 1748, 2856
- Executes dropped EXE (12 IoCs)
  pid / Process:
  - DllCommonsvc.exe: 2596
  - winlogon.exe: 2676, 2592, 1128, 2104, 1380, 1920, 2364, 2864, 984, 2964, 2368
- Loads dropped DLL (2 IoCs)
  pid / Process: 2212 cmd.exe (2 entries)
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 11 IoCs)
  ioc raw.githubusercontent.com in every entry; flow ids: 12, 22, 25, 29, 35, 4, 5, 9, 15, 19, 32
- Drops file in Program Files directory (17 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Program Files (x86)\Microsoft Analysis Services\c5b4cb5e9653cc | DllCommonsvc.exe |
| File created | C:\Program Files\Windows Sidebar\fr-FR\b75386f1303e64 | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\088424020bedd6 | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Windows Mail\it-IT\Idle.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Windows Mail\it-IT\6ccacd8608530f | DllCommonsvc.exe |
| File created | C:\Program Files\VideoLAN\VLC\skins\fonts\System.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Microsoft Analysis Services\services.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Windows Sidebar\fr-FR\a76d7bf15d8370 | DllCommonsvc.exe |
| File created | C:\Program Files\Java\jre7\lib\ext\wininit.exe | DllCommonsvc.exe |
| File created | C:\Program Files\Java\jre7\lib\ext\56085415360792 | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Windows Sidebar\fr-FR\DllCommonsvc.exe | DllCommonsvc.exe |
| File created | C:\Program Files\VideoLAN\VLC\skins\fonts\27d1bcfc3c54e0 | DllCommonsvc.exe |
| File created | C:\Program Files\Windows Sidebar\fr-FR\taskhost.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\conhost.exe | DllCommonsvc.exe |
| File opened for modification | C:\Program Files (x86)\Windows Mail\it-IT\Idle.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Windows Portable Devices\0a1fd5f707cd16 | DllCommonsvc.exe |
- Drops file in Windows directory (2 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\winlogon.exe | DllCommonsvc.exe |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\cc11b995f2a76d | DllCommonsvc.exe |
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_7c1c6e0abfdbf0fd7abf694a77b34c85be16b5b40f6a65565a52495e5caf509f.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
- Scheduled Task/Job: Scheduled Task (1 TTP, 48 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Process schtasks.exe; pid values: 1768, 1076, 936, 864, 632, 3004, 2552, 2244, 2140, 1952, 2208, 1380, 2836, 1208, 1124, 1188, 1632, 3044, 2184, 2988, 1424, 2080, 2844, 1684, 2576, 1980, 1700, 1976, 2088, 1664, 1964, 2512, 2484, 1984, 536, 2360, 2940, 572, 1936, 2340, 1092, 2664, 1808, 2476, 2892, 2176, 2132, 2004
- Suspicious behavior: EnumeratesProcesses (35 IoCs)
  pid / Process:
  - DllCommonsvc.exe: 2596 (7 entries)
  - powershell.exe: 2296, 2928, 1048, 2856, 1676, 2416, 1548, 2308, 1292, 1748, 1588, 2924, 1308, 2420, 2124, 1692, 2912
  - winlogon.exe: 2676, 2592, 1128, 2104, 1380, 1920, 2364, 2864, 984, 2964, 2368
- Suspicious use of AdjustPrivilegeToken (29 IoCs)
  Token: SeDebugPrivilege in every entry; pid / Process:
  - DllCommonsvc.exe: 2596
  - powershell.exe: 2296, 2928, 1048, 2856, 1676, 2416, 1548, 2308, 1292, 1748, 1588, 2924, 1308, 2420, 2124, 1692, 2912
  - winlogon.exe: 2676, 2592, 1128, 2104, 1380, 1920, 2364, 2864, 984, 2964, 2368
- Suspicious use of WriteProcessMemory (64 IoCs)
  Identical entries are collapsed; the repeats column gives how many times each row appears.

