Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
30/12/2024, 02:27
Behavioral task
behavioral1
Sample
JaffaCakes118_8248988f35d97b2964fa00970ddc547e790395e2b488480e6b08e786c4aa253b.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_8248988f35d97b2964fa00970ddc547e790395e2b488480e6b08e786c4aa253b.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_8248988f35d97b2964fa00970ddc547e790395e2b488480e6b08e786c4aa253b.exe
-
Size
1.3MB
-
MD5
38d39854f8a1e1c7ef7db77aed9b1207
-
SHA1
4199a20f478c8e09de4356d125c0b86e7cfbfbf9
-
SHA256
8248988f35d97b2964fa00970ddc547e790395e2b488480e6b08e786c4aa253b
-
SHA512
300c3bca2e2b5d623f7ef50c00c4818e0343c85463e203d8713a2a5bbc309f8c2a697fd45c62b50d86d77c2cdd48cda3984233536c58078807a200ffa9d58253
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1812 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2872 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3012 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2260 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2168 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2088 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 780 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2660 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2896 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2952 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2288 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2900 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3000 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2976 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1620 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1988 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1984 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2140 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2776 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2372 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2108 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2036 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1408 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 284 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1296 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2128 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1032 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 968 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1616 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2520 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 960 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2940 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1744 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1784 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1068 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1560 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1728 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1540 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1752 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1332 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 576 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2092 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2324 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1512 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1340 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2012 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2348 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1576 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2836 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2800 2404 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2696 2404 schtasks.exe 35 -
