Analysis
max time kernel: 147s
max time network: 151s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 18:52
Behavioral task behavioral1
Sample: JaffaCakes118_b549e4d3b566372561ed01c2d491e36e2d06d9fe7e5bcb5e7de1455f1d655c38.exe
Resource: win7-20241010-en
Behavioral task behavioral2
Sample: JaffaCakes118_b549e4d3b566372561ed01c2d491e36e2d06d9fe7e5bcb5e7de1455f1d655c38.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_b549e4d3b566372561ed01c2d491e36e2d06d9fe7e5bcb5e7de1455f1d655c38.exe
Size: 1.3MB
MD5: 8131ad0751651e8b589c792e7ab051e8
SHA1: 52ee387141b497b3f6719038bc15966de82f7641
SHA256: b549e4d3b566372561ed01c2d491e36e2d06d9fe7e5bcb5e7de1455f1d655c38
SHA512: 454c1a1aa29931e9e22d7267e5f4188d9f638957fe14f79d2f1e360511cc1c954d23975d701e6c26409df70f361b697fb4104a10705ef810e9d707502d81f2f1
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run all 57 hits are schtasks.exe instances whose parent is C:\Windows\system32\wbem\wmiprvse.exe (PID 2252); that lineage is what process creation through WMI (Win32_Process.Create) produces, so it is consistent with the dropper registering its tasks via WMI rather than with an exploited WMI host.
description (all 57 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target (all rows): 2252    Process (all rows): schtasks.exe    procid_target (all rows): 34
pid: 2580, 2616, 1180, 2176, 2024, 2128, 2336, 1928, 2440, 2928, 1572, 2624, 2892, 2956, 2984, 2404, 1992, 2596, 544, 520, 2376, 2432, 2168, 1300, 2348, 2468, 2444, 1936, 1360, 2532, 612, 936, 536, 856, 1340, 1660, 1772, 3004, 640, 916, 1516, 1704, 2032, 684, 2104, 1008, 2212, 1252, 992, 1688, 2204, 2860, 2492, 2756, 2664, 2648, 2712
-
resource / yara_rule:
behavioral1/files/0x0007000000016458-9.dat  dcrat
behavioral1/memory/2904-13-0x0000000000E90000-0x0000000000FA0000-memory.dmp  dcrat
behavioral1/memory/2596-79-0x0000000000FE0000-0x00000000010F0000-memory.dmp  dcrat
behavioral1/memory/3236-279-0x0000000001030000-0x0000000001140000-memory.dmp  dcrat
behavioral1/memory/3352-339-0x00000000012D0000-0x00000000013E0000-memory.dmp  dcrat
behavioral1/memory/3164-399-0x00000000002E0000-0x00000000003F0000-memory.dmp  dcrat
behavioral1/memory/640-460-0x0000000000C20000-0x0000000000D30000-memory.dmp  dcrat
behavioral1/memory/848-579-0x0000000000310000-0x0000000000420000-memory.dmp  dcrat
behavioral1/memory/648-639-0x00000000010A0000-0x00000000011B0000-memory.dmp  dcrat
behavioral1/memory/1696-699-0x00000000012A0000-0x00000000013B0000-memory.dmp  dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. All 20 instances in this run have the form Add-MpPreference -ExclusionPath '<dropped file>' and exclude the files the dropper writes (see the Processes section).
pid Process: powershell.exe (20): 2120, 2112, 1260, 2820, 1072, 2696, 2284, 2640, 1148, 2888, 1328, 2940, 1612, 1264, 1948, 592, 1476, 2380, 1920, 2232
-
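The 20 PowerShell command lines recorded in the Processes section all have one shape, Add-MpPreference -ExclusionPath '<dropped file>', and 19 of the excluded files borrow the name of a Windows process (csrss.exe, dwm.exe, taskhost.exe, lsm.exe, smss.exe and so on) while living outside C:\Windows. The Python below is an added example, not code from this report or from the sandbox vendor: it parses such command lines, records every exclusion (T1562.001) and additionally tags a path exclusion as masquerading (T1036.005) when the file name is on a lookalike list but the path is not under C:\Windows. The 20 command lines are reconstructed from this report; the three negative cases, the lookalike list and the tag names are the example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample: the 20 Add-MpPreference command lines from this report's
# Processes section (the quotes around "powershell" dropped), plus three lines
# that are this example's own additions to show the negative cases.
SAMPLE_CMDLINES = [
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'",
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'",
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\lsm.exe'",
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'",
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\dwm.exe'",
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Updater6\csrss.exe'",
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\en-US\taskhost.exe'",
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'",
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'",
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'",
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\de-DE\dwm.exe'",
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\cmd.exe'",
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\taskhost.exe'",
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\csrss.exe'",
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'",
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\System.exe'",
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\smss.exe'",
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe'",
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'",
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\audiodg.exe'",
    # Constructed negatives, not from the report: a plain directory exclusion,
    # a process exclusion, and a command that adds no exclusion at all.
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Contoso Backup\cache'",
    r"powershell -Command Add-MpPreference -ExclusionProcess 'backupagent.exe'",
    r"powershell -Command Get-MpComputerStatus",
]

# The three exclusion parameters Add-MpPreference accepts.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-Exclusion(?P<kind>Path|Process|Extension)\s+'(?P<value>[^']+)'",
    re.IGNORECASE,
)

# File names this sample reuses for its dropped copies (assumed list). All but the
# last two are real service or system binaries (osppsvc.exe is Office's, the rest
# live under C:\Windows); "System" and "Idle" mimic kernel pseudo-processes that
# are not backed by any .exe.
LOOKALIKE_NAMES = {
    "csrss.exe", "smss.exe", "lsm.exe", "dwm.exe", "taskhost.exe", "conhost.exe",
    "audiodg.exe", "sppsvc.exe", "osppsvc.exe", "cmd.exe", "system.exe", "idle.exe",
}
WINDOWS_DIR = "c:\\windows\\"


def parse_exclusion(cmdline):
    """Return (kind, value) for an Add-MpPreference exclusion, or None for other commands."""
    m = EXCLUSION_RE.search(cmdline)
    return (m.group("kind").lower(), m.group("value")) if m else None


def is_lookalike(path):
    """True when the excluded file carries a system-process name outside the Windows directory."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name in LOOKALIKE_NAMES and not path.lower().startswith(WINDOWS_DIR)


def triage(cmdlines):
    """Tag each exclusion command 'exclusion' (T1562.001); path exclusions whose file
    name copies a Windows process outside the Windows directory get 'masquerade' too."""
    findings = []
    for cmdline in cmdlines:
        parsed = parse_exclusion(cmdline)
        if parsed is None:
            continue
        kind, value = parsed
        tags = ["exclusion"]
        if kind == "path" and is_lookalike(value):
            tags.append("masquerade")
        findings.append({"kind": kind, "value": value, "tags": tags})
    return findings


def summarize(findings):
    """Count each tag across the findings."""
    return dict(Counter(tag for f in findings for tag in f["tags"]))


if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(",".join(f["tags"]).ljust(21), f["kind"].ljust(8), f["value"])
    print(summarize(triage(SAMPLE_CMDLINES)))
```

The same parser runs unchanged over Sysmon Event ID 1 or 4688 command lines; on a live host, Get-MpPreference's ExclusionPath property gives the current list to feed through is_lookalike.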
Executes dropped EXE 11 IoCs
pid Process:
2904  DllCommonsvc.exe
cmd.exe (the dropped file C:\Users\Public\Pictures\Sample Pictures\cmd.exe, not the system shell; its memory matches the dcrat YARA rule, see above): 2596, 3984, 3236, 3352, 3164, 640, 1764, 848, 648, 1696
-
Loads dropped DLL 2 IoCs
pid Process: 2916 cmd.exe (2 loads)
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow / ioc: raw.githubusercontent.com on flows 4, 5, 9, 17, 31, 39, 13, 20, 24, 28, 35
-
Drops file in Program Files directory 9 IoCs
description / ioc / Process (all created by DllCommonsvc.exe):
File created  C:\Program Files (x86)\Windows Mail\System.exe
File created  C:\Program Files (x86)\Windows Mail\27d1bcfc3c54e0
File created  C:\Program Files\Windows Defender\en-US\b75386f1303e64
File created  C:\Program Files\Windows Photo Viewer\de-DE\dwm.exe
File created  C:\Program Files\Windows Photo Viewer\de-DE\6cb0b6c459d5d3
File created  C:\Program Files\Windows Media Player\Icons\audiodg.exe
File created  C:\Program Files\Windows Defender\en-US\taskhost.exe
File created  C:\Program Files (x86)\Reference Assemblies\csrss.exe
File created  C:\Program Files (x86)\Reference Assemblies\886983d96e3d3e
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_b549e4d3b566372561ed01c2d491e36e2d06d9fe7e5bcb5e7de1455f1d655c38.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Each schtasks.exe command line shown in the Processes section is a /create call with /f that registers one of the dropped binaries as an ONLOGON task or a MINUTE-interval task, most of them with /rl HIGHEST.
pid Process: schtasks.exe (57): 2024, 936, 1772, 2032, 2336, 1936, 2404, 544, 2168, 2532, 1252, 2616, 2376, 2624, 3004, 992, 2928, 1572, 1360, 1660, 640, 2860, 2892, 1300, 2104, 2712, 1704, 1992, 612, 2596, 1340, 684, 2128, 1928, 2664, 520, 1688, 2432, 2176, 2956, 916, 2348, 856, 1516, 1008, 2492, 2444, 536, 2440, 2468, 2212, 2756, 2580, 1180, 2648, 2984, 2204
-
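The schtasks.exe command lines in the Processes section register each dropped binary three times: an ONLOGON task with /rl HIGHEST under the binary's name, and two MINUTE tasks (one with /rl HIGHEST, one without) under that name with its own first letter appended (taskhost / taskhostt, lsm / lsml, csrss / csrssc, dwm / dwmd). Every call uses /f, which replaces an existing task of the same name, so when a name is reused for a second path (csrss for C:\providercommon\csrss.exe and later for C:\Users\All Users\Adobe\Updater6\csrss.exe) only the later target stays registered. The Python below is an added example, not the sandbox's or the malware author's code: it parses the /create arguments, groups the tasks by target, flags targets that combine a logon task, an interval task and a HIGHEST run level outside C:\Windows, and computes which name-to-target mappings survive the overwrites. The 17 command lines are copied from this report; the flag criteria and field names are the example's assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the 17 schtasks.exe command lines recorded in this report's
# Processes section (each spawned with WmiPrvSE.exe as parent), in report order.
SAMPLE_SCHTASKS = [
    r'''schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\providercommon\taskhost.exe'" /f''',
    r'''schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\Sample Music\lsm.exe'" /f''',
    r'''schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\lsm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Music\Sample Music\lsm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\providercommon\csrss.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Start Menu\dwm.exe'" /f''',
    r'''schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\dwm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Start Menu\dwm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\Updater6\csrss.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Updater6\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Adobe\Updater6\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\en-US\taskhost.exe'" /f''',
    r'''schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\taskhost.exe'" /rl HIGHEST /f''',
]

# One flag and its value; a quoted value is taken whole so paths with spaces survive.
FLAG_RE = re.compile(r'/(?P<flag>tn|sc|mo|tr|rl)\s+(?P<val>"[^"]*"|\S+)', re.IGNORECASE)
CREATE_RE = re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.IGNORECASE)


def parse_schtasks(cmdline):
    """Return the /create parameters as a dict, or None if this is not a /create call."""
    if not CREATE_RE.search(cmdline):
        return None
    task = {"name": None, "schedule": None, "modifier": None, "target": None,
            "runlevel": "LIMITED",  # schtasks default when /rl is absent
            "force": re.search(r"\s/f\b", cmdline, re.IGNORECASE) is not None}
    for m in FLAG_RE.finditer(cmdline):
        flag, val = m.group("flag").lower(), m.group("val").strip('"')
        if flag == "tn":
            task["name"] = val
        elif flag == "sc":
            task["schedule"] = val.upper()
        elif flag == "mo":
            task["modifier"] = int(val)
        elif flag == "tr":
            task["target"] = val.strip("'")  # the sample wraps the path in single quotes
        elif flag == "rl":
            task["runlevel"] = val.upper()
    return task


def group_by_target(cmdlines):
    """Map each /tr target (lower-cased) to the list of tasks created for it."""
    groups = defaultdict(list)
    for cmdline in cmdlines:
        task = parse_schtasks(cmdline)
        if task and task["target"]:
            groups[task["target"].lower()].append(task)
    return dict(groups)


def flag_persistence(groups):
    """Targets outside C:\\Windows that get both a logon task and an interval task,
    at least one of them with the HIGHEST run level (the pattern in this report)."""
    hits = []
    for target, tasks in groups.items():
        schedules = {t["schedule"] for t in tasks}
        highest = any(t["runlevel"] == "HIGHEST" for t in tasks)
        if {"ONLOGON", "MINUTE"} <= schedules and highest and not target.startswith("c:\\windows\\"):
            hits.append({
                "target": target,
                "tasks": len(tasks),
                "names": sorted({t["name"] for t in tasks}),
                "minute_intervals": sorted(t["modifier"] for t in tasks if t["schedule"] == "MINUTE"),
            })
    return hits


def surviving_tasks(cmdlines):
    """Name -> target after all creations: /f replaces a same-named task, so the last
    /tr registered under a name wins; without /f the first registration stands."""
    survivors = {}
    for cmdline in cmdlines:
        task = parse_schtasks(cmdline)
        if task and task["name"] and (task["force"] or task["name"] not in survivors):
            survivors[task["name"]] = task["target"]
    return survivors


if __name__ == "__main__":
    for hit in flag_persistence(group_by_target(SAMPLE_SCHTASKS)):
        print(hit["tasks"], "tasks", hit["names"], "every", hit["minute_intervals"], "min ->", hit["target"])
    for name, target in surviving_tasks(SAMPLE_SCHTASKS).items():
        print("task", name, "->", target)
```

Note that the surviving set is what a responder will find in the Task Scheduler after the run; the 57 process launches overstate how many distinct tasks exist, because reused names collapse to the last target written.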
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process:
DllCommonsvc.exe: 2904 (x5)
powershell.exe: 2940, 1920, 2888, 2112, 1260, 2380, 1072, 2232, 2640, 1264, 2120, 2696, 1148, 1948, 2820, 2284, 1328, 1476, 1612, 592
cmd.exe (dropped copy): 2596, 3984, 3236, 3352, 3164, 640, 1764, 848, 648, 1696
-
Suspicious use of AdjustPrivilegeToken 31 IoCs
description / pid / Process (all Token: SeDebugPrivilege):
DllCommonsvc.exe: 2904
powershell.exe: 2940, 1920, 2888, 2112, 1260, 1072, 2380, 2232, 2640, 1264, 2120, 2696, 1148, 1948, 2820, 2284, 1328, 1476, 1612, 592
cmd.exe (dropped copy): 2596, 3984, 3236, 3352, 3164, 640, 1764, 848, 648, 1696
-
Suspicious use of WriteProcessMemory 64 IoCs
description / pid / Process / procid_target (identical rows collapsed with a count):
PID 2496 wrote to memory of 2864  JaffaCakes118_b549e4d3b566372561ed01c2d491e36e2d06d9fe7e5bcb5e7de1455f1d655c38.exe  30  (x4)
PID 2864 wrote to memory of 2916  WScript.exe  31  (x4)
PID 2916 wrote to memory of 2904  cmd.exe  33  (x4)
PID 2904 wrote to memory of 2940  DllCommonsvc.exe  92  (x3)
PID 2904 wrote to memory of 1612  DllCommonsvc.exe  93  (x3)
PID 2904 wrote to memory of 1920  DllCommonsvc.exe  95  (x3)
PID 2904 wrote to memory of 2232  DllCommonsvc.exe  96  (x3)
PID 2904 wrote to memory of 2640  DllCommonsvc.exe  97  (x3)
PID 2904 wrote to memory of 2120  DllCommonsvc.exe  98  (x3)
PID 2904 wrote to memory of 1148  DllCommonsvc.exe  99  (x3)
PID 2904 wrote to memory of 2112  DllCommonsvc.exe  100  (x3)
PID 2904 wrote to memory of 1072  DllCommonsvc.exe  101  (x3)
PID 2904 wrote to memory of 2820  DllCommonsvc.exe  103  (x3)
PID 2904 wrote to memory of 2380  DllCommonsvc.exe  106  (x3)
PID 2904 wrote to memory of 1476  DllCommonsvc.exe  107  (x3)
PID 2904 wrote to memory of 592  DllCommonsvc.exe  108  (x3)
PID 2904 wrote to memory of 1328  DllCommonsvc.exe  109  (x3)
PID 2904 wrote to memory of 2696  DllCommonsvc.exe  110  (x3)
PID 2904 wrote to memory of 1260  DllCommonsvc.exe  112  (x3)
PID 2904 wrote to memory of 2888  DllCommonsvc.exe  114  (x3)
PID 2904 wrote to memory of 1264  DllCommonsvc.exe  116  (x1)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b549e4d3b566372561ed01c2d491e36e2d06d9fe7e5bcb5e7de1455f1d655c38.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b549e4d3b566372561ed01c2d491e36e2d06d9fe7e5bcb5e7de1455f1d655c38.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2496 -
[depth 2] C:\Windows\SysWOW64\WScript.exe
    cmdline: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2864 -
[depth 3] C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c ""C:\providercommon\1zu9dW.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2916 -
[depth 4] C:\providercommon\DllCommonsvc.exe
    cmdline: "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904 -
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2940
-
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612
-
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\lsm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1920
-
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2232
-
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\dwm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640
-
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Updater6\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2120
-
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\en-US\taskhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1148
-
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2112
-
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1072
-
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2820
-
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\de-DE\dwm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2380
-
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\cmd.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1476
-
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\taskhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:592
-
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1328
-
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2696
-
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\System.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1260
-
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\smss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2888
-
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1264
-
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948
-
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\audiodg.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2284
-
-
[depth 5] C:\Users\Public\Pictures\Sample Pictures\cmd.exe
    cmdline: "C:\Users\Public\Pictures\Sample Pictures\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2596 -
[depth 6] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KtkjGbmHOL.bat"
    PID:3888
-
[depth 7] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID:3928
-
-
[depth 7] C:\Users\Public\Pictures\Sample Pictures\cmd.exe
    cmdline: "C:\Users\Public\Pictures\Sample Pictures\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3984 -
[depth 8] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat"
    PID:3148
-
[depth 9] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID:1040
-
-
[depth 9] C:\Users\Public\Pictures\Sample Pictures\cmd.exe
    cmdline: "C:\Users\Public\Pictures\Sample Pictures\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3236 -
[depth 10] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat"
    PID:2076
-
[depth 11] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID:2704
-
-
[depth 11] C:\Users\Public\Pictures\Sample Pictures\cmd.exe
    cmdline: "C:\Users\Public\Pictures\Sample Pictures\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3352 -
[depth 12] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xEvQv3iUx6.bat"
    PID:1932
-
[depth 13] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID:3496
-
-
[depth 13] C:\Users\Public\Pictures\Sample Pictures\cmd.exe
    cmdline: "C:\Users\Public\Pictures\Sample Pictures\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3164 -
[depth 14] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SNnEytbzjv.bat"
    PID:2824
-
[depth 15] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID:3520
-
-
[depth 15] C:\Users\Public\Pictures\Sample Pictures\cmd.exe
    cmdline: "C:\Users\Public\Pictures\Sample Pictures\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:640 -
[depth 16] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VF9LbKHiRa.bat"
    PID:3840
-
[depth 17] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID:3884
-
-
[depth 17] C:\Users\Public\Pictures\Sample Pictures\cmd.exe
    cmdline: "C:\Users\Public\Pictures\Sample Pictures\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1764 -
[depth 18] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z3bbUpz34c.bat"
    PID:2684
-
[depth 19] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID:3140
-
-
[depth 19] C:\Users\Public\Pictures\Sample Pictures\cmd.exe
    cmdline: "C:\Users\Public\Pictures\Sample Pictures\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:848 -
[depth 20] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JeZnuB4iL9.bat"
    PID:996
-
[depth 21] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID:3424
-
-
[depth 21] C:\Users\Public\Pictures\Sample Pictures\cmd.exe
    cmdline: "C:\Users\Public\Pictures\Sample Pictures\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:648 -
[depth 22] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3HNGHapxv4.bat"
    PID:1460
-
[depth 23] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID:2468
-
-
[depth 23] C:\Users\Public\Pictures\Sample Pictures\cmd.exe
    cmdline: "C:\Users\Public\Pictures\Sample Pictures\cmd.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1696 -
[depth 24] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gWC6ojzqIZ.bat"
    PID:2220
-
[depth 25] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID:2164
-
[depth 1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\providercommon\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580
-
[depth 1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616
-
[depth 1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180
-
[depth 1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\Sample Music\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176
-
[depth 1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024
-
[depth 1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Music\Sample Music\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128
-
[depth 1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\providercommon\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336
-
[depth 1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Start Menu\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Start Menu\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\Updater6\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Updater6\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Adobe\Updater6\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\en-US\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\en-US\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\providercommon\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\Sample Pictures\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\Sample Pictures\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Application Data\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Application Data\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Templates\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\Templates\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Templates\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712
Network
MITRE ATT&CK Enterprise v15
Downloads