Analysis
-
max time kernel
147s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
21-12-2024 21:21
Behavioral task
behavioral1
Sample
JaffaCakes118_bd2cc74019219b90f0fc61fde3275c861686a875ea4b367be25b7d1a36bb7eb8.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_bd2cc74019219b90f0fc61fde3275c861686a875ea4b367be25b7d1a36bb7eb8.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_bd2cc74019219b90f0fc61fde3275c861686a875ea4b367be25b7d1a36bb7eb8.exe
-
Size
1.3MB
-
MD5
ca00d75fa2f031429cd175b8b7d52d99
-
SHA1
c275a7fa05d4ea6c60a08cc816f40591d521ce57
-
SHA256
bd2cc74019219b90f0fc61fde3275c861686a875ea4b367be25b7d1a36bb7eb8
-
SHA512
50b3052283cee67726e61c4308d08f37a512ea2a1d00e7ca0fd5dd9f4e412ca608044828a95ebcb0bb893a1de69d9fae7e0a299fef667b5ee66a51b5377ade31
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2724 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2760 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2532 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2356 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2692 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1060 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2272 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2076 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2480 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2072 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2684 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 976 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 848 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1124 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1408 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1848 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 972 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2584 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1052 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 680 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 640 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1456 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2164 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1640 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2020 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1992 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2460 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 472 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2280 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2360 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2680 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1748 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1620 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1608 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1356 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2552 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2144 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2380 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2852 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2720 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2312 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2848 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2440 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 900 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2396 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2092 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3040 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2172 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2764 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2936 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3032 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2992 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1984 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2356 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2616 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2900 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1916 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2992 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2900 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2188 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1620 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2388 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 780 2880 schtasks.exe 33 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2552 2880 schtasks.exe 33 -
