Analysis
max time kernel: 148s
max time network: 144s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 22:37
Behavioral task: behavioral1
Sample: JaffaCakes118_601ad0e1260258028f432a3746a87816a2a2d0c8bd3e22f50cd0ee85faa666a2.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: JaffaCakes118_601ad0e1260258028f432a3746a87816a2a2d0c8bd3e22f50cd0ee85faa666a2.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_601ad0e1260258028f432a3746a87816a2a2d0c8bd3e22f50cd0ee85faa666a2.exe
Size: 1.3MB
MD5: d29b8c09e76961a7506c3f775fa2b3f0
SHA1: 8521dfd680d92707974e8051bf779eace7db02ff
SHA256: 601ad0e1260258028f432a3746a87816a2a2d0c8bd3e22f50cd0ee85faa666a2
SHA512: 815324a33ace3227b7463a875575f9856e42425e1ec472349eb75cb51bb2ec1ebf26bad11384eb48c9e0b0ab04ef5c1115ca7547b69251adfddd2b078e68c6e1
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
| description | pid | pid_target | Process | procid_target |
|---|---|---|---|---|
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1500 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 584 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1876 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2068 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2072 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2560 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3024 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2860 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 860 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2864 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2964 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 336 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1308 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1976 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2280 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2440 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2436 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2512 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1064 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1848 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1528 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 396 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1736 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1724 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2464 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2880 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3008 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2732 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2656 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2696 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 380 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1512 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1160 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2604 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1972 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2924 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 584 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1272 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2956 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2056 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1832 | 780 | schtasks.exe | 34 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2860 | 780 | schtasks.exe | 34 |
| resource | yara_rule |
|---|---|
| behavioral1/files/0x0008000000015e48-9.dat | dcrat |
| behavioral1/memory/2640-13-0x00000000013E0000-0x00000000014F0000-memory.dmp | dcrat |
| behavioral1/memory/1396-138-0x00000000002B0000-0x00000000003C0000-memory.dmp | dcrat |
