Analysis
max time kernel: 148s
max time network: 149s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 21:17
Behavioral task: behavioral1
Sample: JaffaCakes118_d0cd6a65031ca35cc534b69899d724a668d22af2f4d27b07808cae9d80b49e94.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_d0cd6a65031ca35cc534b69899d724a668d22af2f4d27b07808cae9d80b49e94.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_d0cd6a65031ca35cc534b69899d724a668d22af2f4d27b07808cae9d80b49e94.exe
Size: 1.3MB
MD5: e1d3b3250a258e30c5fcff5ede8c87c2
SHA1: b5c0c519f6f740758adbfd4a3f994d8280515a5d
SHA256: d0cd6a65031ca35cc534b69899d724a668d22af2f4d27b07808cae9d80b49e94
SHA512: d7ed87a4e722863349f40a41d8728b541618fad80f2996c7693130e87f5a815ddf6e2aef6287e432c16b11b7fb1ca97a3f3739ce786fb53a2b2e12fd1ec61c0e
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid   Process
1728  powershell.exe
1000  powershell.exe
888   powershell.exe
1492  powershell.exe
1768  powershell.exe
1588  powershell.exe
1432  powershell.exe
872   powershell.exe
1044  powershell.exe
112   powershell.exe
1732  powershell.exe
1252  powershell.exe
3044  powershell.exe
2336  powershell.exe
2276  powershell.exe
Executes dropped EXE 13 IoCs
pid   Process
2712  DllCommonsvc.exe
1976  lsm.exe
1636  lsm.exe
2244  lsm.exe
1896  lsm.exe
1972  lsm.exe
2496  lsm.exe
1576  lsm.exe
2704  lsm.exe
1504  lsm.exe
1492  lsm.exe
1092  lsm.exe
2384  lsm.exe
Loads dropped DLL 2 IoCs
pid   Process
3064  cmd.exe
3064  cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow  ioc
4     raw.githubusercontent.com
25    raw.githubusercontent.com
29    raw.githubusercontent.com
32    raw.githubusercontent.com
36    raw.githubusercontent.com
40    raw.githubusercontent.com
5     raw.githubusercontent.com
9     raw.githubusercontent.com
12    raw.githubusercontent.com
15    raw.githubusercontent.com
19    raw.githubusercontent.com
22    raw.githubusercontent.com
Drops file in Program Files directory 13 IoCs
description   ioc   Process
File created   C:\Program Files (x86)\Windows NT\TableTextService\en-US\smss.exe   DllCommonsvc.exe
File created   C:\Program Files\Windows Journal\fr-FR\conhost.exe   DllCommonsvc.exe
File created   C:\Program Files\Windows Journal\fr-FR\088424020bedd6   DllCommonsvc.exe
File created   C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\csrss.exe   DllCommonsvc.exe
File created   C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\886983d96e3d3e   DllCommonsvc.exe
File created   C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dllhost.exe   DllCommonsvc.exe
File created   C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\5940a34987c991   DllCommonsvc.exe
File created   C:\Program Files (x86)\Windows NT\TableTextService\en-US\69ddcba757bf72   DllCommonsvc.exe
File created   C:\Program Files (x86)\Adobe\Reader 9.0\sppsvc.exe   DllCommonsvc.exe
File created   C:\Program Files\Windows NT\TableTextService\en-US\wininit.exe   DllCommonsvc.exe
File opened for modification   C:\Program Files\Windows NT\TableTextService\en-US\wininit.exe   DllCommonsvc.exe
File created   C:\Program Files\Windows NT\TableTextService\en-US\56085415360792   DllCommonsvc.exe
File created   C:\Program Files (x86)\Adobe\Reader 9.0\0a1fd5f707cd16   DllCommonsvc.exe
Drops file in Windows directory 4 IoCs
description   ioc   Process
File created   C:\Windows\Fonts\taskhost.exe   DllCommonsvc.exe
File created   C:\Windows\Fonts\b75386f1303e64   DllCommonsvc.exe
File created   C:\Windows\Prefetch\ReadyBoot\spoolsv.exe   DllCommonsvc.exe
File created   C:\Windows\Prefetch\ReadyBoot\f3b6ecef712a24   DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc   Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   WScript.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   JaffaCakes118_d0cd6a65031ca35cc534b69899d724a668d22af2f4d27b07808cae9d80b49e94.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 27 IoCs
Suspicious use of AdjustPrivilegeToken 27 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Process tree for behavioral1. The number in brackets is the nesting depth of the process in the tree (1 = top level).

