Analysis
max time kernel: 148s
max time network: 154s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 20:19
Behavioral task: behavioral1
Sample: JaffaCakes118_4ad084980075d06ed003d1412c3678317e5759dc7baa74f8a5a6c8a3fc114a43.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: JaffaCakes118_4ad084980075d06ed003d1412c3678317e5759dc7baa74f8a5a6c8a3fc114a43.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_4ad084980075d06ed003d1412c3678317e5759dc7baa74f8a5a6c8a3fc114a43.exe
Size: 1.3MB
MD5: bc088505e2522ab98217205c4d01bace
SHA1: 6fff4b2725c066519eedf14c5bd9e5e71b8382b5
SHA256: 4ad084980075d06ed003d1412c3678317e5759dc7baa74f8a5a6c8a3fc114a43
SHA512: 493be489851159f6858217df1b663ecc3751bcb1b4d7126e33c125615b2640e0a2e5ee92cc2046ad6f07d00625b3d11fed228ac84ef0984e41796d5b8e9047ed
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process (51 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
All 51 rows share the same description, target and child: description = "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", pid_target = 2724, Process = schtasks.exe, procid_target = 34. The pid column, in the order reported, is:
984, 1212, 1952, 2424, 1060, 1964, 1816, 2352, 2132, 1584, 2396, 2228, 2972, 2260, 1256, 2584, 1792, 716, 2080, 756, 1932, 2372, 2064, 1440, 2576, 1408, 1096, 1868, 956, 912, 3016, 1492, 2660, 1156, 808, 1732, 2244, 1120, 1672, 1704, 1696, 1036, 1016, 108, 1044, 2292, 1616, 2184, 2792, 2944, 2900
resource | yara_rule
behavioral1/files/0x000700000001932a-9.dat | dcrat
behavioral1/memory/2756-13-0x0000000001190000-0x00000000012A0000-memory.dmp | dcrat
behavioral1/memory/2904-136-0x0000000001290000-0x00000000013A0000-memory.dmp | dcrat
behavioral1/memory/2444-432-0x0000000000010000-0x0000000000120000-memory.dmp | dcrat
behavioral1/memory/2980-492-0x0000000000C50000-0x0000000000D60000-memory.dmp | dcrat
behavioral1/memory/980-611-0x0000000001000000-0x0000000001110000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell (1 TTP, 18 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
All 18 rows are powershell.exe; the pid column, in the order reported, is: 2000, 2696, 2940, 2844, 1092, 2116, 2584, 2680, 396, 2868, 2188, 1608, 2528, 2644, 580, 2720, 2088, 2304
Executes dropped EXE (10 IoCs)
pid | Process
2756 | DllCommonsvc.exe
2904 | lsm.exe
2620 | lsm.exe
1976 | lsm.exe
1264 | lsm.exe
2384 | lsm.exe
2444 | lsm.exe
2980 | lsm.exe
2220 | lsm.exe
980 | lsm.exe
Loads dropped DLL (2 IoCs)
pid | Process
3036 | cmd.exe
3036 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 9 IoCs)
flow | ioc
9 | raw.githubusercontent.com
24 | raw.githubusercontent.com
31 | raw.githubusercontent.com
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
21 | raw.githubusercontent.com
28 | raw.githubusercontent.com
13 | raw.githubusercontent.com
17 | raw.githubusercontent.com
Drops file in Program Files directory (10 IoCs)
description | ioc | Process
File created | C:\Program Files\Uninstall Information\42af1c969fbb7b | DllCommonsvc.exe
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\56085415360792 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\101b941d020240 | DllCommonsvc.exe
File created | C:\Program Files\Windows Defender\es-ES\csrss.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Defender\es-ES\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Program Files\Uninstall Information\audiodg.exe | DllCommonsvc.exe
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\wininit.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\6ccacd8608530f | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe | DllCommonsvc.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\addins\csrss.exe | DllCommonsvc.exe
