Analysis
- max time kernel: 146s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
- submitted: 30/12/2024, 02:27
Behavioral task behavioral1
- Sample: JaffaCakes118_1d9a9419adc05a53c2fd59e30f1fd36800f4b023aeed60bc1a5b936f2a3a0fc5.exe
- Resource: win7-20241010-en
Behavioral task behavioral2
- Sample: JaffaCakes118_1d9a9419adc05a53c2fd59e30f1fd36800f4b023aeed60bc1a5b936f2a3a0fc5.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_1d9a9419adc05a53c2fd59e30f1fd36800f4b023aeed60bc1a5b936f2a3a0fc5.exe
- Size: 1.3MB
- MD5: 0497cf9a742024a9c551e2ada1e26d1a
- SHA1: d335627e11555de708ef8e1dfdc7cda8f42f20c5
- SHA256: 1d9a9419adc05a53c2fd59e30f1fd36800f4b023aeed60bc1a5b936f2a3a0fc5
- SHA512: 61a1083be3af761f59cccc7e8956a5f08194260a69df34a3a268b12db9743d179488d5512ecb7b084a4e26ebf991f5986b2b411576de5d72dc4e66b22ff24132
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
- DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process (54 IoCs)
This typically indicates that the parent process was compromised via an exploit or macro.
- Command and Scripting Interpreter: PowerShell (1 TTPs, 19 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Executes dropped EXE (10 IoCs)
PID   Process
2860  DllCommonsvc.exe
1616  DllCommonsvc.exe
3852  DllCommonsvc.exe
1588  DllCommonsvc.exe
3340  DllCommonsvc.exe
2288  DllCommonsvc.exe
3132  DllCommonsvc.exe
3768  DllCommonsvc.exe
2472  DllCommonsvc.exe
2780  DllCommonsvc.exe
- Loads dropped DLL (2 IoCs)
PID   Process
2356  cmd.exe
2356  cmd.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 9 IoCs)
Flow  IoC
22    raw.githubusercontent.com
25    raw.githubusercontent.com
28    raw.githubusercontent.com
4     raw.githubusercontent.com
5     raw.githubusercontent.com
9     raw.githubusercontent.com
12    raw.githubusercontent.com
15    raw.githubusercontent.com
18    raw.githubusercontent.com
- Drops file in Program Files directory (6 IoCs)
Description   IoC                                                                Process
File created  C:\Program Files\Mozilla Firefox\886983d96e3d3e                   DllCommonsvc.exe
File created  C:\Program Files (x86)\Microsoft.NET\RedistList\DllCommonsvc.exe  DllCommonsvc.exe
File created  C:\Program Files (x86)\Microsoft.NET\RedistList\a76d7bf15d8370    DllCommonsvc.exe
File created  C:\Program Files (x86)\Windows Photo Viewer\de-DE\lsass.exe       DllCommonsvc.exe
File created  C:\Program Files (x86)\Windows Photo Viewer\de-DE\6203df4a6bafc7  DllCommonsvc.exe
File created  C:\Program Files\Mozilla Firefox\csrss.exe                        DllCommonsvc.exe
- Drops file in Windows directory (8 IoCs)
Description   IoC                                            Process
File created  C:\Windows\DigitalLocker\it-IT\dwm.exe         DllCommonsvc.exe
File created  C:\Windows\DigitalLocker\it-IT\6cb0b6c459d5d3  DllCommonsvc.exe
File created  C:\Windows\it-IT\winlogon.exe                  DllCommonsvc.exe
File created  C:\Windows\it-IT\cc11b995f2a76d                DllCommonsvc.exe
File created  C:\Windows\IME\de-DE\csrss.exe                 DllCommonsvc.exe
File created  C:\Windows\IME\de-DE\886983d96e3d3e            DllCommonsvc.exe
File created  C:\Windows\en-US\csrss.exe                     DllCommonsvc.exe
File created  C:\Windows\en-US\886983d96e3d3e                DllCommonsvc.exe
- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Description  IoC                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_1d9a9419adc05a53c2fd59e30f1fd36800f4b023aeed60bc1a5b936f2a3a0fc5.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 54 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (31 IoCs)
- Suspicious use of AdjustPrivilegeToken (29 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
- Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1d9a9419adc05a53c2fd59e30f1fd36800f4b023aeed60bc1a5b936f2a3a0fc5.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1d9a9419adc05a53c2fd59e30f1fd36800f4b023aeed60bc1a5b936f2a3a0fc5.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1344

