Analysis
max time kernel: 145s
max time network: 140s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 19:07
Behavioral task: behavioral1
Sample: JaffaCakes118_c2cfbe116e86d51d079cb57f3d43762688a2767c97c499132ffb3b2036e543c4.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: JaffaCakes118_c2cfbe116e86d51d079cb57f3d43762688a2767c97c499132ffb3b2036e543c4.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_c2cfbe116e86d51d079cb57f3d43762688a2767c97c499132ffb3b2036e543c4.exe
Size: 1.3MB
MD5: 7daa68e5ebb47a65b82ab9fdf7b5e6c0
SHA1: 6b3c7f065574b8f05d774ca9cfde4306e232d29a
SHA256: c2cfbe116e86d51d079cb57f3d43762688a2767c97c499132ffb3b2036e543c4
SHA512: ff1c2f83fd972e399a02b7dbf92a2fcf8c4de4550e842a6966eabe0be5645da94368ba16e616d116e3449656db3010889f8479b3813f8c382ddea14f2a653020
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
| description | pid | pid_target | Process | procid_target |
| --- | --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3004 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2872 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2772 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2608 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2676 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2216 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 476 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1900 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 984 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1704 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1348 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2128 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1008 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1928 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1872 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1592 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1200 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1116 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2852 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2824 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2704 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2340 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2984 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2208 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2960 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1244 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2276 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 444 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2976 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2848 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 692 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 940 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2164 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2796 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2472 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2784 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 936 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 680 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1208 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 356 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2280 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1652 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2476 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1840 | 2308 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2256 | 2308 | schtasks.exe | 35 |
| resource | yara_rule |
| --- | --- |
| behavioral1/files/0x0008000000016c58-9.dat | dcrat |
| behavioral1/memory/2748-13-0x0000000000FF0000-0x0000000001100000-memory.dmp | dcrat |
| behavioral1/memory/1588-136-0x00000000010F0000-0x0000000001200000-memory.dmp | dcrat |
| behavioral1/memory/2292-195-0x0000000001140000-0x0000000001250000-memory.dmp | dcrat |
| behavioral1/memory/2044-256-0x00000000000D0000-0x00000000001E0000-memory.dmp | dcrat |
| behavioral1/memory/2816-316-0x0000000000020000-0x0000000000130000-memory.dmp | dcrat |
| behavioral1/memory/1180-435-0x0000000001390000-0x00000000014A0000-memory.dmp | dcrat |
| behavioral1/memory/1948-495-0x0000000000210000-0x0000000000320000-memory.dmp | dcrat |
