Analysis
-
max time kernel
145s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
21-12-2024 21:56
Behavioral task
behavioral1
Sample
JaffaCakes118_5e6daa8d3c295c5a0cf8e4e79c0b85fb216ae875d7218c725cbc4195bd0d6a23.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_5e6daa8d3c295c5a0cf8e4e79c0b85fb216ae875d7218c725cbc4195bd0d6a23.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_5e6daa8d3c295c5a0cf8e4e79c0b85fb216ae875d7218c725cbc4195bd0d6a23.exe
-
Size
1.3MB
-
MD5
3054790b27d498c8c829297c5e0a5659
-
SHA1
92d0860380e5475d7e0ba2bdebdbcb59e2b92205
-
SHA256
5e6daa8d3c295c5a0cf8e4e79c0b85fb216ae875d7218c725cbc4195bd0d6a23
-
SHA512
68c89596f5995b742e886f010d355a5e76e399a19ce65c8de68e7dcb804ab491732b97161661e6fb24f19546a0caa0bba28217f15fdb61a52ba4ce6bed3567f6
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2476 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2328 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1600 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2908 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2152 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2184 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2216 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 484 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2256 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2000 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1532 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1504 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2040 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 572 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 592 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1116 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1932 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2164 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2168 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1500 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1696 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2836 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3024 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2248 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2192 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2396 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1136 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1916 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 772 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1860 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2480 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 992 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1740 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2072 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1332 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1864 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1560 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1028 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 276 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2484 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1840 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2320 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3068 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1724 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 888 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2076 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2956 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 892 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2272 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2952 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2740 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1572 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3012 2612 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2684 2612 schtasks.exe 34 -
