Analysis
-
max time kernel
147s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22-12-2024 05:53
Behavioral task
behavioral1
Sample
JaffaCakes118_cd41fa14645c6ec64478a03d75417aeed98433545ec678f3906af782873634aa.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_cd41fa14645c6ec64478a03d75417aeed98433545ec678f3906af782873634aa.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_cd41fa14645c6ec64478a03d75417aeed98433545ec678f3906af782873634aa.exe
-
Size
1.3MB
-
MD5
41bdb1167beae3e2861a63f9076d1392
-
SHA1
823db521639c8f26668efea399dc3b41a2cfe4d8
-
SHA256
cd41fa14645c6ec64478a03d75417aeed98433545ec678f3906af782873634aa
-
SHA512
34b56582eb62308e5716ee877da4c8bb29326297e5c951c25775932794b329d6a16e0123e515373ff0bdca26c2544dffc68824049aa2e8eb439e580a8306c445
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2308 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1108 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1716 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1152 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 556 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2288 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2952 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1320 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2832 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2920 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2268 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2624 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2756 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1632 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2960 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 264 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 796 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2120 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2412 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2224 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2216 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3024 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2404 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 632 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2968 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 444 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 272 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1708 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 964 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 672 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2604 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 828 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 684 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1520 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1536 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2972 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2036 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2020 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1880 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 972 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1212 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2324 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1936 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 752 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1476 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1072 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1776 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2312 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1740 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1688 532 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 576 532 schtasks.exe 34 -