resource yara_rule behavioral1/files/0x0007000000015f96-10.dat dcrat behavioral1/memory/2760-13-0x0000000000A60000-0x0000000000B70000-memory.dmp dcrat behavioral1/memory/2984-58-0x0000000000300000-0x0000000000410000-memory.dmp dcrat behavioral1/memory/1940-197-0x00000000009C0000-0x0000000000AD0000-memory.dmp dcrat behavioral1/memory/1980-257-0x0000000000310000-0x0000000000420000-memory.dmp dcrat behavioral1/memory/2784-317-0x0000000000860000-0x0000000000970000-memory.dmp dcrat behavioral1/memory/2440-377-0x00000000009F0000-0x0000000000B00000-memory.dmp dcrat behavioral1/memory/2952-437-0x0000000000AC0000-0x0000000000BD0000-memory.dmp dcrat behavioral1/memory/2584-497-0x0000000001390000-0x00000000014A0000-memory.dmp dcrat behavioral1/memory/1604-557-0x00000000000E0000-0x00000000001F0000-memory.dmp dcrat behavioral1/memory/872-617-0x0000000000C80000-0x0000000000D90000-memory.dmp dcrat behavioral1/memory/876-737-0x0000000000DA0000-0x0000000000EB0000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2756 powershell.exe 1696 powershell.exe 2496 powershell.exe 2008 powershell.exe 1384 powershell.exe 2748 powershell.exe 1500 powershell.exe 1048 powershell.exe 2668 powershell.exe 2164 powershell.exe 3028 powershell.exe 2124 powershell.exe 2808 powershell.exe 2608 powershell.exe 2540 powershell.exe 2604 powershell.exe 2304 powershell.exe 2616 powershell.exe -
Executes dropped EXE 12 IoCs
pid Process 2760 DllCommonsvc.exe 2984 taskhost.exe 1940 taskhost.exe 1980 taskhost.exe 2784 taskhost.exe 2440 taskhost.exe 2952 taskhost.exe 2584 taskhost.exe 1604 taskhost.exe 872 taskhost.exe 2272 taskhost.exe 876 taskhost.exe -
Loads dropped DLL 2 IoCs
pid Process 2820 cmd.exe 2820 cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow ioc 31 raw.githubusercontent.com 12 raw.githubusercontent.com 15 raw.githubusercontent.com 22 raw.githubusercontent.com 25 raw.githubusercontent.com 28 raw.githubusercontent.com 35 raw.githubusercontent.com 4 raw.githubusercontent.com 5 raw.githubusercontent.com 9 raw.githubusercontent.com 18 raw.githubusercontent.com -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files\VideoLAN\VLC\lua\taskhost.exe DllCommonsvc.exe File created C:\Program Files\VideoLAN\VLC\lua\b75386f1303e64 DllCommonsvc.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File created C:\Windows\ShellNew\OSPPSVC.exe DllCommonsvc.exe File created C:\Windows\ShellNew\1610b97d3ab4a7 DllCommonsvc.exe File created C:\Windows\AppPatch\de-DE\csrss.exe DllCommonsvc.exe File created C:\Windows\AppPatch\de-DE\886983d96e3d3e DllCommonsvc.exe File created C:\Windows\PLA\Reports\it-IT\csrss.exe DllCommonsvc.exe File created C:\Windows\PLA\Reports\it-IT\886983d96e3d3e DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_8248988f35d97b2964fa00970ddc547e790395e2b488480e6b08e786c4aa253b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1984 schtasks.exe 1560 schtasks.exe 1616 schtasks.exe 2800 schtasks.exe 2872 schtasks.exe 2288 schtasks.exe 2128 schtasks.exe 968 schtasks.exe 1408 schtasks.exe 1296 schtasks.exe 1032 schtasks.exe 960 schtasks.exe 1812 schtasks.exe 3012 schtasks.exe 2660 schtasks.exe 2108 schtasks.exe 576 schtasks.exe 2012 schtasks.exe 1576 schtasks.exe 2940 schtasks.exe 1744 schtasks.exe 1728 schtasks.exe 1540 schtasks.exe 2348 schtasks.exe 2976 schtasks.exe 2140 schtasks.exe 2372 schtasks.exe 1068 schtasks.exe 2036 schtasks.exe 284 schtasks.exe 1784 schtasks.exe 2092 schtasks.exe 2168 schtasks.exe 2088 schtasks.exe 2900 schtasks.exe 3000 schtasks.exe 2324 schtasks.exe 1752 schtasks.exe 2836 schtasks.exe 1340 schtasks.exe 2696 schtasks.exe 2260 schtasks.exe 780 schtasks.exe 1988 schtasks.exe 1332 schtasks.exe 2520 schtasks.exe 1512 schtasks.exe 2896 schtasks.exe 2952 schtasks.exe 1620 schtasks.exe 2776 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 32 IoCs
pid Process 2760 DllCommonsvc.exe 2760 DllCommonsvc.exe 2760 DllCommonsvc.exe 2124 powershell.exe 1384 powershell.exe 2608 powershell.exe 2808 powershell.exe 3028 powershell.exe 2604 powershell.exe 2748 powershell.exe 2540 powershell.exe 1500 powershell.exe 2616 powershell.exe 2984 taskhost.exe 2164 powershell.exe 1048 powershell.exe 1696 powershell.exe 2304 powershell.exe 2668 powershell.exe 2496 powershell.exe 2756 powershell.exe 2008 powershell.exe 1940 taskhost.exe 1980 taskhost.exe 2784 taskhost.exe 2440 taskhost.exe 2952 taskhost.exe 2584 taskhost.exe 1604 taskhost.exe 872 taskhost.exe 2272 taskhost.exe 876 taskhost.exe -