| behavioral1/memory/2084-198-0x0000000000AD0000-0x0000000000BE0000-memory.dmp | dcrat |
| behavioral1/memory/1728-259-0x0000000000D30000-0x0000000000E40000-memory.dmp | dcrat |
| behavioral1/memory/568-319-0x0000000000F40000-0x0000000001050000-memory.dmp | dcrat |
| behavioral1/memory/2716-380-0x00000000012C0000-0x00000000013D0000-memory.dmp | dcrat |
| behavioral1/memory/2412-559-0x00000000002D0000-0x00000000003E0000-memory.dmp | dcrat |
| behavioral1/memory/968-620-0x0000000001160000-0x0000000001270000-memory.dmp | dcrat |
Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
| pid | Process |
|---|---|
| 2940 | powershell.exe |
| 2252 | powershell.exe |
| 2360 | powershell.exe |
| 1940 | powershell.exe |
| 1440 | powershell.exe |
| 2212 | powershell.exe |
| 1988 | powershell.exe |
| 1412 | powershell.exe |
| 1948 | powershell.exe |
| 2316 | powershell.exe |
| 2452 | powershell.exe |
| 1296 | powershell.exe |
| 2052 | powershell.exe |
| 3020 | powershell.exe |
| 2448 | powershell.exe |
| 1500 | powershell.exe |
Executes dropped EXE 13 IoCs
| pid | Process |
|---|---|
| 2640 | DllCommonsvc.exe |
| 2224 | DllCommonsvc.exe |
| 1396 | lsm.exe |
| 2084 | lsm.exe |
| 1728 | lsm.exe |
| 568 | lsm.exe |
| 2716 | lsm.exe |
| 1696 | lsm.exe |
| 2140 | lsm.exe |
| 2412 | lsm.exe |
| 968 | lsm.exe |
| 692 | lsm.exe |
| 2768 | lsm.exe |
Loads dropped DLL 2 IoCs
| pid | Process |
|---|---|
| 2368 | cmd.exe |
| 2368 | cmd.exe |
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
| flow | ioc |
|---|---|
| 15 | raw.githubusercontent.com |
| 22 | raw.githubusercontent.com |
| 25 | raw.githubusercontent.com |
| 31 | raw.githubusercontent.com |
| 18 | raw.githubusercontent.com |
| 28 | raw.githubusercontent.com |
| 34 | raw.githubusercontent.com |
| 4 | raw.githubusercontent.com |
| 5 | raw.githubusercontent.com |
| 9 | raw.githubusercontent.com |
| 12 | raw.githubusercontent.com |
Drops file in Program Files directory 4 IoCs
| description | ioc | Process |
|---|---|---|
| File created | C:\Program Files\Uninstall Information\DllCommonsvc.exe | DllCommonsvc.exe |
| File created | C:\Program Files\Uninstall Information\a76d7bf15d8370 | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Common Files\DESIGNER\dllhost.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Common Files\DESIGNER\5940a34987c991 | DllCommonsvc.exe |
Drops file in Windows directory 3 IoCs
| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\CSC\v2.0.6\csrss.exe | DllCommonsvc.exe |
| File created | C:\Windows\L2Schemas\lsm.exe | DllCommonsvc.exe |
| File created | C:\Windows\L2Schemas\101b941d020240 | DllCommonsvc.exe |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_601ad0e1260258028f432a3746a87816a2a2d0c8bd3e22f50cd0ee85faa666a2.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
| pid | Process |
|---|---|
| 2696 | schtasks.exe |
| 2860 | schtasks.exe |
| 380 | schtasks.exe |
| 1160 | schtasks.exe |
| 2560 | schtasks.exe |
| 2860 | schtasks.exe |
| 2864 | schtasks.exe |
| 2436 | schtasks.exe |
| 1064 | schtasks.exe |
| 1528 | schtasks.exe |
| 1832 | schtasks.exe |
| 1500 | schtasks.exe |
| 1876 | schtasks.exe |
| 3008 | schtasks.exe |
| 2732 | schtasks.exe |
| 1512 | schtasks.exe |
| 2956 | schtasks.exe |
| 584 | schtasks.exe |
| 336 | schtasks.exe |
| 584 | schtasks.exe |
| 2056 | schtasks.exe |
| 396 | schtasks.exe |
| 1724 | schtasks.exe |
| 2068 | schtasks.exe |
| 2072 | schtasks.exe |
| 2964 | schtasks.exe |
| 1308 | schtasks.exe |
| 1976 | schtasks.exe |
| 2440 | schtasks.exe |
| 2464 | schtasks.exe |
| 2880 | schtasks.exe |
| 2924 | schtasks.exe |
| 2512 | schtasks.exe |
| 2604 | schtasks.exe |
| 3024 | schtasks.exe |
