Analysis
max time kernel: 146s
max time network: 148s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 19:36
Behavioral task: behavioral1
Sample: JaffaCakes118_d5b9de29cfe9f7e39de10a08b31e41bcc5abb783a6d39ae7c45237a18bf011b3.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_d5b9de29cfe9f7e39de10a08b31e41bcc5abb783a6d39ae7c45237a18bf011b3.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_d5b9de29cfe9f7e39de10a08b31e41bcc5abb783a6d39ae7c45237a18bf011b3.exe
Size: 1.3MB
MD5: 7eca7694e78a6975896268ad0c5948f5
SHA1: 5e012926fde5f131c71c4e5f83f65298e75ec128
SHA256: d5b9de29cfe9f7e39de10a08b31e41bcc5abb783a6d39ae7c45237a18bf011b3
SHA512: 2aa45b80fa311f52b8148fe1f222b2018f5975b5971c6ebb5b80493420bf8baaa3c50eefbb6a281e7e60c573f1323281112946a9d4894588e2fce5b60598d2dc
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config

Signatures

DcRat
DarkCrystal (DCRat) is a .NET RAT, active since June 2019, capable of loading additional plugins.

Dcrat family
Process spawned unexpected child process (51 IoCs)
This typically indicates the parent process was compromised via an exploit or macro. In this run the more likely reading is that the dropper created each task through WMI (Win32_Process.Create), which records wmiprvse.exe as the parent of schtasks.exe; either way, the WMI provider host creating scheduled tasks is worth alerting on.

All 51 rows share the same values: description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", pid_target 2824 (wmiprvse.exe, procid_target 35), Process schtasks.exe. The schtasks.exe PIDs in report order (2628 and 2560 each appear twice, i.e. PIDs were reused during the run):
2132, 2664, 2708, 2828, 2592, 2628, 1664, 2456, 2324, 1816, 1960, 1564, 2872, 2384, 1992, 1220, 1372, 1688, 2528, 2672, 2804, 2216, 1808, 2264, 1760, 1860, 408, 2560, 680, 988, 1108, 1504, 2616, 1644, 2628, 2880, 1552, 692, 780, 2720, 2832, 2968, 2560, 2032, 2136, 3048, 1696, 448, 2372, 2328, 2152
resource  yara_rule
behavioral1/files/0x0008000000019030-9.dat  dcrat
behavioral1/memory/1056-13-0x00000000008F0000-0x0000000000A00000-memory.dmp  dcrat
behavioral1/memory/2604-116-0x0000000001140000-0x0000000001250000-memory.dmp  dcrat
behavioral1/memory/2224-336-0x00000000012E0000-0x00000000013F0000-memory.dmp  dcrat
behavioral1/memory/2216-573-0x0000000000290000-0x00000000003A0000-memory.dmp  dcrat
behavioral1/memory/2212-634-0x00000000003B0000-0x00000000004C0000-memory.dmp  dcrat
behavioral1/memory/1580-694-0x00000000000E0000-0x00000000001F0000-memory.dmp  dcrat
Command and Scripting Interpreter: PowerShell (1 TTP, 19 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. Each of the 19 invocations here is a separate "powershell -Command Add-MpPreference -ExclusionPath '...'" call, one per location where the dropper places a copy of itself (see the process tree), so that Defender skips those paths.
pid  Process
1268 powershell.exe
2600 powershell.exe
2692 powershell.exe
1716 powershell.exe
3060 powershell.exe
1324 powershell.exe
2696 powershell.exe
2740 powershell.exe
2572 powershell.exe
704 powershell.exe
912 powershell.exe
1748 powershell.exe
3036 powershell.exe
940 powershell.exe
1628 powershell.exe
612 powershell.exe
1652 powershell.exe
2460 powershell.exe
1700 powershell.exe
Executes dropped EXE (12 IoCs)
pid  Process
1056 DllCommonsvc.exe
1320 DllCommonsvc.exe
2604 csrss.exe
2136 csrss.exe
2624 csrss.exe
2224 csrss.exe
2272 csrss.exe
1548 csrss.exe
2692 csrss.exe
2216 csrss.exe
2212 csrss.exe
1580 csrss.exe