Suspicious use of AdjustPrivilegeToken 30 IoCs
description pid Process Token: SeDebugPrivilege 2760 DllCommonsvc.exe Token: SeDebugPrivilege 2124 powershell.exe Token: SeDebugPrivilege 1384 powershell.exe Token: SeDebugPrivilege 2608 powershell.exe Token: SeDebugPrivilege 2808 powershell.exe Token: SeDebugPrivilege 3028 powershell.exe Token: SeDebugPrivilege 2604 powershell.exe Token: SeDebugPrivilege 2984 taskhost.exe Token: SeDebugPrivilege 2748 powershell.exe Token: SeDebugPrivilege 2540 powershell.exe Token: SeDebugPrivilege 1500 powershell.exe Token: SeDebugPrivilege 2616 powershell.exe Token: SeDebugPrivilege 2164 powershell.exe Token: SeDebugPrivilege 1048 powershell.exe Token: SeDebugPrivilege 1696 powershell.exe Token: SeDebugPrivilege 2304 powershell.exe Token: SeDebugPrivilege 2668 powershell.exe Token: SeDebugPrivilege 2496 powershell.exe Token: SeDebugPrivilege 2756 powershell.exe Token: SeDebugPrivilege 2008 powershell.exe Token: SeDebugPrivilege 1940 taskhost.exe Token: SeDebugPrivilege 1980 taskhost.exe Token: SeDebugPrivilege 2784 taskhost.exe Token: SeDebugPrivilege 2440 taskhost.exe Token: SeDebugPrivilege 2952 taskhost.exe Token: SeDebugPrivilege 2584 taskhost.exe Token: SeDebugPrivilege 1604 taskhost.exe Token: SeDebugPrivilege 872 taskhost.exe Token: SeDebugPrivilege 2272 taskhost.exe Token: SeDebugPrivilege 876 taskhost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2780 wrote to memory of 2676 2780 JaffaCakes118_8248988f35d97b2964fa00970ddc547e790395e2b488480e6b08e786c4aa253b.exe 31 PID 2780 wrote to memory of 2676 2780 JaffaCakes118_8248988f35d97b2964fa00970ddc547e790395e2b488480e6b08e786c4aa253b.exe 31 PID 2780 wrote to memory of 2676 2780 JaffaCakes118_8248988f35d97b2964fa00970ddc547e790395e2b488480e6b08e786c4aa253b.exe 31 PID 2780 wrote to memory of 2676 2780 JaffaCakes118_8248988f35d97b2964fa00970ddc547e790395e2b488480e6b08e786c4aa253b.exe 31 PID 2676 wrote to memory of 2820 2676 WScript.exe 32 PID 2676 wrote to memory of 2820 2676 WScript.exe 32 PID 2676 wrote to memory of 2820 2676 WScript.exe 32 PID 2676 wrote to memory of 2820 2676 WScript.exe 32 PID 2820 wrote to memory of 2760 2820 cmd.exe 34 PID 2820 wrote to memory of 2760 2820 cmd.exe 34 PID 2820 wrote to memory of 2760 2820 cmd.exe 34 PID 2820 wrote to memory of 2760 2820 cmd.exe 34 PID 2760 wrote to memory of 3028 2760 DllCommonsvc.exe 87 PID 2760 wrote to memory of 3028 2760 DllCommonsvc.exe 87 PID 2760 wrote to memory of 3028 2760 DllCommonsvc.exe 87 PID 2760 wrote to memory of 2756 2760 DllCommonsvc.exe 88 PID 2760 wrote to memory of 2756 2760 DllCommonsvc.exe 88 PID 2760 wrote to memory of 2756 2760 DllCommonsvc.exe 88 PID 2760 wrote to memory of 1696 2760 DllCommonsvc.exe 89 PID 2760 wrote to memory of 1696 2760 DllCommonsvc.exe 89 PID 2760 wrote to memory of 1696 2760 DllCommonsvc.exe 89 PID 2760 wrote to memory of 1500 2760 DllCommonsvc.exe 90 PID 2760 wrote to memory of 1500 2760 DllCommonsvc.exe 90 PID 2760 wrote to memory of 1500 2760 DllCommonsvc.exe 90 PID 2760 wrote to memory of 2540 2760 DllCommonsvc.exe 91 PID 2760 wrote to memory of 2540 2760 DllCommonsvc.exe 91 PID 2760 wrote to memory of 2540 2760 DllCommonsvc.exe 91 PID 2760 wrote to memory of 2496 2760 DllCommonsvc.exe 92 PID 2760 wrote to memory of 2496 2760 DllCommonsvc.exe 92 PID 2760 wrote to memory of 2496 2760 DllCommonsvc.exe 92 PID 2760 wrote to memory of 2604 2760 DllCommonsvc.exe 93 PID 2760 wrote to memory of 2604 2760 DllCommonsvc.exe 93 PID 2760 wrote to memory of 2604 2760 DllCommonsvc.exe 93 PID 2760 wrote to memory of 2748 2760 DllCommonsvc.exe 94 PID 2760 wrote to memory of 2748 2760 DllCommonsvc.exe 94 PID 2760 wrote to memory of 2748 2760 DllCommonsvc.exe 94 PID 2760 wrote to memory of 2808 2760 DllCommonsvc.exe 95 PID 2760 wrote to memory of 2808 2760 DllCommonsvc.exe 95 PID 2760 wrote to memory of 2808 2760 DllCommonsvc.exe 95 PID 2760 wrote to memory of 2608 2760 DllCommonsvc.exe 97 PID 2760 wrote to memory of 2608 2760 DllCommonsvc.exe 97 PID 2760 wrote to memory of 2608 2760 