Analysis
- max time kernel: 143s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 21-12-2024 20:07

Behavioral task: behavioral1
- Sample: JaffaCakes118_85b560412dd3da634269a2e7c8a1d07d4a3e6220f35e3c2c7f5f9c5f608239e3.exe
- Resource: win7-20241010-en

Behavioral task: behavioral2
- Sample: JaffaCakes118_85b560412dd3da634269a2e7c8a1d07d4a3e6220f35e3c2c7f5f9c5f608239e3.exe
- Resource: win10v2004-20241007-en

General
- Target: JaffaCakes118_85b560412dd3da634269a2e7c8a1d07d4a3e6220f35e3c2c7f5f9c5f608239e3.exe
- Size: 1.3MB
- MD5: 2be4fa432dd092fce0fece274002ab43
- SHA1: 384636d068269221e4d456815d41e7e42f752f85
- SHA256: 85b560412dd3da634269a2e7c8a1d07d4a3e6220f35e3c2c7f5f9c5f608239e3
- SHA512: 1a608746afefb98aa7346a95ab5d1f98d8e53c9a751cddb9aedfc0c13bd2fc4bac4560097ccb526374d4b505a11b773526f1c0d7b875066b384fbb444cdc5df0
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
resource / yara_rule:
- behavioral1/files/0x0009000000016c23-9.dat: dcrat
- behavioral1/memory/2396-13-0x00000000010E0000-0x00000000011F0000-memory.dmp: dcrat
- behavioral1/memory/3684-164-0x0000000000140000-0x0000000000250000-memory.dmp: dcrat
- behavioral1/memory/3008-223-0x0000000000D20000-0x0000000000E30000-memory.dmp: dcrat
- behavioral1/memory/2540-402-0x0000000000290000-0x00000000003A0000-memory.dmp: dcrat
- behavioral1/memory/3692-462-0x0000000000910000-0x0000000000A20000-memory.dmp: dcrat
- behavioral1/memory/1688-522-0x0000000000FD0000-0x00000000010E0000-memory.dmp: dcrat
- behavioral1/memory/1732-641-0x00000000013C0000-0x00000000014D0000-memory.dmp: dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid / Process: 2408 powershell.exe, 1548 powershell.exe, 1804 powershell.exe, 2948 powershell.exe, 556 powershell.exe, 796 powershell.exe, 564 powershell.exe, 1932 powershell.exe, 2988 powershell.exe, 924 powershell.exe, 1356 powershell.exe, 1780 powershell.exe, 1808 powershell.exe, 1604 powershell.exe, 1992 powershell.exe, 2616 powershell.exe, 1656 powershell.exe, 1296 powershell.exe, 1952 powershell.exe, 2764 powershell.exe
Executes dropped EXE 10 IoCs
pid / Process: 2396 DllCommonsvc.exe, 3684 smss.exe, 3008 smss.exe, 3020 smss.exe, 3240 smss.exe, 2540 smss.exe, 3692 smss.exe, 1688 smss.exe, 2088 smss.exe, 1732 smss.exe
Loads dropped DLL 2 IoCs
pid / Process: 2464 cmd.exe, 2464 cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
flow / ioc: 4 raw.githubusercontent.com, 9 raw.githubusercontent.com, 16 raw.githubusercontent.com, 23 raw.githubusercontent.com, 27 raw.githubusercontent.com, 5 raw.githubusercontent.com, 12 raw.githubusercontent.com, 19 raw.githubusercontent.com, 30 raw.githubusercontent.com
Drops file in Program Files directory 10 IoCs
description / ioc / Process:
- File created: C:\Program Files\Windows Portable Devices\services.exe (DllCommonsvc.exe)
- File created: C:\Program Files (x86)\Internet Explorer\de-DE\conhost.exe (DllCommonsvc.exe)
- File created: C:\Program Files\Windows Media Player\Icons\cmd.exe (DllCommonsvc.exe)
- File created: C:\Program Files\Windows Portable Devices\c5b4cb5e9653cc (DllCommonsvc.exe)
- File created: C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\sppsvc.exe (DllCommonsvc.exe)
- File created: C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\0a1fd5f707cd16 (DllCommonsvc.exe)
- File created: C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\dwm.exe (DllCommonsvc.exe)
- File created: C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\6cb0b6c459d5d3 (DllCommonsvc.exe)
- File opened for modification: C:\Program Files (x86)\Internet Explorer\de-DE\conhost.exe (DllCommonsvc.exe)
- File created: C:\Program Files (x86)\Internet Explorer\de-DE\088424020bedd6 (DllCommonsvc.exe)
Drops file in Windows directory 4 IoCs
description / ioc / Process:
- File created: C:\Windows\Media\Landscape\csrss.exe (DllCommonsvc.exe)
- File created: C:\Windows\Media\Landscape\886983d96e3d3e (DllCommonsvc.exe)
- File created: C:\Windows\PLA\Rules\ja-JP\csrss.exe (DllCommonsvc.exe)
- File created: C:\Windows\PLA\Rules\ja-JP\886983d96e3d3e (DllCommonsvc.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (JaffaCakes118_85b560412dd3da634269a2e7c8a1d07d4a3e6220f35e3c2c7f5f9c5f608239e3.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (WScript.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process (all schtasks.exe): 2972, 1148, 2648, 3052, 2516, 1028, 1520, 2076, 2340, 1964, 2004, 2892, 2488, 1976, 2672, 2980, 2876, 672, 2640, 2184, 2380, 2140, 268, 1796, 2668, 2616, 2992, 3028, 2612, 1800, 2844, 1984, 660, 2624, 1528, 936, 1864, 2548, 1756, 2632, 2224, 272, 2704, 1920, 3068, 2884, 2628, 2564, 2916, 2040, 2960, 1968, 1660, 2312, 1748, 1392, 2288
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid / Process: 2396 DllCommonsvc.exe, 2764 powershell.exe, 1804 powershell.exe, 1548 powershell.exe, 1604 powershell.exe, 796 powershell.exe, 1656 powershell.exe, 1992 powershell.exe, 1780 powershell.exe, 1296 powershell.exe, 924 powershell.exe, 2948 powershell.exe, 2988 powershell.exe, 2616 powershell.exe, 1356 powershell.exe, 1808 powershell.exe, 2408 powershell.exe, 1952 powershell.exe, 564 powershell.exe, 1932 powershell.exe, 556 powershell.exe, 3684 smss.exe, 3008 smss.exe, 3020 smss.exe, 3240 smss.exe, 2540 smss.exe, 3692 smss.exe, 1688 smss.exe, 2088 smss.exe, 1732 smss.exe
Suspicious use of AdjustPrivilegeToken 30 IoCs
description / pid / Process (all Token: SeDebugPrivilege): 2396 DllCommonsvc.exe, 2764 powershell.exe, 1804 powershell.exe, 1548 powershell.exe, 1604 powershell.exe, 796 powershell.exe, 1656 powershell.exe, 1992 powershell.exe, 1780 powershell.exe, 1296 powershell.exe, 924 powershell.exe, 2948 powershell.exe, 2988 powershell.exe, 2616 powershell.exe, 1356 powershell.exe, 1808 powershell.exe, 2408 powershell.exe, 1952 powershell.exe, 564 powershell.exe, 1932 powershell.exe, 556 powershell.exe, 3684 smss.exe, 3008 smss.exe, 3020 smss.exe, 3240 smss.exe, 2540 smss.exe, 3692 smss.exe, 1688 smss.exe, 2088 smss.exe, 1732 smss.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_85b560412dd3da634269a2e7c8a1d07d4a3e6220f35e3c2c7f5f9c5f608239e3.exe (PID 2380, tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_85b560412dd3da634269a2e7c8a1d07d4a3e6220f35e3c2c7f5f9c5f608239e3.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\WScript.exe (PID 2348, tree depth 2)
