Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
21-12-2024 22:21
Behavioral task
behavioral1
Sample
JaffaCakes118_50e084f718746b0599c5cfc48f8e86032d24a3f9e29d716533b205cad3cabd91.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_50e084f718746b0599c5cfc48f8e86032d24a3f9e29d716533b205cad3cabd91.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_50e084f718746b0599c5cfc48f8e86032d24a3f9e29d716533b205cad3cabd91.exe
-
Size
1.3MB
-
MD5
ef34fc6d3f55b68d4c5ec2fe4f86204b
-
SHA1
07c79d701c1cc7d7e0a71e9010f2d4905bdd1b3b
-
SHA256
50e084f718746b0599c5cfc48f8e86032d24a3f9e29d716533b205cad3cabd91
-
SHA512
d0c4e4dee957c9456ef88f93ef73355e803a0a558342cbbf38e989f94f29aa16221ed87902a05a6e8e6df7dc46f61ea53887cdfb90bbcc4139a57376574d09fb
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2556 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2804 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2576 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2548 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 532 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2984 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 768 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 576 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1840 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2760 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1812 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2432 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1000 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1508 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1220 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2784 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2036 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1628 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1164 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1768 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2880 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2152 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2356 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1484 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2216 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1664 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 444 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1672 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2628 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 708 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1940 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2008 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1744 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 908 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2268 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1680 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1796 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2096 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1260 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 532 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1516 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2644 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2572 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2020 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2156 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2596 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2888 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2716 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3064 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2604 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3036 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1988 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2920 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2032 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1604 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2008 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1760 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1548 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1796 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1208 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1160 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2424 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1664 2648 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 764 2648 schtasks.exe 35 -
