Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
21-12-2024 19:30
Behavioral task
behavioral1
Sample
JaffaCakes118_b95d1f9d25bc967f8360738896e7ec042226f03eb6291bfc0e67633099626644.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
JaffaCakes118_b95d1f9d25bc967f8360738896e7ec042226f03eb6291bfc0e67633099626644.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_b95d1f9d25bc967f8360738896e7ec042226f03eb6291bfc0e67633099626644.exe
-
Size
1.3MB
-
MD5
3f77e2241cdcc58863c4f163f54e9ddc
-
SHA1
832240f2fa8d8af926425476f4eeca78080a58b2
-
SHA256
b95d1f9d25bc967f8360738896e7ec042226f03eb6291bfc0e67633099626644
-
SHA512
592c9e1275d6738b6310ec1a45c1e52d04f2b7ba94ba5b66902ae2e81bcd6ad7e27dc05fcaf2d3e79b0db2e80bd6d464c0737fa0443c64452f349791171bb573
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2144 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2728 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3016 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2740 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2692 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2752 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2540 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2240 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1760 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2012 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2888 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3044 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1420 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2992 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2784 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1548 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1088 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3028 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2664 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 108 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1456 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2524 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2572 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2244 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2644 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1920 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2284 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1852 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2556 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2588 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 664 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 832 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2044 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2020 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2288 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1292 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2268 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1900 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1708 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 932 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2480 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2300 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3064 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 556 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2348 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2560 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1360 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2288 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1448 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1856 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1292 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1788 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1708 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3060 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2292 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1432 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1516 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2500 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2728 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2892 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2524 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2416 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2956 2920 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2752 2920 schtasks.exe 34 -