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\cmd.exe (PID 2464, tree depth 3)
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- C:\providercommon\DllCommonsvc.exe (PID 2396, tree depth 4)
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1804, tree depth 5)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1604, tree depth 5)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\de-DE\conhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 556, tree depth 5)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Landscape\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2948, tree depth 5)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 924, tree depth 5)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1548, tree depth 5)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2764, tree depth 5)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1296, tree depth 5)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2616, tree depth 5)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 564, tree depth 5)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\services.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1356, tree depth 5)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\WmiPrvSE.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1992, tree depth 5)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 796, tree depth 5)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1780, tree depth 5)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2408, tree depth 5)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Rules\ja-JP\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1808, tree depth 5)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\sppsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1656, tree depth 5)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1932, tree depth 5)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\dwm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1952, tree depth 5)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\dwm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2988, tree depth 5)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\cmd.exe (PID 1044, tree depth 5)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u7nY0D41fZ.bat"
- C:\Windows\system32\w32tm.exe (PID 3036, tree depth 6)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe (PID 3684, tree depth 6)
  Command line: "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\cmd.exe (PID 4052, tree depth 7)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\E3sOpJujjE.bat"
- C:\Windows\system32\w32tm.exe (PID 4092, tree depth 8)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe (PID 3008, tree depth 8)
  Command line: "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\cmd.exe (PID 1680, tree depth 9)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat"
- C:\Windows\system32\w32tm.exe (PID 1580, tree depth 10)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe (PID 3020, tree depth 10)
  Command line: "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\cmd.exe (PID 3348, tree depth 11)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QO5FEA9wo1.bat"
- C:\Windows\system32\w32tm.exe (PID 2636, tree depth 12)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe (PID 3240, tree depth 12)
  Command line: "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\cmd.exe (PID 2768, tree depth 13)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9IAAZSZGIv.bat"
- C:\Windows\system32\w32tm.exe (PID 2936, tree depth 14)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe (PID 2540, tree depth 14)
  Command line: "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\cmd.exe (PID 1756, tree depth 15)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ouYA2TrKB.bat"
- C:\Windows\system32\w32tm.exe (PID 3672, tree depth 16)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe (PID 3692, tree depth 16)
  Command line: "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\cmd.exe (PID 3772, tree depth 17)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZfR0hqQ1j6.bat"
- C:\Windows\system32\w32tm.exe (PID 2900, tree depth 18)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe (PID 1688, tree depth 18)
  Command line: "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\cmd.exe (PID 1584, tree depth 19)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IPU7rAfrPc.bat"
- C:\Windows\system32\w32tm.exe (PID 3040, tree depth 20)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe (PID 2088, tree depth 20)
  Command line: "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\cmd.exe (PID 2440, tree depth 21)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\InhrPXXuGB.bat"
- C:\Windows\system32\w32tm.exe (PID 2640, tree depth 22)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe (PID 1732, tree depth 22)
  Command line: "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Media\Landscape\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Media\Landscape\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Landscape\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\providercommon\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\providercommon\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Favorites\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Favorites\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:268
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\PLA\Rules\ja-JP\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\PLA\Rules\ja-JP\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\Rules\ja-JP\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:272
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Favorites\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Favorites\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Favorites\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\providercommon\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668
Network
MITRE ATT&CK Enterprise v15
Downloads