resource yara_rule behavioral1/files/0x0008000000016d36-12.dat dcrat behavioral1/memory/2672-13-0x00000000013B0000-0x00000000014C0000-memory.dmp dcrat behavioral1/memory/920-238-0x00000000013C0000-0x00000000014D0000-memory.dmp dcrat behavioral1/memory/1860-297-0x00000000003C0000-0x00000000004D0000-memory.dmp dcrat behavioral1/memory/2724-357-0x0000000000E30000-0x0000000000F40000-memory.dmp dcrat behavioral1/memory/3040-417-0x0000000000320000-0x0000000000430000-memory.dmp dcrat behavioral1/memory/1748-477-0x0000000001320000-0x0000000001430000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 30 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2424 powershell.exe 3016 powershell.exe 1004 powershell.exe 2828 powershell.exe 2468 powershell.exe 1696 powershell.exe 1864 powershell.exe 1592 powershell.exe 568 powershell.exe 2564 powershell.exe 1768 powershell.exe 2132 powershell.exe 1504 powershell.exe 2804 powershell.exe 1284 powershell.exe 1600 powershell.exe 1140 powershell.exe 3028 powershell.exe 1904 powershell.exe 576 powershell.exe 968 powershell.exe 1304 powershell.exe 2972 powershell.exe 1576 powershell.exe 3020 powershell.exe 2520 powershell.exe 908 powershell.exe 2700 powershell.exe 2360 powershell.exe 900 powershell.exe -
Executes dropped EXE 13 IoCs
pid Process 2672 DllCommonsvc.exe 1944 DllCommonsvc.exe 920 conhost.exe 1860 conhost.exe 2724 conhost.exe 3040 conhost.exe 1748 conhost.exe 2536 conhost.exe 1812 conhost.exe 800 conhost.exe 1632 conhost.exe 1644 conhost.exe 852 conhost.exe -
Loads dropped DLL 2 IoCs
pid Process 1964 cmd.exe 1964 cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow ioc 4 raw.githubusercontent.com 12 raw.githubusercontent.com 16 raw.githubusercontent.com 29 raw.githubusercontent.com 36 raw.githubusercontent.com 33 raw.githubusercontent.com 5 raw.githubusercontent.com 9 raw.githubusercontent.com 19 raw.githubusercontent.com 23 raw.githubusercontent.com 26 raw.githubusercontent.com -
Drops file in Program Files directory 21 IoCs
description ioc Process File created C:\Program Files\DVD Maker\es-ES\101b941d020240 DllCommonsvc.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe DllCommonsvc.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\27d1bcfc3c54e0 DllCommonsvc.exe File created C:\Program Files\7-Zip\Lang\e978f868350d50 DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft Analysis Services\088424020bedd6 DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\088424020bedd6 DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\schtasks.exe DllCommonsvc.exe File created C:\Program Files\Uninstall Information\wininit.exe DllCommonsvc.exe File created C:\Program Files\Uninstall Information\56085415360792 DllCommonsvc.exe File created C:\Program Files\DVD Maker\es-ES\lsm.exe DllCommonsvc.exe File created C:\Program Files\7-Zip\Lang\powershell.exe DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft Analysis Services\conhost.exe DllCommonsvc.exe File created C:\Program Files\Windows Mail\ja-JP\csrss.exe DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\3a6fe29a7ceee6 DllCommonsvc.exe File created C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\lsm.exe DllCommonsvc.exe File created C:\Program Files\Windows Defender\en-US\088424020bedd6 DllCommonsvc.exe File created C:\Program Files\Windows Mail\ja-JP\886983d96e3d3e DllCommonsvc.exe File opened for modification C:\Program Files\Uninstall Information\wininit.exe DllCommonsvc.exe File created C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\101b941d020240 DllCommonsvc.exe File created C:\Program Files\Windows Defender\en-US\conhost.exe DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe DllCommonsvc.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File created C:\Windows\system\088424020bedd6 DllCommonsvc.exe File created C:\Windows\Registration\CRMLog\powershell.exe DllCommonsvc.exe File created C:\Windows\Registration\CRMLog\e978f868350d50 DllCommonsvc.exe File created C:\Windows\system\conhost.exe DllCommonsvc.exe File opened for modification C:\Windows\system\conhost.exe DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_50e084f718746b0599c5cfc48f8e86032d24a3f9e29d716533b205cad3cabd91.