| description | pid | Process | procid_target | repeats |
|---|---|---|---|---|
| PID 1868 wrote to memory of 2260 | 1868 | JaffaCakes118_7c1c6e0abfdbf0fd7abf694a77b34c85be16b5b40f6a65565a52495e5caf509f.exe | 28 | 4 |
| PID 2260 wrote to memory of 2212 | 2260 | WScript.exe | 29 | 4 |
| PID 2212 wrote to memory of 2596 | 2212 | cmd.exe | 31 | 4 |
| PID 2596 wrote to memory of 2856 | 2596 | DllCommonsvc.exe | 81 | 3 |
| PID 2596 wrote to memory of 2308 | 2596 | DllCommonsvc.exe | 82 | 3 |
| PID 2596 wrote to memory of 1748 | 2596 | DllCommonsvc.exe | 83 | 3 |
| PID 2596 wrote to memory of 1308 | 2596 | DllCommonsvc.exe | 85 | 3 |
| PID 2596 wrote to memory of 2124 | 2596 | DllCommonsvc.exe | 87 | 3 |
| PID 2596 wrote to memory of 2924 | 2596 | DllCommonsvc.exe | 88 | 3 |
| PID 2596 wrote to memory of 2912 | 2596 | DllCommonsvc.exe | 89 | 3 |
| PID 2596 wrote to memory of 2928 | 2596 | DllCommonsvc.exe | 90 | 3 |
| PID 2596 wrote to memory of 1548 | 2596 | DllCommonsvc.exe | 91 | 3 |
| PID 2596 wrote to memory of 1692 | 2596 | DllCommonsvc.exe | 93 | 3 |
| PID 2596 wrote to memory of 1588 | 2596 | DllCommonsvc.exe | 94 | 3 |
| PID 2596 wrote to memory of 2416 | 2596 | DllCommonsvc.exe | 96 | 3 |
| PID 2596 wrote to memory of 2420 | 2596 | DllCommonsvc.exe | 97 | 3 |
| PID 2596 wrote to memory of 2296 | 2596 | DllCommonsvc.exe | 98 | 3 |
| PID 2596 wrote to memory of 1676 | 2596 | DllCommonsvc.exe | 99 | 3 |
| PID 2596 wrote to memory of 1048 | 2596 | DllCommonsvc.exe | 100 | 3 |
| PID 2596 wrote to memory of 1292 | 2596 | DllCommonsvc.exe | 101 | 3 |
| PID 2596 wrote to memory of 2640 | 2596 | DllCommonsvc.exe | 106 | 1 |
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- depth 1, PID 1868: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c1c6e0abfdbf0fd7abf694a77b34c85be16b5b40f6a65565a52495e5caf509f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c1c6e0abfdbf0fd7abf694a77b34c85be16b5b40f6a65565a52495e5caf509f.exe"
  signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- depth 2, PID 2260: C:\Windows\SysWOW64\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- depth 3, PID 2212: C:\Windows\SysWOW64\cmd.exe
  command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- depth 4, PID 2596: C:\providercommon\DllCommonsvc.exe
  command line: "C:\providercommon\DllCommonsvc.exe"
  signatures: Executes dropped EXE; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- depth 5: 17 instances of C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, each with command line "powershell" -Command Add-MpPreference -ExclusionPath '<path>' using the path listed, and each flagged Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - PID 2856: 'C:\providercommon\DllCommonsvc.exe'
  - PID 2308: 'C:\Program Files (x86)\Windows Mail\it-IT\Idle.exe'
  - PID 1748: 'C:\Program Files (x86)\Windows Sidebar\fr-FR\DllCommonsvc.exe'
  - PID 1308: 'C:\Program Files\VideoLAN\VLC\skins\fonts\System.exe'
  - PID 2124: 'C:\Program Files (x86)\Microsoft Analysis Services\services.exe'
  - PID 2924: 'C:\Users\Default User\cmd.exe'
  - PID 2912: 'C:\Program Files\Windows Sidebar\fr-FR\taskhost.exe'
  - PID 2928: 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'
  - PID 1548: 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\conhost.exe'
