Analysis
-
max time kernel
145s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22-12-2024 00:33
Behavioral task
behavioral1
Sample
JaffaCakes118_bfaef7cb4811a7c0b577807e161326cdbd92562c0c00129cc3b69a8cc670c06e.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_bfaef7cb4811a7c0b577807e161326cdbd92562c0c00129cc3b69a8cc670c06e.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_bfaef7cb4811a7c0b577807e161326cdbd92562c0c00129cc3b69a8cc670c06e.exe
-
Size
1.3MB
-
MD5
6d43f526c616a7c4062bb12f13ae1dd8
-
SHA1
080775f3f2adb478bef3ac5bf9d04a3235044965
-
SHA256
bfaef7cb4811a7c0b577807e161326cdbd92562c0c00129cc3b69a8cc670c06e
-
SHA512
f2735baee1c7cae75a7172229ff5909fe7748a2d9d23543281e8b332423a2331601f4c3db343f3f6eff0c3308794db12ad08a64983bebbbd8884698f64d9db1f
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2852 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1992 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2576 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2552 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2584 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2984 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1328 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1848 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1840 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2844 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1812 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 996 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1652 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2828 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 852 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2768 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1764 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1628 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1780 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2856 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2880 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2348 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2220 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1484 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2192 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2104 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1032 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2376 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2408 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1236 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1684 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1860 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2056 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1496 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2492 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1680 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 764 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1852 2820 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1028 2820 schtasks.exe 35 -
resource yara_rule behavioral1/files/0x0008000000016d36-9.dat dcrat behavioral1/memory/2660-13-0x0000000001300000-0x0000000001410000-memory.dmp dcrat behavioral1/memory/2220-122-0x0000000000FD0000-0x00000000010E0000-memory.dmp dcrat behavioral1/memory/920-181-0x0000000000310000-0x0000000000420000-memory.dmp dcrat behavioral1/memory/2960-241-0x00000000009E0000-0x0000000000AF0000-memory.dmp dcrat behavioral1/memory/612-301-0x0000000000FF0000-0x0000000001100000-memory.dmp dcrat behavioral1/memory/2736-361-0x0000000001010000-0x0000000001120000-memory.dmp dcrat behavioral1/memory/2680-481-0x0000000000190000-0x00000000002A0000-memory.dmp dcrat behavioral1/memory/1848-541-0x0000000000980000-0x0000000000A90000-memory.dmp dcrat behavioral1/memory/3060-602-0x0000000001240000-0x0000000001350000-memory.dmp dcrat behavioral1/memory/2764-721-0x0000000001340000-0x0000000001450000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 3028 powershell.exe 1904 powershell.exe 2428 powershell.exe 2352 powershell.exe 2956 powershell.exe 2032 powershell.exe 1132 powershell.exe 2412 powershell.exe 1576 powershell.exe 1500 powershell.exe 2080 powershell.exe 3036 powershell.exe 544 powershell.exe 3068 powershell.exe -
