Analysis
- max time kernel: 146s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 21-12-2024 19:20

Behavioral task: behavioral1
- Sample: JaffaCakes118_0454f653d31ef0cec9286b9a3baf56e8040091beb82bc0a6ff448ebecdd4d562.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: JaffaCakes118_0454f653d31ef0cec9286b9a3baf56e8040091beb82bc0a6ff448ebecdd4d562.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_0454f653d31ef0cec9286b9a3baf56e8040091beb82bc0a6ff448ebecdd4d562.exe
- Size: 1.3MB
- MD5: 31403fb0bfc872db3d0fb82465ac7b37
- SHA1: 835f58203c87fa254ce47bc88c81d5058ced9884
- SHA256: 0454f653d31ef0cec9286b9a3baf56e8040091beb82bc0a6ff448ebecdd4d562
- SHA512: 276807758cf0c8f3c8a2bf8fd31979b630c6aca6813580332bb5dd01cc31b3392ae7086f60ced3a2f67e347b4cf8cc7cd2a3d1854ede86ae79c34262230d6833
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

Dcrat family
Process spawned unexpected child process (45 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
resource, yara_rule:
- behavioral1/files/0x0008000000015f96-9.dat, dcrat
- behavioral1/memory/2692-13-0x0000000000E80000-0x0000000000F90000-memory.dmp, dcrat
- behavioral1/memory/2288-141-0x0000000000310000-0x0000000000420000-memory.dmp, dcrat
- behavioral1/memory/2400-200-0x00000000010B0000-0x00000000011C0000-memory.dmp, dcrat
- behavioral1/memory/2168-499-0x0000000000110000-0x0000000000220000-memory.dmp, dcrat
- behavioral1/memory/2396-559-0x0000000001110000-0x0000000001220000-memory.dmp, dcrat
- behavioral1/memory/2184-619-0x00000000003F0000-0x0000000000500000-memory.dmp, dcrat
- behavioral1/memory/2560-679-0x0000000000D10000-0x0000000000E20000-memory.dmp, dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 17 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Executes dropped EXE (12 IoCs)
pid, Process:
- 2692 DllCommonsvc.exe
- 2144 DllCommonsvc.exe
- 2288 spoolsv.exe
- 2400 spoolsv.exe
- 2740 spoolsv.exe
- 2368 spoolsv.exe
- 2280 spoolsv.exe
- 1372 spoolsv.exe
- 2168 spoolsv.exe
- 2396 spoolsv.exe
- 2184 spoolsv.exe
- 2560 spoolsv.exe
Loads dropped DLL (2 IoCs)
pid, Process:
- 1872 cmd.exe
- 1872 cmd.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 11 IoCs)
flow, ioc:
- 35 raw.githubusercontent.com
- 4 raw.githubusercontent.com
- 5 raw.githubusercontent.com
- 12 raw.githubusercontent.com
- 15 raw.githubusercontent.com
- 31 raw.githubusercontent.com
- 9 raw.githubusercontent.com
- 18 raw.githubusercontent.com
- 22 raw.githubusercontent.com
- 25 raw.githubusercontent.com
- 28 raw.githubusercontent.com
Drops file in System32 directory (2 IoCs)
description, ioc, Process:
- File created: C:\Windows\SysWOW64\Setup\de-DE\taskhost.exe (DllCommonsvc.exe)
- File created: C:\Windows\SysWOW64\Setup\de-DE\b75386f1303e64 (DllCommonsvc.exe)
Drops file in Program Files directory (11 IoCs)
description, ioc, Process:
- File created: C:\Program Files\Mozilla Firefox\browser\VisualElements\886983d96e3d3e (DllCommonsvc.exe)
- File created: C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe (DllCommonsvc.exe)
- File opened for modification: C:\Program Files\Windows NT\Idle.exe (DllCommonsvc.exe)
- File created: C:\Program Files\Windows NT\6ccacd8608530f (DllCommonsvc.exe)
- File created: C:\Program Files\Uninstall Information\audiodg.exe (DllCommonsvc.exe)
- File created: C:\Program Files\Uninstall Information\42af1c969fbb7b (DllCommonsvc.exe)
- File created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WMIADAP.exe (DllCommonsvc.exe)
- File created: C:\Program Files\Mozilla Firefox\browser\VisualElements\csrss.exe (DllCommonsvc.exe)
- File created: C:\Program Files\Windows NT\Idle.exe (DllCommonsvc.exe)
- File created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\75a57c1bdf437c (DllCommonsvc.exe)
- File created: C:\Program Files (x86)\Mozilla Maintenance Service\1610b97d3ab4a7 (DllCommonsvc.exe)
Drops file in Windows directory (5 IoCs)
description, ioc, Process:
- File created: C:\Windows\ModemLogs\27d1bcfc3c54e0 (DllCommonsvc.exe)
- File created: C:\Windows\servicing\it-IT\DllCommonsvc.exe (DllCommonsvc.exe)
- File created: C:\Windows\ServiceProfiles\LocalService\Links\WmiPrvSE.exe (DllCommonsvc.exe)
- File created: C:\Windows\ServiceProfiles\LocalService\Links\24dbde2999530e (DllCommonsvc.exe)
- File created: C:\Windows\ModemLogs\System.exe (DllCommonsvc.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description, ioc, Process:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (JaffaCakes118_0454f653d31ef0cec9286b9a3baf56e8040091beb82bc0a6ff448ebecdd4d562.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (WScript.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
Scheduled Task/Job: Scheduled Task (1 TTPs, 45 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (33 IoCs)
Suspicious use of AdjustPrivilegeToken (29 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (Level n gives the nesting depth of each process in the tree)
Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0454f653d31ef0cec9286b9a3baf56e8040091beb82bc0a6ff448ebecdd4d562.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0454f653d31ef0cec9286b9a3baf56e8040091beb82bc0a6ff448ebecdd4d562.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 828