  - PID 1692: 'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'
  - PID 1588: 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'
  - PID 2416: 'C:\Windows\assembly\NativeImages_v2.0.50727_64\winlogon.exe'
  - PID 2420: 'C:\providercommon\services.exe'
  - PID 2296: 'C:\Program Files\Java\jre7\lib\ext\wininit.exe'
  - PID 1676: 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\smss.exe'
  - PID 1048: 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe'
  - PID 1292: 'C:\Users\Default User\dllhost.exe'
- depth 5 onward, the cmd.exe / w32tm.exe / winlogon.exe chain. Each cmd.exe entry below has command line "C:\Windows\System32\cmd.exe" /C "<bat path>" and no signatures; each C:\Windows\system32\w32tm.exe entry has command line w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 and no signatures; each C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe entry has command line "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe" and is flagged Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - depth 5, PID 2640: C:\Windows\System32\cmd.exe /C "C:\Users\Admin\AppData\Local\Temp\YnfmNXYe8z.bat"
  - depth 6, PID 2492: C:\Windows\system32\w32tm.exe
  - depth 6, PID 2676: C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe
  - depth 7, PID 2436: C:\Windows\System32\cmd.exe /C "C:\Users\Admin\AppData\Local\Temp\D2zd9hDRps.bat"
  - depth 8, PID 2044: C:\Windows\system32\w32tm.exe
  - depth 8, PID 2592: C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe
  - depth 9, PID 1484: C:\Windows\System32\cmd.exe /C "C:\Users\Admin\AppData\Local\Temp\0VN2lTwXPf.bat"
  - depth 10, PID 1948: C:\Windows\system32\w32tm.exe
  - depth 10, PID 1128: C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe
  - depth 11, PID 2316: C:\Windows\System32\cmd.exe /C "C:\Users\Admin\AppData\Local\Temp\BAdWWGXi7E.bat"
  - depth 12, PID 3012: C:\Windows\system32\w32tm.exe
  - depth 12, PID 2104: C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe
  - depth 13, PID 2816: C:\Windows\System32\cmd.exe /C "C:\Users\Admin\AppData\Local\Temp\l4DYpxlgJN.bat"
  - depth 14, PID 2880: C:\Windows\system32\w32tm.exe
  - depth 14, PID 1380: C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe
  - depth 15, PID 1940: C:\Windows\System32\cmd.exe /C "C:\Users\Admin\AppData\Local\Temp\zfOrxS71E3.bat"
  - depth 16, PID 344: C:\Windows\system32\w32tm.exe
  - depth 16, PID 1920: C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe
  - depth 17, PID 2200: C:\Windows\System32\cmd.exe /C "C:\Users\Admin\AppData\Local\Temp\USq6qxpMr5.bat"
  - depth 18, PID 920: C:\Windows\system32\w32tm.exe
  - depth 18, PID 2364: C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe
  - depth 19, PID 2616: C:\Windows\System32\cmd.exe /C "C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat"
  - depth 20, PID 1544: C:\Windows\system32\w32tm.exe
  - depth 20, PID 2864: C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe
  - depth 21, PID 1712: C:\Windows\System32\cmd.exe /C "C:\Users\Admin\AppData\Local\Temp\gSW9k5bhgR.bat"
  - depth 22, PID 2256: C:\Windows\system32\w32tm.exe
  - depth 22, PID 984: C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe
  - depth 23, PID 2324: C:\Windows\System32\cmd.exe /C "C:\Users\Admin\AppData\Local\Temp\GRgsn2v6O3.bat"