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3064 schtasks.exe 2920 schtasks.exe 532 schtasks.exe 2760 schtasks.exe 1508 schtasks.exe 708 schtasks.exe 2008 schtasks.exe 628 schtasks.exe 2020 schtasks.exe 3032 schtasks.exe 2784 schtasks.exe 1628 schtasks.exe 2008 schtasks.exe 2604 schtasks.exe 3036 schtasks.exe 3060 schtasks.exe 1000 schtasks.exe 1768 schtasks.exe 2152 schtasks.exe 2216 schtasks.exe 2036 schtasks.exe 1672 schtasks.exe 2584 schtasks.exe 1588 schtasks.exe 2788 schtasks.exe 768 schtasks.exe 1840 schtasks.exe 1220 schtasks.exe 2628 schtasks.exe 1916 schtasks.exe 2432 schtasks.exe 2096 schtasks.exe 1548 schtasks.exe 1664 schtasks.exe 764 schtasks.exe 1160 schtasks.exe 1484 schtasks.exe 444 schtasks.exe 2644 schtasks.exe 2156 schtasks.exe 1760 schtasks.exe 2888 schtasks.exe 1208 schtasks.exe 2424 schtasks.exe 2532 schtasks.exe 1164 schtasks.exe 2880 schtasks.exe 1260 schtasks.exe 1516 schtasks.exe 1564 schtasks.exe 1860 schtasks.exe 1928 schtasks.exe 1948 schtasks.exe 2556 schtasks.exe 2984 schtasks.exe 908 schtasks.exe 2596 schtasks.exe 1796 schtasks.exe 2716 schtasks.exe 2032 schtasks.exe 2356 schtasks.exe 1940 schtasks.exe 1680 schtasks.exe 2572 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2672 DllCommonsvc.exe 2672 DllCommonsvc.exe 2672 DllCommonsvc.exe 2672 DllCommonsvc.exe 2672 DllCommonsvc.exe 2672 DllCommonsvc.exe 2672 DllCommonsvc.exe 2672 DllCommonsvc.exe 2672 DllCommonsvc.exe 2672 DllCommonsvc.exe 2672 DllCommonsvc.exe 2424 powershell.exe 3028 powershell.exe 1004 powershell.exe 1904 powershell.exe 1944 DllCommonsvc.exe 1696 powershell.exe 1284 powershell.exe 1864 powershell.exe 2972 powershell.exe 1576 powershell.exe 1600 powershell.exe 1592 powershell.exe 1944 DllCommonsvc.exe 1944 DllCommonsvc.exe 1944 DllCommonsvc.exe 1944 DllCommonsvc.exe 1944 DllCommonsvc.exe 1944 DllCommonsvc.exe 2468 powershell.exe 3020 powershell.exe 3016 powershell.exe 1944 DllCommonsvc.exe 1944 DllCommonsvc.exe 1944 DllCommonsvc.exe 1944 DllCommonsvc.exe 1944 DllCommonsvc.exe 1944 DllCommonsvc.exe 1944 DllCommonsvc.exe 1944 DllCommonsvc.exe 1944 DllCommonsvc.exe 1944 DllCommonsvc.exe 1944 DllCommonsvc.exe 1944 DllCommonsvc.exe 1304 powershell.exe 968 powershell.exe 2520 powershell.exe 2804 powershell.exe 2700 powershell.exe 568 powershell.exe 908 powershell.exe 2564 powershell.exe 1140 powershell.exe 900 powershell.exe 2828 powershell.exe 2132 powershell.exe 576 powershell.exe 1504 powershell.exe 2360 powershell.exe 1768 powershell.exe 920 conhost.exe 1860 conhost.exe 2724 conhost.exe 3040 conhost.exe -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process Token: SeDebugPrivilege 2672 DllCommonsvc.exe Token: SeDebugPrivilege 2424 powershell.exe Token: SeDebugPrivilege 3028 powershell.exe Token: SeDebugPrivilege 1944 DllCommonsvc.exe Token: SeDebugPrivilege 1004 powershell.exe Token: SeDebugPrivilege 1904 powershell.exe Token: SeDebugPrivilege 1696 powershell.exe Token: SeDebugPrivilege 1284 powershell.exe Token: SeDebugPrivilege 1864 powershell.exe Token: SeDebugPrivilege 2972 powershell.exe Token: SeDebugPrivilege 1576 powershell.exe Token: SeDebugPrivilege 1600 powershell.exe Token: SeDebugPrivilege 1592 powershell.exe Token: SeDebugPrivilege 2468 powershell.exe Token: SeDebugPrivilege 3020 powershell.exe Token: SeDebugPrivilege 3016 powershell.exe Token: SeDebugPrivilege 1304 powershell.exe Token: SeDebugPrivilege 968 powershell.exe Token: SeDebugPrivilege 2520 powershell.exe Token: SeDebugPrivilege 2804 powershell.exe Token: SeDebugPrivilege 2700 powershell.exe Token: SeDebugPrivilege 568 powershell.exe Token: SeDebugPrivilege 908 powershell.exe Token: SeDebugPrivilege 2564 powershell.exe Token: SeDebugPrivilege 1140 powershell.exe Token: SeDebugPrivilege 900 powershell.exe Token: SeDebugPrivilege 2828 powershell.exe Token: SeDebugPrivilege 2132 powershell.exe Token: SeDebugPrivilege 576 powershell.exe Token: SeDebugPrivilege 1504 powershell.exe Token: SeDebugPrivilege 2360 powershell.exe Token: SeDebugPrivilege 1768 powershell.exe Token: SeDebugPrivilege 920 conhost.exe Token: SeDebugPrivilege 1860 conhost.exe Token: SeDebugPrivilege 2724 conhost.exe Token: SeDebugPrivilege 3040 conhost.exe Token: SeDebugPrivilege 1748 conhost.exe Token: SeDebugPrivilege 2536 conhost.exe Token: SeDebugPrivilege 1812 conhost.exe Token: SeDebugPrivilege 800 conhost.exe Token: SeDebugPrivilege 1632 conhost.exe Token: SeDebugPrivilege 1644 conhost.exe Token: SeDebugPrivilege 852 conhost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2016 wrote to memory of 2316 2016 