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0cd6a65031ca35cc534b69899d724a668d22af2f4d27b07808cae9d80b49e94.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0cd6a65031ca35cc534b69899d724a668d22af2f4d27b07808cae9d80b49e94.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1716

[2] C:\Windows\SysWOW64\WScript.exe
    cmdline: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1256

[3] C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c ""C:\providercommon\1zu9dW.bat" "
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3064

[4] C:\providercommon\DllCommonsvc.exe
    cmdline: "C:\providercommon\DllCommonsvc.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2712

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1000

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\en-US\wininit.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1252

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\fr-FR\conhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 872

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1732

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\csrss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1728

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dllhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 112

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\en-US\smss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3044

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Links\services.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 888

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1492

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\sppsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1432

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2276

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\taskhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1044

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\spoolsv.exe'
    - Command and Scripting Interpreter: PowerShell
    PID: 2336

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft Help\audiodg.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1768

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1588

[5] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rXxenmB2Ly.bat"
    - Suspicious use of WriteProcessMemory
    PID: 2784

[6] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2356

[6] C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe
    cmdline: "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1976

[7] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\da4noHdFs8.bat"
    PID: 380

[8] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2004

[8] C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe
    cmdline: "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1636

[9] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQKAuQiBIV.bat"
    PID: 2912

[10] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2964

[10] C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe
    cmdline: "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2244

[11] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IrNnSCw4rJ.bat"
    PID: 1832

[12] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2536

[12] C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe
    cmdline: "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1896

[13] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FIx4sKIZfl.bat"
    PID: 2336

[14] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1780

[14] C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe
    cmdline: "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1972

[15] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\syea0WjfTx.bat"
    PID: 2716

[16] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1656

[16] C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe
    cmdline: "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2496

[17] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5ixwcMXCIg.bat"
    PID: 1916

[18] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 760

[18] C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe
    cmdline: "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1576

[19] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nl4g9d70ax.bat"
    PID: 2148

[20] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 3052

[20] C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe
    cmdline: "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2704

[21] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bp0TjAk7l7.bat"
    PID: 884

[22] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1180

[22] C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe
    cmdline: "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1504

[23] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qtVTp5BaF9.bat"
    PID: 1296

[24] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2812

[24] C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe
    cmdline: "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1492

[25] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQKAuQiBIV.bat"
    PID: 2320

[26] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2396

[26] C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe
    cmdline: "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1092

[27] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JCnMdX7E06.bat"
    PID: 1700