| behavioral1/memory/2808-555-0x0000000000920000-0x0000000000A30000-memory.dmp | dcrat |
| behavioral1/memory/3004-615-0x0000000000A90000-0x0000000000BA0000-memory.dmp | dcrat |
| behavioral1/memory/1664-675-0x0000000000BD0000-0x0000000000CE0000-memory.dmp | dcrat |
Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
| pid | Process |
| --- | --- |
| 540 | powershell.exe |
| 2524 | powershell.exe |
| 1684 | powershell.exe |
| 2180 | powershell.exe |
| 980 | powershell.exe |
| 1608 | powershell.exe |
| 2300 | powershell.exe |
| 2384 | powershell.exe |
| 2516 | powershell.exe |
| 1516 | powershell.exe |
| 2112 | powershell.exe |
| 2064 | powershell.exe |
| 2080 | powershell.exe |
| 2540 | powershell.exe |
| 756 | powershell.exe |
| 2148 | powershell.exe |
Executes dropped EXE 11 IoCs
| pid | Process |
| --- | --- |
| 2748 | DllCommonsvc.exe |
| 1588 | WmiPrvSE.exe |
| 2292 | WmiPrvSE.exe |
| 2044 | WmiPrvSE.exe |
| 2816 | WmiPrvSE.exe |
| 892 | WmiPrvSE.exe |
| 1180 | WmiPrvSE.exe |
| 1948 | WmiPrvSE.exe |
| 2808 | WmiPrvSE.exe |
| 3004 | WmiPrvSE.exe |
| 1664 | WmiPrvSE.exe |
Loads dropped DLL 2 IoCs
| pid | Process |
| --- | --- |
| 2696 | cmd.exe |
| 2696 | cmd.exe |
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
| flow | ioc |
| --- | --- |
| 4 | raw.githubusercontent.com |
| 9 | raw.githubusercontent.com |
| 19 | raw.githubusercontent.com |
| 23 | raw.githubusercontent.com |
| 26 | raw.githubusercontent.com |
| 30 | raw.githubusercontent.com |
| 33 | raw.githubusercontent.com |
| 5 | raw.githubusercontent.com |
| 12 | raw.githubusercontent.com |
| 16 | raw.githubusercontent.com |
Drops file in Program Files directory 9 IoCs
| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe | DllCommonsvc.exe |
| File opened for modification | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\f3b6ecef712a24 | DllCommonsvc.exe |
| File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\75a57c1bdf437c | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Adobe\Reader 9.0\Esl\WmiPrvSE.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Adobe\Reader 9.0\Esl\24dbde2999530e | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\6ccacd8608530f | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\spoolsv.exe | DllCommonsvc.exe |
| File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\WMIADAP.exe | DllCommonsvc.exe |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_c2cfbe116e86d51d079cb57f3d43762688a2767c97c499132ffb3b2036e543c4.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe |
Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
| pid | Process |
| --- | --- |
| 2960 | schtasks.exe |
| 2276 | schtasks.exe |
| 692 | schtasks.exe |
| 2280 | schtasks.exe |
| 2476 | schtasks.exe |
| 2872 | schtasks.exe |
| 1928 | schtasks.exe |
| 1200 | schtasks.exe |
| 1872 | schtasks.exe |
| 940 | schtasks.exe |
| 936 | schtasks.exe |
| 2256 | schtasks.exe |
| 3004 | schtasks.exe |
| 2608 | schtasks.exe |
| 476 | schtasks.exe |
| 2164 | schtasks.exe |
| 2784 | schtasks.exe |
| 1008 | schtasks.exe |
| 1116 | schtasks.exe |
| 2824 | schtasks.exe |
| 1652 | schtasks.exe |
| 2676 | schtasks.exe |
| 1900 | schtasks.exe |
| 2976 | schtasks.exe |
| 444 | schtasks.exe |
| 2796 | schtasks.exe |
| 2472 | schtasks.exe |
| 680 | schtasks.exe |
| 984 | schtasks.exe |
| 1704 | schtasks.exe |
| 2984 | schtasks.exe |
| 1840 | schtasks.exe |
| 2216 | schtasks.exe |
| 1592 | schtasks.exe |
| 2340 | schtasks.exe |
| 2772 | schtasks.exe |
| 1208 | schtasks.exe |
| 2704 | schtasks.exe |
| 2208 | schtasks.exe |
| 1244 | schtasks.exe |
| 2848 | schtasks.exe |
| 356 | schtasks.exe |
| 1348 | schtasks.exe |
| 2128 | schtasks.exe |
| 2852 | schtasks.exe |
Suspicious behavior: EnumeratesProcesses 29 IoCs
| pid | Process |
| --- | --- |
| 2748 | DllCommonsvc.exe |
| 2748 | DllCommonsvc.exe |
| 2748 | DllCommonsvc.exe |
| 2300 | powershell.exe |
| 756 | powershell.exe |
| 1516 | powershell.exe |
| 2180 | powershell.exe |
| 2148 | powershell.exe |
| 2112 | powershell.exe |
| 1684 | powershell.exe |
| 2064 | powershell.exe |
| 2384 | powershell.exe |
| 540 | powershell.exe |
| 2524 | powershell.exe |
| 2516 | powershell.exe |
| 2080 | powershell.exe |
| 980 | powershell.exe |
| 1608 | powershell.exe |
| 2540 | powershell.exe |