JaffaCakes118_50e084f718746b0599c5cfc48f8e86032d24a3f9e29d716533b205cad3cabd91.exe 31 PID 2016 wrote to memory of 2316 2016 JaffaCakes118_50e084f718746b0599c5cfc48f8e86032d24a3f9e29d716533b205cad3cabd91.exe 31 PID 2016 wrote to memory of 2316 2016 JaffaCakes118_50e084f718746b0599c5cfc48f8e86032d24a3f9e29d716533b205cad3cabd91.exe 31 PID 2016 wrote to memory of 2316 2016 JaffaCakes118_50e084f718746b0599c5cfc48f8e86032d24a3f9e29d716533b205cad3cabd91.exe 31 PID 2316 wrote to memory of 1964 2316 WScript.exe 32 PID 2316 wrote to memory of 1964 2316 WScript.exe 32 PID 2316 wrote to memory of 1964 2316 WScript.exe 32 PID 2316 wrote to memory of 1964 2316 WScript.exe 32 PID 1964 wrote to memory of 2672 1964 cmd.exe 34 PID 1964 wrote to memory of 2672 1964 cmd.exe 34 PID 1964 wrote to memory of 2672 1964 cmd.exe 34 PID 1964 wrote to memory of 2672 1964 cmd.exe 34 PID 2672 wrote to memory of 1284 2672 DllCommonsvc.exe 75 PID 2672 wrote to memory of 1284 2672 DllCommonsvc.exe 75 PID 2672 wrote to memory of 1284 2672 DllCommonsvc.exe 75 PID 2672 wrote to memory of 3028 2672 DllCommonsvc.exe 76 PID 2672 wrote to memory of 3028 2672 DllCommonsvc.exe 76 PID 2672 wrote to memory of 3028 2672 DllCommonsvc.exe 76 PID 2672 wrote to memory of 2972 2672 DllCommonsvc.exe 78 PID 2672 wrote to memory of 2972 2672 DllCommonsvc.exe 78 PID 2672 wrote to memory of 2972 2672 DllCommonsvc.exe 78 PID 2672 wrote to memory of 1576 2672 DllCommonsvc.exe 79 PID 2672 wrote to memory of 1576 2672 DllCommonsvc.exe 79 PID 2672 wrote to memory of 1576 2672 DllCommonsvc.exe 79 PID 2672 wrote to memory of 2424 2672 DllCommonsvc.exe 81 PID 2672 wrote to memory of 2424 2672 DllCommonsvc.exe 81 PID 2672 wrote to memory of 2424 2672 DllCommonsvc.exe 81 PID 2672 wrote to memory of 3016 2672 DllCommonsvc.exe 84 PID 2672 wrote to memory of 3016 2672 DllCommonsvc.exe 84 PID 2672 wrote to memory of 3016 2672 DllCommonsvc.exe 84 PID 2672 wrote to memory of 1904 2672 DllCommonsvc.exe 85 PID 2672 wrote to memory of 1904 2672 DllCommonsvc.exe 85 PID 2672 wrote to memory of 1904 2672 DllCommonsvc.exe 85 PID 2672 wrote to memory of 1004 2672 DllCommonsvc.exe 88 PID 2672 wrote to memory of 1004 2672 DllCommonsvc.exe 88 PID 2672 wrote to memory of 1004 2672 DllCommonsvc.exe 88 PID 2672 wrote to memory of 2468 2672 DllCommonsvc.exe 89 PID 2672 wrote to memory of 2468 2672 DllCommonsvc.exe 89 PID 2672 wrote to memory of 2468 2672 DllCommonsvc.exe 89 PID 2672 wrote to memory of 1696 2672 DllCommonsvc.exe 90 PID 2672 wrote to memory of 1696 2672 DllCommonsvc.exe 90 PID 2672 wrote to memory of 1696 2672 DllCommonsvc.exe 90 PID 2672 wrote to memory of 1864 2672 DllCommonsvc.exe 92 PID 2672 wrote to memory of 1864 2672 DllCommonsvc.exe 92 PID 2672 wrote to memory of 1864 2672 DllCommonsvc.exe 92 PID 2672 wrote to memory of 3020 2672 DllCommonsvc.exe 96 PID 2672 wrote to memory of 3020 2672 DllCommonsvc.exe 96 PID 2672 wrote to memory of 3020 2672 DllCommonsvc.exe 96 PID 2672 wrote to memory of 1600 2672 DllCommonsvc.exe 97 PID 2672 wrote to memory of 1600 2672 DllCommonsvc.exe 97 PID 2672 wrote to memory of 1600 2672 DllCommonsvc.exe 97 PID 2672 wrote to memory of 1592 2672 DllCommonsvc.exe 98 PID 2672 wrote to memory of 1592 2672 DllCommonsvc.exe 98 PID 2672 wrote to memory of 1592 2672 DllCommonsvc.exe 98 PID 2672 wrote to memory of 1944 2672 DllCommonsvc.exe 103 PID 2672 wrote to memory of 1944 2672 DllCommonsvc.exe 103 PID 2672 wrote to memory of 1944 2672 DllCommonsvc.exe 103 PID 1944 wrote to memory of 576 1944 DllCommonsvc.exe 149 PID 1944 wrote to memory of 576 1944 DllCommonsvc.exe 149 PID 1944 wrote to memory of 576 1944 DllCommonsvc.exe 149 PID 1944 wrote to memory of 2360 1944 DllCommonsvc.exe 150 PID 1944 wrote to memory of 2360 1944 DllCommonsvc.exe 150 PID 1944 wrote to memory of 2360 1944 DllCommonsvc.exe 150 PID 1944 wrote to memory of 1768 1944 DllCommonsvc.exe 151 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50e084f718746b0599c5cfc48f8e86032d24a3f9e29d716533b205cad3cabd91.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_50e084f718746b0599c5cfc48f8e86032d24a3f9e29d716533b205cad3cabd91.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1284
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3028
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WMIADAP.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2972