resource yara_rule behavioral1/files/0x0007000000018b50-9.dat dcrat behavioral1/memory/2316-13-0x00000000012F0000-0x0000000001400000-memory.dmp dcrat behavioral1/memory/1552-253-0x0000000000830000-0x0000000000940000-memory.dmp dcrat behavioral1/memory/3068-312-0x0000000000030000-0x0000000000140000-memory.dmp dcrat behavioral1/memory/1688-373-0x0000000000DB0000-0x0000000000EC0000-memory.dmp dcrat behavioral1/memory/2636-434-0x0000000000380000-0x0000000000490000-memory.dmp dcrat behavioral1/memory/2832-494-0x0000000000AC0000-0x0000000000BD0000-memory.dmp dcrat behavioral1/memory/436-554-0x0000000001270000-0x0000000001380000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 33 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2100 powershell.exe 2320 powershell.exe 1644 powershell.exe 2808 powershell.exe 2444 powershell.exe 3068 powershell.exe 3052 powershell.exe 2948 powershell.exe 2808 powershell.exe 2968 powershell.exe 2016 powershell.exe 2504 powershell.exe 2800 powershell.exe 1656 powershell.exe 2424 powershell.exe 580 powershell.exe 2024 powershell.exe 2416 powershell.exe 2540 powershell.exe 2780 powershell.exe 2284 powershell.exe 2808 powershell.exe 2472 powershell.exe 2176 powershell.exe 2252 powershell.exe 2568 powershell.exe 1144 powershell.exe 2068 powershell.exe 2100 powershell.exe 2228 powershell.exe 2980 powershell.exe 2108 powershell.exe 1768 powershell.exe -
Executes dropped EXE 11 IoCs
pid Process 2316 DllCommonsvc.exe 1148 DllCommonsvc.exe 2268 DllCommonsvc.exe 1552 Idle.exe 3068 Idle.exe 1688 Idle.exe 2636 Idle.exe 2832 Idle.exe 436 Idle.exe 1576 Idle.exe 1944 Idle.exe -
Loads dropped DLL 2 IoCs
pid Process 2984 cmd.exe 2984 cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
flow ioc 4 raw.githubusercontent.com 5 raw.githubusercontent.com 9 raw.githubusercontent.com 12 raw.githubusercontent.com 16 raw.githubusercontent.com 19 raw.githubusercontent.com 22 raw.githubusercontent.com 26 raw.githubusercontent.com -
Drops file in Program Files directory 19 IoCs
description ioc Process File created C:\Program Files\Reference Assemblies\Microsoft\101b941d020240 DllCommonsvc.exe File created C:\Program Files\DVD Maker\en-US\csrss.exe DllCommonsvc.exe File created C:\Program Files\DVD Maker\en-US\886983d96e3d3e DllCommonsvc.exe File created C:\Program Files\Reference Assemblies\Microsoft\lsm.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Photo Viewer\6ccacd8608530f DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\f3b6ecef712a24 DllCommonsvc.exe File opened for modification C:\Program Files\Uninstall Information\spoolsv.exe DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft.NET\RedistList\24dbde2999530e DllCommonsvc.exe File created C:\Program Files (x86)\Windows Photo Viewer\Idle.exe DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\spoolsv.exe DllCommonsvc.exe File created C:\Program Files\Microsoft Games\Minesweeper\101b941d020240 DllCommonsvc.exe File created C:\Program Files\Uninstall Information\f3b6ecef712a24 DllCommonsvc.exe File created C:\Program Files\Windows NT\Accessories\wininit.exe DllCommonsvc.exe File created C:\Program Files\Windows NT\Accessories\56085415360792 DllCommonsvc.exe File created C:\Program Files\Microsoft Games\Minesweeper\lsm.exe DllCommonsvc.exe File created C:\Program Files\Uninstall Information\spoolsv.exe DllCommonsvc.exe File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe DllCommonsvc.exe File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\7a0fd90576e088 DllCommonsvc.exe -
Drops file in Windows directory 10 IoCs
description ioc Process File created C:\Windows\winsxs\amd64_microsoft-windows-l..essionale.resources_31bf3856ad364e35_6.1.7601.17514_de-de_202a7c4eaae8e08d\taskhost.exe DllCommonsvc.exe File created C:\Windows\Microsoft.NET\assembly\GAC_32\a76d7bf15d8370 DllCommonsvc.exe File created C:\Windows\fr-FR\DllCommonsvc.exe DllCommonsvc.exe File created C:\Windows\Performance\WinSAT\DataStore\27d1bcfc3c54e0 DllCommonsvc.exe File created C:\Windows\Speech\Engines\lsm.exe DllCommonsvc.exe File created C:\Windows\Speech\Engines\101b941d020240 DllCommonsvc.exe File created C:\Windows\Microsoft.NET\assembly\GAC_32\DllCommonsvc.exe DllCommonsvc.exe File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_32\DllCommonsvc.exe