Loads dropped DLL (2 IoCs)
pid  Process
3052 cmd.exe
3052 cmd.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 11 IoCs)
flow  ioc
4, 5, 9, 12, 16, 20, 24, 27, 31, 34, 37  raw.githubusercontent.com (all eleven flows go to the same host)
Drops file in Program Files directory (8 IoCs)
All files are created by DllCommonsvc.exe. Each executable copy is accompanied by a 14-character hex-named file in the same directory, a pairing worth hunting for on other hosts.
description  ioc
File created  C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\7a0fd90576e088
File created  C:\Program Files\Uninstall Information\audiodg.exe
File created  C:\Program Files\Uninstall Information\42af1c969fbb7b
File created  C:\Program Files\Internet Explorer\ja-JP\wininit.exe
File created  C:\Program Files\Internet Explorer\ja-JP\56085415360792
File created  C:\Program Files (x86)\Windows Photo Viewer\fr-FR\conhost.exe
File created  C:\Program Files (x86)\Windows Photo Viewer\fr-FR\088424020bedd6
File created  C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe

Drops file in Windows directory (2 IoCs)
Both created by DllCommonsvc.exe; the same executable-plus-hex-companion pairing appears here.
description  ioc
File created  C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe
File created  C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\886983d96e3d3e
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_d5b9de29cfe9f7e39de10a08b31e41bcc5abb783a6d39ae7c45237a18bf011b3.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 51 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution. The task list at the end of the process tree shows the pattern for each dropped copy: three tasks per target, one on a MINUTE schedule, one ONLOGON with /rl HIGHEST, and one more MINUTE task with /rl HIGHEST, named after the target file (sometimes with a doubled last letter, e.g. "taskhostt", "OSPPSVCO", "explorere", "audiodga").
pid  Process (51 schtasks.exe instances, in report order)
2872, 408, 1552, 2560, 2132, 2672, 1808, 1760, 2560, 2628, 2372, 2152, 2664, 1664, 1992, 2264, 1108, 1696, 2832, 2032, 2708, 2324, 1816, 680, 2880, 2720, 2384, 2804, 2968, 3048, 448, 2328, 780, 2592, 2628, 1220, 1688, 2528, 1860, 2828, 1960, 1372, 2216, 1504, 692, 2456, 1564, 988, 2616, 1644, 2136
Suspicious behavior: EnumeratesProcesses (39 IoCs)
pid  Process (repeat count in parentheses where a PID appears more than once)
1056 DllCommonsvc.exe (3)
704 powershell.exe
612 powershell.exe
1324 powershell.exe
1748 powershell.exe
1652 powershell.exe
1268 powershell.exe