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\es-ES\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2424
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3016
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1904
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1004
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2468
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1696
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1864
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1600
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592
-
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\conhost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2360
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\powershell.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\spoolsv.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2520
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:900
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\powershell.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:908
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\cmd.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2132
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\en-US\conhost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2828
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\conhost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:568
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2564
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\ja-JP\csrss.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\schtasks.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:968
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1304
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\powershell.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1140
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\schtasks.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2804
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\779qc6ONGy.bat"6⤵PID:1628
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:936
-
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:920 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Lg3y2yDdyq.bat"8⤵PID:2956
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:1164
-
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1860 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat"10⤵PID:996
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:1904
-
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2724 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JJ2zQTaq6h.bat"12⤵PID:2312
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:3056
-
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3040 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat"14⤵PID:2152
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:572
-
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe"15⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1748 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aTd08pZfDw.bat"16⤵PID:1008
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:2868
-
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe"17⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2536 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CV35gbisF1.bat"18⤵PID:2788
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:2468
-
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe"19⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1812 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YwiSfj46e4.bat"20⤵PID:1048
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:544
-
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe"21⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:800 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LabqbH8bfv.bat"22⤵PID:1304
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:1004
-
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe"23⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1632 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5cWoBfSAzl.bat"24⤵PID:1848
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:2340
-
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe"25⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1644 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CTHuJZ10YE.bat"26⤵PID:2684
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵PID:2064
-
-
