Analysis
-
max time kernel
145s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
21-12-2024 19:16
Behavioral task
behavioral1
Sample
JaffaCakes118_498eb41fd1ac0afa219fcbb97f19095ae673520f3ba940037cde4ed367ab89f1.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
JaffaCakes118_498eb41fd1ac0afa219fcbb97f19095ae673520f3ba940037cde4ed367ab89f1.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_498eb41fd1ac0afa219fcbb97f19095ae673520f3ba940037cde4ed367ab89f1.exe
-
Size
1.3MB
-
MD5
9708e132f7decac513ba63b18c3bda83
-
SHA1
bf0716a01c4809bcdcaa17071ba15dd1259cc4e5
-
SHA256
498eb41fd1ac0afa219fcbb97f19095ae673520f3ba940037cde4ed367ab89f1
-
SHA512
7efa95c47e1f7f9b2e822ef32f04aa6978c0cc8e2006f54d3b5df694d644ec38c350094cbfe4607031fcab903325494883184058c32eae82d011a9415bdc4aad
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2188 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2904 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2668 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2584 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2548 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2608 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2580 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 976 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1684 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2772 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1664 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1636 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2836 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2516 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2356 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2768 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1336 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1760 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 560 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2928 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2920 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 660 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1788 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2004 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2948 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1836 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1484 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 448 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2512 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2336 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 948 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2120 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1008 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2040 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 684 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2376 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2248 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1368 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1284 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 752 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1140 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2452 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 292 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1964 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2616 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1028 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2364 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2128 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1600 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1604 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2352 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2472 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2412 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2108 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2312 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2676 2536 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3000 2536 schtasks.exe 35 -