File created | C:\Windows\addins\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Windows\fr-FR\conhost.exe | DllCommonsvc.exe
File created | C:\Windows\fr-FR\088424020bedd6 | DllCommonsvc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_4ad084980075d06ed003d1412c3678317e5759dc7baa74f8a5a6c8a3fc114a43.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 51 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
All 51 rows are schtasks.exe; the pid column, in the order reported, is: 1952, 956, 1696, 1044, 2080, 756, 2064, 2184, 1120, 1672, 108, 2132, 2972, 1256, 2372, 3016, 1616, 2900, 2352, 1096, 1868, 1732, 1016, 2244, 1704, 2292, 1212, 1060, 1816, 2260, 912, 1036, 2424, 1964, 716, 2576, 1492, 1156, 808, 2396, 2228, 1792, 1440, 1408, 2792, 2944, 984, 1584, 2584, 1932, 2660
Suspicious behavior: EnumeratesProcesses (30 IoCs)
pid | Process
2756 | DllCommonsvc.exe
2756 | DllCommonsvc.exe
2756 | DllCommonsvc.exe
580 | powershell.exe
2720 | powershell.exe
2940 | powershell.exe
2868 | powershell.exe
2088 | powershell.exe
2528 | powershell.exe
2000 | powershell.exe
2680 | powershell.exe
2696 | powershell.exe
2116 | powershell.exe
2844 | powershell.exe
2644 | powershell.exe
2188 | powershell.exe
1608 | powershell.exe
396 | powershell.exe
2584 | powershell.exe
1092 | powershell.exe
2304 | powershell.exe
2904 | lsm.exe
2620 | lsm.exe
1976 | lsm.exe
1264 | lsm.exe
2384 | lsm.exe
2444 | lsm.exe
2980 | lsm.exe
2220 | lsm.exe
980 | lsm.exe
Suspicious use of AdjustPrivilegeToken (28 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2756 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2720 | powershell.exe
Token: SeDebugPrivilege | 580 | powershell.exe
Token: SeDebugPrivilege | 2940 | powershell.exe
Token: SeDebugPrivilege | 2868 | powershell.exe
Token: SeDebugPrivilege | 2088 | powershell.exe
Token: SeDebugPrivilege | 2528 | powershell.exe
Token: SeDebugPrivilege | 2000 | powershell.exe
Token: SeDebugPrivilege | 2680 | powershell.exe
Token: SeDebugPrivilege | 2696 | powershell.exe
Token: SeDebugPrivilege | 2116 | powershell.exe
Token: SeDebugPrivilege | 2844 | powershell.exe
Token: SeDebugPrivilege | 2644 | powershell.exe
Token: SeDebugPrivilege | 2188 | powershell.exe
Token: SeDebugPrivilege | 1608 | powershell.exe
Token: SeDebugPrivilege | 396 | powershell.exe
Token: SeDebugPrivilege | 2584 | powershell.exe
Token: SeDebugPrivilege | 1092 | powershell.exe
Token: SeDebugPrivilege | 2304 | powershell.exe
Token: SeDebugPrivilege | 2904 | lsm.exe
Token: SeDebugPrivilege | 2620 | lsm.exe
Token: SeDebugPrivilege | 1976 | lsm.exe
Token: SeDebugPrivilege | 1264 | lsm.exe
Token: SeDebugPrivilege | 2384 | lsm.exe
Token: SeDebugPrivilege | 2444 | lsm.exe
Token: SeDebugPrivilege | 2980 | lsm.exe
Token: SeDebugPrivilege | 2220 | lsm.exe
Token: SeDebugPrivilege | 980 | lsm.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2884 wrote to memory of 2088 | 2884 | JaffaCakes118_4ad084980075d06ed003d1412c3678317e5759dc7baa74f8a5a6c8a3fc114a43.exe | 30
PID 2884 wrote to memory of 2088 | 2884 | JaffaCakes118_4ad084980075d06ed003d1412c3678317e5759dc7baa74f8a5a6c8a3fc114a43.exe | 30
PID 2884 wrote to memory of 2088 | 2884 | JaffaCakes118_4ad084980075d06ed003d1412c3678317e5759dc7baa74f8a5a6c8a3fc114a43.exe | 30
PID 2884 wrote to memory of 2088 | 2884 | JaffaCakes118_4ad084980075d06ed003d1412c3678317e5759dc7baa74f8a5a6c8a3fc114a43.exe | 30
PID 2088 wrote to memory of 3036 | 2088 | WScript.exe | 31
PID 2088 wrote to memory of 3036 | 2088 | WScript.exe | 31
PID 2088 wrote to memory of 3036 | 2088 | WScript.exe | 31
PID 2088 wrote to memory of 3036 | 2088 | WScript.exe | 31
PID 3036 wrote to memory of 2756 | 3036 | cmd.exe | 33
PID 3036 wrote to memory of 2756 | 3036 | cmd.exe | 33
PID 3036 wrote to memory of 2756 | 3036 | cmd.exe | 33
