Analysis
-
max time kernel
35s -
max time network
150s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system -
submitted
31/10/2022, 22:54
Behavioral task
behavioral1
Sample
68c80a1af2f37bf3f6d3af6f6319f062514ccaba2e5392bfd9ebdb0f78675e40.exe
Resource
win10-20220812-en
General
-
Target
68c80a1af2f37bf3f6d3af6f6319f062514ccaba2e5392bfd9ebdb0f78675e40.exe
-
Size
1.3MB
-
MD5
7e27554bec453471ca9e7fe05048dc6f
-
SHA1
320172e80965c23c2e4868ed3cde43ad1d8cfaa8
-
SHA256
68c80a1af2f37bf3f6d3af6f6319f062514ccaba2e5392bfd9ebdb0f78675e40
-
SHA512
77bd5878c5f388d836f51782e26278beccf9aa0d782c0f45b46babd2ce67bb43f9919b2139bd6cca2443e470505f8f72e806389f00ea0b603e536bb45288e115
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4952 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3144 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4316 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4320 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4312 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4640 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3704 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5056 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5068 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4980 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5088 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4424 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3156 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4604 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2528 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3028 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3260 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4580 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4576 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4500 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4536 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 928 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3316 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3368 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4932 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2232 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3880 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2808 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4296 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4980 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 584 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1460 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4504 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1280 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3064 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3516 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2980 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4432 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3392 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4388 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4076 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1316 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4196 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3144 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4324 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5080 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3156 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3760 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4380 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3260 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4552 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4584 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1036 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1924 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4576 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4512 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4684 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1816 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 804 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5004 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4484 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2352 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1652 4176 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3784 4176 schtasks.exe 70 -