DllCommonsvc.exe 97 PID 2760 wrote to memory of 2616 2760 DllCommonsvc.exe 99 PID 2760 wrote to memory of 2616 2760 DllCommonsvc.exe 99 PID 2760 wrote to memory of 2616 2760 DllCommonsvc.exe 99 PID 2760 wrote to memory of 2008 2760 DllCommonsvc.exe 102 PID 2760 wrote to memory of 2008 2760 DllCommonsvc.exe 102 PID 2760 wrote to memory of 2008 2760 DllCommonsvc.exe 102 PID 2760 wrote to memory of 1384 2760 DllCommonsvc.exe 104 PID 2760 wrote to memory of 1384 2760 DllCommonsvc.exe 104 PID 2760 wrote to memory of 1384 2760 DllCommonsvc.exe 104 PID 2760 wrote to memory of 2164 2760 DllCommonsvc.exe 106 PID 2760 wrote to memory of 2164 2760 DllCommonsvc.exe 106 PID 2760 wrote to memory of 2164 2760 DllCommonsvc.exe 106 PID 2760 wrote to memory of 2124 2760 DllCommonsvc.exe 108 PID 2760 wrote to memory of 2124 2760 DllCommonsvc.exe 108 PID 2760 wrote to memory of 2124 2760 DllCommonsvc.exe 108 PID 2760 wrote to memory of 2668 2760 DllCommonsvc.exe 109 PID 2760 wrote to memory of 2668 2760 DllCommonsvc.exe 109 PID 2760 wrote to memory of 2668 2760 DllCommonsvc.exe 109 PID 2760 wrote to memory of 2304 2760 DllCommonsvc.exe 110 PID 2760 wrote to memory of 2304 2760 DllCommonsvc.exe 110 PID 2760 wrote to memory of 2304 2760 DllCommonsvc.exe 110 PID 2760 wrote to memory of 1048 2760 DllCommonsvc.exe 111 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8248988f35d97b2964fa00970ddc547e790395e2b488480e6b08e786c4aa253b.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8248988f35d97b2964fa00970ddc547e790395e2b488480e6b08e786c4aa253b.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3028
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2756
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1696
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1500
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellNew\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2496
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\lua\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2748
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2608
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\de-DE\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2616
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Reports\it-IT\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Videos\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2164
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2124
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2668
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2304
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1048
-
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2984 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MpmmxgpAh8.bat"6⤵PID:1792
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:2708
-
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1940 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RBIFf9IaIr.bat"8⤵PID:1996
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:1732
-
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat"10⤵PID:2568
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:2432
-
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2784 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat"12⤵PID:3028
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:2036
-
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2440 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jk1vLt9ke4.bat"14⤵PID:1656
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:1956
-
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2952 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\USq6qxpMr5.bat"16⤵PID:1416
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:1688
-
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2584 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\djCrJd6RmA.bat"18⤵PID:2300
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:772
-
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1604 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat"20⤵PID:2072