resource yara_rule behavioral1/files/0x0008000000016ce1-12.dat dcrat behavioral1/memory/2820-13-0x00000000012C0000-0x00000000013D0000-memory.dmp dcrat behavioral1/memory/2188-150-0x0000000000310000-0x0000000000420000-memory.dmp dcrat behavioral1/memory/2080-209-0x0000000000D60000-0x0000000000E70000-memory.dmp dcrat behavioral1/memory/2208-269-0x0000000000010000-0x0000000000120000-memory.dmp dcrat behavioral1/memory/964-329-0x0000000000FF0000-0x0000000001100000-memory.dmp dcrat behavioral1/memory/1784-389-0x00000000013E0000-0x00000000014F0000-memory.dmp dcrat behavioral1/memory/2912-508-0x0000000000250000-0x0000000000360000-memory.dmp dcrat behavioral1/memory/1832-569-0x0000000001280000-0x0000000001390000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2760 powershell.exe 2780 powershell.exe 2700 powershell.exe 2672 powershell.exe 2728 powershell.exe 2716 powershell.exe 3028 powershell.exe 2704 powershell.exe 1548 powershell.exe 2168 powershell.exe 2864 powershell.exe 2788 powershell.exe 3020 powershell.exe 1704 powershell.exe 2800 powershell.exe 2724 powershell.exe 1364 powershell.exe 2584 powershell.exe -
Executes dropped EXE 11 IoCs
pid Process 2820 DllCommonsvc.exe 2188 dllhost.exe 2080 dllhost.exe 2208 dllhost.exe 964 dllhost.exe 1784 dllhost.exe 2748 dllhost.exe 2912 dllhost.exe 1832 dllhost.exe 1636 dllhost.exe 1040 dllhost.exe -
Loads dropped DLL 2 IoCs
pid Process 2680 cmd.exe 2680 cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow ioc 30 raw.githubusercontent.com 33 raw.githubusercontent.com 4 raw.githubusercontent.com 22 raw.githubusercontent.com 12 raw.githubusercontent.com 16 raw.githubusercontent.com 19 raw.githubusercontent.com 26 raw.githubusercontent.com 5 raw.githubusercontent.com 9 raw.githubusercontent.com -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files\Internet Explorer\fr-FR\wininit.exe DllCommonsvc.exe File created C:\Program Files\Internet Explorer\fr-FR\56085415360792 DllCommonsvc.exe -
Drops file in Windows directory 8 IoCs
description ioc Process File created C:\Windows\Media\Savanna\Idle.exe DllCommonsvc.exe File created C:\Windows\Media\Savanna\6ccacd8608530f DllCommonsvc.exe File created C:\Windows\system\audiodg.exe DllCommonsvc.exe File created C:\Windows\system\42af1c969fbb7b DllCommonsvc.exe File created C:\Windows\Cursors\taskhost.exe DllCommonsvc.exe File created C:\Windows\Cursors\b75386f1303e64 DllCommonsvc.exe File created C:\Windows\Help\OEM\csrss.exe DllCommonsvc.exe File created C:\Windows\Help\OEM\886983d96e3d3e DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_cd41fa14645c6ec64478a03d75417aeed98433545ec678f3906af782873634aa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 796 schtasks.exe 2120 schtasks.exe 444 schtasks.exe 1536 schtasks.exe 2036 schtasks.exe 972 schtasks.exe 1936 schtasks.exe 576 schtasks.exe 2268 schtasks.exe 2624 schtasks.exe 264 schtasks.exe 828 schtasks.exe 752 schtasks.exe 1476 schtasks.exe 2312 schtasks.exe 2952 schtasks.exe 2920 schtasks.exe 2756 schtasks.exe 2960 schtasks.exe 1072 schtasks.exe 1520 schtasks.exe 1716 schtasks.exe 556 schtasks.exe 2288 schtasks.exe 1320 schtasks.exe 3024 schtasks.exe 2968 schtasks.exe 272 schtasks.exe 1776 schtasks.exe 2308 schtasks.exe 1152 schtasks.exe 2832 schtasks.exe 1632 schtasks.exe 2216 schtasks.exe 2604 schtasks.exe 672 schtasks.exe 2020 schtasks.exe 1688 schtasks.exe 2224 schtasks.exe 1708 schtasks.exe 2972 schtasks.exe 2324 schtasks.exe 1740 schtasks.exe 1212 schtasks.exe 1108 schtasks.exe 2412 schtasks.exe 2404 schtasks.exe 632 schtasks.exe 964 schtasks.exe 684 schtasks.exe 1880 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 31 IoCs
pid Process 2820 DllCommonsvc.exe 2820 DllCommonsvc.exe 2820 DllCommonsvc.exe 2168 powershell.exe 2864 powershell.exe 2728 powershell.exe 2584 powershell.exe 1548 powershell.exe 1364 powershell.exe 1704 powershell.exe 2788 powershell.exe 2760 powershell.exe 2780 powershell.exe 3028 powershell.exe 3020 powershell.exe 2800 powershell.exe 2716 powershell.exe 2724 powershell.exe 2672 powershell.exe 2704 powershell.exe 2700 powershell.exe 2188 dllhost.exe 2080 dllhost.exe 2208 dllhost.exe 964 dllhost.exe 1784 dllhost.exe 2748 dllhost.exe 2912 dllhost.exe 1832 dllhost.exe 1636 dllhost.exe 1040 dllhost.exe -
Suspicious use of AdjustPrivilegeToken 29 IoCs