resource yara_rule behavioral1/files/0x000800000001ac0c-280.dat dcrat behavioral1/files/0x000800000001ac0c-281.dat dcrat behavioral1/memory/3884-282-0x0000000000E20000-0x0000000000F30000-memory.dmp dcrat behavioral1/files/0x000800000001ac0c-309.dat dcrat behavioral1/files/0x000600000001ac59-574.dat dcrat behavioral1/files/0x000600000001ac59-575.dat dcrat behavioral1/files/0x000600000001ac59-577.dat dcrat behavioral1/files/0x000600000001ac59-579.dat dcrat behavioral1/files/0x000600000001ac59-581.dat dcrat behavioral1/files/0x000600000001ac59-583.dat dcrat behavioral1/files/0x000600000001ac59-587.dat dcrat behavioral1/files/0x000600000001ac59-585.dat dcrat behavioral1/files/0x000600000001ac59-589.dat dcrat behavioral1/files/0x000600000001ac59-591.dat dcrat behavioral1/files/0x000600000001ac59-593.dat dcrat behavioral1/files/0x000600000001ac59-595.dat dcrat behavioral1/files/0x000600000001ac59-597.dat dcrat behavioral1/files/0x000600000001ac59-603.dat dcrat behavioral1/files/0x000600000001ac59-607.dat dcrat behavioral1/files/0x000600000001ac59-608.dat dcrat behavioral1/files/0x000600000001ac59-605.dat dcrat behavioral1/files/0x000600000001ac59-601.dat dcrat behavioral1/files/0x000600000001ac59-599.dat dcrat behavioral1/files/0x000600000001ac59-610.dat dcrat -
Executes dropped EXE 21 IoCs
pid Process 3884 DllCommonsvc.exe 2288 DllCommonsvc.exe 4328 powershell.exe 3488 powershell.exe 1280 powershell.exe 4060 powershell.exe 2284 powershell.exe 4388 powershell.exe 4792 powershell.exe 4312 powershell.exe 4292 powershell.exe 5096 powershell.exe 4580 powershell.exe 1688 powershell.exe 2220 powershell.exe 4748 powershell.exe 2388 powershell.exe 4344 powershell.exe 4824 powershell.exe 1112 powershell.exe 4544 powershell.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\MsDtc\Trace\taskhostw.exe DllCommonsvc.exe File created C:\Windows\SysWOW64\MsDtc\Trace\ea9f0e6c9e2dcd DllCommonsvc.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File created C:\Program Files\7-Zip\Lang\conhost.exe DllCommonsvc.exe File created C:\Program Files\7-Zip\Lang\088424020bedd6 DllCommonsvc.exe File created C:\Program Files\Windows Mail\en-US\explorer.exe DllCommonsvc.exe File created C:\Program Files\Windows Mail\en-US\7a0fd90576e088 DllCommonsvc.exe -
Drops file in Windows directory 9 IoCs
description ioc Process File created C:\Windows\ModemLogs\0a1fd5f707cd16 DllCommonsvc.exe File created C:\Windows\Microsoft.NET\Framework64\1041\cmd.exe DllCommonsvc.exe File opened for modification C:\Windows\es-ES\winlogon.exe DllCommonsvc.exe File created C:\Windows\es-ES\cc11b995f2a76d DllCommonsvc.exe File created C:\Windows\DigitalLocker\smss.exe DllCommonsvc.exe File created C:\Windows\DigitalLocker\69ddcba757bf72 DllCommonsvc.exe File created C:\Windows\Microsoft.NET\Framework64\1041\ebf1f9fa8afd6d DllCommonsvc.exe File created C:\Windows\es-ES\winlogon.exe DllCommonsvc.exe File created C:\Windows\ModemLogs\sppsvc.exe DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3304 schtasks.exe 4320 schtasks.exe 5056 schtasks.exe 4432 schtasks.exe 5100 schtasks.exe 4576 schtasks.exe 5080 schtasks.exe 3260 schtasks.exe 1036 schtasks.exe 2352 schtasks.exe 4316 schtasks.exe 5068 schtasks.exe 1460 schtasks.exe 4684 schtasks.exe 3368 schtasks.exe 4260 schtasks.exe 4484 schtasks.exe 3260 schtasks.exe 584 schtasks.exe 3516 schtasks.exe 4324 schtasks.exe 4076 schtasks.exe 4380 schtasks.exe 4584 schtasks.exe 3752 schtasks.exe 2232 schtasks.exe 3784 schtasks.exe 3424 schtasks.exe 4952 schtasks.exe 4640 schtasks.exe 4424 schtasks.exe 4504 schtasks.exe 5088 schtasks.exe 3028 schtasks.exe 4536 schtasks.exe 3064 schtasks.exe 1316 schtasks.exe 3144 schtasks.exe 1924 schtasks.exe 4512 schtasks.exe 4980 schtasks.exe 4604 schtasks.exe 4504 schtasks.exe 2980 schtasks.exe 3444 schtasks.exe 4980 schtasks.exe 3156 schtasks.exe 3760 schtasks.exe 1816 schtasks.exe 4312 schtasks.exe 2528 schtasks.exe 3316 schtasks.exe 3880 schtasks.exe 4500 schtasks.exe 4296 schtasks.exe 4552 schtasks.exe 4576 schtasks.exe 4580 schtasks.exe 3392 schtasks.exe 4388 schtasks.exe 4196 schtasks.exe 3144 schtasks.exe 2808 schtasks.exe 5004 schtasks.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings 68c80a1af2f37bf3f6d3af6f6319f062514ccaba2e5392bfd9ebdb0f78675e40.exe -
Suspicious behavior: EnumeratesProcesses 45 IoCs