  - depth 24, PID 2904: C:\Windows\system32\w32tm.exe
  - depth 24, PID 2964: C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe
  - depth 25, PID 2916: C:\Windows\System32\cmd.exe /C "C:\Users\Admin\AppData\Local\Temp\WSSqGJyhfL.bat"
  - depth 26, PID 3032: C:\Windows\system32\w32tm.exe
  - depth 26, PID 2368: C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe
- depth 1: C:\Windows\system32\schtasks.exe instances, each flagged Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  - PID 2576: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\Idle.exe'" /f
  - PID 2512: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\Idle.exe'" /rl HIGHEST /f
  - PID 1980: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\Idle.exe'" /rl HIGHEST /f
  - PID 2484: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\DllCommonsvc.exe'" /f
  - PID 2552: schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\DllCommonsvc.exe'" /rl HIGHEST /f
  - PID 2940: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\DllCommonsvc.exe'" /rl HIGHEST /f
  - PID 2244: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\System.exe'" /f
  - PID 1700: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\System.exe'" /rl HIGHEST /f
  - PID 572: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\System.exe'" /rl HIGHEST /f
  - PID 2664: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\services.exe'" /f
  - PID 2836: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\services.exe'" /rl HIGHEST /f
  - PID 2844: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\services.exe'" /rl HIGHEST /f
  - PID 1808: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\cmd.exe'" /f
  - PID 1424: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
  - PID 1684: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
  - PID 2132: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\fr-FR\taskhost.exe'" /f
  - PID (missing): schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\fr-FR\taskhost.exe'" /rl HIGHEST /f
PID:2004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\fr-FR\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_64\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_64\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_64\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\providercommon\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre7\lib\ext\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\lib\ext\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jre7\lib\ext\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: fc8de0cd5bd2411cf1d0eef89247c9db
SHA1: 96e557932e2d7532e1c27c0b5c7bfd965164cb6f
SHA256: 3d05766fb2a3718c67aeb1e3ee6b0738182f3d1a3070e3a7a7d05f37d35c2922
SHA512: f16d1076a5d858f959106979ae33a9d50e123297f7935c9028afa7561d3f1027cf326a10b1b18b630630812347269d06fc18e688e223fc42901485b77d64b288
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 408bbee80298f187eb53b28b1f3baf7e
SHA1: 3e4be68705e6667c09c4b0302a51f0e0821c81c0
SHA256: c1079d3606cebd566db52d1f59483dac891b3b50a071a08d5b7baead9f02b1f3
SHA512: 23dbe102222f2dceba386964b4651573c3c3faa5f03380beca0890f27844ab4543b9373376b0e001ebc53261ec6faf60a2186246bcdc8a3d0ca85ad0602e797b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 8fb4a3279a44cf7f8d7681740a659071