description pid Process Token: SeDebugPrivilege 2820 DllCommonsvc.exe Token: SeDebugPrivilege 2168 powershell.exe Token: SeDebugPrivilege 2864 powershell.exe Token: SeDebugPrivilege 2728 powershell.exe Token: SeDebugPrivilege 2584 powershell.exe Token: SeDebugPrivilege 1548 powershell.exe Token: SeDebugPrivilege 1364 powershell.exe Token: SeDebugPrivilege 1704 powershell.exe Token: SeDebugPrivilege 2788 powershell.exe Token: SeDebugPrivilege 2760 powershell.exe Token: SeDebugPrivilege 2780 powershell.exe Token: SeDebugPrivilege 3028 powershell.exe Token: SeDebugPrivilege 3020 powershell.exe Token: SeDebugPrivilege 2800 powershell.exe Token: SeDebugPrivilege 2716 powershell.exe Token: SeDebugPrivilege 2724 powershell.exe Token: SeDebugPrivilege 2672 powershell.exe Token: SeDebugPrivilege 2704 powershell.exe Token: SeDebugPrivilege 2700 powershell.exe Token: SeDebugPrivilege 2188 dllhost.exe Token: SeDebugPrivilege 2080 dllhost.exe Token: SeDebugPrivilege 2208 dllhost.exe Token: SeDebugPrivilege 964 dllhost.exe Token: SeDebugPrivilege 1784 dllhost.exe Token: SeDebugPrivilege 2748 dllhost.exe Token: SeDebugPrivilege 2912 dllhost.exe Token: SeDebugPrivilege 1832 dllhost.exe Token: SeDebugPrivilege 1636 dllhost.exe Token: SeDebugPrivilege 1040 dllhost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2672 wrote to memory of 2860 2672 JaffaCakes118_cd41fa14645c6ec64478a03d75417aeed98433545ec678f3906af782873634aa.exe 30 PID 2672 wrote to memory of 2860 2672 JaffaCakes118_cd41fa14645c6ec64478a03d75417aeed98433545ec678f3906af782873634aa.exe 30 PID 2672 wrote to memory of 2860 2672 JaffaCakes118_cd41fa14645c6ec64478a03d75417aeed98433545ec678f3906af782873634aa.exe 30 PID 2672 wrote to memory of 2860 2672 JaffaCakes118_cd41fa14645c6ec64478a03d75417aeed98433545ec678f3906af782873634aa.exe 30 PID 2860 wrote to memory of 2680 2860 WScript.exe 31 PID 2860 wrote to memory of 2680 2860 WScript.exe 31 PID 2860 wrote to memory of 2680 2860 WScript.exe 31 PID 2860 wrote to memory of 2680 2860 WScript.exe 31 PID 2680 wrote to memory of 2820 2680 cmd.exe 33 PID 2680 wrote to memory of 2820 2680 cmd.exe 33 PID 2680 wrote to memory of 2820 2680 cmd.exe 33 PID 2680 wrote to memory of 2820 2680 cmd.exe 33 PID 2820 wrote to memory of 2724 2820 DllCommonsvc.exe 86 PID 2820 wrote to memory of 2724 2820 DllCommonsvc.exe 86 PID 2820 wrote to memory of 2724 2820 DllCommonsvc.exe 86 PID 2820 wrote to memory of 2704 2820 DllCommonsvc.exe 87 PID 2820 wrote to memory of 2704 2820 DllCommonsvc.exe 87 PID 2820 wrote to memory of 2704 2820 DllCommonsvc.exe 87 PID 2820 wrote to memory of 1548 2820 DllCommonsvc.exe 88 PID 2820 wrote to memory of 1548 2820 DllCommonsvc.exe 88 PID 2820 wrote to memory of 1548 2820 DllCommonsvc.exe 88 PID 2820 wrote to memory of 2168 2820 DllCommonsvc.exe 89 PID 2820 wrote to memory of 2168 2820 DllCommonsvc.exe 89 PID 2820 wrote to memory of 2168 2820 DllCommonsvc.exe 89 PID 2820 wrote to memory of 1704 2820 DllCommonsvc.exe 90 PID 2820 wrote to memory of 1704 2820 DllCommonsvc.exe 90 PID 2820 wrote to memory of 1704 2820 DllCommonsvc.exe 90 PID 2820 wrote to memory of 2780 2820 DllCommonsvc.exe 91 PID 2820 wrote to memory of 2780 2820 DllCommonsvc.exe 91 PID 2820 wrote to memory of 2780 2820 DllCommonsvc.exe 91 PID 2820 wrote to memory of 2700 2820 DllCommonsvc.exe 92 PID 2820 wrote to memory of 2700 2820 DllCommonsvc.exe 92 PID 2820 wrote to memory of 2700 2820 DllCommonsvc.exe 92 PID 2820 wrote to memory of 2864 2820 DllCommonsvc.exe 93 PID 2820 wrote to memory of 2864 2820 DllCommonsvc.exe 93 PID 2820 wrote to memory of 2864 2820 DllCommonsvc.exe 93 PID 2820 wrote to memory of 2788 2820 DllCommonsvc.exe 94 PID 2820 wrote to memory of 2788 2820 DllCommonsvc.exe 94 PID 2820 wrote to memory of 2788 2820 DllCommonsvc.exe 94 PID 2820 wrote to memory of 2672 2820 DllCommonsvc.exe 95 PID 2820 wrote to memory of 2672 2820 DllCommonsvc.exe 95 PID 2820 wrote to memory of 2672 2820 DllCommonsvc.exe 95 PID 2820 wrote to memory of 3020 2820 DllCommonsvc.exe 96 PID 2820 wrote to memory of 3020 2820 DllCommonsvc.exe 96 PID 2820 wrote to memory of 3020 2820 DllCommonsvc.exe 96 PID 2820 wrote to memory of 2728 2820 DllCommonsvc.exe 97 PID 2820 wrote to memory of 2728 2820 DllCommonsvc.exe 97 PID 2820 wrote to memory of 2728 2820 DllCommonsvc.exe 97 PID 2820 wrote to memory of 2716 2820 DllCommonsvc.exe 99 PID 2820 wrote to memory of 2716 2820 DllCommonsvc.exe 99 PID 2820 wrote to memory of 2716 2820 DllCommonsvc.exe 99 PID 2820 wrote to memory of 1364 2820 DllCommonsvc.exe 100 PID 2820 wrote to memory of 1364 2820 DllCommonsvc.exe 100 PID 2820 wrote to memory of 1364 2820 DllCommonsvc.exe 100 PID 