Level 2: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2260

Level 3: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2356

Level 4: C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2860
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2256

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2464

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2260

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2884

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\it-IT\dwm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2868

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\explorer.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2836

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2640

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\taskhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2460

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\winlogon.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2828

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\de-DE\lsass.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2748

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\de-DE\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2832

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2696

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\cmd.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2648

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\spoolsv.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2664

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2360

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\WmiPrvSE.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1676

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\lsm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2216

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1696

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1712
Level 5: C:\Program Files (x86)\Microsoft.NET\RedistList\DllCommonsvc.exe
Command line: "C:\Program Files (x86)\Microsoft.NET\RedistList\DllCommonsvc.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1616

Level 6: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GQn77QEoUi.bat"
PID: 3780

Level 7: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 3824

Level 7: C:\Program Files (x86)\Microsoft.NET\RedistList\DllCommonsvc.exe
Command line: "C:\Program Files (x86)\Microsoft.NET\RedistList\DllCommonsvc.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3852

Level 8: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j2qd1ZwTnL.bat"
PID: 1296

Level 9: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1604

Level 9: C:\Program Files (x86)\Microsoft.NET\RedistList\DllCommonsvc.exe
Command line: "C:\Program Files (x86)\Microsoft.NET\RedistList\DllCommonsvc.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1588

Level 10: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat"
PID: 2488

Level 11: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 3348

Level 11: C:\Program Files (x86)\Microsoft.NET\RedistList\DllCommonsvc.exe
Command line: "C:\Program Files (x86)\Microsoft.NET\RedistList\DllCommonsvc.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3340

Level 12: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iVopF68B7o.bat"
PID: 2676

Level 13: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1932

Level 13: C:\Program Files (x86)\Microsoft.NET\RedistList\DllCommonsvc.exe
Command line: "C:\Program Files (x86)\Microsoft.NET\RedistList\DllCommonsvc.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2288

Level 14: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat"
PID: 2016

Level 15: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 3044

Level 15: C:\Program Files (x86)\Microsoft.NET\RedistList\DllCommonsvc.exe
Command line: "C:\Program Files (x86)\Microsoft.NET\RedistList\DllCommonsvc.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3132

Level 16: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0uTXzTWsAa.bat"
PID: 3700

Level 17: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 3736

Level 17: C:\Program Files (x86)\Microsoft.NET\RedistList\DllCommonsvc.exe
Command line: "C:\Program Files (x86)\Microsoft.NET\RedistList\DllCommonsvc.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3768

Level 18: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ww6iFNwlpp.bat"
PID: 2844

Level 19: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1972

Level 19: C:\Program Files (x86)\Microsoft.NET\RedistList\DllCommonsvc.exe
Command line: "C:\Program Files (x86)\Microsoft.NET\RedistList\DllCommonsvc.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2472

Level 20: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BcIiUXCUMc.bat"
PID: 1916