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:2240
-
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:872 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xHU7fKnwSZ.bat"22⤵PID:2648
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:2776
-
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2272 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LEBHQwxRW8.bat"24⤵PID:2844
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:2660
-
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:876
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Windows\ShellNew\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\ShellNew\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Windows\ShellNew\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\lua\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\lua\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\AppPatch\de-DE\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\AppPatch\de-DE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\AppPatch\de-DE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\PLA\Reports\it-IT\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\PLA\Reports\it-IT\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\PLA\Reports\it-IT\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Videos\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\Videos\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Videos\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\providercommon\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\providercommon\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD579de03486e1a75616867fd60d1a639ba
SHA14bd54abfcb2d5bde05523f3cebd1f7aaea104f41
SHA25698e5aa0150896a83dfbe68bb26f17e4db001bcb990f1512a0812c72c1405193a
SHA5120fe141a0308c946e2c17dd79b54e1f03b17eeec92fb4433deab49d0a0fa59c8fa72b8749f7c33566fea9553304b592cc6af06bbbf033a79c619ab9ae6c42fa99
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD52f6ca680147ae2896b4ca5150b470c83
SHA1e013636bb053e2af376d29045edd1c68f2569593
SHA25643d05478fc16ac922fbf9e29cf3cc46855be50cb614e15f0c56589e3c829a071
SHA5123d2fd3e0e8f0613a31e6d070850b9fda3375aa2d53fca54efec1009e493e5f941ec58ba5839d81710ecc95bd0f536c0b0c475537a3136537933444757f022dea
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5edbc2b2671ad6c5ed5053ffc183a3ebc
SHA1b7e69d63362ff3dfd8c1096c27e7bb869aa640ed
SHA256af5d5962a89c4594068ad1a7f5ccf26b5f4bb9b16432fb6556a3c7845f3572a6
SHA5124f3597c13c183fb2d0c2447e31ec9b7c57b18f2850f3c02cb84566c5c8476a016453ec26c5ea2e98b48b32b01417bf017fce0bc4ac0fba7be46dd5b8bc094793
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD56db5261b0261ebd6096dbddf9b2167cd
SHA108e40e50ba72b10782d8aa7f6322f074c7c4e5de
SHA256493e10cc3a6f24a59c242922715942676f68c5329efd870974fa8b70d7128a25
SHA512cdfa8eb0fa5d7e3470d37b443eba02fa872e4fbc8e7ea3096ddd2db7f1fb21fabf667f181581cf638c9884944003c18114c04f9a751d9a6e5db4b9ab6d3e6092
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5ded3489c989f5c1a9cab47849320ee8d
SHA13c0ae25840b8f81579121ba422ff880fdb73f5af
SHA25622b6e90b0633f072cd1dbe20492beeb3c3116c3f627578bfeded5e46c5492c4f
SHA512b80f83d7d69a296eeef24ee01d39e1248e9eebfaf2e62d33ebfca441457f1f268572530a21f1a52017e5db0f4f9d1be2b8001d2abb96c82e581bfc9b80265d88
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD55d966fa55296ec8a86399015c9fe7203
SHA127765ee53322912cc564fe583fbb006584f1a1a9
SHA2563b9a1b9e5badbff414bdfd9796095dd28348fbbc38e76510bb944139d58454fc
SHA512c7b277ebd4fc90af18a947872f4cd2f68f74ec1bb8f20d8208575b90a35fca6708645c928652864e7fedfbe22b45f5cc5ace03f04fd40e7dc7659aa577e80459
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD517b7d4e6664aaf221100c9434c94572b
SHA123ddaf74b5d1531545200b98ee7a977942a1a253
SHA256758868ae3b829e59c8ab8a08943b0707891d16a00313be5f524c044b496463f4
SHA51240dfd915513256749e096235c6fc6cb6cedb95346442535cd97cb7d39c5b1a8d36a7b7208eba94079ccc6593f46be0e04e449c193489cf6f52261136921f5894
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5f28c5d06b8998fec96514d7ab44077ec
SHA1a3c03f3ed3d8e1553b754118e1a44e4b933dc42a