SHA1: fe374c293dc9d69a11bcd41ec4ebdf19e54575d5
SHA256: 4b8fe9960d0459017d0d609d9a876645300e3e9aa40089c5463bc25e4bbc7045
SHA512: 4b691230e3271726ddf7f88076402a31ef1687be0a78eb69ef9fff93a94a3335df3c3637e2d45d158e0f4e276299cf27ca1fd0ff582e58f055f53c23823a5898
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 1f2e01bc910a0579c20e00fcf7acefe8
SHA1: 248ec8b4d1beb4df4c68c5d0454f4059d4dea6a7
SHA256: f0dcddadccb2b42c5c21498ddb0df87dce8bb8c1881902fb717d335a52fcbaa4
SHA512: 9e76559d2195c4d1f6040e6f76db71b17ffcdfdad194db80ef349e27d6dd25ba3193c5064e971ae865c7414dcd17c01a9e97d5aa32ca889290094da0ff9f7d8d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 08ac9065765c1f1f38902b6030159658
SHA1: 596b4e7f253b7018a2e7113f869a3221e9645e58
SHA256: 22adcfd8e184a930643d3a971f1292c181f8acc34c2f58e55f6901104c68ed89
SHA512: 64f36f4dd49fe01bc081ab9decc5b070177e3dd7a9a61550bfc24d0a23ec3314a1512c898bfb20b5e30325af4031dc117d73550a14dc34dbd2d08b26b1393046
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 81ee24d5ee5aaba1b5a9820daa59320e
SHA1: b29d144711a7c82adedeefc1bec1c6ade97077f0
SHA256: d764b750d9a65614f8d3c7a426e89d8dd1f99a52d8bc5e68f368722adf3cea4c
SHA512: 083a56ab7182d0439ae0802810d165b9d42c188514f9acff8fcc1b86e031febc332af611a626e3544bd9d4792e484f2d70c1714c0ea3a4c7154628fa54d3ce3a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: dc3fd91c8ecb4ca1c1ff2870956df076
SHA1: 735731aaf240f70805a800a1bb14a8c4b9530549
SHA256: 213be80d52bfba53b37eab81cd8334b355fc7478d72bd81295e9687f3f0a9984
SHA512: e28929db358efd8dddd545f0c59fdb863722c104ef44bfa5cd7dca43dcb749c7c5c944a14204e87e5b5eab44d4dcf96d9e458267580a72d8d37377efbf99e9bf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: ed589f77e5b115407eca6aadb3c6f4ec
SHA1: bf5d4b4c9413df9ba8e74430344c6e47d2732522
SHA256: 9f2675814a8c6d9a8b732dad36358b8b5d70c5f4b58bcdfe6ac6a7a4d139253a
SHA512: 6e4be01e108b91596c77f3a3cec0052a2daabc74c6aa3da844922d44a89dd8e66f846e04c8be09e634acd1f8e1da9c942b70d88268e68fa3e58956e27e6732ad
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: dfe04d31cf3c79016aa8bc5bdd04b737
SHA1: dbe3856eca97f37f5fcaad43f5f63395c8fcad3d
SHA256: c4f66becca5aa9e9a2156198b63fcf201f9ddc2621e4ec1aa845a3d9ef84c6ae
SHA512: 43e15bb4b58d9e5884979cf96eccbca5d1e2205c264a754e238408cf128da44061d3c4df60a1ff5898db8b6199e21c59f02169a4540b764c86652965775103cd
-
Filesize: 226B
MD5: 43fba72874c2fda09edb338ea0ba75a5
SHA1: 5408daaf76b98d86ab5dbfad29065620ad84b0b0
SHA256: 7d3307ca697d8d62187da711f1323bfde12436bf8dc2415a4e9097525ad4782e
SHA512: a4bc2bb4f12c6779e7cb1be6c33ff6f2fda6bc7fcc4abbc0a1de9c5932a2ab23fe7917ed98465da9e6f9b174e7452a5913561f1795f0d7264637161791684472
-
Filesize: 226B
MD5: d0dc49b6d28702cec1a219bc2ee9191e
SHA1: 7aedbbc5fcea29e7a778df417d5022eb22d31262
SHA256: 17186c20c4b96317dd7613504797cb1e5b6deab85b31f9cd45e46ab0f63e02e8
SHA512: 2615d683c04d9ff194774f691228063ffd4081be96a2380e3dabc2fd8cffc7b017e49c19444bbab79f2ca1bd9d05ebd0eb9966f20ca0ac81ad75b42205eac522
-
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize: 226B
MD5: 92b55ca66892ea27da3bcafbbcc79d58
SHA1: d1126ffec3dcacaaa029d9028a08b04d2fc96ebd
SHA256: b32414d70eb31ac90a77adc93656e2f30b340d371656ac0a8dbcb949030ffcba
SHA512: c3fef13fcdf566818493de46a8f92f1c166f48933a576acd2cf01568a38d02fc1dc9bac17f97a30af48e84ef5c4fe21bf830bdc6a0b6059804e51bb0bbf6ed7d
