Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
21-12-2024 20:32
Behavioral task
behavioral1
Sample
JaffaCakes118_c85d95a4400f6854f78433a0edb05913016dbd89fd3295a96630b9c353739de3.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_c85d95a4400f6854f78433a0edb05913016dbd89fd3295a96630b9c353739de3.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_c85d95a4400f6854f78433a0edb05913016dbd89fd3295a96630b9c353739de3.exe
-
Size
1.3MB
-
MD5
9df90b76b51132f647ee9f86db546997
-
SHA1
cece87242699a541ed95931ddc1aced629b74255
-
SHA256
c85d95a4400f6854f78433a0edb05913016dbd89fd3295a96630b9c353739de3
-
SHA512
b63c6468a7859f979154e513a7fee81e7c8c25cb2dd10c7b573d9d92d2a5794880223e17392dfbca27ad3d2cd0e46c729b28b51a51f053b8b5c9f6d6cc005f3c
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.
-
Dcrat family
-
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run all 45 hits are the same edge: wmiprvse.exe (PID 2640) spawning schtasks.exe. That shape is consistent with the dropper launching schtasks.exe through WMI (Win32_Process.Create), which makes the WMI provider host, rather than DllCommonsvc.exe, the visible parent. Read it as a parent-process indirection pattern, not as evidence that wmiprvse.exe itself was exploited, and hunt on the wmiprvse.exe -> schtasks.exe parent/child pair directly.
description pid pid_target Process procid_target
All 45 rows share the same description, parent and target: description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", pid_target 2640, Process schtasks.exe, procid_target 34.
pid (schtasks.exe): 2788 2936 2548 2780 2628 2512 2580 3036 2084 1084 2500 2728 1552 1424 2420 1328 2584 2820 2828 1984 2880 2864 2552 3012 2212 2916 2200 2888 2404 2700 448 2128 2400 1308 1800 3052 1636 2136 772 1480 876 696 484 376 2176 -
resource yara_rule
behavioral1/files/0x0008000000017492-9.dat dcrat
behavioral1/memory/1920-13-0x0000000000070000-0x0000000000180000-memory.dmp dcrat
behavioral1/memory/2164-58-0x0000000001240000-0x0000000001350000-memory.dmp dcrat
behavioral1/memory/2328-312-0x0000000000360000-0x0000000000470000-memory.dmp dcrat
behavioral1/memory/1144-372-0x0000000000E20000-0x0000000000F30000-memory.dmp dcrat
behavioral1/memory/2108-493-0x0000000000F90000-0x00000000010A0000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs
Runs PowerShell to modify Windows Defender settings by adding exclusions for file extensions, paths, or processes. All 16 invocations in this run have the form Add-MpPreference -ExclusionPath '<drop path>', one per location where the dropper stages a copy of itself (the full list is in the process tree below). Defender logs each such change as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, and on a live host Get-MpPreference | Select-Object -ExpandProperty ExclusionPath shows the resulting set.
pid Process: powershell.exe with pids 1524 2464 2388 264 880 2292 1688 2356 1956 2088 1592 1536 2132 2156 2288 1624 -
Executes dropped EXE 11 IoCs
pid Process: 1920 DllCommonsvc.exe; taskhost.exe with pids 2164 1640 2084 2328 1144 1964 2108 2056 3008 3040 -
Loads dropped DLL 2 IoCs
pid Process: 1796 cmd.exe (two DLL loads) -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow ioc: raw.githubusercontent.com in flows 4 5 9 13 20 16 23 27 30 33 -
Drops file in Program Files directory 8 IoCs
description ioc Process
File created C:\Program Files (x86)\Windows Portable Devices\42af1c969fbb7b DllCommonsvc.exe
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe DllCommonsvc.exe
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\42af1c969fbb7b DllCommonsvc.exe
File created C:\Program Files (x86)\Windows Mail\fr-FR\dwm.exe DllCommonsvc.exe
File created C:\Program Files (x86)\Windows Mail\fr-FR\6cb0b6c459d5d3 DllCommonsvc.exe
File created C:\Program Files\Microsoft Office\Office14\1033\lsm.exe DllCommonsvc.exe
File created C:\Program Files\Microsoft Office\Office14\1033\101b941d020240 DllCommonsvc.exe
File created C:\Program Files (x86)\Windows Portable Devices\audiodg.exe DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_c85d95a4400f6854f78433a0edb05913016dbd89fd3295a96630b9c353739de3.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. The 45 tasks in this run follow one template, three tasks per dropped copy: a task named after the binary with /sc ONLOGON /rl HIGHEST, plus two tasks whose name is the binary name with its first letter appended (lsml, taskhostt, audiodga, WmiPrvSEW, SystemS, DllCommonsvcD, OSPPSVCO) on a /sc MINUTE /mo N schedule with N between 5 and 14, one of them also at /rl HIGHEST; all are created with /f so an existing task of the same name is overwritten silently. The task action paths reuse the names of legitimate Windows and Office processes (lsm.exe, taskhost.exe, audiodg.exe, dwm.exe, WmiPrvSE.exe, smss.exe, Idle.exe, System.exe, OSPPSVC.exe) under directories where those names do not belong.
pid Process: schtasks.exe with pids 1552 2552 2628 2728 1424 2128 2936 3036 2828 2864 2212 2916 376 2548 2420 2880 1308 3052 2512 1084 2888 876 696 2500 2820 2700 1800 1636 2176 2084 1984 3012 2200 2404 2400 2136 772 2788 1328 484 2584 448 1480 2780 2580 -
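The two signatures above (Defender exclusions via Add-MpPreference, and the ONLOGON/MINUTE schtasks triplets) point at the same set of drop paths. The script below is an added detection example, not part of the sandbox output: it parses both kinds of command line, keys the results by target path, and scores each path on whether it was excluded from Defender, whether it carries a Windows process name outside the system directories, whether any task runs at /rl HIGHEST, and whether the ONLOGON/MINUTE pairing is present. The (pid, image, cmdline) row shape is a constructed stand-in for Sysmon Event ID 1 or Security 4688 data; the command lines in SAMPLE_EVENTS are copied from this report except the last, a constructed benign control. MASQUERADE_NAMES and LEGIT_ROOTS are assumptions to tune per estate.

```python
"""Score drop paths by correlating Defender-exclusion and schtasks command
lines. Added detection example, not part of the sandbox report. Input rows are
(pid, image, cmdline) triples, a constructed stand-in for Sysmon Event ID 1 or
Security 4688 data; the command lines in SAMPLE_EVENTS are copied from this
report except the last, a constructed benign control.
"""
import ntpath
import re
from collections import defaultdict

# Basenames of real Windows processes that this family reuses for its copies.
# (Idle.exe and System.exe are never files at all: the matching Task Manager
# entries are kernel pseudo-processes, so any file with those names is suspect.)
MASQUERADE_NAMES = {"lsm.exe", "taskhost.exe", "audiodg.exe", "dwm.exe",
                    "wmiprvse.exe", "smss.exe", "idle.exe", "system.exe"}
# Directories where those names are legitimate (assumption: extend per estate).
LEGIT_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

ADD_MP = re.compile(r"add-mppreference\s+-exclusion(path|process|extension)\s+'([^']+)'", re.I)
TN = re.compile(r'/tn\s+"([^"]+)"', re.I)
SC = re.compile(r"/sc\s+(\w+)", re.I)
MO = re.compile(r"/mo\s+(\d+)", re.I)
TR = re.compile("/tr\\s+\"'([^']+)'\"", re.I)   # matches /tr "'C:\path\x.exe'"
RL = re.compile(r"/rl\s+(\w+)", re.I)


def parse_exclusion(cmdline):
    """Return {'kind', 'value'} for an Add-MpPreference -Exclusion* call, else None."""
    m = ADD_MP.search(cmdline)
    return {"kind": m.group(1).lower(), "value": m.group(2)} if m else None


def parse_schtask(cmdline):
    """Return the /tn, /tr, /sc, /mo and /rl fields of a schtasks /create call, else None."""
    if "/create" not in cmdline.lower():
        return None
    tn, tr = TN.search(cmdline), TR.search(cmdline)
    if not (tn and tr):
        return None
    sc, mo, rl = SC.search(cmdline), MO.search(cmdline), RL.search(cmdline)
    return {"name": tn.group(1), "target": tr.group(1),
            "schedule": sc.group(1).upper() if sc else None,
            "every": int(mo.group(1)) if mo else None,
            "runlevel": rl.group(1).upper() if rl else None}


def is_masquerade(path):
    """True when the basename is a Windows process name but the file is outside LEGIT_ROOTS."""
    p = path.lower()
    return ntpath.basename(p) in MASQUERADE_NAMES and not p.startswith(LEGIT_ROOTS)


def correlate(events):
    """Return {lower-cased target path: finding} across all rows."""
    findings = defaultdict(lambda: {"excluded": False, "tasks": [], "masquerade": False, "score": 0})
    for _pid, _image, cmdline in events:
        ex = parse_exclusion(cmdline)
        if ex and ex["kind"] == "path":
            findings[ex["value"].lower()]["excluded"] = True
        task = parse_schtask(cmdline)
        if task:
            findings[task["target"].lower()]["tasks"].append(task)
    for path, f in findings.items():
        f["masquerade"] = is_masquerade(path)
        schedules = {t["schedule"] for t in f["tasks"]}
        # 2 points each for the strong signals, 1 each for the persistence shape.
        f["score"] = (2 * f["excluded"] + 2 * f["masquerade"]
                      + any(t["runlevel"] == "HIGHEST" for t in f["tasks"])
                      + ({"ONLOGON", "MINUTE"} <= schedules))
    return dict(findings)


def suspicious(events, threshold=4):
    """Sorted (path, score) pairs at or above the threshold."""
    return sorted((p, f["score"]) for p, f in correlate(events).items() if f["score"] >= threshold)


PS = '"powershell" -Command Add-MpPreference -ExclusionPath '
SAMPLE_EVENTS = [  # command lines from the report; pid/image columns are constructed
    (2356, "powershell.exe", PS + r"'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'"),
    (1688, "powershell.exe", PS + r"'C:\Users\All Users\Microsoft\Windows NT\taskhost.exe'"),
    (2788, "schtasks.exe", r"""schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /f"""),
    (2936, "schtasks.exe", r"""schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f"""),
    (4242, "schtasks.exe", r"""schtasks.exe /create /tn "Backup" /sc DAILY /tr "'C:\Windows\System32\wbadmin.exe'" /f"""),  # constructed benign control
]

if __name__ == "__main__":
    for path, score in suspicious(SAMPLE_EVENTS):
        print(f"{score}  {path}")
```

The exclusion alone is worth an alert on most estates; the point of scoring is triage order when a host has dozens of these, as here. Feeding the full 16 exclusions and 45 schtasks lines from this report yields one high-scoring row per drop location.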
Suspicious behavior: EnumeratesProcesses 29 IoCs
pid Process: 1920 DllCommonsvc.exe (3 entries); powershell.exe with pids 2356 1624 2132 2088 2292 1592 2464 264 2156 1688 880 2388 2288 1524 1956 1536; taskhost.exe with pids 2164 1640 2084 2328 1144 1964 2108 2056 3008 3040 -
Suspicious use of AdjustPrivilegeToken 27 IoCs
description pid Process: Token SeDebugPrivilege in all 27 entries. DllCommonsvc.exe 1920; powershell.exe with pids 2356 1624 2132 2088 2292 1592 2464 264 2156 880 1688 2388 2288 1524 1956 1536; taskhost.exe with pids 2164 1640 2084 2328 1144 1964 2108 2056 3008 3040 -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target (identical rows collapsed; repeat count in parentheses)
PID 1864 wrote to memory of 2272 JaffaCakes118_c85d95a4400f6854f78433a0edb05913016dbd89fd3295a96630b9c353739de3.exe 30 (x4)
PID 2272 wrote to memory of 1796 WScript.exe 31 (x4)
PID 1796 wrote to memory of 1920 cmd.exe 33 (x4)
PID 1920 wrote to memory of 1624 DllCommonsvc.exe 80 (x3)
PID 1920 wrote to memory of 2356 DllCommonsvc.exe 81 (x3)
PID 1920 wrote to memory of 264 DllCommonsvc.exe 82 (x3)
PID 1920 wrote to memory of 2388 DllCommonsvc.exe 85 (x3)
PID 1920 wrote to memory of 1688 DllCommonsvc.exe 87 (x3)
PID 1920 wrote to memory of 2292 DllCommonsvc.exe 88 (x3)
PID 1920 wrote to memory of 880 DllCommonsvc.exe 89 (x3)
PID 1920 wrote to memory of 2288 DllCommonsvc.exe 90 (x3)
PID 1920 wrote to memory of 2156 DllCommonsvc.exe 91 (x3)
PID 1920 wrote to memory of 2132 DllCommonsvc.exe 92 (x3)
PID 1920 wrote to memory of 1524 DllCommonsvc.exe 93 (x3)
PID 1920 wrote to memory of 1536 DllCommonsvc.exe 94 (x3)
PID 1920 wrote to memory of 1592 DllCommonsvc.exe 95 (x3)
PID 1920 wrote to memory of 2088 DllCommonsvc.exe 96 (x3)
PID 1920 wrote to memory of 2464 DllCommonsvc.exe 97 (x3)
PID 1920 wrote to memory of 1956 DllCommonsvc.exe 98 (x3)
PID 1920 wrote to memory of 2164 DllCommonsvc.exe 112 (x3)
PID 2164 wrote to memory of 616 taskhost.exe 114 (x1) -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. Tasks registered this way leave no schtasks.exe command line, so on a live host check the task store itself: schtasks /query /v /fo CSV works on Windows 7 and later (the ScheduledTasks PowerShell module is only available on Windows 8 / Server 2012 and later) and will show the same ONLOGON/MINUTE triplets regardless of how they were created.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c85d95a4400f6854f78433a0edb05913016dbd89fd3295a96630b9c353739de3.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c85d95a4400f6854f78433a0edb05913016dbd89fd3295a96630b9c353739de3.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2356
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:264
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\Windows NT\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1688
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2292
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:880
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2288
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2156
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2132
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1536
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2088
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\fr-FR\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2464
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956
-
-
C:\Users\All Users\Microsoft\Windows NT\taskhost.exe"C:\Users\All Users\Microsoft\Windows NT\taskhost.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qsbi9TUILn.bat"6⤵PID:616
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:2440
-
-
C:\Users\All Users\Microsoft\Windows NT\taskhost.exe"C:\Users\All Users\Microsoft\Windows NT\taskhost.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1640 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvFVSjZSRs.bat"8⤵PID:3036
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:1192
-
-
C:\Users\All Users\Microsoft\Windows NT\taskhost.exe"C:\Users\All Users\Microsoft\Windows NT\taskhost.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2084 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1CE969IshF.bat"10⤵PID:2960
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:900
-
-
C:\Users\All Users\Microsoft\Windows NT\taskhost.exe"C:\Users\All Users\Microsoft\Windows NT\taskhost.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2328 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat"12⤵PID:584
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:448
-
-
C:\Users\All Users\Microsoft\Windows NT\taskhost.exe"C:\Users\All Users\Microsoft\Windows NT\taskhost.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1144 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat"14⤵PID:2572
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:2776
-
-
C:\Users\All Users\Microsoft\Windows NT\taskhost.exe"C:\Users\All Users\Microsoft\Windows NT\taskhost.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1964 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat"16⤵PID:2892
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:1764
-
-
C:\Users\All Users\Microsoft\Windows NT\taskhost.exe"C:\Users\All Users\Microsoft\Windows NT\taskhost.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2108 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CZdmQsnKkU.bat"18⤵PID:2460
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:2160
-
-
C:\Users\All Users\Microsoft\Windows NT\taskhost.exe"C:\Users\All Users\Microsoft\Windows NT\taskhost.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2056 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\USq6qxpMr5.bat"20⤵PID:2532
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:2716
-
-
C:\Users\All Users\Microsoft\Windows NT\taskhost.exe"C:\Users\All Users\Microsoft\Windows NT\taskhost.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3008 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat"22⤵PID:1424
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:2852
-
-
C:\Users\All Users\Microsoft\Windows NT\taskhost.exe"C:\Users\All Users\Microsoft\Windows NT\taskhost.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3040
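Two things in the tree above are worth encoding as process-tree rules rather than single-event matches: the schtasks.exe instances below whose recorded parent is wmiprvse.exe, and the taskhost.exe -> cmd.exe -> w32tm.exe loop in which each batch file runs w32tm /stripchart /computer:localhost as a short sleep and then starts a fresh taskhost.exe, nine generations deep in this run. The script below is an added example, not part of the sandbox output. EVENTS is a constructed subset of this report's tree in a minimal Sysmon Event ID 1 shape (pid, ppid, image, cmdline): PIDs, images and command lines are taken from the report; the parents the report does not show (the wmiprvse.exe host, PID 2640, and whatever launched the sample) are recorded as None.

```python
"""Process-tree checks for two chains in this report. Added example, not part
of the sandbox output. EVENTS is a constructed subset of the report's process
tree in a minimal Sysmon Event ID 1 shape (pid, ppid, image, cmdline); PIDs,
images and command lines come from the report, unknown parents are None.
"""
import ntpath


def base(image):
    return ntpath.basename(image).lower()


class Proc:
    def __init__(self, pid, ppid, image, cmdline):
        self.pid, self.ppid, self.image, self.cmdline = pid, ppid, image, cmdline
        self.children = []


def build_tree(events):
    """Index processes by PID and link each one to its recorded parent."""
    procs = {pid: Proc(pid, ppid, image, cmd) for pid, ppid, image, cmd in events}
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p)
    return procs


def unexpected_children(procs, parent_name, child_name):
    """PIDs of child_name processes whose recorded parent image is parent_name."""
    return sorted(p.pid for p in procs.values()
                  if base(p.image) == child_name and p.ppid in procs
                  and base(procs[p.ppid].image) == parent_name)


def is_local_stripchart(p):
    """w32tm polling localhost: a delay primitive with no network side effect."""
    c = p.cmdline.lower()
    return base(p.image) == "w32tm.exe" and "/stripchart" in c and "/computer:localhost" in c


def delay_relaunch_cmds(procs):
    """cmd.exe instances that sleep via localhost w32tm and then start a fresh
    copy of their own parent's image. Returns (cmd pid, parent pid, [new pids])."""
    hits = []
    for p in procs.values():
        if base(p.image) != "cmd.exe" or p.ppid not in procs:
            continue
        parent = procs[p.ppid]
        sleeps = any(is_local_stripchart(c) for c in p.children)
        relaunched = sorted(c.pid for c in p.children if c.image.lower() == parent.image.lower())
        if sleeps and relaunched:
            hits.append((p.pid, parent.pid, relaunched))
    return sorted(hits)


def relaunch_generations(procs, pid):
    """Count generations of the same image chained through cmd.exe, starting at pid."""
    start = procs[pid]
    cur, count = start, 1
    while True:
        nxt = [g for c in cur.children if base(c.image) == "cmd.exe"
               for g in c.children if g.image.lower() == start.image.lower()]
        if not nxt:
            return count
        cur, count = nxt[0], count + 1


TASKHOST = r"C:\Users\All Users\Microsoft\Windows NT\taskhost.exe"
W32TM = "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"
EVENTS = [  # (pid, ppid, image, cmdline); None = parent not shown in the report
    (2640, None, r"C:\Windows\system32\wbem\wmiprvse.exe", "wmiprvse.exe"),
    (2788, 2640, r"C:\Windows\system32\schtasks.exe",
     r"""schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /f"""),
    (2936, 2640, r"C:\Windows\system32\schtasks.exe",
     r"""schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f"""),
    (1864, None, r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c85d95a4400f6854f78433a0edb05913016dbd89fd3295a96630b9c353739de3.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c85d95a4400f6854f78433a0edb05913016dbd89fd3295a96630b9c353739de3.exe"'),
    (2272, 1864, r"C:\Windows\SysWOW64\WScript.exe", r'"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"'),
    (1796, 2272, r"C:\Windows\SysWOW64\cmd.exe", r'cmd /c ""C:\providercommon\1zu9dW.bat" "'),
    (1920, 1796, r"C:\providercommon\DllCommonsvc.exe", r'"C:\providercommon\DllCommonsvc.exe"'),
    (2164, 1920, TASKHOST, f'"{TASKHOST}"'),
    (616, 2164, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qsbi9TUILn.bat"'),
    (2440, 616, r"C:\Windows\system32\w32tm.exe", W32TM),
    (1640, 616, TASKHOST, f'"{TASKHOST}"'),
    (3036, 1640, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvFVSjZSRs.bat"'),
    (1192, 3036, r"C:\Windows\system32\w32tm.exe", W32TM),
    (2084, 3036, TASKHOST, f'"{TASKHOST}"'),
]

if __name__ == "__main__":
    procs = build_tree(EVENTS)
    print("schtasks under wmiprvse:", unexpected_children(procs, "wmiprvse.exe", "schtasks.exe"))
    print("sleep-and-relaunch cmd.exe:", delay_relaunch_cmds(procs))
    print("taskhost generations from 2164:", relaunch_generations(procs, 2164))
```

The sleep primitive matters for detection engineering: w32tm, ping and timeout are all used this way, and none of them is suspicious on its own, so the rule keys on the combination (delay child plus relaunch of the grandparent image from the same batch) rather than on w32tm alone. Sysmon ParentImage is the only field needed for the wmiprvse.exe check; Security 4688 needs Creator Process Name enabled.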
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\Windows NT\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Windows NT\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\Windows NT\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\providercommon\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Favorites\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Favorites\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 e084cb8c6f85bda75b4033941fbf23cf
SHA1 54f655e006234a4b9947208a0234050866a0306a
SHA256 d9d126d5efb0261c7e42ed1c8bdff643b641f39e5f9e72aaeecc44ceed1b6812
SHA512 5c9e222345b248f17df411ab0854e11c29afb2e4b9ce1c538184043d518528da06d4313a8a764a503effc4770512c46bf3de96eff6cf4c633fd3ce530800e6e5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 7605089d9604da7ee4ade0dd2759e2ad
SHA1 4bbfb08b4cb92e488691c79f617cfbaf87abbc66
SHA256 dd9511c0dc8666c2e82c50f0ee62ecafe3efb1c9eae1ae43e7dfe53568cac1fc
SHA512 61a6ffb133ffe5e98ad80cbd1463b783e68ecd11ed984029afd2590178674a003422c7b08b3ba9adea8e252d7d291c998854bcdb7dd1404feeb7d805c0e70e6d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 e1db2aebadc2af4f7d108947a73740b7
SHA1 e1c0836569566943b981afff25ccea015fb98ab5
SHA256 113abaef59295726ab7b51ea60e7051d22816869766929b7c54128719b5c9cb7
SHA512 1fdf5ea2da00712f1546c6610291590d0eb5370d217a89384895a5d0ae36e3f3f25916f46f17338b415fc195024ce4b7c12f65b70a297a88fe38635d4344890c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 f2a9974caa281e19dd930f48dadaee09
SHA1 e55a75d321042f6eb2dc4c617b0ade11ba0d9ed1
SHA256 be5fc0f899c77e49a976439ead1ffe06afa3f4af07af5df1c05e4cda18098669
SHA512 c5ccdcb91a61174faa38d1fd67fbe83b4035ae10943634ced57d3ec7f8e04b68c1c03104a1ed210fe4369055a20418f781c928e50dd7eeaca0ec1dfab37b7a0c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 803e403b5c55337ce8c8dd3029706b8a
SHA1 7b5d45c6a876bab8a1839637c66187ba28480f03
SHA256 0f359266ff6b758cc7bb41e2776596a9276d729746bedfbbad73ad755ae7d534
SHA512 43e8524b658925bce25909d792bfa2478e2169f35570f2af9c03217233cb85dbf1b2333e8b9eb6bc6d81a56d9cf23803a7a4da89823dddb2b637677a0ec43e1b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 fcc660d71bedad21fc136e7b064c56be
SHA1 4dc6a6cb335d1026f2f42a7806a5fab858ce4514
SHA256 3266031608e9308d0e256f466f83dc9a563cf500fe8468cce3d1c8dc9b470b2b
SHA512 eb5732eacbaa85a3445faf609b94e806d6e9035b11ae35c8b0c91bd4e85f62120a638a3d47a05d6ac51161b451cc75557be680218a5b119add09b24c4bf29a1f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 2d19dffc69f4b5917274923264ce98e0
SHA1 5da8884bd5f90b9ab9ed04a6d5a3ecae78c6878d
SHA256 6787333cc5d614829f72974a2efa18f4cde1e9cd57e8360c36ff133011caf282
SHA512 99e8bb3b5446a79f9a24d4e4cd58f6ee2cb8f6f398c75bde272ba489662fbf552e5261a3b0a26e1134d0b0a3b4e9520eaf32fc82181619a1c429336c87781109
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 237cb50ffc7e8bc68648f79f0a978876
SHA1 218903ed01a8c459eb2a71faf04866224143abd3
SHA256 c96f0dfeba4140cd6f6e293f6cd303f900101445561d205caa8451be9e9dd268
SHA512 78a4e99e53f167c3e9c18c4acc5bd358e3a15e79056d2201498d07cc3b912f92e2b51d6a34df8a7ee71d54041e0c5f1e2c5385743c71fc2a2db16a0ed169a40a
-
Filesize 217B
MD5 f614676f9fbc45ed2554ccc83b10967d
SHA1 27052f9b5c6309a4e0be53640fa29cd31e6b559d
SHA256 cf5582b42f24b683aa03189652477448445888b3b42d2f8e400217ab22d5ecde
SHA512 447b4e7b2bb1b16ab5ed3aefd731afaa4dd3b8c39e2ba79aecb02adc1bc867eb3805467308187b117cf73c9185514a70c52ee8908da6e112fa1dd5b3ce5c776f
-
Filesize 217B
MD5 e4910344cefcfd58d5e608452709dc4a
SHA1 17eab74500f9b47104d1cfc5cde95a29d56f5549
SHA256 6c4b2ffd4653c97b391f19d5418f3213344a96650e9b477a73d309acfa9a3edc
SHA512 c75671e012ea1f9d5d87903483657bcd1d423981ca504e3822d2ec73d5f0d2f464c3f412052c082946b7186b3163d1c7124ecfd152d6eb6ca3e3eb92fb4bc810
-
Filesize 217B
MD5 f5f411d5fee8a6ab0c2d8c94b17385a1
SHA1 a968047916986e1eaa27b76e1d457578c5d2c23e
SHA256 08879c51a59c1067611d64b51ff55ea73ccd280a7b670513d0bdfa0bde3908c4
SHA512 1907ed44bfda8dac435ff93462331f331850a811c814d70022cea6bd94567d6a5d17eee7b9d624a1c6444fcd7e5d5b711c258c0c3a4569fc854f49551305b02e
-
Filesize 217B
MD5 9730649b22cd0bdf2ebcacae2c23dd85
SHA1 79820c06f713acd4242150efd7b98908c04a05f2
SHA256 94dfe3c8a0705990a25a14cd7ecce2bb22513c710d87cb8ab060a678b9812c2b
SHA512 1ac358a807b28608cf35070f708e560f05b44bca8b43b388d5cd8430549c533a653c727d201733b03a942af92e163bda7622c17be2d6faa971d775861c615e4f
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 217B
MD5 2a9678ea24b81c9f50ff051e013af259
SHA1 516ecb1772ddbb82a8972d85da917e13d7b8900e
SHA256 4b3079db5fc51029de6b160b6f083a626b125ae5ef5a0890dd070bcfc3501021
SHA512 842667428e60639103c0c3e03509d67db25c4e93032792a4759d69856b431f5b5eaae670d25626dca998b01b8ac7a7bc7a91d97289bed7372c78f4f63df97589
-
Filesize 217B
MD5 3302a119ce1be8790a8fbdaf2ffe92e1
SHA1 29c86b1775db318bfde291f92e5eb03a00676669
SHA256 c9d3afcd2d76b41f09a8f26e79fbf7c26451b0c1a719427fc1316e436fad3d26
SHA512 6daf2a40c888e6a7a7e9c019ac3b0550df58e6de9775f6ad47b4875998067b194966c04c937161f8ff7066a4bd7c5e5962f60ba2a2a79304dca179e237c61a72
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 217B
MD5 c42cd59e7c5e6f445dd793919bce7969
SHA1 f5bc84f307b437d4a7960ada17a6411ad89c4769
SHA256 15bf87382b74e2ef81eac7e96ce90e2765b76bb2cea5d42aa8c706bf26b437a5
SHA512 dfee6d9be2c35ceb8fc1fbda1595b368499902e933c1b307a579b43d83fce2a9441f4c9c2d8ec170d3485b3ca85c811d7deb7d89a68b800704fa3e4c06defba1
-
Filesize 217B
MD5 752596a158081dbd7efcb53a28d1389e
SHA1 7a39549dc065d826734a8919f30f8d46ec269690
SHA256 f3534be1b9725e41d19d66058ff4757870e48b8b83004b5ca5183cfa2a0c8a94
SHA512 1c7dc5a81b61010a91723ce9b43ef1ccedb85ddb0472e1861c463853774363ab4ab9a21d2bdc3f4faf505e514b4306e1c2f85c9b1486a58712bcdcbeb395162c
-
Filesize 217B
MD5 36ab40c613a51af2f8522d0459f5be37
SHA1 91b018a72b318fe85ee8ff16645198daa72da745
SHA256 e00e93b3d044de7483ca2c167874848a7307fbe35f4178b8780d94740c08794a
SHA512 ae484720e235983aa52006a851eefca627f11020d1eac5945b2b1b66141919acf5ed37a0724aeba471a23c8f770428aaf588e07f88174ee4bcd2cc36ce4fec02
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 5dd7be1278d60122bd8d86ec52f77830
SHA1 8989dcc2f1b712a51d73a4bb4cd052fd4cb8bd01
SHA256 a62f792980eb968723c8c47055aee1d987415292b308dced787a8c5ce81898de
SHA512 69afd405db79eef5df23fb371a670863caecb9936e4fd66b3a4f5407b47ff4ff9c966c3e5d9fcc5b64a1bb75778782a37062dbbd25412e1dba7879d10112ff15
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394