| 860 | schtasks.exe |
| 2656 | schtasks.exe |
| 1972 | schtasks.exe |
| 1272 | schtasks.exe |
| 2280 | schtasks.exe |
| 1848 | schtasks.exe |
| 1736 | schtasks.exe |
Suspicious behavior: EnumeratesProcesses 35 IoCs
| pid | Process |
|---|---|
| 2640 | DllCommonsvc.exe |
| 2640 | DllCommonsvc.exe |
| 2640 | DllCommonsvc.exe |
| 2640 | DllCommonsvc.exe |
| 2640 | DllCommonsvc.exe |
| 1440 | powershell.exe |
| 2316 | powershell.exe |
| 1948 | powershell.exe |
| 2360 | powershell.exe |
| 2452 | powershell.exe |
| 1940 | powershell.exe |
| 1412 | powershell.exe |
| 2224 | DllCommonsvc.exe |
| 2224 | DllCommonsvc.exe |
| 2224 | DllCommonsvc.exe |
| 3020 | powershell.exe |
| 2052 | powershell.exe |
| 1500 | powershell.exe |
| 2940 | powershell.exe |
| 2448 | powershell.exe |
| 1988 | powershell.exe |
| 1296 | powershell.exe |
| 2252 | powershell.exe |
| 2212 | powershell.exe |
| 1396 | lsm.exe |
| 2084 | lsm.exe |
| 1728 | lsm.exe |
| 568 | lsm.exe |
| 2716 | lsm.exe |
| 1696 | lsm.exe |
| 2140 | lsm.exe |
| 2412 | lsm.exe |
| 968 | lsm.exe |
| 692 | lsm.exe |
| 2768 | lsm.exe |
Suspicious use of AdjustPrivilegeToken 29 IoCs
| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 2640 | DllCommonsvc.exe |
| Token: SeDebugPrivilege | 1440 | powershell.exe |
| Token: SeDebugPrivilege | 2316 | powershell.exe |
| Token: SeDebugPrivilege | 1948 | powershell.exe |
| Token: SeDebugPrivilege | 2360 | powershell.exe |
| Token: SeDebugPrivilege | 2452 | powershell.exe |
| Token: SeDebugPrivilege | 1940 | powershell.exe |
| Token: SeDebugPrivilege | 1412 | powershell.exe |
| Token: SeDebugPrivilege | 2224 | DllCommonsvc.exe |
| Token: SeDebugPrivilege | 3020 | powershell.exe |
| Token: SeDebugPrivilege | 2052 | powershell.exe |
| Token: SeDebugPrivilege | 1500 | powershell.exe |
| Token: SeDebugPrivilege | 2940 | powershell.exe |
| Token: SeDebugPrivilege | 2448 | powershell.exe |
| Token: SeDebugPrivilege | 1988 | powershell.exe |
| Token: SeDebugPrivilege | 1296 | powershell.exe |
| Token: SeDebugPrivilege | 2212 | powershell.exe |
| Token: SeDebugPrivilege | 2252 | powershell.exe |
| Token: SeDebugPrivilege | 1396 | lsm.exe |
| Token: SeDebugPrivilege | 2084 | lsm.exe |
| Token: SeDebugPrivilege | 1728 | lsm.exe |
| Token: SeDebugPrivilege | 568 | lsm.exe |
| Token: SeDebugPrivilege | 2716 | lsm.exe |
| Token: SeDebugPrivilege | 1696 | lsm.exe |
| Token: SeDebugPrivilege | 2140 | lsm.exe |
| Token: SeDebugPrivilege | 2412 | lsm.exe |
| Token: SeDebugPrivilege | 968 | lsm.exe |
| Token: SeDebugPrivilege | 692 | lsm.exe |
| Token: SeDebugPrivilege | 2768 | lsm.exe |
Suspicious use of WriteProcessMemory 64 IoCs
| description | pid | Process | procid_target |
|---|---|---|---|
| PID 3008 wrote to memory of 2736 | 3008 | JaffaCakes118_601ad0e1260258028f432a3746a87816a2a2d0c8bd3e22f50cd0ee85faa666a2.exe | 30 |
| PID 3008 wrote to memory of 2736 | 3008 | JaffaCakes118_601ad0e1260258028f432a3746a87816a2a2d0c8bd3e22f50cd0ee85faa666a2.exe | 30 |
| PID 3008 wrote to memory of 2736 | 3008 | JaffaCakes118_601ad0e1260258028f432a3746a87816a2a2d0c8bd3e22f50cd0ee85faa666a2.exe | 30 |
| PID 3008 wrote to memory of 2736 | 3008 | JaffaCakes118_601ad0e1260258028f432a3746a87816a2a2d0c8bd3e22f50cd0ee85faa666a2.exe | 30 |
| PID 2736 wrote to memory of 2368 | 2736 | WScript.exe | 31 |
| PID 2736 wrote to memory of 2368 | 2736 | WScript.exe | 31 |
| PID 2736 wrote to memory of 2368 | 2736 | WScript.exe | 31 |
| PID 2736 wrote to memory of 2368 | 2736 | WScript.exe | 31 |
| PID 2368 wrote to memory of 2640 | 2368 | cmd.exe | 33 |
| PID 2368 wrote to memory of 2640 | 2368 | cmd.exe | 33 |
| PID 2368 wrote to memory of 2640 | 2368 | cmd.exe | 33 |