2820 wrote to memory of 3028 2820 DllCommonsvc.exe 101 PID 2820 wrote to memory of 3028 2820 DllCommonsvc.exe 101 PID 2820 wrote to memory of 3028 2820 DllCommonsvc.exe 101 PID 2820 wrote to memory of 2800 2820 DllCommonsvc.exe 102 PID 2820 wrote to memory of 2800 2820 DllCommonsvc.exe 102 PID 2820 wrote to memory of 2800 2820 DllCommonsvc.exe 102 PID 2820 wrote to memory of 2584 2820 DllCommonsvc.exe 103 PID 2820 wrote to memory of 2584 2820 DllCommonsvc.exe 103 PID 2820 wrote to memory of 2584 2820 DllCommonsvc.exe 103 PID 2820 wrote to memory of 2760 2820 DllCommonsvc.exe 104 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cd41fa14645c6ec64478a03d75417aeed98433545ec678f3906af782873634aa.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cd41fa14645c6ec64478a03d75417aeed98433545ec678f3906af782873634aa.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2724
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2704
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\fr-FR\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2168
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1704
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2780
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2864
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Acrobat\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2788
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2672
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2728
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2716
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\OEM\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1364
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3028
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2800
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2584
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Savanna\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\E2HFatZBUe.bat"5⤵PID:2308
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:2396
-
-
C:\Users\Public\Pictures\Sample Pictures\dllhost.exe"C:\Users\Public\Pictures\Sample Pictures\dllhost.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2188 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YpMZYQImRp.bat"7⤵PID:2108
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:3000
-
-
C:\Users\Public\Pictures\Sample Pictures\dllhost.exe"C:\Users\Public\Pictures\Sample Pictures\dllhost.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2080 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat"9⤵PID:580
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:748
-
-
C:\Users\Public\Pictures\Sample Pictures\dllhost.exe"C:\Users\Public\Pictures\Sample Pictures\dllhost.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2208 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5fBkFKqKat.bat"11⤵PID:1900
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:2348
-
-
C:\Users\Public\Pictures\Sample Pictures\dllhost.exe"C:\Users\Public\Pictures\Sample Pictures\dllhost.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:964 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ISA3vp411k.bat"13⤵PID:2788
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵PID:576
-
-
C:\Users\Public\Pictures\Sample Pictures\dllhost.exe"C:\Users\Public\Pictures\Sample Pictures\dllhost.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1784 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GW80Ek08hx.bat"15⤵PID:2548
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵PID:748
-
-
C:\Users\Public\Pictures\Sample Pictures\dllhost.exe"C:\Users\Public\Pictures\Sample Pictures\dllhost.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2748 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"17⤵PID:2356
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵PID:2928
-
-
C:\Users\Public\Pictures\Sample Pictures\dllhost.exe"C:\Users\Public\Pictures\Sample Pictures\dllhost.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2912 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat"19⤵PID:1564
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵PID:2308
-
-
C:\Users\Public\Pictures\Sample Pictures\dllhost.exe"C:\Users\Public\Pictures\Sample Pictures\dllhost.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1832 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat"21⤵PID:1380
