Analysis
max time kernel: 147s
max time network: 148s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 17:39
Behavioral task: behavioral1
Sample: JaffaCakes118_4d43dfa39b21bcc3e686200a2cba050abfe099744f6ad8596f41934e3d8ee6ca.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: JaffaCakes118_4d43dfa39b21bcc3e686200a2cba050abfe099744f6ad8596f41934e3d8ee6ca.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_4d43dfa39b21bcc3e686200a2cba050abfe099744f6ad8596f41934e3d8ee6ca.exe
Size: 1.3MB
MD5: 9fc4cfa3e04730f1809f4c6f1af4372f
SHA1: 281ce35c070b075e8d871e5603eb654c4006e8a3
SHA256: 4d43dfa39b21bcc3e686200a2cba050abfe099744f6ad8596f41934e3d8ee6ca
SHA512: 3df27f66fe80cc5895b0b9e7ac0bc1b55216f60084874bd9b5cc7aaaafe62809d0998f152dc35b06faf6c6ffd15902d6365939ee7fd3ed2bf6e167220ec69e90
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
| resource | yara_rule |
|---|---|
| behavioral1/files/0x0007000000016cab-11.dat | dcrat |
| behavioral1/memory/2872-13-0x0000000000F40000-0x0000000001050000-memory.dmp | dcrat |
| behavioral1/memory/2308-127-0x00000000008C0000-0x00000000009D0000-memory.dmp | dcrat |
| behavioral1/memory/2952-186-0x0000000000DB0000-0x0000000000EC0000-memory.dmp | dcrat |
| behavioral1/memory/2748-306-0x0000000000170000-0x0000000000280000-memory.dmp | dcrat |
| behavioral1/memory/2744-366-0x0000000000330000-0x0000000000440000-memory.dmp | dcrat |
| behavioral1/memory/1268-427-0x0000000000C00000-0x0000000000D10000-memory.dmp | dcrat |
| behavioral1/memory/2880-487-0x0000000001220000-0x0000000001330000-memory.dmp | dcrat |
| behavioral1/memory/2400-547-0x0000000000050000-0x0000000000160000-memory.dmp | dcrat |
Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
| pid | Process |
|---|---|
| 2524 | powershell.exe |
| 1564 | powershell.exe |
| 2200 | powershell.exe |
| 1516 | powershell.exe |
| 2268 | powershell.exe |
| 2456 | powershell.exe |
| 1600 | powershell.exe |
| 2532 | powershell.exe |
| 2548 | powershell.exe |
| 2812 | powershell.exe |
| 1620 | powershell.exe |
| 2372 | powershell.exe |
| 1720 | powershell.exe |
| 1116 | powershell.exe |
| 2188 | powershell.exe |
| 1988 | powershell.exe |
Executes dropped EXE 9 IoCs
| pid | Process |
|---|---|
| 2872 | DllCommonsvc.exe |
| 2308 | cmd.exe |
| 2952 | cmd.exe |
| 1996 | cmd.exe |
| 2748 | cmd.exe |
| 2744 | cmd.exe |
| 1268 | cmd.exe |
| 2880 | cmd.exe |
| 2400 | cmd.exe |
Loads dropped DLL 2 IoCs
| pid | Process |
|---|---|
| 2728 | cmd.exe |
| 2728 | cmd.exe |
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
| flow | ioc |
|---|---|
| 16 | raw.githubusercontent.com |
| 19 | raw.githubusercontent.com |
| 23 | raw.githubusercontent.com |
| 27 | raw.githubusercontent.com |
| 4 | raw.githubusercontent.com |
| 5 | raw.githubusercontent.com |
| 9 | raw.githubusercontent.com |
| 12 | raw.githubusercontent.com |
Drops file in Program Files directory 4 IoCs
| description | ioc | Process |
|---|---|---|
| File created | C:\Program Files (x86)\Common Files\System\fr-FR\WMIADAP.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Common Files\System\fr-FR\75a57c1bdf437c | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\886983d96e3d3e | DllCommonsvc.exe |
Drops file in Windows directory 4 IoCs
| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\ShellNew\wininit.exe | DllCommonsvc.exe |
| File created | C:\Windows\ShellNew\56085415360792 | DllCommonsvc.exe |
| File created | C:\Windows\LiveKernelReports\csrss.exe | DllCommonsvc.exe |
| File created | C:\Windows\LiveKernelReports\886983d96e3d3e | DllCommonsvc.exe |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_4d43dfa39b21bcc3e686200a2cba050abfe099744f6ad8596f41934e3d8ee6ca.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 32 IoCs
Suspicious use of AdjustPrivilegeToken 24 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4d43dfa39b21bcc3e686200a2cba050abfe099744f6ad8596f41934e3d8ee6ca.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4d43dfa39b21bcc3e686200a2cba050abfe099744f6ad8596f41934e3d8ee6ca.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2260

