Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2024, 02:08
Behavioral task: behavioral1
- Sample: JaffaCakes118_e1f0f2f5e55c765cdbfc8e3c1253dae71a1e7bfaf2e356f2c88a083fda35fc84.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_e1f0f2f5e55c765cdbfc8e3c1253dae71a1e7bfaf2e356f2c88a083fda35fc84.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_e1f0f2f5e55c765cdbfc8e3c1253dae71a1e7bfaf2e356f2c88a083fda35fc84.exe
- Size: 1.3MB
- MD5: c15e937fb952f8d30752b67a62073bf3
- SHA1: 0c60be5e4fbceac78315bb97963bc8f1ac738ef9
- SHA256: e1f0f2f5e55c765cdbfc8e3c1253dae71a1e7bfaf2e356f2c88a083fda35fc84
- SHA512: 82ca40ef9fc2d955803cb490fa2e0b42034478f8b78130632dd11d8b61771d1860929b5711c8b7544c4e19f6537ad20c64972d6486138eb3913f94c3eccc613a
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
- Dcrat family
- Process spawned unexpected child process (51 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
  resource / yara_rule:
  - behavioral1/files/0x00080000000156a8-9.dat: dcrat
  - behavioral1/memory/1708-13-0x0000000000930000-0x0000000000A40000-memory.dmp: dcrat
  - behavioral1/memory/2328-150-0x0000000001270000-0x0000000001380000-memory.dmp: dcrat
  - behavioral1/memory/2976-505-0x00000000002A0000-0x00000000003B0000-memory.dmp: dcrat
  - behavioral1/memory/2556-565-0x0000000001010000-0x0000000001120000-memory.dmp: dcrat
  - behavioral1/memory/828-625-0x0000000000170000-0x0000000000280000-memory.dmp: dcrat
  - behavioral1/memory/1680-686-0x00000000000D0000-0x00000000001E0000-memory.dmp: dcrat
  - behavioral1/memory/2288-746-0x0000000000230000-0x0000000000340000-memory.dmp: dcrat
- Command and Scripting Interpreter: PowerShell (1 TTPs, 18 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid / Process: powershell.exe with PIDs 2588, 2868, 2728, 2220, 2712, 2720, 2840, 2880, 1904, 2580, 2112, 2604, 1224, 2816, 2228, 2796, 2892, 2672
- Executes dropped EXE (12 IoCs)
  pid / Process: 1708 DllCommonsvc.exe; audiodg.exe with PIDs 2328, 2000, 2260, 1292, 3012, 2184, 2976, 2556, 828, 1680, 2288
- Loads dropped DLL (2 IoCs)
  pid / Process: 2856 cmd.exe, 2856 cmd.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 11 IoCs)
  flow / ioc: raw.githubusercontent.com in flows 9, 19, 22, 25, 28, 32, 35, 4, 5, 12, 16
- Drops file in Program Files directory (10 IoCs)
  description / ioc / Process (all created by DllCommonsvc.exe):
  - File created C:\Program Files\Uninstall Information\DllCommonsvc.exe
  - File created C:\Program Files\Uninstall Information\a76d7bf15d8370
  - File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\5940a34987c991
  - File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\audiodg.exe
  - File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\42af1c969fbb7b
  - File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe
  - File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe
  - File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\6ccacd8608530f
  - File created C:\Program Files\Windows Defender\es-ES\cmd.exe
  - File created C:\Program Files\Windows Defender\es-ES\ebf1f9fa8afd6d
- Drops file in Windows directory (4 IoCs)
  description / ioc / Process (all created by DllCommonsvc.exe):
  - File created C:\Windows\addins\cmd.exe
  - File created C:\Windows\addins\ebf1f9fa8afd6d
  - File created C:\Windows\fr-FR\conhost.exe
  - File created C:\Windows\fr-FR\088424020bedd6
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by JaffaCakes118_e1f0f2f5e55c765cdbfc8e3c1253dae71a1e7bfaf2e356f2c88a083fda35fc84.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by WScript.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 51 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (32 IoCs)
- Suspicious use of AdjustPrivilegeToken (30 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e1f0f2f5e55c765cdbfc8e3c1253dae71a1e7bfaf2e356f2c88a083fda35fc84.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e1f0f2f5e55c765cdbfc8e3c1253dae71a1e7bfaf2e356f2c88a083fda35fc84.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2984