Executes dropped EXE 12 IoCs
pid Process 2660 DllCommonsvc.exe 2220 smss.exe 920 smss.exe 2960 smss.exe 612 smss.exe 2736 smss.exe 2124 smss.exe 2680 smss.exe 1848 smss.exe 3060 smss.exe 1928 smss.exe 2764 smss.exe -
Loads dropped DLL 2 IoCs
pid Process 1808 cmd.exe 1808 cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow ioc 5 raw.githubusercontent.com 12 raw.githubusercontent.com 13 raw.githubusercontent.com 23 raw.githubusercontent.com 27 raw.githubusercontent.com 34 raw.githubusercontent.com 37 raw.githubusercontent.com 4 raw.githubusercontent.com 9 raw.githubusercontent.com 17 raw.githubusercontent.com 20 raw.githubusercontent.com 30 raw.githubusercontent.com -
Drops file in Program Files directory 12 IoCs
description ioc Process File created C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\a76d7bf15d8370 DllCommonsvc.exe File created C:\Program Files\Mozilla Firefox\browser\features\6203df4a6bafc7 DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\24dbde2999530e DllCommonsvc.exe File created C:\Program Files\Microsoft Games\Minesweeper\it-IT\0a1fd5f707cd16 DllCommonsvc.exe File created C:\Program Files (x86)\Windows Mail\ja-JP\WmiPrvSE.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Mail\ja-JP\24dbde2999530e DllCommonsvc.exe File created C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\DllCommonsvc.exe DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\WmiPrvSE.exe DllCommonsvc.exe File created C:\Program Files\Microsoft Games\Minesweeper\it-IT\sppsvc.exe DllCommonsvc.exe File created C:\Program Files\Mozilla Firefox\browser\features\lsass.exe DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\dllhost.exe DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\5940a34987c991 DllCommonsvc.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Tasks\cmd.exe DllCommonsvc.exe File created C:\Windows\Tasks\ebf1f9fa8afd6d DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_bfaef7cb4811a7c0b577807e161326cdbd92562c0c00129cc3b69a8cc670c06e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2552 schtasks.exe 1652 schtasks.exe 1764 schtasks.exe 852 schtasks.exe 2768 schtasks.exe 1680 schtasks.exe 1328 schtasks.exe 1628 schtasks.exe 2104 schtasks.exe 2408 schtasks.exe 1236 schtasks.exe 1028 schtasks.exe 2984 schtasks.exe 1840 schtasks.exe 2880 schtasks.exe 1484 schtasks.exe 2192 schtasks.exe 1992 schtasks.exe 2844 schtasks.exe 1812 schtasks.exe 996 schtasks.exe 1496 schtasks.exe 2492 schtasks.exe 2576 schtasks.exe 1780 schtasks.exe 2376 schtasks.exe 1684 schtasks.exe 1860 schtasks.exe 2056 schtasks.exe 1852 schtasks.exe 1848 schtasks.exe 2828 schtasks.exe 2856 schtasks.exe 764 schtasks.exe 2852 schtasks.exe 2584 schtasks.exe 2348 schtasks.exe 2220 schtasks.exe 1032 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid Process 2660 DllCommonsvc.exe 1132 powershell.exe 2080 powershell.exe 1576 powershell.exe 2412 powershell.exe 544 powershell.exe 2352 powershell.exe 2956 powershell.exe 1500 powershell.exe 1904 powershell.exe 3036 powershell.exe 2032 powershell.exe 3028 powershell.exe 2428 powershell.exe 3068 powershell.exe 2220 smss.exe 920 smss.exe 2960 smss.exe 612 smss.exe 2736 smss.exe 2124 smss.exe 2680 smss.exe 1848 smss.exe 3060 smss.exe 1928 smss.exe 2764 smss.exe -
Suspicious use of AdjustPrivilegeToken 26 IoCs
