Analysis
max time kernel: 146s
max time network: 147s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2024 02:08
Behavioral task behavioral1: Sample JaffaCakes118_8ba5a3b36ce1672defd8dff03b0b80a750ab2bd1ec69c6670e3e77fc2c9ecc86.exe, Resource win7-20240903-en
Behavioral task behavioral2: Sample JaffaCakes118_8ba5a3b36ce1672defd8dff03b0b80a750ab2bd1ec69c6670e3e77fc2c9ecc86.exe, Resource win10v2004-20241007-en
(The results on this page are from behavioral1, the Windows 7 x64 run.)
General
Target: JaffaCakes118_8ba5a3b36ce1672defd8dff03b0b80a750ab2bd1ec69c6670e3e77fc2c9ecc86.exe
Size: 1.3MB
MD5: 3b8f9c2564d9a6710fa828ba91d3bde3
SHA1: 9f454ce98c215691e5f292b5ef179caea8ffe317
SHA256: 8ba5a3b36ce1672defd8dff03b0b80a750ab2bd1ec69c6670e3e77fc2c9ecc86
SHA512: 2a93fb5867b88d54dcbfedc2c7e2b26e30e30c3192fd9c28f22624395088b4bb1a2db949473c792b5879999806ccd48d9990226f3067ce9c73020c7a1d780f06
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Here the recorded parent of every schtasks.exe is the WMI provider host, C:\Windows\system32\wbem\wmiprvse.exe (PID 2708), which is what process creation through WMI (for example Win32_Process.Create) looks like: the real caller is not in the parent-child chain, so the 48 task registrations do not trace back to DllCommonsvc.exe and appear at depth 1 under Processes. When hunting, look at the children of WmiPrvSE.exe rather than only at the dropper's own descendants.
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (all 48 rows)
pid_target: 2708 (wmiprvse.exe), procid_target: 34 (all 48 rows)
Process: schtasks.exe (all 48 rows)
pid (48): 2960, 2216, 2764, 2588, 2636, 2644, 2432, 2288, 1632, 376, 2828, 2968, 1536, 1512, 2908, 2840, 2948, 1664, 1868, 1428, 2276, 2184, 2408, 480, 1640, 276, 1812, 2824, 1068, 3008, 1720, 1600, 1704, 1148, 2036, 1388, 1872, 1648, 1636, 2476, 2124, 1120, 2420, 1432, 2108, 3028, 1492, 2952
-
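The check behind this signature, written out as an added example (this code is not part of the sandbox report or of any sandbox product): given process-creation events, flag living-off-the-land binaries whose recorded parent is WmiPrvSE.exe, and show that walking the parent chain stops at the provider host instead of reaching the dropper. The events are constructed in the shape of Sysmon Event ID 1 records; images and PIDs follow this report, while the svchost.exe parent of WmiPrvSE.exe (PID 616), the explorer.exe PID 1234 and the benign `schtasks /query` control are made up.

```python
"""Lineage check behind the "unexpected child process" signature.

Added example, not part of the sandbox report.  The events below are
constructed in the shape of Sysmon Event ID 1 records; images and PIDs
follow the report, while the parent of WmiPrvSE.exe (svchost.exe, PID 616),
the explorer.exe PID 1234 and the benign schtasks /query line are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the created process
    parent_image: str   # full path of the creator as the OS recorded it
    cmdline: str


# LOLBins that WmiPrvSE.exe has no reason to start on its own.  The provider
# host only spawns processes on behalf of a WMI caller (Win32_Process.Create
# and friends), so any of these under it means "something ran this through
# WMI" and the real caller is not the recorded parent.
WMI_SUSPECT_CHILDREN = {
    "schtasks.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def wmi_spawned(events):
    """Events whose parent is WmiPrvSE.exe and whose image is a suspect LOLBin."""
    return [
        e for e in events
        if basename(e.parent_image) == "wmiprvse.exe"
        and basename(e.image) in WMI_SUSPECT_CHILDREN
    ]


def lineage(events, pid):
    """Image names from `pid` up to the highest ancestor present in `events`.

    Keyed on PID for brevity; with real telemetry key on Sysmon's ProcessGuid,
    because PIDs are reused (this report reuses 3020, 1756, 1868, 2216, 1068
    and 2764 within a single run).
    """
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def findings(events):
    """One line per WMI-spawned suspect child, with the lineage that is visible."""
    return [
        f"PID {e.pid} {basename(e.image)} created via WMI (parent WmiPrvSE.exe "
        f"PID {e.ppid}); visible lineage: " + " <- ".join(lineage(events, e.pid))
        + f"; cmdline: {e.cmdline}"
        for e in wmi_spawned(events)
    ]


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ba5a3b36ce1672defd8dff03b0b80a750ab2bd1ec69c6670e3e77fc2c9ecc86.exe"
WMIPRVSE = r"C:\Windows\system32\wbem\wmiprvse.exe"

# Constructed sample modelled on the process tree in the report.
SAMPLE_EVENTS = [
    ProcEvent(2032, 1234, DROPPER, r"C:\Windows\explorer.exe", f'"{DROPPER}"'),
    ProcEvent(2516, 2032, r"C:\Windows\SysWOW64\WScript.exe", DROPPER,
              r'"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"'),
    ProcEvent(2484, 2516, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\WScript.exe",
              r'cmd /c ""C:\providercommon\1zu9dW.bat" "'),
    ProcEvent(2700, 2484, r"C:\providercommon\DllCommonsvc.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\providercommon\DllCommonsvc.exe"'),
    ProcEvent(2708, 616, WMIPRVSE, r"C:\Windows\system32\svchost.exe", WMIPRVSE),
    ProcEvent(2960, 2708, r"C:\Windows\system32\schtasks.exe", WMIPRVSE,
              r"""schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\lsm.exe'" /f"""),
    ProcEvent(2216, 2708, r"C:\Windows\system32\schtasks.exe", WMIPRVSE,
              r"""schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\lsm.exe'" /rl HIGHEST /f"""),
    # Benign control (made up): schtasks started from an ordinary shell.
    ProcEvent(3100, 2484, r"C:\Windows\system32\schtasks.exe", r"C:\Windows\SysWOW64\cmd.exe",
              "schtasks /query"),
]

if __name__ == "__main__":
    for line in findings(SAMPLE_EVENTS):
        print(line)
```

The lineage of the dropper's own chain resolves four levels up to the sample, while the schtasks.exe lineage ends at wmiprvse.exe after one hop; that gap is the reason a detection keyed on "child of the malware" misses these registrations.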
resource  yara_rule
behavioral1/files/0x0008000000016855-12.dat  dcrat
behavioral1/memory/2700-13-0x00000000003D0000-0x00000000004E0000-memory.dmp  dcrat
behavioral1/memory/2868-56-0x0000000000BB0000-0x0000000000CC0000-memory.dmp  dcrat
behavioral1/memory/1124-201-0x00000000001B0000-0x00000000002C0000-memory.dmp  dcrat
behavioral1/memory/1804-261-0x0000000001350000-0x0000000001460000-memory.dmp  dcrat
behavioral1/memory/1968-321-0x0000000000330000-0x0000000000440000-memory.dmp  dcrat
behavioral1/memory/2496-381-0x0000000001170000-0x0000000001280000-memory.dmp  dcrat
behavioral1/memory/1868-441-0x00000000000D0000-0x00000000001E0000-memory.dmp  dcrat
behavioral1/memory/3004-501-0x00000000002C0000-0x00000000003D0000-memory.dmp  dcrat
behavioral1/memory/2128-561-0x0000000000890000-0x00000000009A0000-memory.dmp  dcrat
behavioral1/memory/2216-622-0x0000000000080000-0x0000000000190000-memory.dmp  dcrat
behavioral1/memory/2264-683-0x0000000000A60000-0x0000000000B70000-memory.dmp  dcrat
behavioral1/memory/1068-743-0x0000000000DF0000-0x0000000000F00000-memory.dmp  dcrat
behavioral1/memory/1072-803-0x00000000013A0000-0x00000000014B0000-memory.dmp  dcrat
The dropped file and all 13 dropped-EXE processes (DllCommonsvc.exe PID 2700 and the twelve csrss.exe copies) match the same rule, and every memory hit is a 0x110000-byte region, consistent with one payload image being copied and relaunched rather than several different binaries.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths or processes. In this run all 17 calls are Add-MpPreference -ExclusionPath, one per dropped copy of the payload (full command lines under Processes). Windows 7 ships no Defender PowerShell module, so on this image the calls fail; the attempt itself is the indicator.
pid Process (all powershell.exe): 1912, 2904, 1756, 856, 2416, 2372, 2084, 2364, 2380, 2396, 1556, 3020, 2404, 2676, 1592, 2088, 812
-
Executes dropped EXE 13 IoCs
pid Process: 2700 DllCommonsvc.exe; csrss.exe (12 instances): 2868, 1124, 1804, 1968, 2496, 1868, 3004, 2128, 2216, 2264, 1068, 1072
-
Loads dropped DLL 2 IoCs
pid Process: 2484 cmd.exe (2 loads)
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
flow ioc: raw.githubusercontent.com in flows 4, 5, 9, 13, 17, 20, 23, 26, 30, 33, 36, 40, 43
-
Drops file in Program Files directory 7 IoCs
description  ioc  Process
File created  C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\winlogon.exe  DllCommonsvc.exe
File created  C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\cc11b995f2a76d  DllCommonsvc.exe
File created  C:\Program Files\Windows Portable Devices\cmd.exe  DllCommonsvc.exe
File created  C:\Program Files\Windows Portable Devices\ebf1f9fa8afd6d  DllCommonsvc.exe
File created  C:\Program Files (x86)\Internet Explorer\en-US\lsm.exe  DllCommonsvc.exe
File opened for modification  C:\Program Files (x86)\Internet Explorer\en-US\lsm.exe  DllCommonsvc.exe
File created  C:\Program Files (x86)\Internet Explorer\en-US\101b941d020240  DllCommonsvc.exe
-
Drops file in Windows directory 2 IoCs
description  ioc  Process
File created  C:\Windows\AppPatch\it-IT\services.exe  DllCommonsvc.exe
File created  C:\Windows\AppPatch\it-IT\c5b4cb5e9653cc  DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Reading this key is routine for many Windows processes (two of the three hits here are WScript.exe and cmd.exe), so on its own this is a low-confidence indicator.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_8ba5a3b36ce1672defd8dff03b0b80a750ab2bd1ec69c6670e3e77fc2c9ecc86.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process (all schtasks.exe; the same 48 PIDs as under "Process spawned unexpected child process"): 2476, 1120, 2764, 1428, 2184, 1600, 1704, 2948, 2824, 1636, 480, 1812, 3008, 1388, 2108, 3028, 2432, 2968, 2276, 2408, 1648, 1432, 1492, 2960, 2644, 2288, 1512, 276, 2036, 1872, 2124, 2588, 1536, 2908, 1664, 1068, 2420, 2952, 2216, 376, 1868, 1720, 1148, 2636, 1632, 2828, 2840, 1640
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid Process: 2700 DllCommonsvc.exe; csrss.exe: 2868, 1124, 1804, 1968, 2496, 1868, 3004, 2128, 2216, 2264, 1068, 1072; powershell.exe: 3020, 856, 2416, 2372, 1756, 2380, 812, 2904, 1912, 2396, 2676, 2088, 2404, 2084, 1556, 2364, 1592
-
Suspicious use of AdjustPrivilegeToken 30 IoCs
description: Token: SeDebugPrivilege (all 30 rows)
pid Process: 2700 DllCommonsvc.exe; csrss.exe: 2868, 1124, 1804, 1968, 2496, 1868, 3004, 2128, 2216, 2264, 1068, 1072; powershell.exe: 3020, 856, 2416, 2372, 1756, 2380, 812, 2904, 1912, 2396, 2676, 2088, 2404, 2084, 1556, 2364, 1592
-
Suspicious use of WriteProcessMemory 64 IoCs
Each write is logged once per call, so the 64 rows collapse to the 21 writer/target pairs below (the count column gives the number of rows). procid_target is the sandbox's process index and rises in creation order: the indices 35 to 82 between cmd.exe's write into DllCommonsvc.exe (33) and the first powershell.exe (83) are 48 processes, which is consistent with the 48 schtasks.exe children of wmiprvse.exe (index 34) being created before the Defender exclusions.
pid  Process  target pid  procid_target  count
2032  JaffaCakes118_8ba5a3b36ce1672defd8dff03b0b80a750ab2bd1ec69c6670e3e77fc2c9ecc86.exe  2516  30  4
2516  WScript.exe  2484  31  4
2484  cmd.exe  2700  33  4
2700  DllCommonsvc.exe  1912  83  3
2700  DllCommonsvc.exe  2904  84  3
2700  DllCommonsvc.exe  1756  85  3
2700  DllCommonsvc.exe  2364  86  3
2700  DllCommonsvc.exe  856  87  3
2700  DllCommonsvc.exe  2416  88  3
2700  DllCommonsvc.exe  2372  89  3
2700  DllCommonsvc.exe  2676  90  3
2700  DllCommonsvc.exe  2084  91  3
2700  DllCommonsvc.exe  2380  92  3
2700  DllCommonsvc.exe  1556  93  3
2700  DllCommonsvc.exe  1592  94  3
2700  DllCommonsvc.exe  2088  95  3
2700  DllCommonsvc.exe  2396  96  3
2700  DllCommonsvc.exe  3020  97  3
2700  DllCommonsvc.exe  812  98  3
2700  DllCommonsvc.exe  2404  99  3
2700  DllCommonsvc.exe  2868  117  1
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
The tree as recorded; "Depth" is the nesting level from the original tree.

Depth 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ba5a3b36ce1672defd8dff03b0b80a750ab2bd1ec69c6670e3e77fc2c9ecc86.exe (PID 2032)
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ba5a3b36ce1672defd8dff03b0b80a750ab2bd1ec69c6670e3e77fc2c9ecc86.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 2: C:\Windows\SysWOW64\WScript.exe (PID 2516)
  command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  (the System32 path resolves to SysWOW64 because the 32-bit sample is subject to file system redirection)
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 3: C:\Windows\SysWOW64\cmd.exe (PID 2484)
  command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 4: C:\providercommon\DllCommonsvc.exe (PID 2700)
  command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Depth 5: 17 instances of C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, all children of PID 2700. Each runs
  "powershell" -Command Add-MpPreference -ExclusionPath '<path>'
  and every one carries the same three tags:
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  PID   excluded path
  1912  C:\providercommon\DllCommonsvc.exe
  2904  C:\Program Files (x86)\Internet Explorer\en-US\lsm.exe
  1756  C:\providercommon\smss.exe
  2364  C:\providercommon\smss.exe
  856   C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\smss.exe
  2416  C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
  2372  C:\providercommon\services.exe
  2676  C:\Users\Public\Libraries\csrss.exe
  2084  C:\providercommon\winlogon.exe
  2380  C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe
  1556  C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\winlogon.exe
  1592  C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe
  2088  C:\providercommon\lsm.exe
  2396  C:\Windows\AppPatch\it-IT\services.exe
  3020  C:\Program Files\Windows Portable Devices\cmd.exe
  812   C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe
  2404  C:\Users\Public\Recorded TV\Sample Media\lsm.exe
Depth 5: C:\Users\Public\Libraries\csrss.exe (PID 2868), child of PID 2700
  command line: "C:\Users\Public\Libraries\csrss.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

From here the tree is a relaunch loop. Each csrss.exe instance starts C:\Windows\System32\cmd.exe /C on a freshly written batch file in C:\Users\Admin\AppData\Local\Temp\; the batch runs
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
(a sleep substitute: two samples five seconds apart, output discarded) and then starts C:\Users\Public\Libraries\csrss.exe again, which repeats the cycle. Every csrss.exe instance carries the same three tags as PID 2868; the cmd.exe and w32tm.exe instances carry none. Twelve iterations were recorded in the 146 s run; the last cmd.exe (PID 2764, depth 28) had started w32tm.exe (PID 464, depth 29) when the trace ends.

  csrss.exe depth  csrss.exe PID  batch file (cmd.exe PID, one depth below)  w32tm.exe PID (two depths below)
  5                2868           rHhDMS4c5i.bat (1524)                      2940
  7                1124           rBMLF9HJtT.bat (1860)                      2600
  9                1804           2Odt5WJZ2f.bat (264)                       3056
  11               1968           avPRQTW9Zy.bat (2188)                      2424
  13               2496           muCkezbCVz.bat (3020)                      2688
  15               1868           epFjAgKouK.bat (1756)                      2804
  17               3004           DiMaLaQqUm.bat (1528)                      2820
  19               2128           fg7ffKrc0I.bat (924)                       2024
  21               2216           HGlJwS3LgK.bat (1320)                      1372
  23               2264           2K3DLFE7WC.bat (2240)                      2428
  25               1068           c0ZYbu3Enn.bat (792)                       1544
  27               1072           OrAhl4fNEA.bat (2764)                      464

PIDs are reused within this run: 3020 is a powershell.exe above and a cmd.exe here, and 1756, 1868, 2216, 1068 and 2764 likewise appear twice in the report. Correlate on PID plus creation time (or the sandbox's process index) rather than on PID alone.
-
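The relaunch loop above has a fixed shape that can be matched without any knowledge of the file names: a process starts cmd.exe on a batch file in %TEMP%, and that cmd.exe starts both a sleep surrogate and a new copy of the same image. The following added example (not part of the report) builds the tree from process-creation events and returns such chains. The w32tm stripchart trick is what this sample uses; the detector also accepts the other common surrogates, `ping -n N 127.0.0.1` and `timeout /t N`, which this sample does not use. Events are constructed from the first three iterations of the tree (PIDs as in the report); the explorer.exe / build.bat control case is made up.

```python
"""Detect the batch-file relaunch loop shown in the process tree.

Added example, not part of the sandbox report.  Each hop of the loop is
  <image>  ->  cmd.exe /C <random>.bat in %TEMP%  ->  { sleep surrogate, <image> again }
Events are constructed from the first three iterations in the report; the
explorer.exe / build.bat control is made up.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Commands used to "sleep" from a batch file without a real sleep binary.
SLEEP_SURROGATES = (
    re.compile(r"\bw32tm(\.exe)?\s+/stripchart\s+/computer:localhost", re.I),   # this sample
    re.compile(r"\bping(\.exe)?\b.*\s-n\s+\d+\b.*\b(127\.0\.0\.1|localhost)", re.I),
    re.compile(r"\btimeout(\.exe)?\s+(/t\s+)?\d+", re.I),
)
TEMP_BAT = re.compile(r"\\AppData\\Local\\Temp\\[\w.-]+\.bat\b", re.I)


def name(p):
    return p.image.rsplit("\\", 1)[-1].lower()


def is_sleep_surrogate(cmdline):
    return any(r.search(cmdline) for r in SLEEP_SURROGATES)


def relaunch_chains(events, min_relaunches=2):
    """Chains [(image name, [pid0, pid1, ...])] where each pid(i+1) relaunches pid(i).

    A relaunch is: pid(i) starts cmd.exe on a .bat in %TEMP%, and that cmd.exe
    starts both a sleep surrogate and a process with the same image name.
    Events are keyed on PID here; key on a process GUID when PIDs can be reused.
    """
    kids = defaultdict(list)
    for e in events:
        kids[e.ppid].append(e)

    def next_hop(p):
        for c in kids[p.pid]:
            if name(c) == "cmd.exe" and TEMP_BAT.search(c.cmdline):
                grand = kids[c.pid]
                if any(is_sleep_surrogate(g.cmdline) for g in grand):
                    for g in grand:
                        if name(g) == name(p):
                            return g
        return None

    hopped = {h.pid for e in events if (h := next_hop(e)) is not None}
    chains = []
    for e in events:
        if e.pid in hopped:          # not the head of a chain
            continue
        chain, cur = [e.pid], e
        while (nxt := next_hop(cur)) is not None:
            chain.append(nxt.pid)
            cur = nxt
        if len(chain) - 1 >= min_relaunches:
            chains.append((name(e), chain))
    return chains


CSRSS = r"C:\Users\Public\Libraries\csrss.exe"
CMD = r"C:\Windows\System32\cmd.exe"
W32TM = r"C:\Windows\system32\w32tm.exe"
DELAY = "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"


def bat(batch_name):
    return f'"{CMD}" /C "{TEMP}\\{batch_name}"'


# Constructed from the first three loop iterations in the report, plus a control.
SAMPLE_EVENTS = [
    Proc(2868, 2700, CSRSS, f'"{CSRSS}"'),
    Proc(1524, 2868, CMD, bat("rHhDMS4c5i.bat")),
    Proc(2940, 1524, W32TM, DELAY),
    Proc(1124, 1524, CSRSS, f'"{CSRSS}"'),
    Proc(1860, 1124, CMD, bat("rBMLF9HJtT.bat")),
    Proc(2600, 1860, W32TM, DELAY),
    Proc(1804, 1860, CSRSS, f'"{CSRSS}"'),
    Proc(264, 1804, CMD, bat("2Odt5WJZ2f.bat")),
    Proc(3056, 264, W32TM, DELAY),
    # Control (made up): a shell runs a temp batch that sleeps but relaunches nothing.
    Proc(4000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(5000, 4000, CMD, bat("build.bat")),
    Proc(5001, 5000, W32TM, DELAY),
]

if __name__ == "__main__":
    for image, chain in relaunch_chains(SAMPLE_EVENTS):
        print(image, "relaunched", len(chain) - 1, "times:", chain)
```

Two relaunches is a reasonable threshold: a single batch-driven restart happens in legitimate updaters, a chain that keeps growing every few seconds does not.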
Scheduled task registrations (depth 1). These schtasks.exe processes sit at depth 1 rather than under DllCommonsvc.exe because their recorded parent is WmiPrvSE.exe (see "Process spawned unexpected child process"). Every entry is C:\Windows\system32\schtasks.exe and carries the same two tags:
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
The same triplet repeats for each dropped copy: a MINUTE task under a suffixed name, an ONLOGON task under the plain name with /rl HIGHEST, and a second MINUTE task under the suffixed name with /rl HIGHEST. All calls use /f, and schtasks /create /f overwrites an existing task of the same name, so where a name is reused for different targets (smsss, smss) only the last registration survives on the host. The run level is LIMITED (the schtasks default) where no /rl is given. 21 of the 48 recorded registrations are listed; the page ends in the middle of the last entry, whose PID is missing.

  PID   /tn         /sc and /mo      /rl      /tr target
  2960  lsml        MINUTE /mo 12    LIMITED  C:\Program Files (x86)\Internet Explorer\en-US\lsm.exe
  2216  lsm         ONLOGON          HIGHEST  C:\Program Files (x86)\Internet Explorer\en-US\lsm.exe
  2764  lsml        MINUTE /mo 14    HIGHEST  C:\Program Files (x86)\Internet Explorer\en-US\lsm.exe
  2588  smsss       MINUTE /mo 7     LIMITED  C:\providercommon\smss.exe
  2636  smss        ONLOGON          HIGHEST  C:\providercommon\smss.exe
  2644  smsss       MINUTE /mo 10    HIGHEST  C:\providercommon\smss.exe
  2432  smsss       MINUTE /mo 5     LIMITED  C:\providercommon\smss.exe
  2288  smss        ONLOGON          HIGHEST  C:\providercommon\smss.exe
  1632  smsss       MINUTE /mo 7     HIGHEST  C:\providercommon\smss.exe
  376   smsss       MINUTE /mo 9     LIMITED  C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\smss.exe
  2828  smss        ONLOGON          HIGHEST  C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\smss.exe
  2968  smsss       MINUTE /mo 10    HIGHEST  C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\smss.exe
  1536  OSPPSVCO    MINUTE /mo 6     LIMITED  C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
  1512  OSPPSVC     ONLOGON          HIGHEST  C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
  2908  OSPPSVCO    MINUTE /mo 8     HIGHEST  C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
  2840  servicess   MINUTE /mo 8     LIMITED  C:\providercommon\services.exe
  2948  services    ONLOGON          HIGHEST  C:\providercommon\services.exe
  1664  servicess   MINUTE /mo 8     HIGHEST  C:\providercommon\services.exe
  1868  csrssc      MINUTE /mo 7     LIMITED  C:\Users\Public\Libraries\csrss.exe
  1428  csrss       ONLOGON          HIGHEST  C:\Users\Public\Libraries\csrss.exe
  n/a   csrssc      MINUTE /mo 8     HIGHEST  C:\Users\Public\Libraries\csrss.exe   (entry cut off; PID not shown)
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\providercommon\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\providercommon\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\AppPatch\it-IT\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\AppPatch\it-IT\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\AppPatch\it-IT\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Recorded TV\Sample Media\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Recorded TV\Sample Media\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952
Downloads