Analysis

max time kernel: 147s
max time network: 155s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 21:12

Behavioral task: behavioral1
Sample: JaffaCakes118_049e30ee53d3c7805dec407f0a2a6c1209c1d93fbf8d5bbfad66677aa4194389.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_049e30ee53d3c7805dec407f0a2a6c1209c1d93fbf8d5bbfad66677aa4194389.exe
Resource: win10v2004-20241007-en
General

Target: JaffaCakes118_049e30ee53d3c7805dec407f0a2a6c1209c1d93fbf8d5bbfad66677aa4194389.exe
Size: 1.3MB
MD5: ea810a3185582eb2ecc3fb665b1ec6f7
SHA1: 6aa04bba789cd526cd08d2598e4083149dff0830
SHA256: 049e30ee53d3c7805dec407f0a2a6c1209c1d93fbf8d5bbfad66677aa4194389
SHA512: 9e3babf4345d4c46675927d128126c51f4d90e8431128a2391c5fe377560618add6c3972c49d2c9bb05202e1679165dfc4f3111ed290ab3911d9b4a117bf084f
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Executes dropped EXE 12 IoCs
Loads dropped DLL 2 IoCs
pid   Process
2580  cmd.exe
2580  cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow  ioc
5     raw.githubusercontent.com
19    raw.githubusercontent.com
27    raw.githubusercontent.com
37    raw.githubusercontent.com
33    raw.githubusercontent.com
40    raw.githubusercontent.com
4     raw.githubusercontent.com
9     raw.githubusercontent.com
12    raw.githubusercontent.com
16    raw.githubusercontent.com
23    raw.githubusercontent.com
30    raw.githubusercontent.com

Drops file in Program Files directory 16 IoCs
description                   ioc                                                                                   Process
File created                  C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe                  DllCommonsvc.exe
File created                  C:\Program Files (x86)\Mozilla Maintenance Service\logs\c5b4cb5e9653cc                DllCommonsvc.exe
File created                  C:\Program Files\Windows Portable Devices\6ccacd8608530f                              DllCommonsvc.exe
File created                  C:\Program Files\Reference Assemblies\Microsoft\Framework\services.exe                DllCommonsvc.exe
File created                  C:\Program Files\Reference Assemblies\Microsoft\Framework\c5b4cb5e9653cc              DllCommonsvc.exe
File created                  C:\Program Files\Windows Media Player\Icons\conhost.exe                               DllCommonsvc.exe
File created                  C:\Program Files (x86)\Microsoft Sync Framework\v1.0\WmiPrvSE.exe                     DllCommonsvc.exe
File opened for modification  C:\Program Files\Windows Portable Devices\Idle.exe                                    DllCommonsvc.exe
File created                  C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe                         DllCommonsvc.exe
File created                  C:\Program Files (x86)\Microsoft Sync Framework\v1.0\24dbde2999530e                   DllCommonsvc.exe
File created                  C:\Program Files\Internet Explorer\6ccacd8608530f                                     DllCommonsvc.exe
File created                  C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe   DllCommonsvc.exe
File created                  C:\Program Files\Windows Portable Devices\Idle.exe                                    DllCommonsvc.exe
File created                  C:\Program Files (x86)\Mozilla Maintenance Service\0a1fd5f707cd16                     DllCommonsvc.exe
File created                  C:\Program Files\Internet Explorer\Idle.exe                                           DllCommonsvc.exe
File created                  C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\cc11b995f2a76d DllCommonsvc.exe

Drops file in Windows directory 2 IoCs
description   ioc                              Process
File created  C:\Windows\ja-JP\wininit.exe     DllCommonsvc.exe
File created  C:\Windows\ja-JP\56085415360792  DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_049e30ee53d3c7805dec407f0a2a6c1209c1d93fbf8d5bbfad66677aa4194389.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 28 IoCs
Suspicious use of AdjustPrivilegeToken 28 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_049e30ee53d3c7805dec407f0a2a6c1209c1d93fbf8d5bbfad66677aa4194389.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_049e30ee53d3c7805dec407f0a2a6c1209c1d93fbf8d5bbfad66677aa4194389.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2748

C:\Windows\SysWOW64\WScript.exe (depth 2)
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2960

C:\Windows\SysWOW64\cmd.exe (depth 3)
Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2580

C:\providercommon\DllCommonsvc.exe (depth 4)
Command line: "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1708
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\Idle.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\services.exe'
- Command and Scripting Interpreter: PowerShell
PID: 2092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\wininit.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\WmiPrvSE.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\Idle.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\smss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2940

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe (depth 5)
Command line: "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 792

C:\Windows\System32\cmd.exe (depth 6)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat"
PID: 2140

C:\Windows\system32\w32tm.exe (depth 7)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1664

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe (depth 7)
Command line: "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1300

C:\Windows\System32\cmd.exe (depth 8)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UWW2tbEWSD.bat"
PID: 2240

C:\Windows\system32\w32tm.exe (depth 9)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2764

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe (depth 9)
Command line: "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2256

C:\Windows\System32\cmd.exe (depth 10)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BAWHCtE00Z.bat"
PID: 2768

C:\Windows\system32\w32tm.exe (depth 11)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1708

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe (depth 11)
Command line: "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2680

C:\Windows\System32\cmd.exe (depth 12)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qRj2XQE6t6.bat"
PID: 1736

C:\Windows\system32\w32tm.exe (depth 13)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1664

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe (depth 13)
Command line: "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3064

C:\Windows\System32\cmd.exe (depth 14)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TfYr4aOzGb.bat"
PID: 2044

C:\Windows\system32\w32tm.exe (depth 15)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 596

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe (depth 15)
Command line: "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3060

C:\Windows\System32\cmd.exe (depth 16)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat"
PID: 2488

C:\Windows\system32\w32tm.exe (depth 17)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2748

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe (depth 17)
Command line: "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 800

C:\Windows\System32\cmd.exe (depth 18)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IPU7rAfrPc.bat"
PID: 2912

C:\Windows\system32\w32tm.exe (depth 19)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 576

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe (depth 19)
Command line: "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 944

C:\Windows\System32\cmd.exe (depth 20)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IJ9EkrtYDM.bat"
PID: 1744

C:\Windows\system32\w32tm.exe (depth 21)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1908

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe (depth 21)
Command line: "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1720

C:\Windows\System32\cmd.exe (depth 22)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rgoiaSdxpd.bat"
PID: 1004

C:\Windows\system32\w32tm.exe (depth 23)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2544

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe (depth 23)
Command line: "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1432

C:\Windows\System32\cmd.exe (depth 24)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PliZKNaLvF.bat"
PID: 352

C:\Windows\system32\w32tm.exe (depth 25)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2364

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe (depth 25)
Command line: "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1192

C:\Windows\System32\cmd.exe (depth 26)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f4KPDhjeqr.bat"
PID: 2084

C:\Windows\system32\w32tm.exe (depth 27)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2012
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:280
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\ja-JP\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\ja-JP\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\ja-JP\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:648
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\providercommon\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272
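The 48 schtasks.exe entries above follow one pattern. For each dropped binary, a task named after a Windows process (Idle, services, lsm, csrss, dllhost, wininit, sppsvc, WmiPrvSE, audiodg, smss, conhost, winlogon, spoolsv) is registered with /sc ONLOGON /rl HIGHEST, and a companion task whose name carries one extra trailing letter (IdleI, servicess, csrssc, wininitw) re-launches the same binary every 5 to 14 minutes. The binaries themselves live outside System32, under Program Files, MSOCache, Recovery, C:\providercommon or user-profile directories, which is what the masquerading amounts to. The tasks are created with WmiPrvSE.exe as parent, the parent/child shape that process creation through WMI's Win32_Process.Create produces, so the relationship itself is a signal. The w32tm /stripchart /computer:localhost /period:5 /samples:2 call from the dropped .bat is a roughly five-second delay, not time synchronisation. The Python below is an added example, not code from the sandbox or from the sample, that turns these observations into detection logic run over process-creation records. The record field names (ParentImage, Image, CommandLine) are assumed to follow Sysmon Event ID 1; the SAMPLE records are constructed from the entries above plus one constructed benign control; SYSTEM_BINARIES is drawn from this report and extended with lsass.exe and svchost.exe as an assumption.

```python
"""Added example: detection logic for the schtasks persistence pattern in this
report.  Not the sandbox's or the sample's code.  Record field names follow
Sysmon Event ID 1 (assumption); SAMPLE is constructed from the report."""
import ntpath
import re
from collections import defaultdict

# Process names this sample reuses for its dropped binaries.  On a clean host
# these run only from the Windows system directories (Idle.exe does not exist
# as a file at all).  Taken from this report, extended as an assumption.
SYSTEM_BINARIES = {
    "idle.exe", "services.exe", "lsm.exe", "csrss.exe", "dllhost.exe",
    "wininit.exe", "sppsvc.exe", "wmiprvse.exe", "audiodg.exe", "smss.exe",
    "conhost.exe", "winlogon.exe", "spoolsv.exe", "lsass.exe", "svchost.exe",
}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

_TN = re.compile(r'/tn\s+"([^"]+)"', re.I)
_TR = re.compile(r'/tr\s+"([^"]+)"', re.I)
_SC = re.compile(r"/sc\s+(\S+)", re.I)
_MO = re.compile(r"/mo\s+(\d+)", re.I)


def parse_schtasks(cmdline):
    """Pull task name, action path, schedule, modifier and run level out of a
    'schtasks /create' command line; None for anything else."""
    if "/create" not in cmdline.lower():
        return None
    tn, tr, sc, mo = (p.search(cmdline) for p in (_TN, _TR, _SC, _MO))
    if not (tn and tr):
        return None
    return {
        "task": tn.group(1),
        "target": tr.group(1).strip("'"),  # the sample wraps the path in '...'
        "schedule": sc.group(1).upper() if sc else "",
        "modifier": int(mo.group(1)) if mo else None,
        "highest": re.search(r"/rl\s+HIGHEST", cmdline, re.I) is not None,
    }


def is_masquerade(path):
    """A system process name launched from outside System32/SysWOW64."""
    name = ntpath.basename(path).lower()
    return name in SYSTEM_BINARIES and not path.lower().startswith(TRUSTED_DIRS)


def analyze(records):
    """Return (rule, evidence) findings for a list of process-creation records."""
    findings = []
    names_by_target = defaultdict(set)
    for r in records:
        image = ntpath.basename(r["Image"]).lower()
        parent = ntpath.basename(r["ParentImage"]).lower()
        cmd = r["CommandLine"]
        if image == "schtasks.exe":
            if parent == "wmiprvse.exe":  # created through Win32_Process.Create
                findings.append(("wmi_spawned_schtasks", cmd))
            task = parse_schtasks(cmd)
            if task is None:
                continue
            names_by_target[task["target"].lower()].add(task["task"])
            if is_masquerade(task["target"]):
                findings.append(("system_name_outside_system32", task["target"]))
            if task["highest"] and task["schedule"] == "ONLOGON":
                findings.append(("onlogon_highest", task["task"]))
            if task["schedule"] == "MINUTE" and task["modifier"] and task["modifier"] <= 15:
                findings.append(("short_minute_trigger", task["task"]))
        elif image == "w32tm.exe" and "/stripchart" in cmd.lower() and "localhost" in cmd.lower():
            findings.append(("w32tm_sleep", cmd))
    # Several task names pointing at one action path is the name/name+letter pairing.
    for target, names in names_by_target.items():
        if len(names) > 1:
            findings.append(("paired_tasks_same_target", target))
    return findings


def summarize(findings):
    """Count findings per rule."""
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


WMI = r"C:\Windows\system32\wbem\wmiprvse.exe"
SCHTASKS = r"C:\Windows\system32\schtasks.exe"
IDLE = r"C:\Program Files\Windows Portable Devices\Idle.exe"
CSRSS = r"C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe"


def rec(parent, image, cmd):
    return {"ParentImage": parent, "Image": image, "CommandLine": cmd}


# Constructed from the report's entries; the last record is a constructed benign control.
SAMPLE = [
    rec(WMI, SCHTASKS, f"""schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'{IDLE}'" /f"""),
    rec(WMI, SCHTASKS, f"""schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'{IDLE}'" /rl HIGHEST /f"""),
    rec(WMI, SCHTASKS, f"""schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'{IDLE}'" /rl HIGHEST /f"""),
    rec(WMI, SCHTASKS, f"""schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'{CSRSS}'" /rl HIGHEST /f"""),
    rec(r"C:\Windows\System32\cmd.exe", r"C:\Windows\system32\w32tm.exe",
        "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    rec(r"C:\Windows\explorer.exe", SCHTASKS,
        r'schtasks.exe /create /tn "Backup" /sc DAILY /tr "C:\Windows\System32\wbadmin.exe" /f'),
]

if __name__ == "__main__":
    for rule, evidence in analyze(SAMPLE):
        print(f"{rule:32} {evidence}")
    print(summarize(analyze(SAMPLE)))
```

Run against the constructed records, the four DcRat task creations each trip the WMI-parent and masquerade rules, the two ONLOGON tasks trip the run-level rule, the two MINUTE tasks trip the short-trigger rule, the w32tm call is flagged as a sleep, and the Idle.exe target is reported once for its name/name+letter pairing; the benign wbadmin task yields nothing. The same rules apply unchanged to real Security 4688 or Sysmon 1 exports once the field names are mapped.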
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
ba11f549b5fffdd949124970dd3860fb
SHA1
f9f99bb6e310a139377b588eed7db6ca5c10ad45
SHA256
7e96131eca7acd1e1de91b8a57b88d8865dfc904262358ff6408bfd9f81ec459
SHA512
e751c063e39e117690002f1fdf3f0d185dcc81281e62b84ce8b1deccfceb2fc4ae9a4e8fa43625436d3cc84dd19d054bd95a2e24c0e8159dc886c3c4b1b4def6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
208b68ccce3782703f7b6acf1e80a916
SHA1
4dd853b17818ffe28e567b0a9e8bf4c1e42782c5
SHA256
1408346386c369f07663a47014c619b39f26735cee0187547d7e3ce0054de099
SHA512
d008b41cf03e6ba304a0c09ce46592c547cae92824a3d4b081c4db23624fc295fe3843855cde6432b4e118b4ec93dae9f6db2a74b34a9f5b4cf1313e03331478
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
7915dc9992b367a2455615789fbf5b8f
SHA1
e41aedfd5900e9cddd8a5f33122664ca86af3123
SHA256
4010964460e6eba93235bb7dd69a318fc521067ae52b857a20e7bf28c8d8ca5e
SHA512
9d91a1c49c3e5afca4b112813b60e7c7e72cf31827294b51b43d7dc90cd0b6cbc88eadb306722e3b4a1d22bb34113dd4d76531bbc01af476e89173e3d331a50c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
22e3d78a7662fdc746df502458850f84
SHA1
1cdf74c31ff2826fad6c838c4be24ed76c2aa08f
SHA256
6955117b01d4bb2d35ec737e8da6666506122d4120c80788eda46966356ef29a
SHA512
ba19bfcc1989574522404b1cc3d1e088b194bd70d7dce4b19f1d381a4ab4d3c305ecc534a537419b03732501501926bd44f1d93e6deffba492e7e3159e94d337
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
2506b714f6c5b0ee07408d3048d7a5ac
SHA1
b58f6730747638bc104be5baf9ac082d462f381c
SHA256
ef4c662df6813a350753072f63adc0ea005fa4f50174e9fd21a23ddc1e327b9f
SHA512
f29b5967b5229d2f537e3ec768f1420be21b50de5c930c56bf920411d0e5072fdbfcb0842c04e5f3bc4cc6aab66d0a6d560d03b70161f8cf7cd8f5ab23fc55a2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
b82798404b95c4de30b92ce4feacf9c7
SHA1
b4b21dacf94ed8fb4c02bf25aa55da12cb456815
SHA256
c21d845d2c1da22a45f3bd3f5a9de2cf669e47c2e73c47e97cb060efd49d4446
SHA512
2f21fd0fff9ae1857a603be436b63cb9769c5a384a733e6304674cd7a89827da6758cea8dfbe8592ca3493f2804521e264733881647e77ae0798302a49f242c5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
acdf8f3244bdae0aadaf0bf5cd1f3b6e
SHA1
6fc16135836348e820c4aca5d9ba1944f6c1f411
SHA256
17c7c1527007b5e9fc106b34d9c11bc29c4379c66a3757e677a1b6d4aab7765e
SHA512
643dcf86a789d2dcfd9a942c57a296f6ca1aa93cd147b674cb967601d74d1b670a6c37fb72023016640fc60162c85ff9950592d997dac168b73f152d1a7251d1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
926b8cbd7953decf221c228efc504e91
SHA1
8514cc8acc3f2be33ed961daabb91b60d9571847
SHA256
e96e136e7112753a053259cd7ca6e4a8ca637e9b83021e3309dc82eb3600642e
SHA512
6a1e9510ac83dfbeef1ae0587a4e50987200686b4be5a01a07b62c9387b81269c31a8e1245993d67bd6719a3ae0a213ecea9af7f1b4d6600d9d3dad2fdfb8f73
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
64915a6999ac9c5a274ad63976112142
SHA1
f6e79318b3ddc1377d1304490a7a1726eac2f459
SHA256
5de42cac563b44b0c9b83c926536d13d154926e30e1d994fd23c2c72fe533575
SHA512
8b3ef4b7ec07d5bab2665c07344e154700da1c0d98939c37a44ede929e37de79a7f650998b1a9f4f0532134bec077a444b48688c170d56624fd6b0959af716dc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
70d00f306d30b3001d5c154da8f647ed
SHA1
455932f52c9e50907662f4e6c6054ec4cc2436d9
SHA256
a9fa4862b1e043e9563b4ed506b1b2f8867ea85b2173e7312aea143a32d26aa8
SHA512
b37329c6c433f931c2fa37277ead96ee9806917f4542c850be537111d5c43d8ced8a1c6801d4e9ceaa4ee1d053238140193924036a9c6fe298d055c62c9626af
-
Filesize
248B
MD5
2cb690a31fe21f8d01cd845339500df7
SHA1
5fd8889b2dd243eab7df36b9c048a30a47bf5115
SHA256
23a657d6ab0c9783bf47eab07ad17c56a9727e91cf0deac0e4fb630da2b4de01
SHA512
e31fa48726dca48685e77f0dfe643a1820e96051cdbc72bf2c699c1770bddac09d326f9c9905c74a09de7a2485a77fea07d877c2635672f757f8813ce10dfc57
-
Filesize
70KB
MD5
49aebf8cbd62d92ac215b2923fb1b9f5
SHA1
1723be06719828dda65ad804298d0431f6aff976
SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
248B
MD5
c801ba1a790a2b0434809628f7a6cc2f
SHA1
358dc9e583769840324237515d4e74b4f94df136
SHA256
88ad0a98174894e57563dcf55b0b917bff0db785acf25bddee180ff39cd41ec9
SHA512
08000ddf24723aa9528310990f2dde1c5068b31756f7386f0649d0b8d72c43c244c15535d940ed37dcfd903b8a5f5e141a0313c8c49ebdb72622f505dd7ccb16
-
Filesize
248B
MD5
566f4794e197b51b3be446c45374ed15
SHA1
e75c46215c92e9dc26e9cf9ae45f2b15d14720a5
SHA256
063acb6a529cadb5a68ea2260e71e943a9d4089f6687c20d220f5627b52ff7c1
SHA512
9885ecb0913b492c34035c3e95e6b44bdc70ba808385a5b99a8c7bff24e206e95033809ce26ee6f786914e5ad5e46501e0046f08903a10f2626e5f95b53db5a6
-
Filesize
248B
MD5
f5efafbc6467c140fb9aa4626492a034
SHA1
158bc55f47960de8b58a5d052a70e2da0a0cb4c2
SHA256
bf3011c8ac174f3f99d064f90791fdeaa7d37062a2e5afb4ebf8e9f0fe79ed0c
SHA512
0fa54a34732aef4430dd407b8925152a287a2ccefe5e9e8c960b645c08a0bf9d8d0c6ea8b16d746d3f42e9f2deb816906f98a24a7dccc97f804d3ca351ea093f
-
Filesize
181KB
MD5
4ea6026cf93ec6338144661bf1202cd1
SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
248B
MD5
64bb050cfa30359c842c33a2cfb5cf98
SHA1
153025b3963e7a8f892d7371562df0f8cfe36e62
SHA256
f034bc753ac68b86c89368671373004c42eac49a7a8ded2046b2becdba247386
SHA512
a5753290347e6ebbfcf98a94dd4aff88079a5ca11d22eee77f3377943796255cab02ba1fda914f3c7e5e548677c3beb131aab2415e21a471849f7909f3f4aaa1
-
Filesize
248B
MD5
d0d84f136636ede806bdbbda58d0ce62
SHA1
9eab8dc946de6ec7dc50b46fa52acf5e03c6a604
SHA256
f1673ae1282b8f60c7faeeb091a2b27683083d4153e723f9addad29dfb248c88
SHA512
37bcdb7c6ba75f4dfb0047b71b90ebfb92f0704cba937fc6a58a5651005e67c9f715b58644428e0425e3cb2921b8fee11bd5141539f3dbe5f934311b2c88685b
-
Filesize
248B
MD5
7bcb6fe743279bbe694cacf467ee9f45
SHA1
38dd4fb9d662c5fcf64bcb7d0029ea6caa32a2db
SHA256
9817896c26019f800e0499341511bed01d63aef9f7469046427ce13a48f96ade
SHA512
b321cfcafea143399af1561e7d44292152445289c991b2accc4c8b32b5f68d5fd597c229a1d826c8f29c55a3460105feaa792680530a9e03717592214c6613b8
-
Filesize
248B
MD5
bd29829b041d9ee8400d2f7bbb64fe95
SHA1
bbde6e6d14aa995125689f9af7cb5324f91eaf87
SHA256
47a1027df851f8d967152c90e6f78156d06cf246ccaeaeec6d4111da17b7bc3f
SHA512
07902864bd19e17533066376a85db241137c2bf46a226e102c70a88af988bcef7f3c1b437ae4a36b8d18d309d020ef010bf164f4d311e0796269dbda4fa5d76d
-
Filesize
248B
MD5
49173b0e2ff21c55bcefcc06aaa1eaf0
SHA1
815522754e2d06de1cc764a1bea332689c954b9a
SHA256
32c001731587369f2cf9659439a11b5dd0fe8ac99f614599f2ba7e8ec7ed488d
SHA512
fd5e0adc69ef7da43419d4b158a9e9842d9167559a1c3854ebf119d1a8fb19a596b66cfa786e49b7ee891d63849b95db29de93e3f0d3e4ec51270f69271b21f6
-
Filesize
248B
MD5
47b9f695b2cdd614d6b1f8fea4cce270
SHA1
4820f2da81143919914b47faa69a5aee95826d6f
SHA256
3722fadda067af811e395ddb389e42ed27ce64d38d9d49cb5cf5c4964dcf47f7
SHA512
38467597c77b11c93e9d7b63786bf738e1d62dd6e875aaa76eb0ae9ff815ac9d9c3a7f11df406b5fd37a0441a8b4c99e1d9a7a3f13b95a61de6da366a1d15673
-
Filesize
248B
MD5
d542f274907613d963d4dd640a525ba3
SHA1
64af8fff6e390d37931cc8eb879b6f2ff7fbdcbd
SHA256
dbd3ccde32fdd496d7f7b1e7476122f4fd11d3f889cb131f3feda1a792332f07
SHA512
0b6a0c89f2df736db3b09b24a6c7a189257bfaa6a519c0c3a22b5fe8e1e254376c70665bced8ee3ba179508fed7529a70bb6fc4e65a5327372d5bbbe80f8871c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB
MD5
26211c6876f6d31e015e3ac79f8092e2
SHA1
7af63169a85d80a68e6705d1a3bc758217546b17
SHA256
a1e7003df5f3f1c58ed3be42091d7c748280b5737e47fff1956eb491d5e6df14
SHA512
a3c22ccb5b3af6ac17996ad2f987c4f64cba92b9cd35226407b040bbc1dfdca7d6b6b9d9c55841475008cd96bdc396721968f43ffa5709fe4e1a1fb2278ea5b4
-
Filesize
36B
MD5
6783c3ee07c7d151ceac57f1f9c8bed7
SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD5
8088241160261560a02c84025d107592
SHA1
083121f7027557570994c9fc211df61730455bb5
SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5
bd31e94b4143c4ce49c17d3af46bcad0
SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394