description pid Process Token: SeDebugPrivilege 2660 DllCommonsvc.exe Token: SeDebugPrivilege 1132 powershell.exe Token: SeDebugPrivilege 2080 powershell.exe Token: SeDebugPrivilege 1576 powershell.exe Token: SeDebugPrivilege 2412 powershell.exe Token: SeDebugPrivilege 544 powershell.exe Token: SeDebugPrivilege 2352 powershell.exe Token: SeDebugPrivilege 2956 powershell.exe Token: SeDebugPrivilege 1500 powershell.exe Token: SeDebugPrivilege 1904 powershell.exe Token: SeDebugPrivilege 3036 powershell.exe Token: SeDebugPrivilege 2032 powershell.exe Token: SeDebugPrivilege 3028 powershell.exe Token: SeDebugPrivilege 2428 powershell.exe Token: SeDebugPrivilege 3068 powershell.exe Token: SeDebugPrivilege 2220 smss.exe Token: SeDebugPrivilege 920 smss.exe Token: SeDebugPrivilege 2960 smss.exe Token: SeDebugPrivilege 612 smss.exe Token: SeDebugPrivilege 2736 smss.exe Token: SeDebugPrivilege 2124 smss.exe Token: SeDebugPrivilege 2680 smss.exe Token: SeDebugPrivilege 1848 smss.exe Token: SeDebugPrivilege 3060 smss.exe Token: SeDebugPrivilege 1928 smss.exe Token: SeDebugPrivilege 2764 smss.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2024 wrote to memory of 2320 2024 JaffaCakes118_bfaef7cb4811a7c0b577807e161326cdbd92562c0c00129cc3b69a8cc670c06e.exe 31 PID 2024 wrote to memory of 2320 2024 JaffaCakes118_bfaef7cb4811a7c0b577807e161326cdbd92562c0c00129cc3b69a8cc670c06e.exe 31 PID 2024 wrote to memory of 2320 2024 JaffaCakes118_bfaef7cb4811a7c0b577807e161326cdbd92562c0c00129cc3b69a8cc670c06e.exe 31 PID 2024 wrote to memory of 2320 2024 JaffaCakes118_bfaef7cb4811a7c0b577807e161326cdbd92562c0c00129cc3b69a8cc670c06e.exe 31 PID 2320 wrote to memory of 1808 2320 WScript.exe 32 PID 2320 wrote to memory of 1808 2320 WScript.exe 32 PID 2320 wrote to memory of 1808 2320 WScript.exe 32 PID 2320 wrote to memory of 1808 2320 WScript.exe 32 PID 1808 wrote to memory of 2660 1808 cmd.exe 34 PID 1808 wrote to memory of 2660 1808 cmd.exe 34 PID 1808 wrote to memory of 2660 1808 cmd.exe 34 PID 1808 wrote to memory of 2660 1808 cmd.exe 34 PID 2660 wrote to memory of 1132 2660 DllCommonsvc.exe 75 PID 2660 wrote to memory of 1132 2660 DllCommonsvc.exe 75 PID 2660 wrote to memory of 1132 2660 DllCommonsvc.exe 75 PID 2660 wrote to memory of 2032 2660 DllCommonsvc.exe 76 PID 2660 wrote to memory of 2032 2660 DllCommonsvc.exe 76 PID 2660 wrote to memory of 2032 2660 DllCommonsvc.exe 76 PID 2660 wrote to memory of 3028 2660 DllCommonsvc.exe 77 PID 2660 wrote to memory of 3028 2660 DllCommonsvc.exe 77 PID 2660 wrote to memory of 3028 2660 DllCommonsvc.exe 77 PID 2660 wrote to memory of 2956 2660 DllCommonsvc.exe 79 PID 2660 wrote to memory of 2956 2660 DllCommonsvc.exe 79 PID 2660 wrote to memory of 2956 2660 DllCommonsvc.exe 79 PID 2660 wrote to memory of 1500 2660 DllCommonsvc.exe 80 PID 2660 wrote to memory of 1500 2660 DllCommonsvc.exe 80 PID 2660 wrote to memory of 1500 2660 DllCommonsvc.exe 80 PID 2660 wrote to memory of 1576 2660 DllCommonsvc.exe 81 PID 2660 wrote to memory of 1576 2660 DllCommonsvc.exe 81 PID 2660 wrote to memory of 1576 2660 DllCommonsvc.exe 81 PID 2660 wrote to memory of 3068 2660 DllCommonsvc.exe 82 PID 2660 wrote to memory of 3068 2660 DllCommonsvc.exe 82 PID 2660 wrote to memory of 3068 2660 DllCommonsvc.exe 82 PID 2660 wrote to memory of 2080 2660 DllCommonsvc.exe 84 PID 2660 wrote to memory of 2080 2660 DllCommonsvc.exe 84 PID 2660 wrote to memory of 2080 2660 DllCommonsvc.exe 84 PID 2660 wrote to memory of 544 2660 DllCommonsvc.exe 85 PID 2660 wrote to memory of 544 2660 DllCommonsvc.exe 85 PID 2660 wrote to memory of 544 2660 DllCommonsvc.exe 85 PID 2660 wrote to memory of 3036 2660 DllCommonsvc.exe 86 PID 2660 wrote to memory of 3036 2660 DllCommonsvc.exe 86 PID 2660 wrote to memory of 3036 2660 DllCommonsvc.exe 86 PID 2660 wrote to memory of 2428 2660 DllCommonsvc.exe 87 PID 2660 wrote to memory of 2428 2660 DllCommonsvc.exe 87 PID 2660 wrote to memory of 2428 2660 DllCommonsvc.exe 87 PID 2660 wrote to memory of 1904 2660 DllCommonsvc.exe 88 PID 2660 wrote to memory of 1904 2660 DllCommonsvc.exe 88 PID 2660 wrote to memory of 1904 2660 DllCommonsvc.exe 88 PID 2660 wrote to