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵PID:1376
-
-
C:\Users\Public\Pictures\Sample Pictures\dllhost.exe"C:\Users\Public\Pictures\Sample Pictures\dllhost.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3a8tNGcxSj.bat"23⤵PID:2940
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵PID:1732
-
-
C:\Users\Public\Pictures\Sample Pictures\dllhost.exe"C:\Users\Public\Pictures\Sample Pictures\dllhost.exe"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1040
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\fr-FR\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\fr-FR\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Windows\system\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\system\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\system\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\Sample Pictures\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\Sample Pictures\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\Sample Pictures\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\Sample Pictures\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Users\Public\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Public\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Users\Public\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Adobe\Acrobat\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Adobe\Acrobat\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:272
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Windows\Cursors\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Cursors\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Windows\Cursors\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Help\OEM\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Help\OEM\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Help\OEM\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\Default\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\Default\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\Media\Savanna\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Media\Savanna\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\Media\Savanna\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD549c4c93276c85fbef279c5b8f47ea610
SHA11e726f0981cee0bf0d6f6105798d9387601073ff
SHA256ad5a033075103e16f7846c584e9f474b019de82c6f3330845845bedc305e6a08
SHA512db06290be12cd0ddb72a03b532e73004082e17be90809b724762fcadd894f05e84bd9b3b28efc657ed2b80a9b201059d8ee2a75b30a2ede36bef7f878f944acc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5f1512cdbc246c33261adb0cd31e039c1
SHA19ac213a8a09f8164d22e2cc0022d279fe2ce9316
SHA256cb4e106541991722613017b490e49fe14d074a34ba1be883c301c4e88b5c984b
SHA512cc5978573e6917fa9b20665fb4e0337340559d7f7e71feb6c5ec0cc90d204f5e71b15f50745eb7ec5561bdaf545e1d51ff79ed07f2f279ae3a8cf3829e01e780
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD546a7f23f549015cca20dd5e2ee2a0eb6
SHA14b39b36c9dc1b3d5f6e28a8ea9ac4503c6d3d9d6
SHA25638a847674795094d7a8bd3eccb392eef13a26e38997f82bb8e6f571f232de041
SHA512b6c6a802a6d25653726f9add063b894e735fa1e91f018d7565f29d3dd11e7a043163b11e17c153c8d995b17d021700523aeeebcbf32d6810ee8cb1d265dc1a2c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b3168373d3a9340c5b5e7ce9ea1ddae0
SHA1e736c0c99d9c37ab10a814334fdfabdbae453f4c
SHA2568316264aefa5f15366e7f853cb50319abc91cb1612006c97df8323e6ef2fa328
SHA512e49e31f1c05ae289d3feeda5ecf35a50f6fd4952c68ebb2ae6c611cd5e64bf281997ff007c37bfdef9ab2f2d54735d62943b64f6f3c822a52faf656d26d7a693
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD58a11f2c61bb70c50f7b04adf84707c63
SHA116850536ecb2a379e0e7cde544d04576c795c0b8
SHA2569044ce94a35c97c551c4af2f25349b6e99a29edff684b7d4b44ffe9d96bdf3e1
SHA5128e31cf40516feb2d6df72270b3f7cf6ad55cc1a83778c8acac483740846c5a3fb927a27e71e071a2a1f2548e4342a011880c1167eac1866d2a2976646330b8c3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD521f2e2c22420022177cffa7417fab4a6
SHA1989af177d55653393f453e2fc8828d3956e2cb43
SHA256231ec736089d8b4c3cbadad8cb21244e473e945de77291f1e6cd2e7c4bfd4197
SHA512fc99963cdabd301a7cc92441d2861cf55831df02c02ce46778fd460041212cf6db12504fd5945bf5e3fc54f365a5376c532602f26a7256a09d9764e919b2ad39