Level 2: C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2836

Level 3: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2856

Level 4: C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1708
Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (18 instances)
  Command line of each instance: "powershell" -Command Add-MpPreference -ExclusionPath '<path>'
  Each instance flagged: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  PID   ExclusionPath
  2728  C:\providercommon\DllCommonsvc.exe
  2672  C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe
  2892  C:\Users\Default\My Documents\DllCommonsvc.exe
  2816  C:\providercommon\csrss.exe
  2840  C:\Users\Default\Templates\audiodg.exe
  2720  C:\providercommon\audiodg.exe
  2712  C:\Users\Default\Documents\conhost.exe
  1224  C:\Users\Default User\taskhost.exe
  2880  C:\Program Files\Uninstall Information\DllCommonsvc.exe
  2868  C:\Windows\addins\cmd.exe
  2604  C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe
  2112  C:\providercommon\winlogon.exe
  2580  C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe
  2588  C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\audiodg.exe
  1904  C:\Windows\fr-FR\conhost.exe
  2796  C:\Program Files\Windows Defender\es-ES\cmd.exe
  2228  C:\Users\All Users\Microsoft\Assistance\Client\1.0\dwm.exe
  2220  C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe
Levels 5-26: repeated cmd.exe -> w32tm.exe + audiodg.exe chain (11 iterations; each audiodg.exe instance is the parent of the next cmd.exe, so every iteration sits two levels deeper)
  cmd.exe command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\<script>.bat"
  w32tm.exe command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  audiodg.exe command line: "C:\Users\Default\Templates\audiodg.exe"
  Each audiodg.exe instance flagged: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  cmd.exe level  .bat script      cmd.exe PID  w32tm.exe PID (level+1)  audiodg.exe PID (level+1)
  5              u7id3hG60a.bat   2068         2136                     2328
  7              v65NgynF79.bat   2920         2180                     2000
  9              9gNv7qRJ8U.bat   1788         1356                     2260
  11             kYBl3UyOdq.bat   2712         2136                     1292
  13             gMBHdlpNUB.bat   1124         2980                     3012
  15             L8pPJcA7Kt.bat   2572         1900                     2184
  17             IPU7rAfrPc.bat   2216         1288                     2976
  19             UTkrWZWekQ.bat   320          2120                     2556
  21             xjNnGM38uG.bat   1772         2948                     828
  23             jClCs9nEU3.bat   1904         1180                     1680
  25             dk6czFnjgV.bat   2688         2516                     2288
Level 1: C:\Windows\system32\schtasks.exe (one root-level instance per row)
  Command line of each instance: schtasks.exe /create /tn "<task name>" /sc <schedule> [/mo <n>] /tr "'<target>'" [/rl HIGHEST] /f
  Each instance flagged: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task

  PID   Task name       Schedule        /rl      Target
  2312  winlogonw       MINUTE /mo 7    -        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe
  2076  winlogon        ONLOGON         HIGHEST  C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe
  1988  winlogonw       MINUTE /mo 9    HIGHEST  C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe
  2068  DllCommonsvcD   MINUTE /mo 8    -        C:\Users\Default\My Documents\DllCommonsvc.exe
  2080  DllCommonsvc    ONLOGON         HIGHEST  C:\Users\Default\My Documents\DllCommonsvc.exe
  2184  DllCommonsvcD   MINUTE /mo 10   HIGHEST  C:\Users\Default\My Documents\DllCommonsvc.exe
  2676  csrssc          MINUTE /mo 11   -        C:\providercommon\csrss.exe
  320   csrss           ONLOGON         HIGHEST  C:\providercommon\csrss.exe
  2544  csrssc          MINUTE /mo 14   HIGHEST  C:\providercommon\csrss.exe
  2788  audiodga        MINUTE /mo 10   -        C:\Users\Default\Templates\audiodg.exe
  2776  audiodg         ONLOGON         HIGHEST  C:\Users\Default\Templates\audiodg.exe
  1532  audiodga        MINUTE /mo 5    HIGHEST  C:\Users\Default\Templates\audiodg.exe
  2332  audiodga        MINUTE /mo 5    -        C:\providercommon\audiodg.exe
  2948  audiodg         ONLOGON         HIGHEST  C:\providercommon\audiodg.exe
  1516  audiodga        MINUTE /mo 10   HIGHEST  C:\providercommon\audiodg.exe
  2256  conhostc        MINUTE /mo 9    -        C:\Users\Default\Documents\conhost.exe
  1756  conhost         ONLOGON         HIGHEST  C:\Users\Default\Documents\conhost.exe
  1548  conhostc        MINUTE /mo 11   HIGHEST  C:\Users\Default\Documents\conhost.exe
  1296  taskhostt       MINUTE /mo 13   -        C:\Users\Default User\taskhost.exe
        taskhost        ONLOGON         HIGHEST  C:\Users\Default User\taskhost.exe
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Windows\addins\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\addins\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\providercommon\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\fr-FR\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\fr-FR\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\fr-FR\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\es-ES\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\es-ES\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft\Assistance\Client\1.0\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Assistance\Client\1.0\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft\Assistance\Client\1.0\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064
Network
MITRE ATT&CK Enterprise v15
Downloads