resource yara_rule behavioral1/files/0x0007000000016ce0-9.dat dcrat behavioral1/memory/1304-13-0x00000000009C0000-0x0000000000AD0000-memory.dmp dcrat behavioral1/memory/688-153-0x0000000000D50000-0x0000000000E60000-memory.dmp dcrat behavioral1/memory/2988-212-0x0000000001090000-0x00000000011A0000-memory.dmp dcrat behavioral1/memory/2680-300-0x00000000000B0000-0x00000000001C0000-memory.dmp dcrat behavioral1/memory/2856-360-0x0000000000C90000-0x0000000000DA0000-memory.dmp dcrat behavioral1/memory/2784-420-0x0000000000D30000-0x0000000000E40000-memory.dmp dcrat behavioral1/memory/2388-480-0x0000000000120000-0x0000000000230000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2916 powershell.exe 2752 powershell.exe 1264 powershell.exe 2000 powershell.exe 1784 powershell.exe 1940 powershell.exe 2568 powershell.exe 2232 powershell.exe 2708 powershell.exe 2528 powershell.exe 2744 powershell.exe 1956 powershell.exe 2860 powershell.exe 2760 powershell.exe 1340 powershell.exe 2196 powershell.exe 2936 powershell.exe 2148 powershell.exe 1860 powershell.exe 2880 powershell.exe -
Executes dropped EXE 8 IoCs
pid Process 1304 DllCommonsvc.exe 688 lsm.exe 2988 lsm.exe 2936 lsm.exe 2680 lsm.exe 2856 lsm.exe 2784 lsm.exe 2388 lsm.exe -
Loads dropped DLL 2 IoCs
pid Process 2388 cmd.exe 2388 cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
flow ioc 9 raw.githubusercontent.com 12 raw.githubusercontent.com 16 raw.githubusercontent.com 19 raw.githubusercontent.com 22 raw.githubusercontent.com 4 raw.githubusercontent.com 5 raw.githubusercontent.com -
Drops file in Program Files directory 7 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Windows Defender\lsm.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Defender\101b941d020240 DllCommonsvc.exe File created C:\Program Files\Java\csrss.exe DllCommonsvc.exe File created C:\Program Files\Java\886983d96e3d3e DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\Idle.exe DllCommonsvc.exe File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\6ccacd8608530f DllCommonsvc.exe File created C:\Program Files (x86)\Windows Defender\lsm.exe DllCommonsvc.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File created C:\Windows\BitLockerDiscoveryVolumeContents\taskhost.exe DllCommonsvc.exe File created C:\Windows\BitLockerDiscoveryVolumeContents\b75386f1303e64 DllCommonsvc.exe File created C:\Windows\tracing\dllhost.exe DllCommonsvc.exe File created C:\Windows\tracing\5940a34987c991 DllCommonsvc.exe File created C:\Windows\debug\WIA\lsm.exe DllCommonsvc.exe File created C:\Windows\debug\WIA\101b941d020240 DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_498eb41fd1ac0afa219fcbb97f19095ae673520f3ba940037cde4ed367ab89f1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2920 schtasks.exe 2948 schtasks.exe 1836 schtasks.exe 1604 schtasks.exe 2836 schtasks.exe 2676 schtasks.exe 2376 schtasks.exe 1284 schtasks.exe 2312 schtasks.exe 2516 schtasks.exe 1336 schtasks.exe 1484 schtasks.exe 2188 schtasks.exe 560 schtasks.exe 660 schtasks.exe 2452 schtasks.exe 2364 schtasks.exe 2580 schtasks.exe 1600 schtasks.exe 2584 schtasks.exe 2608 schtasks.exe 2412 schtasks.exe 2548 schtasks.exe 448 schtasks.exe 2128 schtasks.exe 2472 schtasks.exe 2772 schtasks.exe 2768 schtasks.exe 2668 schtasks.exe 1788 schtasks.exe 2004 schtasks.exe 2336 schtasks.exe 2040 schtasks.exe 1964 schtasks.exe 976 schtasks.exe 1684 schtasks.exe 1008 schtasks.exe 2616 schtasks.exe 1028 schtasks.exe 1664 schtasks.exe 2928 schtasks.exe 1368 schtasks.exe 2352 schtasks.exe 1636 schtasks.exe 2356 schtasks.exe 1760 schtasks.exe 948 schtasks.exe 2512 schtasks.exe 2120 schtasks.exe 3000 schtasks.exe 2904 schtasks.exe 684 schtasks.exe 2248 schtasks.exe 292 schtasks.exe 2108 schtasks.exe 752 schtasks.exe 1140 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 34 IoCs
pid Process 1304 DllCommonsvc.exe 1304 DllCommonsvc.exe 1304 DllCommonsvc.exe 1304 DllCommonsvc.exe 1304 DllCommonsvc.exe 1304 DllCommonsvc.exe 1304 DllCommonsvc.exe 1784 powershell.exe 2232 powershell.exe 2196 powershell.exe 2760 powershell.exe 1940 powershell.exe 1264 powershell.exe 2000 powershell.exe 2752 powershell.exe 2148 powershell.exe 2744 powershell.exe 2916 powershell.exe 2528 powershell.exe 2880 powershell.exe 1340 powershell.exe 2708 powershell.exe 2568 powershell.exe 2860 powershell.exe 1860 powershell.exe 2936 powershell.exe 1956 powershell.exe 688 lsm.exe 2988 lsm.exe 2936 lsm.exe 2680 lsm.exe 2856 lsm.exe 2784 lsm.exe 2388 lsm.exe -
Suspicious use of AdjustPrivilegeToken 28 IoCs