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD52b5faf0252b05172804e0b81dd577cb3
SHA1a1278ea3509cecf6634ff30085dc107439f80f14
SHA256132989c93d6be96c12d7916750bf0cc08da12247c4207507126d2a8cf7b84933
SHA51238237f25f0a6605b88f05f023ba27cc8588394d32501fa728277eb93373ba4b7d0c282f363ec8e4ae48635562bb18f218da13c958f695c2cfffdcc6a177a60b6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD59e8c368565d576e9c5b5bb6157f8951b
SHA15d9303d11a2826186fa654f5ee18ceccab3b7593
SHA25625358e5517302d603a0de035b898ee6a09ae2f9258e19099a0d1c275213fea0a
SHA512b83a965227987a2ce60e00ae01f7bb87ec00904eff588414b056c15066eebb04d84254425284ee3ffe646e65766e246943e597953da34494171add78cc5a0e06
-
Filesize
217B
MD567257a93e15bd5ade3b26b992c1e9b2d
SHA1b8c9bf30171097f7ac5ebd9e2cf2feb9585176de
SHA2560f43e49f9eb49cc56b0038a9d00a5700a4d04ff68310acf5aec4d17a59426291
SHA5125bee49d396b850dd5be10a487dbaeb274241c1e0296c041c4011314a75ec46498dced963a1da5bc498c28d24d4f66d0a66db77a24879c13af073089d54570a16
-
Filesize
217B
MD5a061bb2bda7fa4e01c06dfbb993920ef
SHA10d9bc765bb25c3a3593ded4937db3f49f5ab2de6
SHA256e142341b8cda876bb946b1170079ef4c43cc8cc8bfea2be7299ebfb7be45c88c
SHA5122bf92fbe18e4640e6066804b053af55a0966304f49bc01462381c7f8cb6d92fce5086cb6899ed087fe0a378d27c502cba1fd3c7aaa1e9283cd53bdf8a6ef172e
-
Filesize
217B
MD520c7706714306ee0dd48159ed1e5159a
SHA1b7e44e940918162eae8e519c4a44e67e1f809479
SHA2564a41f7cb942b0dce034bf29cc31a664fa90d540ef4c5be2b766ad0a4dd4ad1ca
SHA51200a429d202ef336399818487328909e62d92f73aff26e4a32ddaf3ed85d08505f61ced3082a9525ccb64dec3787969fe5d819d5c6ba35fac0ba7f973aa496ee7
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
217B
MD5f3280b35b31bef5162a986695a3f4cc8
SHA161bcd604c25ff8e293403d1f18f034199d435c3d
SHA256066b02799e69e27bdf93207c890a3704284f19c8c76baa97ba83258415a1545c
SHA512d07dd887effa2023ab738c68a30f0c08de4438e2dfd6760985faf0213237696c24d6a21400ab323e50184dee49270c1eb4b0d9ec6ba1868f892582bf1450f1e9
-
Filesize
217B
MD5e3716e0e6d23da7f66e5ebecd5faf904
SHA138f0a830069d8ddbc9f9feceaa09ff6017321dbc
SHA25649d0679e482776b05b00b8b16bf434276b6134c21ec51c6366634a0897a6d854
SHA5124b32718ce7d65a84a654945d3135a32fa8473c32a3bd4418311c1c77f662b3af1f89b34b060bef0b0837870cc9057f80bd15f7d00300e0fd451f9a38a9aa8309
-
Filesize
217B
MD53901d0c52252a11755179ae95111f6cb
SHA19334c4d6b08b2fbd3621f78ae6361c4e5f1a2dd6
SHA256fad2144b1b8b7404457b76da74852b19386bb733fc50e628a96f01e08bbc19de
SHA5121268b7015a04be2efdcf4c8a0e53b863676377fe5e2214d047265556d6b5835296e3e1f8a5f1b135942298ee28f6b7e111ad84ae9db57698cf01215423849724
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
217B
MD558685bc6ba6367dddc60198162d288b5
SHA1a89d612bec3a4925793ed1241524ee8440a3265a
SHA2568d5491c441e7f795676322b23ad896986812fdcdb8e9ae6887f1800579bd29b5
SHA5125978573d1b01579bbc30bed5fd06b06d259733b58283f08143bd40f66c2a22889abe5a7770a723beb6e495801bcdb5ea9066e746756971141bc3e2e84733e5a7
-
Filesize
217B
MD5430c4e7e6e763fc45832836823976f9e
SHA1e39ba4706ed542977c9203ec15c3ee22d51c971a
SHA2567580089483eb1c0c2614efdcddebe191fdb05316c3feb6aa7133cfae233a1272
SHA5127fdfe46ae0f64d5a2e9e76a304d4110406755d6bdeb5a992450efb206e81039a2d7d44687af293e32f99ff5cddb5cd454e6b997de670aaad74d92c3a4e125ff4
-
Filesize
217B
MD5ebeec16dd59ee1d6fbfba7c20e9cc0e1
SHA1cf1e8c30266442b59693b5ce4e59bec96eeb7f10
SHA25696cc223ef7fc80f3c0ae96198b64e90362d0a9caf90bdfbb5fcc0096a7c07ee3
SHA5123fc6313278dee8af19e3ee940156cb127ebedd41664a7d200233086941c9c2a58969026c773d3257b0270a05f0bf1d3f55fb7e1af8f6e72937d6187dd66ea4c5
-
Filesize
217B
MD56cf233c13f11eee4e21c890b7cac6d7f
SHA117e11a19b32452a93b5e145ca80db81050723ef0
SHA256e1f5c1b96596b1f1da6b17f4de4bce903087ac34d3cf6b9c68560c125e8551df
SHA512502855ba852650787775f617c7321bb06dd90737966ab24a1ce2105948702cb72288ab3474f7dfa6e9220a90c8652e8dbc3fc3f24ad2ad180a3c215f845d1d00
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD55ea96862b4c8a722bc9d707c7b010ee6
SHA1773930cfc43339845a05072bdbdabdfa1eda95b1
SHA25664efb53d4dd5fbe9901af567aef4947f68374a5e26126211cf9222255601f7f1
SHA5126b393f2159466a790372183e483ed6197cc927d4a813224e4ccbc5c277614244b0bb2d83a3956edbd995b73da197bfc81b7d93eebea6691b09682b019f8782b8
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478