pid Process 3884 DllCommonsvc.exe 3884 DllCommonsvc.exe 3884 DllCommonsvc.exe 4544 powershell.exe 4680 powershell.exe 4456 powershell.exe 576 powershell.exe 3904 powershell.exe 1236 powershell.exe 1672 powershell.exe 612 powershell.exe 4680 powershell.exe 1672 powershell.exe 576 powershell.exe 2288 DllCommonsvc.exe 2288 DllCommonsvc.exe 2288 DllCommonsvc.exe 4680 powershell.exe 4544 powershell.exe 1672 powershell.exe 4456 powershell.exe 1236 powershell.exe 3904 powershell.exe 612 powershell.exe 576 powershell.exe 4544 powershell.exe 4456 powershell.exe 612 powershell.exe 3904 powershell.exe 1236 powershell.exe 2288 DllCommonsvc.exe 2288 DllCommonsvc.exe 2288 DllCommonsvc.exe 2288 DllCommonsvc.exe 2288 DllCommonsvc.exe 2288 DllCommonsvc.exe 2288 DllCommonsvc.exe 2288 DllCommonsvc.exe 2288 DllCommonsvc.exe 2288 DllCommonsvc.exe 2288 DllCommonsvc.exe 2288 DllCommonsvc.exe 2288 DllCommonsvc.exe 2288 DllCommonsvc.exe 2288 DllCommonsvc.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3884 DllCommonsvc.exe Token: SeDebugPrivilege 4544 powershell.exe Token: SeDebugPrivilege 4680 powershell.exe Token: SeDebugPrivilege 4456 powershell.exe Token: SeDebugPrivilege 576 powershell.exe Token: SeDebugPrivilege 3904 powershell.exe Token: SeDebugPrivilege 1236 powershell.exe Token: SeDebugPrivilege 2288 DllCommonsvc.exe Token: SeDebugPrivilege 1672 powershell.exe Token: SeDebugPrivilege 612 powershell.exe Token: SeIncreaseQuotaPrivilege 4680 powershell.exe Token: SeSecurityPrivilege 4680 powershell.exe Token: SeTakeOwnershipPrivilege 4680 powershell.exe Token: SeLoadDriverPrivilege 4680 powershell.exe Token: SeSystemProfilePrivilege 4680 powershell.exe Token: SeSystemtimePrivilege 4680 powershell.exe Token: SeProfSingleProcessPrivilege 4680 powershell.exe Token: SeIncBasePriorityPrivilege 4680 powershell.exe Token: SeCreatePagefilePrivilege 4680 powershell.exe Token: SeBackupPrivilege 4680 powershell.exe Token: SeRestorePrivilege 4680 powershell.exe Token: SeShutdownPrivilege 4680 powershell.exe Token: SeDebugPrivilege 4680 powershell.exe Token: SeSystemEnvironmentPrivilege 4680 powershell.exe Token: SeRemoteShutdownPrivilege 4680 powershell.exe Token: SeUndockPrivilege 4680 powershell.exe Token: SeManageVolumePrivilege 4680 powershell.exe Token: 33 4680 powershell.exe Token: 34 4680 powershell.exe Token: 35 4680 powershell.exe Token: 36 4680 powershell.exe Token: SeIncreaseQuotaPrivilege 1672 powershell.exe Token: SeSecurityPrivilege 1672 powershell.exe Token: SeTakeOwnershipPrivilege 1672 powershell.exe Token: SeLoadDriverPrivilege 1672 powershell.exe Token: SeSystemProfilePrivilege 1672 powershell.exe Token: SeSystemtimePrivilege 1672 powershell.exe Token: SeProfSingleProcessPrivilege 1672 powershell.exe Token: SeIncBasePriorityPrivilege 1672 powershell.exe Token: SeCreatePagefilePrivilege 1672 powershell.exe Token: SeBackupPrivilege 1672 powershell.exe Token: SeRestorePrivilege 1672 powershell.exe Token: SeShutdownPrivilege 1672 powershell.exe Token: SeDebugPrivilege 1672 powershell.exe Token: SeSystemEnvironmentPrivilege 1672 powershell.exe Token: SeRemoteShutdownPrivilege 1672 powershell.exe Token: SeUndockPrivilege 1672 powershell.exe Token: SeManageVolumePrivilege 1672 powershell.exe Token: 33 1672 powershell.exe Token: 34 1672 powershell.exe Token: 35 1672 powershell.exe Token: 36 1672 powershell.exe Token: SeIncreaseQuotaPrivilege 576 powershell.exe Token: SeSecurityPrivilege 576 powershell.exe Token: SeTakeOwnershipPrivilege 576 powershell.exe Token: SeLoadDriverPrivilege 576 powershell.exe Token: SeSystemProfilePrivilege 576 powershell.exe Token: SeSystemtimePrivilege 576 powershell.exe Token: SeProfSingleProcessPrivilege 576 powershell.exe Token: SeIncBasePriorityPrivilege 576 powershell.exe Token: SeCreatePagefilePrivilege 576 powershell.exe Token: SeBackupPrivilege 576 powershell.exe Token: SeRestorePrivilege 576 powershell.exe Token: SeShutdownPrivilege 576 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2716 wrote to memory of 4892 2716 68c80a1af2f37bf3f6d3af6f6319f062514ccaba2e5392bfd9ebdb0f78675e40.exe 66 PID 2716 wrote to memory of 4892 2716 68c80a1af2f37bf3f6d3af6f6319f062514ccaba2e5392bfd9ebdb0f78675e40.exe 66 PID 2716 wrote to memory of 4892 2716 68c80a1af2f37bf3f6d3af6f6319f062514ccaba2e5392bfd9ebdb0f78675e40.exe 66 PID 4892 wrote to memory of 2000 4892 WScript.exe 67 PID 4892 wrote to memory of 2000 4892 WScript.exe 67 PID 4892 wrote to memory of 2000 4892 WScript.exe 67 PID 2000 wrote to memory of 3884 2000 cmd.exe 69 PID 2000 wrote to memory of 3884 2000 