resource yara_rule behavioral1/files/0x0008000000015d81-9.dat dcrat behavioral1/memory/2124-13-0x0000000000F80000-0x0000000001090000-memory.dmp dcrat behavioral1/memory/2460-275-0x0000000001350000-0x0000000001460000-memory.dmp dcrat behavioral1/memory/1292-334-0x00000000013B0000-0x00000000014C0000-memory.dmp dcrat behavioral1/memory/864-855-0x00000000013C0000-0x00000000014D0000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 36 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2216 powershell.exe 1860 powershell.exe 112 powershell.exe 1128 powershell.exe 2588 powershell.exe 2480 powershell.exe 892 powershell.exe 2384 powershell.exe 624 powershell.exe 3036 powershell.exe 2600 powershell.exe 1992 powershell.exe 1748 powershell.exe 1304 powershell.exe 2072 powershell.exe 1980 powershell.exe 1548 powershell.exe 496 powershell.exe 764 powershell.exe 1932 powershell.exe 1580 powershell.exe 2736 powershell.exe 832 powershell.exe 2764 powershell.exe 2380 powershell.exe 1212 powershell.exe 320 powershell.exe 2184 powershell.exe 2096 powershell.exe 1996 powershell.exe 1444 powershell.exe 2196 powershell.exe 1872 powershell.exe 1788 powershell.exe 2392 powershell.exe 2040 powershell.exe -
Executes dropped EXE 13 IoCs
pid Process 2124 DllCommonsvc.exe 2020 DllCommonsvc.exe 2460 WmiPrvSE.exe 1292 WmiPrvSE.exe 2388 WmiPrvSE.exe 3048 WmiPrvSE.exe 2904 WmiPrvSE.exe 1500 WmiPrvSE.exe 2964 WmiPrvSE.exe 2196 WmiPrvSE.exe 1052 WmiPrvSE.exe 2396 WmiPrvSE.exe 864 WmiPrvSE.exe -
Loads dropped DLL 2 IoCs
pid Process 2360 cmd.exe 2360 cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow ioc 5 raw.githubusercontent.com 9 raw.githubusercontent.com 19 raw.githubusercontent.com 23 raw.githubusercontent.com 26 raw.githubusercontent.com 41 raw.githubusercontent.com 4 raw.githubusercontent.com 12 raw.githubusercontent.com 16 raw.githubusercontent.com 30 raw.githubusercontent.com 34 raw.githubusercontent.com 38 raw.githubusercontent.com -
Drops file in Program Files directory 23 IoCs
description ioc Process File created C:\Program Files\VideoLAN\VLC\skins\fonts\75a57c1bdf437c DllCommonsvc.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\WMIADAP.exe DllCommonsvc.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\75a57c1bdf437c DllCommonsvc.exe File created C:\Program Files\Common Files\886983d96e3d3e DllCommonsvc.exe File created C:\Program Files\7-Zip\Lang\24dbde2999530e DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\System.exe DllCommonsvc.exe File created C:\Program Files\Microsoft Office\Office14\1033\6cb0b6c459d5d3 DllCommonsvc.exe File created C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e DllCommonsvc.exe File opened for modification C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e DllCommonsvc.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\886983d96e3d3e DllCommonsvc.exe File opened for modification C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe DllCommonsvc.exe File created C:\Program Files\VideoLAN\VLC\skins\fonts\WMIADAP.exe DllCommonsvc.exe File created C:\Program Files\Microsoft Office\Office14\1033\dwm.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Portable Devices\csrss.exe DllCommonsvc.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\csrss.exe DllCommonsvc.exe File created C:\Program Files\7-Zip\Lang\WmiPrvSE.exe DllCommonsvc.exe File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe DllCommonsvc.exe File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\b75386f1303e64 DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\27d1bcfc3c54e0 DllCommonsvc.exe File opened for modification C:\Program Files (x86)\Windows Portable Devices\csrss.exe DllCommonsvc.exe File created C:\Program Files\Common Files\csrss.exe DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\cc11b995f2a76d DllCommonsvc.