| PID 2368 wrote to memory of 2640 | 2368 | cmd.exe | 33 |
| PID 2640 wrote to memory of 1412 | 2640 | DllCommonsvc.exe | 53 |
| PID 2640 wrote to memory of 1412 | 2640 | DllCommonsvc.exe | 53 |
| PID 2640 wrote to memory of 1412 | 2640 | DllCommonsvc.exe | 53 |
| PID 2640 wrote to memory of 1440 | 2640 | DllCommonsvc.exe | 54 |
| PID 2640 wrote to memory of 1440 | 2640 | DllCommonsvc.exe | 54 |
| PID 2640 wrote to memory of 1440 | 2640 | DllCommonsvc.exe | 54 |
| PID 2640 wrote to memory of 1940 | 2640 | DllCommonsvc.exe | 55 |
| PID 2640 wrote to memory of 1940 | 2640 | DllCommonsvc.exe | 55 |
| PID 2640 wrote to memory of 1940 | 2640 | DllCommonsvc.exe | 55 |
| PID 2640 wrote to memory of 2452 | 2640 | DllCommonsvc.exe | 56 |
| PID 2640 wrote to memory of 2452 | 2640 | DllCommonsvc.exe | 56 |
| PID 2640 wrote to memory of 2452 | 2640 | DllCommonsvc.exe | 56 |
| PID 2640 wrote to memory of 2316 | 2640 | DllCommonsvc.exe | 57 |
| PID 2640 wrote to memory of 2316 | 2640 | DllCommonsvc.exe | 57 |
| PID 2640 wrote to memory of 2316 | 2640 | DllCommonsvc.exe | 57 |
| PID 2640 wrote to memory of 2360 | 2640 | DllCommonsvc.exe | 60 |
| PID 2640 wrote to memory of 2360 | 2640 | DllCommonsvc.exe | 60 |
| PID 2640 wrote to memory of 2360 | 2640 | DllCommonsvc.exe | 60 |
| PID 2640 wrote to memory of 1948 | 2640 | DllCommonsvc.exe | 61 |
| PID 2640 wrote to memory of 1948 | 2640 | DllCommonsvc.exe | 61 |
| PID 2640 wrote to memory of 1948 | 2640 | DllCommonsvc.exe | 61 |
| PID 2640 wrote to memory of 2224 | 2640 | DllCommonsvc.exe | 67 |
| PID 2640 wrote to memory of 2224 | 2640 | DllCommonsvc.exe | 67 |
| PID 2640 wrote to memory of 2224 | 2640 | DllCommonsvc.exe | 67 |
| PID 2224 wrote to memory of 2940 | 2224 | DllCommonsvc.exe | 92 |
| PID 2224 wrote to memory of 2940 | 2224 | DllCommonsvc.exe | 92 |
| PID 2224 wrote to memory of 2940 | 2224 | DllCommonsvc.exe | 92 |
| PID 2224 wrote to memory of 2252 | 2224 | DllCommonsvc.exe | 93 |
| PID 2224 wrote to memory of 2252 | 2224 | DllCommonsvc.exe | 93 |
| PID 2224 wrote to memory of 2252 | 2224 | DllCommonsvc.exe | 93 |
| PID 2224 wrote to memory of 3020 | 2224 | DllCommonsvc.exe | 95 |
| PID 2224 wrote to memory of 3020 | 2224 | DllCommonsvc.exe | 95 |
| PID 2224 wrote to memory of 3020 | 2224 | DllCommonsvc.exe | 95 |
| PID 2224 wrote to memory of 2448 | 2224 | DllCommonsvc.exe | 96 |
| PID 2224 wrote to memory of 2448 | 2224 | DllCommonsvc.exe | 96 |
| PID 2224 wrote to memory of 2448 | 2224 | DllCommonsvc.exe | 96 |
| PID 2224 wrote to memory of 2212 | 2224 | DllCommonsvc.exe | 97 |
| PID 2224 wrote to memory of 2212 | 2224 | DllCommonsvc.exe | 97 |
| PID 2224 wrote to memory of 2212 | 2224 | DllCommonsvc.exe | 97 |
| PID 2224 wrote to memory of 1988 | 2224 | DllCommonsvc.exe | 98 |
| PID 2224 wrote to memory of 1988 | 2224 | DllCommonsvc.exe | 98 |
| PID 2224 wrote to memory of 1988 | 2224 | DllCommonsvc.exe | 98 |
| PID 2224 wrote to memory of 1500 | 2224 | DllCommonsvc.exe | 99 |
| PID 2224 wrote to memory of 1500 | 2224 | DllCommonsvc.exe | 99 |
| PID 2224 wrote to memory of 1500 | 2224 | DllCommonsvc.exe | 99 |
| PID 2224 wrote to memory of 2052 | 2224 | DllCommonsvc.exe | 100 |
| PID 2224 wrote to memory of 2052 | 2224 | DllCommonsvc.exe | 100 |
| PID 2224 wrote to memory of 2052 | 2224 | DllCommonsvc.exe | 100 |
| PID 2224 wrote to memory of 1296 | 2224 | DllCommonsvc.exe | 101 |
| PID 2224 wrote to memory of 1296 | 2224 | DllCommonsvc.exe | 101 |
| PID 2224 wrote to memory of 1296 | 2224 | DllCommonsvc.exe | 101 |
| PID 2224 wrote to memory of 1396 | 2224 | DllCommonsvc.exe | 110 |
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree depth in brackets)