| 1588 | WmiPrvSE.exe |
| 2292 | WmiPrvSE.exe |
| 2044 | WmiPrvSE.exe |
| 2816 | WmiPrvSE.exe |
| 892 | WmiPrvSE.exe |
| 1180 | WmiPrvSE.exe |
| 1948 | WmiPrvSE.exe |
| 2808 | WmiPrvSE.exe |
| 3004 | WmiPrvSE.exe |
| 1664 | WmiPrvSE.exe |
Suspicious use of AdjustPrivilegeToken 27 IoCs
| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 2748 | DllCommonsvc.exe |
| Token: SeDebugPrivilege | 2300 | powershell.exe |
| Token: SeDebugPrivilege | 756 | powershell.exe |
| Token: SeDebugPrivilege | 1516 | powershell.exe |
| Token: SeDebugPrivilege | 2180 | powershell.exe |
| Token: SeDebugPrivilege | 2148 | powershell.exe |
| Token: SeDebugPrivilege | 2112 | powershell.exe |
| Token: SeDebugPrivilege | 1684 | powershell.exe |
| Token: SeDebugPrivilege | 2064 | powershell.exe |
| Token: SeDebugPrivilege | 2384 | powershell.exe |
| Token: SeDebugPrivilege | 540 | powershell.exe |
| Token: SeDebugPrivilege | 2524 | powershell.exe |
| Token: SeDebugPrivilege | 2516 | powershell.exe |
| Token: SeDebugPrivilege | 2080 | powershell.exe |
| Token: SeDebugPrivilege | 980 | powershell.exe |
| Token: SeDebugPrivilege | 1608 | powershell.exe |
| Token: SeDebugPrivilege | 2540 | powershell.exe |
| Token: SeDebugPrivilege | 1588 | WmiPrvSE.exe |
| Token: SeDebugPrivilege | 2292 | WmiPrvSE.exe |
| Token: SeDebugPrivilege | 2044 | WmiPrvSE.exe |
| Token: SeDebugPrivilege | 2816 | WmiPrvSE.exe |
| Token: SeDebugPrivilege | 892 | WmiPrvSE.exe |
| Token: SeDebugPrivilege | 1180 | WmiPrvSE.exe |
| Token: SeDebugPrivilege | 1948 | WmiPrvSE.exe |
| Token: SeDebugPrivilege | 2808 | WmiPrvSE.exe |
| Token: SeDebugPrivilege | 3004 | WmiPrvSE.exe |
| Token: SeDebugPrivilege | 1664 | WmiPrvSE.exe |
Suspicious use of WriteProcessMemory 64 IoCs
| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2132 wrote to memory of 2376 | 2132 | JaffaCakes118_c2cfbe116e86d51d079cb57f3d43762688a2767c97c499132ffb3b2036e543c4.exe | 31 |
| PID 2132 wrote to memory of 2376 | 2132 | JaffaCakes118_c2cfbe116e86d51d079cb57f3d43762688a2767c97c499132ffb3b2036e543c4.exe | 31 |
| PID 2132 wrote to memory of 2376 | 2132 | JaffaCakes118_c2cfbe116e86d51d079cb57f3d43762688a2767c97c499132ffb3b2036e543c4.exe | 31 |
| PID 2132 wrote to memory of 2376 | 2132 | JaffaCakes118_c2cfbe116e86d51d079cb57f3d43762688a2767c97c499132ffb3b2036e543c4.exe | 31 |
| PID 2376 wrote to memory of 2696 | 2376 | WScript.exe | 32 |
| PID 2376 wrote to memory of 2696 | 2376 | WScript.exe | 32 |
| PID 2376 wrote to memory of 2696 | 2376 | WScript.exe | 32 |
| PID 2376 wrote to memory of 2696 | 2376 | WScript.exe | 32 |
| PID 2696 wrote to memory of 2748 | 2696 | cmd.exe | 34 |
| PID 2696 wrote to memory of 2748 | 2696 | cmd.exe | 34 |
| PID 2696 wrote to memory of 2748 | 2696 | cmd.exe | 34 |
| PID 2696 wrote to memory of 2748 | 2696 | cmd.exe | 34 |
| PID 2748 wrote to memory of 2300 | 2748 | DllCommonsvc.exe | 81 |
| PID 2748 wrote to memory of 2300 | 2748 | DllCommonsvc.exe | 81 |
| PID 2748 wrote to memory of 2300 | 2748 | DllCommonsvc.exe | 81 |
| PID 2748 wrote to memory of 2064 | 2748 | DllCommonsvc.exe | 82 |
| PID 2748 wrote to memory of 2064 | 2748 | DllCommonsvc.exe | 82 |
| PID 2748 wrote to memory of 2064 | 2748 | DllCommonsvc.exe | 82 |
| PID 2748 wrote to memory of 756 | 2748 | DllCommonsvc.exe | 83 |
| PID 2748 wrote to memory of 756 | 2748 | DllCommonsvc.exe | 83 |
| PID 2748 wrote to memory of 756 | 2748 | DllCommonsvc.exe | 83 |
| PID 2748 wrote to memory of 1684 | 2748 | DllCommonsvc.exe | 85 |
| PID 2748 wrote to memory of 1684 | 2748 | DllCommonsvc.exe | 85 |
| PID 2748 wrote to memory of 1684 | 2748 | DllCommonsvc.exe | 85 |
| PID 2748 wrote to memory of 980 | 2748 | DllCommonsvc.exe | 86 |
| PID 2748 wrote to memory of 980 | 2748 | DllCommonsvc.exe | 86 |
| PID 2748 wrote to memory of 980 | 2748 | DllCommonsvc.exe | 86 |
| PID 2748 wrote to memory of 2384 | 2748 | DllCommonsvc.exe | 87 |
| PID 2748 wrote to memory of 2384 | 2748 | DllCommonsvc.exe | 87 |
| PID 2748 wrote to memory of 2384 | 2748 | DllCommonsvc.exe | 87 |
| PID 2748 wrote to memory of 2180 | 2748 | DllCommonsvc.exe | 88 |
| PID 2748 wrote to memory of 2180 | 2748 | DllCommonsvc.exe | 88 |
| PID 2748 wrote to memory of 2180 | 2748 | DllCommonsvc.exe | 88 |
| PID 2748 wrote to memory of 2080 | 2748 | DllCommonsvc.exe | 90 |
