Analysis
max time kernel: 146s
max time network: 143s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
submitted: 30/12/2024, 17:05
Behavioral task: behavioral1
Sample: JaffaCakes118_e2e540951cb2cc1a417064cfe84b7c0bfe678facf1f3d2d98a84414b99802be2.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: JaffaCakes118_e2e540951cb2cc1a417064cfe84b7c0bfe678facf1f3d2d98a84414b99802be2.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_e2e540951cb2cc1a417064cfe84b7c0bfe678facf1f3d2d98a84414b99802be2.exe
Size: 1.3MB
MD5: 1e97f4637f20042dd5d1c10bd45e60d3
SHA1: 920f17f555a93fe04f3a60fa1742d3f137d6fa5b
SHA256: e2e540951cb2cc1a417064cfe84b7c0bfe678facf1f3d2d98a84414b99802be2
SHA512: ff866fc2589ea6efc5030756a601b70772387312a89eef198f210902949ed362667ff0567e7bf0ed6bd4f7a20a31f615f1ca0f9706bcc81ce472ee13addab83b
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Executes dropped EXE 12 IoCs
pid   Process
2880  DllCommonsvc.exe
1624  smss.exe
2760  smss.exe
2512  smss.exe
2428  smss.exe
768   smss.exe
952   smss.exe
3024  smss.exe
1100  smss.exe
1532  smss.exe
2484  smss.exe
2144  smss.exe
Loads dropped DLL 2 IoCs
pid   Process
2896  cmd.exe
2896  cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
Drops file in Program Files directory 4 IoCs
description  ioc  Process
File created  C:\Program Files\Microsoft Games\Chess\en-US\winlogon.exe  DllCommonsvc.exe
File created  C:\Program Files\Microsoft Games\Chess\en-US\cc11b995f2a76d  DllCommonsvc.exe
File created  C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe  DllCommonsvc.exe
File created  C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\b75386f1303e64  DllCommonsvc.exe
Drops file in Windows directory 4 IoCs
description  ioc  Process
File created  C:\Windows\Logs\DISM\f3b6ecef712a24  DllCommonsvc.exe
File created  C:\Windows\Web\Wallpaper\Scenes\dllhost.exe  DllCommonsvc.exe
File created  C:\Windows\Web\Wallpaper\Scenes\5940a34987c991  DllCommonsvc.exe
File created  C:\Windows\Logs\DISM\spoolsv.exe  DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_e2e540951cb2cc1a417064cfe84b7c0bfe678facf1f3d2d98a84414b99802be2.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 33 IoCs
Suspicious use of AdjustPrivilegeToken 31 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2e540951cb2cc1a417064cfe84b7c0bfe678facf1f3d2d98a84414b99802be2.exe [depth 1]
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2e540951cb2cc1a417064cfe84b7c0bfe678facf1f3d2d98a84414b99802be2.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2316

C:\Windows\SysWOW64\WScript.exe [depth 2]
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2044

C:\Windows\SysWOW64\cmd.exe [depth 3]
  cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2896

C:\providercommon\DllCommonsvc.exe [depth 4]
  "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [depth 5]
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [depth 5]
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2188

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [depth 5]
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [depth 5]
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [depth 5]
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [depth 5]
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [depth 5]
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [depth 5]
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Chess\en-US\winlogon.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [depth 5]
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [depth 5]
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [depth 5]
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\DISM\spoolsv.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [depth 5]
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [depth 5]
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [depth 5]
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\reports\wininit.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [depth 5]
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [depth 5]
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [depth 5]
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Wallpaper\Scenes\dllhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [depth 5]
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [depth 5]
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\winlogon.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2396

C:\providercommon\smss.exe [depth 5]
  "C:\providercommon\smss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1624

C:\Windows\System32\cmd.exe [depth 6]
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat"
  PID: 1940

C:\Windows\system32\w32tm.exe [depth 7]
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1576

C:\providercommon\smss.exe [depth 7]
  "C:\providercommon\smss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2760

C:\Windows\System32\cmd.exe [depth 8]
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tcplHXgq9Q.bat"
  PID: 1696

C:\Windows\system32\w32tm.exe [depth 9]
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2576

C:\providercommon\smss.exe [depth 9]
  "C:\providercommon\smss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2512

C:\Windows\System32\cmd.exe [depth 10]
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2XkxZsmkwh.bat"
  PID: 2232

C:\Windows\system32\w32tm.exe [depth 11]
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 808

C:\providercommon\smss.exe [depth 11]
  "C:\providercommon\smss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2428

C:\Windows\System32\cmd.exe [depth 12]
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"
  PID: 2340

C:\Windows\system32\w32tm.exe [depth 13]
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1768

C:\providercommon\smss.exe [depth 13]
  "C:\providercommon\smss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 768

C:\Windows\System32\cmd.exe [depth 14]
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f4KPDhjeqr.bat"
  PID: 2600

C:\Windows\system32\w32tm.exe [depth 15]
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2344

C:\providercommon\smss.exe [depth 15]
  "C:\providercommon\smss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 952

C:\Windows\System32\cmd.exe [depth 16]
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WVE2eLfZN7.bat"
  PID: 1516

C:\Windows\system32\w32tm.exe [depth 17]
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2512

C:\providercommon\smss.exe [depth 17]
  "C:\providercommon\smss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3024

C:\Windows\System32\cmd.exe [depth 18]
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iVopF68B7o.bat"
  PID: 2880

C:\Windows\system32\w32tm.exe [depth 19]
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 920

C:\providercommon\smss.exe [depth 19]
  "C:\providercommon\smss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1100

C:\Windows\System32\cmd.exe [depth 20]
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kz4ReWEb5Y.bat"
  PID: 988

C:\Windows\system32\w32tm.exe [depth 21]
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 316

C:\providercommon\smss.exe [depth 21]
  "C:\providercommon\smss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1532

C:\Windows\System32\cmd.exe [depth 22]
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0TJHXkWh8.bat"
  PID: 2192

C:\Windows\system32\w32tm.exe [depth 23]
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2412

C:\providercommon\smss.exe [depth 23]
  "C:\providercommon\smss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2484

C:\Windows\System32\cmd.exe [depth 24]
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat"
  PID: 1760

C:\Windows\system32\w32tm.exe [depth 25]
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 408

C:\providercommon\smss.exe [depth 25]
  "C:\providercommon\smss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2144
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\providercommon\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\providercommon\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\providercommon\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\Chess\en-US\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Chess\en-US\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Games\Chess\en-US\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\Logs\DISM\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Logs\DISM\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\Logs\DISM\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\providercommon\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\Temp\Crashpad\reports\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\Temp\Crashpad\reports\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\providercommon\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Web\Wallpaper\Scenes\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Scenes\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Web\Wallpaper\Scenes\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\providercommon\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Recent\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Recent\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Recent\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092
Network
MITRE ATT&CK Enterprise v15
Downloads