cmd.exe 69 PID 3884 wrote to memory of 4680 3884 DllCommonsvc.exe 92 PID 3884 wrote to memory of 4680 3884 DllCommonsvc.exe 92 PID 3884 wrote to memory of 4544 3884 DllCommonsvc.exe 97 PID 3884 wrote to memory of 4544 3884 DllCommonsvc.exe 97 PID 3884 wrote to memory of 4456 3884 DllCommonsvc.exe 93 PID 3884 wrote to memory of 4456 3884 DllCommonsvc.exe 93 PID 3884 wrote to memory of 576 3884 DllCommonsvc.exe 94 PID 3884 wrote to memory of 576 3884 DllCommonsvc.exe 94 PID 3884 wrote to memory of 3904 3884 DllCommonsvc.exe 98 PID 3884 wrote to memory of 3904 3884 DllCommonsvc.exe 98 PID 3884 wrote to memory of 1236 3884 DllCommonsvc.exe 102 PID 3884 wrote to memory of 1236 3884 DllCommonsvc.exe 102 PID 3884 wrote to memory of 1672 3884 DllCommonsvc.exe 100 PID 3884 wrote to memory of 1672 3884 DllCommonsvc.exe 100 PID 3884 wrote to memory of 612 3884 DllCommonsvc.exe 104 PID 3884 wrote to memory of 612 3884 DllCommonsvc.exe 104 PID 3884 wrote to memory of 2288 3884 DllCommonsvc.exe 108 PID 3884 wrote to memory of 2288 3884 DllCommonsvc.exe 108 PID 2288 wrote to memory of 4328 2288 DllCommonsvc.exe 161 PID 2288 wrote to memory of 4328 2288 DllCommonsvc.exe 161 PID 2288 wrote to memory of 3488 2288 DllCommonsvc.exe 162 PID 2288 wrote to memory of 3488 2288 DllCommonsvc.exe 162 PID 2288 wrote to memory of 1280 2288 DllCommonsvc.exe 163 PID 2288 wrote to memory of 1280 2288 DllCommonsvc.exe 163 PID 2288 wrote to memory of 4060 2288 DllCommonsvc.exe 165 PID 2288 wrote to memory of 4060 2288 DllCommonsvc.exe 165 PID 2288 wrote to memory of 2284 2288 DllCommonsvc.exe 164 PID 2288 wrote to memory of 2284 2288 DllCommonsvc.exe 164 PID 2288 wrote to memory of 4388 2288 DllCommonsvc.exe 166 PID 2288 wrote to memory of 4388 2288 DllCommonsvc.exe 166 PID 2288 wrote to memory of 4792 2288 DllCommonsvc.exe 167 PID 2288 wrote to memory of 4792 2288 DllCommonsvc.exe 167 PID 2288 wrote to memory of 4312 2288 DllCommonsvc.exe 168 PID 2288 wrote to memory of 4312 2288 DllCommonsvc.exe 168 PID 2288 wrote to memory of 4292 2288 DllCommonsvc.exe 169 PID 2288 wrote to memory of 4292 2288 DllCommonsvc.exe 169 PID 2288 wrote to memory of 5096 2288 DllCommonsvc.exe 170 PID 2288 wrote to memory of 5096 2288 DllCommonsvc.exe 170 PID 2288 wrote to memory of 4580 2288 DllCommonsvc.exe 171 PID 2288 wrote to memory of 4580 2288 DllCommonsvc.exe 171 PID 2288 wrote to memory of 1688 2288 DllCommonsvc.exe 172 PID 2288 wrote to memory of 1688 2288 DllCommonsvc.exe 172 PID 2288 wrote to memory of 2220 2288 DllCommonsvc.exe 179 PID 2288 wrote to memory of 2220 2288 DllCommonsvc.exe 179 PID 2288 wrote to memory of 4748 2288 DllCommonsvc.exe 173 PID 2288 wrote to memory of 4748 2288 DllCommonsvc.exe 173 PID 2288 wrote to memory of 2388 2288 DllCommonsvc.exe 174 PID 2288 wrote to memory of 2388 2288 DllCommonsvc.exe 174 PID 2288 wrote to memory of 4344 2288 DllCommonsvc.exe 175 PID 2288 wrote to memory of 4344 2288 DllCommonsvc.exe 175 PID 2288 wrote to memory of 4824 2288 DllCommonsvc.exe 178 PID 2288 wrote to memory of 4824 2288 DllCommonsvc.exe 178 PID 2288 wrote to memory of 1112 2288 DllCommonsvc.exe 176 PID 2288 wrote to memory of 1112 2288 DllCommonsvc.exe 176 PID 2288 wrote to memory of 4544 2288 DllCommonsvc.exe 177 PID 2288 wrote to memory of 4544 2288 DllCommonsvc.exe 177
Processes
-
C:\Users\Admin\AppData\Local\Temp\68c80a1af2f37bf3f6d3af6f6319f062514ccaba2e5392bfd9ebdb0f78675e40.exe"C:\Users\Admin\AppData\Local\Temp\68c80a1af2f37bf3f6d3af6f6319f062514ccaba2e5392bfd9ebdb0f78675e40.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- Suspicious use of WriteProcessMemory
PID:4892 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3884 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4680
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4456
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dllhost.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\winlogon.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4544
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\MsDtc\Trace\taskhostw.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3904
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\ShellExperienceHost.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1672
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\PrintHood\dllhost.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1236
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:612
-