Level 21: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 928

Level 21: C:\Program Files (x86)\Microsoft.NET\RedistList\DllCommonsvc.exe
Command line: "C:\Program Files (x86)\Microsoft.NET\RedistList\DllCommonsvc.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2780
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\DigitalLocker\it-IT\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\it-IT\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\DigitalLocker\it-IT\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\DllCommonsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:520
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\it-IT\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\it-IT\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\IME\de-DE\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\IME\de-DE\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\IME\de-DE\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\en-US\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\en-US\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Pictures\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:428
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Saved Games\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Saved Games\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Videos\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Videos\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Videos\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\providercommon\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 24fccc0b93a9896c6a1d68a132f6df08
SHA1 d9b039e301d5b47ca421ebefe4d83afb44a2f301
SHA256 4bb271f854eaf3812dbd45f84648c89331e95d7b4e3139099368a20ef222a727
SHA512 9400d7942c7b3788a0be3817c7c60062a128fa55ca83bec2e1899b3734e74323d1846511d50677ef92614fbcea1cfbc019997825b33481b260027392a97a0e94
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 a676dd5930a89418aa891d47544f1515
SHA1 b1af25433d004800a9081fb67812bc87e09f5713
SHA256 0705dd96e90b1727b3e406d88f9fe0084a8c2f13fb9dde7525ce035b5d2a6e57
SHA512 9eaf8dff024414ed9b5d2a35008cc674fc3e5c616180ec9054b9aad1d54f591cddd9453a3cfabc8ea59ce3f2c52cdca74b43abfdb77ea8fe5a5584e925f522fd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 2bc5d3dd6f9cb5d64577419c5770fc8e
SHA1 9b4530ce810d05d7e80a110a45bd87854f52f738
SHA256 49098bd3a82c2cfcbfd6c1b45baa31410b6eb75af8974ab612235b0636bae0af
SHA512 ef44d3bc5688b21d086704ccf58bf6591000df14f0184de0aadd3a969ba887179093f550efd3217aae25030fdf4dae880193734eddfe028b064a04ba077e0dff
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 1ccdfe41291c3d6dfc71aaff441b2287
SHA1 53b385ba072d885ea302590981faf0c4ccb4e899
SHA256 226beac439b038e30bbae8ac2c939e7e875810cc520b084bc7c53d8bc590deaf
SHA512 fd720413f46c852eb5268500704b89228ac635f6d6a5d3370bb7bf3c6f0aa7cf0522fbf3ffc4b01e5ae56053e821dd9c5834100c5d9c733437f006a7ab86ecb3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 2b4a07f53fa7abbfc89ccc3358908e87
SHA1 c8453d92a440b2a7d320222b23a0e2898933e410
SHA256 15d8fdf98fcd0aa44ad37c0f94750c0a000492cfce5260420aef7094f5d0d962
SHA512 5c45bf5d0ffc7982d395d3dde77eed3452c13fceb6307706b8d23fe81a5e3cb69818f620ee08894cb14e6f6e64c27d3e8ee4b31e2d837970162d7696db7b61b8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 4b729c139ef1a8e4d729dde5343e2c2b
SHA1 a343f10376f616e56cdc9b9ee69c0d1c1fcaab9c
SHA256 58428ec55d2c788b5e1e02dcc40ce97b4eb542f1b42eff265dd641c3673fb1b3
