Analysis
max time kernel: 148s
max time network: 149s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 02:48
Behavioral task: behavioral1
Sample: JaffaCakes118_631be6d15c6d5ec0f53ebc1cca87e24b7288570d71c22789fb694d900bcbd438.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: JaffaCakes118_631be6d15c6d5ec0f53ebc1cca87e24b7288570d71c22789fb694d900bcbd438.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_631be6d15c6d5ec0f53ebc1cca87e24b7288570d71c22789fb694d900bcbd438.exe
Size: 1.3MB
MD5: 6ea2495f6deb155db8f8ab16abaf1aae
SHA1: 2c7d09f58725f1eb60f8a6bdd56db837a6f87263
SHA256: 631be6d15c6d5ec0f53ebc1cca87e24b7288570d71c22789fb694d900bcbd438
SHA512: 07cf80bd506e8375a9a88c308016fe753be5277967444514d378a00aca54a5808f91d04ab2fd8e744c006a24e2c62d106c99290aca92b4f0d68fdbe0a6a01c37
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process (42 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
resource  yara_rule
behavioral1/files/0x0007000000019cba-10.dat  dcrat
behavioral1/memory/2816-13-0x00000000011A0000-0x00000000012B0000-memory.dmp  dcrat
behavioral1/memory/2348-129-0x0000000001030000-0x0000000001140000-memory.dmp  dcrat
behavioral1/memory/1100-188-0x0000000000220000-0x0000000000330000-memory.dmp  dcrat
behavioral1/memory/2660-248-0x0000000000370000-0x0000000000480000-memory.dmp  dcrat
behavioral1/memory/2872-309-0x0000000000BB0000-0x0000000000CC0000-memory.dmp  dcrat
behavioral1/memory/3016-370-0x0000000000F20000-0x0000000001030000-memory.dmp  dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 15 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Executes dropped EXE (10 IoCs)
pid  Process
2816  DllCommonsvc.exe
2348  audiodg.exe
1100  audiodg.exe
2660  audiodg.exe
2872  audiodg.exe
3016  audiodg.exe
2692  audiodg.exe
2612  audiodg.exe
668  audiodg.exe
916  audiodg.exe
Loads dropped DLL (2 IoCs)
pid  Process
2948  cmd.exe
2948  cmd.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 10 IoCs)
flow  ioc
26  raw.githubusercontent.com
5  raw.githubusercontent.com
23  raw.githubusercontent.com
12  raw.githubusercontent.com
16  raw.githubusercontent.com
19  raw.githubusercontent.com
29  raw.githubusercontent.com
33  raw.githubusercontent.com
4  raw.githubusercontent.com
9  raw.githubusercontent.com
Drops file in Program Files directory (11 IoCs)
description  ioc  Process
File opened for modification  C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe  DllCommonsvc.exe
File created  C:\Program Files\Microsoft Office\Office14\1033\42af1c969fbb7b  DllCommonsvc.exe
File created  C:\Program Files\Common Files\SpeechEngines\wininit.exe  DllCommonsvc.exe
File created  C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe  DllCommonsvc.exe
File created  C:\Program Files (x86)\Mozilla Maintenance Service\logs\886983d96e3d3e  DllCommonsvc.exe
File created  C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe  DllCommonsvc.exe
File created  C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\f3b6ecef712a24  DllCommonsvc.exe
File created  C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe  DllCommonsvc.exe
File created  C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\audiodg.exe  DllCommonsvc.exe
File created  C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\42af1c969fbb7b  DllCommonsvc.exe
File created  C:\Program Files\Common Files\SpeechEngines\56085415360792  DllCommonsvc.exe
Drops file in Windows directory (4 IoCs)
description  ioc  Process
File created  C:\Windows\PLA\Reports\de-DE\ebf1f9fa8afd6d  DllCommonsvc.exe
File created  C:\Windows\AppPatch\fr-FR\taskhost.exe  DllCommonsvc.exe
File created  C:\Windows\AppPatch\fr-FR\b75386f1303e64  DllCommonsvc.exe
File created  C:\Windows\PLA\Reports\de-DE\cmd.exe  DllCommonsvc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_631be6d15c6d5ec0f53ebc1cca87e24b7288570d71c22789fb694d900bcbd438.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 42 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (33 IoCs)
Suspicious use of AdjustPrivilegeToken (25 IoCs)
description  pid  Process
Token: SeDebugPrivilege  2816  DllCommonsvc.exe
Token: SeDebugPrivilege  3052  powershell.exe
Token: SeDebugPrivilege  1416  powershell.exe
Token: SeDebugPrivilege  2456  powershell.exe
Token: SeDebugPrivilege  2572  powershell.exe
Token: SeDebugPrivilege  568  powershell.exe
Token: SeDebugPrivilege  2460  powershell.exe
Token: SeDebugPrivilege  2608  powershell.exe
Token: SeDebugPrivilege  1400  powershell.exe
Token: SeDebugPrivilege  2972  powershell.exe
Token: SeDebugPrivilege  1596  powershell.exe
Token: SeDebugPrivilege  2652  powershell.exe
Token: SeDebugPrivilege  1704  powershell.exe
Token: SeDebugPrivilege  2596  powershell.exe
Token: SeDebugPrivilege  3048  powershell.exe
Token: SeDebugPrivilege  1572  powershell.exe
Token: SeDebugPrivilege  2348  audiodg.exe
Token: SeDebugPrivilege  1100  audiodg.exe
Token: SeDebugPrivilege  2660  audiodg.exe
Token: SeDebugPrivilege  2872  audiodg.exe
Token: SeDebugPrivilege  3016  audiodg.exe
Token: SeDebugPrivilege  2692  audiodg.exe
Token: SeDebugPrivilege  2612  audiodg.exe
Token: SeDebugPrivilege  668  audiodg.exe
Token: SeDebugPrivilege  916  audiodg.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_631be6d15c6d5ec0f53ebc1cca87e24b7288570d71c22789fb694d900bcbd438.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_631be6d15c6d5ec0f53ebc1cca87e24b7288570d71c22789fb694d900bcbd438.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2296

C:\Windows\SysWOW64\WScript.exe (level 2)
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2784

C:\Windows\SysWOW64\cmd.exe (level 3)
Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2948

C:\providercommon\DllCommonsvc.exe (level 4)
Command line: "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2816
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Links\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\winlogon.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Reports\de-DE\cmd.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\fr-FR\taskhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\audiodg.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\sppsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\SpeechEngines\wininit.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1704
C:\Windows\System32\cmd.exe (level 5)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ErLC8AtReh.bat"
- Suspicious use of WriteProcessMemory
PID: 3024

C:\Windows\system32\w32tm.exe (level 6)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2540

C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe (level 6)
Command line: "C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2348

C:\Windows\System32\cmd.exe (level 7)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat"
PID: 1800

C:\Windows\system32\w32tm.exe (level 8)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1736

C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe (level 8)
Command line: "C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1100

C:\Windows\System32\cmd.exe (level 9)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9minE9DcLk.bat"
PID: 2756

C:\Windows\system32\w32tm.exe (level 10)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2260

C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe (level 10)
Command line: "C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2660

C:\Windows\System32\cmd.exe (level 11)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GUMorhJGzB.bat"
PID: 3056

C:\Windows\system32\w32tm.exe (level 12)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2868

C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe (level 12)
Command line: "C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2872

C:\Windows\System32\cmd.exe (level 13)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ottjOj3FQt.bat"
PID: 2772

C:\Windows\system32\w32tm.exe (level 14)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1568

C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe (level 14)
Command line: "C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3016

C:\Windows\System32\cmd.exe (level 15)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\USq6qxpMr5.bat"
PID: 2236

C:\Windows\system32\w32tm.exe (level 16)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1612

C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe (level 16)
Command line: "C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2692

C:\Windows\System32\cmd.exe (level 17)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat"
PID: 2660

C:\Windows\system32\w32tm.exe (level 18)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2868

C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe (level 18)
Command line: "C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2612

C:\Windows\System32\cmd.exe (level 19)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\80JI9OTYea.bat"
PID: 2548

C:\Windows\system32\w32tm.exe (level 20)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1736

C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe (level 20)
Command line: "C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 668

C:\Windows\System32\cmd.exe (level 21)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qsbi9TUILn.bat"
PID: 2980

C:\Windows\system32\w32tm.exe (level 22)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1996

C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe (level 22)
Command line: "C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 916

C:\Windows\System32\cmd.exe (level 23)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m47JVZSxDi.bat"
PID: 2780

C:\Windows\system32\w32tm.exe (level 24)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 3064
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Links\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Default\Links\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Links\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\Reports\de-DE\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\PLA\Reports\de-DE\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\Reports\de-DE\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\providercommon\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\AppPatch\fr-FR\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\AppPatch\fr-FR\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\AppPatch\fr-FR\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\SpeechEngines\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Common Files\SpeechEngines\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\SpeechEngines\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804
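The task list above is a uniform persistence pattern: each dropped binary borrows the name of a Windows system process (cmd.exe, taskhost.exe, dwm.exe, audiodg.exe, WmiPrvSE.exe, Idle.exe, sppsvc.exe, wininit.exe, csrss.exe) but lives outside its real home directory, and each gets three tasks, one ONLOGON task with /rl HIGHEST plus two MINUTE re-launch tasks, with task names equal to the binary stem or the stem plus its own first letter (cmd/cmdc, taskhost/taskhostt, WmiPrvSE/WmiPrvSEW). The detection logic below is an added example, not part of this sandbox report or of DcRat: it parses schtasks /create command lines as they would arrive from a process-creation log, groups them by target executable and reports those indicators. The command lines are a subset of the ones listed above plus one constructed benign line (NightlyBackup); the SYSTEM_BINARY_HOMES allow-list of genuine binary locations is a simplified assumption for the example, not something the report states.

```python
import ntpath
import re
from collections import defaultdict

# Where the genuine binaries of these names live on a default Windows install.
# Simplified allow-list assumed for this example (not taken from the report).
# Idle.exe has no on-disk binary at all: "System Idle Process" is not a file.
SYSTEM_BINARY_HOMES = {
    "cmd.exe":      {r"c:\windows\system32", r"c:\windows\syswow64"},
    "taskhost.exe": {r"c:\windows\system32"},
    "wmiprvse.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "csrss.exe":    {r"c:\windows\system32"},
    "idle.exe":     set(),
}

# Command lines copied from the report above, plus one constructed benign
# task (NightlyBackup) so that the allow-listed path is exercised as well.
SAMPLE_CMDLINES = r'''
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\Reports\de-DE\cmd.exe'" /f
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\PLA\Reports\de-DE\cmd.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\Reports\de-DE\cmd.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\AppPatch\fr-FR\taskhost.exe'" /f
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\AppPatch\fr-FR\taskhost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\AppPatch\fr-FR\taskhost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /f
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /f
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /f
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Windows\System32\cmd.exe /c C:\Scripts\backup.bat" /f
'''.strip().splitlines()


def _opt(cmdline, flag, pattern=r'"[^"]*"|\S+'):
    """Value of a /flag option, or None if absent; quoted values keep their quotes."""
    m = re.search(r"/%s\s+(%s)" % (flag, pattern), cmdline, re.I)
    return m.group(1) if m else None


def _exe_from_tr(tr_value):
    """Executable path from a /tr value: the report wraps it as "'path'", and a task may carry arguments."""
    v = tr_value.strip().strip('"').strip()
    if v[:1] in ("'", '"'):
        end = v.find(v[0], 1)
        return v[1:end] if end > 0 else v[1:]
    return v.split()[0] if v else ""


def parse_schtasks(cmdline):
    """Return the /create parameters of a schtasks command line, or None if it is not a /create."""
    if not re.search(r'schtasks(\.exe)?"?\s+/create\b', cmdline, re.I):
        return None
    return {
        "tn": (_opt(cmdline, "tn") or "").strip('"'),
        "sc": (_opt(cmdline, "sc") or "").upper(),
        "mo": _opt(cmdline, "mo"),
        "rl": (_opt(cmdline, "rl") or "").upper() or None,
        "exe": _exe_from_tr(_opt(cmdline, "tr") or ""),
    }


def analyze(cmdlines):
    """Group /create calls by target executable; return {exe_lowercase: [reasons]} ([] means nothing flagged)."""
    by_exe = defaultdict(list)
    for t in filter(None, map(parse_schtasks, cmdlines)):
        by_exe[t["exe"].lower()].append(t)
    report = {}
    for exe, group in by_exe.items():
        base, home = ntpath.basename(exe), ntpath.dirname(exe)
        stem = base[:-4] if base.endswith(".exe") else base
        reasons = []
        allowed = SYSTEM_BINARY_HOMES.get(base)
        if allowed == set():
            reasons.append(f"{base}: no genuine on-disk binary of that name exists")
        elif allowed is not None and home not in allowed:
            reasons.append(f"{base} masquerades as a system binary from {home}")
        scheds = {t["sc"] for t in group}
        if "ONLOGON" in scheds and "MINUTE" in scheds:
            reasons.append("ONLOGON task paired with MINUTE re-launch task(s)")
        if any(t["rl"] == "HIGHEST" for t in group):
            reasons.append("requests /rl HIGHEST")
        if stem and all(t["tn"].lower() in (stem, stem + stem[0]) for t in group):
            reasons.append("task names are the binary stem, or the stem plus its first letter")
        report[exe] = reasons
    return report


if __name__ == "__main__":
    for exe, reasons in analyze(SAMPLE_CMDLINES).items():
        print(("SUSPECT " if reasons else "ok      ") + exe)
        for r in reasons:
            print("   -", r)
```

Feed it the CommandLine field of Sysmon event 1 or Security event 4688 records whose image is schtasks.exe; on a real host, confirm a hit with `schtasks /query /tn <name> /v /fo LIST` and check whether the target file exists and is signed before acting on it. The per-target grouping matters: a single MINUTE task is common in legitimate software, while the ONLOGON plus MINUTE triplet against a misplaced system-binary name is the signal this report shows.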
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 d6dcf32edd2acd5f5a0cb24c8e755b75
SHA1 1f61d9fc74b61045d1db64e69319e2f00d2297ac
SHA256 d588986fe07f65af5af9f9ef364a966310d1a52e951d9bfd2c39890b61a5fb86
SHA512 75182b3cc2c0cb50d1661f31f4160ee5e696d9086a5bde81e1f8dde8f37f021bf5d9420e381fa275011a4131a0ed2689cdcb678cdf30fca502d94ed8cea58938
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 fe990e2d92182b96858d6221de272c07
SHA1 ce4656a1029e8e6b541bf4caf5ed1032401e8d65
SHA256 86b0b87099469450ecb55b71b2dc19bd4c18a043f259cad23c653245aec72f31
SHA512 db5337d91b1ed87b10a30db76f68c7d4ded6a021aef0a29b3e6bcbb5a7df2a2242cc82ed02e0ece9ec9e0e089e5513974742fd4a874e38bc700e6019b1de9b8e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 b36eec49ab68286345b07d8e5a036a8a
SHA1 9c873ac69b111632ec6aa30ac81efd1ca672aa2e
SHA256 99048642bed3b3213cf549922a7836913c67b8f5c628bf97af3379358535d49e
SHA512 3f1d1b3a01e8dfa9f7eb3b464703c41427f42680088aa55f0c1042ec7e4f2cfc1c086f4185b3d20c9999787d3368296ad4ff6d5fea2041e96de39fb5cebcfb7f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 2dc27345db764b668b57f1d7ff33b1e1
SHA1 26fc8deb806830053f6c93d16535bcc0147a76bc
SHA256 b0eab0f323d4d83188ef0e11f3bbd64541da4bb4082c6ee505ccdc99c382495e
SHA512 4835fb5a87e221c4882b85de40ed925ecb0b071fc35e725453d96433116823a2c4bfb303b2ad2f541b558299e78bd8d43b0ac631da2cb2d611ac56e02c810be9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 3d02a2a28969a9ed318f30ee9998afa0
SHA1 330b86c99378d2b1674ef711db3253c55d8811da
SHA256 4f3b58176a1f5d5fa80befeacd0ccd71832d910e5c5ba8eca2226d8d4e0f90c6
SHA512 1a95e255bfc9a89a10e955342b293ae059870ce87f60c49573ad707802d38f964e520b8fc5a4f269de511b8073f867ddc8453ddc47da2c30293bd0408c0f41ef
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 abca9171197679fa6978991f0baed84a
SHA1 160d2c2657ea4735d539b16e388449e022617e62
SHA256 12aaf7a0714bfd1fa78de5385c7b1c93a128c3a17293ea69a2c68ed1e0f5109f
SHA512 dc56abd8c58d2e6f656ebf830019e4574257f25c38de873df111b281a3fa1aa245c07dad8b8711156c273fcbc72e6c1db2a56e4b75b624f500d6e1a5fe859f1f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 7a322d5464d57af622d0132cf31b12e7
SHA1 c2ecf8ed167ee0a2320a0931c3f91b33646c2484
SHA256 bea8005806b4533c7aaf2e59a3aeb2ce8abee394f81564895ae10bccf7b0e165
SHA512 77fca74088c00554a8c008312514c68398cfd9549f4fa105748c6ab93a8bb5941757507825941a06f48c7d0f483bc2444a241a323aed8086b55851373e1c8ca9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 3f191a9147a69395006d761fd04651e3
SHA1 57f31458dd488dfa84f4be8db8150bf446590d31
SHA256 4eda66bef8de58418dff7669a0e68d8f0c045d013065785faa90c77c0f50dac7
SHA512 306f2fa35446864f06f74e4546fc52b48daec3f69ed049c666316e249fcd3c14e2ff4e39a9c37f49b0bfd2b735c9709c9eadabca0018f0ee12e42a7f7ca0909a
-
Filesize 224B
MD5 fbcc85e5d686540259d1fb3c451c8e19
SHA1 b3f55382eecaad1bccbb0b49e1fc2216da18ac11
SHA256 2c46a2f011c26c799e74bf705d6a063b654e5dfd1bbe6b38096196613c03d949
SHA512 d9e9e512f23bfab187775a0869e72069a61fd5f2b9bb3b5b2e7c6621026f2eceb50bb242554b22cf184744e5aba4e069ee08e4619bca63975015549fe37725b3
-
Filesize 224B
MD5 18f6abe38c08cbb31e379cf1d6d9a1a3
SHA1 b4173ac6b89817d2de5d1739dc3d8a2f6d4428f1
SHA256 e186ee0d08a6efcbe5495af7e0be9299227a32130c44bf3cbc72b7ac850cc043
SHA512 d5e2dd9600564307c0fd3a98e0db7407655a9ca918eaa61c5d9d5b3a9002ce0fcfeede26270c2184b9439eab8e69778335c60d436f8edb23db96ed4e7300b7e5
-
Filesize 224B
MD5 fc776af804e8cc8f20742bef77d6a9c4
SHA1 fc13e6cd5ff25035d7ed15e746c46ee97ff25618
SHA256 7f8614657a4f5cb07b57f37361bc1997d6e2c63a4c8d687dbc2f2ba2c0b373c8
SHA512 642d5652313c3ec7323aa052b1eca47430b16248a8d0d3280e6c2acadb1f6f49428cbee877a1b7661ff3ae7d3a39a010a72fdbebe000f8b59d3c2c5055febd35
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 224B
MD5 0c093371d837341524944dd782fb332b
SHA1 f83d078953f8cf9f2b51db69efa880b1e1360c51
SHA256 c38123aec97a2488bdd71e6311088782c5a44a59ade268647d174128c1ef6054
SHA512 5b9c5897566b5717f0ec8467353ff984876d22462bb43ff268ea22bd43ba11bca8de09a6545ef55d147983f1fb78a6d63733695f41c64728f707c48bd589aebe
-
Filesize 224B
MD5 a816fac6e4ee5e65db5a8c4a477dbbc6
SHA1 e14662c71aac86f0a8c67fd8d1edb2cac813ac71
SHA256 23a46d44a62cd4891146f8005e040e4973ea5543c569e0fd73d5a9d57ee796a4
SHA512 c7097405fae8f6d5a465b359ed35453938fa4786d8fd38f490d32ade94671ef97699362b0fdecf3b4abdd7ff4c06e2158c434d3b43f3645e2603ef1511e9fd8b
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 224B
MD5 f6142dae369b19704db6428fbba4aaa8
SHA1 165a5ebfe2f5070af8bc4ba4e2ed4e01eeb7c378
SHA256 da51734d7b2bb3a09ec1f1763695baf5f6ea25d58385781a6521eec80cee366d
SHA512 dcec2ce90399ba9ca0c53ab0df493fb9ea3f1a01b74472a59d9b28f57c08905b9f7c889312417225a9e4bcd8092aa8d6fa9905bdb9ab2da075055014890feac0
-
Filesize 224B
MD5 a2eb4415bc6f63274be159127db454d9
SHA1 40b645460e3dd77d4305a0e269980b376dbbe8e7
SHA256 e01db1f16681aeef5c66ab33488ac3f381cbe30ada4b3bc43c37feb0c48e8392
SHA512 0198184fa7deb568bdf8b3aeda57d712ac97b66a15ffec143befae4949d8eb5e10ba6dfce26c9da6cfe1abfd7349d3a8eb5ea57057fde5c6f2a81125481e3384
-
Filesize 224B
MD5 6bd01f9181cb88bffed15ac98d763fed
SHA1 b1a7747747a583e39cab58bc80fd34de82377bbb
SHA256 8f875ee5a86fd6cd05a257c9e5ff92dbd2aa8a524be26dec1b94ff7790d90e8e
SHA512 eaa9b7b6a4423525724cafaa1da849b4ae1b6ea3b9dc8adc2f22f4bab53674483cb85c513a868e97c299481362c193e62bc45fda26b0c91bc2356f3c69253e7d
-
Filesize 224B
MD5 ca22e84b2480502e659dda8df147394e
SHA1 abaf5f223f11d2870f511c95e997a72b669c5c9e
SHA256 1f9f8b20a1009acea6b4edac0bba442a919f37ea05bf71e57273a5b34c5e332a
SHA512 6eefc39a24ea77b2571ee5e7925fed27c288d2e99f49af9e23e55f54a4b2985dad803655fb72e43f3b7f262f9f74c83ac0898b375063ea5e63cc3f6c133f9a83
-
Filesize 224B
MD5 b36218ebae1c6a9b86122ec1154af962
SHA1 535c6db757b05a1321216eeffa0ad64e576e6cd2
SHA256 005f458046a1ec6052b0eed9b05e4b8de16a6b30358c9b76ccb4973fc35d55b0
SHA512 25073fa0ffe5ac7f0a26db4011b64310700fd7ba9f15f5bd7b202bea8d966c9fb96861e01d103832672f8a335dee0b0aa1922b2b8dbb39e553ea628ae3cf1d68
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 ac5cb90594ab4a994971e3c6a20d7b43
SHA1 b4e4412179b47b1d96b8c06ae7b9c448c85f735a
SHA256 201cc21bac006226313a02c9a2bbece15c0b2ae2728bb733eabb33238e67cb48
SHA512 2a960c791e356435460aeb0325154e9dcf049c83d384f185d6a26d0bb66dfb8d2fc87253160b256971d943a7c5c0e76b31318c2c8944d31f6b2550c6437651a5
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478