Level 2: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1404

Level 3: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1872

Level 4: C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2692
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1656

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Idle.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2564

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\audiodg.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2568

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2796

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 608

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\LocalService\Links\WmiPrvSE.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 792

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsass.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1500

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\Setup\de-DE\taskhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 956

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WMIADAP.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 676

Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\browser\VisualElements\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1760
Level 5: C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2144
Level 6: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2744

Level 6: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2848

Level 6: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1528

Level 6: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\System.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1484

Level 6: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2284

Level 6: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2732

Level 6: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1652
Level 6: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tPRueI6iqX.bat"
PID: 2228

Level 7: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2080

Level 7: C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe
Command line: "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2288

Level 8: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qX4ufk0Q6M.bat"
PID: 3064

Level 9: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1108

Level 9: C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe
Command line: "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2400

Level 10: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F8wGhM86rN.bat"
PID: 2544

Level 11: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2084

Level 11: C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe
Command line: "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2740

Level 12: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uItNEyebdJ.bat"
PID: 2248

Level 13: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2144

Level 13: C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe
Command line: "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2368

Level 14: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z3bbUpz34c.bat"
PID: 2960

Level 15: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1056

Level 15: C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe
Command line: "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2280

Level 16: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat"
PID: 1680

Level 17: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2628

Level 17: C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe
Command line: "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1372

Level 18: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x8TIUMdSeB.bat"
PID: 2004

Level 19: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1700

Level 19: C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe
Command line: "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2168

Level 20: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat"
PID: 1160

Level 21: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1408

Level 21: C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe
Command line: "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2396

Level 22: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hiVaTihpWK.bat"
PID: 908

Level 23: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1708

Level 23: C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe
Command line: "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2184

Level 24: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\raSqT8qddO.bat"
PID: 1596

Level 25: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1564

Level 25: C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe
Command line: "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2560

Level 26: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3j9hYFnRH7.bat"
PID: 2468

Level 27: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2656
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\providercommon\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\providercommon\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\ServiceProfiles\LocalService\Links\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Links\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\ServiceProfiles\LocalService\Links\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Windows\SysWOW64\Setup\de-DE\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\SysWOW64\Setup\de-DE\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Windows\SysWOW64\Setup\de-DE\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WMIADAP.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WMIADAP.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WMIADAP.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\ModemLogs\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\ModemLogs\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\ModemLogs\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\providercommon\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\providercommon\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880
Network
MITRE ATT&CK Enterprise v15
Downloads