940 powershell.exe
1628 powershell.exe
912 powershell.exe
2460 powershell.exe
1700 powershell.exe
1320 DllCommonsvc.exe (7)
2600 powershell.exe
2740 powershell.exe
2696 powershell.exe
3060 powershell.exe
3036 powershell.exe
1716 powershell.exe
2692 powershell.exe
2572 powershell.exe
2604 csrss.exe
2136 csrss.exe
2624 csrss.exe
2224 csrss.exe
2272 csrss.exe
1548 csrss.exe
2692 csrss.exe
2216 csrss.exe
2212 csrss.exe
1580 csrss.exe
Suspicious use of AdjustPrivilegeToken (31 IoCs)
Every row is Token: SeDebugPrivilege.
pid  Process
1056 DllCommonsvc.exe
704 powershell.exe
612 powershell.exe
1324 powershell.exe
1748 powershell.exe
1652 powershell.exe
1268 powershell.exe
940 powershell.exe
1628 powershell.exe
912 powershell.exe
2460 powershell.exe
1700 powershell.exe
1320 DllCommonsvc.exe
2600 powershell.exe
2740 powershell.exe
2696 powershell.exe
3060 powershell.exe
3036 powershell.exe
1716 powershell.exe
2692 powershell.exe
2572 powershell.exe
2604 csrss.exe
2136 csrss.exe
2624 csrss.exe
2224 csrss.exe
2272 csrss.exe
1548 csrss.exe
2692 csrss.exe
2216 csrss.exe
2212 csrss.exe
1580 csrss.exe
Suspicious use of WriteProcessMemory (64 IoCs)
pid -> target pid  Process (writer)  procid_target  (number of identical rows)
2340 -> 2520  JaffaCakes118_d5b9de29cfe9f7e39de10a08b31e41bcc5abb783a6d39ae7c45237a18bf011b3.exe  30  (4)
2520 -> 3052  WScript.exe  32  (4)
3052 -> 1056  cmd.exe  34  (4)
1056 -> 704  DllCommonsvc.exe  124  (3)
1056 -> 612  DllCommonsvc.exe  67  (3)
1056 -> 1324  DllCommonsvc.exe  68  (3)
1056 -> 1628  DllCommonsvc.exe  69  (3)
1056 -> 940  DllCommonsvc.exe  71  (3)
1056 -> 1700  DllCommonsvc.exe  75  (3)
1056 -> 2460  DllCommonsvc.exe  76  (3)
1056 -> 1748  DllCommonsvc.exe  77  (3)
1056 -> 1268  DllCommonsvc.exe  78  (3)
1056 -> 1652  DllCommonsvc.exe  79  (3)
1056 -> 912  DllCommonsvc.exe  80  (3)
1056 -> 1320  DllCommonsvc.exe  88  (3)
1320 -> 2696  DllCommonsvc.exe  110  (3)
1320 -> 2600  DllCommonsvc.exe  111  (3)
1320 -> 2740  DllCommonsvc.exe  112  (3)
1320 -> 2572  DllCommonsvc.exe  113  (3)
1320 -> 1716  DllCommonsvc.exe  114  (3)
1320 -> 3060  DllCommonsvc.exe  115  (1; the 64-row list ends here)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry is shown as [depth] PID and image path, followed by its command line and the signatures it triggered; an entry is the child of the nearest entry above it with a smaller depth. The tree nests 26 levels deep because each dropped csrss.exe copy runs a .bat that calls w32tm /stripchart against localhost (a common batch-file delay) and then launches csrss.exe again.