SHA512 88afab9cb685704085436b0100ff198806ea56b2dd22471b0801e396061b67be9afbd520adf805414039d3577e636a9ab2cd7757a234ad80627aaf3212c5b5e4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 1b9776c5323231a5bd34711c2689507b
SHA1 8fee31fe7759cf879875727946dcd2ac8603e23f
SHA256 a69f97f2d431273371197c8b40238affb3365612fe637168f265ececd752e56f
SHA512 484bdd6e0c373e62bbf79d35c28c5017b216f18a36d2d317fa3535def67ce326195361aec7559bb87f07b1b38498d06db796c5e87cc1d4cef576ceb3217692e4
-
Filesize 229B
MD5 8fb33d3ea69c2e7f48835ed34547bf12
SHA1 a152d437fa7eb03909acf0b2383f8289108bba41
SHA256 f058e83705abbddf745bb87fc27516315088f3249b5942f676ed3927d7fb0620
SHA512 b69126fd50e845b80a3bed9b4e924228ba79d10c81f47a0815427880ae2e487c3cfd10f6c8812b3de0002f6b9906eba66acb0921e662dc5d194d00f4153003f7
-
Filesize 229B
MD5 0058ef0741eb9f6ba2974ddf315ab200
SHA1 e6a348b58eb89cbab116a4fe69a317df4ee08937
SHA256 f62456a50312f496ea4889496ae50abb9da165382dc9aba9b42149ff5ea27cf5
SHA512 c653d62d82952e2b6c04ba61d2855653d74df53b1e2e4f5defd9e484a55c55693bbc0ff628329c98dd9a22939028327d37e2ea5e215d681cef68f03b66f1ed24
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 229B
MD5 e797377e82d247ea8236effafd84359b
SHA1 b244d4a99f6441d64435463bddf4df5a62e2b703
SHA256 c640defea94effb2e33f6f3f4e6f4f7bfe2b6a2f9160a2ff6927aa1ee9876f50
SHA512 9d3f9f305fc2315e801c3b8bb4014cefddd70fdb365aeb465c92692889f4266007892b7349a5834399c1423f08d7560cc30a2b7f1dc71035c276479e1e2f5050
-
Filesize 229B
MD5 e8941353a2120ad914f832997ea0ed87
SHA1 0ca1466e4fdce52ab0cff50841758a1a1666a12d
SHA256 e02a6a0bd45e714a17f10b4ca0a6a095a8b76d4ead55256e81891f60aa8a3dd8
SHA512 3bcc9ef32e05ce58d638f841371355579cc8e0579edea7824bd8cc237b4dc3b33f3274336190e66b4d5f804ad9d47ceca8f097a37e7f94967874b4464fd185c3
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 229B
MD5 28f81cb471249bf1b8f1a6cfb4e92c1d
SHA1 88001a7f1f797b231ac65f107b3f8c805e251cde
SHA256 7331123072560fba91e6ce328ca1c808d66e15ff5a972e1145c2c4fa6a684cc7
SHA512 3627c2cf509de29db6a3dfc60f99b022342a5b68b03465b3d2290216fefcf1d3c3638546eb81ccebbccdddc3298928d07c63e8f0c9be974833e26d47f0f9ea4d
-
Filesize 229B
MD5 47cdd8d140f039a11ee02435aae559a1
SHA1 7fe3c005355beb386513176228db8903f9c06c88
SHA256 7409df83c9a185437b0e3d0a3514e0ca7bdef880cc3a16dc15cd6794fc67858e
SHA512 c9af68c63afa7d3c46bdde424ef8e8604afae93c7d8399670a169147f9efeb9f4af5d5dfe8cf9a58f069c0388b6207d71ba2f38dabda72c0431f5ade2d30b67c
-
Filesize 229B
MD5 1e4e84cb21bfb7204b3e4fcfdc6878b7
SHA1 f48c2628d6f2a3a3fb0be6446ac2167d4ed9dcd2
SHA256 1541dee5aded6b115ea5a0789d592de8630e6db931c0ecf4aa5890445a6a1c1f
SHA512 b018786da8de1f68cc50bb30462c58c29c1f6e875eb6db2e0dac0abdf82b722e4c689326311fdbc6b7320620a30a46e93de0142f9910b2b74a11e5d830744729
-
Filesize 229B
MD5 2e2460ea09b96ebc98b28720f394cad2
SHA1 4a445d2ff7c530b5db473a48ea4d35c8ef280d51
SHA256 d2897a91ed5c269cf83b51049cc15ec0e4fa6c835a6954637b07d69c5a9ca270
SHA512 e2ba3b808f8ea1f4dab4dab0b81be27a2127f0908c3b0ac49ad664a20006fecbd6a15ae8220835e8338c9e69ba9e19b16d0b126683788821fe1dd60278b5b05c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 71fb8ef1e07dcfc262f546f9ef705bd6
SHA1 b7b1d992f85a235484031303452bd9cce9535980
SHA256 b3344df1bb67aed3638d359ca86b8875a81a4a4e06a61479f3bd16082c00535e
SHA512 3bb29844271978ce912d27e2c481239cafdf9fb731ac40d23943a787c582c30d19ceb2b45abf31c43e46e0878d80640de72992f9c47fdbbea75f136da697dd25
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394