resource yara_rule behavioral1/files/0x00070000000193d9-9.dat dcrat behavioral1/memory/2728-13-0x0000000001060000-0x0000000001170000-memory.dmp dcrat behavioral1/memory/888-156-0x0000000001310000-0x0000000001420000-memory.dmp dcrat behavioral1/memory/1032-392-0x00000000001A0000-0x00000000002B0000-memory.dmp dcrat behavioral1/memory/1036-452-0x0000000000A30000-0x0000000000B40000-memory.dmp dcrat behavioral1/memory/1924-512-0x0000000000310000-0x0000000000420000-memory.dmp dcrat behavioral1/memory/1776-572-0x00000000008E0000-0x00000000009F0000-memory.dmp dcrat behavioral1/memory/1988-632-0x0000000000DB0000-0x0000000000EC0000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2800 powershell.exe 2696 powershell.exe 2552 powershell.exe 2392 powershell.exe 2520 powershell.exe 2652 powershell.exe 2804 powershell.exe 2796 powershell.exe 2600 powershell.exe 2116 powershell.exe 576 powershell.exe 2724 powershell.exe 2160 powershell.exe 1968 powershell.exe 2636 powershell.exe 2556 powershell.exe 2536 powershell.exe 2576 powershell.exe 2172 powershell.exe -
Executes dropped EXE 11 IoCs
pid Process 2728 DllCommonsvc.exe 888 dwm.exe 3068 dwm.exe 2376 dwm.exe 2728 dwm.exe 1032 dwm.exe 1036 dwm.exe 1924 dwm.exe 1776 dwm.exe 1988 dwm.exe 1940 dwm.exe -
Loads dropped DLL 2 IoCs
pid Process 2748 cmd.exe 2748 cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow ioc 30 raw.githubusercontent.com 34 raw.githubusercontent.com 4 raw.githubusercontent.com 20 raw.githubusercontent.com 12 raw.githubusercontent.com 16 raw.githubusercontent.com 23 raw.githubusercontent.com 27 raw.githubusercontent.com 38 raw.githubusercontent.com 5 raw.githubusercontent.com 9 raw.githubusercontent.com -
Drops file in Program Files directory 5 IoCs
description ioc Process File opened for modification C:\Program Files\DVD Maker\en-US\services.exe DllCommonsvc.exe File created C:\Program Files\DVD Maker\en-US\c5b4cb5e9653cc DllCommonsvc.exe File created C:\Program Files\Common Files\SpeechEngines\Microsoft\smss.exe DllCommonsvc.exe File created C:\Program Files\Common Files\SpeechEngines\Microsoft\69ddcba757bf72 DllCommonsvc.exe File created C:\Program Files\DVD Maker\en-US\services.exe DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_5e6daa8d3c295c5a0cf8e4e79c0b85fb216ae875d7218c725cbc4195bd0d6a23.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2256 schtasks.exe 592 schtasks.exe 1116 schtasks.exe 2484 schtasks.exe 2740 schtasks.exe 2152 schtasks.exe 2192 schtasks.exe 892 schtasks.exe 2476 schtasks.exe 1560 schtasks.exe 1840 schtasks.exe 3068 schtasks.exe 3012 schtasks.exe 2684 schtasks.exe 2168 schtasks.exe 1500 schtasks.exe 1860 schtasks.exe 2908 schtasks.exe 3024 schtasks.exe 2072 schtasks.exe 2272 schtasks.exe 1600 schtasks.exe 2480 schtasks.exe 1740 schtasks.exe 2164 schtasks.exe 2836 schtasks.exe 572 schtasks.exe 1572 schtasks.exe 1332 schtasks.exe 1724 schtasks.exe 888 schtasks.exe 2952 schtasks.exe 2328 schtasks.exe 2076 schtasks.exe 1532 schtasks.exe 1932 schtasks.exe 992 schtasks.exe 1028 schtasks.exe 2320 schtasks.exe 2956 schtasks.exe 2040 schtasks.exe 2000 schtasks.exe 1504 schtasks.exe 2396 schtasks.exe 484 schtasks.exe 2184 schtasks.exe 1864 schtasks.exe 1696 schtasks.exe 2248 schtasks.exe 2216 schtasks.exe 1136 schtasks.exe 1916 schtasks.exe 772 schtasks.exe 276 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 38 IoCs
pid Process 2728 DllCommonsvc.exe 2728 DllCommonsvc.exe 2728 DllCommonsvc.exe 2728 DllCommonsvc.exe 2728 DllCommonsvc.exe 2728 DllCommonsvc.exe 2728 DllCommonsvc.exe 2728 DllCommonsvc.exe 2728 DllCommonsvc.exe 2552 powershell.exe 2160 powershell.exe 2520 powershell.exe 2800 powershell.exe 1968 powershell.exe 2804 powershell.exe 2652 powershell.exe 576 powershell.exe 2636 powershell.exe 2576 powershell.exe 2172 powershell.exe 2392 powershell.exe 2116 powershell.exe 2536 powershell.exe 2696 powershell.exe 2724 powershell.exe 2556 powershell.exe 2600 powershell.exe 2796 powershell.exe 888 dwm.exe 3068 dwm.exe 2376 dwm.exe 2728 dwm.exe 1032 dwm.exe 1036 dwm.exe 1924 dwm.exe 1776 dwm.exe 1988 dwm.exe 1940 dwm.exe -
Suspicious use of AdjustPrivilegeToken 30 IoCs