description pid Process Token: SeDebugPrivilege 1304 DllCommonsvc.exe Token: SeDebugPrivilege 1784 powershell.exe Token: SeDebugPrivilege 2232 powershell.exe Token: SeDebugPrivilege 2196 powershell.exe Token: SeDebugPrivilege 2760 powershell.exe Token: SeDebugPrivilege 1940 powershell.exe Token: SeDebugPrivilege 1264 powershell.exe Token: SeDebugPrivilege 2000 powershell.exe Token: SeDebugPrivilege 2752 powershell.exe Token: SeDebugPrivilege 2148 powershell.exe Token: SeDebugPrivilege 2744 powershell.exe Token: SeDebugPrivilege 2916 powershell.exe Token: SeDebugPrivilege 2528 powershell.exe Token: SeDebugPrivilege 2880 powershell.exe Token: SeDebugPrivilege 1340 powershell.exe Token: SeDebugPrivilege 2708 powershell.exe Token: SeDebugPrivilege 2568 powershell.exe Token: SeDebugPrivilege 2860 powershell.exe Token: SeDebugPrivilege 1860 powershell.exe Token: SeDebugPrivilege 2936 powershell.exe Token: SeDebugPrivilege 1956 powershell.exe Token: SeDebugPrivilege 688 lsm.exe Token: SeDebugPrivilege 2988 lsm.exe Token: SeDebugPrivilege 2936 lsm.exe Token: SeDebugPrivilege 2680 lsm.exe Token: SeDebugPrivilege 2856 lsm.exe Token: SeDebugPrivilege 2784 lsm.exe Token: SeDebugPrivilege 2388 lsm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2412 wrote to memory of 2288 2412 JaffaCakes118_498eb41fd1ac0afa219fcbb97f19095ae673520f3ba940037cde4ed367ab89f1.exe 31 PID 2412 wrote to memory of 2288 2412 JaffaCakes118_498eb41fd1ac0afa219fcbb97f19095ae673520f3ba940037cde4ed367ab89f1.exe 31 PID 2412 wrote to memory of 2288 2412 JaffaCakes118_498eb41fd1ac0afa219fcbb97f19095ae673520f3ba940037cde4ed367ab89f1.exe 31 PID 2412 wrote to memory of 2288 2412 JaffaCakes118_498eb41fd1ac0afa219fcbb97f19095ae673520f3ba940037cde4ed367ab89f1.exe 31 PID 2288 wrote to memory of 2388 2288 WScript.exe 32 PID 2288 wrote to memory of 2388 2288 WScript.exe 32 PID 2288 wrote to memory of 2388 2288 WScript.exe 32 PID 2288 wrote to memory of 2388 2288 WScript.exe 32 PID 2388 wrote to memory of 1304 2388 cmd.exe 34 PID 2388 wrote to memory of 1304 2388 cmd.exe 34 PID 2388 wrote to memory of 1304 2388 cmd.exe 34 PID 2388 wrote to memory of 1304 2388 cmd.exe 34 PID 1304 wrote to memory of 2916 1304 DllCommonsvc.exe 93 PID 1304 wrote to memory of 2916 1304 DllCommonsvc.exe 93 PID 1304 wrote to memory of 2916 1304 DllCommonsvc.exe 93 PID 1304 wrote to memory of 2936 1304 DllCommonsvc.exe 94 PID 1304 wrote to memory of 2936 1304 DllCommonsvc.exe 94 PID 1304 wrote to memory of 2936 1304 DllCommonsvc.exe 94 PID 1304 wrote to memory of 2708 1304 DllCommonsvc.exe 95 PID 1304 wrote to memory of 2708 1304 DllCommonsvc.exe 95 PID 1304 wrote to memory of 2708 1304 DllCommonsvc.exe 95 PID 1304 wrote to memory of 2528 1304 DllCommonsvc.exe 97 PID 1304 wrote to memory of 2528 1304 DllCommonsvc.exe 97 PID 1304 wrote to memory of 2528 1304 DllCommonsvc.exe 97 PID 1304 wrote to memory of 2232 1304 DllCommonsvc.exe 99 PID 1304 wrote to memory of 2232 1304 DllCommonsvc.exe 99 PID 1304 wrote to memory of 2232 1304 DllCommonsvc.exe 99 PID 1304 wrote to memory of 2196 1304 DllCommonsvc.exe 101 PID 1304 wrote to memory of 2196 1304 DllCommonsvc.exe 101 PID 1304 wrote to memory of 2196 1304 DllCommonsvc.exe 101 PID 1304 wrote to memory of 2760 1304 DllCommonsvc.exe 103 PID 1304 wrote to memory of 2760 1304 DllCommonsvc.exe 103 PID 1304 wrote to memory of 2760 1304 DllCommonsvc.exe 103 PID 1304 wrote to memory of 2568 1304 DllCommonsvc.exe 104 PID 1304 wrote to memory of 2568 1304 DllCommonsvc.exe 104 PID 1304 wrote to memory of 2568 1304 DllCommonsvc.exe 104 PID 1304 wrote to memory of 1340 1304 DllCommonsvc.exe 106 PID 1304 wrote to memory of 1340 1304 DllCommonsvc.exe 106 PID 1304 wrote to memory of 1340 1304 DllCommonsvc.exe 106 PID 1304 wrote to memory of 2880 1304 DllCommonsvc.exe 107 PID 1304 wrote to memory of 2880 1304 DllCommonsvc.exe 107 PID 1304 wrote to memory of 2880 1304 DllCommonsvc.exe 107 PID 1304 wrote to memory of 1940 1304 DllCommonsvc.exe 108 PID 1304 wrote to memory of 1940 1304 DllCommonsvc.exe 108 PID 1304 wrote to memory of 1940 1304 DllCommonsvc.exe 108 PID 1304 wrote to memory of 2860 1304 DllCommonsvc.exe 109 PID 1304 wrote to memory of 2860 1304 DllCommonsvc.exe 109 PID 1304 wrote to memory of 2860 1304 DllCommonsvc.exe 109 PID 1304 wrote to memory of 1860 1304 DllCommonsvc.exe 110 PID 1304 wrote to memory of 1860 1304 DllCommonsvc.exe 110 PID 1304 wrote to memory of 1860 1304 DllCommonsvc.exe 110 PID 1304 wrote to memory of 1784 1304 