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_601ad0e1260258028f432a3746a87816a2a2d0c8bd3e22f50cd0ee85faa666a2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_601ad0e1260258028f432a3746a87816a2a2d0c8bd3e22f50cd0ee85faa666a2.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3008

[2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2736

[3] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2368

[4] C:\providercommon\DllCommonsvc.exe
    Command line: "C:\providercommon\DllCommonsvc.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2640

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1412

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1440

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1940

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2452

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\winlogon.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2316

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2360

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Local Settings\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1948

[5] C:\providercommon\DllCommonsvc.exe
    Command line: "C:\providercommon\DllCommonsvc.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2224

[6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2940

[6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Updater6\lsm.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2252

[6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3020

[6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2448

[6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2212

[6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1988

[6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\DESIGNER\dllhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1500

[6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2052

[6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\lsm.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1296

[6] C:\Users\All Users\Adobe\Updater6\lsm.exe
    Command line: "C:\Users\All Users\Adobe\Updater6\lsm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1396

[7] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tGPC7CVf0d.bat"
    PID: 2380

[8] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2932

[8] C:\Users\All Users\Adobe\Updater6\lsm.exe
    Command line: "C:\Users\All Users\Adobe\Updater6\lsm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2084

[9] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0VN2lTwXPf.bat"
    PID: 3032

[10] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2172

[10] C:\Users\All Users\Adobe\Updater6\lsm.exe
    Command line: "C:\Users\All Users\Adobe\Updater6\lsm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1728

[11] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sJ59Arupck.bat"
    PID: 1296

[12] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1956

[12] C:\Users\All Users\Adobe\Updater6\lsm.exe
    Command line: "C:\Users\All Users\Adobe\Updater6\lsm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 568

[13] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wqkq749RcZ.bat"
    PID: 2556