Level 2: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2556

Level 3: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2728

Level 4: C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2524

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'
- Command and Scripting Interpreter: PowerShell
PID:2372

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1564

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System\fr-FR\WMIADAP.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1720

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1600

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WMIADAP.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2188

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellNew\wininit.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1116

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2532

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2548

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WMIADAP.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2268

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1988

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2812

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2200

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\Idle.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2456

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620

Level 5: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QoMnQPSfsQ.bat"
- Suspicious use of WriteProcessMemory
PID:2124

Level 6: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2728

Level 6: C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe
Command line: "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2308

Level 7: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IycQG8Pfyu.bat"
PID:2296

Level 8: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2036

Level 8: C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe
Command line: "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2952

Level 9: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eTpA0L9dlX.bat"
PID:2536

Level 10: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2836

Level 10: C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe
Command line: "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996

Level 11: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vad0LeRbBz.bat"
PID:1364

Level 12: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1212

Level 12: C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe
Command line: "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2748

Level 13: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xghrCifyI9.bat"
PID:1884

Level 14: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1360

Level 14: C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe
Command line: "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2744

Level 15: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat"
PID:2672

Level 16: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2924

Level 16: C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe
Command line: "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1268

Level 17: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KqyXtY4PgZ.bat"
PID:1408

Level 18: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2820

Level 18: C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe
Command line: "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2880

Level 19: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rBMLF9HJtT.bat"
PID:656