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'6⤵
- Executes dropped EXE
PID:4328
-
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\smss.exe'6⤵
- Executes dropped EXE
PID:3488
-
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\dllhost.exe'6⤵
- Executes dropped EXE
PID:1280
-
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'6⤵
- Executes dropped EXE
PID:2284
-
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\wininit.exe'6⤵
- Executes dropped EXE
PID:4060
-
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\powershell.exe'6⤵
- Executes dropped EXE
PID:4388
-
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'6⤵
- Executes dropped EXE
PID:4792
-
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\conhost.exe'6⤵
- Executes dropped EXE
PID:4312
-
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\sppsvc.exe'6⤵
- Executes dropped EXE
PID:4292
-
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\powershell.exe'6⤵
- Executes dropped EXE
PID:5096
-
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\powershell.exe'6⤵
- Executes dropped EXE
PID:4580
-
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\smss.exe'6⤵
- Executes dropped EXE
PID:1688
-
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'6⤵
- Executes dropped EXE
PID:4748
-
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework64\1041\cmd.exe'6⤵
- Executes dropped EXE
PID:2388
-
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\OneDrive\conhost.exe'6⤵
- Executes dropped EXE
PID:4344
-
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\explorer.exe'6⤵
- Executes dropped EXE
PID:1112
-
-
C:\providercommon\powershell.exe"C:\providercommon\powershell.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4544
-
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'6⤵
- Executes dropped EXE
PID:4824
-
-
C:\providercommon\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsass.exe'6⤵
- Executes dropped EXE
PID:2220
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\es-ES\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\es-ES\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\providercommon\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\odt\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
PID:3704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Windows\SysWOW64\MsDtc\Trace\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\SysWOW64\MsDtc\Trace\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Windows\SysWOW64\MsDtc\Trace\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\PrintHood\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
PID:3156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\PrintHood\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\ShellExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Users\Default User\ShellExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3260
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\ShellExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\odt\smss.exe'" /f1⤵
- Process spawned unexpected child process
PID:928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\odt\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\odt\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Templates\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
PID:4932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Templates\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2232
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Templates\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\odt\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2808
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4296
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4504
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /f1⤵
- Process spawned unexpected child process
PID:1280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4432
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3392
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\ModemLogs\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4196
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ModemLogs\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\ModemLogs\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\providercommon\powershell.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5080
