Analysis
max time kernel: 146s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2024 08:23
Behavioral task behavioral1
Sample: JaffaCakes118_2d20e7963926e75d91d7bbc2afd09104c0e26ed839d1fa7ceb90ab2cd2c27581.exe
Resource: win7-20240708-en
Behavioral task behavioral2
Sample: JaffaCakes118_2d20e7963926e75d91d7bbc2afd09104c0e26ed839d1fa7ceb90ab2cd2c27581.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_2d20e7963926e75d91d7bbc2afd09104c0e26ed839d1fa7ceb90ab2cd2c27581.exe
Size: 1.3MB
MD5: 43242439dc95e17a63c708547b31b90f
SHA1: 3449c3cf0bd1f535ddad2f8fbed733d57750ac7c
SHA256: 2d20e7963926e75d91d7bbc2afd09104c0e26ed839d1fa7ceb90ab2cd2c27581
SHA512: aaa85a6da5f9e0abe19ff3fdf18c38f783315079b7ccd56bcc4228fd23dc46ac94e5d4bd0f39bcce06503aec1c8a5c61243d017bf8331d56de466c1a6bd29de4
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3428 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 440 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2136 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2132 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4400 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4388 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 232 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1420 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1704 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 656 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2764 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4612 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4812 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1764 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2324 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4056 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4960 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 884 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4092 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 100 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2940 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4288 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4388 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3668 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4244 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 540 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1156 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 752 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4060 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4812 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2072 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2784 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4544 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 884 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1664 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3996 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1544 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5036 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2920 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3432 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3600 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4452 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4972 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 112 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3884 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2824 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 388 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 676 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3044 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3564 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3424 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4660 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4264 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2660 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2968 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2832 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4600 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4480 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4796 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 212 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4912 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4168 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2152 | 1984 | schtasks.exe | 87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4716 | 1984 | schtasks.exe | 87
resource | yara_rule
behavioral2/files/0x0007000000023c92-10.dat | dcrat
behavioral2/memory/1344-13-0x0000000000DE0000-0x0000000000EF0000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 27 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
3112 | powershell.exe
1636 | powershell.exe
4508 | powershell.exe
4008 | powershell.exe
1596 | powershell.exe
1680 | powershell.exe
968 | powershell.exe
220 | powershell.exe
2088 | powershell.exe
2432 | powershell.exe
32 | powershell.exe
2164 | powershell.exe
4980 | powershell.exe
2908 | powershell.exe
1640 | powershell.exe
4840 | powershell.exe
4588 | powershell.exe
432 | powershell.exe
4592 | powershell.exe
3052 | powershell.exe
2296 | powershell.exe
3384 | powershell.exe
2760 | powershell.exe
2704 | powershell.exe
4588 | powershell.exe
3748 | powershell.exe
1708 | powershell.exe
Checks computer location settings 2 TTPs 16 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | JaffaCakes118_2d20e7963926e75d91d7bbc2afd09104c0e26ed839d1fa7ceb90ab2cd2c27581.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | csrss.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | csrss.exe
Executes dropped EXE 15 IoCs
pid | Process
1344 | DllCommonsvc.exe
2224 | DllCommonsvc.exe
5372 | csrss.exe
3448 | csrss.exe
3512 | csrss.exe
4124 | csrss.exe
4156 | csrss.exe
5976 | csrss.exe
5308 | csrss.exe
3044 | csrss.exe
4812 | csrss.exe
5844 | csrss.exe
1832 | csrss.exe
1600 | csrss.exe
5948 | csrss.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
flow | ioc
17 | raw.githubusercontent.com
18 | raw.githubusercontent.com
38 | raw.githubusercontent.com
39 | raw.githubusercontent.com
40 | raw.githubusercontent.com
43 | raw.githubusercontent.com
44 | raw.githubusercontent.com
45 | raw.githubusercontent.com
50 | raw.githubusercontent.com
36 | raw.githubusercontent.com
49 | raw.githubusercontent.com
51 | raw.githubusercontent.com
52 | raw.githubusercontent.com
Drops file in Program Files directory 17 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\upfc.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Media Player\Visualizations\24dbde2999530e | DllCommonsvc.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Media Player\fr-FR\6cb0b6c459d5d3 | DllCommonsvc.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\5b884080fd4f94 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Media Player\Visualizations\WmiPrvSE.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\it-IT\sppsvc.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\it-IT\0a1fd5f707cd16 | DllCommonsvc.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\fontdrvhost.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\ea1d8f6d871115 | DllCommonsvc.exe
File created | C:\Program Files\Crashpad\attachments\upfc.exe | DllCommonsvc.exe
File created | C:\Program Files\Crashpad\attachments\ea1d8f6d871115 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Portable Devices\38384e6a620884 | DllCommonsvc.exe
File created | C:\Program Files\Windows Media Player\fr-FR\dwm.exe | DllCommonsvc.exe
Drops file in Windows directory 12 IoCs
description | ioc | Process
File created | C:\Windows\Performance\WinSAT\DataStore\5b884080fd4f94 | DllCommonsvc.exe
File created | C:\Windows\SKB\LanguageModels\fontdrvhost.exe | DllCommonsvc.exe
File created | C:\Windows\fr-FR\sppsvc.exe | DllCommonsvc.exe
File created | C:\Windows\fr-FR\0a1fd5f707cd16 | DllCommonsvc.exe
File created | C:\Windows\Speech_OneCore\Engines\TTS\29c1c3cc0f7685 | DllCommonsvc.exe
File created | C:\Windows\Performance\WinSAT\DataStore\fontdrvhost.exe | DllCommonsvc.exe
File created | C:\Windows\Speech_OneCore\Engines\Lexicon\ja-JP\DllCommonsvc.exe | DllCommonsvc.exe
File created | C:\Windows\Speech_OneCore\Engines\Lexicon\ja-JP\a76d7bf15d8370 | DllCommonsvc.exe
File created | C:\Windows\Resources\Themes\aero\es-ES\SppExtComObj.exe | DllCommonsvc.exe
File created | C:\Windows\Resources\Themes\aero\es-ES\e1ef82546f0b02 | DllCommonsvc.exe
File created | C:\Windows\Speech_OneCore\Engines\TTS\unsecapp.exe | DllCommonsvc.exe
File created | C:\Windows\SKB\LanguageModels\5b884080fd4f94 | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_2d20e7963926e75d91d7bbc2afd09104c0e26ed839d1fa7ceb90ab2cd2c27581.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies registry class 15 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | DllCommonsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | JaffaCakes118_2d20e7963926e75d91d7bbc2afd09104c0e26ed839d1fa7ceb90ab2cd2c27581.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | DllCommonsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | csrss.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
5004 | schtasks.exe
640 | schtasks.exe
4452 | schtasks.exe
4912 | schtasks.exe
2324 | schtasks.exe
4812 | schtasks.exe
4796 | schtasks.exe
3468 | schtasks.exe
3508 | schtasks.exe
1704 | schtasks.exe
2824 | schtasks.exe
4972 | schtasks.exe
3148 | schtasks.exe
656 | schtasks.exe
3600 | schtasks.exe
752 | schtasks.exe
388 | schtasks.exe
428 | schtasks.exe
3428 | schtasks.exe
4288 | schtasks.exe
4716 | schtasks.exe
4388 | schtasks.exe
676 | schtasks.exe
3996 | schtasks.exe
112 | schtasks.exe
3884 | schtasks.exe
2392 | schtasks.exe
1764 | schtasks.exe
4388 | schtasks.exe
2660 | schtasks.exe
4600 | schtasks.exe
2764 | schtasks.exe
2072 | schtasks.exe
4612 | schtasks.exe
540 | schtasks.exe
440 | schtasks.exe
1420 | schtasks.exe
4092 | schtasks.exe
100 | schtasks.exe
4060 | schtasks.exe
2920 | schtasks.exe
2968 | schtasks.exe
212 | schtasks.exe
232 | schtasks.exe
4056 | schtasks.exe
2152 | schtasks.exe
1156 | schtasks.exe
884 | schtasks.exe
3044 | schtasks.exe
3564 | schtasks.exe
3424 | schtasks.exe
2772 | schtasks.exe
4960 | schtasks.exe
3668 | schtasks.exe
432 | schtasks.exe
4544 | schtasks.exe
4480 | schtasks.exe
4244 | schtasks.exe
2784 | schtasks.exe
1544 | schtasks.exe
1192 | schtasks.exe
2132 | schtasks.exe
4400 | schtasks.exe
2940 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1344 | DllCommonsvc.exe
1344 | DllCommonsvc.exe
1344 | DllCommonsvc.exe
2296 | powershell.exe
432 | powershell.exe
968 | powershell.exe
4980 | powershell.exe
4980 | powershell.exe
2164 | powershell.exe
2164 | powershell.exe
4588 | powershell.exe
4588 | powershell.exe
3112 | powershell.exe
3112 | powershell.exe
4980 | powershell.exe
968 | powershell.exe
968 | powershell.exe
2296 | powershell.exe
2296 | powershell.exe
432 | powershell.exe
3112 | powershell.exe
432 | powershell.exe
4588 | powershell.exe
2164 | powershell.exe
2224 | DllCommonsvc.exe
2224 | DllCommonsvc.exe
2224 | DllCommonsvc.exe
2224 | DllCommonsvc.exe
2224 | DllCommonsvc.exe
2224 | DllCommonsvc.exe
2224 | DllCommonsvc.exe
2224 | DllCommonsvc.exe
2224 | DllCommonsvc.exe
2224 | DllCommonsvc.exe
2224 | DllCommonsvc.exe
1708 | powershell.exe
1708 | powershell.exe
4008 | powershell.exe
4008 | powershell.exe
32 | powershell.exe
32 | powershell.exe
4588 | powershell.exe
4588 | powershell.exe
3384 | powershell.exe
3384 | powershell.exe
2704 | powershell.exe
2908 | powershell.exe
2704 | powershell.exe
2908 | powershell.exe
2088 | powershell.exe
2088 | powershell.exe
4508 | powershell.exe
4508 | powershell.exe
4592 | powershell.exe
4592 | powershell.exe
2432 | powershell.exe
2432 | powershell.exe
220 | powershell.exe
220 | powershell.exe
2760 | powershell.exe
2760 | powershell.exe
2760 | powershell.exe
3748 | powershell.exe
3748 | powershell.exe
Suspicious use of AdjustPrivilegeToken 42 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1344 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2296 | powershell.exe
Token: SeDebugPrivilege | 432 | powershell.exe
Token: SeDebugPrivilege | 968 | powershell.exe
Token: SeDebugPrivilege | 4980 | powershell.exe
Token: SeDebugPrivilege | 2164 | powershell.exe
Token: SeDebugPrivilege | 4588 | powershell.exe
Token: SeDebugPrivilege | 3112 | powershell.exe
Token: SeDebugPrivilege | 2224 | DllCommonsvc.exe
Token: SeDebugPrivilege | 1708 | powershell.exe
Token: SeDebugPrivilege | 4008 | powershell.exe
Token: SeDebugPrivilege | 32 | powershell.exe
Token: SeDebugPrivilege | 4588 | powershell.exe
Token: SeDebugPrivilege | 3384 | powershell.exe
Token: SeDebugPrivilege | 1680 | powershell.exe
Token: SeDebugPrivilege | 4840 | powershell.exe
Token: SeDebugPrivilege | 2704 | powershell.exe
Token: SeDebugPrivilege | 2908 | powershell.exe
Token: SeDebugPrivilege | 2088 | powershell.exe
Token: SeDebugPrivilege | 1596 | powershell.exe
Token: SeDebugPrivilege | 1636 | powershell.exe
Token: SeDebugPrivilege | 4508 | powershell.exe
Token: SeDebugPrivilege | 4592 | powershell.exe
Token: SeDebugPrivilege | 2432 | powershell.exe
Token: SeDebugPrivilege | 2760 | powershell.exe
Token: SeDebugPrivilege | 220 | powershell.exe
Token: SeDebugPrivilege | 3748 | powershell.exe
Token: SeDebugPrivilege | 3052 | powershell.exe
Token: SeDebugPrivilege | 1640 | powershell.exe
Token: SeDebugPrivilege | 5372 | csrss.exe
Token: SeDebugPrivilege | 3448 | csrss.exe
Token: SeDebugPrivilege | 3512 | csrss.exe
Token: SeDebugPrivilege | 4124 | csrss.exe
Token: SeDebugPrivilege | 4156 | csrss.exe
Token: SeDebugPrivilege | 5976 | csrss.exe
Token: SeDebugPrivilege | 5308 | csrss.exe
Token: SeDebugPrivilege | 3044 | csrss.exe
Token: SeDebugPrivilege | 4812 | csrss.exe
Token: SeDebugPrivilege | 5844 | csrss.exe
Token: SeDebugPrivilege | 1832 | csrss.exe
Token: SeDebugPrivilege | 1600 | csrss.exe
Token: SeDebugPrivilege | 5948 | csrss.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2644 wrote to memory of 528 | 2644 | JaffaCakes118_2d20e7963926e75d91d7bbc2afd09104c0e26ed839d1fa7ceb90ab2cd2c27581.exe | 83
PID 2644 wrote to memory of 528 | 2644 | JaffaCakes118_2d20e7963926e75d91d7bbc2afd09104c0e26ed839d1fa7ceb90ab2cd2c27581.exe | 83
PID 2644 wrote to memory of 528 | 2644 | JaffaCakes118_2d20e7963926e75d91d7bbc2afd09104c0e26ed839d1fa7ceb90ab2cd2c27581.exe | 83
PID 528 wrote to memory of 4124 | 528 | WScript.exe | 84
PID 528 wrote to memory of 4124 | 528 | WScript.exe | 84
PID 528 wrote to memory of 4124 | 528 | WScript.exe | 84
PID 4124 wrote to memory of 1344 | 4124 | cmd.exe | 86
PID 4124 wrote to memory of 1344 | 4124 | cmd.exe | 86
PID 1344 wrote to memory of 2296 | 1344 | DllCommonsvc.exe | 107
PID 1344 wrote to memory of 2296 | 1344 | DllCommonsvc.exe | 107
PID 1344 wrote to memory of 2164 | 1344 | DllCommonsvc.exe | 108
PID 1344 wrote to memory of 2164 | 1344 | DllCommonsvc.exe | 108
PID 1344 wrote to memory of 4980 | 1344 | DllCommonsvc.exe | 109
PID 1344 wrote to memory of 4980 | 1344 | DllCommonsvc.exe | 109
PID 1344 wrote to memory of 3112 | 1344 | DllCommonsvc.exe | 110
PID 1344 wrote to memory of 3112 | 1344 | DllCommonsvc.exe | 110
PID 1344 wrote to memory of 4588 | 1344 | DllCommonsvc.exe | 111
PID 1344 wrote to memory of 4588 | 1344 | DllCommonsvc.exe | 111
PID 1344 wrote to memory of 432 | 1344 | DllCommonsvc.exe | 112
PID 1344 wrote to memory of 432 | 1344 | DllCommonsvc.exe | 112
PID 1344 wrote to memory of 968 | 1344 | DllCommonsvc.exe | 113
PID 1344 wrote to memory of 968 | 1344 | DllCommonsvc.exe | 113
PID 1344 wrote to memory of 2664 | 1344 | DllCommonsvc.exe | 121
PID 1344 wrote to memory of 2664 | 1344 | DllCommonsvc.exe | 121
PID 2664 wrote to memory of 4352 | 2664 | cmd.exe | 123
PID 2664 wrote to memory of 4352 | 2664 | cmd.exe | 123
PID 2664 wrote to memory of 2224 | 2664 | cmd.exe | 125
PID 2664 wrote to memory of 2224 | 2664 | cmd.exe | 125
PID 2224 wrote to memory of 1636 | 2224 | DllCommonsvc.exe | 183
PID 2224 wrote to memory of 1636 | 2224 | DllCommonsvc.exe | 183
PID 2224 wrote to memory of 2704 | 2224 | DllCommonsvc.exe | 184
PID 2224 wrote to memory of 2704 | 2224 | DllCommonsvc.exe | 184
PID 2224 wrote to memory of 2908 | 2224 | DllCommonsvc.exe | 185
PID 2224 wrote to memory of 2908 | 2224 | DllCommonsvc.exe | 185
PID 2224 wrote to memory of 4588 | 2224 | DllCommonsvc.exe | 186
PID 2224 wrote to memory of 4588 | 2224 | DllCommonsvc.exe | 186
PID 2224 wrote to memory of 32 | 2224 | DllCommonsvc.exe | 187
PID 2224 wrote to memory of 32 | 2224 | DllCommonsvc.exe | 187
PID 2224 wrote to memory of 4508 | 2224 | DllCommonsvc.exe | 188
PID 2224 wrote to memory of 4508 | 2224 | DllCommonsvc.exe | 188
PID 2224 wrote to memory of 3748 | 2224 | DllCommonsvc.exe | 189
PID 2224 wrote to memory of 3748 | 2224 | DllCommonsvc.exe | 189
PID 2224 wrote to memory of 4008 | 2224 | DllCommonsvc.exe | 190
PID 2224 wrote to memory of 4008 | 2224 | DllCommonsvc.exe | 190
PID 2224 wrote to memory of 1708 | 2224 | DllCommonsvc.exe | 191
PID 2224 wrote to memory of 1708 | 2224 | DllCommonsvc.exe | 191
PID 2224 wrote to memory of 2760 | 2224 | DllCommonsvc.exe | 192
PID 2224 wrote to memory of 2760 | 2224 | DllCommonsvc.exe | 192
PID 2224 wrote to memory of 1596 | 2224 | DllCommonsvc.exe | 193
PID 2224 wrote to memory of 1596 | 2224 | DllCommonsvc.exe | 193
PID 2224 wrote to memory of 1640 | 2224 | DllCommonsvc.exe | 194
PID 2224 wrote to memory of 1640 | 2224 | DllCommonsvc.exe | 194
PID 2224 wrote to memory of 220 | 2224 | DllCommonsvc.exe | 195
PID 2224 wrote to memory of 220 | 2224 | DllCommonsvc.exe | 195
PID 2224 wrote to memory of 1680 | 2224 | DllCommonsvc.exe | 196
PID 2224 wrote to memory of 1680 | 2224 | DllCommonsvc.exe | 196
PID 2224 wrote to memory of 3384 | 2224 | DllCommonsvc.exe | 197
PID 2224 wrote to memory of 3384 | 2224 | DllCommonsvc.exe | 197
PID 2224 wrote to memory of 2088 | 2224 | DllCommonsvc.exe | 198
PID 2224 wrote to memory of 2088 | 2224 | DllCommonsvc.exe | 198
PID 2224 wrote to memory of 4840 | 2224 | DllCommonsvc.exe | 199
PID 2224 wrote to memory of 4840 | 2224 | DllCommonsvc.exe | 199
PID 2224 wrote to memory of 4592 | 2224 | DllCommonsvc.exe | 200
PID 2224 wrote to memory of 4592 | 2224 | DllCommonsvc.exe | 200
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree depth shown by indentation and the bracketed level)

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2d20e7963926e75d91d7bbc2afd09104c0e26ed839d1fa7ceb90ab2cd2c27581.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2d20e7963926e75d91d7bbc2afd09104c0e26ed839d1fa7ceb90ab2cd2c27581.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2644

  [2] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 528

    [3] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4124

      [4] C:\providercommon\DllCommonsvc.exe
      Command line: "C:\providercommon\DllCommonsvc.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1344

        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2296

        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\TextInputHost.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2164

        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\USOShared\sihost.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4980

        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\sppsvc.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 3112

        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\upfc.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4588

        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\aero\es-ES\SppExtComObj.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 432

        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\attachments\upfc.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 968

        [5] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\y4qYma5TJF.bat"
        - Suspicious use of WriteProcessMemory
        PID: 2664

          [6] C:\Windows\system32\w32tm.exe
          Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          PID: 4352

          [6] C:\providercommon\DllCommonsvc.exe
          Command line: "C:\providercommon\DllCommonsvc.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 2224

            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious use of AdjustPrivilegeToken
            PID: 1636

            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2704

            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\dllhost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2908

            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4588

            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 32

            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Visualizations\WmiPrvSE.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4508

            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\taskhostw.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 3748

            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech_OneCore\Engines\TTS\unsecapp.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4008

            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\Idle.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1708

            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\fontdrvhost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2760

            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious use of AdjustPrivilegeToken
            PID: 1596

            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SKB\LanguageModels\fontdrvhost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious use of AdjustPrivilegeToken
            PID: 1640

            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 220

            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
            - Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1680
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\fr-FR\dwm.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3384
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Idle.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2088
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech_OneCore\Engines\Lexicon\ja-JP\DllCommonsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4840
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\it-IT\sppsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4592
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\unsecapp.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3052
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\fontdrvhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2432
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dwo2DIvfia.bat"7⤵PID:656
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:5668
-
-
C:\providercommon\csrss.exe"C:\providercommon\csrss.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5372 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hGpPWS23Hw.bat"9⤵PID:1700
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:5044
-
-
C:\providercommon\csrss.exe"C:\providercommon\csrss.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3448 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat"11⤵PID:1192
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:3424
-
-
C:\providercommon\csrss.exe"C:\providercommon\csrss.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3512 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3npectBbsF.bat"13⤵PID:4224
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵PID:2336
-
-
C:\providercommon\csrss.exe"C:\providercommon\csrss.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4124 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat"15⤵PID:4732
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵PID:5772
-
-
C:\providercommon\csrss.exe"C:\providercommon\csrss.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4156 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat"17⤵PID:4588
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵PID:3564
-
-
C:\providercommon\csrss.exe"C:\providercommon\csrss.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5976 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8pOjIocmws.bat"19⤵PID:3852
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵PID:5008
-
-
C:\providercommon\csrss.exe"C:\providercommon\csrss.exe"20⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5308 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DhSpfyjZaR.bat"21⤵PID:5440
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵PID:5180
-
-
C:\providercommon\csrss.exe"C:\providercommon\csrss.exe"22⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3044 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yvlYFj4oEg.bat"23⤵PID:5516
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵PID:528
-
-
C:\providercommon\csrss.exe"C:\providercommon\csrss.exe"24⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4812 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9avng9MHpa.bat"25⤵PID:2416
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵PID:5000
-
-
C:\providercommon\csrss.exe"C:\providercommon\csrss.exe"26⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5844 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gozseo6rLH.bat"27⤵PID:840
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:228⤵PID:4936
-
-
C:\providercommon\csrss.exe"C:\providercommon\csrss.exe"28⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1832 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat"29⤵PID:5824
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:230⤵PID:448
-
-
C:\providercommon\csrss.exe"C:\providercommon\csrss.exe"30⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1600 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat"31⤵PID:3076
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:232⤵PID:3880
-
-
C:\providercommon\csrss.exe"C:\providercommon\csrss.exe"32⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5948
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\providercommon\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\providercommon\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\providercommon\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\USOShared\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\All Users\USOShared\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4400
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\USOShared\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\fr-FR\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:232
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\fr-FR\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\fr-FR\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Windows\Resources\Themes\aero\es-ES\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
PID:4812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\aero\es-ES\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Windows\Resources\Themes\aero\es-ES\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Crashpad\attachments\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Crashpad\attachments\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4244
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\Visualizations\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\Visualizations\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Windows\Speech_OneCore\Engines\TTS\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\TTS\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:5036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech_OneCore\Engines\TTS\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\Idle.exe'" /f1⤵
- Process spawned unexpected child process
PID:3432
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Desktop\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Desktop\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\Performance\WinSAT\DataStore\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\Performance\WinSAT\DataStore\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\SKB\LanguageModels\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3564
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\SKB\LanguageModels\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f1⤵
- Process spawned unexpected child process
PID:4660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:4264
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\providercommon\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\fr-FR\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\fr-FR\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:4168
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\ja-JP\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\ja-JP\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:5004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\ja-JP\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\sppsvc.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:3148
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\sppsvc.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\sppsvc.exe'" /rl HIGHEST /f1⤵PID:2260
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\unsecapp.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:3468
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:3508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2392
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\fontdrvhost.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:432
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1192
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:640
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
192B
MD5055e3f4d566c9b11f017582d54300688
SHA1cc87c26ff21d9214ffdd1caa290cdbfc69a4ce63
SHA256a17096a72e8e1e5d131c338b3c176bf241521870c109ced5f2e4275f637f11ac
SHA512c53ab82eeb7d6f492581498a5c678bb813ab7718cb70ea1810627e7cb8f82693b5907cb39c653bc5c3e5e26301f1b281ea89e76584a3128a704f66bd45c3787e
-
Filesize
192B
MD50b07a45b4293f739bbaa56e4618601ca
SHA14c5914c6ea5bdc7a0639ff7518efb1ef1ca502fa
SHA25684544c32759816f3724fec67f01b6de5f8c28b00f707cd7ed025ec1c052d4f1f
SHA51211b8735f5fab4d32ac0dc2554d70af0b2b7ce80c016de4df6f94785407454c1338d62c51bbef3e7611567dff413686bd19d3d49cb1d4b0bd8ca6683411512595
-
Filesize
192B
MD5f4ba63ef1e295b98947ea44c710dd9d5
SHA17e53eada8934ce0fcc8cec3f65255d56b1771292
SHA256c2a6f12055e0b41013b40650c4924f3332b5ecf222af30bb985443667f0f90be
SHA5120e242ba3425bb0a477f086042146d126282e0b4c28ee05df4b8b6b6ba39bdefe27274cf38c5683fd303a01b58b947b3e291d2b0e15f79e2f1f30d68e676432ab
-
Filesize
192B
MD525d00414e126ac29efa1e40b0283cb88
SHA14129ccf2772bb1fe5b96c9a6b589177b8be95566
SHA256c5e0f668346700c77f90effce55eea789a7c8066aaadde6f9f57544f9d67efbd
SHA51207e0187610c2dfa6987c29f7808eb10cc4fb8402a3be7e8a73371ba76bc5219bd02059df09119deeb042bbfd05f0c63f4c35dbc5953ea8ab10e58f4a0fa50c95
-
Filesize
199B
MD59384c459a49dbe8d1284d504fa6a57c0
SHA1a3960d7f2ac6c9a4e2f28ec72ad40220ac5b1676
SHA256982f273d1b094c726e3fab604739d08766d18a2b7f41c7cd028b21f5ee164035
SHA512ae331ad9ed5fd436284ba23a07739ca450b96bf4cc2ad3f6378f9e26bbe71d1b86ac7ec84358346637274a4f56db5457cf81e10cc57e25ac66b8dd2fd89f3277
-
Filesize
192B
MD555ea25cdddc2624b047b00db1f971964
SHA193b7a8a37b789b74e3c194f2ed457a3d3d7ec9cb
SHA25622682f7830d4190d2aabd31a934840aeb6a8f263237541c755d501deb056667d
SHA512cc76a733fd791fea260525a1cb94c767c3d20c010df670f180a5366b9d6d752a405d12a6b64a629439f54db8b206fbe345bacd855aa2124c57c0e9519b275f26
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
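The dropped-file hash records above are what a responder turns into a lookup set for sweeping hosts. The following Python script is an added example, not part of this sandbox report or its tooling: it parses the listing as it appears on this page (both the rendered label/value form and the flattened form where the label is fused to the hex digest, e.g. "MD58fbdf20d..."), rejects incomplete or malformed records such as the truncated first entry, and builds a SHA-256 set that can be checked against files on disk. The sample text embedded in it is a few records copied from this page; the function names and the record-validation rules are this example's own.

```python
import hashlib
import re

# Expected hex-digest lengths. A record whose digests do not match these was
# mis-extracted or truncated and must not be loaded as an indicator.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABELS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")
_HEX = re.compile(r"^[0-9a-f]+$")

# Constructed sample: three records copied from this report. The first one is
# the truncated entry that opens this section (no Filesize/MD5/SHA1), the
# third is in the fused label+value form produced by flattening the page.
SAMPLE = """\
SHA256a8f97ad6d46dc8b95328e3d85c48451537b2c71855a5913f7b2f3305dab0b6f0
SHA5127649c7f3c6d753ce6d374798f1f9e0bc6aa84fd445407bd0a0a4cfaa6f48c5d54deb0c836b39b5104c9e82922c0daa84fe824c43f84ae89860c7d1c68610decc
-
Filesize
944B
MD5
8fbdf20dd30b6ccf91308090184986d8
SHA1
fde6e3a60582552e322af16289c63d6943a18a78
SHA256
3b67692f7e6b5569626ecbf266289b9ae7cb4dc40ee5165eb6c6ea70c5f1f78b
SHA512
3ceefad823f555c522d46b266a6c77ea51002f1fb7426992f8a4ea70f0b9cf1ab6979db319c480cfcd51dc393407d3de5e111368b951a6d15766aa296045ffee
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
"""


def parse_dropped_files(text):
    """Parse the report's dropped-file listing into (records, problems).

    Records are separated by lines holding only "-". A label may sit on its
    own line with the value on the next line, or be fused to the value.
    Each record is a dict keyed by label; problems lists what was rejected.
    """
    records, problems = [], []
    current, pending = {}, None  # pending: label awaiting its value line
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line == "-":
            if current:
                records.append(current)
            current, pending = {}, None
            continue
        if pending is not None:
            current[pending] = line
            pending = None
            continue
        if line in LABELS:
            pending = line
            continue
        # Fused form: try longer labels first so "SHA256" is not read as "SHA1".
        for label in sorted(LABELS, key=len, reverse=True):
            if line.startswith(label):
                current[label] = line[len(label):]
                break
        else:
            problems.append(f"line {lineno}: unrecognised {line!r}")
    if current:
        records.append(current)

    for idx, rec in enumerate(records):
        for label, want in DIGEST_LEN.items():
            val = rec.get(label)
            if val is None:
                problems.append(f"record {idx}: missing {label}")
            elif len(val) != want or not _HEX.match(val):
                problems.append(f"record {idx}: malformed {label} {val!r}")
    return records, problems


def is_well_formed(rec):
    """True only if every digest is present with the right length and charset."""
    return all(
        len(rec.get(label, "")) == want and _HEX.match(rec[label]) is not None
        for label, want in DIGEST_LEN.items()
    )


def sha256_set(records):
    """Lookup set of SHA-256 indicators; incomplete records are left out."""
    return {r["SHA256"] for r in records if is_well_formed(r)}


def sha256_of_file(path, chunk=1 << 20):
    """Stream-hash a file so large artifacts do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def file_matches(path, iocs):
    """Report whether the file at path is one of the dropped files."""
    return sha256_of_file(path) in iocs


if __name__ == "__main__":
    recs, probs = parse_dropped_files(SAMPLE)
    for p in probs:
        print("skipped:", p)
    print(f"{len(sha256_set(recs))} usable SHA-256 indicators")
```

The parser is deliberately strict about digest length: the truncated record at the top of this section carries only SHA256 and SHA512, and a sweep built from a half-parsed record would silently miss files, so such entries are reported rather than loaded.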