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Microsoft.NET\authman\smss.exe DllCommonsvc.exe File created C:\Windows\Microsoft.NET\authman\69ddcba757bf72 DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_b95d1f9d25bc967f8360738896e7ec042226f03eb6291bfc0e67633099626644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1420 schtasks.exe 2860 schtasks.exe 1220 schtasks.exe 2136 schtasks.exe 2168 schtasks.exe 2728 schtasks.exe 2740 schtasks.exe 1760 schtasks.exe 3028 schtasks.exe 2588 schtasks.exe 884 schtasks.exe 108 schtasks.exe 1920 schtasks.exe 664 schtasks.exe 2020 schtasks.exe 1448 schtasks.exe 1900 schtasks.exe 1708 schtasks.exe 1980 schtasks.exe 1920 schtasks.exe 1456 schtasks.exe 700 schtasks.exe 2876 schtasks.exe 2732 schtasks.exe 3044 schtasks.exe 2284 schtasks.exe 2268 schtasks.exe 2348 schtasks.exe 2288 schtasks.exe 3012 schtasks.exe 2220 schtasks.exe 1088 schtasks.exe 1432 schtasks.exe 1516 schtasks.exe 3040 schtasks.exe 444 schtasks.exe 1528 schtasks.exe 2572 schtasks.exe 2556 schtasks.exe 3064 schtasks.exe 2292 schtasks.exe 2416 schtasks.exe 2912 schtasks.exe 1600 schtasks.exe 912 schtasks.exe 2752 schtasks.exe 2540 schtasks.exe 2012 schtasks.exe 2784 schtasks.exe 3060 schtasks.exe 3020 schtasks.exe 2276 schtasks.exe 2072 schtasks.exe 1860 schtasks.exe 2144 schtasks.exe 2240 schtasks.exe 1856 schtasks.exe 1708 schtasks.exe 2956 schtasks.exe 2752 schtasks.exe 556 schtasks.exe 2560 schtasks.exe 3016 schtasks.exe 1548 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 54 IoCs
pid Process 2124 DllCommonsvc.exe 2124 DllCommonsvc.exe 2124 DllCommonsvc.exe 2124 DllCommonsvc.exe 2124 DllCommonsvc.exe 2072 powershell.exe 2096 powershell.exe 1580 powershell.exe 1444 powershell.exe 1980 powershell.exe 496 powershell.exe 892 powershell.exe 2600 powershell.exe 1996 powershell.exe 2384 powershell.exe 1860 powershell.exe 2380 powershell.exe 2196 powershell.exe 764 powershell.exe 1992 powershell.exe 2020 DllCommonsvc.exe 2020 DllCommonsvc.exe 2020 DllCommonsvc.exe 1548 powershell.exe 2736 powershell.exe 2216 powershell.exe 2392 powershell.exe 320 powershell.exe 624 powershell.exe 2480 powershell.exe 1932 powershell.exe 1788 powershell.exe 3036 powershell.exe 2184 powershell.exe 832 powershell.exe 1748 powershell.exe 112 powershell.exe 1304 powershell.exe 2040 powershell.exe 1872 powershell.exe 1128 powershell.exe 2588 powershell.exe 2764 powershell.exe 2460 WmiPrvSE.exe 1292 WmiPrvSE.exe 2388 WmiPrvSE.exe 3048 WmiPrvSE.exe 2904 WmiPrvSE.exe 1500 WmiPrvSE.exe 2964 WmiPrvSE.exe 2196 WmiPrvSE.exe 1052 WmiPrvSE.exe 2396 WmiPrvSE.exe 864 WmiPrvSE.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
description pid Process Token: SeDebugPrivilege 2124 DllCommonsvc.exe Token: SeDebugPrivilege 2072 powershell.exe Token: SeDebugPrivilege 2096 powershell.exe Token: SeDebugPrivilege 1580 powershell.exe Token: SeDebugPrivilege 1444 powershell.exe Token: SeDebugPrivilege 1980 powershell.exe Token: SeDebugPrivilege 496 powershell.exe Token: SeDebugPrivilege 892 powershell.exe Token: SeDebugPrivilege 2600 powershell.exe Token: SeDebugPrivilege 1996 powershell.exe Token: SeDebugPrivilege 2384 powershell.exe Token: SeDebugPrivilege 1860 powershell.exe Token: SeDebugPrivilege 2380 powershell.exe Token: SeDebugPrivilege 2196 powershell.exe Token: SeDebugPrivilege 764 powershell.exe Token: SeDebugPrivilege 1992 powershell.exe Token: SeDebugPrivilege 2020 DllCommonsvc.exe Token: SeDebugPrivilege 1548 powershell.exe Token: SeDebugPrivilege 2736 powershell.exe Token: SeDebugPrivilege 2216 powershell.exe Token: SeDebugPrivilege 2392 powershell.exe Token: SeDebugPrivilege 320 powershell.exe Token: SeDebugPrivilege 624 powershell.exe Token: SeDebugPrivilege 2480 powershell.exe Token: SeDebugPrivilege 1932 powershell.exe Token: SeDebugPrivilege 1788 powershell.exe Token: SeDebugPrivilege 3036 powershell.exe Token: SeDebugPrivilege 2184 powershell.exe Token: SeDebugPrivilege 832 powershell.exe Token: SeDebugPrivilege 1748 powershell.exe Token: SeDebugPrivilege 112 powershell.exe Token: SeDebugPrivilege 1304 powershell.exe Token: SeDebugPrivilege 2040 powershell.exe Token: SeDebugPrivilege 1872 powershell.exe Token: SeDebugPrivilege 1128 powershell.exe Token: SeDebugPrivilege 2588 powershell.exe Token: SeDebugPrivilege 2764 powershell.exe Token: SeDebugPrivilege 2460 WmiPrvSE.exe Token: SeDebugPrivilege 1292 WmiPrvSE.exe Token: SeDebugPrivilege 2388 WmiPrvSE.exe Token: SeDebugPrivilege 3048 WmiPrvSE.exe Token: SeDebugPrivilege 2904 WmiPrvSE.exe Token: SeDebugPrivilege 1500 WmiPrvSE.exe Token: SeDebugPrivilege 2964 WmiPrvSE.exe Token: SeDebugPrivilege 2196 WmiPrvSE.exe Token: SeDebugPrivilege 1052 WmiPrvSE.exe Token: SeDebugPrivilege 2396 WmiPrvSE.exe Token: SeDebugPrivilege 864 WmiPrvSE.