description pid Process Token: SeDebugPrivilege 2728 DllCommonsvc.exe Token: SeDebugPrivilege 2552 powershell.exe Token: SeDebugPrivilege 2160 powershell.exe Token: SeDebugPrivilege 2520 powershell.exe Token: SeDebugPrivilege 2800 powershell.exe Token: SeDebugPrivilege 1968 powershell.exe Token: SeDebugPrivilege 2804 powershell.exe Token: SeDebugPrivilege 2652 powershell.exe Token: SeDebugPrivilege 576 powershell.exe Token: SeDebugPrivilege 2636 powershell.exe Token: SeDebugPrivilege 2576 powershell.exe Token: SeDebugPrivilege 2172 powershell.exe Token: SeDebugPrivilege 2392 powershell.exe Token: SeDebugPrivilege 2116 powershell.exe Token: SeDebugPrivilege 2536 powershell.exe Token: SeDebugPrivilege 2696 powershell.exe Token: SeDebugPrivilege 2724 powershell.exe Token: SeDebugPrivilege 2556 powershell.exe Token: SeDebugPrivilege 2600 powershell.exe Token: SeDebugPrivilege 2796 powershell.exe Token: SeDebugPrivilege 888 dwm.exe Token: SeDebugPrivilege 3068 dwm.exe Token: SeDebugPrivilege 2376 dwm.exe Token: SeDebugPrivilege 2728 dwm.exe Token: SeDebugPrivilege 1032 dwm.exe Token: SeDebugPrivilege 1036 dwm.exe Token: SeDebugPrivilege 1924 dwm.exe Token: SeDebugPrivilege 1776 dwm.exe Token: SeDebugPrivilege 1988 dwm.exe Token: SeDebugPrivilege 1940 dwm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2664 wrote to memory of 2796 2664 JaffaCakes118_5e6daa8d3c295c5a0cf8e4e79c0b85fb216ae875d7218c725cbc4195bd0d6a23.exe 30 PID 2664 wrote to memory of 2796 2664 JaffaCakes118_5e6daa8d3c295c5a0cf8e4e79c0b85fb216ae875d7218c725cbc4195bd0d6a23.exe 30 PID 2664 wrote to memory of 2796 2664 JaffaCakes118_5e6daa8d3c295c5a0cf8e4e79c0b85fb216ae875d7218c725cbc4195bd0d6a23.exe 30 PID 2664 wrote to memory of 2796 2664 JaffaCakes118_5e6daa8d3c295c5a0cf8e4e79c0b85fb216ae875d7218c725cbc4195bd0d6a23.exe 30 PID 2796 wrote to memory of 2748 2796 WScript.exe 31 PID 2796 wrote to memory of 2748 2796 WScript.exe 31 PID 2796 wrote to memory of 2748 2796 WScript.exe 31 PID 2796 wrote to memory of 2748 2796 WScript.exe 31 PID 2748 wrote to memory of 2728 2748 cmd.exe 33 PID 2748 wrote to memory of 2728 2748 cmd.exe 33 PID 2748 wrote to memory of 2728 2748 cmd.exe 33 PID 2748 wrote to memory of 2728 2748 cmd.exe 33 PID 2728 wrote to memory of 2652 2728 DllCommonsvc.exe 89 PID 2728 wrote to memory of 2652 2728 DllCommonsvc.exe 89 PID 2728 wrote to memory of 2652 2728 DllCommonsvc.exe 89 PID 2728 wrote to memory of 2804 2728 DllCommonsvc.exe 90 PID 2728 wrote to memory of 2804 2728 DllCommonsvc.exe 90 PID 2728 wrote to memory of 2804 2728 DllCommonsvc.exe 90 PID 2728 wrote to memory of 1968 2728 DllCommonsvc.exe 91 PID 2728 wrote to memory of 1968 2728 DllCommonsvc.exe 91 PID 2728 wrote to memory of 1968 2728 DllCommonsvc.exe 91 PID 2728 wrote to memory of 2800 2728 DllCommonsvc.exe 92 PID 2728 wrote to memory of 2800 2728 DllCommonsvc.exe 92 PID 2728 wrote to memory of 2800 2728 DllCommonsvc.exe 92 PID 2728 wrote to memory of 2696 2728 DllCommonsvc.exe 93 PID 2728 wrote to memory of 2696 2728 DllCommonsvc.exe 93 PID 2728 wrote to memory of 2696 2728 DllCommonsvc.exe 93 PID 2728 wrote to memory of 2796 2728 DllCommonsvc.exe 94 PID 2728 wrote to memory of 2796 2728 DllCommonsvc.exe 94 PID 2728 wrote to memory of 2796 2728 DllCommonsvc.exe 94 PID 2728 wrote to memory of 2636 2728 DllCommonsvc.exe 95 PID 2728 wrote to memory of 2636 2728 DllCommonsvc.exe 95 PID 2728 wrote to memory of 2636 2728 DllCommonsvc.exe 95 PID 2728 wrote to memory of 2556 2728 DllCommonsvc.exe 96 PID 2728 wrote to memory of 2556 2728 DllCommonsvc.exe 96 PID 2728 wrote to memory of 2556 2728 DllCommonsvc.exe 96 PID 2728 wrote to memory of 2536 2728 DllCommonsvc.exe 97 PID 2728 wrote to memory of 2536 2728 DllCommonsvc.exe 97 PID 2728 wrote to memory of 2536 2728 DllCommonsvc.exe 97 PID 2728 wrote to memory of 2552 2728 DllCommonsvc.exe 98 PID 2728 wrote to memory of 2552 2728 DllCommonsvc.exe 98 PID 2728 wrote to memory of 2552 2728 DllCommonsvc.exe 98 PID 2728 wrote to memory of 2576 2728 DllCommonsvc.exe 99 PID 2728 wrote to memory of 2576 2728 DllCommonsvc.exe 99 PID 2728 wrote to memory of 2576 2728 DllCommonsvc.exe 99 PID 2728 wrote to memory of 2600 2728 DllCommonsvc.exe 100 PID 2728 wrote to memory of 2600 2728 DllCommonsvc.exe 100 PID 2728 wrote to memory of 2600 2728 DllCommonsvc.exe 100 PID 2728 