PID 3036 wrote to memory of 2756 | 3036 | cmd.exe | 33
PID 2756 wrote to memory of 2940 | 2756 | DllCommonsvc.exe | 86
PID 2756 wrote to memory of 2940 | 2756 | DllCommonsvc.exe | 86
PID 2756 wrote to memory of 2940 | 2756 | DllCommonsvc.exe | 86
PID 2756 wrote to memory of 2088 | 2756 | DllCommonsvc.exe | 87
PID 2756 wrote to memory of 2088 | 2756 | DllCommonsvc.exe | 87
PID 2756 wrote to memory of 2088 | 2756 | DllCommonsvc.exe | 87
PID 2756 wrote to memory of 2868 | 2756 | DllCommonsvc.exe | 88
PID 2756 wrote to memory of 2868 | 2756 | DllCommonsvc.exe | 88
PID 2756 wrote to memory of 2868 | 2756 | DllCommonsvc.exe | 88
PID 2756 wrote to memory of 2720 | 2756 | DllCommonsvc.exe | 90
PID 2756 wrote to memory of 2720 | 2756 | DllCommonsvc.exe | 90
PID 2756 wrote to memory of 2720 | 2756 | DllCommonsvc.exe | 90
PID 2756 wrote to memory of 2696 | 2756 | DllCommonsvc.exe | 91
PID 2756 wrote to memory of 2696 | 2756 | DllCommonsvc.exe | 91
PID 2756 wrote to memory of 2696 | 2756 | DllCommonsvc.exe | 91
PID 2756 wrote to memory of 580 | 2756 | DllCommonsvc.exe | 94
PID 2756 wrote to memory of 580 | 2756 | DllCommonsvc.exe | 94
PID 2756 wrote to memory of 580 | 2756 | DllCommonsvc.exe | 94
PID 2756 wrote to memory of 396 | 2756 | DllCommonsvc.exe | 95
PID 2756 wrote to memory of 396 | 2756 | DllCommonsvc.exe | 95
PID 2756 wrote to memory of 396 | 2756 | DllCommonsvc.exe | 95
PID 2756 wrote to memory of 2000 | 2756 | DllCommonsvc.exe | 96
PID 2756 wrote to memory of 2000 | 2756 | DllCommonsvc.exe | 96
PID 2756 wrote to memory of 2000 | 2756 | DllCommonsvc.exe | 96
PID 2756 wrote to memory of 2680 | 2756 | DllCommonsvc.exe | 97
PID 2756 wrote to memory of 2680 | 2756 | DllCommonsvc.exe | 97
PID 2756 wrote to memory of 2680 | 2756 | DllCommonsvc.exe | 97
PID 2756 wrote to memory of 2644 | 2756 | DllCommonsvc.exe | 98
PID 2756 wrote to memory of 2644 | 2756 | DllCommonsvc.exe | 98
PID 2756 wrote to memory of 2644 | 2756 | DllCommonsvc.exe | 98
PID 2756 wrote to memory of 2116 | 2756 | DllCommonsvc.exe | 99
PID 2756 wrote to memory of 2116 | 2756 | DllCommonsvc.exe | 99
PID 2756 wrote to memory of 2116 | 2756 | DllCommonsvc.exe | 99
PID 2756 wrote to memory of 1092 | 2756 | DllCommonsvc.exe | 100
PID 2756 wrote to memory of 1092 | 2756 | DllCommonsvc.exe | 100
PID 2756 wrote to memory of 1092 | 2756 | DllCommonsvc.exe | 100
PID 2756 wrote to memory of 2844 | 2756 | DllCommonsvc.exe | 101
PID 2756 wrote to memory of 2844 | 2756 | DllCommonsvc.exe | 101
PID 2756 wrote to memory of 2844 | 2756 | DllCommonsvc.exe | 101
PID 2756 wrote to memory of 2528 | 2756 | DllCommonsvc.exe | 102
PID 2756 wrote to memory of 2528 | 2756 | DllCommonsvc.exe | 102
PID 2756 wrote to memory of 2528 | 2756 | DllCommonsvc.exe | 102
PID 2756 wrote to memory of 2188 | 2756 | DllCommonsvc.exe | 114
PID 2756 wrote to memory of 2188 | 2756 | DllCommonsvc.exe | 114
PID 2756 wrote to memory of 2188 | 2756 | DllCommonsvc.exe | 114
PID 2756 wrote to memory of 2304 | 2756 | DllCommonsvc.exe | 116
PID 2756 wrote to memory of 2304 | 2756 | DllCommonsvc.exe | 116
PID 2756 wrote to memory of 2304 | 2756 | DllCommonsvc.exe | 116
PID 2756 wrote to memory of 2584 | 2756 | DllCommonsvc.exe | 118
PID 2756 wrote to memory of 2584 | 2756 | DllCommonsvc.exe | 118
PID 2756 wrote to memory of 2584 | 2756 | DllCommonsvc.exe | 118
PID 2756 wrote to memory of 1608 | 2756 | DllCommonsvc.exe | 120
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[level 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ad084980075d06ed003d1412c3678317e5759dc7baa74f8a5a6c8a3fc114a43.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ad084980075d06ed003d1412c3678317e5759dc7baa74f8a5a6c8a3fc114a43.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2884

