Analysis
- max time kernel: 144s
- max time network: 140s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2024, 19:38
Behavioral task: behavioral1
- Sample: JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe
- Size: 1.3MB
- MD5: e3752ee088cc42b47b21d172c8ae5526
- SHA1: 9447e240b9c850e362b0047c3f4c3db58589a43c
- SHA256: ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8
- SHA512: a179a3671c79c1fed0efe2c4efcb702aadd20a610b6d819f4139a84427e916d3a9af4528b7aa2d9186a644620c725393a19cedd79f64bbdd35fde7dda8ce42c1
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
- DcRat: DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
Process spawned unexpected child process (51 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Columns: description, pid, pid_target, Process, procid_target. All 51 rows share the same description ("Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process"), pid_target 2672, Process schtasks.exe and procid_target 35; they differ only in the pid of the spawned schtasks.exe:
2852, 2880, 2684, 2720, 2576, 2620, 2392, 1492, 2284, 2616, 2884, 1064, 2364, 2604, 2760, 2648, 2108, 2040, 1300, 2164, 2584, 2476, 2068, 2036, 1788, 892, 3052, 444, 1092, 1832, 940, 912, 1712, 2292, 1640, 1784, 3040, 1708, 2520, 1928, 1512, 2380, 1304, 1752, 1288, 2340, 276, 2268, 1700, 2320, 536
resource | yara_rule
behavioral1/files/0x0007000000019609-9.dat | dcrat
behavioral1/memory/860-13-0x00000000009D0000-0x0000000000AE0000-memory.dmp | dcrat
behavioral1/memory/2928-147-0x0000000001220000-0x0000000001330000-memory.dmp | dcrat
behavioral1/memory/2144-324-0x0000000001320000-0x0000000001430000-memory.dmp | dcrat
behavioral1/memory/2304-503-0x00000000001D0000-0x00000000002E0000-memory.dmp | dcrat
behavioral1/memory/1264-563-0x0000000000AD0000-0x0000000000BE0000-memory.dmp | dcrat
behavioral1/memory/1644-623-0x0000000000240000-0x0000000000350000-memory.dmp | dcrat
behavioral1/memory/2616-683-0x0000000000B10000-0x0000000000C20000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 18 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Columns: pid, Process. All 18 rows are powershell.exe; pids: 2904, 2552, 2656, 2012, 3024, 1936, 1680, 2104, 1320, 2156, 2640, 2952, 3060, 2092, 2152, 2808, 576, 2556
Executes dropped EXE (11 IoCs)
pid | Process
860 | DllCommonsvc.exe
2928 | taskhost.exe
2920 | taskhost.exe
2132 | taskhost.exe
2144 | taskhost.exe
2508 | taskhost.exe
1532 | taskhost.exe
2304 | taskhost.exe
1264 | taskhost.exe
1644 | taskhost.exe
2616 | taskhost.exe
Loads dropped DLL (2 IoCs)
pid | Process
2876 | cmd.exe
2876 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 10 IoCs)
Columns: flow, ioc. All 10 rows have ioc raw.githubusercontent.com; flows: 13, 20, 34, 4, 5, 9, 16, 24, 27, 31
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\System32\WCN\fr-FR\winlogon.exe | DllCommonsvc.exe
File created | C:\Windows\System32\WCN\fr-FR\cc11b995f2a76d | DllCommonsvc.exe
Drops file in Program Files directory (15 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Windows Sidebar\taskhost.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Photo Viewer\6cb0b6c459d5d3 | DllCommonsvc.exe
File created | C:\Program Files\Windows Mail\en-US\dwm.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Mail\fr-FR\lsm.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Mail\en-US\6cb0b6c459d5d3 | DllCommonsvc.exe
File created | C:\Program Files\Microsoft Office\Office14\1033\lsm.exe | DllCommonsvc.exe
File created | C:\Program Files\Microsoft Office\Office14\1033\101b941d020240 | DllCommonsvc.exe
File created | C:\Program Files\Windows Mail\fr-FR\101b941d020240 | DllCommonsvc.exe
File created | C:\Program Files\7-Zip\Lang\cmd.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\smss.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\69ddcba757bf72 | DllCommonsvc.exe
File created | C:\Program Files\Windows Photo Viewer\dwm.exe | DllCommonsvc.exe
File created | C:\Program Files\7-Zip\Lang\ebf1f9fa8afd6d | DllCommonsvc.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\taskhost.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Sidebar\b75386f1303e64 | DllCommonsvc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 51 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Columns: pid, Process. All 51 rows are schtasks.exe; pids: 2620, 2616, 912, 1708, 2520, 2380, 2852, 2720, 892, 1640, 1784, 1304, 2340, 276, 2684, 2040, 1700, 1300, 2036, 444, 940, 2268, 1064, 2364, 2884, 2108, 2164, 2292, 1512, 2320, 2880, 1492, 536, 3040, 2760, 2068, 2284, 2584, 2476, 1788, 1092, 1712, 2576, 2392, 1288, 3052, 1928, 1752, 2604, 2648, 1832
Suspicious behavior: EnumeratesProcesses (33 IoCs)
Columns: pid, Process.
- DllCommonsvc.exe: pid 860 (5 rows)
- powershell.exe: pids 2152, 3024, 1936, 2012, 1320, 2904, 3060, 2808, 1680, 2104, 2640, 2952, 2656, 2156, 576, 2092, 2556, 2552
- taskhost.exe: pids 2928, 2920, 2132, 2144, 2508, 1532, 2304, 1264, 1644, 2616
Suspicious use of AdjustPrivilegeToken (29 IoCs)
Columns: description, pid, Process. All 29 rows have description "Token: SeDebugPrivilege".
- DllCommonsvc.exe: pid 860
- powershell.exe: pids 2152, 2012, 1936, 3024, 1320, 2904, 3060, 1680, 2808, 2104, 2640, 2952, 2656, 2156, 576, 2092, 2556, 2552
- taskhost.exe: pids 2928, 2920, 2132, 2144, 2508, 1532, 2304, 1264, 1644, 2616
Suspicious use of WriteProcessMemory (64 IoCs)
Identical rows are collapsed; the last column gives how many times each row appears in the report.
description | pid | Process | procid_target | rows
PID 1320 wrote to memory of 2516 | 1320 | JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe | 31 | 4
PID 2516 wrote to memory of 2876 | 2516 | WScript.exe | 32 | 4
PID 2876 wrote to memory of 860 | 2876 | cmd.exe | 34 | 4
PID 860 wrote to memory of 1680 | 860 | DllCommonsvc.exe | 87 | 3
PID 860 wrote to memory of 1320 | 860 | DllCommonsvc.exe | 88 | 3
PID 860 wrote to memory of 576 | 860 | DllCommonsvc.exe | 89 | 3
PID 860 wrote to memory of 2152 | 860 | DllCommonsvc.exe | 90 | 3
PID 860 wrote to memory of 1936 | 860 | DllCommonsvc.exe | 91 | 3
PID 860 wrote to memory of 2952 | 860 | DllCommonsvc.exe | 92 | 3
PID 860 wrote to memory of 2640 | 860 | DllCommonsvc.exe | 93 | 3
PID 860 wrote to memory of 3024 | 860 | DllCommonsvc.exe | 94 | 3
PID 860 wrote to memory of 2012 | 860 | DllCommonsvc.exe | 95 | 3
PID 860 wrote to memory of 2656 | 860 | DllCommonsvc.exe | 97 | 3
PID 860 wrote to memory of 2808 | 860 | DllCommonsvc.exe | 99 | 3
PID 860 wrote to memory of 2552 | 860 | DllCommonsvc.exe | 101 | 3
PID 860 wrote to memory of 2904 | 860 | DllCommonsvc.exe | 103 | 3
PID 860 wrote to memory of 2156 | 860 | DllCommonsvc.exe | 104 | 3
PID 860 wrote to memory of 2092 | 860 | DllCommonsvc.exe | 106 | 3
PID 860 wrote to memory of 2556 | 860 | DllCommonsvc.exe | 108 | 3
PID 860 wrote to memory of 3060 | 860 | DllCommonsvc.exe | 109 | 3
PID 860 wrote to memory of 2104 | 860 | DllCommonsvc.exe | 110 | 1
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(The number in brackets is the depth of the entry in the process tree.)

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe
    command: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ddb093f473d362f33fd0b4f6299dc3057fd6224d59584aa0d03f1c602a0d24b8.exe"
    PID: 1320
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

[2] C:\Windows\SysWOW64\WScript.exe
    command: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    PID: 2516
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

[3] C:\Windows\SysWOW64\cmd.exe
    command: cmd /c ""C:\providercommon\1zu9dW.bat" "
    PID: 2876
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

[4] C:\providercommon\DllCommonsvc.exe
    command: "C:\providercommon\DllCommonsvc.exe"
    PID: 860
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    PID: 1680
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\taskhost.exe'
    PID: 1320
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'
    PID: 576
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\dwm.exe'
    PID: 2152
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'
    PID: 1936
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
    PID: 2952
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\dwm.exe'
    PID: 2640
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'
    PID: 3024
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'
    PID: 2012
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'
    PID: 2656
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
    PID: 2808
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\WCN\fr-FR\winlogon.exe'
    PID: 2552
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe'
    PID: 2904
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\conhost.exe'
    PID: 2156
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\fr-FR\lsm.exe'
    PID: 2092
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\cmd.exe'
    PID: 2556
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\smss.exe'
    PID: 3060
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\cmd.exe'
    PID: 2104
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
[5] C:\Windows\System32\cmd.exe
    command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nmp3kJtbKc.bat"
    PID: 2924

[6] C:\Windows\system32\w32tm.exe
    command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2340

[6] C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
    command: "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
    PID: 2928
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[7] C:\Windows\System32\cmd.exe
    command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\12JaEZR6zX.bat"
    PID: 536

[8] C:\Windows\system32\w32tm.exe
    command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1604

[8] C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
    command: "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
    PID: 2920
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[9] C:\Windows\System32\cmd.exe
    command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2U51WDObLZ.bat"
    PID: 568

[10] C:\Windows\system32\w32tm.exe
    command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2784

[10] C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
    command: "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
    PID: 2132
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[11] C:\Windows\System32\cmd.exe
    command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tfVhKC50lX.bat"
    PID: 1664

[12] C:\Windows\system32\w32tm.exe
    command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2128

[12] C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
    command: "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
    PID: 2144
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[13] C:\Windows\System32\cmd.exe
    command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat"
    PID: 1100

[14] C:\Windows\system32\w32tm.exe
    command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2716

[14] C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
    command: "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
    PID: 2508
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[15] C:\Windows\System32\cmd.exe
    command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WPmuDeaX4D.bat"
    PID: 2784

[16] C:\Windows\system32\w32tm.exe
    command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2676

[16] C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
    command: "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
    PID: 1532
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[17] C:\Windows\System32\cmd.exe
    command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat"
    PID: 2192

[18] C:\Windows\system32\w32tm.exe
    command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 636

[18] C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
    command: "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
    PID: 2304
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[19] C:\Windows\System32\cmd.exe
    command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SRNviAgREO.bat"
    PID: 1480

[20] C:\Windows\system32\w32tm.exe
    command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 940

[20] C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
    command: "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
    PID: 1264
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[21] C:\Windows\System32\cmd.exe
    command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5G5G1KH0qy.bat"
    PID: 2804

[22] C:\Windows\system32\w32tm.exe
    command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2600

[22] C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
    command: "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
    PID: 1644
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[23] C:\Windows\System32\cmd.exe
    command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat"
    PID: 1716

[24] C:\Windows\system32\w32tm.exe
    command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1984

[24] C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe
    command: "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe"
    PID: 2616
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\en-US\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\en-US\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\providercommon\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\System32\WCN\fr-FR\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\WCN\fr-FR\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\System32\WCN\fr-FR\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\conhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\fr-FR\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fr-FR\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\fr-FR\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:276
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536
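Every schtasks.exe line in the tree above follows one template: the action is a dropped copy named after a Windows system process (taskhost.exe, dwm.exe, csrss.exe, lsm.exe, winlogon.exe, wininit.exe, WMIADAP.exe, conhost.exe, cmd.exe, smss.exe) placed somewhere it does not belong (MSOCache, Recovery, Program Files subfolders, a System32 language subdirectory), the task name is either that process name or the name with its own first letter appended ("taskhostt", "dwmd", "csrssc"), and each copy gets three tasks: a MINUTE re-launch without /rl, an ONLOGON task with /rl HIGHEST, and a second MINUTE re-launch with /rl HIGHEST. The script below is an added example written for this page, not code from the sandbox report or from any vendor tool; it parses command lines of this shape and flags that pattern. The system-binary name list, the allow-listed directories and the 15-minute threshold are assumptions chosen for the example. Its sample input is three lines copied from the tree plus two benign lines constructed for contrast.

```python
# Added example: triage schtasks.exe /create command lines for the
# masquerading-task persistence pattern recorded in the process tree above.
import re
from dataclasses import dataclass, field
from typing import Optional

# Process names Windows runs from %SystemRoot%\System32 that the sample reuses
# for its dropped copies (hand-picked for this example, not exhaustive).
SYSTEM_BINARY_NAMES = {
    "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "lsm.exe",
    "dwm.exe", "taskhost.exe", "conhost.exe", "cmd.exe", "wmiadap.exe",
}
# Exact directories where such a binary belongs (assumption). A subfolder
# like System32\WCN\fr-FR, which the sample uses, deliberately does not match.
LEGIT_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
FAST_RELAUNCH_MINUTES = 15   # assumed threshold for a watchdog-style /sc MINUTE

# A token is a double-quoted string (may hold spaces and single quotes, as in
# /tr "'C:\Program Files\...\x.exe'") or a run of non-whitespace.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')
VALUE_OPTS = {"/tn", "/sc", "/mo", "/tr", "/rl", "/ru", "/st", "/sd"}


@dataclass
class TaskCreate:
    task_name: str
    schedule: str
    modifier: Optional[int]
    action: str
    run_level: Optional[str]
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Masquerading alone is enough; otherwise require elevation plus a
        # persistence trigger, so an ordinary logon task is not flagged.
        f = self.findings
        return "masquerade" in f or ("highest" in f and
                                     ("fast-relaunch" in f or "onlogon" in f))


def _exe_path(tr_value: str) -> str:
    """Strip schtasks quoting and drop arguments after the first '.exe'."""
    value = tr_value.strip('"').strip("'")
    m = re.match(r"(.+?\.exe)(\s|$)", value, re.IGNORECASE)
    return m.group(1) if m else value


def parse_schtasks_create(cmdline: str) -> Optional[TaskCreate]:
    """Parse one `schtasks /create` command line; None for anything else."""
    toks = TOKEN_RE.findall(cmdline)
    lowered = [t.lower() for t in toks]
    if "/create" not in lowered:
        return None
    opts, i = {}, 0
    while i < len(toks):
        if lowered[i] in VALUE_OPTS and i + 1 < len(toks):
            opts[lowered[i]] = toks[i + 1].strip('"')
            i += 2
        else:
            i += 1
    if "/tn" not in opts or "/tr" not in opts:
        return None
    mo = opts.get("/mo")
    return TaskCreate(
        task_name=opts["/tn"],
        schedule=opts.get("/sc", "").upper(),
        modifier=int(mo) if mo and mo.isdigit() else None,
        action=_exe_path(opts["/tr"]),
        run_level=opts.get("/rl", "").upper() or None,
    )


def assess(task: TaskCreate) -> TaskCreate:
    """Attach findings to a parsed task and return it."""
    directory, _, base = task.action.lower().rpartition("\\")
    stem = base[:-4] if base.endswith(".exe") else base
    if base in SYSTEM_BINARY_NAMES and directory not in LEGIT_DIRS:
        task.findings.append("masquerade")
    # Naming seen in the report: the binary's name, or that name plus its own
    # first letter ("taskhostt", "dwmd", "csrssc").
    if task.task_name.lower() in (stem, stem + stem[:1]):
        task.findings.append("name-from-binary")
    if task.schedule == "MINUTE" and task.modifier is not None \
            and task.modifier <= FAST_RELAUNCH_MINUTES:
        task.findings.append("fast-relaunch")
    if task.schedule == "ONLOGON":
        task.findings.append("onlogon")
    if task.run_level == "HIGHEST":
        task.findings.append("highest")
    return task


def scan(lines):
    """Parse and assess every schtasks /create line; other lines are skipped."""
    return [assess(t) for t in map(parse_schtasks_create, lines) if t]


# Constructed input: three lines copied from the process tree above, then two
# benign lines made up for contrast (a vendor backup task; cmd.exe run from
# its real System32 location without /rl HIGHEST).
SAMPLE_LINES = [
    r'''schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\taskhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\System32\WCN\fr-FR\winlogon.exe'" /f''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Acme\backup.exe" /f''',
    r'''schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "C:\Windows\System32\cmd.exe /c echo hi" /f''',
]

if __name__ == "__main__":
    for t in scan(SAMPLE_LINES):
        print("SUSPICIOUS" if t.suspicious else "ok", t.task_name, t.findings, "->", t.action)
```

The directory check compares the exact parent directory rather than a prefix on purpose: the sample's winlogon.exe under C:\Windows\System32\WCN\fr-FR would pass a naive "starts with System32" test. The fifth sample line shows the other side, a task that launches the real C:\Windows\System32\cmd.exe at logon without elevation, which collects two weak findings but is not flagged. In practice the input would be the CommandLine field of Sysmon event 1 or Security event 4688 records for schtasks.exe, and the "Process spawned unexpected child process" parent check in the report (wmiprvse.exe as the parent) is an independent signal worth combining with it.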
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 456b8ef188133520ae0848f9bb63d3c8
SHA1 236de0364d6e99e6f2c579754b9cc959f200928c
SHA256 4d6ecf640f6690e530ca28c937b9807a23e67b86b1d765b8de9a44112630eccf
SHA512 b2a97d567362ecc0b39a019750dab67e1bc53332de1866f9f73ece617c39af49f14735f709318c03e07321c482401518d644e922f74028a62a767e560771e3b9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 16e6730f65ed8936039a65e6b42d1cdf
SHA1 4b2c4e7edafb8c62d6b1d696f45644d86ae7a48f
SHA256 7a75bde31eb0293e598817235210f1c1997161004839115ae8c2a48e99d6756f
SHA512 61153255c9b2435ecb355599a90e1b8959087eb60c3dff694b279c4121315d8a5a675888d0235cbac3feabfa7128ae8f300a299fdc2d18a5b7156b6ac76c9dc7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 cb264d8bf97b2a415c3bda1145138b6b
SHA1 9557583208b2f6711f8e1fd074efae29763baeee
SHA256 31c4f9e327d964548c13580cb2bd7333ff559fb8e66616e750e8c6c7172541ad
SHA512 ff68b0036015af8bbce8dca8a54fed84162c2c3e48929aa52adaa5e0d441bb9b644c8a3d806d3c9c0581bfc704a8a50457f7ebc20e4a2e31bc2f82f3650f5544
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 0807d34a9eab702c04b8abd8f8063750
SHA1 c7ca1ae6604a4ffda07d966dbb9d3fecfc4b06a7
SHA256 98530b23e701e1983853c1cd5c0d81748808c5164ad90abe346e8f19180a3fa9
SHA512 aaaf77a693c109fe366453ab29eec255148759ea8eda85c5d4745e0acdefd61857789c1bee2270fb79062f2f271c757fa6ef42dc00857c96eac3e007ed3cdfc6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 959010cd9a3e4e89316cf8e40beaea85
SHA1 f080deb643e62243ac02ece09639acb60b5875a2
SHA256 8645870aaeac5fb43e41033572bbbb6ef0e866a4c64cb6337256e8c6a573e8e1
SHA512 4b5e8118c72d4cf6c46c6b03c52c8d102bf9084a3748199665ce31cbe3f20088af34e2a2cc10982fb690091d29b4a16a4c89aa4f9ec240b4cd1c0314e94a794e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 0ccf05fc4fca8a5494f77a78bbba08e7
SHA1 dc9441bdd0bc1f4360d23c6ac4fba574e32f3569
SHA256 53ea12ef6e846bd0c5100d063c566ff71730c0afaa40ca2194762e1b427ed9cc
SHA512 385dc2ae7ef414390e47ac02ad4fce3827387b215f4a09ee7d9a7f8d180003b9f36290b6e89f3ce452ce1a083a3c7437481679ead88f64b18ee3ad41af3daf6e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 6ccc6ad1e01fafa58ebf017d666444bb
SHA1 4a68bdb06b4906ea322d0070ee67fcf4472318fc
SHA256 52d4a162f038ec16e9d2c59426d6e1d072f4f6efe11da4fe8e58d9528968b915
SHA512 57c44d699bb53d00c7a0c286925ba6f28176ce73297db141eb9654173c3dd08b27528026d5e63c4e6910df62f9052c83ff8b0bc9879ed949d820c514f9b5b69c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 24ac099f14a4f104859a918bdf304173
SHA1 ad547c527338f3779de690ee32366cf256467b94
SHA256 ec01912941c4da47868a0d5e4e79eeb1034500b627163a057446930182bbe6a0
SHA512 bedccdef01fe5771863e0bf9fbef3c2e2ffe2a787b92fd6865e93a887e79d394e76924eb8a27b7c6058bf3ecab98f037a3cdacbbc0cf26dccf4f11bee2e7f4a7
-
Filesize 226B
MD5 e243a90c72f4a3373441d214b1c5fbe1
SHA1 2fdf55a1effc09ad2600b07c50391b638162bf08
SHA256 6605ad6935c3e3cc5900b7e56a14da4bebdb352d93648ed290ebd6ec3285d9df
SHA512 c4186a0b2663290e0d1d44cd8cad5c98740c7cd83aac75ac012980cc9d1d256ec0c9ce0dbf795da5c90d3303e59fab383df426db9ae740668850efbc53a75824
-
Filesize 226B
MD5 31625a0e5bb16e5f06e58f03c9c385c2
SHA1 8768cfb863f0f800db69f394e666b4b93e8633b2
SHA256 65051db0c8e095ba16bbd2ad6ca08401ee36a5d1ea87f438ca6da9dc9cec8eca
SHA512 c49dc4a4fedf19de787242beec9a11ffd89843840faa43617f8206b03c336650b4ec3425729045bc9b502ab09743d15ad4526337b05c68fe2454a27c4154f344
-
Filesize 226B
MD5 97f7e4965159349e690ba9846730dc5e
SHA1 4bac3ae9fe00409dbf7de35348c9adfe6a0a520b
SHA256 aa6f5f1ffc6b7d80183937c244d83d46d29c2a4b4e61896c6dc4f9e3692522f1
SHA512 95059a8e36be8d2c6dc0e5a8962a89029ac2db6e78958e7fc850e081d3182e79d6f1e07536ddc6de99aa43a3fc6702de47c96f7a37a05e4575121e6499cf983d
-
Filesize 226B
MD5 0b4688e256931570dd6d14f4815d7b2d
SHA1 f59f36919882f85a1ddaa61bafc9e585bf9af58b
SHA256 8a4b11e78e175330f6412cbd72e76b92f732da360687cb483f3871ad449d2a66
SHA512 b7516f0587ca1527f6fb6ca3f7dda7a24e57c04f592604477d9d0042f1cd2a103cd1632069b074ae7847ab140f4f9f1ca9597cdaf76cae462a04f536b3b85947
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 226B
MD5 11c4e07a5a64d17f181dff9476d2dc96
SHA1 9ff997e24c622601f7ea36a146f3eb5a8212895c
SHA256 03313685cb2065d77852dadb6c6b8250faf9d6ce32735d90660d448d4ffbb5b2
SHA512 44fc1c800832cabdd57d1694b18835de1418ec9bdbbc49765800e94af01cd466f30cebccc7e6e66e29644d9a186a26fad1bbea432056f46bf3c817a785b2be0e
-
Filesize 226B
MD5 f82ba89edc6ad2d56640e576f2fa4694
SHA1 9deac0efb2db60fd80adc8d0ef6bb3f368384489
SHA256 d0ec0cfa1ed30f85559545f3c6e83cd4403a87472d2f0f81939d816cd88d5d25
SHA512 b6e3bab711c3b8422e05c729afd4ff0f5f4798f98b320ee9ddccce335b1ac39f1f0562c1cf8ed93a465e21bd52cd7e5b6372c1976bb127e2e8091ffb1bff9ef5
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 226B
MD5 7dc01dae3501e2f80aa973219777c893
SHA1 e6c419ba8b92bc942fcf153c50e4e97764585b78
SHA256 dae77823b8211b61a1b369bfd00eaaf092a0a0cc60fce7432c45a635c3727c52
SHA512 aa5d5eb98aa2cf4529bd8cdef69a61586a4640802c5068fa91c2f720e745cb16a82231a6f387c1b28ade25832ba0d14b917d402aad1fb47036b8c4307a2f5344
-
Filesize 226B
MD5 682c3154232774ebabfc6d48035ae321
SHA1 fd7b1f362822b17a30b92b176967f4989a5b4c23
SHA256 4c972acfce6c271e68ae8ed67d6cc09f87e63f102ab6b3c0047aad2083273c00
SHA512 0703cf9c5ef2dcf512ff0751b00c6fa1b98c99dfa387478387b8544c3e3c520dfc6bf9195e7024740d35c5a866fa478f65b6c0e7abd265c01e31802b6a6dba57
-
Filesize 226B
MD5 c641a2686fecd0d81a6b43fca3653825
SHA1 cc1f4c7b3aa0efa1f7a51d917fddd371b3aa5c38
SHA256 653dec7999ab0e83a1bb07d5bfe00085ee8d8f1b8ec0ce8db7182615a54106e1
SHA512 5902e00e3e22a8b158465160eaee57b318ddfccb27ed652b78cb9cbc74a7796ee708c7a28eccec96564f7751c37ed11472b3672c676948e4fba648a65203eae6
-
Filesize 226B
MD5 ec125ef596af446fbd5883ccb82c3ae0
SHA1 7384be108caab0888657141fd0c15af7d68023b8
SHA256 9a39f2779a97bfa8ffe25245e156497fc9b838333f46504d1b69828e17e053c4
SHA512 f894a117a5897fc39f2e2c7028500fdd3002eaa659bfaaf7f863adcca1f4abb6080eee3ff09fa7f383f2e34fa6cb0113a4bbc577d0db479099345c25b6453d4e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 87b41dcc0767ad387ddd3492be40d4c9
SHA1 ddba120cea1f52d1435d2d18ee9b867adf62b4f6
SHA256 05299005df00b1f87f5938c5231fe3045034ef476f1e98091abf8f83e1053e4b
SHA512 808f3beea439971853ac3ab0aab04db14e22889cf64f3b4ccfc9f18f775017a0a8aae26a42f56e539590ce5832674ae22967260ba00ad8784c8c79ba6bff11e7
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394