DllCommonsvc.exe File created C:\Windows\fr-FR\a76d7bf15d8370 DllCommonsvc.exe File created C:\Windows\Performance\WinSAT\DataStore\System.exe DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_bd2cc74019219b90f0fc61fde3275c861686a875ea4b367be25b7d1a36bb7eb8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2852 schtasks.exe 2300 schtasks.exe 2684 schtasks.exe 1620 schtasks.exe 2144 schtasks.exe 1640 schtasks.exe 2552 schtasks.exe 2416 schtasks.exe 1552 schtasks.exe 2640 schtasks.exe 1124 schtasks.exe 1456 schtasks.exe 900 schtasks.exe 680 schtasks.exe 2720 schtasks.exe 2936 schtasks.exe 2072 schtasks.exe 2532 schtasks.exe 2692 schtasks.exe 2584 schtasks.exe 3032 schtasks.exe 368 schtasks.exe 1992 schtasks.exe 1608 schtasks.exe 2552 schtasks.exe 2076 schtasks.exe 1512 schtasks.exe 2616 schtasks.exe 288 schtasks.exe 112 schtasks.exe 2724 schtasks.exe 1052 schtasks.exe 1620 schtasks.exe 2380 schtasks.exe 2440 schtasks.exe 3036 schtasks.exe 2480 schtasks.exe 848 schtasks.exe 1356 schtasks.exe 2272 schtasks.exe 640 schtasks.exe 780 schtasks.exe 2900 schtasks.exe 2900 schtasks.exe 2240 schtasks.exe 2072 schtasks.exe 3040 schtasks.exe 1984 schtasks.exe 2312 schtasks.exe 2740 schtasks.exe 1292 schtasks.exe 472 schtasks.exe 972 schtasks.exe 2020 schtasks.exe 2460 schtasks.exe 2616 schtasks.exe 1916 schtasks.exe 2860 schtasks.exe 2692 schtasks.exe 2260 schtasks.exe 580 schtasks.exe 2076 schtasks.exe 2280 schtasks.exe 2356 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 50 IoCs
pid Process 2316 DllCommonsvc.exe 2808 powershell.exe 2472 powershell.exe 2100 powershell.exe 1148 DllCommonsvc.exe 1148 DllCommonsvc.exe 1148 DllCommonsvc.exe 2176 powershell.exe 580 powershell.exe 2808 powershell.exe 2320 powershell.exe 2568 powershell.exe 2800 powershell.exe 2016 powershell.exe 2100 powershell.exe 2504 powershell.exe 2068 powershell.exe 2968 powershell.exe 3052 powershell.exe 3068 powershell.exe 2252 powershell.exe 2416 powershell.exe 2024 powershell.exe 2228 powershell.exe 2540 powershell.exe 2268 DllCommonsvc.exe 2268 DllCommonsvc.exe 2268 DllCommonsvc.exe 2268 DllCommonsvc.exe 2268 DllCommonsvc.exe 1656 powershell.exe 2780 powershell.exe 2808 powershell.exe 2980 powershell.exe 2444 powershell.exe 2284 powershell.exe 1768 powershell.exe 2108 powershell.exe 1644 powershell.exe 2948 powershell.exe 1144 powershell.exe 2424 powershell.exe 1552 Idle.exe 3068 Idle.exe 1688 Idle.exe 2636 Idle.exe 2832 Idle.exe 436 Idle.exe 1576 Idle.exe 1944 Idle.exe -
Suspicious use of AdjustPrivilegeToken 44 IoCs
description pid Process Token: SeDebugPrivilege 2316 DllCommonsvc.exe Token: SeDebugPrivilege 2808 powershell.exe Token: SeDebugPrivilege 2472 powershell.exe Token: SeDebugPrivilege 2100 powershell.exe Token: SeDebugPrivilege 1148 DllCommonsvc.exe Token: SeDebugPrivilege 2176 powershell.exe Token: SeDebugPrivilege 580 powershell.exe Token: SeDebugPrivilege 2808 powershell.exe Token: SeDebugPrivilege 2320 powershell.exe Token: SeDebugPrivilege 2568 powershell.exe Token: SeDebugPrivilege 2800 powershell.exe Token: SeDebugPrivilege 2016 powershell.exe Token: SeDebugPrivilege 2100 powershell.exe Token: SeDebugPrivilege 2504 powershell.exe Token: SeDebugPrivilege 2068 powershell.exe Token: SeDebugPrivilege 2968 powershell.exe Token: SeDebugPrivilege 3052 powershell.exe Token: SeDebugPrivilege 3068 powershell.exe Token: SeDebugPrivilege 2252 powershell.exe Token: SeDebugPrivilege 2416 powershell.exe Token: SeDebugPrivilege 2024 powershell.exe Token: SeDebugPrivilege 2228 powershell.exe Token: SeDebugPrivilege 2540 powershell.exe Token: SeDebugPrivilege 2268 DllCommonsvc.exe Token: SeDebugPrivilege 1656 powershell.exe Token: SeDebugPrivilege 2780 powershell.exe Token: SeDebugPrivilege 2808 powershell.exe Token: SeDebugPrivilege 2980 powershell.exe Token: SeDebugPrivilege 2444 powershell.exe Token: SeDebugPrivilege 2284 powershell.exe Token: SeDebugPrivilege 1768 powershell.exe Token: SeDebugPrivilege 2108 powershell.exe Token: SeDebugPrivilege 1644 powershell.exe Token: SeDebugPrivilege 2948 powershell.exe Token: SeDebugPrivilege 1144 powershell.exe Token: SeDebugPrivilege 2424 powershell.exe Token: SeDebugPrivilege 1552 Idle.exe Token: SeDebugPrivilege 3068 Idle.exe Token: SeDebugPrivilege 1688 Idle.exe Token: SeDebugPrivilege 2636 Idle.exe Token: SeDebugPrivilege 2832 Idle.exe Token: SeDebugPrivilege 436 Idle.exe Token: SeDebugPrivilege 1576 Idle.exe Token: SeDebugPrivilege 1944 Idle.