DllCommonsvc.exe 111 PID 1304 wrote to memory of 1784 1304 DllCommonsvc.exe 111 PID 1304 wrote to memory of 1784 1304 DllCommonsvc.exe 111 PID 1304 wrote to memory of 2752 1304 DllCommonsvc.exe 112 PID 1304 wrote to memory of 2752 1304 DllCommonsvc.exe 112 PID 1304 wrote to memory of 2752 1304 DllCommonsvc.exe 112 PID 1304 wrote to memory of 2000 1304 DllCommonsvc.exe 113 PID 1304 wrote to memory of 2000 1304 DllCommonsvc.exe 113 PID 1304 wrote to memory of 2000 1304 DllCommonsvc.exe 113 PID 1304 wrote to memory of 2148 1304 DllCommonsvc.exe 114 PID 1304 wrote to memory of 2148 1304 DllCommonsvc.exe 114 PID 1304 wrote to memory of 2148 1304 DllCommonsvc.exe 114 PID 1304 wrote to memory of 1264 1304 DllCommonsvc.exe 115 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_498eb41fd1ac0afa219fcbb97f19095ae673520f3ba940037cde4ed367ab89f1.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_498eb41fd1ac0afa219fcbb97f19095ae673520f3ba940037cde4ed367ab89f1.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2916
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2936
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Recorded TV\Sample Media\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2232
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2196
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2568
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1340
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\WIA\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2880
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WMIADAP.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1940
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\smss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2860
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1860
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1784
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2752
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2000
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\Idle.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2148
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1264
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\WMIADAP.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2744
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\laZcHbiAhz.bat"5⤵PID:1076
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:1728
-
-
C:\providercommon\lsm.exe"C:\providercommon\lsm.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:688 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat"7⤵PID:1964
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:3028
-
-
C:\providercommon\lsm.exe"C:\providercommon\lsm.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2988 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5G5G1KH0qy.bat"9⤵PID:2528
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:1992
-
-
C:\providercommon\lsm.exe"C:\providercommon\lsm.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2936 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat"11⤵PID:2276
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:2524
-
-
C:\providercommon\lsm.exe"C:\providercommon\lsm.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2680 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat"13⤵PID:2692
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵PID:688
-
-
C:\providercommon\lsm.exe"C:\providercommon\lsm.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2856 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat"15⤵PID:2016
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵PID:2468
-
-
C:\providercommon\lsm.exe"C:\providercommon\lsm.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2784 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat"17⤵PID:1668
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵PID:2708
-
-
C:\providercommon\lsm.exe"C:\providercommon\lsm.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Recorded TV\Sample Media\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Recorded TV\Sample Media\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\tracing\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\tracing\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\debug\WIA\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\debug\WIA\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Windows\debug\WIA\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Desktop\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Desktop\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Desktop\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\providercommon\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\WMIADAP.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Default User\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5e58033018dd2de4f7e354dde9e55699c