memory of 2412 2660 DllCommonsvc.exe 89 PID 2660 wrote to memory of 2412 2660 DllCommonsvc.exe 89 PID 2660 wrote to memory of 2412 2660 DllCommonsvc.exe 89 PID 2660 wrote to memory of 2352 2660 DllCommonsvc.exe 90 PID 2660 wrote to memory of 2352 2660 DllCommonsvc.exe 90 PID 2660 wrote to memory of 2352 2660 DllCommonsvc.exe 90 PID 2660 wrote to memory of 2012 2660 DllCommonsvc.exe 103 PID 2660 wrote to memory of 2012 2660 DllCommonsvc.exe 103 PID 2660 wrote to memory of 2012 2660 DllCommonsvc.exe 103 PID 2012 wrote to memory of 2852 2012 cmd.exe 105 PID 2012 wrote to memory of 2852 2012 cmd.exe 105 PID 2012 wrote to memory of 2852 2012 cmd.exe 105 PID 2012 wrote to memory of 2220 2012 cmd.exe 106 PID 2012 wrote to memory of 2220 2012 cmd.exe 106 PID 2012 wrote to memory of 2220 2012 cmd.exe 106 PID 2220 wrote to memory of 2788 2220 smss.exe 107 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfaef7cb4811a7c0b577807e161326cdbd92562c0c00129cc3b69a8cc670c06e.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfaef7cb4811a7c0b577807e161326cdbd92562c0c00129cc3b69a8cc670c06e.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1132
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2032
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\ja-JP\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3028
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2956
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1500
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\browser\features\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3068
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2080
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Start Menu\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:544
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3036
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Minesweeper\it-IT\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2428
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1904
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2412
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\explorer.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2352
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DOzbeKYoRT.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:2852
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KtkjGbmHOL.bat"7⤵PID:2788
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:1692
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:920 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat"9⤵PID:2748
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:964
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2960 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzxbGmHcY3.bat"11⤵PID:2904
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:1700
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:612 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PoOVO2yVWN.bat"13⤵PID:1268
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵PID:1036
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FaowIOOII5.bat"15⤵PID:2740
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵PID:2192
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2124 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAQQp9H1T4.bat"17⤵PID:1672
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵PID:1284
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2680 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat"19⤵PID:1060
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵PID:304
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1848 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OWdtHMBUzi.bat"21⤵PID:1008
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵PID:568
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3060 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fELEOgu8eF.bat"23⤵PID:1380