[level 2] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2088

[level 3] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3036

[level 4] C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2756

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2940
[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2088

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\My Documents\audiodg.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2868

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2720

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\lsm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2696

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 580

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\conhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 396

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2000

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\audiodg.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2680

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2644

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\wininit.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2116

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1092

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2844

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2528

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\conhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2188

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\es-ES\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2304

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\Assistance\Client\1.0\services.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2584

[level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1608
[level 5] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u7id3hG60a.bat"
  PID: 296

[level 6] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1156

[level 6] C:\Users\Default\Templates\lsm.exe
  Command line: "C:\Users\Default\Templates\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2904

[level 7] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2U51WDObLZ.bat"
  PID: 1652

[level 8] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1660

[level 8] C:\Users\Default\Templates\lsm.exe
  Command line: "C:\Users\Default\Templates\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2620

[level 9] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat"
  PID: 548

[level 10] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2424

[level 10] C:\Users\Default\Templates\lsm.exe
  Command line: "C:\Users\Default\Templates\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1976

[level 11] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat"
  PID: 2816

[level 12] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2696

[level 12] C:\Users\Default\Templates\lsm.exe
  Command line: "C:\Users\Default\Templates\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1264

[level 13] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\38MS6cfT7h.bat"
  PID: 3016

[level 14] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1684

[level 14] C:\Users\Default\Templates\lsm.exe
  Command line: "C:\Users\Default\Templates\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2384

[level 15] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rZY5mW9Lj2.bat"
  PID: 2252

[level 16] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1088

[level 16] C:\Users\Default\Templates\lsm.exe
  Command line: "C:\Users\Default\Templates\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2444

[level 17] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8pOjIocmws.bat"
  PID: 2736

[level 18] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2596

[level 18] C:\Users\Default\Templates\lsm.exe
  Command line: "C:\Users\Default\Templates\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2980

[level 19] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZcfpJnj91J.bat"
  PID: 924

[level 20] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 900

[level 20] C:\Users\Default\Templates\lsm.exe
  Command line: "C:\Users\Default\Templates\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2220

[level 21] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sodlpYYBfa.bat"
  PID: 2432