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\providercommon\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\providercommon\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\providercommon\powershell.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\providercommon\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3260
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\providercommon\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\DigitalLocker\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\DigitalLocker\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\providercommon\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\Framework64\1041\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework64\1041\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2352
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Windows\Microsoft.NET\Framework64\1041\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1652
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\OneDrive\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\OneDrive\conhost.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:3424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\OneDrive\conhost.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:4260
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\providercommon\explorer.exe'" /f1⤵
- Creates scheduled task(s)
PID:3444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:5100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f1⤵PID:1932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\en-US\explorer.exe'" /f1⤵
- Creates scheduled task(s)
PID:3304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\explorer.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:4504
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\en-US\explorer.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:3752
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5b4268d8ae66fdd920476b97a1776bf85
SHA1f920de54f7467f0970eccc053d3c6c8dd181d49a
SHA25661d17affcc8d91ecb1858e710c455186f9d0ccfc4d8ae17a1145d87bc7317879
SHA51203b6b90641837f9efb6065698602220d6c5ad263d51d7b7714747c2a3c3c618bd3d94add206b034d6fa2b8e43cbd1ac4a1741cfa1c2b1c1fc8589ae0b0c89516
-
Filesize
3KB
MD5ad5cd538ca58cb28ede39c108acb5785
SHA11ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
-
Filesize
1KB
MD50bdfaa14d7814b541a77f4e97920dfd6
SHA1c239720eee47db7f7136bb78e37c539b9e735c4c
SHA2564c8946ef444ac60d731d674ad3d32a42edcd2a8d5fc984366f7c09eb24f5a272
SHA512dfa795a1fd4fc852064cfdf93602899685bf9c13c7c326feca76fc7f97f92662342c52b79b447bcbc20cd55ea724742a499ad8da8e7770377a3e04ae52351608
-
Filesize
1KB
MD50bdfaa14d7814b541a77f4e97920dfd6
SHA1c239720eee47db7f7136bb78e37c539b9e735c4c
SHA2564c8946ef444ac60d731d674ad3d32a42edcd2a8d5fc984366f7c09eb24f5a272
SHA512dfa795a1fd4fc852064cfdf93602899685bf9c13c7c326feca76fc7f97f92662342c52b79b447bcbc20cd55ea724742a499ad8da8e7770377a3e04ae52351608
-
Filesize
1KB
MD59354e505638093f20dfa38d9c6620235
SHA108f95f01067f7773367e78a0d2de873dd5985e22
SHA2568f87916468b41e7b623aeff0bd0cf8fc229a600c3e2ad6fd658bf7676d9ed3f2
SHA512655b3ef7bc0b14ddd45507df5fc5252fea8508fd1d2de75a53d26b5084d58c813673bf173e41b6f03bd06f5a4240db13945ef340483262b12e4fe93da5ff775e
-
Filesize
1KB
MD502b6c68dead38613d1a8ea25fc80efc8
SHA13ebea48bb5ebe6cbf73f4ecbee0b67fd253b02e9
SHA256e5d94cb19f98851096d1c2114e3d18543082cbfe1d91c42f927fcde3b7be75a7
SHA512baef4ccff193426df30097f39126e271311ea0614ec24356069e15672fbf877248993c58a8816427bf93c5ff96e57357168449b3a2581e464b73e9b83286b492
-
Filesize
1KB
MD5666645396c2ed47289bcde84115d9d2c
SHA11dacfec155d8a12dcc82fe379065a2e8c40f0f2c
SHA2562913fcb0ba9c883a39984545cc43be1a35b2cc4675304f109aec03ce197be6c5
SHA51201f79e028aa30418f6e37f420fb16ec7102c4a02a0051bec89528d42743ac1861e859125636024fe83de58a3dd97d31f468e5070a579706b42846f9499fd2efe
-
Filesize
1KB
MD5666645396c2ed47289bcde84115d9d2c
SHA11dacfec155d8a12dcc82fe379065a2e8c40f0f2c
SHA2562913fcb0ba9c883a39984545cc43be1a35b2cc4675304f109aec03ce197be6c5
SHA51201f79e028aa30418f6e37f420fb16ec7102c4a02a0051bec89528d42743ac1861e859125636024fe83de58a3dd97d31f468e5070a579706b42846f9499fd2efe
-
Filesize
1KB
MD5b8b3d31292f7920c38c3a83906b632b7
SHA10c5d7a42b818fc8db912ab01dbe3b04dcda7d653
SHA256d0416df7bc7f535bf09de98008733d43ccf416fb6bb4085b9a95f018c5b34ff7
SHA5128d1d22938112c9f283e8b2db17e9319dbebf875be7cd088421b7804cad7d3a7ffced413aa29d54111acac819da07f3f5d55c637566488f8cb6d0fef6724f206c
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478