SHA2568d24f6f2c1674df3a9ccac1f391c92a98898cc0c1f82675ae7cc4642b57cf744
SHA512b0bb6af96320133ec65edfd2a0cb146777147c09dc3041469061496f259b7b4e7f5c884093ff30efdc3f83a7d5745f44caca4cfa49f295b2b206745bbf513ff4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD55cae9b5f81c3456f5d51e8a8b70b6294
SHA16a2ca5e36190e5c2860c4176bae8c1d82cc136ac
SHA256862ad50dd93003a1f053c30473107398da4397d15fa70629bd61c21090c96251
SHA5126f42cd43033ecd583d2e498c3e8ece47ba3d3f6838b99e067cb20f1a5957818904d31662266fc0f022778ae451a738649828724e65569a435e9c7d37bb026ed2
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
240B
MD5dade97c2e88c02cdd8c652f488abedab
SHA1987c076c02f1b91f06026c5783dbf17dd2ad9b66
SHA256d70156be2eb43c591efba443b392d041feb2af7740997592fe68fe90b1487b9b
SHA51260c8c14d526d360e24f2bcc8860b36e1e3f67613de34848628364cdd5d4457042484152cb3eef213d61372db5cc04adfce415f897db4041cafc75e9e7cd34f06
-
Filesize
240B
MD56bd98f60e83851877b5359a86a3a0463
SHA1d3211591e8b83f441c475a8064b597e87c8c65e8
SHA2565f7246f1749f183105f949243f29fd2c187d85978f6fac21138ace390726efbb
SHA51279c6ca16bc63457a0fa8422fd6fb0a3663edd5959e38360c4bb9d59ad77dfea9e4be28d49f2debab5a070c19a0b51a65eb457468d5ce735550b619e41810ef96
-
Filesize
240B
MD5df974a0c93b8ca3d634b37b62fdbabda
SHA17c7e1a4aa7e4796005d7530ca6280812fe88502e
SHA2560252cd4315d706fe905401b15820bc5be19126318b4d263e066d2f1e95dd662e
SHA512a526a3608be26ee8de574e650c9bf2be64dc56e7a186c4cc88926f5c4b750616684230fadb8b7ed67e5a170643d9a0c870a23b8cf00289ec1944732ca1e4140a
-
Filesize
240B
MD5191fd7a1c2e5a88220558a9cf73637c3
SHA1bb2f56ca697d775ac2b34c3da70abd2c38e9c978
SHA2560266dfb703022e6618121fa91e86be510455fca66fd76ca05f6ca61fd2b98013
SHA512810e02e5fd6c9a44e7f68ba0c92ce75290fd834a988d4f4ac5529bd9a33c55d97d72a7e9e89a5166f6d8dc4b89128c5498e30e8b738010b04ec6eee8f91f7a3f
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
240B
MD530baa09907ed029b2e850669f181f0ee
SHA15f70949c67003992974ad3cbb9d725841875db93
SHA25640bfa1a7d1b8bedc9f14f2c5564a1f5db2191f8830a4d04fa1d27699717f0425
SHA51264a76b93aca19fadcd6524c27323eb6d890fca5dce95ebd10aa0d8f410fcfa9e2e43a018e7d1dd6022607eea81eb6330cc7bd49a9911ab43bea258c1f5df9add
-
Filesize
240B
MD5554afa2329b922e7ca9bde275c3894b5
SHA1a0b1933f881f97e5d7d19e90bb492db42208c245
SHA256d5b650952203bef4cb3fc55d44a713dcba7ef53de3abf4d625b5e3fab10293bc
SHA512848432ab3a39c6017365bb13aa8619dfdcf0fe64875490a154b6ba54b8e7c0a29ffd82553d08b139da0005a36d647ba2ac41c576b5c992c72b9ad60e1df3307f
-
Filesize
240B
MD538cbd264860873fae39648db5027ea96
SHA137ad91f874fa87e56e74ebe0ab3c28d282979925
SHA25634b54101cfbd85af4d3e1180137b3a4a0b553e0692757a4058dac934a4bff33c
SHA51279aad62a3f083f110ec0becf6f8103fb445a14370518c0125313b0bc8bfe399b9a55c16364fce8b139145b9674ff7002371feacd5bb9b8a6240c7195f77d47b7
-
Filesize
240B
MD5be330606dd9226d976751d2abf6f8452
SHA1b7ff87500b8787456d43b5be4506a5b2f6775a44
SHA2560d72617a390743a599b17bf7d1350d5fa8549332c209ce1ab6e89d36b88cee73
SHA51209384fa193cc7a636bcdfa7edd4261641584ebd997851ce0aac3e6c9847a8c902953891337b0e1816d7cccd74dc4f5c62c4ce70af2a3b2da7b9dc28f0c7ed4d3
-
Filesize
240B
MD59525e5540b2b74627d7337985971b671
SHA1c4c9553b1106d47601e9bd742491ca1e6b1325de
SHA25608cbd24c2982a22f960407bfcfa83949c21d830ab5d349507b207ade28d88d97
SHA51232fa726b5cf35c9738c8a708cf8565469f21282cf83921d0a814e0b012a6cef4efe6ff29d47e989477ad6924f1f11ee849c13288a799effdf45506f7dc4460c1
-
Filesize
240B
MD582832e63c55b455a7b1a2d2de1b7f5d1
SHA1fbee415321345ef4e1301ddf39aea08e713f6fdc
SHA256956a5d74052471a098276c34f069ffd2cbb96025816022062275cf0e4626506f
SHA512196ceeb1a5f4820de5c724b859867292fd62c9397f372490ca9ab3eb3b0de2848d407dc0fb9769eb7c43b5a91140507317998d4b5508f51bfb628a3b9862ad57
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\07HSRL4KMJ5XNRPXLKZX.temp
Filesize7KB
MD54f1d56ece64362fdacd60c3df381364c
SHA1eceeadc7527d055ea13999435d680e50f2109774
SHA256e273d8abdfa87dffa696a01e728542e3c6ad5394b47014d338dee673afd40c25
SHA512c9a7754374ee27f48c8922297cf8b4f27fc3a22f6795cb777398a65c46aa9d09fb1f073019dabb5ca3106f4e6c36487c63450e4c72672938e92635c602f1a0fa
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478