[28] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1768

[28] C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe
    cmdline: "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2384
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\fr-FR\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\fr-FR\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\fr-FR\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\providercommon\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Links\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:108
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Links\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Links\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Fonts\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\Fonts\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\Prefetch\ReadyBoot\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\Prefetch\ReadyBoot\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft Help\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft Help\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 4bb69e200202de2c819c7bd146944b7a
SHA1 6ec67e8bac6634c42ada832d4caa34e9a823aba5
SHA256 43d917032dc98cb3fd680026d9362da1a047481c1b689ca541a70c2dab975c9a
SHA512 d327630935196c9fd167772d8de7caa721513aea4f2b551936254f1fa79b30b5738e73541871042bf6cada972d25a5ca4e8cf7306bf7c1bc90778d96e5a8d9b3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 fe327841bb2e4127bc0c5b4f852a9b9b
SHA1 b253b5e24a3db89927750c4a3777ed72e853567f
SHA256 a478aa2a24b5e9748142aedcdf1e2932a9d3d3961f7d31f2777a870de00a2e44
SHA512 842fec40e65640b918fab2a0110f82b1fc87c06d1eb224e03cdf0ed97493f7418850b91bfaee42b72335e24b05dc7d3147052a2d6f37e5ea1273e7699424f54b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 dd6be5698275f61bb739e259f4cdee28
SHA1 0fb9adcac676ef1ae24fce0086d375cffb98e1ee
SHA256 bcf69b32bf71ebe773dfd955c4e63ebac80796e95bc340f2e563c33a7a8c3305
SHA512 7f50cac2f6b3355a9e5ffd290a159da253dab6214b2123ec71cb6f3a8c9a2dd05c2c5231deaf45faa1001b9054cb03e70f979aa37ad867921f99c7d51399c0a5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 7a15e90e5e794576e2182b678e06a867
SHA1 20ee0c76f7e9c8571127b621026a254f4e4099d7
SHA256 2b54a4c54c27b3ff11b3be196f5308731f3b248996e0783d1e6946dc4ae24d94
SHA512 c0d41b55ed56f924eb41894ff2e5338711e74461321a88255cce0dafd7d2a68ff5db891cf90b94c3837301d0f7399e7cac6cb2976189c239557b6dcf4c902703
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 529c3561dd9ca1ecff77b4f2343ce310
SHA1 3e5add30ae19e7ccc2c86c203979f27e20f2100e
SHA256 4d665af6fafad2b67f8307b34dffbfbc6f1a91177a0da59e87acc116dc843d89
SHA512 ab33374bf1cce639d2aadbb4b6d509279571cf9c00372064421109fb8da0c0efc3e6af0139f57a9c27aa289bee6a72ab0fb4ea420e16e9f9c1f58f4d3d16be8a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 bac2bb1ff264fa630eb931ba97bfb8e7
SHA1 9a23fc6cf7eb637959c0f30a09b2d9a5e459bb66
SHA256 f866066b6b8b321976240c1169fca11ac3f745af50a2123fec33e157e42570f3
SHA512 87c411b56543d250012774d6581ec975eadc24994d5c9eb6b07967ee3e79797177cc8bf5e4fbfc4aec2c268c7d9a36caeacf4775160fee553f21b69a707a9562
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 d71fa4c0ab68279cb37d600f8c82f5f3
SHA1 3fe151077fdf858889ed052eaf9c12e291214e6c
SHA256 8fc923a6f04305a46b0fb80fe558b144dffbb61d5258da63f62312a05f9daedc
SHA512 a7eafa17c4ab9bd68458a79a5ceb300574f346b7363209b724ae2505a7077dba619fe82244cef137f6ce086621a32a1252ef3123907b38e9f8a722396d4d0945
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 7bc913140b7213ac364af215d9ff3175
SHA1 deb11adf128e044283636e8dbeda15b197cf97fb
SHA256 f477c67666906e7cd061d6cc27e9e5ed216d4e3f66047f1cb46271494f540652
SHA512 e32375b325d7ea92356a0030d1c87eeb89d32acfdea56c7b81e259d12ec75713d20f9c80d4c30ac055dbc1ae4afe9e46e71a51795fa73a35fc8a7db10b28fb6c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 c0eb9dd103c2ae113c66b699642f9dfe
SHA1 c064260951465981a103d1a8e24adf22eb758125
SHA256 23394d6c8ac8b58ff22fe45d48f4fa4d7bd6ee56182bb74eb597c42cc8395f18