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1372 wrote to memory of 3056 1372 JaffaCakes118_b95d1f9d25bc967f8360738896e7ec042226f03eb6291bfc0e67633099626644.exe 30 PID 1372 wrote to memory of 3056 1372 JaffaCakes118_b95d1f9d25bc967f8360738896e7ec042226f03eb6291bfc0e67633099626644.exe 30 PID 1372 wrote to memory of 3056 1372 JaffaCakes118_b95d1f9d25bc967f8360738896e7ec042226f03eb6291bfc0e67633099626644.exe 30 PID 1372 wrote to memory of 3056 1372 JaffaCakes118_b95d1f9d25bc967f8360738896e7ec042226f03eb6291bfc0e67633099626644.exe 30 PID 3056 wrote to memory of 2360 3056 WScript.exe 31 PID 3056 wrote to memory of 2360 3056 WScript.exe 31 PID 3056 wrote to memory of 2360 3056 WScript.exe 31 PID 3056 wrote to memory of 2360 3056 WScript.exe 31 PID 2360 wrote to memory of 2124 2360 cmd.exe 33 PID 2360 wrote to memory of 2124 2360 cmd.exe 33 PID 2360 wrote to memory of 2124 2360 cmd.exe 33 PID 2360 wrote to memory of 2124 2360 cmd.exe 33 PID 2124 wrote to memory of 2096 2124 DllCommonsvc.exe 80 PID 2124 wrote to memory of 2096 2124 DllCommonsvc.exe 80 PID 2124 wrote to memory of 2096 2124 DllCommonsvc.exe 80 PID 2124 wrote to memory of 496 2124 DllCommonsvc.exe 81 PID 2124 wrote to memory of 496 2124 DllCommonsvc.exe 81 PID 2124 wrote to memory of 496 2124 DllCommonsvc.exe 81 PID 2124 wrote to memory of 1996 2124 DllCommonsvc.exe 82 PID 2124 wrote to memory of 1996 2124 DllCommonsvc.exe 82 PID 2124 wrote to memory of 1996 2124 DllCommonsvc.exe 82 PID 2124 wrote to memory of 2072 2124 DllCommonsvc.exe 83 PID 2124 wrote to memory of 2072 2124 DllCommonsvc.exe 83 PID 2124 wrote to memory of 2072 2124 DllCommonsvc.exe 83 PID 2124 wrote to memory of 892 2124 DllCommonsvc.exe 84 PID 2124 wrote to memory of 892 2124 DllCommonsvc.exe 84 PID 2124 wrote to memory of 892 2124 DllCommonsvc.exe 84 PID 2124 wrote to memory of 2600 2124 DllCommonsvc.exe 85 PID 2124 wrote to memory of 2600 2124 DllCommonsvc.exe 85 PID 2124 wrote to memory of 2600 2124 DllCommonsvc.exe 85 PID 2124 wrote to memory of 1980 2124 DllCommonsvc.exe 86 PID 2124 wrote to memory of 1980 2124 DllCommonsvc.exe 86 PID 2124 wrote to memory of 1980 2124 DllCommonsvc.exe 86 PID 2124 wrote to memory of 1580 2124 DllCommonsvc.exe 87 PID 2124 wrote to memory of 1580 2124 DllCommonsvc.exe 87 PID 2124 wrote to memory of 1580 2124 DllCommonsvc.exe 87 PID 2124 wrote to memory of 1992 2124 DllCommonsvc.exe 88 PID 2124 wrote to memory of 1992 2124 DllCommonsvc.exe 88 PID 2124 wrote to memory of 1992 2124 DllCommonsvc.exe 88 PID 2124 wrote to memory of 1444 2124 DllCommonsvc.exe 89 PID 2124 wrote to memory of 1444 2124 DllCommonsvc.exe 89 PID 2124 wrote to memory of 1444 2124 DllCommonsvc.exe 89 PID 2124 wrote to memory of 2196 2124 DllCommonsvc.exe 90 PID 2124 wrote to memory of 2196 2124 DllCommonsvc.exe 90 PID 2124 wrote to memory of 2196 2124 DllCommonsvc.exe 90 PID 2124 wrote to memory of 764 2124 DllCommonsvc.exe 91 PID 2124 wrote to memory of 764 2124 DllCommonsvc.exe 91 PID 2124 wrote to memory of 764 2124 DllCommonsvc.exe 91 PID 2124 wrote to memory of 2380 2124 DllCommonsvc.exe 92 PID 2124 wrote to memory of 2380 2124 DllCommonsvc.exe 92 PID 2124 wrote to memory of 2380 2124 DllCommonsvc.exe 92 PID 2124 wrote to memory of 2384 2124 DllCommonsvc.exe 93 PID 2124 wrote to memory of 2384 2124 DllCommonsvc.exe 93 PID 2124 wrote to memory of 2384 2124 DllCommonsvc.exe 93 PID 2124 wrote to memory of 1212 2124 DllCommonsvc.exe 94 PID 2124 wrote to memory of 1212 2124 DllCommonsvc.exe 94 PID 2124 wrote to memory of 1212 2124 DllCommonsvc.exe 94 PID 2124 wrote to memory of 1860 2124 DllCommonsvc.exe 95 PID 2124 wrote to memory of 1860 2124 DllCommonsvc.exe 95 PID 2124 wrote to memory of 1860 2124 DllCommonsvc.exe 95 PID 2124 wrote to memory of 2924 2124 DllCommonsvc.exe 102 PID 2124 wrote to memory of 2924 2124 DllCommonsvc.exe 102 PID 2124 wrote to memory of 2924 2124 DllCommonsvc.exe 102 PID 2924 wrote to memory of 2856 2924 cmd.exe 108 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b95d1f9d25bc967f8360738896e7ec042226f03eb6291bfc0e67633099626644.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b95d1f9d25bc967f8360738896e7ec042226f03eb6291bfc0e67633099626644.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2096
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:496
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2072