wrote to memory of 2116 2728 DllCommonsvc.exe 101 PID 2728 wrote to memory of 2116 2728 DllCommonsvc.exe 101 PID 2728 wrote to memory of 2116 2728 DllCommonsvc.exe 101 PID 2728 wrote to memory of 576 2728 DllCommonsvc.exe 102 PID 2728 wrote to memory of 576 2728 DllCommonsvc.exe 102 PID 2728 wrote to memory of 576 2728 DllCommonsvc.exe 102 PID 2728 wrote to memory of 2520 2728 DllCommonsvc.exe 103 PID 2728 wrote to memory of 2520 2728 DllCommonsvc.exe 103 PID 2728 wrote to memory of 2520 2728 DllCommonsvc.exe 103 PID 2728 wrote to memory of 2724 2728 DllCommonsvc.exe 104 PID 2728 wrote to memory of 2724 2728 DllCommonsvc.exe 104 PID 2728 wrote to memory of 2724 2728 DllCommonsvc.exe 104 PID 2728 wrote to memory of 2172 2728 DllCommonsvc.exe 105 PID 2728 wrote to memory of 2172 2728 DllCommonsvc.exe 105 PID 2728 wrote to memory of 2172 2728 DllCommonsvc.exe 105 PID 2728 wrote to memory of 2392 2728 DllCommonsvc.exe 106 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e6daa8d3c295c5a0cf8e4e79c0b85fb216ae875d7218c725cbc4195bd0d6a23.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5e6daa8d3c295c5a0cf8e4e79c0b85fb216ae875d7218c725cbc4195bd0d6a23.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2652
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\en-US\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2804
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\SpeechEngines\Microsoft\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2800
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2696
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2796
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2636
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2556
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2536
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2552
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Microsoft\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2600
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2116
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2520
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2724
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2172
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2160
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qucRPaNotZ.bat"5⤵PID:2020
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:2996
-
-
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:888 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RFyBjogktz.bat"7⤵PID:2228
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:1700
-
-
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3068 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\veDg5wW3gS.bat"9⤵PID:2752
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:2352
-
-
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2376 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gMBHdlpNUB.bat"11⤵PID:2248
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:2640
-
-
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2728 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0uTXzTWsAa.bat"13⤵PID:2164
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵PID:1168
-
-
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1032 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cU7BGbiaqd.bat"15⤵PID:2908
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵PID:1972
-
-
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1036 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRWwqJyPGw.bat"17⤵PID:2772
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵PID:1116
-
-
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1924 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o4pIGJu18c.bat"19⤵PID:2700
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵PID:316
-
-
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1776 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CWxqMEPA9M.bat"21⤵PID:2856
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵PID:2452
-
-
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1988 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hiVaTihpWK.bat"23⤵PID:2272
