Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system
submitted: 21-12-2024 23:00

Behavioral task: behavioral1
Sample: JaffaCakes118_0c214385d1c4429a79a89983aa7f3b574d9367b10ac43456f40f84a286b55cee.exe
Resource: win7-20241023-en

Behavioral task: behavioral2
Sample: JaffaCakes118_0c214385d1c4429a79a89983aa7f3b574d9367b10ac43456f40f84a286b55cee.exe
Resource: win10v2004-20241007-en

General
Target: JaffaCakes118_0c214385d1c4429a79a89983aa7f3b574d9367b10ac43456f40f84a286b55cee.exe
Size: 1.3MB
MD5: b4c1b196d89a3b4f5505c8d2a2a591a8
SHA1: e71eaf145dc0c637dcc9c283d1404327d72b3f00
SHA256: 0c214385d1c4429a79a89983aa7f3b574d9367b10ac43456f40f84a286b55cee
SHA512: 8bdaba8b60f08416b76a8a31fb4dd910be406086a6c2096f48776237c34aa7d051a44ab0c91c929452508ad036183517cd0aec8836c6010d47fc0cbe6d11e4c4
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
All 48 rows share the same description, pid_target, Process and procid_target; only the pid of the spawned schtasks.exe differs:
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target: 3056
Process: schtasks.exe
procid_target: 35
pid: 3048, 2344, 2724, 1228, 2716, 2816, 480, 1968, 1564, 1796, 3024, 2028, 2140, 1636, 1044, 2900, 660, 1244, 868, 1132, 2904, 3036, 2124, 2300, 2192, 2572, 1040, 1108, 764, 236, 1268, 1868, 352, 1784, 1584, 1464, 616, 2464, 1212, 2500, 2656, 2116, 2996, 2544, 2108, 904, 2080, 1596

resource | yara_rule
behavioral1/files/0x00060000000186f4-9.dat | dcrat
behavioral1/memory/2488-13-0x0000000000EC0000-0x0000000000FD0000-memory.dmp | dcrat
behavioral1/memory/2944-89-0x0000000001240000-0x0000000001350000-memory.dmp | dcrat
behavioral1/memory/700-317-0x0000000000330000-0x0000000000440000-memory.dmp | dcrat
behavioral1/memory/2616-377-0x0000000000BA0000-0x0000000000CB0000-memory.dmp | dcrat
behavioral1/memory/280-437-0x0000000000F40000-0x0000000001050000-memory.dmp | dcrat
behavioral1/memory/2192-497-0x00000000003E0000-0x00000000004F0000-memory.dmp | dcrat
behavioral1/memory/2832-557-0x0000000000E40000-0x0000000000F50000-memory.dmp | dcrat
behavioral1/memory/1956-617-0x0000000001370000-0x0000000001480000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
powershell.exe: pids 1504, 1936, 2524, 1368, 1652, 2952, 2852, 2580, 1632, 1540, 2844, 2800, 2368, 1952, 2064, 2576, 2420

Executes dropped EXE 11 IoCs
DllCommonsvc.exe: pid 2488
lsm.exe: pids 2944, 1632, 2840, 700, 2616, 280, 2192, 2832, 1956, 2252

Loads dropped DLL 2 IoCs
cmd.exe: pid 800 (listed twice, one entry per loaded DLL)

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
ioc raw.githubusercontent.com, seen in flows 5, 12, 33, 36, 4, 15, 19, 22, 25, 29, 9

Drops file in Program Files directory 16 IoCs
description | ioc | Process
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\explorer.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\dllhost.exe | DllCommonsvc.exe
File created | C:\Program Files\Internet Explorer\6ccacd8608530f | DllCommonsvc.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\7a0fd90576e088 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe | DllCommonsvc.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\7a0fd90576e088 | DllCommonsvc.exe
File created | C:\Program Files\Internet Explorer\Idle.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Portable Devices\Idle.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files\Windows Portable Devices\Idle.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\5940a34987c991 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\f3b6ecef712a24 | DllCommonsvc.exe
File created | C:\Program Files\Windows Portable Devices\6ccacd8608530f | DllCommonsvc.exe
File created | C:\Program Files\Windows Media Player\Icons\audiodg.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\dllhost.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\5940a34987c991 | DllCommonsvc.exe

Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\ja-JP\wininit.exe | DllCommonsvc.exe
File created | C:\Windows\ja-JP\56085415360792 | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_0c214385d1c4429a79a89983aa7f3b574d9367b10ac43456f40f84a286b55cee.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
schtasks.exe: pids 480, 1132, 2656, 2116, 2724, 2140, 1268, 1584, 1464, 2080, 1596, 3024, 1636, 2124, 764, 236, 2464, 2108, 2344, 2816, 1968, 1564, 2900, 1244, 3036, 1784, 2716, 1212, 616, 1044, 352, 2544, 2028, 2192, 2500, 904, 3048, 2904, 2300, 2572, 1108, 1868, 2996, 868, 1796, 660, 1040, 1228
Suspicious behavior: EnumeratesProcesses 28 IoCs
DllCommonsvc.exe: pid 2488
powershell.exe: pids 2420, 1504, 1368, 1540, 1652, 1632, 2800, 2064, 2524, 1936, 2580, 1952, 2368, 2852, 2952, 2844, 2576
lsm.exe: pids 2944, 1632, 2840, 700, 2616, 280, 2192, 2832, 1956, 2252

Suspicious use of AdjustPrivilegeToken 28 IoCs
Token: SeDebugPrivilege, for each of the following 28 processes:
DllCommonsvc.exe: pid 2488
powershell.exe: pids 2420, 1504, 1368, 1540, 1652, 1632, 2800, 2064, 2524, 1936, 2580, 1952, 2368, 2852, 2952, 2844, 2576
lsm.exe: pids 2944, 1632, 2840, 700, 2616, 280, 2192, 2832, 1956, 2252

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (identical rows collapsed; the count of repeats is given in parentheses)
PID 2556 wrote to memory of 2580 | 2556 | JaffaCakes118_0c214385d1c4429a79a89983aa7f3b574d9367b10ac43456f40f84a286b55cee.exe | 30 (x4)
PID 2580 wrote to memory of 800 | 2580 | WScript.exe | 32 (x4)
PID 800 wrote to memory of 2488 | 800 | cmd.exe | 34 (x4)
PID 2488 wrote to memory of 1504 | 2488 | DllCommonsvc.exe | 84 (x3)
PID 2488 wrote to memory of 1652 | 2488 | DllCommonsvc.exe | 85 (x3)
PID 2488 wrote to memory of 1540 | 2488 | DllCommonsvc.exe | 87 (x3)
PID 2488 wrote to memory of 1632 | 2488 | DllCommonsvc.exe | 88 (x3)
PID 2488 wrote to memory of 1368 | 2488 | DllCommonsvc.exe | 91 (x3)
PID 2488 wrote to memory of 2576 | 2488 | DllCommonsvc.exe | 92 (x3)
PID 2488 wrote to memory of 2064 | 2488 | DllCommonsvc.exe | 93 (x3)
PID 2488 wrote to memory of 2524 | 2488 | DllCommonsvc.exe | 94 (x3)
PID 2488 wrote to memory of 1952 | 2488 | DllCommonsvc.exe | 95 (x3)
PID 2488 wrote to memory of 2368 | 2488 | DllCommonsvc.exe | 96 (x3)
PID 2488 wrote to memory of 1936 | 2488 | DllCommonsvc.exe | 98 (x3)
PID 2488 wrote to memory of 2420 | 2488 | DllCommonsvc.exe | 100 (x3)
PID 2488 wrote to memory of 2580 | 2488 | DllCommonsvc.exe | 101 (x3)
PID 2488 wrote to memory of 2800 | 2488 | DllCommonsvc.exe | 103 (x3)
PID 2488 wrote to memory of 2844 | 2488 | DllCommonsvc.exe | 104 (x3)
PID 2488 wrote to memory of 2952 | 2488 | DllCommonsvc.exe | 105 (x3)
PID 2488 wrote to memory of 2852 | 2488 | DllCommonsvc.exe | 106 (x3)
PID 2488 wrote to memory of 2944 | 2488 | DllCommonsvc.exe | 118 (x1)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (depth gives the level in the process tree)

[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0c214385d1c4429a79a89983aa7f3b574d9367b10ac43456f40f84a286b55cee.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0c214385d1c4429a79a89983aa7f3b574d9367b10ac43456f40f84a286b55cee.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2556

[depth 2] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2580

[depth 3] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 800

[depth 4] C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2488
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1504

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\Idle.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1652

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\explorer.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1540

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1632

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\WmiPrvSE.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1368

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2576

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\wininit.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2064

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\dllhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2524

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\dllhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1952

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\Idle.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2368

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WmiPrvSE.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1936

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2420

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2580

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\winlogon.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2800

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2844

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2952

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2852
[depth 5] C:\providercommon\lsm.exe
  Command line: "C:\providercommon\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2944

[depth 6] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QHkN6qNcbm.bat"
  PID: 920

[depth 7] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2916

[depth 7] C:\providercommon\lsm.exe
  Command line: "C:\providercommon\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1632

[depth 8] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wzkVYe0vvu.bat"
  PID: 2768

[depth 9] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2864

[depth 9] C:\providercommon\lsm.exe
  Command line: "C:\providercommon\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2840

[depth 10] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cV1vwDPsky.bat"
  PID: 1072

[depth 11] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1552

[depth 11] C:\providercommon\lsm.exe
  Command line: "C:\providercommon\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 700

[depth 12] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EqBdbgL5Ji.bat"
  PID: 1556

[depth 13] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 352

[depth 13] C:\providercommon\lsm.exe
  Command line: "C:\providercommon\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2616

[depth 14] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8OW3hmLaVA.bat"
  PID: 2956

[depth 15] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1412

[depth 15] C:\providercommon\lsm.exe
  Command line: "C:\providercommon\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 280

[depth 16] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Usvo58uhQ.bat"
  PID: 1636

[depth 17] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1848

[depth 17] C:\providercommon\lsm.exe
  Command line: "C:\providercommon\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2192

[depth 18] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v9lJjcBPjH.bat"
  PID: 556

[depth 19] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2488

[depth 19] C:\providercommon\lsm.exe
  Command line: "C:\providercommon\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2832

[depth 20] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat"
  PID: 2844

[depth 21] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2044

[depth 21] C:\providercommon\lsm.exe
  Command line: "C:\providercommon\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1956

[depth 22] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"
  PID: 2512

[depth 23] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1688

[depth 23] C:\providercommon\lsm.exe
  Command line: "C:\providercommon\lsm.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2252
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\ja-JP\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\ja-JP\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\ja-JP\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:616
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\providercommon\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596
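The schtasks /create calls above follow one template per dropped copy of the sample: a /sc MINUTE task with a short repeat, an ONLOGON task with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST, every one pointing at a Windows process name (lsm.exe, WmiPrvSE.exe, wininit.exe, dllhost.exe, lsass.exe, winlogon.exe, ...) placed in a directory where that binary does not belong. The Python below is an added example and not part of the sandbox report: it parses such command lines (the sample lines are copied from the tree above plus one constructed benign task) and flags the masquerading path, the tight re-launch interval and the task-naming pattern visible throughout the report (binary stem plus its first letter, e.g. lsm -> lsml, WmiPrvSE -> WmiPrvSEW). The expected-directory list and the interval threshold are assumptions to tune per environment.

```python
"""Triage schtasks /create command lines for DcRat-style persistence.

Added example; not part of the sandbox report. SAMPLE is copied from the
report's process tree plus one constructed benign line. EXPECTED_DIRS,
MAX_SANE_MINUTES and the naming heuristic are assumptions.
"""
import re
from pathlib import PureWindowsPath

# Binary names the sample copies itself under (all taken from the report).
SYSTEM_NAMES = {
    "lsm.exe", "wmiprvse.exe", "wininit.exe", "dllhost.exe", "idle.exe",
    "explorer.exe", "lsass.exe", "winlogon.exe", "audiodg.exe",
    "spoolsv.exe", "sppsvc.exe",
}
# Where those names are expected on a Windows 7 x64 host (assumption; tune per build).
EXPECTED_DIRS = {
    r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64",
    r"c:\windows\system32\wbem",
}
# A /sc MINUTE repeat this tight is a re-launch watchdog, not a job (assumed threshold).
MAX_SANE_MINUTES = 15

_FIELD = {
    "tn": re.compile(r'/tn\s+"([^"]+)"', re.I),
    "sc": re.compile(r"/sc\s+(\w+)", re.I),
    "mo": re.compile(r"/mo\s+(\d+)", re.I),
    # The report quotes the target as "'path'"; accept a plain "path" too.
    "tr": re.compile(r'''/tr\s+"'?([^"']+)'?"''', re.I),
    "rl": re.compile(r"/rl\s+HIGHEST", re.I),
}


def parse_create(cmdline):
    """Return the fields of one `schtasks /create` line, or None if it is not one."""
    if not re.search(r"schtasks(\.exe)?\s+/create\b", cmdline, re.I):
        return None
    m = {k: rx.search(cmdline) for k, rx in _FIELD.items()}
    if not (m["tn"] and m["tr"]):
        return None
    return {
        "name": m["tn"].group(1),
        "schedule": m["sc"].group(1).upper() if m["sc"] else None,
        "every": int(m["mo"].group(1)) if m["mo"] else None,
        "target": m["tr"].group(1).strip(),
        "highest": bool(m["rl"]),
    }


def reasons(task):
    """Heuristic reasons a parsed task looks like the persistence in this report."""
    out = []
    p = PureWindowsPath(task["target"])
    exe, stem, parent = p.name.lower(), p.stem.lower(), str(p.parent).lower()
    if exe in SYSTEM_NAMES and parent not in EXPECTED_DIRS:
        out.append(f"{exe} masquerading outside its expected directory ({p.parent})")
    if task["schedule"] == "MINUTE" and task["every"] is not None and task["every"] <= MAX_SANE_MINUTES:
        out.append(f"re-launched every {task['every']} min (watchdog)")
    if stem and task["name"].lower() == stem + stem[0]:
        out.append("task name is the binary stem plus its first letter (naming seen throughout the report)")
    return out


def triage(lines):
    """Parse every /create line and attach its reasons; other lines are skipped."""
    tasks = []
    for line in lines:
        t = parse_create(line)
        if t:
            t["reasons"] = reasons(t)
            tasks.append(t)
    return tasks


def by_target(tasks):
    """Group tasks by target path; the report registers three tasks per dropped copy."""
    groups = {}
    for t in tasks:
        groups.setdefault(t["target"].lower(), []).append(t)
    return groups


# Four lines copied from the report above, then one constructed benign task.
SAMPLE = r'''
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\WmiPrvSE.exe'" /f
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\WmiPrvSE.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\WmiPrvSE.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe" /f
'''.strip().splitlines()

if __name__ == "__main__":
    for target, group in by_target(triage(SAMPLE)).items():
        print(f"{target}  ({len(group)} task(s))")
        for t in group:
            print(f"  {t['name']:<14} {str(t['schedule']):<8} every={t['every']} highest={t['highest']}")
            for r in t["reasons"]:
                print("    -", r)
```

Feed it the CommandLine field of Sysmon event 1 or Security event 4688 rows where the image is schtasks.exe; grouping by target is what makes the three-task template stand out, since a single MINUTE task with /rl HIGHEST is not rare on its own.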
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 ec64fc7421323ebbeb89d660f5b1649a
SHA1 09efc2217cc6484ee27237c5a37011533296b650
SHA256 c427962e60e2323bccf6d06b47280e3821368ba213823ff2bd98cb0a101dae33
SHA512 f7cd96c3ae34d11e217f11655249f831f5bd3e542e6c27779c156883e08afd11b4009cfe430123064abedf7ae005c46836e378d24eb8dae8ecc965780b9df65b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 40a926310dd2903c3cb3a8a19f4d9382
SHA1 d02cecc540f7afb8ec40774571d60505b2670806
SHA256 6a0cec05ffbef80fd3174e2a3bf5ad6485d4c8126076715913b64fc69c4db1ee
SHA512 c2ec6952dccfe63b7922daf9740f0cd467c1daa5743e4a286e6f3257fe56508cfe97b2168ed15e7d066042021598823d78ef6c1b4f302a70fa73854e18274d41
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 c357285fc294b1b080c6fc77d4738022
SHA1 c9501b57515aedfd82e050a3a47adb4844f652a7
SHA256 b3c6baf2c66fd0827c5bea96cea57c999f28022f2c33ad94fec3a1df1b1a6a76
SHA512 42d9c75cd7ac0f3e6fb96318c1fe8be09dfb09e2a46e82a01a2bd4878b566803f471ecfb3d7899e1d319507fa59d8c7d6f153145e13d4c13f261c5c13d855d5f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 9c40815f2926bf5b5cc5012d7f9456d3
SHA1 633f5dad7bc0e7a50da12ea442b656393a8b4196
SHA256 f6605796288eba2fb47847f046c702680c20ec9ebaedd90a7bc57edc2ad37a76
SHA512 3ae80d7498843390e3ff2ccf94530c28f629f712a8efc955c3481e470008f7c51e607c0b8e36d2241bc5f2be73e6485e7360cb938ddb9dd956515b55ca3e9b52
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 f59ceec6926aa3864b93e5464c38e066
SHA1 ae7ea26d96a8f5b14d707bcfa41a311d59321197
SHA256 0516aaaa6561ef87c5d4963e1d8657868df1669d32fb47a947308c254b5d03a7
SHA512 e49e14a625a4366fed6cca067e7e71681e302d97e1559f1a0f16ef6875992558e14c7910ac5c8996fd1421fed9627d96f4af90fe77c45749c728b2d027a119f7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 5923fb4516e86603fa49a98ca086571b
SHA1 a94bf0c2ac2e0974ce1652000e672d0d54cc1291
SHA256 d8471a89339f4d494ce563001869f05a3e04e74407da9ffbd79cfc34928bc644
SHA512 3f1528f0b8460631ebb553fb5408fb07d649be0a2d36aab98bc3ad06aa75ffa9217d0b8bacd0e78dd4d986afb624db2bd1d0c408ec028f8f9734072170e051f6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 fe5a13673c80fa77b0776061ced4b910
SHA1 57a977446acf105952a0f2f6bbdb0746231c9a13
SHA256 4cc39ba305cad1343c235c0e19c45240035f45f07aed634f06ca22a6c9a5b95d
SHA512 e858c80773db0ac34ac3387a1058ae3026d8a6fcdc82f8cf18218924f0195cb5f171da85562d267da678fdbec5469af70e3292454008e52ea559a34484994696
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 f195a204dbd0a248d2dccd1ad29da2e8
SHA1 eb16f3c4031f52917ee96244573f014537d5b064
SHA256 8a87eb439da96955cf059d34033fa05c72ca521708dce5de4bf7b9cf1a1a9ff1
SHA512 4e12e74e6166f001ba89b5c1ec6a1e91af5f56cc1e2e983ea353b732a7a50d7a5372ba0669f9c9824997e622d7b63436a3fbe78c0f5e7439f758c4944bf215a1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 cd0898f541f8dd0c1e35eb4eda795bad
SHA1 91c7f3e5ec144ccafbf45e2578871b012c862dfc
SHA256 33be273bd80589f9a7e45808a1c59026d9140aad034e06008702f9613e23e710
SHA512 2d440cde63d91d338603dc61160f0bf763a3827c4aafc6e07805cc06945efc3dc9a1e4a601a82fdcec0786b08f39e19680f3da095c2788984ddbc999318e06b3
-
Filesize 190B
MD5 0bb9c61b6fb20b94442399484eb7e73e
SHA1 c43ff73c08cd542bcd83eff9d35721bb1ea4309c
SHA256 0c615cca341fe0af32501514838f8252cf30e6dc99486d612f5b370218bbceaa
SHA512 9b4fe3efb6dbd32389945627d7aad779cb3aeda428819639bdf46d4936f4b235c354a2ce7f5a45f927f06607819190c56fe362b65713100da844c22c64d933e9
-
Filesize 190B
MD5 4500ccab493cdcf3a04895f872c2af55
SHA1 150582fac4c7716c5fabab1bc0ac3d397c792884
SHA256 b6dc7d6600f41b45c5015428c0a653c9d8cf21c15d7f545ac2b0e29c196d68f5
SHA512 dfecc3335f1130aebdad1b7f3ccdab5be2815efd76a598664aa96dca4bda4471531455289db98ef727a97b9e145833ea13afe5786c99d28ea37dfb5d4b31d305
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 190B
MD5 1dca511ed87925d514fa0fa46ba22c92
SHA1 ca0c84d51aef0b03dd8745c9567232a850484428
SHA256 ef932ad2865ccf2dc921466f493fd920b275bc9ee3156bfcf7e0cb20bb3fd902
SHA512 c92b1f64a2f8d9134fcb24b44eec738c69df508e83b8c3d0606239417f1521e6941b11c5cc696fa784a2142190de82f0f540b07062cb7fbe1ba28e3022cff01f
-
Filesize 190B
MD5 538485267288151f373375175025500d
SHA1 cd4e258b59b27dffd241a248683e6dffc959c7bf
SHA256 a4bc3e0335408bc651d66e4a6f9e0216dcde2a2fdba71df8590b536ca8b63c94
SHA512 77d9c4d7ea39f87a3e442f7828f2ba8ae04f726c6b191f860892c49b6cfef75aa579b91c490c3118a65226e2339bda011f2a675d46175b6d0349a1e75c307edc
-
Filesize 190B
MD5 45347d2bbc6ed10c007eda0d1f08b4ca
SHA1 568ee56c27917477bd4ec96a488eaf62e7e5d1ca
SHA256 9cb1e92a3f06e52355cd7da5567f2bc34758d9a625bf4c40db7536b8c65234b0
SHA512 29be70645a18147ed3701eb4033be711dccb6cbf7303d8ddd0d0cca0317c356e3ddf84625f1c2418e81d9d99c4aa036b2a99ae84047a607cb67016546ee7d4b1
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 190B
MD5 2becef24f455f8e546054176e0dba26f
SHA1 488aeaf57b6e36d25dadfde360d0d1099f9defc7
SHA256 deeba18444bed3b4dacfe3b34a277700eda191c391c793c65e93bd86a54e1f37
SHA512 512afa93c9917aaf1b9879f9228558264a75de4eed452a8cb238c7b2b787500efb6e6b51a053a17bfd1c94cad99db1d041c6825709422e569d5c061e0a4e432e
-
Filesize 190B
MD5 736c7106ff897f56faf392d011d7bfad
SHA1 0c116ec48f184ee89c4ec70a69c261d3745a70a7
SHA256 e5dd553ce38e04c1682730dc5fa3fe84efc327c387a945d8de0a4dec68965b6a
SHA512 415457b9a860347cc282ef570bf4479d9b547eacdafa1ee4235143f00c9310796a38dbf6557b8187b01a73cbf0914b0c02553540ec5fb710a62b61d571e83f29
-
Filesize 190B
MD5 a1d81df644a9d5322136be6242137a2f
SHA1 4f16029a21ce715425e618fed1b9ee30c95725f7
SHA256 216c90a993f66c518f001aab0e5da2989af41ed19c2dab93cdc69ea296232a56
SHA512 9dbe8590eac27557ecbbef126479d9b6f0f04ccc24251e54d4801879c7473aa8dc8e3d5f3fbd7b9287899b795650bc7766516d05e6520131317f2f13ad5b74bb
-
Filesize 190B
MD5 2792bf108f6f6013a3c4de0d28c1bd9d
SHA1 f81ce39b56f52a3a75f6e822106495584febcaab
SHA256 3d644cc98de563045854913f091b6b4afce86af42f07cacaf6f8f2c4672051cc
SHA512 f0930d326db290df06d981660d179eea1b9c789df8686c4c93a9dd8da32103dd5932fb9f9bc689afec3e3758f11812a2a9f3c0ad10ff3cfb830fd093afcf500c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z6OXSDXOITSQKCWH9TPQ.temp
Filesize 7KB
MD5 b4306bb5c1090afa67399130b765e9e9
SHA1 1b2788f9a4096b9b509e9703a51634a394312a2f
SHA256 655f267e47cb7334ffddbb782e6baa91afe26e8d4a3b5de04acfe0bb87e46057
SHA512 4305e244458bffd7b2e9b7d188922df500ff4abfc15b3ec590c63c488b57b0404daad41c5b4a365e5c26e1164adf2c11616a4fddd5615efaf61b85f933a18a2d
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394