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\Windows NT\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:892
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2600
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1580
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1992
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1444
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2196
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\System.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:764
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2380
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2384
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Start Menu\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
PID:1212
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1860
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\S83eOrzA5b.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:2856
-
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\OSPPSVC.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2216
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsm.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:320
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1304
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1872
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:624
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3036
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1748
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\authman\smss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2184
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1932
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\System.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2588
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\skins\fonts\WMIADAP.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1788
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1128
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\WMIADAP.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:832
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2480
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\WMIADAP.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:112
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eSDKEC6Vm9.bat"7⤵PID:2148
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:2132
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2460 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m47JVZSxDi.bat"9⤵PID:2808
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:2924
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1292 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat"11⤵PID:2384
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:1560
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qKN9Q7Smhq.bat"13⤵PID:2696
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵PID:2452
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3048 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat"15⤵PID:2844
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵PID:1712
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2904 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lZfwAG7KGX.bat"17⤵PID:1892
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵PID:2144
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1500 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUc4JDtx8N.bat"19⤵PID:1236
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵PID:3028
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2964 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\veDg5wW3gS.bat"21⤵PID:2816
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵PID:1220
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2196 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MXvuXcjR4o.bat"23⤵PID:2624
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵PID:2884
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1052 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat"25⤵PID:1704
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵PID:1984
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"26⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2396 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbMo3XBCxD.bat"27⤵PID:2544
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:228⤵PID:2836