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe"27⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:852
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\providercommon\WMIADAP.exe'" /f1⤵
- Process spawned unexpected child process
PID:2548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\es-ES\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\es-ES\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\DVD Maker\es-ES\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\providercommon\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\providercommon\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Cookies\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Cookies\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Desktop\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Desktop\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Desktop\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2268
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\lsm.exe'" /f1⤵
- Process spawned unexpected child process
PID:1796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\system\conhost.exe'" /f1⤵
- Process spawned unexpected child process
PID:532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\system\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\system\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Windows\Registration\CRMLog\powershell.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Windows\Registration\CRMLog\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\providercommon\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\powershell.exe'" /f1⤵
- Process spawned unexpected child process
PID:1988
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\cmd.exe'" /f1⤵
- Process spawned unexpected child process
PID:1604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\en-US\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\en-US\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\ja-JP\csrss.exe'" /f1⤵PID:1516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\ja-JP\csrss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\ja-JP\csrss.exe'" /rl HIGHEST /f1⤵PID:1848
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\conhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\schtasks.exe'" /f1⤵PID:1692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\schtasks.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\schtasks.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:3060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\providercommon\wininit.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1564
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f1⤵PID:2772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\powershell.exe'" /f1⤵PID:2792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\powershell.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\powershell.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 12 /tr "'C:\providercommon\schtasks.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\providercommon\schtasks.exe'" /rl HIGHEST /f1⤵PID:2404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 8 /tr "'C:\providercommon\schtasks.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:3032
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5c81bd34d0a6c96857472f48f57a2681e
SHA194c48f3a8e53d7575bb6e63fc4e96f8465add7ea
SHA2564108845e3361bee686996f2d081fcf8f07a0a03478c8841a6bb71734ed73f435
SHA51226ffa61f231571f0a879a84a92adcae82a64f393dcf6d5d9040794b5704a5f072e93f97bb8a33605070355cd8b294ec41da0934b546f45e083567347ddc68f16
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD536cd85ee7cd479462a796fd255919c66
SHA1c814229569d539da91c76d1350c286acbe0f0d8a
SHA2566523860bbfe41ef3b9c1de8bfe74c77426689e54802b65aaf2162832592b6297
SHA512483b4f83dc2d9c240b78619011882f570c46909ba43c7623c6c9c08a65aab976cf29820915f7e7aab8920ceba5341b817fafd2e7a7b15f24d16d982c7c1d6633
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD55a054778cc6164a02f3734cc2600853a
SHA167f5aed4cf0b0c21234ef3e73aef2f3cdc4383f6
SHA2568e08e13e6a78f37d5a4836f5ec6b1811221ff1711ddd7339ee8cdcf7b77e6800
SHA5123ed817798ed0a262f5d124ddc1aa9f7ada82d352060e269de554dd610758eb841b73920f7b2082ce49c32b7c7d95627d1f29cb241d2f56ed7d2d7373fe4d6a23
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD57d8b0feb9c3a7c07b56582ff357d4791
SHA188015c4ef3ecbf864f000a6522361ead4bfee5fa
SHA25630a5f3b65f03b2dee98c31e8149c48bb096ad4d9d77564a1fbdc1507076dc00d