Level 20: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1104

Level 20: C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe
Command line: "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2400
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\System\fr-FR\WMIADAP.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\fr-FR\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\System\fr-FR\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WMIADAP.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellNew\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\ShellNew\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\ShellNew\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\providercommon\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Libraries\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\LiveKernelReports\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\LiveKernelReports\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Downloads\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Downloads\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 89413e84575a14c1605d6a49237740d2
SHA1 de6e323c52099254ca76a77b89e2c58f319946e8
SHA256 cac68d963197ea90c5e94c4bac184050c432242bcbf70ba4335c55051a5ad176
SHA512 5e0a7b3ee2d47b9bc390874e5382d6aff96347debc133b8fc1582112ba6d51e45ef457c84a2f20300787bac7bee4f76780cf40617aee17d07f5dfb2e0b8b6c8e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 05d05eb66c1afc313ddaf77e609690ae
SHA1 ef7e86afbf56a406ff3988ccf032030d75891c2b
SHA256 bbf8f50724ca86a5bc51e3044c4fcfd7ab696731aa00bd9227a8050f45464cd4
SHA512 1562d45f076b35d16b95011d90189f09587a4a5a79d8b761c0342e67466aec7ed0b5a30a4f1f4b366a7dc6db339adb356d29f393a4a82256eb2c6e7d1e71d271
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 8c8ee121c631b4dcb205907bddda6f3d
SHA1 099b02792914a05d978fd85d157d6f9f40678cfe
SHA256 870bf723643726e3b7953be19b369c86183e2859d9a9c59d130e29b713ef9f1e
SHA512 da8fcf36e29320a060b5067db0f62f96011b9a665c6b6cc896b323e424f21750b94267f52fb141e73773eee84c6d4c328302e7864254c92facb862d5c804e8f6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 c7e0a08e01413998cd2045c16e5e4f5f
SHA1 0dacb42f30fc44597c7deee327109df61fb74a81
SHA256 7f7dcf53562305a8447453acd833b0a4e5ea1e31c0cc8d055c97b5f559c78026
SHA512 3dee82cc4fb9bdd57006b112b6c8edbaf3eb2ad26eaddd24ce68858ea138eb983d2033ccf0a831c115be617a398fa292be0448e4d17e1cbfeefc3f6aeaed7986
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 5d361c22c750e1bf6cb70cb4386bfaed
SHA1 a4093c2223edae2fc4208d29c02a0302e3cd0930
SHA256 a3a413042f336152cc23915d943964f98ad4c6774bee3f4bc754e15b33c2f6cd
SHA512 42cb3017a3c5fd8dc6e060c4c5a0f3529e59dcb84994ca529c68d17d858366dfff27e9b2576f1b223c035d7096701fb4bddf8052fa9d7f2bacb048132ff93a17
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 51f9771b5d934cfeac454000ae3c5a5c
SHA1 1875512287291b04fcd7191281b8dd25c78702a5
SHA256 33603cf43a9850555a9e4f857ad32d262bf633f596f57b49e4eaf8f0c1455456
SHA512 daca928b1c95570c666c57c1a90d551311094609ab707ab41f67dde02d85c0a7f864a7d6864b7a888394d0209ce8db35445e69fcbb9908762c7f07610297005d
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 235B
MD5 2c79c409fda4e603cd46925b0446ed1e
SHA1 c6959cfc5ccf00423e4ff14cb452569873525253
SHA256 d59a962929d2ce6ee11d03051314364ebf0bb9f9b84490698101ccb195dee6b6
SHA512 53dbb13dc3112a77cb01fe8cc228cad2029a30f003cc0b5e37b63c23eeba397cb683d1a58fba0d39a6d0e6ad96f171c42f409a56caf356cc8a9c8d0d6a0e646d
-
Filesize 235B
MD5 d608a22338687b206a4a9bc1c072e964
SHA1 c86b0dfa791f6ba5065facb4ad4aa9422168ee4d
SHA256 ce6a8ef05f656c4ada0db88916a8d9e4296964329206cdfcbcadd7eecb5b8b0e
SHA512 5ac086528e1444ae53ead11d3edff0c28e7d52d78c25a681081797a05328734d68f1b237175a907101d60783073cf31f7014e2bec93bb3b5abc261e426a19bcc
-
Filesize 235B
MD5 0ef7f3ccf8160ac2da674eb8ca060de9
SHA1 13c4d12b4ba398d4997d83ddada05ef99f6b0fee
SHA256 c1065893a278c8c6f6795533220a76d8fceded49c28b427bb24f60f587bd42fe
SHA512 786ac8c9c155fe8ada98285edd2456ec190f88cab0512d0f1b10ba9afc7266465686052ed12752daf153fe1aa290f147b8150d97a303c692860e84a0da87dcb3
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 235B
MD5 88caa2e1f2f7d711e07785276788df31
SHA1 1d67339d8b833c549898f7888b890b5166ff1b48
SHA256 b976f3aa672fdc26fea443d595d6acd7fe37b81afe0573c8fa638537a5ecc7ed
SHA512 f8ef38175b5fc03dd3f264929ce48d8a065f1573ca11371038ff857f59277dd5b6d1528204678e6731c195b0786cccd34df6aee18137b8ded5885f6692a7bfcc
-
Filesize 235B
MD5 942f5c8bf1b0de94adc9d757e053e940
SHA1 5e84f898e7b1dc261b49d713802a722ff521636a
SHA256 681eacfd51ea9a234cd20ef9d559c9b686d20b974d98293cb075c5d4c6fd0ec3
SHA512 6e5123582f4143c102f8e1be15eeddbbd6fb7a77ebe91e95a5488b955ef1336e0db45cbea6dc19a085ce2258b1193200f40f7f5f866184f6a048071f347f4e1b
-
Filesize 235B
MD5 538234f563e05be2b20a0b74dd803284
SHA1 e27675d0e7999a6bbc72189bad7594c49cdb26b8
SHA256 ed7bf5bb9c24aaca01e09bc5144b83b4857c118adf1cc3e323e9c79867e61a1d
SHA512 4b7cdbd7acf10d2556dc2ada227dcd52104633d28b2fa509b660ee8f90657e3dcfba9f4a420db321914a7869b85d25d0c8c4fe793f08dcf47065b87480f4eb8f
-
Filesize 235B
MD5 0b808b83436188c42fa2bbccfe9d4165
SHA1 42e1777fcd7263edbdd1b277b8127ccaf3c62d43
SHA256 72ef496a723a3196e45848b5475948282b5ba33f0ed5877d654fc4c03e106174
SHA512 4a9e026083814631060ebe0a17208c0efeb8d06343adb853619b63adeab259626d44cc815f6807e6d8cf3b1eb976b03c327920a4abc654117d062a9178b25bef
-
Filesize 235B
MD5 b05082e1756d74d400c57d090d3d7af7
SHA1 0ff7c577840ac2e7ec0f0e22f704925e0a1d6689
SHA256 18afa910b7400d7d16fb90b315a2786afc7ecea92625b67c46a92295591fbfca
SHA512 35a428927805fbbd895d3975881f6b0851f3d4aa6a8630820936e8b4568a542af1a419f71497c51781b61c0453d3f541eed8c7801a25b7f8f18c2b06f9fc8914
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8S5XH4VXU0G09IJVW2W8.temp
Filesize 7KB
MD5 6853416e801d22d545c15d3359b12a19
SHA1 7be6361e4344de04ea94ba43237d24c625eb3ec6
SHA256 6af5e381aa605a457dc3de625c3009275a7e318f2bd14ae0a8641718e4b68bbe
SHA512 872dccd27e2e0d5671ac0cb78e032d11b75709c3af834f13265e17b34566ed098deb60eec3729d8525c01149cc8c7690e7c584af82773863b8842075b15ded37
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394