SHA512 7a808b1ba8f2897a47055a2fdfb4c0219f12272df014f586e43098b1a9e34c08317095cd8b7bb977b95c538212b49acfc7da09fb1e899c279d849350e1844c9d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 a37d577f8636eb8ccdb7c6605abe1704
SHA1 430c63f1ab52d3f8ea93094f77de596bddf85570
SHA256 b24bc560b139a1084a03e9c985700c50e0d15b69b689e83e5c91e0a1d67d8f1b
SHA512 18073360f73c3462bfb5b89025ee800f108ec31ef6f193de012f631f2a13928559c712cc6ea537ae03b1ed63a1bff641952db6599da8e6ba4c89e8b6123860f1
-
Filesize 235B
MD5 82d326bd03e3d7acfdc926b188238f4a
SHA1 490f17512564c58486c2f7b70c0f746d0370b9aa
SHA256 427e07ce3f983983b15fa3f13315ea563fb4572a23cb3cb74886039b2252e765
SHA512 016b9a26ff077f268c341aba8d8a673f24be1f26284bc78ad109b0cdb1edf0f9a2dea381ae9cf01efb83df2fd9c3176b897ad17a021ee6e6597901316acae633
-
Filesize 235B
MD5 3433be2bbf51a74a541d00e7dd1c0fa8
SHA1 6ddd5f2225f928c3dfa510fa309ef865dc3bded3
SHA256 df46592ee1e6ac052417fc25fcc8470eec04c73bad0176479ad1642d515ad8f1
SHA512 e1e5d461b02bbe09fcc7017d7d5da8b90f118ddc39195e65ea18c3ca5d6db8f6daa04a80ab71335d9d61cfa59ef046f5db3463f6d4fdee0daedb3eae250c9b6d
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 235B
MD5 91edfe7362309dba60aea903d4fb85f6
SHA1 a098c9eee23af854bb07e8c200aa34a81de46028
SHA256 1eafd41860f804127dbbd4b98859fe7db170aeaba58f5803165815be401fbe4a
SHA512 0294f7b425d88cbf7718f348cb0cd9412ecd6dd32db3447d9b2932f35f2d12714312b0de1b2884ae97c96380c680dfa79095f1cbc1561660aa1c7603b433fd42
-
Filesize 235B
MD5 cdcf008387a6da327afea61c6a8785f6
SHA1 f349c6f7f58b5b7aa607c3528063cd56637b6fb5
SHA256 0f6aedae97c421b77204f55953af03348d7f8a804d092f25660490267193a0e1
SHA512 f0e3585ddbd1d82327cff6be2a15117e1ab36ec153398bbba7cfa7ce46b978441b709e62bdc9fc77792a354c93397570168ae187630f672e9a52f9bed7b7a90a
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 235B
MD5 d3d6da83fa8acad71eec6f5afde80bcc
SHA1 0dce14dd4e04b6befc54edf48684e130b80adfe3
SHA256 963eecd195c408ca74d24cfbe16951163dc9b5030d806c05a3467c64b581c6fa
SHA512 ad7253f074edfe9c13c9c4b5793a6d777ce2b739b1a75e91d37c073e93965cceb998a35f2f8e4fd5e972ff02cc6a4abeed70bd94befec273f867d1d579a1e9ac
-
Filesize 235B
MD5 33a60225635d17a512f778bf9dedb588
SHA1 ed29b5f9551f93be96eb9f274eebf07c83927227
SHA256 ab16149434c944ccb567ee875f81501d31587bda8f232ac28336c51f937161b5
SHA512 096a73cbd26010d4e0ee2c2df38673274e6a8411082cf7702c52424939f429757a7ce195fa82e2411c7de29f4bf6907070ec9ca0aa3127ac03dd62c6b80b5626
-
Filesize 235B
MD5 f3fe221d9ba85d9c5f15b7f0a3cfdd41
SHA1 40c77bd4d92a29b2d9e22b1bc1c218de3f9ea4b7
SHA256 a67f8cd96c679cc237ac9bcf6c741804b4622a7bd8e05d32a3f70a76d9917379
SHA512 ab261465641533246f13afafdb9f6942b2c135ab61706c32f4d5da1c0bcffe3702e0da1a99e93746f8e9ce7dca2f08efe6296c48af16f9ffbe00f4a7f1c75522
-
Filesize 235B
MD5 1364163902e6e55dfd613bb4ec2ec497
SHA1 4fbd8643c20afce324297428f576d74bedb48ce9
SHA256 1766be548df176437222bee593841145f161e1e5e22e09cc41cf26b6dcbb3443
SHA512 4171d7a8df8c26aa388bc336483809633f76ff85c541e5c785bb9a609c20e699731a28bfa3c25d4de35fe915031fc29e4e2826b58228b70976d638469b1a48e3
-
Filesize 235B
MD5 1123f96f654b7dcb284e7d0fd1cc2747
SHA1 8584a4f01a4998f68f3134de4a8bc2e60e8bd460
SHA256 7e72735dec6454e05fee2806acb82ee05e6aef0c8356d62caae7af2bd7806e81
SHA512 1bf70f518011c59b136c619f27b9f21f2ec39fd45e9a593c8f5ca4361ff4f6c6df2e807645eea450167d63c822d1fadce683f16a12ce26d5c5112ee5a09e72b1
-
Filesize 235B
MD5 de3d10ba71d009aca9950b805ad3a026
SHA1 c51dd3d966d40d059d223a7c91510f79fce03f34
SHA256 acc726d01780b2c159f240be6d0f1cc8e99267fd019b4265940279215934dc79
SHA512 fae34870843d92a2a19b89967cd67715b7937f155914a08e2ead00a6806428f40084fcf001d52401c466794e01a23c174dd8f8c0df4c7fd9fbfe17ca5e3348b5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GILMNV5JQQVEZDGN0B7G.temp
Filesize 7KB
MD5 ff11f46ce925b9227df765dfe651d0a3
SHA1 b0bb594fcf43eed689c2d37e60190cec84ca889e
SHA256 b7abe587dfe2db8576989efe668dad539a634d0053a0e1445e05c588a9cd9335
SHA512 ecfca99fe37b92f4c6f90678ae671f78ca787d4d90a8d7d2e5f4d36898ee8547e43dd1564509ebdd368154f5ac5a6cf46189856e4cb3d9901a534dbc01e87e4f
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394