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2792 wrote to memory of 2184 2792 JaffaCakes118_bd2cc74019219b90f0fc61fde3275c861686a875ea4b367be25b7d1a36bb7eb8.exe 29 PID 2792 wrote to memory of 2184 2792 JaffaCakes118_bd2cc74019219b90f0fc61fde3275c861686a875ea4b367be25b7d1a36bb7eb8.exe 29 PID 2792 wrote to memory of 2184 2792 JaffaCakes118_bd2cc74019219b90f0fc61fde3275c861686a875ea4b367be25b7d1a36bb7eb8.exe 29 PID 2792 wrote to memory of 2184 2792 JaffaCakes118_bd2cc74019219b90f0fc61fde3275c861686a875ea4b367be25b7d1a36bb7eb8.exe 29 PID 2184 wrote to memory of 2984 2184 WScript.exe 30 PID 2184 wrote to memory of 2984 2184 WScript.exe 30 PID 2184 wrote to memory of 2984 2184 WScript.exe 30 PID 2184 wrote to memory of 2984 2184 WScript.exe 30 PID 2984 wrote to memory of 2316 2984 cmd.exe 32 PID 2984 wrote to memory of 2316 2984 cmd.exe 32 PID 2984 wrote to memory of 2316 2984 cmd.exe 32 PID 2984 wrote to memory of 2316 2984 cmd.exe 32 PID 2316 wrote to memory of 2472 2316 DllCommonsvc.exe 40 PID 2316 wrote to memory of 2472 2316 DllCommonsvc.exe 40 PID 2316 wrote to memory of 2472 2316 DllCommonsvc.exe 40 PID 2316 wrote to memory of 2100 2316 DllCommonsvc.exe 41 PID 2316 wrote to memory of 2100 2316 DllCommonsvc.exe 41 PID 2316 wrote to memory of 2100 2316 DllCommonsvc.exe 41 PID 2316 wrote to memory of 2808 2316 DllCommonsvc.exe 42 PID 2316 wrote to memory of 2808 2316 DllCommonsvc.exe 42 PID 2316 wrote to memory of 2808 2316 DllCommonsvc.exe 42 PID 2316 wrote to memory of 2320 2316 DllCommonsvc.exe 46 PID 2316 wrote to memory of 2320 2316 DllCommonsvc.exe 46 PID 2316 wrote to memory of 2320 2316 DllCommonsvc.exe 46 PID 2320 wrote to memory of 2016 2320 cmd.exe 48 PID 2320 wrote to memory of 2016 2320 cmd.exe 48 PID 2320 wrote to memory of 2016 2320 cmd.exe 48 PID 2320 wrote to memory of 1148 2320 cmd.exe 49 PID 2320 wrote to memory of 1148 2320 cmd.exe 49 PID 2320 wrote to memory of 1148 2320 cmd.exe 49 PID 1148 wrote to memory of 3068 1148 DllCommonsvc.exe 101 PID 1148 wrote to memory of 3068 1148 DllCommonsvc.exe 101 PID 1148 wrote to memory of 3068 1148 DllCommonsvc.exe 101 PID 1148 wrote to memory of 2176 1148 DllCommonsvc.exe 102 PID 1148 wrote to memory of 2176 1148 DllCommonsvc.exe 102 PID 1148 wrote to memory of 2176 1148 DllCommonsvc.exe 102 PID 1148 wrote to memory of 2808 1148 DllCommonsvc.exe 103 PID 1148 wrote to memory of 2808 1148 DllCommonsvc.exe 103 PID 1148 wrote to memory of 2808 1148 DllCommonsvc.exe 103 PID 1148 wrote to memory of 580 1148 DllCommonsvc.exe 104 PID 1148 wrote to memory of 580 1148 DllCommonsvc.exe 104 PID 1148 wrote to memory of 580 1148 DllCommonsvc.exe 104 PID 1148 wrote to memory of 2024 1148 DllCommonsvc.exe 105 PID 1148 wrote to memory of 2024 1148 DllCommonsvc.exe 105 PID 1148 wrote to memory of 2024 1148 DllCommonsvc.exe 105 PID 1148 wrote to memory of 3052 1148 DllCommonsvc.exe 106 PID 1148 wrote to memory of 3052 1148 DllCommonsvc.exe 106 PID 1148 wrote to memory of 3052 1148 DllCommonsvc.exe 106 PID 1148 wrote to memory of 2252 1148 DllCommonsvc.exe 109 PID 1148 wrote to memory of 2252 1148 DllCommonsvc.exe 109 PID 1148 wrote to memory of 2252 1148 DllCommonsvc.exe 109 PID 1148 wrote to memory of 2416 1148 DllCommonsvc.exe 110 PID 1148 wrote to memory of 2416 1148 DllCommonsvc.exe 110 PID 1148 wrote to memory of 2416 1148 DllCommonsvc.exe 110 PID 1148 wrote to memory of 2968 1148 DllCommonsvc.exe 111 PID 1148 wrote to memory of 2968 1148 DllCommonsvc.exe 111 PID 1148 wrote to memory of 2968 1148 DllCommonsvc.exe 111 PID 1148 wrote to memory of 2540 1148 DllCommonsvc.exe 112 PID 1148 wrote to memory of 2540 1148 DllCommonsvc.exe 112 PID 1148 wrote to memory of 2540 1148 DllCommonsvc.exe 112 PID 1148 wrote to memory of 2068 1148 DllCommonsvc.exe 117 PID 1148 wrote to memory of 2068 1148 DllCommonsvc.exe 117 PID 1148 wrote to memory of 2068 1148 DllCommonsvc.exe 117 PID 1148 wrote to memory of 2100 1148 DllCommonsvc.exe 118 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bd2cc74019219b90f0fc61fde3275c861686a875ea4b367be25b7d1a36bb7eb8.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bd2cc74019219b90f0fc61fde3275c861686a875ea4b367be25b7d1a36bb7eb8.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2472
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2100