[level 22] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2600

[level 22] C:\Users\Default\Templates\lsm.exe
  Command line: "C:\Users\Default\Templates\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 980
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Default\My Documents\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\My Documents\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Default\My Documents\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\providercommon\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Templates\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\Templates\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Templates\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\providercommon\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Documents\conhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\Documents\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Documents\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:716
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\addins\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\addins\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\providercommon\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\fr-FR\conhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\fr-FR\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\fr-FR\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\es-ES\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:108
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\es-ES\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft\Assistance\Client\1.0\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Assistance\Client\1.0\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft\Assistance\Client\1.0\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 912a7c6e7139b915a808e3eeb1ec9079
SHA1 066e60ca7019d472b47e16a90d8407883488e4b0
SHA256 c79609bba0f2c2efac21d56b01e0e6de199158e666c5e702698764a0f907626b
SHA512 476c043268f3db9945adf45eb2d44231e092c010ebd3dc9e61c95f00491c1355e8b919efa69803a50e342847b09cb59bff658aa7e9c5ddef122212df55bb1a33
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 520184d056f0061f13c8b99306bec9f9
SHA1 bda6704bf6d8aa2583a47ebe11b877225679f1f6
SHA256 aa62e2bf9f3d694f794ad62c11328c26e4ab9b5752edeab876c48e1b8579703e
SHA512 c196e536fe8eafe9114bd917b8fcc2a624d1aa114c8abb3fcc78242e8699a8b23009f3aeb3a71ef1b3465cfabf4203489503f19402958b7b5fa76938169eb9d6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 9c48f7fd33cb00b1ca6d33312c97f051
SHA1 257395016576c59a189e38ae46741af152bad41f
SHA256 8570611b196281cf17e5bbcf9734a4755752cb4b19a58129f1f817a618edfb34
SHA512 8b890fe6c20d4990c61a34b6fe4487d745610197eacf9858850105e705b7ed22d60192de9b9220f57a4f8d641ac74fd5324bcd8e714739ef3e20ea9605a4185d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 4d162e0d1ba82d316ef9c9a9ed4ecfb1
SHA1 91e1e972c98de5ed4394ded76cd9463caf05e82f
SHA256 cc7a0fa77e2ba9476dce339d80f973e036dae557c5c42754da6b1238e3f8cf56
SHA512 1cf2107ff7580b2260cb01bd90828e9945da5ecd88e4ebd8aed80740ab7ce5d35a40a7474ab2bd1677f44e734d3457723f59063a3d6924234b7a53bc9b02326e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 e058748fe2ea523a09e7a0e7dbf6a87d
SHA1 f0be22f03e24e4c513b1377a7f4c780ae2a33a0c
SHA256 d114883e8ac7f77377971e0b71105243cf5d281970cfd968760915918b9f8682
SHA512 0845209777a9d663c63791bb1181d12f89b1bdaaead9f20d0ace8f94b740f6fa94caaa9eca364a309dabaa032053a0549a98977b69d1a939a55e8acf9df05c30
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 ad33dc471ce448766cd78290fa67cc15
SHA1 72bf51e72db6dba2a189b8c8deb798371c5c83db
SHA256 44c97c311f28aa61b6dc6cf8904533db0362ad2804317696487675e7fef7ad7d