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵PID:1664
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1928 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vdJwOJplm6.bat"25⤵PID:2584
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵PID:1392
-
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"26⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\providercommon\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\browser\features\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\features\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\browser\features\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Start Menu\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Start Menu\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\Minesweeper\it-IT\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Minesweeper\it-IT\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\Minesweeper\it-IT\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Tasks\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5d859da787c77aa16de74570ea9b580a3
SHA1e07f1de19586a9e78f873d5a887c5db93e7b7d5d
SHA256a5586792219fd1bb9c2f23eea0def50081472945c081a198346fc333d94aaf19
SHA512d0f41b3490ec2bb3a5a184525df355fc4219b0d157f96c832836f712b8942359f89baf31ffc7b8c3e5059d534beff023f6e6e4475d9a1c324fd69bb43c93cb2c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5d4d7bef1db17600d348817d44b810fa6
SHA10e4e8d7586ebeac65447e6a18c10364cd4e048f7
SHA2567e4196ebb0eb8d2a2566cefb7768b93b12b9628cf99516b9858f4d69650b48ed
SHA512f58ce37d6832fc3ab19410e6b84cd1c753ae2501533c24aca0befb575f50f863074664b0071dd71eb139b6008874524560d19673d7ce2533416cc08f477fe164
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5f63f1a364646ed1165ee648fb6de9bed
SHA1e9ac56e7fb1e00e42ebfc512b53756aa22e4d3fb
SHA2568203f2fec295a9596effce9bc0f4ab4aea9e00e97b9daa67f71a04f6bc87c791
SHA5121b03fd3d7c3dadb85d54578b815bfd4ef7f07f07879d175f04e1ef356f0e586430d8359835d928d8e858973df228651955fd9a1cea080acca958365b3497b597
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5ceada233e011bfa5d538644e7c24040f
SHA12494498967fbfaadd98a4b9cb813860f4449040f
SHA256e3a53e653771f2f92f10e35047f1ae7bd6b27601573c64e6fbd3a4fa39b74236
SHA5124f669e3a42b2c656b1a0438b25160bc4be46322a7c7ed75a2afc57990c563f673c7448f4fde7d5b17fb389edf9e84ef3c93dddc84be91961a82c969219cca145
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5dc7f55db6331ba2f3cbbae8c47d06bd4
SHA18ca7854f8c63ebe5253cca026e022b4c1ddd1345
SHA256e94723e58c6b1e94d6b6a2892eb2005a835768de3868cab83b95439ae648fb4d
SHA512cc2fb517f29381a77d8981bbf5e3050b93f8620d5a5c02b3289ee75f506812fac15327a3c815cf3a460e27645f45f23760a47586ea6e1d7b722154e09a85c3f5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5c94a1bfe2cc188ebc6f43f23b4bd8246
SHA186254bfc2f7279cd94369338b995431e976a4811
SHA2569b69afd3d566a37106ca1bb6f824392ea8f02f53f82405275aad8eff2af64ea7
SHA512063c2d97af83cabc60b92024caabe14dee8edf4c950cf7ffd9928de121d5b38d13e3ee940d9363a1eba7a558838603f5a090caf47249835a8b1679b39f298516
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD57782dea202b951c39865251f16fef5d0
SHA1dcbcce0144e496f6104b07f315edf38b4f24e266
SHA256a73ee125d4bdc6730bec615d7ee05917c9cf2c17fa2400599241c327e7f41724
SHA51253c046677799268acd204ddf174e3d448631fc34feffc4e063d32bd3009e468b6ea664088d90ad98e55acf5a31a1ba60f18ebcd663ad40d199dbf4a493c1ffed
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD57018799e2a93c1a8b46d234820dbd86b
SHA108accae99291863dffb3e837816871fb08d7a500
SHA2560620ddafaa6a735ae7cb6b24429ccfbbb45e77819467517630020fab4600e38a
SHA51248640278d70e4a0b49e3a1df8cc8c6482f479018ad514bd514894b99509d7b9ecfbc92315b13975334ba986950eb9ea349886d7a2656fe216ce2ae6849b315c0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD56dc9da50e5800548dce489f2a80fcc07
SHA137370ba2eb3c0ec33b58ebaa810276fcd3a276aa
SHA2562e98eb31a70c33b93da99df1562d7304872f5b66992680b278c83d3d9bf894e1