[14] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1524

[14] C:\Users\All Users\Adobe\Updater6\lsm.exe
    Command line: "C:\Users\All Users\Adobe\Updater6\lsm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2716

[15] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat"
    PID: 3044

[16] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2528

[16] C:\Users\All Users\Adobe\Updater6\lsm.exe
    Command line: "C:\Users\All Users\Adobe\Updater6\lsm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1696

[17] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat"
    PID: 1348

[18] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1668

[18] C:\Users\All Users\Adobe\Updater6\lsm.exe
    Command line: "C:\Users\All Users\Adobe\Updater6\lsm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2140

[19] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat"
    PID: 1780

[20] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2188

[20] C:\Users\All Users\Adobe\Updater6\lsm.exe
    Command line: "C:\Users\All Users\Adobe\Updater6\lsm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2412

[21] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ph8sa6VtQm.bat"
    PID: 2992

[22] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2060

[22] C:\Users\All Users\Adobe\Updater6\lsm.exe
    Command line: "C:\Users\All Users\Adobe\Updater6\lsm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 968

[23] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\arqkgCRh4V.bat"
    PID: 2476

[24] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1984

[24] C:\Users\All Users\Adobe\Updater6\lsm.exe
    Command line: "C:\Users\All Users\Adobe\Updater6\lsm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 692

[25] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VCTPXfsZqS.bat"
    PID: 2420