-
-
C:\providercommon\WmiPrvSE.exe"C:\providercommon\WmiPrvSE.exe"28⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:864 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\61cJPf1Vjg.bat"29⤵PID:2088
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:230⤵PID:1760
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\1033\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\Windows NT\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Windows NT\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2888
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\Windows NT\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\providercommon\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f1⤵
- Process spawned unexpected child process
PID:2664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
PID:2524
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2244
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\csrss.exe'" /f1⤵
- Process spawned unexpected child process
PID:2644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
PID:1852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Favorites\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Favorites\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Start Menu\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
PID:932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Start Menu\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2300
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
PID:1788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\lsm.exe'" /f1⤵
- Process spawned unexpected child process
PID:2500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\providercommon\csrss.exe'" /f1⤵
- Process spawned unexpected child process
PID:2524
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2072
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'" /rl HIGHEST /f1⤵PID:2488
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:3012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:3040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:3020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /rl HIGHEST /f1⤵PID:2780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /f1⤵PID:1720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵PID:2888
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵PID:864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\Microsoft.NET\authman\smss.exe'" /f1⤵PID:2400
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\authman\smss.exe'" /rl HIGHEST /f1⤵PID:1984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\authman\smss.exe'" /rl HIGHEST /f1⤵PID:2388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /f1⤵PID:2824
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /rl HIGHEST /f1⤵PID:2908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\System.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\System.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\System.exe'" /rl HIGHEST /f1⤵PID:788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\WMIADAP.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\providercommon\audiodg.exe'" /f1⤵PID:2244
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f1⤵PID:1576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\WMIADAP.exe'" /f1⤵PID:1320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Default User\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\providercommon\WmiPrvSE.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f1⤵PID:2900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\WMIADAP.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2168
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2732
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f1⤵PID:1544
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
136B
MD51eeae4516291ab413655c94f93adffd7
SHA1fe772a84d41050f9118e81a7298f72da740346dc
SHA2568b74030ec6b73eada014751a78c16d033e9b9dcbaa2fc3e9db5ed4b1696402e7
SHA5120cc881a78943438eed63875cad21f170f460200aef73e2d4e60134c47bf55a1c2f1dce9737a2dcbcc95d64fb789fa58a3218b05c7a8c8a7f07ebeefae14dde7a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD55e1afa321792990d51d4696b1abefea1
SHA14037a99b76abb566e377a2f6913333c9b59e0e51
SHA256cc8f89eb489e3dbbb522e66ed8285faf03f6b7cb198c143920225dc60280be99
