Analysis

max time kernel: 144s
max time network: 141s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 20:00

Behavioral task: behavioral1
Sample: JaffaCakes118_b7f3c21430ebaba10471237315b5df88ae20712d12064a31dd48b2bb4a51029b.exe
Resource: win7-20241023-en

Behavioral task: behavioral2
Sample: JaffaCakes118_b7f3c21430ebaba10471237315b5df88ae20712d12064a31dd48b2bb4a51029b.exe
Resource: win10v2004-20241007-en
General

Target: JaffaCakes118_b7f3c21430ebaba10471237315b5df88ae20712d12064a31dd48b2bb4a51029b.exe
Size: 1.3MB
MD5: 2138db9c69014b6f16e27559f7c303d0
SHA1: d716531badf6ed4189ad0759b2bcbb52c2061948
SHA256: b7f3c21430ebaba10471237315b5df88ae20712d12064a31dd48b2bb4a51029b
SHA512: 7556400609383526a3a70ff557405e67dd743d91a5b091eba3fb986e00ea13515ec62fca5cb514a9b64af9174bb79f9b20455075faa38aac1e92d111c3527040
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Executes dropped EXE 11 IoCs
Loads dropped DLL 2 IoCs
PID 2544 cmd.exe (listed twice)
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
ioc: raw.githubusercontent.com (flows 4, 5, 9, 16, 29, 12, 19, 23, 26, 32)
Drops file in Program Files directory 16 IoCs
File created by DllCommonsvc.exe:
- C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\ebf1f9fa8afd6d
- C:\Program Files (x86)\Google\WmiPrvSE.exe
- C:\Program Files\Windows Mail\de-DE\explorer.exe
- C:\Program Files\Windows Mail\de-DE\7a0fd90576e088
- C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\wininit.exe
- C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\a76d7bf15d8370
- C:\Program Files (x86)\Google\24dbde2999530e
- C:\Program Files\7-Zip\6ccacd8608530f
- C:\Program Files\DVD Maker\taskhost.exe
- C:\Program Files\DVD Maker\b75386f1303e64
- C:\Program Files (x86)\Google\wininit.exe
- C:\Program Files (x86)\Google\56085415360792
- C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\cmd.exe
- C:\Program Files\7-Zip\Idle.exe
- C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\56085415360792
- C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\DllCommonsvc.exe
Drops file in Windows directory 1 IoCs
File created by DllCommonsvc.exe:
- C:\Windows\winsxs\amd64_microsoft-windows-p..alcontrolsmigration_31bf3856ad364e35_6.1.7600.16385_none_a722cd63cf18943a\csrss.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by:
- WScript.exe
- cmd.exe
- JaffaCakes118_b7f3c21430ebaba10471237315b5df88ae20712d12064a31dd48b2bb4a51029b.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 31 IoCs
Suspicious use of AdjustPrivilegeToken 29 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[Level 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b7f3c21430ebaba10471237315b5df88ae20712d12064a31dd48b2bb4a51029b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b7f3c21430ebaba10471237315b5df88ae20712d12064a31dd48b2bb4a51029b.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2396

[Level 2] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2420

[Level 3] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2544

[Level 4] C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2780

[Level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2388

[Level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\audiodg.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2152

[Level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\wininit.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1988

[Level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\cmd.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2628

[Level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\WmiPrvSE.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 652

[Level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2608

[Level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Idle.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3004

[Level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\de-DE\explorer.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2568

[Level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\cmd.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2512

[Level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\taskhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2848

[Level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\System.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2796

[Level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Favorites\Links for United States\cmd.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2816

[Level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2860

[Level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\wininit.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2712

[Level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2828

[Level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1684

[Level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2592

[Level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\taskhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3012
[Level 5] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5IvKsOZkKm.bat"
  PID: 1732

[Level 6] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2004

[Level 6] C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe
  Command line: "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2948

[Level 7] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uItNEyebdJ.bat"
  PID: 1716

[Level 8] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 640

[Level 8] C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe
  Command line: "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2012

[Level 9] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtKWrLEt72.bat"
  PID: 1456

[Level 10] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2040

[Level 10] C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe
  Command line: "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2456

[Level 11] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5Ad8adCyX4.bat"
  PID: 1772

[Level 12] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2668

[Level 12] C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe
  Command line: "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1652

[Level 13] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CWxqMEPA9M.bat"
  PID: 1580

[Level 14] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2868

[Level 14] C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe
  Command line: "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1236

[Level 15] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat"
  PID: 2136

[Level 16] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2724

[Level 16] C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe
  Command line: "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2608

[Level 17] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat"
  PID: 2728

[Level 18] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2952

[Level 18] C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe
  Command line: "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 868

[Level 19] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MTMDnLe0ZL.bat"
  PID: 2656

[Level 20] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1044

[Level 20] C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe
  Command line: "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2408

[Level 21] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hevtjRcN1r.bat"
  PID: 2592

[Level 22] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2168

[Level 22] C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe
  Command line: "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1404

[Level 23] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tGPC7CVf0d.bat"
  PID: 2244

[Level 24] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 972

[Level 24] C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe
  Command line: "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2132
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Libraries\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Libraries\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Libraries\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\de-DE\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\de-DE\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Desktop\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Desktop\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Favorites\Links for United States\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\Links for United States\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Favorites\Links for United States\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\providercommon\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\DllCommonsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files\DVD Maker\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596
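The process tree above is the whole persistence story of this sample: for each dropped payload, three `schtasks /create` calls register a task named after a Windows process (a MINUTE trigger, an ONLOGON trigger at `/rl HIGHEST`, and a second MINUTE trigger at `/rl HIGHEST`), pointing at a copy of that process name in a directory where it does not belong, and every action path is wrapped as `"'...'"`. The Python below is an added example, not part of the sandbox report or of any tool it names. It parses such command lines and flags those properties. The first four sample lines are copied verbatim from the tree above; the fifth, a nightly backup task, is constructed as a benign control. The impersonated-name list, the allowed Windows directories and the 15-minute threshold are my assumptions.

```python
"""Added example: flag schtasks /create lines that match the persistence pattern in this report."""
import re
from pathlib import PureWindowsPath

# Process names the dropped payloads borrow. Genuine copies live in the Windows directory
# (System and Idle have no on-disk image at all), so the same name anywhere else is suspect.
# Assumption: this list and LEGIT_DIRS are mine, not something the report states.
IMPERSONATED_NAMES = {
    "csrss.exe", "wininit.exe", "winlogon.exe", "lsm.exe", "taskhost.exe", "audiodg.exe",
    "wmiprvse.exe", "explorer.exe", "cmd.exe", "system.exe", "idle.exe",
}
LEGIT_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
MAX_BENIGN_MINUTES = 15  # assumption: re-launch intervals this short are rarely legitimate

_TOKEN = re.compile(r'"[^"]*"|\S+')                            # a double-quoted string or a bare word
_FLAG_SWITCHES = {"/create", "/f", "/z", "/it", "/np", "/v1"}  # switches that take no argument


def parse_schtasks_create(cmdline):
    """Parse a `schtasks /create` command line into {switch: value} with quotes stripped.
    Returns None when the line does not create a task."""
    tokens = _TOKEN.findall(cmdline)
    if "/create" not in {t.lower() for t in tokens}:
        return None
    args, i = {}, 0
    while i < len(tokens):
        key = tokens[i].lower()
        if key.startswith("/") and key not in _FLAG_SWITCHES and i + 1 < len(tokens):
            args[key[1:]] = tokens[i + 1].strip('"')  # e.g. args["tn"], args["tr"], args["rl"]
            i += 2
        else:
            i += 1
    return args


def assess_task(cmdline):
    """Return the reasons a task-creation line looks like malware persistence ([] = nothing found)."""
    args = parse_schtasks_create(cmdline)
    if args is None:
        return []
    reasons = []
    action = args.get("tr", "")
    # Every entry in this report wraps the action path as "'...'"; the inner quotes are a string artifact.
    if len(action) >= 2 and action.startswith("'") and action.endswith("'"):
        reasons.append("action path wrapped in nested quotes \"'...'\"")
        action = action[1:-1]
    path = PureWindowsPath(action)
    if path.name.lower() in IMPERSONATED_NAMES and str(path.parent).lower() not in LEGIT_DIRS:
        reasons.append(f"{path.name} outside the Windows directory: {path.parent}")
    if args.get("rl", "").upper() == "HIGHEST":
        reasons.append("runs with /rl HIGHEST")
    modifier = args.get("mo", "1")
    if args.get("sc", "").upper() == "MINUTE" and modifier.isdigit() and int(modifier) <= MAX_BENIGN_MINUTES:
        reasons.append(f"re-launched every {modifier} minute(s)")
    return reasons


def group_by_payload(cmdlines):
    """Map each action path to the task names registered for it. The dropper registers three
    tasks per payload, so a payload with several tasks shows the report's pattern at a glance."""
    groups = {}
    for line in cmdlines:
        args = parse_schtasks_create(line)
        if args:
            target = args.get("tr", "").strip("'").lower()
            groups.setdefault(target, []).append(args.get("tn", ""))
    return groups


# The first four lines are copied from the process tree; the fifth is a constructed benign control.
SAMPLE_LINES = [
    r"""schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Libraries\audiodg.exe'" /f""",
    r"""schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Libraries\audiodg.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Libraries\audiodg.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe" /f""",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_schtasks_create(line)["tn"], "->", assess_task(line) or "no findings")
    for target, names in group_by_payload(SAMPLE_LINES).items():
        print(f"{len(names)} task(s) for {target}: {names}")
```

In production the command lines come from Sysmon event 1 or Security event 4688 (with command-line auditing enabled), and the resulting task registrations from Security event 4698. Note what `/f` does to the triplet: the second `audiodga` registration forcibly overwrites the first, so the tasks that actually survive per payload are one ONLOGON task and one MINUTE task, both at HIGHEST.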
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 293aa6d1f23f6f638c8514e0ceb68642
SHA1 d36eb1c882b42191fc555965c329ba9c515f3962
SHA256 d77dc7a23ca70a433e22738060a9135acc1d4b2d57b6f104c2e9afdea9861ae5
SHA512 3490e405b5fcc1a461ad848bf4400972733e03557f3365503bd3cccf4e1313a7c88c2b84782f447a392a4ae61d49a4fee4494ffb3a6e7a979e798403dfcebad6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 75474c11cd1116caf7837f05e78c2259
SHA1 d30976c0b132f9aebe0dee0a055bcdf25bf3558e
SHA256 1dca09f1a9af6133461674a247b8258c7c9ef6725d11cd327590df62ec694ac9
SHA512 b13c26759ae2386b30a4c8ef7be2febc37120c070d75e30eb2ca4b348728e575a6a13b31e0760a57c61baadeaae4b63949d456d9747671962ddea3ff29578415
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 40c22aacc0d2354dc57c6dde3a2c4eb7
SHA1 8cb3e62faafd277cfd338ed634079dad78c03033
SHA256 d8717b6d987677f264e63a8f3bbefafccbd205c5964836864a7a4aaa65ca14dd
SHA512 91d8de4d38ef6487ea28392c9c1f040fa353668dfdb103d9b5ab8984b11f13b3f5a2686f522432c7dca4beeb02a2a6f0ec28f0d2360c7c28c2d2fe8ca84bd7b2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 8c4278e5b35c5dfce55de8e98cf7da65
SHA1 920ca576b936d3a4db1a9d3d04304c99fd3b6a50
SHA256 588d1238e303ed2b33db890951ce2196be694905a8889a51678bc8584193e745
SHA512 f5a2ff0a4e8c7e076c298eb977b1eaef3247820440972e2f505ae6b3151f0ca18ffb048af3e49234ac998cc50fdd33a0c98327f5cfa66c75f10f9ceec4778b3e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 7177e045d26d3179111cbe8ebf9dd39e
SHA1 da4f9b1dee0ffb34a573a35d4545bf04f180ba29
SHA256 8438e2755e2ee6ee72398c67c0b106f18d3206f5f5a1f3cf57083a64dd311c8d
SHA512 1fb8a73bb7dcd45ec7cef93552d23d5b655376ca61697b85c33d04c78f1228a9f0578fe953b55c7ff9bb36a40a25b258958a09994c7bb8ca239b830dcb37f6b6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 3640048136a67eee08d4a3088700bb3e
SHA1 0bbb29c1ec0d9fc0b1e9d62024d66ad72ef6f11f
SHA256 dc39b3b30e134b1e8e53d998196d8ea97f73dbc3683a04a514863482575822fa
SHA512 1a2d9c2034200024789a56bf7e572ac9cb4c6dad344d779ad2be44ecc11840d6bad2d35a35b2d67abec2612923f93800644cb35df207ffff0df0a78f06f1cc79
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 ee20e09c6311c5a5c8859a151b357e2d
SHA1 5f3a8393af0bfc598083d65919e8ba9870d67387
SHA256 d3d4223d08fc357b58bc68f25e035b4018bf929764679f7f4fe55a316ae00f99
SHA512 0fd73bd06a54579faa106f260e4895fc286413b94f7f31ced0e61160c6f2d344385b4509593d2d3746038a8c5af0b6cdfac61b8854b17290223311ee685f40f7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 1efa9887dd9916c2e26edf0e4a065174
SHA1 bda0a015b2ae5dc7935c0b7d8a36771d90b73000
SHA256 4119548c5e54796c031e1769d43b20022dbe769671be99dee0264f558e1d67d0
SHA512 0a77327b059de3aa9ee6163002c29d59165b1041e096091fe5525b038b3652caa2d9bdc1bc9185b40e2857319b4e607e97cdff903e01a1487bb860d518919c32
-
Filesize 239B
MD5 ff60eca041e1f809bc5f5674ed7d7240
SHA1 1b5dd47de3ac2f0ff1dfb7a5f5ecf9f3a2d55ce4
SHA256 e4637d06cae5b77b1575ca159259246c6db91c155fc2bf0cfd2e4f874470a77b
SHA512 1224e7c45f7dbd765626d4d10ddbe3d3c80f1c00bb2ae32032c80eb3ed40eed3636bfe7dafc8f111d541266e813fbc8ec11f711b0ac02259666069c727813d0b
-
Filesize 239B
MD5 e03818f1c0bd9431e0819a070fc792ac
SHA1 cd8c99a2c6fbce32c0b8d5202f6f849e9e39bd20
SHA256 bb4085b65cb7521b1d37652fccb44b7658e152185ca5a6ff6fa27b784b8faf14
SHA512 9450b2794b3bfdfc4df4b179b6b418ba5de5c5383d5c6ebd4a72af0f777d708a779b6f5e3b04fc0fed58fe05f7925b25e09fb9187c4decbeaa0f5bcefdb61717
-
Filesize 239B
MD5 dc4d2d0f50f5b4ff65911dde3cd688e0
SHA1 d66308198b97d11c0563a092f01dc2c9d4caf99b
SHA256 adafc8c2cc8c91888f30e0ee1fcd47bfaa61d5a4452c88a59bef440700678fb9
SHA512 e2966995d61659ac4139ab91ce1da1197cf9852a3fe02e7963f9071c8560b498a20167a10a7a73c6eecc0eb7b75b1b357476f218fb0dac8f38573413c4f2275f
-
Filesize 239B
MD5 80d4a5a52ea749c7bc170971a65de203
SHA1 a4b6afa5235f6b4a152c7d3ded78278f581aea53
SHA256 78c9f77e28b2665bcd52c9202a61550b407d5c64f4412aa36c9b6b6b972d85ac
SHA512 433ee9484234c38550680353dede6e000c981d68c0e3d748c0d45589741aa6089032c66fd69274ac41536bfa36ae66d936aba7ae8f67d9b0c9ae1afa748d9263
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 239B
MD5 8e50776f35b052af019a1bcf2f188df8
SHA1 4dbaa3c5fe76c86a3f4b305b6c87fd8b92045549
SHA256 0fe2aa4e28355342dd2e2b5e1d8b77fbc493af787b0c313acd33a6991a431df6
SHA512 33d8ca52fde61c68a6ae6271bec4160eda0e8419e4cf889443c244a01916e45e8a57c0c946a3ef9f218d741ff05c9721508a18cb419c07b1cd27fd8333172ae9
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 239B
MD5 8511296031286c2291cdc594a54c40ae
SHA1 f3f804146778c27dab14d57aed66ed20e58a3a35
SHA256 682fdf88ff174d513fe1a3c2d0601a9615d654adf89eb6e06cd72decebc64d4b
SHA512 55fb5d816e8a0dc612c22f3603067cda79022eac90ea402d32742a6b93ea66bd81548ea009f8268b670959128cda16df009eb9ad74d08fdaef1b5bfb6f9c0bf1
-
Filesize 239B
MD5 b0b4177f59f88fe0cea4cbc116f89315
SHA1 8f8ed4fb7a9ac3d55f0659c10bb42df913a3e031
SHA256 8abcc2e110886a948c89b2c9b954ae4896f174ea783280c926ec7c703f6fad29
SHA512 b17e7a64558190d144eb471ec817799ca2a97ed2e202eb9dbbd9c125f23a1c34379c23fd2cb65fd2a3cc9244a116db044947336e0b9dcc6b957613656422cd7f
-
Filesize 239B
MD5 bea24eeb1d13801f5436ce3dbb860366
SHA1 b8711e0b283ed5389a741f2f578444ffed042a07
SHA256 7f49c0a335d60fda01362c3b819907779231e9b229ff15258d22d12d00e690f0
SHA512 3358841ecb6682dcb4d4f64cbf168349f6a0cfe8b524619e336c9d9fa749f6bc3307301c388d2a4f8b6ad33a49dd863ed84a15640b0d96cbef3855a498531899
-
Filesize 239B
MD5 bd8ad7fc1d270e95096d820a228a08a1
SHA1 1664134d6271156b094c4beee1e4bb2889b207fc
SHA256 49fea6506f7b53b10eb1f64cb7ffa7b19ccc9433d1e8c00998b40c1970452cdd
SHA512 9410d6e058d044aa014cb646b8759b7f6e877f3d31a85b8b1e640ec57ef9a2bb422515f0cef9f248577cb89c1c028484772242556c766578ba72bbea937fbc9d
-
Filesize 239B
MD5 b80be0b3adeffc45c5455afebb7982ad
SHA1 cb87db7d10cc90df6168993485f7cf9dee2c997f
SHA256 77ef34a7675898417c5dcb57d99ea3f4ed076cd70d15f25e5ef4a118ec7251a6
SHA512 f4ddf1c5d03164fc3e5d146f54e2edbd74d09b7be9db006795c49a970afb7fe5cbbdaefc4e82b7f76d410e740d934d426ed65e6c6805b60ccd19581b52dc87e3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 a639c8adf90f29b2947265ce1858d9a4
SHA1 335818e7f95bcdfcbb1855f4e2fa46fc2849bc2a
SHA256 ff673b9d1fedcfe57e9f86ebc46128d4fc373e00d08f9e85e8cc4ac443ab9f49
SHA512 a6295ed223820dd88f83e2eab6c337540c0b47a78ff726a1a29228640ddf709a79bb8d0dceb94951c85dc0b86c35c1a3963b67b27ee2687d8979bc54fe237afa
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394