[26] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2660

[26] C:\Users\All Users\Adobe\Updater6\lsm.exe
    Command line: "C:\Users\All Users\Adobe\Updater6\lsm.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2768
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Public\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Local Settings\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Local Settings\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Adobe\Updater6\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Updater6\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Adobe\Updater6\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\providercommon\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\DESIGNER\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\L2Schemas\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Windows\L2Schemas\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 72011156c20eba01b8291a6c170a01d3
SHA1 7dff963749ebcfe1a91750b756fd471738c6bfc5
SHA256 cb956ea91608e1718d4a8b8fc8a5e9e0e80047e4709d04e5026271575e8c09ce
SHA512 282a0aef32e2b49c3809276d6a699c77f0c156c45ed4b26c90866c414f426551ea5a7f41fee6bf6217edd8b031c5618a8819dd0b3b7ea113ac6c954b4e3096e3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 071f0681c9b935b22255725eb8327f52
SHA1 3841585ebbe330f31823df510d4ca9bd6f159abd
SHA256 d7a6d4ba062ac5228e7d9e56982a091b52da9ff3f611b8eb1f346b65a41c18f2
SHA512 563c5e465d904a56bffe4d5e76b2569384bb79035f65e80f2cb7030202d9e150792b7cafb574398995cafc9749afa20a698d1247ee9e5d0ae12768bf51d61dce
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 3e50e59bcf726093ec75915a875090fe
SHA1 58b73dbbd36aa06eb69d670ea9b403e8119e9b47
SHA256 ae64686da57b18229ec1b0dcd59e73377c253aea8d3ddbe25b3408c8173d2e28
SHA512 0eed8cc7cfb135182f27c05ac92e09b5ad61b240124f12119e18c6b4ffeca17502a3bf443ccdd63b869fba27bea546d625b6e97ffe9e51807b6e4398e1940654
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 ea3972f0319ee0ce70f88df17829cfc5
SHA1 004ac06d3f016885fd666a9fa4804fd3a966727a
SHA256 978e0d1fe1e819fd57f8cd8cb0a12a10741a0202bab84e8b2c434e9d488941fb
SHA512 ff6e8756fcb80536b4645eabc9a4d0396758b7b5d89e1a773bc1d7341a0843d067eefe440391c915212be6c700cd6c09098a7fb0526e7ebaa345dcee304cd1a5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 175d55ec76be21705f2d04f05516d97a
SHA1 bc5bf2957d707039aec64dd41c69e64b4c19377a
SHA256 54a33539d6e1ab82afcfd954a74c0d6c49cb64941f08b7311d273a9c7800c9b2
SHA512 ae68bf56e230b37fa04cbb68f546a98020fc3470ee6524f4f56cc027714fc34466d35afdf19e87db53204df750fd6671ea111ace64bfcf29fca05ee6ec812a76
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 1f14d8991d33ff043aaa8ff2638cf57e
SHA1 6df23ffd04f6fbfa95aec4da68f0e1d2768dc64b
SHA256 2f8ca25fceedcca1f4173e8ece5214f358e4d1846c3dfb747f3c8a0c6b421693
SHA512 cc49b0024cb47ca0508e7ef5bf83bcc7cf830f7ed697fac2fbec51626f222e21c642a61f67835dab351d53ad0973372d62976e9cd778376995786315ac9f36d7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 597386a5d9edcd9ac7102bd28e3fdde7
SHA1 8239378e1fafc7d70c19f6375ead8d8e4b1385c0
SHA256 95f683872b4ee5d737c4ad4e655d29de80584a66ffced602829a609c3f4fe51a
SHA512 3fb31b77b8d3e8eb47c51e5e273f2caae25b6e38963d42b572bd14c7ca85c843490073ce522a7b7e6d69f2e7a537336c3112edb2f88efe403a3da50474e1d83a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 69cfa586f519e40d58b569ebe3f419ec
SHA1 5b5f209edf398dc333ef43129e7dcb0d5cf3c51f
SHA256 6e9d63be038c03579494fb57f924a9cc71fb791791a62db0cb45bf4564a6a110
SHA512 e1663a03b8126ea99fe0dd3dd90c46c815a3949e03fcde236b6ea211fa41e0bd7f4429715db4bf5fc78c400f7d5eca90d752f40d674f55746b74defc7948831f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 b18897eb49c8e566a38b94bf1b34feb5
SHA1 4d9506a404c0bd440ecc33eb38d8eee7dac554a1
