Analysis

max time kernel: 145s
max time network: 141s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 20:14
Behavioral task behavioral1
Sample: JaffaCakes118_9c589596888515924b85bd2510f7faab0a1cd8a992b6363ace3c9f6852b10c51.exe
Resource: win7-20240708-en

Behavioral task behavioral2
Sample: JaffaCakes118_9c589596888515924b85bd2510f7faab0a1cd8a992b6363ace3c9f6852b10c51.exe
Resource: win10v2004-20241007-en
General

Target: JaffaCakes118_9c589596888515924b85bd2510f7faab0a1cd8a992b6363ace3c9f6852b10c51.exe
Size: 1.3MB
MD5: 77a3ee4f03b385ed4de69f367c07c3b6
SHA1: a6bd818f8a68d6ea0acf6d270a3366fc85f925e1
SHA256: 9c589596888515924b85bd2510f7faab0a1cd8a992b6363ace3c9f6852b10c51
SHA512: d9fdb616926305cc510ab54e4ee4b6de0cae87b2e1610e59b5546c891f25fd151299da26d7ee75f937e0f4d8ad20148d7f3b85caca8d1940ed625a9ad44a627d
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures

DcRat
DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

Dcrat family
Process spawned unexpected child process (51 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
All 51 rows share the same description, target and process: "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", pid_target 2564, Process schtasks.exe, procid_target 34. Only the pid column differs; the 51 schtasks.exe PIDs are:
780, 3052, 2188, 2200, 2528, 2996, 2112, 2356, 2372, 1936, 684, 2384, 2464, 1068, 1624, 2300, 272, 1020, 1968, 1780, 1804, 2008, 1952, 1548, 2472, 784, 3012, 3016, 1652, 992, 3004, 1496, 1056, 2976, 1608, 2656, 2380, 2852, 2680, 2840, 3040, 1760, 976, 2524, 2160, 2816, 2588, 1784, 2060, 1320, 1692
YARA matches (resource | yara_rule):
- behavioral1/files/0x0008000000016c7c-12.dat | dcrat
- behavioral1/memory/2580-13-0x0000000000030000-0x0000000000140000-memory.dmp | dcrat
- behavioral1/memory/596-44-0x0000000000D60000-0x0000000000E70000-memory.dmp | dcrat
- behavioral1/memory/2720-165-0x0000000000AB0000-0x0000000000BC0000-memory.dmp | dcrat
- behavioral1/memory/2356-224-0x0000000001250000-0x0000000001360000-memory.dmp | dcrat
- behavioral1/memory/2312-462-0x0000000000180000-0x0000000000290000-memory.dmp | dcrat
- behavioral1/memory/1796-522-0x0000000000980000-0x0000000000A90000-memory.dmp | dcrat
- behavioral1/memory/2856-552-0x0000000000A80000-0x0000000000B90000-memory.dmp | dcrat
- behavioral1/memory/1268-611-0x0000000000C50000-0x0000000000D60000-memory.dmp | dcrat
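The parent/child check behind the "unexpected child process" signature, as an added example (it is not part of the Triage report and not a vendor rule): it walks Sysmon-style process-creation events and flags a sensitive system process, here wmiprvse.exe, spawning a shell-like child such as schtasks.exe. The field names, the two name sets and the sample events are constructed for this example; the sample mirrors the table above, reading pid_target 2564 as the wmiprvse.exe parent.

```python
"""Parent/child anomaly check over process-creation events.

Added example, not part of the sandbox report. It reproduces the logic
behind the report's "Process spawned unexpected child process" signature:
the WMI provider host (wmiprvse.exe) has no business launching schtasks.exe.
The event layout (Sysmon-style field names) and the two name sets below are
assumptions made for this example, not a vendor rule.
"""
import ntpath

# Parents that should never launch a shell, script host or scheduler client.
# Hypothetical policy; tune to your environment.
SENSITIVE_PARENTS = {"wmiprvse.exe", "lsass.exe", "services.exe", "winlogon.exe"}
SHELL_LIKE_CHILDREN = {"schtasks.exe", "cmd.exe", "powershell.exe",
                       "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}


def image_name(path):
    """File name of an image path, lower-cased for comparison."""
    return ntpath.basename(path).lower()


def is_unexpected_child(event):
    """True when a sensitive system process spawns a shell-like child."""
    parent = image_name(event["ParentImage"])
    child = image_name(event["Image"])
    return parent in SENSITIVE_PARENTS and child in SHELL_LIKE_CHILDREN


def scan(events):
    """Return (parent_pid, child_pid, parent_name, child_name) for each hit."""
    return [
        (ev["ParentProcessId"], ev["ProcessId"],
         image_name(ev["ParentImage"]), image_name(ev["Image"]))
        for ev in events if is_unexpected_child(ev)
    ]


# Constructed events modelled on the report's table: PID 2564 is read as the
# wmiprvse.exe parent, 780 and 3052 are two of the 51 schtasks.exe children.
SAMPLE_EVENTS = [
    {"ParentProcessId": 2564, "ProcessId": 780,
     "ParentImage": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "Image": r"C:\Windows\system32\schtasks.exe"},
    {"ParentProcessId": 2564, "ProcessId": 3052,
     "ParentImage": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "Image": r"C:\Windows\system32\schtasks.exe"},
    # Dropped RAT launching PowerShell: real, but not what this rule targets.
    {"ParentProcessId": 2580, "ProcessId": 2376,
     "ParentImage": r"C:\providercommon\DllCommonsvc.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Benign: a user opening a command prompt from Explorer.
    {"ParentProcessId": 1000, "ProcessId": 1001,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\system32\cmd.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("unexpected child: parent %d (%s) -> child %d (%s)" % hit)
```

A process created through WMI (Win32_Process.Create) gets WmiPrvSE.exe as its parent, which is why 51 schtasks.exe launches surface under it here. Management agents that also create processes via WMI will trip the same rule, so the parent and child sets need tuning per environment rather than a bare alert on every wmiprvse.exe child.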
Command and Scripting Interpreter: PowerShell (1 TTPs, 19 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.
pid | Process (all powershell.exe): 2328, 2776, 2964, 2984, 2724, 1576, 2200, 2916, 2192, 2820, 916, 1148, 2196, 2376, 2980, 584, 2768, 2760, 2192
Executes dropped EXE (11 IoCs)
pid | Process
- DllCommonsvc.exe: 2580, 596
- lsass.exe: 2720, 2356, 2752, 2168, 2872, 2312, 1796, 2856, 1268

Loads dropped DLL (2 IoCs)
pid | Process
- cmd.exe: 2964 (listed twice)
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 9 IoCs)
flow | ioc: flows 9, 12, 16, 19, 27, 30, 4, 5 and 23 all contact raw.githubusercontent.com
Drops file in Program Files directory (14 IoCs)
description | ioc | Process (all entries are "File created" by DllCommonsvc.exe):
- C:\Program Files\Common Files\Services\WmiPrvSE.exe
- C:\Program Files\Common Files\Services\24dbde2999530e
- C:\Program Files\Common Files\SpeechEngines\a76d7bf15d8370
- C:\Program Files\Windows Journal\fr-FR\smss.exe
- C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe
- C:\Program Files\Windows Journal\en-US\27d1bcfc3c54e0
- C:\Program Files (x86)\Windows Photo Viewer\es-ES\27d1bcfc3c54e0
- C:\Program Files\Windows Journal\en-US\System.exe
- C:\Program Files\Common Files\SpeechEngines\DllCommonsvc.exe
- C:\Program Files (x86)\Mozilla Maintenance Service\logs\6203df4a6bafc7
- C:\Program Files\Windows Journal\fr-FR\69ddcba757bf72
- C:\Program Files (x86)\Windows Photo Viewer\es-ES\System.exe
- C:\Program Files\Microsoft Office\Office14\1033\b75386f1303e64
- C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe
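Two checks over the dropped-file list above, as an added example (not from the report): a core Windows binary name written outside System32/SysWOW64, and a directory that receives both a dropped .exe and a bare 14-hex-character companion file, which is the pairing visible in every directory of the list. The file list is copied from the report; the name set, the path prefixes and the marker pattern are this example's own assumptions.

```python
"""Masquerading check for dropped files.

Added example, not from the report. It applies two checks to the report's
"Drops file in Program Files directory" list: (1) a file named like a core
Windows binary but written outside System32/SysWOW64, and (2) a directory
that receives both a dropped .exe and a companion file with a bare 14-hex-
character name, the pairing visible in the report's own drop list. The
name set, path prefixes and marker pattern are assumptions for this example.
"""
import ntpath
import re
from collections import defaultdict

# Names of core Windows binaries that never legitimately live outside the
# system directories. "system.exe" has no legitimate on-disk counterpart at all.
SYSTEM_BINARY_NAMES = {
    "lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsm.exe", "taskhost.exe", "audiodg.exe", "sppsvc.exe", "wmiprvse.exe",
    "system.exe",
}
LEGIT_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
HEX_MARKER = re.compile(r"^[0-9a-f]{14}$")


def norm(path):
    """Normalise a Windows path for comparison (works on any host OS)."""
    return ntpath.normpath(path).lower()


def is_masquerade(path):
    """A system-binary file name written outside the system directories."""
    p = norm(path)
    return ntpath.basename(p) in SYSTEM_BINARY_NAMES and not p.startswith(LEGIT_PREFIXES)


def masquerades(paths):
    return [p for p in paths if is_masquerade(p)]


def companion_dirs(paths):
    """Directories that received both a dropped .exe and a 14-hex-char marker file."""
    by_dir = defaultdict(list)
    for p in paths:
        d, name = ntpath.split(norm(p))
        by_dir[d].append(name)
    return sorted(
        d for d, names in by_dir.items()
        if any(n.endswith(".exe") for n in names)
        and any(HEX_MARKER.match(n) for n in names)
    )


# The 14 "File created" entries from the report, all written by DllCommonsvc.exe.
DROPPED = [
    r"C:\Program Files\Common Files\Services\WmiPrvSE.exe",
    r"C:\Program Files\Common Files\Services\24dbde2999530e",
    r"C:\Program Files\Common Files\SpeechEngines\a76d7bf15d8370",
    r"C:\Program Files\Windows Journal\fr-FR\smss.exe",
    r"C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe",
    r"C:\Program Files\Windows Journal\en-US\27d1bcfc3c54e0",
    r"C:\Program Files (x86)\Windows Photo Viewer\es-ES\27d1bcfc3c54e0",
    r"C:\Program Files\Windows Journal\en-US\System.exe",
    r"C:\Program Files\Common Files\SpeechEngines\DllCommonsvc.exe",
    r"C:\Program Files (x86)\Mozilla Maintenance Service\logs\6203df4a6bafc7",
    r"C:\Program Files\Windows Journal\fr-FR\69ddcba757bf72",
    r"C:\Program Files (x86)\Windows Photo Viewer\es-ES\System.exe",
    r"C:\Program Files\Microsoft Office\Office14\1033\b75386f1303e64",
    r"C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe",
]

if __name__ == "__main__":
    for p in masquerades(DROPPED):
        print("masquerade:", p)
    for d in companion_dirs(DROPPED):
        print("exe + hex marker in:", d)
```

Of the 14 drops, six carry a system-binary name (WmiPrvSE.exe, smss.exe, taskhost.exe, two copies of System.exe, lsass.exe) and all seven directories pair an executable with a hex marker. The marker alone is a weak signal; a masquerading name under Program Files or a user-writable path, with a marker beside it, is what to alert on.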
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_9c589596888515924b85bd2510f7faab0a1cd8a992b6363ace3c9f6852b10c51.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 51 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process (all schtasks.exe): 2528, 2356, 2852, 2588, 2060, 2112, 1548, 3012, 992, 1020, 2976, 2680, 2840, 2372, 1936, 1068, 272, 2380, 1760, 2200, 2300, 784, 3004, 780, 1780, 2472, 3016, 1496, 1056, 2188, 684, 1968, 1952, 2160, 1692, 2816, 2996, 1608, 976, 2524, 1804, 2008, 1652, 2656, 3052, 2384, 2464, 1624, 3040, 1784, 1320
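A correlation of the PowerShell signature with the scheduled-task signature, as an added example (not from the report): it parses the schtasks.exe /create and Add-MpPreference -ExclusionPath command lines that appear in the process tree and reports, per target executable, whether it is started both at logon and on a minute interval, whether any task runs at the HIGHEST level, and whether the same path was also excluded from Defender. The sample command lines are copied from the tree; the regexes assume the quoting the report shows ("'path'" for /tr, 'path' for the exclusion), and LIMITED is the documented default when /rl is absent.

```python
"""Correlate scheduled-task persistence with Defender exclusions.

Added example, not part of the report. It parses the schtasks.exe /create
and "Add-MpPreference -ExclusionPath" command lines seen in the process
tree and, per target executable, answers: is it re-launched both at logon
and on a minute interval, does any task run at the HIGHEST level, and was
the same path also excluded from Defender scanning? The sample command
lines are copied from the report; the parsing is regex-based and assumes
the exact quoting the report shows ("'path'" for /tr, 'path' for the
exclusion).
"""
import re
from collections import defaultdict

TN = re.compile(r'/tn\s+"([^"]+)"', re.I)
SC = re.compile(r"/sc\s+(\w+)", re.I)
MO = re.compile(r"/mo\s+(\d+)", re.I)
TR = re.compile(r'''/tr\s+"'?([^"']+)'?"''', re.I)
RL = re.compile(r"/rl\s+(\w+)", re.I)
EXCL = re.compile(r"-ExclusionPath\s+'([^']+)'", re.I)


def parse_schtasks(cmd):
    """Return the fields of a schtasks /create command line, or None."""
    low = cmd.lower()
    if "schtasks" not in low or "/create" not in low:
        return None
    tn, tr = TN.search(cmd), TR.search(cmd)
    if not (tn and tr):
        return None
    sc, mo, rl = SC.search(cmd), MO.search(cmd), RL.search(cmd)
    return {
        "name": tn.group(1),
        "target": tr.group(1),
        "schedule": sc.group(1).upper() if sc else None,
        "every": int(mo.group(1)) if mo else None,
        # schtasks defaults /rl to LIMITED when the switch is absent.
        "runlevel": rl.group(1).upper() if rl else "LIMITED",
    }


def correlate(cmds):
    """Group tasks by target path and join them with Defender exclusions."""
    tasks = defaultdict(list)
    excluded = set()
    for c in cmds:
        t = parse_schtasks(c)
        if t:
            tasks[t["target"].lower()].append(t)
            continue
        m = EXCL.search(c)
        if m:
            excluded.add(m.group(1).lower())
    findings = {}
    for target, ts in tasks.items():
        schedules = {t["schedule"] for t in ts}
        intervals = [t["every"] for t in ts if t["every"] is not None]
        findings[target] = {
            "tasks": sorted({t["name"] for t in ts}),
            "logon_and_interval": {"ONLOGON", "MINUTE"} <= schedules,
            "min_interval_minutes": min(intervals) if intervals else None,
            "highest": any(t["runlevel"] == "HIGHEST" for t in ts),
            "defender_excluded": target in excluded,
        }
    return findings


# Command lines copied from the report's process tree (a subset).
SAMPLE_CMDS = r'''
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Music\services.exe'" /f
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Music\services.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Music\services.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /f
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\services.exe'
'''.strip().splitlines()

FINDINGS = correlate(SAMPLE_CMDS)

if __name__ == "__main__":
    for target, f in FINDINGS.items():
        print(target, f)
```

Every target in this report receives the same triple (a MINUTE task with a small /mo, an ONLOGON task, and a HIGHEST-run-level duplicate) plus a matching Defender exclusion, which is a far stronger signal than any single schtasks call. On a live host the exclusion half can be confirmed with Get-MpPreference | Select-Object -ExpandProperty ExclusionPath and the task half with schtasks /Query /V /FO LIST.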
Suspicious behavior: EnumeratesProcesses (38 IoCs)
pid | Process
- DllCommonsvc.exe: 2580, 596 (596 listed nine times)
- powershell.exe: 2376, 2192, 916, 2200, 2760, 1576, 2724, 2916, 1148, 2980, 2984, 2768, 2776, 2964, 584, 2192, 2196, 2820, 2328
- lsass.exe: 2720, 2356, 2752, 2168, 2872, 2312, 1796, 2856, 1268
Suspicious use of AdjustPrivilegeToken (30 IoCs)
description | pid | Process (every entry is Token: SeDebugPrivilege)
- DllCommonsvc.exe: 2580, 596
- powershell.exe: 2376, 2192, 916, 2200, 2760, 1576, 2724, 2916, 1148, 2980, 2984, 2768, 2776, 2964, 584, 2192, 2196, 2820, 2328
- lsass.exe: 2720, 2356, 2752, 2168, 2872, 2312, 1796, 2856, 1268
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target (identical consecutive rows collapsed; count in parentheses)
- PID 2212 wrote to memory of 2840 | 2212 | JaffaCakes118_9c589596888515924b85bd2510f7faab0a1cd8a992b6363ace3c9f6852b10c51.exe | 30 (x4)
- PID 2840 wrote to memory of 2964 | 2840 | WScript.exe | 31 (x4)
- PID 2964 wrote to memory of 2580 | 2964 | cmd.exe | 33 (x4)
- PID 2580 wrote to memory of 2376 | 2580 | DllCommonsvc.exe | 41 (x3)
- PID 2580 wrote to memory of 916 | 2580 | DllCommonsvc.exe | 42 (x3)
- PID 2580 wrote to memory of 2192 | 2580 | DllCommonsvc.exe | 43 (x3)
- PID 2580 wrote to memory of 2784 | 2580 | DllCommonsvc.exe | 47 (x3)
- PID 2784 wrote to memory of 1244 | 2784 | cmd.exe | 49 (x3)
- PID 2784 wrote to memory of 596 | 2784 | cmd.exe | 50 (x3)
- PID 596 wrote to memory of 2724 | 596 | DllCommonsvc.exe | 96 (x3)
- PID 596 wrote to memory of 2760 | 596 | DllCommonsvc.exe | 97 (x3)
- PID 596 wrote to memory of 2820 | 596 | DllCommonsvc.exe | 99 (x3)
- PID 596 wrote to memory of 2964 | 596 | DllCommonsvc.exe | 100 (x3)
- PID 596 wrote to memory of 2984 | 596 | DllCommonsvc.exe | 102 (x3)
- PID 596 wrote to memory of 1576 | 596 | DllCommonsvc.exe | 103 (x3)
- PID 596 wrote to memory of 2200 | 596 | DllCommonsvc.exe | 104 (x3)
- PID 596 wrote to memory of 2980 | 596 | DllCommonsvc.exe | 105 (x3)
- PID 596 wrote to memory of 2328 | 596 | DllCommonsvc.exe | 106 (x3)
- PID 596 wrote to memory of 584 | 596 | DllCommonsvc.exe | 107 (x3)
- PID 596 wrote to memory of 2768 | 596 | DllCommonsvc.exe | 108 (x3)
- PID 596 wrote to memory of 2196 | 596 | DllCommonsvc.exe | 109 (x1)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(The number in brackets is the depth in the process tree; each entry is a child of the nearest preceding entry one level shallower.)

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9c589596888515924b85bd2510f7faab0a1cd8a992b6363ace3c9f6852b10c51.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9c589596888515924b85bd2510f7faab0a1cd8a992b6363ace3c9f6852b10c51.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2212

[2] C:\Windows\SysWOW64\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2840

[3] C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2964

[4] C:\providercommon\DllCommonsvc.exe
    command line: "C:\providercommon\DllCommonsvc.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2580

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 instances; each is flagged Command and Scripting Interpreter: PowerShell, Suspicious behavior: EnumeratesProcesses, Suspicious use of AdjustPrivilegeToken)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath '<path>', with the following path and PID per instance:
    - 'C:\providercommon\DllCommonsvc.exe' (PID 2376)
    - 'C:\Users\Admin\Music\services.exe' (PID 916)
    - 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe' (PID 2192)

[5] C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1rrT6S9XIJ.bat"
    - Suspicious use of WriteProcessMemory
    PID: 2784

[6] C:\Windows\system32\w32tm.exe
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1244

[6] C:\providercommon\DllCommonsvc.exe
    command line: "C:\providercommon\DllCommonsvc.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 596
[7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (16 instances, all children of DllCommonsvc.exe PID 596; each is flagged Command and Scripting Interpreter: PowerShell, Suspicious behavior: EnumeratesProcesses, Suspicious use of AdjustPrivilegeToken)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath '<path>', with the following path and PID per instance:
    - 'C:\providercommon\DllCommonsvc.exe' (PID 2724)
    - 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe' (PID 2760)
    - 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe' (PID 2820)
    - 'C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe' (PID 2964)
    - 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe' (PID 2984)
    - 'C:\providercommon\winlogon.exe' (PID 1576)
    - 'C:\Program Files\Common Files\SpeechEngines\DllCommonsvc.exe' (PID 2200)
    - 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe' (PID 2980)
    - 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe' (PID 2328)
    - 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsass.exe' (PID 584)
    - 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe' (PID 2768)
    - 'C:\Users\Admin\Music\sppsvc.exe' (PID 2196)
    - 'C:\Program Files\Windows Journal\fr-FR\smss.exe' (PID 2916)
    - 'C:\Program Files (x86)\Windows Photo Viewer\es-ES\System.exe' (PID 2192)
    - 'C:\Program Files\Windows Journal\en-US\System.exe' (PID 2776)
    - 'C:\Program Files\Common Files\Services\WmiPrvSE.exe' (PID 1148)
[7] C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RF07RVHSBH.bat"
    PID: 2416

[8] C:\Windows\system32\w32tm.exe
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2440

[8] C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe
    command line: "C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2720

The same three-step pattern repeats eight more times, each round nested one level deeper under the previous lsass.exe: cmd.exe /C runs a random-named batch file from C:\Users\Admin\AppData\Local\Temp\, that batch runs the identical w32tm /stripchart command (a call that takes several seconds, used here as a delay), and then relaunches C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe. Every lsass.exe instance carries the same three flags as PID 2720 (Executes dropped EXE, Suspicious behavior: EnumeratesProcesses, Suspicious use of AdjustPrivilegeToken); the cmd.exe and w32tm.exe instances carry none.

depth (cmd / children) | cmd.exe PID | batch file | w32tm.exe PID | lsass.exe PID
- 9 / 10 | 1720 | JCnMdX7E06.bat | 1352 | 2356
- 11 / 12 | 2468 | GRgsn2v6O3.bat | 2220 | 2752
- 13 / 14 | 624 | iS8tBRk2Vg.bat | 1560 | 2168
- 15 / 16 | 1932 | paq62miIo8.bat | 2852 | 2872
- 17 / 18 | 1256 | yyRUJOSyqo.bat | 2348 | 2312
- 19 / 20 | 1488 | 9Z120WfzwF.bat | 2592 | 1796
- 21 / 22 | 2780 | b7oBPqXqtO.bat | 2472 | 2856
- 23 / 24 | 1784 | uuaNNDTqg5.bat | 2288 | 1268
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Music\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Music\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Music\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:272
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\providercommon\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\SpeechEngines\DllCommonsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Common Files\SpeechEngines\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\SpeechEngines\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Music\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Music\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Music\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\fr-FR\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\fr-FR\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Journal\fr-FR\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\en-US\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\en-US\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Journal\en-US\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\Services\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Services\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692
Network
MITRE ATT&CK Enterprise v15
Downloads