Analysis
max time kernel: 148s
max time network: 147s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 02:23
Behavioral task
behavioral1
Sample
JaffaCakes118_51678144017bfc389ab538c7b305e479d1b593d717b5d80b784c2f8cdcff92e0.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_51678144017bfc389ab538c7b305e479d1b593d717b5d80b784c2f8cdcff92e0.exe
Resource
win10v2004-20241007-en
General
Target: JaffaCakes118_51678144017bfc389ab538c7b305e479d1b593d717b5d80b784c2f8cdcff92e0.exe
Size: 1.3MB
MD5: 422441400d128e80c4c8e23cd2a15d8c
SHA1: a06afa2a9ad15e6ddc58f371f6fba0986d124bc9
SHA256: 51678144017bfc389ab538c7b305e479d1b593d717b5d80b784c2f8cdcff92e0
SHA512: 65e3fa61e94b958a787626dc5303da20488e6488aa119941156f72c7a8566fd41607b77b3d06cddd0b9603621694d73b100b791ef9a541b4e2df49449aea7b4f
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Executes dropped EXE 9 IoCs
pid   Process
2804  DllCommonsvc.exe
2640  dllhost.exe
296   dllhost.exe
2484  dllhost.exe
2864  dllhost.exe
1844  dllhost.exe
2308  dllhost.exe
2780  dllhost.exe
1936  dllhost.exe
Loads dropped DLL 2 IoCs
pid   Process
2104  cmd.exe
2104  cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
flow  ioc
16    raw.githubusercontent.com
19    raw.githubusercontent.com
23    raw.githubusercontent.com
26    raw.githubusercontent.com
4     raw.githubusercontent.com
5     raw.githubusercontent.com
9     raw.githubusercontent.com
13    raw.githubusercontent.com
Drops file in Program Files directory 8 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Common Files\sppsvc.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Common Files\0a1fd5f707cd16 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\56085415360792 | DllCommonsvc.exe
File created | C:\Program Files\Windows Photo Viewer\ja-JP\csrss.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Photo Viewer\ja-JP\886983d96e3d3e | DllCommonsvc.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\addins\csrss.exe | DllCommonsvc.exe
File created | C:\Windows\addins\886983d96e3d3e | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_51678144017bfc389ab538c7b305e479d1b593d717b5d80b784c2f8cdcff92e0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 29 IoCs
Suspicious use of AdjustPrivilegeToken 27 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry gives the process's depth in the process tree in brackets, the image path, the command line, the signatures it triggered, and its PID.

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_51678144017bfc389ab538c7b305e479d1b593d717b5d80b784c2f8cdcff92e0.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_51678144017bfc389ab538c7b305e479d1b593d717b5d80b784c2f8cdcff92e0.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2880
[2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2224
[3] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2104
[4] C:\providercommon\DllCommonsvc.exe
    Command line: "C:\providercommon\DllCommonsvc.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2804
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2744
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\conhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1276
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\ja-JP\csrss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2308
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Videos\dllhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1700
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\sppsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2004
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1952
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2092
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 952
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2168
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\services.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1816
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\csrss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2232
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\OSPPSVC.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2156
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2320
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2400
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 396
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2972
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\OSPPSVC.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 868
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1524
[5] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1o2YWI4H9t.bat"
    PID: 2280
[6] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1960
[6] C:\Users\Admin\Videos\dllhost.exe
    Command line: "C:\Users\Admin\Videos\dllhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2640
[7] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2zdeBu3xOP.bat"
    PID: 960
[8] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1720
[8] C:\Users\Admin\Videos\dllhost.exe
    Command line: "C:\Users\Admin\Videos\dllhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 296
[9] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u02VouYs0z.bat"
    PID: 2900
[10] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1036
[10] C:\Users\Admin\Videos\dllhost.exe
    Command line: "C:\Users\Admin\Videos\dllhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2484
[11] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat"
    PID: 2808
[12] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1584
[12] C:\Users\Admin\Videos\dllhost.exe
    Command line: "C:\Users\Admin\Videos\dllhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2864
[13] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cnsnMHUbNI.bat"
    PID: 2276
[14] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2596
[14] C:\Users\Admin\Videos\dllhost.exe
    Command line: "C:\Users\Admin\Videos\dllhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1844
[15] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xHU7fKnwSZ.bat"
    PID: 620
[16] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1092
[16] C:\Users\Admin\Videos\dllhost.exe
    Command line: "C:\Users\Admin\Videos\dllhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2308
[17] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat"
    PID: 2336
[18] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 912
[18] C:\Users\Admin\Videos\dllhost.exe
    Command line: "C:\Users\Admin\Videos\dllhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2780
[19] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\onYrHPGvDe.bat"
    PID: 2312
[20] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2720
[20] C:\Users\Admin\Videos\dllhost.exe
    Command line: "C:\Users\Admin\Videos\dllhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1936
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Desktop\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Videos\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Videos\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Videos\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\providercommon\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Start Menu\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Start Menu\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\addins\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\addins\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Desktop\OSPPSVC.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Desktop\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:108
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240
Network
MITRE ATT&CK Enterprise v15
Downloads