SHA51235d15d80a6cf2ed2f3c61f828c32b075bec39537aa57b88c3e330568ada7095e41a1268e52780108204dab575dbc62ed430dd1c33f6ca15629cb1c6432f6d9a2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD56b1d2f818e2687a6744774868b057ad5
SHA10b64672c0f123d5e707a873091f0634a509517d4
SHA256fa6b6562f5b666ea73bc8dbd762bfbdf38a2286efe0a3cf8416f70f8a8acfc66
SHA51270525428773b40be892074c904065c74ca348293266ee9ec47ecab2116641d6a9b447d3e12c8fc5ac2b3da9e813c3bd6a9c05869cb874d36edbb8d767c4766d6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD56dd3154c6004b7161a06316432e57e36
SHA1c1bc86a547b1e3529e8cf5595ccebacea825c32a
SHA2562639b1037e8d18ff6fc529b7d97ced6caaa9b61920d3428da4035a00af582a6c
SHA51266dc98be4d8195e10bdafa012414a484c9c1c4c74383a6dc11084cb1b0ca9a72c3adf87994f2c8870653da5f6e7310248b528cf3bbf2479955a66a3d30d80c22
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5170168af17050d6132f771708653b8c6
SHA1b0d1f3181b5d4aff9d404a9ace62f63083eeb992
SHA2565485ae13f76176af74db23fd6b21e7241a73ed17e74e66d3e24a874d247f73ce
SHA5128e832ec9186279c2b37eee7cbbb90c7aa3a43c1870ccc4194d4db5b34b6a012b471eefdb8cbefecacde24e0b2f861b4d2bd6f6d96eb6536b4ff395818cdc5ab4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5dc552dac5621604a404e7f8c064c451a
SHA1481975bedc77a018d3c0b2302a179472db0ae59e
SHA2562d40d3985c1f3928977e24a44fbc60108b1069a08df5008d7746d451575af712
SHA512898b7e1bd4b907ab8a90239710be51c37fd679cfef1d4380e1a5073f75de7200690ad6535e0b3527a055e380c519665606bbf054811560b244336fbaf9da196b
-
Filesize
195B
MD568e5356d3a1928302d1e413eee8e6a55
SHA1b73697f7b0b297e23d02b150174783535b31d596
SHA256d296baa01e4d64148614655679348b76f896754b618baff7c2aec3cb29bafb70
SHA512f031b13249a0d2d9992f29b1e33d54942b8aa28d0bfd2b603bc2fd860d5b47be02580c612e7a262c20112575dfc986634fec1adf8dc1fa2f650100563fe3f4ae
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
195B
MD5ca47d17d25a15eb609cb706c8cbe9293
SHA11a11a5862803119dfadec63a234dc6a2061552cc
SHA25603d14de990214f2ac6c7d5bb02504dd18721e6b03a01b2bddbb9f3977efbeb11
SHA51298c0d9aa7940d25d0dccd15c472f68d4279d3dd7d35a9caa43f584bf88e2308ff963d7b68001d8d91201b2d9dcbbea8738e9654aeb524b3721f32798388e6dd7
-
Filesize
199B
MD5213ce7a4f7bd85fb8527696b55e8bdf4
SHA16b8180c9e1fe595a85ce81617722f542ff28e6a8
SHA2565e4bbb05f2e12ec2efe52138ed8f7c5c4919beff5772966920f0db2747dbaece
SHA512e1c9480778b1115475945222af05acee4c1c805c5e481d974af8e2839bdbc9b071fa1d5b9c1ae9173319ec8047b255df8f4bac6641ed9154ef5f10f3b4c41775
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
195B
MD57d4a7dca1daa17ff2f1260a8d415fec5
SHA144924532df4114bbfa46d1f5ee3de6872bba924a
SHA2564edfb016487f8abaaafc399ebf4c77534f2f22bc12ed94cb5f1be5d9f407c933
SHA5126b73f1f56698186c2fba4d6ca826426b6b360853bb51086774da757172b56c21c0e0d87b9450b5a2eadcb457549333bc2128803c6e468a029ce5d71bcfdfc443
-
Filesize
195B
MD58f07a64f736efb2d9f6c517738cc89a3
SHA10f05a914395e2f407a80f6287e9926d8c61af675
SHA2567a6df224d8afacbf19ec63a7e440f318df79f61c0b8f3657d5cb594124ceadca
SHA5129ec35007c726eed03d63016021b82d89d0226b38f14d5a093e045bcf17e7ac8313d21a3f5262b1303aa50d2e101cb2996efd8a6652e761fd88c56414fc6e4ddf
-
Filesize
195B
MD5ded2b3b98279d5553179ea244a39c50a
SHA1f8a08a2612782637139001f21b73833593b1ed04
SHA256b090641d52d9ba0ab03efbd1e2fd71d5d91a784e2875c728f035f01d9f58ed20
SHA512c6327dbb6339ca03d8c7abe1ef32f8c96328fe9097204abab79cbb05282ad555d22dd7fc0210333ee3e747db7a48f6c31af358899c5b43c6e1a4b12dbbc6071a
-
Filesize
195B
MD57ee5d9b01b2862c481d0d2fea879c0ae
SHA1189a4e7f82ac78623aa67d4e730d67fef12c0335
SHA256afc9fe8e66e563d96847dcc07af0a4aa9a7c285ef832155ba38667f08b2133f9
SHA512cb1197d96b104ea1a10c5311b8d048dba225b9ca4aed698f3d8433ad097dae22c8b3a24aa226921570fb513e1f1a8b5651df55686a4820d3680bce50944dc057
-
Filesize
195B
MD5a06cb7f6a740e70f499e86605813df77
SHA10d5ec50d49fcf1553cba85eacc71929809af919e
SHA256fbb3785f79f98962fcd090c090921df91f7455a4e2a548dd45962e32b4c1a6ad
SHA512a91efb8c78bdc059a6a88ec4704157fd91e2cb5f9ff26f696686753a96312e2a2b863df75ec898321d23f1721d181d4b9290cfcfeef92de809e19f9b3f1054a7
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5bae60e69dd0e3dfbc9ff74ccdaebc845
SHA1e63309b1dbcde0b6f71e7b1250ddfb122f90d4f6
SHA256f36a25fe8d4a419fb79411bdf77a3aa34640b3d927dfa43ee9435c3e7c7ac45c
SHA512f16008c1a32b4ca4235ac4e63e8da84a755b5d174ccc68519ad9074878cbddc092542cdb2337a3e45837d4f9e3175299f450f363727a0679cb51da8d4a9d298b
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394