SHA135f895a5fff018f2121b929101027ecf74cfa6cc
SHA2567e9d334aa79340451e2fc30d3aac6c3b0af2ee162b87bc933e2d67c4ead91336
SHA51230b31a5986f3907cec7cc5c2b332caeb1c82564bc5ff6cd9aacd32aa630828089e45a7bb93965e8968bf8a4e8874d1472918ed676cb0e1a9a29a629d9e15425c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD591e10bfdff0182f4d866cb0af4a412b9
SHA13b27e314fa4f170ee4cac8ac83781c3962a39806
SHA25634f58ee517a1ffaf013304ebd87898002d49e944b2f1dad2cd23f1731687d43e
SHA5122f1d8a8b4403af700cabaa192be70795a349990c6cff0f2a3736d2c39f3f6fa318c0d66d0ea8abeff06f9c92d5052dac1d227e81a9614201d9d47d3010bc6bbe
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD53b1af541748470d7f588b0d362814f13
SHA12116c736a7ab3aeaa538a3f5cf0d21e74bb74c37
SHA256ea7c7d889809e469a4a4952183fad81739d4df94903cad1a5d409147a5303167
SHA512e8f0d69b3f498ee979fc2f850bb07c85876b3042148b15fccfef0df4d8f70d281a17de1fd14ad83c98073288491459dd1f604c9f2bd8b75a877bd413449d7752
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD543a411ec52ee07205f1125f647af7a91
SHA1d516f78ca7b85c33be6d4b74dc14ea594e7cadc6
SHA2561bc0cc6c860b9c42f2ffeb5532e94eeae0f7ba190f0fcb5f0f9f6ca8170a0185
SHA512705480ce4a8f7588891fb55addb98e139e5f0bedf8d35a47268de5a8f72db855dd27f6735fbfef943f2ed6892e9ca5406e55ed435219cf3f506b8a5baa8636da
-
Filesize
190B
MD5122e64a8ac106d88f3f55a50c2187eb6
SHA1474b0dceb9b3ea05e418a596fb8d0115bf9492be
SHA256ad63fbcc697a4de02949e250b36e564c1508a01d9597e9c42d8ae455b1859aa1
SHA512f253732f1bda4d7fa16686c676dab3e286f17e02c135d2bf775ff80fc63fe5fae9556e64bea42210b8afb9ae0d4b5ec9a9dce3b975c2e206e1597df5be15efd6
-
Filesize
190B
MD5e54962540193c813d3d956f7e1469ae8
SHA186838fa90f8e039f008ed56c0c46ff87ce380ff8
SHA256cc0f2932695259c74de17cb25d8e464942f9513bdbf5c778a5f01218f9d2a31c
SHA512870e499e640b833706b4c5bb2e6db59e37011effbaebc9443ffa56e0fe42e450fb975f12c7cc9d71c9f9120690cbbba83fcf913b7186d55ffec38b3c4ab1ca9a
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
190B
MD546c9a71720f51ff534edc4e895a7db37
SHA19f1ae6cee766b89e94d97557872705bc6b17d342
SHA256aa2d41d4555cfdf30e9937f38957def17c45ca52c45f12fb161c2fb6f9211249
SHA5127f591fc7714adb08e24fa2e5c449b4163484ef4f15aa93b412075de75b1b9956cf1bea279176162e13e6b868c7a28445fb11162e94966429d9e8edd1f5c0b529
-
Filesize
190B
MD5f8f95ca3e3e69d94c1df493c71e00c08
SHA1ac061ba39f813a6bceefbc5226bf13cfcf3c1546
SHA25691aa33d97c57e2390e1bb3b436a6afcff86a13d6b6787051853d866eeb183123
SHA512fb30304eeda7cd6e09ded5037f0f2acd6c67b61736b5c13455960780b2312916263787689b13ddeaa115d7924d859dbb99679f0748315e068b78f8a483318180
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
190B
MD57fbb31440009d0adb305e224d133b744
SHA1d8e8bf6317713030081cf88bb9a71b3a43061a2a
SHA25630f7ca319687a576f3056610a0d6a706d3dfc79247e23de55a398b9a7359c10d
SHA512f4c745cfa1101ea4959197481dbcb94ba8a004b803dc9ac815089eae6a8cb7b7a8075588cd5267c4a5380708422d579e45373cb5783840b7c3248f3af4200e23
-
Filesize
190B
MD547f1079db5ea331ef816f56e24dd086a
SHA1a1501c3ec067ad48897d278e9c3f5136064d0c4b
SHA256ffaf82a7483986caac8c6e96a4f7ea4490dc60886914c95b38bfcfb85fbaf48d
SHA512361f7c72db1ee35e371c11b338899baf7c41460daebbcc40d95cdc476031bd855a3029e0635f75858804f560dcde75c4cc840d7af327ba6f43003fb54f88b56f
-
Filesize
190B
MD5ec3075a6742a2092952f874b58bd1dc6
SHA1bd0fa38138cba4bd7b29b1afdea69ca3d80ffdfe
SHA2561abd3f9ef4bc6de7e3bcb1709ac78aa27d01d749cf71567feee4cf87c9ba1c89
SHA512e818e75ac5af0caf2faee6ce3892f4cc7c1164ed1196e53d368d17907cfa5c872833679d17181c41672bc7a73a6e183e1517a99634476df8bae836340cc459ea
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\97DJ1JZ3MSRDO4CIQT4S.temp
Filesize7KB
MD5afdd8399b839306fa15c86fe8df1f720
SHA148f2c9c88772f8d59f0989a3604500b206f6b951
SHA25659a6e30b208dc90b0a48b45a8531984c98d07ca533aff4e85e802639a7243aa3
SHA5122804a00f4ddf014ef197ed90e89a5531ee49bbd571c08d24d35723ef138beb22a84a3fe2f8fd84d0336bfae8df3d08ee10892e147978fdec4c1d7dd3c567ee64
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394