[1] PID 2340  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d5b9de29cfe9f7e39de10a08b31e41bcc5abb783a6d39ae7c45237a18bf011b3.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d5b9de29cfe9f7e39de10a08b31e41bcc5abb783a6d39ae7c45237a18bf011b3.exe"
    signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
[2] PID 2520  C:\Windows\SysWOW64\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
[3] PID 3052  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
    signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
[4] PID 1056  C:\providercommon\DllCommonsvc.exe
    command line: "C:\providercommon\DllCommonsvc.exe"
    signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[5] PID 704  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
[5] PID 612  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\taskhost.exe'
    signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
[5] PID 1324  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\OSPPSVC.exe'
    signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
[5] PID 1628  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe'
    signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
[5] PID 940  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\audiodg.exe'
    signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
[5] PID 1700  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'
    signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
[5] PID 2460  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\ja-JP\wininit.exe'
    signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
[5] PID 1748  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\conhost.exe'
    signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
[5] PID 1268  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'
    signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
[5] PID 1652  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dllhost.exe'
    signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
[5] PID 912  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\lsm.exe'
    signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
[5] PID 1320  C:\providercommon\DllCommonsvc.exe
    command line: "C:\providercommon\DllCommonsvc.exe"
    signatures: Executes dropped EXE; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[6] PID 2696  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
[6] PID 2600  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\OSPPSVC.exe'
    signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
[6] PID 2740  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe'
    signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
[6] PID 2572  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
    signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
[6] PID 1716  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'
    signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
[6] PID 3060  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'
    signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
[6] PID 3036  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
    signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
[6] PID 2692  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\OSPPSVC.exe'
    signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
[6] PID 2604  C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe
    command line: "C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe"
    signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
[7] PID 1552  C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\blOcFVMglb.bat"
[8] PID 1760  C:\Windows\system32\w32tm.exe
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[8] PID 2136  C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe
    command line: "C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe"
    signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
[9] PID 792  C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"
[10] PID 824  C:\Windows\system32\w32tm.exe
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[10] PID 2624  C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe
    command line: "C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe"
    signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
[11] PID 2812  C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wYroxckjTC.bat"
[12] PID 1268  C:\Windows\system32\w32tm.exe
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[12] PID 2224  C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe
    command line: "C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe"
    signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
[13] PID 1056  C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7FnFm4j3ls.bat"
[14] PID 2592  C:\Windows\system32\w32tm.exe
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[14] PID 2272  C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe
    command line: "C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe"
    signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
[15] PID 2712  C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"
[16] PID 2864  C:\Windows\system32\w32tm.exe
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[16] PID 1548  C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe
    command line: "C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe"
    signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
[17] PID 2308  C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MsMShxucCb.bat"
[18] PID 2232  C:\Windows\system32\w32tm.exe
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[18] PID 2692  C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe
    command line: "C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe"
    signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
[19] PID 2260  C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kRqsvBC5Qb.bat"
[20] PID 988  C:\Windows\system32\w32tm.exe
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[20] PID 2216  C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe
    command line: "C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe"
    signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
[21] PID 2368  C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"
[22] PID 2904  C:\Windows\system32\w32tm.exe
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[22] PID 2212  C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe
    command line: "C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe"
    signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
[23] PID 1716  C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5G5G1KH0qy.bat"
[24] PID 2936  C:\Windows\system32\w32tm.exe
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[24] PID 1580  C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe
    command line: "C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe"
    signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
[25] PID 888  C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dhQfvaPZ4N.bat"
[26] PID 2288  C:\Windows\system32\w32tm.exe
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\OSPPSVC.exe'" /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Admin\AppData\OSPPSVC.exe'" /rl HIGHEST /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\OSPPSVC.exe'" /rl HIGHEST /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe'" /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe'" /rl HIGHEST /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe'" /rl HIGHEST /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\audiodg.exe'" /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\audiodg.exe'" /rl HIGHEST /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\audiodg.exe'" /rl HIGHEST /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\ja-JP\wininit.exe'" /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\wininit.exe'" /rl HIGHEST /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\ja-JP\wininit.exe'" /rl HIGHEST /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\conhost.exe'" /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\conhost.exe'" /rl HIGHEST /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\conhost.exe'" /rl HIGHEST /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Saved Games\lsm.exe'" /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\lsm.exe'" /rl HIGHEST /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Saved Games\lsm.exe'" /rl HIGHEST /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\OSPPSVC.exe'" /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\All Users\OSPPSVC.exe'" /rl HIGHEST /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\OSPPSVC.exe'" /rl HIGHEST /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe'" /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe'" /rl HIGHEST /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\csrss.exe'" /rl HIGHEST /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsass.exe'" /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'" /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'" /rl HIGHEST /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'" /rl HIGHEST /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\providercommon\smss.exe'" /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Cookies\OSPPSVC.exe'" /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\Cookies\OSPPSVC.exe'" /rl HIGHEST /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Cookies\OSPPSVC.exe'" /rl HIGHEST /f
  [tree depth 1]
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152
-
C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "14469815232102867804-7791087271000934453-2103102970-55733652012843289202138473764"
  [tree depth 1]
PID:704
Network
MITRE ATT&CK Enterprise v15
Downloads