-
Filesize: 226B
MD5: b0928987c2301fe523128299c0235eb1
SHA1: fe8ef93e5551100a5052423e40a4ed54cf71c302
SHA256: 673076dc832c8c790bed2e95e95892cf7b8def6b9743ec8a3b8c3843d21b787b
SHA512: 49aafeb30613454cc4d7e4a347d3ac420d360249bd9038341694a2184b0932b0708cd27d0b2ed1807def0d3776c4f068373d4aed25854d6bc8cfd213c6b95537
-
Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize: 226B
MD5: 289133a2d0de4c74d98c751f89f6192a
SHA1: 32bc90db4a839c09601ee3a19ec3d743577c129e
SHA256: 253907f8854321028311552b983bff0202ba3b942d280dce6a6ef4faece86bdf
SHA512: d9d72b7bcbdc656d8afa0ff6e826798c4768008a4eb029770d9b794b0595e9aae0603c3b692b7ccc3368e9b4cd6b0fbf961073733b9fec469a85fd7307c5cdbc
-
Filesize: 226B
MD5: 095a78761621465465f13158150ac75c
SHA1: 3dd880bc6e4be51bf9f1d3a86529ace069f47c6a
SHA256: 8295c3057c6569ea55ac4ddb201f46883142e61ea32f710d49fdcc85ca0457f2
SHA512: b39b624cfc5cee73e28c59ac115b4c48471e34f879fb15fab49b11b09303768b16f6d05135c86402e8e6beb279faae0075b8bd6571944558032f95529bb12534
-
Filesize: 226B
MD5: 881e01eaa96e5318c12eefbaafc4f702
SHA1: f23044de806b9e5a28256909ae1413336ca2274a
SHA256: cca8db74ce99c42634e6e5f15cf8d621eb3431f34a7397e7de23c81715b72189
SHA512: 8ac750bb0a3ac254d9651b4f31ddc4375a88a6171609f7c03056f133ff1e1a8c625fa79cd8302f95a7ad87a62d5711504e9a99076031c599027e775acc182988
-
Filesize: 226B
MD5: 45917ca464c3209deb982fe41b9939ed
SHA1: 44f922d8c3124491ba0a4369097d84b6aa6371b4
SHA256: 95cae5ec7f40aa7b345c41fd9cc1d1ff69c3faba2af84381fcad9deb3788ce47
SHA512: 623cc82a921c3a400c154b2715e77950e961cb2b2064bce434ca4328875da20d7e03a7b2ba9d30962fbafcde2918c093432ce69db6fab1f23c86603504febf5d
-
Filesize: 226B
MD5: ee0c5f396d8e1d7c095f88d082b23eed
SHA1: f2a88c8dc9f7734a0a9e65d948b86a334e68dd04
SHA256: 6caf653def286fba53b5d4f17b48d5e1700345c14338019c1e7b93d95e509900
SHA512: 51cdf07f31459a3e3cd4fba285ed836afe5c4e0bd2e2c14b3c384f0fae7f5fd7410ba6e60bf9f6cfcb0fdef08ca6246f329dac956599a93ef4663f5df57ec9db
-
Filesize: 226B
MD5: 7d470fb59a8bd4621b3b074d40548236
SHA1: c2bfca214a9ff984be2c605db19effedb8041409
SHA256: d33c160937034f242f662c4d2a2d4355f560fb6c43881822519afa9d3cd1a12e
SHA512: 50ea9d9deda48a98d4a326ff2055b389b5c7da1f66eaa3adc8a45fda4f4a1c94e032bbb92f40a61c6a2af256b7b5dd004a46e697f1d25ee8ab63524fe98f2942
-
Filesize: 226B
MD5: 4e83ae09a79c135af15f0e42b825487d
SHA1: b15039ff5020d5d95b5fadd47ef66cfb3efbe7a2
SHA256: 327410108c618c9aa81e250f224dcce91b4d4c783ace51682400f7cf06a64da3
SHA512: 51f7d39f4d8a6f53b81a51ee6e6bdaa935a6fb0a47c13c29aba09da74edfd026627af8e5ae88f769935db9dfd00fad352c12be83c29e77017a2ce30cf514191c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 9281f7f2acc7abf8a821944183dbd857
SHA1: c43c64eccc8ecdbf022ecd7841e48ead2ce6bad1
SHA256: 5207ffb44e84d7b9a08da0529a2d2fdb5bc7aef17283b6bc28b2e0374676b4c3
SHA512: e8e987b98a3cde5f66cb07209868506bca6be7123a30c6fe493f8f780ca631cbd80d0db0235a9574c1b61562a5030bf1eec46ab466046317fcaf0b53aa699a14
-
Filesize: 36B
MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize: 197B
MD5: 8088241160261560a02c84025d107592
SHA1: 083121f7027557570994c9fc211df61730455bb5
SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize: 1.0MB
MD5: bd31e94b4143c4ce49c17d3af46bcad0
SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394