| PID 2748 wrote to memory of 2080 | 2748 | DllCommonsvc.exe | 90 |
| PID 2748 wrote to memory of 2080 | 2748 | DllCommonsvc.exe | 90 |
| PID 2748 wrote to memory of 2112 | 2748 | DllCommonsvc.exe | 91 |
| PID 2748 wrote to memory of 2112 | 2748 | DllCommonsvc.exe | 91 |
| PID 2748 wrote to memory of 2112 | 2748 | DllCommonsvc.exe | 91 |
| PID 2748 wrote to memory of 1516 | 2748 | DllCommonsvc.exe | 92 |
| PID 2748 wrote to memory of 1516 | 2748 | DllCommonsvc.exe | 92 |
| PID 2748 wrote to memory of 1516 | 2748 | DllCommonsvc.exe | 92 |
| PID 2748 wrote to memory of 1608 | 2748 | DllCommonsvc.exe | 94 |
| PID 2748 wrote to memory of 1608 | 2748 | DllCommonsvc.exe | 94 |
| PID 2748 wrote to memory of 1608 | 2748 | DllCommonsvc.exe | 94 |
| PID 2748 wrote to memory of 540 | 2748 | DllCommonsvc.exe | 95 |
| PID 2748 wrote to memory of 540 | 2748 | DllCommonsvc.exe | 95 |
| PID 2748 wrote to memory of 540 | 2748 | DllCommonsvc.exe | 95 |
| PID 2748 wrote to memory of 2524 | 2748 | DllCommonsvc.exe | 97 |
| PID 2748 wrote to memory of 2524 | 2748 | DllCommonsvc.exe | 97 |
| PID 2748 wrote to memory of 2524 | 2748 | DllCommonsvc.exe | 97 |
| PID 2748 wrote to memory of 2540 | 2748 | DllCommonsvc.exe | 98 |
| PID 2748 wrote to memory of 2540 | 2748 | DllCommonsvc.exe | 98 |
| PID 2748 wrote to memory of 2540 | 2748 | DllCommonsvc.exe | 98 |
| PID 2748 wrote to memory of 2148 | 2748 | DllCommonsvc.exe | 99 |
| PID 2748 wrote to memory of 2148 | 2748 | DllCommonsvc.exe | 99 |
| PID 2748 wrote to memory of 2148 | 2748 | DllCommonsvc.exe | 99 |
| PID 2748 wrote to memory of 2516 | 2748 | DllCommonsvc.exe | 100 |
| PID 2748 wrote to memory of 2516 | 2748 | DllCommonsvc.exe | 100 |
| PID 2748 wrote to memory of 2516 | 2748 | DllCommonsvc.exe | 100 |
| PID 2748 wrote to memory of 2996 | 2748 | DllCommonsvc.exe | 113 |
| PID 2748 wrote to memory of 2996 | 2748 | DllCommonsvc.exe | 113 |
| PID 2748 wrote to memory of 2996 | 2748 | DllCommonsvc.exe | 113 |
| PID 2996 wrote to memory of 2156 | 2996 | cmd.exe | 115 |
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c2cfbe116e86d51d079cb57f3d43762688a2767c97c499132ffb3b2036e543c4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c2cfbe116e86d51d079cb57f3d43762688a2767c97c499132ffb3b2036e543c4.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132 -
Level 2: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376 -
Level 3: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696 -
Level 4: C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748 -
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2064
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:756
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\winlogon.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:980
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\WMIADAP.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2384
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\spoolsv.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2180
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2080
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2112
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1608
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\WMIADAP.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:540
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\WmiPrvSE.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2524
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\OSPPSVC.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\services.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2148
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2516
Level 5: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\frOpoUBOSx.bat"
- Suspicious use of WriteProcessMemory
PID:2996 -
Level 6: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2156
Level 6: C:\Program Files (x86)\Adobe\Reader 9.0\Esl\WmiPrvSE.exe
Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\WmiPrvSE.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1588 -
Level 7: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fELEOgu8eF.bat"
PID:2504
Level 8: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2668
Level 8: C:\Program Files (x86)\Adobe\Reader 9.0\Esl\WmiPrvSE.exe
Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\WmiPrvSE.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2292 -
Level 9: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat"
PID:1944
Level 10: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1180
Level 10: C:\Program Files (x86)\Adobe\Reader 9.0\Esl\WmiPrvSE.exe
Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\WmiPrvSE.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2044 -
Level 11: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j8BV8simza.bat"
PID:2008
Level 12: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1948
Level 12: C:\Program Files (x86)\Adobe\Reader 9.0\Esl\WmiPrvSE.exe
Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\WmiPrvSE.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2816 -
Level 13: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat"
PID:748
Level 14: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2852
Level 14: C:\Program Files (x86)\Adobe\Reader 9.0\Esl\WmiPrvSE.exe
Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\WmiPrvSE.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:892 -
Level 15: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ap6i2Y3psm.bat"
PID:1172
Level 16: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1648
Level 16: C:\Program Files (x86)\Adobe\Reader 9.0\Esl\WmiPrvSE.exe
Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\WmiPrvSE.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1180 -
Level 17: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pksuDlslcW.bat"
PID:2328
Level 18: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2044
Level 18: C:\Program Files (x86)\Adobe\Reader 9.0\Esl\WmiPrvSE.exe
Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\WmiPrvSE.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948 -
Level 19: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat"
PID:1672
Level 20: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2436
Level 20: C:\Program Files (x86)\Adobe\Reader 9.0\Esl\WmiPrvSE.exe
Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\WmiPrvSE.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808 -
Level 21: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fq9TqI16of.bat"
PID:380
Level 22: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1120
Level 22: C:\Program Files (x86)\Adobe\Reader 9.0\Esl\WmiPrvSE.exe
Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\WmiPrvSE.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3004 -
Level 23: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U04fYIssV3.bat"
PID:980
Level 24: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:3000
Level 24: C:\Program Files (x86)\Adobe\Reader 9.0\Esl\WmiPrvSE.exe
Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\WmiPrvSE.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1664
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Desktop\DllCommonsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Desktop\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Downloads\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:476
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Downloads\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Downloads\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\WMIADAP.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\WMIADAP.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\WMIADAP.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592
-
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\providercommon\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\providercommon\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\WMIADAP.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\WMIADAP.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\WMIADAP.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\OSPPSVC.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Local Settings\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:356
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Local Settings\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Cookies\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Cookies\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256
Network
MITRE ATT&CK Enterprise v15
Downloads