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵PID:3044
-
-
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe"C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1940 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nm0aad8I0L.bat"25⤵PID:2872
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵PID:2404
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\en-US\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\en-US\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\SpeechEngines\Microsoft\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Common Files\SpeechEngines\Microsoft\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\SpeechEngines\Microsoft\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\providercommon\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\providercommon\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Favorites\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Favorites\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\All Users\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Microsoft\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Microsoft\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Microsoft\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Public\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Public\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\providercommon\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5d63fb8a5d520b9b8dc2d775f12e78fe0
SHA169be817801b59cb91acde89c3df5b3dc93769cb9
SHA256b6fb3abd97649c7bca5673ae8d8c258540e907afcbefaed0149a6bf91e73f7ea
SHA5129186000719d1d35c5982732abd8efbf2a5260105fdc3323bdcf48579be3a00d8c66eabfdaea9494f01b5788769656ff5658d74868d77ee0544b5571a358caaaf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD570bc51d21f776fa115f35146783e1715
SHA106d8340fbe0bfc62cc0a8304c6df58646916fdcd
SHA256ddc006178a0bcf3f2f79aae0269bb3fe9d0b73bda5741dae965b5df85547391e
SHA512486626a7f8d6d726b7597c240ca4a8612736ade9a93d260effb95975335b23b9511863ab0fb5d436c2b5e0026a29d09f9595412cc9449e290b6380901585e718
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5719b074d2c7fe429ee04c77dfc705c59
SHA161d41493b71f36a83ef0dc21121e043113eb93bf
SHA2569a73ce93fbce526a7b8dbad87d8760aaeef1f3010a64f978ce85ab99d6cd1894
SHA512e805fed2258bb1a057fbc0eec3b620241d13d4f3dec77bbd17915154dcb20df7d7349c476d8d9487ac0980033ffef94f62eadbc2e3621adc4c2160fcfd4f81f3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5d7d3b3cfd95d64d246bfff3ceb9ca89b
SHA10727572b43376f111facec7f44ea100af36a51f6
SHA256279779bb50bc129ec67602f31aea811d0dbc32197caf21501eaf9e25e83bf254
SHA512811f6e47c453ed10cc62fb0da4bb6b4e6d1487d740c4f17a21a52e11590ed62236793a10ec19bb01271c48583db3f0dd1197c9879392348a69e71a78a5e95e9f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5368d716c14958629e74f25b2572c03be
SHA1469a06977ac9e809947ba35cace219ca50d01bc4
SHA256dd27827a2c5e65fa85e0b8751d16a0bba1540ac7cc3738f6f62a2824957f503d
SHA512de880eb85d7c4af45b591d6e37a664503d60f33a5b1461de6f1a2d19e8996bc9d46f32c5c8b0d21e42a515be3b6dd395b5f54a4346aa338fe8e888fc58496cc5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a561a1a63f878e4e65624454aaf2d05f
SHA134dc3277da54ace6740fbdfeca5fde533371525c
SHA2568dff8d7281555cf16a08b56beba08732bb3646dd723c43b065eeb43138a74376
SHA51244955c098d5d9dbfe23aa83e742431ed2b03bcef7c3aa43554ed93cc177abec6fc251daccc0e6797754b16c5a87fd25cf2c873227ec20af24b6a91c14d11ef98
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD53a38157165a7e89d2768823ee8611754
SHA1c91a7edf6fceaffbca60a3af904f9f026c9716b8
SHA256d9d0cf3a9317f1f802ced10f94e4d24547fe972dbe04deffb76a291b23dda2d9
SHA512aff7d6b0a22a2ffaa2821a74970844d52685c7b9ca2d653b61dcd4c662d451b557e1308a8de2e54b01a881ae99772621e153c88d5308d57eed88aec0d5f3f48f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5339f761944f4c47512becb5d02f32b11
SHA1cbd9d6ebde799db73cd9ba53b488e0f67356225e
SHA256f3f5eca92f0b8b5d5f62ebf152b528b94f81f47e7f0b466d5c0d2d1ef90a7e4c
SHA512310f349dcea7293420dafe0b70699a0b24e6741e9e89fdb23b18667cbf10eb5424bc3994a4609267d54f0879a721c8375beb2e083abd9b2c2323af7c97ccda3f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5c11df0db75aedaa19c243778a383265c