SHA512ffecdc894b1cd8da9ee6ab8dde1c33159a621f52b2138a14a500dc82aba92f71364c89dfff253e6cee9424c849835a6eb5a4f6c321da3c71ce08d176bc538e1e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5155bf46ae751725d4a01adddeea844ff
SHA1f3e80f8453ba7b32066d9938c0c43a96772cfa24
SHA25668576d632ba988927cf8ffa09c3de795b3039d7b920e19f52932fc515ad82753
SHA512fc2adf5a4a295045be5e08989a7d5a3c62b6b03f72628394488349fa42123c10eba11e13cb9d291561baa70c8119198bbe4fdc6ae02a9d276b23d4cf4a7baf2e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5471886f1671f4e83b08ddafa6004cc7b
SHA1aa956e5e0e8b3857dd56d110beba2feb29bf63ea
SHA25636a0852252f0dac82f8ddc1edc6f7436c9366094b14e1a04e8d4c3d0288e0c84
SHA512aedb6eea1c5f5eee5c30987ccb86c2c5439b3207980db0d0fd5a4fc4864322fbf7afeb2665719e452cc95fa90adda7ef66befaebba4dd52b74d3ae5196ac5b27
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5180af8bae5995a64e9fafeae6058d785
SHA17d2204400e4b1e23d6f62ad5877d42183a17a5a5
SHA256f5af2ac8f734cf14bf901b3d6b78fd06dcce9113cea083f9ec02b8bb70e18bb8
SHA512fa6deaf96c9df7e356e71062132be1c0cff1c6247b63648072e302e8a29bc6735b7004d441cb3c580a6e24bb6d5ec00d2e4334c399cae76d7db33c860c26f994
-
Filesize
241B
MD5c077816d8eb0029f2a72790189fbe404
SHA1bf184c821926ce4c8418f5940e467b2be4bf11fe
SHA256032d432bd501536b34ed0e68417cc366f79a14d58ac7f642992657d1a0cfe82c
SHA512a23b4c06c65752218983cd99723f7589c5a96aa4ec71bbf99c810712e2110fca64411e3c2031a4fac01f7a1f453279ff1168ca893fb83e45bf3a43e3273273f5
-
Filesize
241B
MD5b3d8b1d8f9e84c3d29e0d3d2a2122efb
SHA1d8aa2dd94ff7bef4ad3e15a2e2faaf33988387d1
SHA25604f54c02a6ac9a3f363247f08cfb99f620d0484a7e7e555e1fd36a6e3de9501b
SHA5129570dabfed846f09f412c4a31d4f82745a6f603b45eb1554ead9056ad8c9fa5bf766af378c3a48db4f0bca42fec8f72174f72010a094577710924bf431eea168
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
241B
MD5a6d55e9a85d156f734845987865e312d
SHA1432dd079491b3f1a03e3979cf0b0f5c812f09513
SHA2569efe25c0625a5bcedf0261121e3aa19c83aac373c6945931f59a4ef466d2c328
SHA512f33e2a5958523ae4984d82f7644e10233d919b2ccd1a507c70cc012fbeca95ab3132abdedb1389f54b59a02f5a7031068b0fad1ca5f392e5dcfc28154c092701
-
Filesize
241B
MD5934388c370167440b73b5e9d494917b6
SHA1952916255ba144e43cd2235ad235cdc74019c19d
SHA2565c7c5bd18e8c15b6d20ae6df5d2ef48476369c0100bba9aa90920b5381eb40bc
SHA512b4aa62402f934f5812e70c4f14448545b20b67fb61b5d1024090147ab4299873af8c19913b8328a0aa92c91dd29f92f98f28bb1e701b0060d871955f9ab6b743
-
Filesize
241B
MD5787f867cd568dd3390f0828f26b57105
SHA1166b6a7728abacb2c6c2d3921466fa21963b6627
SHA25677d902a95bd9feded85b461b4e0aa02413322db2d993347a9705f58341884546
SHA51241bbb79ded44d79f7e65bb6ed05e9ffc4095eaf5fca24290c6027fe4982425f1a33e057d9386f8eff94c79a6280362f8ee0a5d02c29becc1da59b1b97c0aa7d4
-
Filesize
241B
MD56d3eb680853c9d94dd051bb4235418f7
SHA1af75b4a6a1f3a4879f151e99882409baefe67f67
SHA25640b0a36209c796082b31873753eca5fdfc25a15b9c14e496dc912251c97444ca
SHA5122f59dc539a73eea797c5c9093fab78242c48885a1d2b9d4f9f6438da95e10449635dbbdd8d8572619c9745da6ee6ba154a2db0ce18d675dcb691bff19883362d
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
241B
MD5cd883d4a8d0a8b8e901713cd076d68b9
SHA1ad8f8afdb4cc0f27a839fbf12c51c1b7922dfdd3
SHA2568774238fbd788266654d1b92aa6cfdbda7fbb1b7421e7819c78226038202e6ce
SHA5122af1ec42007838522f02004bfc5a7040c2544fd5998e2091f16d2ad788c1246c09c2f5d34ad20326aafb57f3e7e45f41b0a4aaa93bfa43dcfb9cca99e581dd3c
-
Filesize
241B
MD5f53f39a240bcfce180aa29eebb76d774
SHA1c85bff5540138b68aaf9010c350ac48ad95aeeed
SHA2562c3f991c332a48b9d250d761a8988602b47b9cdb70b0f1b02ae926dddc7b97ab
SHA51280421b905b70ede07a8302fdc1108fadb4a09f1f4449c326945accef8d7aaf6b0930e619fd22dd1f94665552aec1debf839d46c952ce956c1796ce04b5f4f954
-
Filesize
241B
MD5c414d5fc7532e6ce3a32dff65e408f0d
SHA1ce6619414e295ad794209b5e77f797a62bb323b3
SHA25673c7278c305f4d7a954a21057de381b4b729515e0e0039c435b3fcc5a20f2b0b
SHA5127243040619f6da95bc43e018c00ac9b3161a1c11640dd400fa518acf6b5b5c70eac96283bc3f846243a2687e5306fb9b9ec175eeadceaabcc125b1ac135ffde0
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KVWW43Y2AN13U8NT0FP4.temp
Filesize7KB
MD5a7eacb8c13014643eb42d41c48afff6b
SHA13c8f8f4b3964ccacd1ae4d42b81979c7f970377a
SHA25663328a5fb294955d38a77b7cdffd896f1bd91dc9336dcbdff99d868ff3aea6a2
SHA5129be09cebf287116956cc814b908e740298f7b4cc9be938ec103999c6dd1288a79c604d178d14928ad48c329d0bf715a6c2e910f3149ce5580a0badc13dc51dc4
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478