Analysis
max time kernel: 148s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 17:34
Behavioral tasks
- behavioral1: Sample JaffaCakes118_19a30eba2f1f9f8b44ba1ced34cecdd5c70e6b9b8c331cf812494756a6566415.exe, Resource win7-20240903-en
- behavioral2: Sample JaffaCakes118_19a30eba2f1f9f8b44ba1ced34cecdd5c70e6b9b8c331cf812494756a6566415.exe, Resource win10v2004-20241007-en
General
Target: JaffaCakes118_19a30eba2f1f9f8b44ba1ced34cecdd5c70e6b9b8c331cf812494756a6566415.exe
Size: 1.3MB
MD5: 2566e9a0059f9fac9e4e999937f0d94f
SHA1: 418d6ffcffd6eb1ba7b6966ca5437ebc3c4615a0
SHA256: 19a30eba2f1f9f8b44ba1ced34cecdd5c70e6b9b8c331cf812494756a6566415
SHA512: 6dfd6f0a0aa78dfb7eb3117f645e35ae52d52b641886b9041a8cb8856228914426f97eecabd1b911c0ce3309c345e7a38015f0b2239f87571e958c4577131966
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DcRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins to extend its functionality.
-
Dcrat family
-
Process spawned unexpected child process 48 IoCs
This signature normally indicates that the parent process was compromised via an exploit or a macro. In this run the parent is WmiPrvSE.exe and every child is schtasks.exe, which is what a process launched through WMI (Win32_Process.Create) looks like: the WMI provider host is the recorded parent, and the real initiator is the DcRat payload. Parent-child rules keyed on the dropper will therefore miss these task creations.
Parent C:\Windows\system32\wbem\wmiprvse.exe (pid_target 2700, procid_target 35) is not expected to spawn schtasks.exe. Child schtasks.exe PIDs, 48 events in order: 2840, 2596, 2704, 2624, 2580, 2640, 3052, 2984, 484, 2104, 1808, 2492, 1664, 1012, 1288, 1800, 1536, 1724, 2296, 1928, 780, 2164, 1748, 1932, 2896, 1576, 2124, 2116, 2648, 2308, 2000, 3048, 2660, 2716, 2616, 2632, 1056, 872, 2364, 2596, 2960, 2624, 884, 2788, 2608, 2696, 2816, 2664
resource / yara_rule
- behavioral1/files/0x000700000001868b-9.dat: dcrat
- behavioral1/memory/2996-13-0x0000000001300000-0x0000000001410000-memory.dmp: dcrat
- behavioral1/memory/796-149-0x0000000000050000-0x0000000000160000-memory.dmp: dcrat
- behavioral1/memory/2400-208-0x00000000009C0000-0x0000000000AD0000-memory.dmp: dcrat
- behavioral1/memory/1708-386-0x00000000013A0000-0x00000000014B0000-memory.dmp: dcrat
- behavioral1/memory/2680-446-0x0000000000020000-0x0000000000130000-memory.dmp: dcrat
- behavioral1/memory/2480-506-0x0000000000350000-0x0000000000460000-memory.dmp: dcrat
- behavioral1/memory/1256-566-0x0000000001310000-0x0000000001420000-memory.dmp: dcrat
- behavioral1/memory/1584-627-0x0000000000330000-0x0000000000440000-memory.dmp: dcrat
- behavioral1/memory/2368-687-0x0000000000920000-0x0000000000A30000-memory.dmp: dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs
Runs PowerShell to change Windows Defender settings by adding exclusions (the signature covers extension, path and process exclusions; in this run every call is Add-MpPreference -ExclusionPath for one of the dropped binaries).
pid / Process: powershell.exe with PIDs 2496, 2480, 2092, 2540, 2408, 2504, 1556, 2260, 3036, 1356, 836, 1636, 996, 2848, 444, 1788, 1444, 2120
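The report lists only the PIDs; the check below is an added example (my own code, not part of the Triage report or of DcRat) that parses Add-MpPreference command lines like the ones in the process tree further down and flags exclusions for files that borrow a Windows system binary name but sit outside the directories where that binary is installed, which is exactly the pattern this sample uses (lsass.exe under Uninstall Information, spoolsv.exe under Visual Studio 8\Common7, System.exe under WinSAT\DataStore). The sample command lines are copied from this report except for the last two, which are constructed for contrast; SYSTEM_BINARY_NAMES and LEGIT_DIRS are starting lists I chose, not an exhaustive allowlist.

```python
import re
from pathlib import PureWindowsPath

# Windows binary names that this sample reuses for its dropped copies
# (lsass.exe, spoolsv.exe, wininit.exe, ...). Lower-case for comparison.
# Starting list chosen for this example, not exhaustive.
SYSTEM_BINARY_NAMES = {
    "lsass.exe", "spoolsv.exe", "wininit.exe", "audiodg.exe", "lsm.exe",
    "explorer.exe", "cmd.exe", "powershell.exe", "wmiadap.exe", "system.exe",
}

# Directories where those names legitimately live (lower-case, no trailing slash).
LEGIT_DIRS = {
    r"c:\windows",
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\system32\windowspowershell\v1.0",
    r"c:\windows\syswow64\windowspowershell\v1.0",
}

# Add-MpPreference -ExclusionPath / -ExclusionProcess / -ExclusionExtension
# followed by a single-quoted, double-quoted or bare value.
EXCLUSION_RE = re.compile(
    r"""Add-MpPreference\s+-Exclusion(?P<kind>Path|Process|Extension)\s+"""
    r"""(?:'(?P<sq>[^']*)'|"(?P<dq>[^"]*)"|(?P<bare>\S+))""",
    re.IGNORECASE,
)


def parse_exclusion(cmdline):
    """Return (kind, value) if cmdline adds a Defender exclusion, else None."""
    m = EXCLUSION_RE.search(cmdline)
    if m is None:
        return None
    value = m.group("sq") or m.group("dq") or m.group("bare")
    return m.group("kind").lower(), value


def is_masquerading(path):
    """True if the file name is a well-known system binary name but the file
    sits outside the directories where that binary is installed."""
    p = PureWindowsPath(path)
    if p.name.lower() not in SYSTEM_BINARY_NAMES:
        return False
    return str(p.parent).lower() not in LEGIT_DIRS


def triage_exclusions(cmdlines):
    """One finding per exclusion-adding command line, with the reasons it matters."""
    findings = []
    for cmdline in cmdlines:
        parsed = parse_exclusion(cmdline)
        if parsed is None:
            continue
        kind, value = parsed
        reasons = [f"Defender {kind} exclusion added from the command line"]
        if kind == "path" and is_masquerading(value):
            reasons.append("system binary name outside its normal directory")
        findings.append({"kind": kind, "value": value, "reasons": reasons})
    return findings


# Command lines taken from the process tree in this report, plus two constructed
# lines (a benign-looking exclusion and a non-exclusion PowerShell call) for contrast.
SAMPLE_CMDLINES = r'''
powershell -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\inf\TermService\0409\WMIADAP.exe'
powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\OSPPSVC.exe'
powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\lsass.exe'
powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\spoolsv.exe'
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\System.exe'
powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\fonts\powershell.exe'
powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files\ExampleVendor\backup.exe'
powershell -Command Get-MpPreference
'''.strip().splitlines()

if __name__ == "__main__":
    for finding in triage_exclusions(SAMPLE_CMDLINES):
        print(finding["value"], "->", "; ".join(finding["reasons"]))
```

Feed it Sysmon Event ID 1 or Security 4688 command lines. Any exclusion added from a command line is worth a look on its own; the masquerading reason just ranks the ones that are almost certainly malicious. On a live host, Get-MpPreference | Select-Object -ExpandProperty ExclusionPath shows what has already been added.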
Executes dropped EXE 12 IoCs
pid / Process: 2996 DllCommonsvc.exe, 1856 DllCommonsvc.exe, 796 System.exe, 2400 System.exe, 1608 System.exe, 1860 System.exe, 1708 System.exe, 2680 System.exe, 2480 System.exe, 1256 System.exe, 1584 System.exe, 2368 System.exe
Loads dropped DLL 2 IoCs
pid / Process: 2480 cmd.exe (2 events)
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow / ioc: flows 4, 5, 9, 12, 16, 19, 23, 26, 30, 33 -> raw.githubusercontent.com
Drops file in Program Files directory 14 IoCs
All entries: File created by DllCommonsvc.exe
- C:\Program Files\Windows Sidebar\it-IT\cmd.exe
- C:\Program Files\Windows Sidebar\it-IT\ebf1f9fa8afd6d
- C:\Program Files\Mozilla Firefox\fonts\powershell.exe
- C:\Program Files\Mozilla Firefox\fonts\e978f868350d50
- C:\Program Files\Windows Portable Devices\e978f868350d50
- C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\spoolsv.exe
- C:\Program Files (x86)\Windows Sidebar\it-IT\WMIADAP.exe
- C:\Program Files (x86)\Uninstall Information\6203df4a6bafc7
- C:\Program Files (x86)\Adobe\OSPPSVC.exe
- C:\Program Files (x86)\Adobe\1610b97d3ab4a7
- C:\Program Files\Windows Portable Devices\powershell.exe
- C:\Program Files (x86)\Windows Sidebar\it-IT\75a57c1bdf437c
- C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\f3b6ecef712a24
- C:\Program Files (x86)\Uninstall Information\lsass.exe
Drops file in Windows directory 8 IoCs
All entries by DllCommonsvc.exe
- File opened for modification: C:\Windows\inf\TermService\0409\WMIADAP.exe
- File created: C:\Windows\inf\TermService\0409\75a57c1bdf437c
- File created: C:\Windows\Performance\WinSAT\DataStore\System.exe
- File opened for modification: C:\Windows\Performance\WinSAT\DataStore\System.exe
- File created: C:\Windows\Performance\WinSAT\DataStore\27d1bcfc3c54e0
- File created: C:\Windows\SchCache\powershell.exe
- File created: C:\Windows\SchCache\e978f868350d50
- File created: C:\Windows\inf\TermService\0409\WMIADAP.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographic location of the host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- by WScript.exe
- by cmd.exe
- by JaffaCakes118_19a30eba2f1f9f8b44ba1ced34cecdd5c70e6b9b8c331cf812494756a6566415.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process: schtasks.exe with PIDs 1724, 2364, 2608, 2648, 2000, 2788, 2704, 3052, 2164, 2124, 2640, 2984, 3048, 2660, 1012, 1800, 2716, 1932, 2308, 1056, 2960, 2840, 1664, 1536, 2296, 884, 2596, 2696, 2624, 1808, 2896, 2116, 780, 1748, 2616, 2632, 2596, 484, 2104, 1288, 872, 2624, 2664, 2816, 2580, 2492, 1928, 1576
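Every dropped binary in this report is registered three times: a MINUTE-interval task, an ONLOGON task with /rl HIGHEST, and a second MINUTE-interval task with /rl HIGHEST, under two task names that differ only by a trailing letter (WMIADAP / WMIADAPW, OSPPSVC / OSPPSVCO, audiodg / audiodga). The function below is an added example (my own code, not the report's or DcRat's) that parses schtasks /create command lines, groups them by target binary and reports that pattern. The sample lines are copied from the schtasks entries at the end of this report, except for the last one, a constructed benign daily task included for contrast.

```python
import re

# One schtasks option: "/flag" optionally followed by a double-quoted or bare value.
# A bare value may not start with "/", so the next flag is never swallowed as a value.
OPTION_RE = re.compile(
    r'/(?P<flag>\w+)(?:\s+(?:"(?P<quoted>[^"]*)"|(?P<bare>[^/\s]\S*)))?'
)


def parse_schtasks(cmdline):
    """Parse a 'schtasks /create ...' command line into {flag: value}.
    Returns None when the line is not a task creation. Switches such as /f map to None."""
    if re.search(r"schtasks(?:\.exe)?\s+/create\b", cmdline, re.IGNORECASE) is None:
        return None
    opts = {}
    for m in OPTION_RE.finditer(cmdline):
        flag = m.group("flag").lower()
        value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        opts[flag] = value
    # This sample wraps the target in an extra pair of single quotes inside the double quotes.
    if opts.get("tr"):
        opts["tr"] = opts["tr"].strip("'")
    return opts


def triage_tasks(cmdlines):
    """Group task creations by target binary and report the persistence pattern per target.
    Targets with nothing to report are left out."""
    by_target = {}
    for cmdline in cmdlines:
        opts = parse_schtasks(cmdline)
        if opts is None or not opts.get("tr"):
            continue
        by_target.setdefault(opts["tr"], []).append(opts)

    findings = []
    for target, tasks in by_target.items():
        schedules = {(t.get("sc") or "").upper() for t in tasks}
        reasons = []
        if {"ONLOGON", "MINUTE"} <= schedules:
            reasons.append("logon trigger plus minute-interval repeat for the same binary")
        if any((t.get("rl") or "").upper() == "HIGHEST" for t in tasks):
            reasons.append("task runs with highest privileges (/rl HIGHEST)")
        if len(tasks) > 1:
            reasons.append(f"{len(tasks)} tasks registered for one binary")
        if reasons:
            findings.append({
                "target": target,
                "task_names": sorted({t.get("tn") or "" for t in tasks}),
                "reasons": reasons,
            })
    return findings


# Command lines copied from this report (the WMIADAP, OSPPSVC and audiodg triads),
# plus one constructed benign daily task for contrast.
SAMPLE_TASK_CMDLINES = r'''
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Windows\inf\TermService\0409\WMIADAP.exe'" /f
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\inf\TermService\0409\WMIADAP.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Windows\inf\TermService\0409\WMIADAP.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\OSPPSVC.exe'" /f
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\OSPPSVC.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\OSPPSVC.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /f
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "ExampleVendorBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\ExampleVendor\backup.exe"
'''.strip().splitlines()

if __name__ == "__main__":
    for finding in triage_tasks(SAMPLE_TASK_CMDLINES):
        print(finding["target"], finding["task_names"], "; ".join(finding["reasons"]))
```

Run it over process-creation logs; on a live host the same data comes from schtasks /query /v /fo CSV or Get-ScheduledTask. Note that in this run the recorded parent of every schtasks.exe is wmiprvse.exe, so the command line, not the parent, is the reliable hook.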
Suspicious behavior: EnumeratesProcesses 36 IoCs
pid / Process: 2996 DllCommonsvc.exe; 1788, 1556, 1444, 2504, 2408, 2496 powershell.exe; 1856 DllCommonsvc.exe (7 events); 2848, 2540, 3036, 2092, 444, 1356, 996, 2120, 1636, 2260, 836, 2480 powershell.exe; 796, 2400, 1608, 1860, 1708, 2680, 2480, 1256, 1584, 2368 System.exe
Suspicious use of AdjustPrivilegeToken 30 IoCs
Token: SeDebugPrivilege for every entry
- 2996 DllCommonsvc.exe
- 1788, 1556, 1444, 2504, 2408, 2496 powershell.exe
- 1856 DllCommonsvc.exe
- 2848, 2540, 3036, 2092, 444, 1356, 996, 2120, 1636, 2260, 836, 2480 powershell.exe
- 796, 2400, 1608, 1860, 1708, 2680, 2480, 1256, 1584, 2368 System.exe
Suspicious use of WriteProcessMemory 64 IoCs
pid -> target pid (Process, procid_target), repeated events counted
- 3024 -> 2016 (JaffaCakes118_19a30eba2f1f9f8b44ba1ced34cecdd5c70e6b9b8c331cf812494756a6566415.exe, 31) x4
- 2016 -> 2480 (WScript.exe, 32) x4
- 2480 -> 2996 (cmd.exe, 34) x4
- 2996 -> 1788 (DllCommonsvc.exe, 51) x3
- 2996 -> 2408 (DllCommonsvc.exe, 52) x3
- 2996 -> 1556 (DllCommonsvc.exe, 54) x3
- 2996 -> 2496 (DllCommonsvc.exe, 55) x3
- 2996 -> 2504 (DllCommonsvc.exe, 56) x3
- 2996 -> 1444 (DllCommonsvc.exe, 57) x3
- 2996 -> 1856 (DllCommonsvc.exe, 63) x3
- 1856 -> 2540 (DllCommonsvc.exe, 97) x3
- 1856 -> 2092 (DllCommonsvc.exe, 98) x3
- 1856 -> 444 (DllCommonsvc.exe, 99) x3
- 1856 -> 2848 (DllCommonsvc.exe, 100) x3
- 1856 -> 2480 (DllCommonsvc.exe, 101) x3
- 1856 -> 2120 (DllCommonsvc.exe, 102) x3
- 1856 -> 836 (DllCommonsvc.exe, 103) x3
- 1856 -> 1356 (DllCommonsvc.exe, 104) x3
- 1856 -> 3036 (DllCommonsvc.exe, 105) x3
- 1856 -> 996 (DllCommonsvc.exe, 106) x3
- 1856 -> 2260 (DllCommonsvc.exe, 107) x1 (list truncated at 64 IoCs)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry is [depth] image path, then the command line, the PID, and the signatures that fired for it.
[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_19a30eba2f1f9f8b44ba1ced34cecdd5c70e6b9b8c331cf812494756a6566415.exe
    command: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_19a30eba2f1f9f8b44ba1ced34cecdd5c70e6b9b8c331cf812494756a6566415.exe"
    PID: 3024
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\WScript.exe
    command: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    PID: 2016
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
[3] C:\Windows\SysWOW64\cmd.exe
    command: cmd /c ""C:\providercommon\1zu9dW.bat" "
    PID: 2480
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
[4] C:\providercommon\DllCommonsvc.exe
    command: "C:\providercommon\DllCommonsvc.exe"
    PID: 2996
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    PID: 1788
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\inf\TermService\0409\WMIADAP.exe'
    PID: 2408
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\OSPPSVC.exe'
    PID: 1556
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'
    PID: 2496
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
    PID: 2504
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\it-IT\cmd.exe'
    PID: 1444
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[5] C:\providercommon\DllCommonsvc.exe
    command: "C:\providercommon\DllCommonsvc.exe"
    PID: 1856
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    PID: 2540
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\System.exe'
    PID: 2092
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WMIADAP.exe'
    PID: 444
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Acrobat\9.0\wininit.exe'
    PID: 2848
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\fonts\powershell.exe'
    PID: 2480
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'
    PID: 2120
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\explorer.exe'
    PID: 836
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\powershell.exe'
    PID: 1356
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\powershell.exe'
    PID: 3036
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\it-IT\WMIADAP.exe'
    PID: 996
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\spoolsv.exe'
    PID: 2260
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\lsass.exe'
    PID: 1636
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[6] C:\Windows\System32\cmd.exe
    command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SC1CH8sHf8.bat"
    PID: 2512
[7] C:\Windows\system32\w32tm.exe
    command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1588
[7] C:\Windows\Performance\WinSAT\DataStore\System.exe
    command: "C:\Windows\Performance\WinSAT\DataStore\System.exe"
    PID: 796
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[8] C:\Windows\System32\cmd.exe
    command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Dk8ljd7jBY.bat"
    PID: 1544
[9] C:\Windows\system32\w32tm.exe
    command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2152
[9] C:\Windows\Performance\WinSAT\DataStore\System.exe
    command: "C:\Windows\Performance\WinSAT\DataStore\System.exe"
    PID: 2400
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[10] C:\Windows\System32\cmd.exe
    command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat"
    PID: 2432
[11] C:\Windows\system32\w32tm.exe
    command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1720
[11] C:\Windows\Performance\WinSAT\DataStore\System.exe
    command: "C:\Windows\Performance\WinSAT\DataStore\System.exe"
    PID: 1608
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[12] C:\Windows\System32\cmd.exe
    command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zi4n06VBpB.bat"
    PID: 2000
[13] C:\Windows\system32\w32tm.exe
    command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1512
[13] C:\Windows\Performance\WinSAT\DataStore\System.exe
    command: "C:\Windows\Performance\WinSAT\DataStore\System.exe"
    PID: 1860
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[14] C:\Windows\System32\cmd.exe
    command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gTQuRhIyam.bat"
    PID: 2104
[15] C:\Windows\system32\w32tm.exe
    command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1868
[15] C:\Windows\Performance\WinSAT\DataStore\System.exe
    command: "C:\Windows\Performance\WinSAT\DataStore\System.exe"
    PID: 1708
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[16] C:\Windows\System32\cmd.exe
    command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sNl5EWIzDs.bat"
    PID: 2816
[17] C:\Windows\system32\w32tm.exe
    command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2256
[17] C:\Windows\Performance\WinSAT\DataStore\System.exe
    command: "C:\Windows\Performance\WinSAT\DataStore\System.exe"
    PID: 2680
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[18] C:\Windows\System32\cmd.exe
    command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UJpHfzfs2i.bat"
    PID: 2628
[19] C:\Windows\system32\w32tm.exe
    command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2040
[19] C:\Windows\Performance\WinSAT\DataStore\System.exe
    command: "C:\Windows\Performance\WinSAT\DataStore\System.exe"
    PID: 2480
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[20] C:\Windows\System32\cmd.exe
    command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1JZ2DT5CuV.bat"
    PID: 932
[21] C:\Windows\system32\w32tm.exe
    command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1856
[21] C:\Windows\Performance\WinSAT\DataStore\System.exe
    command: "C:\Windows\Performance\WinSAT\DataStore\System.exe"
    PID: 1256
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[22] C:\Windows\System32\cmd.exe
    command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zi4n06VBpB.bat"
    PID: 3036
[23] C:\Windows\system32\w32tm.exe
    command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1132
[23] C:\Windows\Performance\WinSAT\DataStore\System.exe
    command: "C:\Windows\Performance\WinSAT\DataStore\System.exe"
    PID: 1584
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[24] C:\Windows\System32\cmd.exe
    command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4JlC5zfAS6.bat"
    PID: 2900
[25] C:\Windows\system32\w32tm.exe
    command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2876
[25] C:\Windows\Performance\WinSAT\DataStore\System.exe
    command: "C:\Windows\Performance\WinSAT\DataStore\System.exe"
    PID: 2368
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Windows\inf\TermService\0409\WMIADAP.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\inf\TermService\0409\WMIADAP.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Windows\inf\TermService\0409\WMIADAP.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\OSPPSVC.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\providercommon\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\it-IT\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\it-IT\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\it-IT\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\WinSAT\DataStore\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\WinSAT\DataStore\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WMIADAP.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\fonts\powershell.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\powershell.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\fonts\powershell.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Windows\SchCache\powershell.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\SchCache\powershell.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Windows\SchCache\powershell.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\powershell.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\powershell.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\powershell.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\WMIADAP.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\WMIADAP.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\WMIADAP.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
92d2955b8b05d023e4122bdddea26d88
SHA1
0b05ac96e124b5122f1e8ba3b3f6a99771854b6a
SHA256
a76266c4192377e4ce87627de5c1e99a4f2e7509bb4794a0f34c091c5c3c0f9c
SHA512
f09761342f9818980dc93b22209515ae7d17e40e30f05d15ed007232cb66fdab08dad543fb1772844f7fd3f5c8e4a60cf80effb54f4fe21f35ac6f92a3c2772e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
3ad1645a58c58dea223ea30a8f2a11f6
SHA1
0d8bc6fd8648f8f559ffaa7b847e83cd6d26da65
SHA256
879d9a9ead455ea1565f17b8521341908b150dff628b93aedea4714f8971e663
SHA512
105b71ad2d18763c5f43e35a1c682e96a13358764b863b9db8ee0b93e216083cbc3e337cb42b0dd10f047c69990b9388ce35856b10e799eb2f2ca16a0740f889
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
e7741cd0a4f5cbe92d3ed3e7081bbfb5
SHA1
70c08bcbbe78ebb6edef7e070d4dedb72137763f
SHA256
2e36719218c83e878d48f79d7a7af50d0ed0e4437363b6ef1d7589d986ca8014
SHA512
fdc24960f500459ad0b346e2b488a931a6135d3c6e19eb3d01f15d2687f672bb8a5dab6d8e579ed32a738aa72055f4cc18add9a6085b243edecdea1c12ec7d09
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
90b6464d7e743ee0f7dbc5478c29a1f6
SHA1
ab52ecd310545d88c72ed330bd599cf6465b0476
SHA256
addd92524c92266772639a925e787ad9f1088ca865e142e1e94defad73fb1b61
SHA512
288fe59273087049095867f6d4bfc40e068c577ba7950a226663bab5c4b5fa10265e48622c6e9f6e146a5e3e16cc5da9927e35bf71a45721b818202dc39e6c78
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
8349a4654e6530e08bfde2deb093f420
SHA1
33072db3c944fef34a07ed188f6e6b27ae02ac96
SHA256
bb48df13dabf6f5f0535f6bce8197609cad3955ebbeaa035bcf297168f33334a
SHA512
0b7a3e974d826d0a6952c54bd243d01f95c3bbb149f0c2615cfeac3c27f7d889016fbc33256b9708b49488300522bc32bab58ab2c44055d194536ca3b8958834
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
ab217d2bcc72642ba22af7624284df0f
SHA1
3a7d5d5cb92d345963a2aeccbe2e488e587510db
SHA256
4cef1f01653464e393ecebc9b0a7c217ab864fe61fd365a45cc40bfb1bb8ade4
SHA512
02338fd2c05054c07785075e6f3b4d0e970a19e610e61e311e914311f3378ce5bcb3bebefe39224e5e0e569ecd8705c0bea35411234ad318563f5c63875e1b74
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
c36cc310862c89675357bb5aa548a2d4
SHA1
75f1b24e7d74571c55b48b6b5b3250309182baa5
SHA256
240151b1b13e7f54234426389bd8dbe0e3258d36ec54739eb154da417c486069
SHA512
add5b2ad6925d2dcb4484a541c709c41d6b029676c028909f0064c50cb54f6deddd0c9c2d771cb01546090b94ef497a1582c5bf8ddfb9eea33e57e6193af5a0e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
67a285133eb03e12262d9b514338e859
SHA1
bdc2b18dba66b40e6e626ad15366882787bb45b8
SHA256
b7ae10be8343c8ef81119fe65e7388aa34830a6ab63d5e962d991eae85bbcecf
SHA512
3bd5f5d7d732feab7131f754bafe329c02988444174271ea0bcf4cdc52970337075712470893fe7ddb4b0892354146d6d44c7cbf14c8d8587aa08101c996074a
-
Filesize
215B
MD5
745b9d95546203d57ddc8f9c45b773c0
SHA1
194a91344ff92d6782b19c004dc6833362223307
SHA256
0a9b52a77314e6b8b2da08d8adfd394bead80d71649b61ec42c355ab2793e7c2
SHA512
e1edb86d32400a1250f332166b46fb9a0f80e4e0967d4147825f29c770206cef6839f23e33febf996bd808973f7ec1640b3db5b738d3b93c21dfe64932a689f5
-
Filesize
215B
MD5
1cc17bde7e27e6166eef062f4df8d427
SHA1
75a526624b86d50af9c9184de2693c96ab18090c
SHA256
df09b190ceb0eae6fbee73d9581f128b86733a41ac3da6490ac08f25d7eb84dc
SHA512
e7ca4ee93e748d0e2dc5ae34fd3b2a44957c4e447013895f7dc8e831222267e2c57cb1bb51e4311980e6c6ce49d1ebf9aed6245a3a36cd520f5bf649fd174fb1
-
Filesize
70KB
MD5
49aebf8cbd62d92ac215b2923fb1b9f5
SHA1
1723be06719828dda65ad804298d0431f6aff976
SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
215B
MD5
d9c91a3c460946c28d8a718dea8d7954
SHA1
4da509fd373b0faf6ad73c5a5917cc5059bea700
SHA256
d60f1b9bdf09d214872498135a16ef1c7600927ac6043d39c91919c9a9833b1e
SHA512
8dd7436bacf0c75ff70de878094816423afa70a40dfedaf81d2cf1ee5f7817cddade8acd5278c962198b64a18b77f60ac2e05623561e3f43309486a3dc9e48e1
-
Filesize
215B
MD5
388832346eeae10af3cc439a94c974f5
SHA1
2d42e0b65ef064af5177fa46376fa0adc989b060
SHA256
2305af3f2b3f3f384f0a7216665c5e13831c1ee9e37ab4ef35d16942e0452a7b
SHA512
dd93750ad13d56d0f6589dada699566b370c903f6ca359148e83bc36f3af4a798efea18e416ee4a5c49ad0657ccd8b8509f0f58ebbff9f04390b77e24e5f8392
-
Filesize
215B
MD5
113194eb27725630128a060946b9b785
SHA1
4b2d09580b2981edce0f5167fe52001f59b0517b
SHA256
0b3bc539062df51b4cb6897cbe53e135de66c2e058652f958df5168024c2d570
SHA512
8ab20f84d8ff8364a624c6a74c76e06b95369f1d7376c5dc8c8f321fb5da7bcda42ad194fe58c8983f4306606bb440f7cd9288a5d34bd9870c560ca102acb64a
-
Filesize
181KB
MD5
4ea6026cf93ec6338144661bf1202cd1
SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
215B
MD5
996daefb63f0e8bf79545c10096742ba
SHA1
fa47a6804df200ac18326292a594395296f4858a
SHA256
b750ba08fc3546fb2fa4d804633f227d93eb776c7ca8224823ad9cf3fca7bd6b
SHA512
d795aa5fe2dbe55ca0b49d503d9c6df09c744e1905409d90b3013fe4aca3323d024d9534e4d06bc2d2fb2f3147cf6b657bdec3a3ea30fba30720cd96cbafac34
-
Filesize
215B
MD5
b3886c7c0cf3e114776d2e87629c3e4a
SHA1
f581c3ca6dac07831cc3d82a0748e169212a7947
SHA256
fbd7fc1dd774e7700bf1c54a1dd32fb410201f6a667a8f40719afd546ed5183f
SHA512
69f34e3db9f1ff7cde5ed71c5cf3215714ccf0e4830b23cdc7033f65602a563fb933cbd36f4adf3a5da8187eab11148ca09a26d4ac38681d673153530188bb96
-
Filesize
215B
MD5
f28e9ecfe10a7022fd003ffebe650c91
SHA1
5a033fbd64ed8d7952532e85280bca60a210e4b1
SHA256
e334fdfbedcd83cfd04b8aadd2e84596831018bf645f8e7b3520829d067cafbd
SHA512
b3f04c098ef6530eddc5c2ce3125725094006824184f7ecb9f3ec20c034c57e1a1a4d76da2563657c0660d5110b39daa472bb5ce3f07c5b1f055d8924a9d558d
-
Filesize
215B
MD5
a6fdaddd55dd2c344b7730e74677124a
SHA1
b782249fa60d10a21d5645121086a19498d54c40
SHA256
60ed70598d3c9c772e3109139ca21f96f67c9d756123a244fefc2dfb92b90ca0
SHA512
40d0e3ebe9228b71932a3cc7891840e40808c152b24cdba4c31511923df4859dfb6c3741e61e3bbb7a7aee0edb1047b85193c3b036f2ce2d2b18295d26d4f4aa
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB
MD5
0aff3ddf3dd4c0c9d7da8d706b8086ab
SHA1
093c0ec12cd814f1f345a830f077b89cdbd566e5
SHA256
c89e92446a7f7523f7b8952270e09a6805211576d3af0ac58ad1f264c279740e
SHA512
f90e8042df43a774476c1ae6378f6547a2a77facc9d438b1b6b90672420566ae71643c8d363c84788158aab5ef15aa041f17922fa286ee9704f367dd49c6d725
-
Filesize
36B
MD5
6783c3ee07c7d151ceac57f1f9c8bed7
SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD5
8088241160261560a02c84025d107592
SHA1
083121f7027557570994c9fc211df61730455bb5
SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5
bd31e94b4143c4ce49c17d3af46bcad0
SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394