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h7CoQcyUo6.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:2016
-
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3068
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\spoolsv.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2176
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\en-US\csrss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:580
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2024
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3052
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2252
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\wininit.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2416
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2968
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech\Engines\lsm.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2068
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2100
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2568
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2016
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\lsm.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2800
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2320
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2228
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2504
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7DiEoI3Zf4.bat"7⤵PID:2096
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:2772
-
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"8⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2268 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2780
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\assembly\GAC_32\DllCommonsvc.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2444
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\Idle.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1656
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\spoolsv.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2284
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Favorites\Idle.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2980
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2108
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Minesweeper\lsm.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1644
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2948
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\DllCommonsvc.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\User Account Pictures\csrss.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1144
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\System.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2424
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V08IpBiAEb.bat"9⤵PID:2156
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:2440
-
-
C:\Users\Public\Favorites\Idle.exe"C:\Users\Public\Favorites\Idle.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1552 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CrTeqwt2Oo.bat"11⤵PID:1728
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:920
-
-
C:\Users\Public\Favorites\Idle.exe"C:\Users\Public\Favorites\Idle.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3068 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i0MStmnXAe.bat"13⤵PID:2352
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵PID:2100
-
-
C:\Users\Public\Favorites\Idle.exe"C:\Users\Public\Favorites\Idle.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1688 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uSuCPwp4Rh.bat"15⤵PID:2336
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵PID:1708
-
-
C:\Users\Public\Favorites\Idle.exe"C:\Users\Public\Favorites\Idle.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2636 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"17⤵PID:1964
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵PID:2956
-
-
C:\Users\Public\Favorites\Idle.exe"C:\Users\Public\Favorites\Idle.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2832 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RFyBjogktz.bat"19⤵PID:2448
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵PID:900
-
-
C:\Users\Public\Favorites\Idle.exe"C:\Users\Public\Favorites\Idle.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:436 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rBMLF9HJtT.bat"21⤵PID:2744
