Analysis
max time kernel: 145s
max time network: 146s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 17:08

Behavioral task: behavioral1
Sample: JaffaCakes118_06427b0ce6f5afdf5dda6583f5d625bde078f54d3cd4515caaf5a3c624c01cdf.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_06427b0ce6f5afdf5dda6583f5d625bde078f54d3cd4515caaf5a3c624c01cdf.exe
Resource: win10v2004-20241007-en

General
Target: JaffaCakes118_06427b0ce6f5afdf5dda6583f5d625bde078f54d3cd4515caaf5a3c624c01cdf.exe
Size: 1.3MB
MD5: 3fecddd5c19328e157c0a719696ca8fe
SHA1: 5b4110cbc18df8c211cab9ecf019e2f1124baff5
SHA256: 06427b0ce6f5afdf5dda6583f5d625bde078f54d3cd4515caaf5a3c624c01cdf
SHA512: 533e74636de3b6fd4cf953208cfcbe751f1299eb4c1eb97cb6a4fd22007eb58903f095ab97741cfe65c7852f1e4b86b7216d7dcb532d59d424d1ed614b9a940d
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process (48 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (all 48 rows)
pid_target: 2148, Process: schtasks.exe, procid_target: 35 (all 48 rows)
pid: 2944, 2204, 2848, 2560, 2616, 3060, 2172, 316, 1816, 2056, 2752, 2020, 2604, 832, 1552, 2760, 2900, 1612, 2928, 2740, 2920, 2972, 2584, 2512, 2208, 1884, 2164, 2244, 468, 1380, 1184, 2404, 2108, 1272, 528, 1788, 1388, 1096, 2504, 836, 2436, 2264, 2492, 1944, 1900, 872, 2888, 1608

resource: yara_rule
behavioral1/files/0x0007000000016aa9-9.dat: dcrat
behavioral1/memory/2684-13-0x0000000000D10000-0x0000000000E20000-memory.dmp: dcrat
behavioral1/memory/1580-144-0x0000000000DE0000-0x0000000000EF0000-memory.dmp: dcrat
behavioral1/memory/584-262-0x0000000000FA0000-0x00000000010B0000-memory.dmp: dcrat
behavioral1/memory/2712-322-0x0000000000260000-0x0000000000370000-memory.dmp: dcrat
behavioral1/memory/2844-382-0x0000000001040000-0x0000000001150000-memory.dmp: dcrat
behavioral1/memory/2980-442-0x0000000001200000-0x0000000001310000-memory.dmp: dcrat
behavioral1/memory/2060-502-0x00000000001E0000-0x00000000002F0000-memory.dmp: dcrat
behavioral1/memory/2336-563-0x00000000011B0000-0x00000000012C0000-memory.dmp: dcrat
behavioral1/memory/840-623-0x00000000003B0000-0x00000000004C0000-memory.dmp: dcrat
behavioral1/memory/1624-683-0x00000000000B0000-0x00000000001C0000-memory.dmp: dcrat
Command and Scripting Interpreter: PowerShell (1 TTP, 17 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid / Process (all powershell.exe): 2516, 536, 2552, 2004, 1200, 2672, 1328, 1604, 1160, 2012, 2660, 320, 2796, 2692, 2636, 2300, 2980

Executes dropped EXE (11 IoCs)
pid / Process:
2684 DllCommonsvc.exe
1580 System.exe
2816 System.exe
584 System.exe
2712 System.exe
2844 System.exe
2980 System.exe
2060 System.exe
2336 System.exe
840 System.exe
1624 System.exe

Loads dropped DLL (2 IoCs)
pid / Process:
828 cmd.exe
828 cmd.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 11 IoCs)
flow / ioc (all raw.githubusercontent.com): 4, 19, 25, 31, 35, 5, 9, 12, 15, 22, 28

Drops file in Program Files directory (9 IoCs)
description / ioc (Process: DllCommonsvc.exe for all rows):
File created C:\Program Files (x86)\Windows Media Player\es-ES\a76d7bf15d8370
File created C:\Program Files\Microsoft Games\Chess\fr-FR\lsm.exe
File created C:\Program Files\Microsoft Games\Chess\fr-FR\101b941d020240
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\886983d96e3d3e
File created C:\Program Files (x86)\Windows Media Player\es-ES\DllCommonsvc.exe
File opened for modification C:\Program Files (x86)\Windows Media Player\es-ES\DllCommonsvc.exe
File created C:\Program Files\Windows Photo Viewer\de-DE\explorer.exe
File created C:\Program Files\Windows Photo Viewer\de-DE\7a0fd90576e088
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe

Drops file in Windows directory (8 IoCs)
description / ioc (Process: DllCommonsvc.exe for all rows):
File created C:\Windows\PLA\System\System.exe
File created C:\Windows\PLA\System\27d1bcfc3c54e0
File created C:\Windows\IME\IMESC5\HELP\taskhost.exe
File created C:\Windows\IME\IMESC5\HELP\b75386f1303e64
File created C:\Windows\L2Schemas\spoolsv.exe
File created C:\Windows\L2Schemas\f3b6ecef712a24
File created C:\Windows\Speech\lsm.exe
File created C:\Windows\Speech\101b941d020240

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_06427b0ce6f5afdf5dda6583f5d625bde078f54d3cd4515caaf5a3c624c01cdf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 48 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process (all schtasks.exe): 2616, 2752, 2020, 1552, 2108, 1788, 2944, 2604, 2760, 2740, 468, 1272, 2056, 1612, 2584, 1184, 2404, 2504, 2492, 2204, 2512, 1388, 1096, 1900, 872, 3060, 2208, 2436, 1944, 2920, 2244, 528, 2888, 1884, 316, 1816, 832, 2972, 1380, 2560, 2172, 2900, 2928, 2164, 836, 2264, 1608, 2848

Suspicious behavior: EnumeratesProcesses (28 IoCs)
pid / Process:
2684 DllCommonsvc.exe
powershell.exe: 2692, 2004, 2660, 320, 1160, 1328, 2636, 2552, 2796, 536, 2516, 2300, 1200, 2980, 2672, 1604, 2012
System.exe: 1580, 2816, 584, 2712, 2844, 2980, 2060, 2336, 840, 1624

Suspicious use of AdjustPrivilegeToken (28 IoCs)
description / pid / Process (Token: SeDebugPrivilege for all rows):
2684 DllCommonsvc.exe
powershell.exe: 2692, 2004, 2660, 320, 1160, 1328, 2636, 2552, 2796, 536, 2516, 2300, 1200, 2980, 2672, 1604, 2012
System.exe: 1580, 2816, 584, 2712, 2844, 2980, 2060, 2336, 840, 1624

Suspicious use of WriteProcessMemory (64 IoCs)
description / pid / Process / procid_target (identical rows collapsed, with the row count given):
PID 2312 (JaffaCakes118_06427b0ce6f5afdf5dda6583f5d625bde078f54d3cd4515caaf5a3c624c01cdf.exe) wrote to memory of 644, procid_target 31: 4 rows
PID 644 (WScript.exe) wrote to memory of 828, procid_target 32: 4 rows
PID 828 (cmd.exe) wrote to memory of 2684, procid_target 34: 4 rows
PID 2684 (DllCommonsvc.exe) wrote to memory of 1604, procid_target 84: 3 rows
PID 2684 (DllCommonsvc.exe) wrote to memory of 536, procid_target 85: 3 rows
PID 2684 (DllCommonsvc.exe) wrote to memory of 2516, procid_target 86: 3 rows
PID 2684 (DllCommonsvc.exe) wrote to memory of 2980, procid_target 87: 3 rows
PID 2684 (DllCommonsvc.exe) wrote to memory of 2300, procid_target 89: 3 rows
PID 2684 (DllCommonsvc.exe) wrote to memory of 1200, procid_target 90: 3 rows
PID 2684 (DllCommonsvc.exe) wrote to memory of 1160, procid_target 92: 3 rows
PID 2684 (DllCommonsvc.exe) wrote to memory of 2004, procid_target 93: 3 rows
PID 2684 (DllCommonsvc.exe) wrote to memory of 1328, procid_target 95: 3 rows
PID 2684 (DllCommonsvc.exe) wrote to memory of 2636, procid_target 96: 3 rows
PID 2684 (DllCommonsvc.exe) wrote to memory of 320, procid_target 98: 3 rows
PID 2684 (DllCommonsvc.exe) wrote to memory of 2692, procid_target 99: 3 rows
PID 2684 (DllCommonsvc.exe) wrote to memory of 2796, procid_target 100: 3 rows
PID 2684 (DllCommonsvc.exe) wrote to memory of 2672, procid_target 101: 3 rows
PID 2684 (DllCommonsvc.exe) wrote to memory of 2552, procid_target 102: 3 rows
PID 2684 (DllCommonsvc.exe) wrote to memory of 2012, procid_target 103: 3 rows
PID 2684 (DllCommonsvc.exe) wrote to memory of 2660, procid_target 104: 3 rows
PID 2684 (DllCommonsvc.exe) wrote to memory of 2560, procid_target 118: 1 row

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

depth 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06427b0ce6f5afdf5dda6583f5d625bde078f54d3cd4515caaf5a3c624c01cdf.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06427b0ce6f5afdf5dda6583f5d625bde078f54d3cd4515caaf5a3c624c01cdf.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2312

depth 2: C:\Windows\SysWOW64\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 644

depth 3: C:\Windows\SysWOW64\cmd.exe
  command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 828

depth 4: C:\providercommon\DllCommonsvc.exe
  command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2684

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1604

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\es-ES\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 536

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft Help\dllhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2516

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech\lsm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2980

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\System\System.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2300

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1200

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1160

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\de-DE\explorer.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2004

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\IMESC5\HELP\taskhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1328

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2636

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 320

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2692

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2796

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Chess\fr-FR\lsm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2672

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\spoolsv.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2552

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2012

depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2660

depth 5: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\upUBl0JO6k.bat"
  PID: 2560

depth 6: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2668

depth 6: C:\Windows\PLA\System\System.exe
  command line: "C:\Windows\PLA\System\System.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1580

depth 7: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat"
  PID: 2820

depth 8: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 940

depth 8: C:\Windows\PLA\System\System.exe
  command line: "C:\Windows\PLA\System\System.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2816

depth 9: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wpigNgqS7W.bat"
  PID: 2920

depth 10: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1820

depth 10: C:\Windows\PLA\System\System.exe
  command line: "C:\Windows\PLA\System\System.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 584

depth 11: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2XkxZsmkwh.bat"
  PID: 1604

depth 12: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1868

depth 12: C:\Windows\PLA\System\System.exe
  command line: "C:\Windows\PLA\System\System.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2712

depth 13: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RkPY472Oq9.bat"
  PID: 760

depth 14: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2788

depth 14: C:\Windows\PLA\System\System.exe
  command line: "C:\Windows\PLA\System\System.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2844

depth 15: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ljgkLFIn4v.bat"
  PID: 1644

depth 16: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2796

depth 16: C:\Windows\PLA\System\System.exe
  command line: "C:\Windows\PLA\System\System.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2980

depth 17: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat"
  PID: 1868

depth 18: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1428

depth 18: C:\Windows\PLA\System\System.exe
  command line: "C:\Windows\PLA\System\System.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2060

depth 19: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6LEBq1ChC.bat"
  PID: 2792

depth 20: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 908

depth 20: C:\Windows\PLA\System\System.exe
  command line: "C:\Windows\PLA\System\System.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2336

depth 21: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a1rZrAbBst.bat"
  PID: 1748

depth 22: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2780

depth 22: C:\Windows\PLA\System\System.exe
  command line: "C:\Windows\PLA\System\System.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 840

depth 23: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n7UEJyIAjk.bat"
  PID: 2196

depth 24: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1592

depth 24: C:\Windows\PLA\System\System.exe
  command line: "C:\Windows\PLA\System\System.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1624

depth 25: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VlbjwdcMOl.bat"
  PID: 2248

depth 26: C:\Windows\system32\w32tm.exe
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2432
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft Help\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft Help\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3060
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\Speech\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2172
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Speech\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 316
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\Speech\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1816
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\PLA\System\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2056
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\PLA\System\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2752
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\PLA\System\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2020
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2604
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 832
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1552
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2760
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2900
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1612
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2928
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2740
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2920
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\IME\IMESC5\HELP\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2972
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\IME\IMESC5\HELP\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2584
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\IME\IMESC5\HELP\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2512
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\providercommon\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2208
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1884
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2164
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2244
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 468
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1380
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1184
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2404
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2108
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1272
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 528
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1788
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\Chess\fr-FR\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1388
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Chess\fr-FR\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1096
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\Chess\fr-FR\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2504
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\L2Schemas\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 836
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\L2Schemas\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2436
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\L2Schemas\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2264
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2492
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1944
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1900
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\providercommon\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 872
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2888
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1608
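Every dropped binary in the tree above is registered the same way: a task named after the binary with one letter appended, firing every few minutes; a task with the bare name, firing ONLOGON with /rl HIGHEST; and a second suffixed task, again every few minutes, with /rl HIGHEST. Each target borrows a Windows process name (csrss.exe, lsm.exe, dwm.exe, services.exe, spoolsv.exe, audiodg.exe, taskhost.exe, dllhost.exe, explorer.exe, cmd.exe) but lives somewhere other than the system directory. The Python below is an added example, not part of the sandbox report or of the sample; it parses schtasks /create command lines (four copied from the entries above plus two constructed benign tasks) and flags a target when either heuristic fires. The set of system-process names, the list of legitimate directories and the two benign tasks are assumptions made for this example.

```python
"""Added example: flag DcRat-style scheduled-task persistence from
schtasks /create command lines like the ones in the process tree above.

Sample lines: four copied from the report, two constructed benign tasks.
The name set and directory list are assumptions made for this example.
"""
import ntpath
import re

# Process names Windows itself uses. A task that starts a binary with one of
# these names from anywhere but the real system directories is masquerading.
# (Assumed list; extend it for the builds you run.)
SYSTEM_PROCESS_NAMES = {
    "csrss.exe", "lsm.exe", "dwm.exe", "services.exe", "spoolsv.exe",
    "audiodg.exe", "taskhost.exe", "dllhost.exe", "explorer.exe", "cmd.exe",
}
# Directories those binaries legitimately live in (assumed; compared lower-cased).
LEGITIMATE_DIRS = (r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64")

# /tn, /sc, /mo, /tr or /rl followed by a double-quoted or a bare value.
OPTION_RE = re.compile(r'/(tn|sc|mo|tr|rl)\s+("[^"]*"|\S+)', re.IGNORECASE)

SAMPLE_COMMAND_LINES = [
    # From the report: the dllhost.exe task and the three tasks for one lsm.exe.
    r"""schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft Help\dllhost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\Speech\lsm.exe'" /f""",
    r"""schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Speech\lsm.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\Speech\lsm.exe'" /rl HIGHEST /f""",
    # Constructed benign tasks, not from the report.
    r"""schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Acme Backup\backup.exe" /f""",
    r"""schtasks.exe /create /tn "DiskCleanup" /sc WEEKLY /d SUN /tr "C:\Windows\system32\cleanmgr.exe" /f""",
]


def parse_schtasks(cmdline):
    """Return the /tn, /sc, /mo, /tr and /rl values of one schtasks /create line.

    The sample wraps its target in both double and single quotes ("'...'"),
    so both are stripped from the value.
    """
    opts = {}
    for key, value in OPTION_RE.findall(cmdline):
        opts[key.lower()] = value.strip('"').strip("'")
    return opts


def is_masquerading(target):
    """True when the target carries a system-process name outside a system directory."""
    name = ntpath.basename(target).lower()
    directory = ntpath.dirname(target).lower()
    return name in SYSTEM_PROCESS_NAMES and directory not in LEGITIMATE_DIRS


def analyse(cmdlines):
    """Group tasks by target binary and report those matching either heuristic:
    a masquerading target, or the ONLOGON + MINUTE + /rl HIGHEST combination
    the sample registers for every dropped file."""
    by_target = {}
    for line in cmdlines:
        opts = parse_schtasks(line)
        if "tr" in opts and "tn" in opts:
            by_target.setdefault(opts["tr"], []).append(opts)

    findings = []
    for target, tasks in by_target.items():
        schedules = {t.get("sc", "").upper() for t in tasks}
        highest = any(t.get("rl", "").upper() == "HIGHEST" for t in tasks)
        triple = {"ONLOGON", "MINUTE"} <= schedules and highest
        masquerading = is_masquerading(target)
        if masquerading or triple:
            findings.append({
                "target": target,
                "task_names": sorted({t["tn"] for t in tasks}),
                "schedules": sorted(schedules),
                "highest": highest,
                "masquerading": masquerading,
            })
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_COMMAND_LINES):
        print(finding)
```

Run stand-alone it prints two findings, one per malicious target, and nothing for the two benign tasks. The same parser applies to the CommandLine field of Sysmon event ID 1 or to the command lines a sandbox records; for tasks already on a host, Windows Security event 4698 (scheduled task created) carries the task XML rather than a command line, so the target path has to be read from its Exec/Command element instead.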
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 748b9bf3bcc9cd2af55768fb9a72f379
SHA1 5fda3abc32318f3f177bd2febbc54d81973aaa36
SHA256 7556f41f92dec55d55c459c29a05647de11ed31ad1886d0e1bc02b707c453478
SHA512 5397844046c212a6484a81a8373db9e7673adfdad033c9b2cfbeb84325f6acf1367b55c4474a04ee9226750e7dcbdb7a019c822ddf115f57fd4e7ecf27bdab17
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 5c7d698d739eb9c3daa6c120b23cf7b7
SHA1 fe954f14c48be6f149c45e184da4bed1abea1b28
SHA256 e66cb2ec56fb4d9a2cc2580baca713189533d9cb78485d95b1b98a289a27b51e
SHA512 c80425b44a2a6d761f039d1d8ad628f4e8cab4a8ccad19623093e91c36a4c387b664b22f62a8541ed2e0b907d0fa2c862f946fcf855422135f847a562ba929e9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 bbb2b49fe929210a7d7bff85a415c3ec
SHA1 a3d573e99d0cead465f726ec3d5fb8c2150d9d27
SHA256 cb34a6ac0cd2e9d24e21244773dec715ddacc74c1d37fafda02966150fee05d7
SHA512 4a023ec58ab5aea6f388b263328d6cf1ba1e1bc2d2363433f126a6fe91c81fc8327032b0859aec0a52b839447b2ad3eb507b7f9c72c9804a0819685d69e1f1dc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 dd8175a2e1a454b6b194c0448ae79710
SHA1 0c556853dddbba823e361e115bd3aafe3fdb9a7c
SHA256 60d6f9ff30a25c017f0b7cbdb9a9358f3f4580841d68903d91ccea67d39fccfc
SHA512 173e0e0a4ec379d21d3f2721474625d148b33712b261c321a88610943297556debe3b92a6b39d140fefc173db7e34cffbf67fc79271ec549ba7727614c381741
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 b12287e7c61fd8598405c590a8ca085a
SHA1 43dbcdbd01bfead9c54b70b55fcc891adad8dee2
SHA256 053aaa8de4a36fff452cffd41e8f448e9cec4fa1f325d2fcac0f6c1b8ca216c9
SHA512 fe4e496dc314b74a4f57216a773352ea59ba5b27d49335f580c5ed52f936449a9aec4f1fd7de13d54f81f8aa0baf2f40d460063edb09c546ef2a4d6dc2414e3d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 8e2a2804da47c11bd269d13175981909
SHA1 ababe0909bed9c8c92e3f51e0b49a441dd26d65a
SHA256 3afe128a0a82e4cbc44fde0990cf978679ccdd6c9cb3fe522fc30b07bac0c3fa
SHA512 9b4e6a2a7815e6c3608607b5a912da04b48fa0e5916163486154101cb2943d8f6a73e40746c1f13cf241ca3b6c8aad8f501e2319a156163f77c4b1485d9fa6de
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 5b64601609ebe3df580e2396d85009b5
SHA1 7b3d2819c767816f70d31c2fa8f67b4a844c6f30
SHA256 26206cbd19efd7df72715b4d86ad9c179536c472e470c898f1b9dc18b18047e0
SHA512 b7f1fbad6c951d0b78d476a5cc7d0ecb23f26d40f8b0f71f1d39107b42d10269d46c16d5ba714ed6d2d4ff4f39a2227a1238745f52f74424440bb8899f607cea
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 b7a2c082f25ccb975db744dfdbfcaab5
SHA1 7412e96256f60776797b33ec4d09888ca3697aca
SHA256 5190df07f21808f49046f82c62425711c1ddd196f11d7e4dd50d3aa87e9a9153
SHA512 09b1eb5e285389664867e59c5dcdecea6c15c2f59879d0969f94022b3ac939a390bca247b5f3f81e7684bf06b9fbd2a79de604f93008e84de107b9bade5061d6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 a55b7eb0e26054065038e535bd7faafb
SHA1 1e7b1b864f204a36284928ef435d04661a02ac2f
SHA256 0962aa49d39a8185cfa62858cd73a5b84e286bdd2c2c74cba085a989ab02f462
SHA512 aaa58d3dc56039aee24f57eefb9740677aa179d9b77b2c71c9787927bab04c63ba8161a3f83ec778f1de12db2988ae779fbdd39901b09d37272775a89d8a783d
-
Filesize 197B
MD5 4cfdc907706ca2b8d78e7a7adc8e90eb
SHA1 bc97c8d934fdce0453342b365f4c54c7b108a0d4
SHA256 51732309564fb9dbfaaaebf9e797a14441eaee51ea8b1724129e11dfcf623ec1
SHA512 776c55ddcb4d5aed935a4af966ed0fc1ee741f941ca117b1d88846567cf7a2059bb780211bbe40e0185fcb0cc4a202fbb9ce1c2547c795b9bab6ad415a2f5c5a
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 197B
MD5 78c5cd759814ad50130e9d7ba5c19cb3
SHA1 b85b72498a4a21d546be44108a45e2ac1ff630f1
SHA256 dd08c59f8af76dee2c68d9049fead886c8a0a7fed0b2a01e0fbb8486aaff4d55
SHA512 81d3febc83898ab074d99f62af0a5c845959f2868350ae12883a6f50023c32cc5b70dacf2941c25073ae0013f57735cfba8a1459d9c8dc7d6c1e95c4a6777765
-
Filesize 197B
MD5 dc22b48e71091a40f97f656a52ea2002
SHA1 76491554f26f90478e45b2a76d85a07effdcc8dd
SHA256 61c253d26ec48ff8ce10d88ebe3d9507e2b9c9744f9bb9f83f895651d1b395f3
SHA512 e70034820bd34e175a41b182e58c9603c1db587ddd54e29bd97bc75a1a41af8ff8eda04ff0eb519f8999da68e89bb50cdb51ea5f936c45f01d8ae0a3ba0a850f
-
Filesize 197B
MD5 bdbf5d55f4dd11496810031c98b9b6ef
SHA1 5515c64d00c3f025ad448f01e433ca5d8a497527
SHA256 b0618f3e38ab8f9f8bf815393c2769212733f54270b2a6c9efbd5440b7a9ac5b
SHA512 e9257434b76f0f4eae112a3632962273b696b3d7d20aea8ee5a9da982a272a0509d6fd4a45309a1041cdc1c56a5fc452996897b2c965f48bbd4a383a5edb19b9
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 197B
MD5 4a10fbec46f746cfdbac08ccf30244c1
SHA1 788fdcbdfa7d14cf48d18d0dde2279a4877a0b06
SHA256 25e63ea07fcfb614474a4a53e6d3e4a5bf9a775ad088dc8d2f9251a870a2dd17
SHA512 c9be84218ad1d7e756b956bd8f42ab07c4bd49a0a5c8d4b9316e1e51fb2af3f16bd9210c54d5489a36c7d7650c6c6b7906d12ecb515aacb85e114b3dbacec019
-
Filesize 197B
MD5 daa99c7cea478adce710e6d7dacb3260
SHA1 b7bc54bee5fd70bd49e233b3e0bcd488bb7de7bf
SHA256 aadf66f100a24a71e12f2b505e05b67398480d439b942fa767f9febdef0b8e99
SHA512 78455eb1bdea0508a28fc1dded52d5d030a55d0116e26ba29ad08232b867e697fe202b9615dff2372aef90fbdd2046af169d2645d7e84381eeec669e19b16169
-
Filesize 197B
MD5 2ad3c9c9284d92eeb101cc23c12204c0
SHA1 ca8d2831469b8483220dc5de48ba47ba9db5d99e
SHA256 a7b5c68ea8942ed9935bb74b165ab26517e9c323e2dcb10dbd8fb18276c66195
SHA512 068491ce759fc5950ba5e9a9b99a66e96a21f1b420d30392fe053334063e9825a5008a1c9c589ade1d86125a0617154c9f7a100c14eb4c1731f591380e42c927
-
Filesize 197B
MD5 9917060728c54cbe4d923c078f9baedb
SHA1 6de6e0a5a6b964ef99307b541223f25ee052fa3f
SHA256 55607a5ce2f546d71db21f2b056a7075842d4a57b0aa7bb56b8d2e780b5ec2d9
SHA512 869b43cc19d654a63875a9ea9877df98e5ee0fac32985f822615b3a140ba170c80994a8f461294965d8e102da5090555970994bd6c47d3fadc7e9f380699f73e
-
Filesize 197B
MD5 0a1f6e44a83af72387064b70a1aa642f
SHA1 48dd2b102bf6eb0773fce45ab01faaa1af2a69bc
SHA256 5a68d61708fbaf7b7023b05327e8c6c4e9769709c7637b6c15bbb25d35cd3a21
SHA512 4ff59c431f77b794b02e89faf16b0d14657364b55d87903680b440531435cc8145ffa0f06d229e10987149bda8a014f02b5db9be730a80d3c20894b8a7c4091d
-
Filesize 197B
MD5 5dcdf69541a76dd1b34ad04fbdd97fcb
SHA1 e3baf9d118ceb37e81dcc761045ceeb415057ea9
SHA256 43d8a8c5db15d10074f49d0b01d9c73c17dd663bed8b617a31c54d960b704272
SHA512 7bd5818d3f773da7f93b79471b63f0e17d84a00a7820f82b021e2cd12dddc93336b8471462448e7549a9012ea6797c64e74047d2660e40e5b5ab8ee673936d6b
-
Filesize 197B
MD5 4339543751617b5d279e8bca1979d4c7
SHA1 3c4d6e69602542247dc8f114f6a41f7e90c6cac6
SHA256 603c632c6475046c8d00ddfdceace892be97f0feebec743c02870c88d2a2b83c
SHA512 70ae694dc35e7496d721b3ff1787bf66faeb0017c2c1b31bb559ed98d8e98f4a896ccee84a4f133b9dcad3a1fd2aebf6e845eb49795552a092de178ca8916a57
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 45492eb8de9be212fd5f0df87a7316dc
SHA1 a6714184f956901935257bc122faff8dbf7eff1d
SHA256 7b3d1cb59e3a4892dc7e4eed3fa30f0150566e622ff914261d05efc4fee3ade9
SHA512 99299600d4824891927305ca65aaae642f0b60de208f2e013393fac691e7c8fb88e751746efa7d4ca6840247aa706cf3aec18d6e433398669dc69733b9afd123
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394