SHA512 0aa01060c24e8dbe50382879968e9ca145a8e019b8bef777da690b7f4a72f1ec22172c75e52a68de7069e6fc68225feb2a6029096aec614f7334d417010d2203
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 779fe4b06e874e614c29c0039be04fa0
SHA1 556dc9c776121c34438db24aa214861ffbf1784b
SHA256 15c92c50d670360a04f1a7a7962606ff8b5d40635671eb330f0e3639ce349faf
SHA512 095f84f89cab23881d4549d68306d9b620976a40beeb3803fe5944706d3b964ddfcbb1c08cfd1335cd7dea97adaa66d3964518a136095332f0466813424389b1
-
Filesize 199B
MD5 c988a6207f86072a3cffa75dc851c18f
SHA1 6b615b524481d44e655ac3e2d272b5e23673035b
SHA256 bade979b0b47d9cde50aa0d10763461c383e0b52b73f79676fbb34007b3811c9
SHA512 6f7384dd96da5839b7316fb373b0f4c1425290232c2bede6fca6c769dbddb1bf0eaf2d532699ca6e9343075e54463308d28a4c52e159350a4a5c691cd1441081
-
Filesize 199B
MD5 04ec1a204a6542b9c374e750f4fe48f7
SHA1 402a3bbac923d9c492d36c7c30b451f8190fe080
SHA256 20fa68418d44eb0d356ff51ef2ce79c8681e29bd891af3e0c2455c3eecdcc04e
SHA512 ced3919c52ecd55a73ba47f6485d32034e00e3ff572d82bbc73f8003d177835ec087dbd7ed373718c4a2b8f9316f28a9474d21dd1896b9246fae4d26d9218543
-
Filesize 199B
MD5 b309fc63dd46eb1750a88266a4bd5ff8
SHA1 e6a1384e00a70102b8036c14d83e934c954bea04
SHA256 9d233056249c8e9de825f9556e6b6392cf477b2175baf5896fdb67383c1c398f
SHA512 f5c7f3f24714c7553d4f3dbf4fd22f71056e28638195052e00f305f99e4c0d1ac714c3db6bf06f172823a911966d15621fa292f9ae4ba899cd242e88f92d0900
-
Filesize 199B
MD5 907eb9bb3992bcc83183183637329cce
SHA1 762d492113aa2838427f000915f81677f1ab0941
SHA256 87d855bc58fc395d1e5bf555984888890f497234713b17badea0b9e1822c33b8
SHA512 c03da8e3285a325aa20c5f2fecfcdf8271fba8c53fe759e180caefb07d254c4acbc2bdd0051b944d31c98ff9d2e9f603fc2b7ba0d1c0f1e3f2e7f9963adc5ff1
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 199B
MD5 72f79146e3fd8fa29e128e3db7347272
SHA1 94befa2dad1bd8f75e6eacf013d0f92f6a59018a
SHA256 57fe68f776f0328e8be8136e9d5f6ec47eee51a5b5824af6e2d3dd530fd6588f
SHA512 97c3bccbcab908d3ca132acf5da370969e983ef8311607cbe6f98f08754d92ccbd0116f6acbbfcd07be1e6c88c88f0bc11b1b22571eefc82ed2cdaa7ed6fd47b
-
Filesize 199B
MD5 1e6df2bd09228d528fb6016a3f017cda
SHA1 11df58b7dafa992a1fe0deff37769436a06e138d
SHA256 fb5d9f413b4272ae47b8c011527d3a4e23d5bc3e63ff04319c05afb1f90bfecf
SHA512 b8a36424ef2e3fb742ba9064818f783e2e9a1f09266c970e6591d4605bb2aa62102617c5229066f8ff2d40bd460802609d12a311433686b85f05572b488be8f5
-
Filesize 199B
MD5 14ccce57c2b811a9fcbfdb035b2891f1
SHA1 efdd06a28e18d9e44ec36ebcd54375abb70a732c
SHA256 81e6467816cc47fd589b01e0f518f3be163c0b9435c9156034348917509ac5fe
SHA512 53dda58723110e45f01cc44a78fdaed79fb33c200ed985a001086d4453e6203eba435bb9faa1f796cfddfbf6dce5cf1fe62925e938cc46aacc6664943ae540f6
-
Filesize 199B
MD5 a556dab8c2b424416c223cdf2fd14eb7
SHA1 108f3af56b0f32074eb77cdc174e8c3732c67bc7
SHA256 f03cbcf6a43c47f6d53048a8a4236070d5ffc0e80accdb767a17b086cd76552e
SHA512 2503162cede34ed7188a7b58a868bb32df4cb5602df0c1b8d06376e23f1883788a13cebd808a757a1e435bfbf08ef2394c279f5bb7bfc9efdaf9b5eeaf7dcef2
-
Filesize 199B
MD5 7b47d6ad1a828ef97cfebb73aa5c1250
SHA1 d14b76c2dbd91530ca2c6ac47bfe455ee6429eee
SHA256 8f473eb730dc4c2764f035838995eba3c29deed89b856c476c13c330cef137d2
SHA512 4b7b4baa1d5a4511005b589b0d7ada2a6535d9a76119a7ad2079964c1a36c80f880d3d61166340dd63a4211f6613a48396e1d2ecb8d2c21b251c066ccb31d533
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YJSXCDLWFBA1MUI929LD.temp
Filesize 7KB
MD5 02f711b093f12e7b68e427a84465e80e
SHA1 83f5bef94c8bb966d1694a9d789a748923155fad
SHA256 04ebdef6c977e7498f607fdb9a5c318f3861a4ba19373119b1e20959891c6e20
SHA512 99e9f2047f43afd772c53b093637b34d35fb5e8eca2553a518a80a1d9fae78c327b7ed22b71ae0a4a18230cef3494af742cd3483dd71f0fd1344a954a2c07a52
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394