SHA148db8361777a2e73243c4be49a8223e9157ec80d
SHA256c87aa2bc26b155b0c666ca149568ac73b247d6561512012827599081f54d3f80
SHA51266598c0bb87fd80d61c09d872df388d6d434d7f6a434a40424a64ff724edae13f5cf28504e551e506e2e5147087fe13f072ca0f15e5361efedc713253f045811
-
Filesize
221B
MD5dbcc041440085be632611ade84813624
SHA1db4e0ae14fb38a1537db88b52639df97d9b0c2de
SHA2561aeb4e37d563d546f9f0db61031ffb6d29d034c74d1994a022633569db99a61e
SHA5129e7134a24c6eb17bcd96f4bff7dc528301fc90c9f48f704e4fe1d98406c33fb39e3ff3e71b160032db789d9fb7f091beed9754420a3e7f42683a9b2454769fac
-
Filesize
221B
MD53062917296a04591571b3e5ff8c1f6aa
SHA1edf74bd3119e8415321e622caad4ec3a71f706fe
SHA2567600e7f1426d6a5328cc0024e26ce632785489f41ac7aee35e117d9877acca89
SHA512bd17bdbc34b5214b6099fce9fec59dcc88d65e7fd3bd2a457b10b1986ca7686414e3f306aad97b367488c5aea58b46765cbf0e69774681aed999e28feacb87ba
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
221B
MD53c2a14aadb48221a368dbe29db3178ca
SHA1ef5766fb5faaebc3bc203726ceb4f9a8a04f773e
SHA256f8e5712c756804c246ff52481b30b15dcf49af8e61e4c6e17309c829c8a7026c
SHA512201418ed50aa99defa90c7fb69f52b71477916425acb951a7cc4493f4a9574082808963e9d2482f1b22de30867c7e0d837d26bf3bec8c3cbf9e230de077e90b0
-
Filesize
221B
MD54169eef7b6d1a2c30b4f787a40e91994
SHA101c1a3329fa3a35e69d2a69c0dd6d4a605e966ba
SHA25606b51df0c0213c7e8cfea3cd21329fd49772efcd94fbd723aa1f0da5d58004a8
SHA512976a4579f04e0882f9d75c2a074b4c0efba6e35bb9fa59544f4f5393a5a2e4b641bf4b5985ce66bd516977c38f4dd6385cc70123d4355d7fe09684ebcb586ffa
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
221B
MD529900c3a81d46d939db7b8ca6ec0f2b3
SHA146b4fdc4a44ccbaca11186f7d2d5bc586c8531e8
SHA256e69baa18fc536151adf39176249e3f8ec807a5b9aec2b748f2002f740f27bcb8
SHA512b09c469f1268897571299cf73cf44cbef0fc417230fdbfb425e8c07e8da8fddeeacecd7d6d473d27b791409cfe7a7f821fc971f7840b55be6411ce5108981e2c
-
Filesize
221B
MD53b09b40cad21ac737eeed5e865a136bd
SHA10782c1209501b11c42b6c2e8ece914f7a5c379fa
SHA25616b9f4803703ab5895759465ae969a6af9ca88426513763e766379d539c9b31e
SHA51219d2a39d3f6c7d0c9203b2d7cf52ba405dc1d4d211176dfd91e08dab04c0473b01182bbef1620d237e3879d813a14fbc32369c4e7d2e3421a8c80de384a92611
-
Filesize
221B
MD5ad2a459b0240bd48a16d134e4d0957ac
SHA1648de245af6947e274c3de51bbda5d7dee30fd31
SHA256dc81ac9ee9192ad5bda73d9dd879b2d76bf863939cd138eafa0abe103186ae72
SHA512743b80dccb3eb47490d2444f02da1a4e3651c438b5644c82496d9dc4221e5c7d23aa194c5c39657443e9d0f03fcc25d483e1e6ba14924b70ea6e26efe03d55ac
-
Filesize
221B
MD52ba1a3f152a9b2cf5b596d28d35f423f
SHA1be929710ce1f4d64a22cf3c2db3a3a3a3a3a9377
SHA2563f2c41b1818217d81ea5d653e4df6304b0c41ee41f42ce98fc2036a5c501b2ca
SHA51203d71c384edd270cbb3ff4045024d7520286f02cbbfbad70b100b84785cca108cd9e1691c7b28f9914f0cc1e3e9dc35fa9a1a728d153f637de6a951b32010ba3
-
Filesize
221B
MD56c57b2173442a8e273ef903bb1449aba
SHA11061e56848cf92f8fea88f93a5b9834158797200
SHA256105d32cd7bc56ba8a6fec33db2fb614bad642729e2db7677c7dfd44647bfed88
SHA512c3f7404b4e061ef8c86d65c8a92651e1ebe2e45e3c71b7f5deb97cbf9040187fbb9ff9e111d50b18e6f20002e2c54a96a8c71ec53b080e4d20428183e78786ad
-
Filesize
221B
MD5f1815f8bd8c981ba36785cc4d2a173e3
SHA10c8586b17abbc5166bcf4b0d270e1822767e6e1d
SHA256ee5a77a4e28c2ba29ea3abd8aa85bd363494cf73e4dc3ca53c98470a63ddb291
SHA512368ce0d3552bfb7acdf94b44a6bb6e9c6ddfee1ce5f9012d051d2369138128130d7bb2e0527f72d6f18704aa8ce428171deefac66ea4a77d9e122801796c74f1
-
Filesize
221B
MD5020ec178da30e37742f67857771fb77a
SHA1ab716cd78556999a9b5da05ee5451aad940d5413
SHA2564e493b3dfec95c9c9402deb7a69f50c7b7c9f57ebd9f38b04adbbe09b89c1092
SHA512945453e4e4e6da6c890c097c7c11e71fa2d6b953073860d6fd801b5617575cf520a22630fe8e1db8231144e1fd038d3c5fde534358cf0a98f92864a416512c04
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD513938174fe44403cc9644763af6062ec
SHA17843e82fb268387bc6865c53e45d92182b455e72
SHA256fb605d0e85bb0a30f089fdd1e6154d934492cd415326d662927c60c3b9eb9d5b
SHA5124ea7edde8a6224dfb458fb2215f65c6ef0f9fae856032c867282b36e4f66646c10b622e9027447200a50161d15d88d6f3fc3290371e55b684a7034760349c4d1
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394