SHA256 6e759b6444a655ca1dbab898cae3bc1964b013bb6c86bd5ef54e735818c82252
SHA512 97e27a9d22d5b2270cccdcec948549cbab39d6b623c025e27cebaaa3d0de98f66000f4cf9dc9385c1d97c14eeb619b72906330059127680329f08aee370d20f6
-
Filesize 206B
MD5 ca85bbd6438bdef8b534077e127a25de
SHA1 9b776294e23a6e1c02856155c8dfd32b4902f255
SHA256 4d08b8cb32053bfa64b4ad799b18f26c9d54fb81d2756e8229fe09f8e9545d7e
SHA512 ac5bad99400c6f2d82fcffdcf2a382240f55ecd3e9e3c9af6186142cce18c806f14ee41c6e32bd022e9935d4c27949094ff7f4c55cc98aafb697666ea90d653b
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 206B
MD5 67bcd060ff9671e83e7db958776150b9
SHA1 70d70957d59c21f8596500eec8b6ab06e61102de
SHA256 95165f093af999f2cf9e195275de5884ef270f09c8a35f2b7db578fd604107a8
SHA512 9b5aa2c4035fa5c4df2e23bb7a575012dfbc03fd999fcd50c0a8cfca5529a5501bfa6a876b2832c385ff4f5215222184918502405f01121e8f460402ab63b364
-
Filesize 206B
MD5 206ac31c0d34731ef87f17e02098bd74
SHA1 32899c998a4b0bca710c2dd57fc48efda9b99999
SHA256 ac92409cc6c0afc47decc9ae86a74cdcfee9616f01d18ea539e07d2626bff2b8
SHA512 eb13db08ed3444d04b7481206db8b3b930c8572505342eff2e4b459daba44f5506afc48f72341e0fb749aec1eb163a96e688d714b276f9d8137328cf20244836
-
Filesize 206B
MD5 fd26fa14ff632632a191d6051ac73438
SHA1 13309bcd07b568aec659427497b4bb4ad8e03da6
SHA256 43076998229d3af0cab050dad914c6014dc7745ff5dc686a062ef601cafc2f25
SHA512 5d4700e89d99c5036e74c3b8eace9389eea193bf9c521a21ae54cc0c9f896e4f8647648fb922eb518cc03c7d270fd4490ba5da4e98dae32598a7401b6a741f63
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 206B
MD5 41b76755ab0d9e5695d0d809c34fce63
SHA1 8c58b7b6afd9f7679a646084c485506882ed333f
SHA256 29c2057670a05fcba6c284ce25565b563b16f196d6fa3edde47b81740f3cc7a8
SHA512 74e5211089bd716a669f41f03730bcc17cd492abf5a7a0d9147bac1fcc1b4be6694723ebf68de0f0e3dbc897f3f66808f33361ed19ce0128e0d70c16cd986baf
-
Filesize 206B
MD5 4e6a37208c3386b6e8f78fd779a9c82d
SHA1 fb431a85454891272ed170e8f526ce99e5a17157
SHA256 14db5a9e06e7607330251ed304300ec2a6c2a787326d4f20f89dad2bbe0ea3f7
SHA512 efa260c0480c97875291f26185d9a550f61f226d78aa99e9b7945c58cb20022ce0e81d9af669e61df5c5640b7d184cf3581ab9d1a9530cb352ea4e915da6e72d
-
Filesize 206B
MD5 fdc3749879eb15d20ab8869c2817c4d6
SHA1 c23c5dd9f2f80e95283bf5095c0106d9e5e2335d
SHA256 57ad67b7ac1cca67377612657f35a6dc8fdc1b1d9e134bae8fb2fa5c8977e8d0
SHA512 11a58195999ab9003210c58845529aff9ddfebfcbd577a162b0bbcecd7e203e68098f4b2ab4969a4e1fde851c8dd731d1cf2ad652fdb03dd30bda20618fe6de7
-
Filesize 206B
MD5 2e6d88e06cc147ff096112a3a3fd9cc9
SHA1 64fbdc8a8822fa1753da205d981a1a6028bac85b
SHA256 7150c5df5fc595188a23380d75875240f0255a810684d9c07021e07fce2d0220
SHA512 32aa437cbec33b9a612eac955fff1578575c3c532ef4b0031669beabc2b6224e94c51a105894543005b531fbece49fc53190de178a314873c12725160a7898cb
-
Filesize 206B
MD5 1d026124f716e35006a32b4d06670381
SHA1 415473b0db6ae8e3afb3e5603436ff6d101b4d92
SHA256 a2152defbe752f552763167daca0a56a7df5ad23e0afb6f13e4fb1fedda950df
SHA512 98378cac36aaf7f7d44ea1986bac16b27666144e6d43ee0b838c276709361e35a6bade894cc164c9140cde4f364a3d33e33d3b4ac90014e19339432c9a506501
-
Filesize 206B
MD5 47257ac8da0867308f0ae0382ce6c04f
SHA1 d3b6ffd62a2df4ec7b385ab51b6d54046410aeb4
SHA256 4e4411fc1c3cc1cdb550953548f7fd459b80a9db87f444852f9a516e0105aeaf
SHA512 b05f7a3a085286dd5c34a208415b88d6f34b9c81c97c1b7f9135000f262df0b96a97945cf4c6376dc9cede87d986daa3cb8bb5768983d49b547985f9261c0ecd
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 545cc32a4a472c759a38193b9df99140
SHA1 c72f90440af3a39778d83e01f6bb24230f753263
SHA256 3cb4bbc72f2926ba78b6615e9747da248ae201022e6c87a04cd729628bd52e76
SHA512 f9bc95fa95cca558138384bcb58c270aa04b3a58e7c23a9adf3774a3c8f028a3d4c0db24d7c08305f2810f9dee6897e0efed951f9cb896e59ad37fb5eae30a39
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394