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵PID:2456
-
-
C:\Users\Public\Favorites\Idle.exe"C:\Users\Public\Favorites\Idle.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHo4kC1bcD.bat"23⤵PID:1752
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵PID:972
-
-
C:\Users\Public\Favorites\Idle.exe"C:\Users\Public\Favorites\Idle.exe"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /f1⤵
- Process spawned unexpected child process
PID:2356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\en-US\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\en-US\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1408
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
PID:1848
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2164
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
PID:472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech\Engines\lsm.exe'" /f1⤵
- Process spawned unexpected child process
PID:2680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Speech\Engines\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\Speech\Engines\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2848
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\lsm.exe'" /f1⤵
- Process spawned unexpected child process
PID:2092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2172
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
PID:2764
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /f1⤵
- Process spawned unexpected child process
PID:2992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
PID:2992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2188
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\spoolsv.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\spoolsv.exe'" /rl HIGHEST /f1⤵PID:1172
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Favorites\Idle.exe'" /f1⤵PID:3048
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Favorites\Idle.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Favorites\Idle.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2260
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Games\Minesweeper\lsm.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Minesweeper\lsm.exe'" /rl HIGHEST /f1⤵PID:2484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Games\Minesweeper\lsm.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\providercommon\taskhost.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2416
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2072
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f1⤵PID:1296
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Windows\fr-FR\DllCommonsvc.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\fr-FR\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2240
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Windows\fr-FR\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2300
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft\User Account Pictures\csrss.exe'" /f1⤵PID:2812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\User Account Pictures\csrss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft\User Account Pictures\csrss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\Performance\WinSAT\DataStore\System.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\System.exe'" /rl HIGHEST /f1⤵PID:1944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\WinSAT\DataStore\System.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:3036
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5742d291ebee94790a90cf337524558dc
SHA10396bc4268fedf01e88d5d7eab3d51c1ef445e40
SHA2563802775e13b7af2b95596a54d1818661f77d2c2689aa67af9a18eeb415de8eed
SHA51233369c3856a1736ace58beb67a52e87844a2dcf17af7e56b1d5a5bac278ffd7f6e2e4c1aad6ad22e41a309c43f22dde8f1e283712921b017b19bdc78a8a5410f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b66ae09f465ad889ef00c2a2afeb4ca0
SHA19f549c7637992bfb79375e249bc727fa2e96c5f3
SHA25667c6d3dc96a2daead9bc81cb91190738cbb2e52e720185e904c8ed4a2d51d887
SHA51219294a2ddcd72f82afec27dc7a89ba39391afad5553b793efcab8b11cd5050d91263ed3a9c6a3ac0c24ade2e2bfdab12b5cbd635aebd875efaa45aac5ffb0e04
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5d421a0217a5cd6b6f4968338b46f9492
SHA1985c9781fce8d3bb17ea1ccfc91727b4b9502877
SHA256042a05b9854a16085af43eec2cb3f2ad8211ec1522a3ce9d80f80eb73bf53b28