SHA5126a9d235a9f009661dcf468f2d1485e54bcbd5953321608b9bac70021e233e3d4124cb5ae1cf8b9db680059c3be31b106f254b9430d6c5ab6f0d56b8327faa97a
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
236B
MD5e5c951ffe1644006db089e0d25447434
SHA1c507677aada556ae3bde8b907d3355cde797b00d
SHA256a4c89d7c86320ef9b27ffe1be02b569042a74bcd19ff30d48580fb1ede969748
SHA5125457adeda6f79e3393ec454285e59bdbc8d861aee560de019a8644c3ee2e3af4c0b5e82de283206990a2eea674c89a1d74b78f43d55376fe90491b59531cf191
-
Filesize
236B
MD5a0d77ee80f67338b792a3d7d2ee9ebea
SHA17c9eb4ec0d5ad36b9f9dbce13069e57e9e162bd7
SHA256002c0be306697f6ce8b4dad14cdf4586ed8a5f04c27f6418ed4204bab3ed74ad
SHA512c650527e3529c487f737da9cf007ca7b7da29e65a94be1369a2b5b8134cda91cdc48196ce66054ab47b65b96345961ce94434396e07d07b48a19d7a4c4d01aac
-
Filesize
236B
MD5f4d3ead1891fbd780952a515066113a9
SHA159ba8aa62a2d64d49467c3bb98cf5fe0166f0752
SHA25660236529cdef05136c266ee5b2995699a0681d51a5335c32c13878b845df66e0
SHA5125c1ea61f2ae3f8517b6f3b4763debd713eac350167214ff32a4cbf089948d9c550c1b06382c23e7436fd31169cd798962662523def41693b27fa0d734c1e58dc
-
Filesize
236B
MD5cdf661a9ea7e4e725f37d70fe1f88c2f
SHA15be072dc111a57f60b6af3ead181e23c130e88c7
SHA256d2f45fe3a702858bbfbb91ad8eb54faeac04b2523166bb528d1d00cf9c5d249a
SHA5124edcf82289c73c48ca88dcbf0701475da0aafeaf5d5f18774dc2b91c741cabd1d325b6f658ffbc6b6f1d29fba73238861757ecf61bea7e7b4e7389bf19908f22
-
Filesize
236B
MD57949f6794b35731a4e214a6afa2805ac
SHA125c1c229cd6590bc89da390df570fea9a5e40337
SHA25644d92131c1202652aa0b974ff6169249f4863e82c4f8a61b74422a7cb026fdf4
SHA51280edd2359b3b157227af868cd451235fbe9b383579c44ce9429dd123728a3aed017e08a0f1648acba7ebc2ca4088b643c4250c775aee5d8c0a72898c96be26dc
-
Filesize
236B
MD5d674b4d77fc57396850d65a526683925
SHA10baca11fb427eb88d989dbab5cc2bce631de545e
SHA256cebcf929a2374cacd8a54c490e82f6f47e296de470848efedd4aaa711c63870a
SHA512b726b0bc3a8529526a44d92bb2c8fd8968c5f702822d0b7e16494f498bae959f14464b3cca85863800db57837db75f15fbced2f269d121cfbaa140744f215e1c
-
Filesize
236B
MD5bcd9def2ca2219e2cf7f1224d631643d
SHA169219faeded07521325e140f177f8b79045dee13
SHA2567f99b6bf538988121b1c1738e59ab4db1fc77adf19b130f85afdf43786b58e99
SHA5123dc8f88ff6d6a784b8bdfe24cd950113a0cbc19f2d01c00a53b15ce033b6343331a0c48fc63a8c77fd41e9d0858ef08263f192cc9a2476558a7962e8eaa0a22b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
236B
MD5801397323bc3d8ec7cbde7ec02c99596
SHA19ee77f4d26c6bc6438367c88f659e5f3f01c3256
SHA25622a38ebc372394c9b23e6dba41ba04881e93604a8a0938fdbb5dc0cd11a3f1ef
SHA51261fae89be8c5447bdb18188b29acfb2e459e917559230363b38ce6a4c95615549e3e4acfc2238fa63ad73b070d3c19eb88ffe7fc827b7ae82cd8f264f7ec06eb
-
Filesize
236B
MD5f354fe0e1ab721c9bf54213da3e9499c
SHA13947c2df21e0b3f7756b6e7795da6f83320d18d1
SHA25600a8aa519ce994fab819586a5548d1770f195527a9b99e5a894b2d4f761ec491
SHA51278adc8644cdc69a22b9df68dc01002cec1b11dd0a00f178c4a3fca2926cb7026fa68297ef91b89d21c01b7339c0710b854d5b5378284988167474e5d8666d9d4
-
Filesize
236B
MD520502d88199e064eaee3a84e95e7fb1e
SHA114f14272bdcdada72e38e8868fc793cfd5a58de5
SHA25691568ccb17869952188ec25c106b8818e4b8916180520e04bfd827f86643be5b
SHA512391ae21c6bf40b71b48a8519657f5cecbb1fa4f13d2ab89c3eaad22ef2a38e1715aec34efe693a0558c332434a80e454ba76b4712d63ac8d44e8da92f215ec4a
-
Filesize
236B
MD57e8ab49c1b626903dfd73a458caba24d
SHA150435949e07a96c5851b152ba362e6eee8a50f3c
SHA2562869d13590dc13ded345eb11aab942ba98e48e1fccb2adcd17e1b110138b9b90
SHA51281f1210d82774902b864208a3514e055ed5d3462efac9592649a6aafa29f763397044c4557d9506013b775b26e41dea4f681a8a77c795f7f30613e0e7aeae082
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5d373f21bc47e1f56083787532ad4f37c
SHA1eb6bb527e706a5a7c49a628c56e0c55bb10e5b12
SHA25609b67314be58e485d2d81f7e5a8ec46c4eeb0c74ff8792654d429d024bae6f59
SHA512ebdd0b7157750e25b9dc718a88b9f9b9a5d47335ea9a363051e86bc000d2abd4def7ad6118312035ac69411f7c4b922076ef9cd5aab8296f9556127c3265d823
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394