SHA512c34eec54905be2b8416b8fe74da9732c2ab9888edbebb3ef51c7d2f378e01ab2598c34041acc2ba7104e4b03299e336b540e249cd7e96b74721aa3e9dadef65a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5fb84ccedd44bc9671086c4936fe0505b
SHA14229968f1dbe27d80f969ac07b8b69ff67d38e02
SHA256bb0ecb6d11ab7e5e99c0e3e1e3501f0c01be535a3d1ee42b29af984db1e74305
SHA5126705b74f8741739ccd35c84481fe639bb33a4eeb8ff78e568df14e4585b425edbad9c30446c5c83947e31d6daef6b5b7aacdd326b3939f903abe13fcb0026607
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD51fb7c4a27b9e226dba5197f7d504ac74
SHA10b9f5afab6be94b61b07108a7f5d5e69a3701c6b
SHA2563df289a28c5efd915c4a317374eede706670a5cd55bd53358e56ffd1a42e62e3
SHA512d5e5c3063adc82b40148f528d3b0fab856a62c080ca25ecc0221004e1078210eeeea076fd669aa3afd29804245c025f44c775f94a6265119d736977969d94d41
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD57288a1767038e7d07b4b430a1b14ea0e
SHA1e88a6ff6cc44314d2a45123b573e75f3bb6ffcdb
SHA2560a04e3f3aa4d600f9d9be32dc8ce3f73ca34e546cb8508609088d599302cbf8d
SHA512d06a6575482f90dae7a7da88e3eab696c562666335336aed6dde8cb5b9d7ae15e8de7f1a7f5bf4bb20becc374f7d38a6e93f989513282058015212aa8e4ce596
-
Filesize
199B
MD51e13f330285db262dd5205d7a59ccfb3
SHA127654908427696f5d9be0c2a676cd80ef4d32b5b
SHA256d4dcbb8a012b93166af93ea35037e337b1f3ceaba90c950fc0a6d5362d1ce09f
SHA512ffd56d71ca1fe04874952fd3a050e9077cb7587e9448b2308cafa49eb82574d0a600e23f9181e9c6aa00364ffbc79aa79cd5c8b8ed2c315ab3d09a9312100ceb
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
199B
MD5a8d5b4568123a045205fd1b9098daca9
SHA170d539ab90e4faec35c8169b8bca2d32696e444a
SHA256a770c35a9b68d8c49016f3bc5eb2b132bb434acb7a8f55f2405a950ec256ec58
SHA5127106b776e84fe23289bec1f83ebb95ea7759e4fb8e13d75243e503abe2125b7a978a3f9cbe43a25a777824daba2010edd1c9b295eaaea0aa244bac2cd53d6734
-
Filesize
199B
MD56dd4c42f2a84007b17883875b2775da3
SHA15c53c562ec90bc613e8b111fd10e278f28062b1c
SHA256f9bb7c60b91736b239bcdb874dbb1bd97aeb03ccfb832725d36a22764e40b8c1
SHA512d42508ab85a463cb8659100f452d059a6aa296defd5a63e5143926f9db6f106244d7288ee2ec4d8460c164b66edd1a6ad7f86f8ecbafd73ab0649d2e3a00948c
-
Filesize
199B
MD5858724eec3975ec86de717cb6d59e6f0
SHA118778365ba4d15462ee4a75876c27f4b43c257c5
SHA256bc46cdd8f34d8b352d290679a5ed062bf3960b05148672a94def2cf5b0f6f5ea
SHA51243b075b0d7dacd56c0c3e331c8cd14519cc237ffdb3e6941ba064b441e5f477743dfc371a0048256af4f1df88b6d63ce762668d8f57215cab7ed8bfa2603dfff
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
199B
MD5d871db91903e94d75e4f3812e94f7f36
SHA14df5f41c3eccc506ba7aa865eaef4e79c97a750e
SHA2560c3d0768820727f16b71c0396b5e5f977285a91788d1b99d9878f83d02132a6d
SHA5122cf2a4b81c610fc72985dbcc399c5df1b536262145283574a24a0988fefc0609cd2fc5af67e0ad48ce960f603005b1490f1b1a72b38672b08c0a98c2ed817da8
-
Filesize
199B
MD54f5b423443cf368cfe00838c0ecf6318
SHA1aa8747a373eef02a58acc63d3e10a552c91ecf02
SHA2563c8c7fe24efb6300ee3e1a722de691454c3a2aadd28a156d3bc026adddb5535c
SHA51253eae0ad78fb7f0221ad0edf78554ac1d1412004183879a25a5e99bf384848aa9ada012c0b7ad9e24b2954c542a857ea40cafa9f3eafdf32543f7edc38c6a525
-
Filesize
199B
MD53c1911de840cd206132176dfa15ee076
SHA194e725a96e31353ccdd6af1249abbc8fdcd086b7
SHA2568ac25937c4838074eb3ee7e39921c467a3cb38b5155984a91170418da7b82313
SHA5122b3034e5b9e0191d67c6297f5798a68ec3aaf6434c1253962912e77e85f9171a7d221fa58cc7740a84d49eb22dd985e85ac5e9d4705ddddd2995df72c05f3d19
-
Filesize
199B
MD580c707d40b914e16043ec64d3b84c491
SHA1efc9d62f0d0dc1c01aca5b27d7ac5a0774f6d400
SHA2568c6ca5cbdabbbb1dcd204ce26f6f0a8ac0a390e3aa4b1f53929223a023ff8069
SHA5121b2e7195ed9a3abd21d6e5a75dbcef1c9961bd2ab15fe267fd4539adc1d89e8c61416921b23e4b08ac71a545c3de990f1e7843f5ccecd5a2013dde9a802c5e8c
-
Filesize
199B
MD577c1662c6a9ee32f6b7da8f606189451
SHA1e26e7e5f18dce073e7124a6afb1c6d103de4155b
SHA25666e900093d2a2d1ada3adba7cc4e05c6ea6a7f9f77b0a45f8b3f1acda0eafd9d
SHA51201b1c2d3343de6743ebf4729a01784a139dee7e33f86e6e181c5d36e00fe9c64da2086391cfcf7b0ac1e9a468a86d1afcc3e9511cf8bd146dc6d4625b45465d1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4ESRGNVEVP52SDI6VKQU.temp
Filesize7KB
MD54a3d860e31a85d2fa44a6ab4a6d6ad5d
SHA16d0030d4658c3bd1e69c27dc5089a606bf7a4cab
SHA2565666789e00613478a6b6b6c8cb01c44b28ce05bcbba96e8e24f84e9ff2831df1
SHA512e7b5716979248c0d153bfe4a99c0a72457f662f8233bc6ee17e74edc95c495e6bd806ea041d196e901aece9b393cce4f53c4ad6da53287a8bf7e74e13d9effa2
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394