Analysis

max time kernel: 146s
max time network: 148s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 01/11/2022, 11:41

Behavioral task: behavioral1
Sample: 6993b53f85ba0f40bb7eb332e3eef3877751acd544a9b96f5792d23cde8fe44d.exe
Resource: win10-20220812-en
General

Target: 6993b53f85ba0f40bb7eb332e3eef3877751acd544a9b96f5792d23cde8fe44d.exe
Size: 1.3MB
MD5: 3f08062dec8c3da63ec82160172de788
SHA1: 03a8656f37fa99ef74f693a38c53b0bfcf195b54
SHA256: 6993b53f85ba0f40bb7eb332e3eef3877751acd544a9b96f5792d23cde8fe44d
SHA512: f1cac8a0b725e1ebff89c5224e6db8c315d78f8b335a2594d7f017d29b424fe8088cad8ce54021c4de1df1f3e5b2346c39ec9551e1bfa07ee7afb75a51062226
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

resource | yara_rule
behavioral1/files/0x000400000001ac49-283.dat | dcrat
behavioral1/files/0x000400000001ac49-284.dat | dcrat
behavioral1/memory/1316-285-0x0000000000540000-0x0000000000650000-memory.dmp | dcrat
behavioral1/files/0x000600000001ac5c-371.dat | dcrat
behavioral1/files/0x000600000001ac5c-372.dat | dcrat
behavioral1/files/0x000600000001ac5c-860.dat | dcrat
behavioral1/files/0x000600000001ac5c-867.dat | dcrat
behavioral1/files/0x000600000001ac5c-873.dat | dcrat
behavioral1/files/0x000600000001ac5c-879.dat | dcrat
behavioral1/files/0x000600000001ac5c-884.dat | dcrat
behavioral1/files/0x000600000001ac5c-889.dat | dcrat
behavioral1/files/0x000600000001ac5c-895.dat | dcrat
behavioral1/files/0x000600000001ac5c-901.dat | dcrat
behavioral1/files/0x000600000001ac5c-906.dat | dcrat
behavioral1/files/0x000600000001ac5c-912.dat | dcrat

Process spawned unexpected child process (45 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.

description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4596 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4924 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4900 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 508 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4476 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4464 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1000 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4500 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3184 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3200 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3076 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 656 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4772 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4760 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4704 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4744 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4752 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4660 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1360 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 60 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 916 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 820 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1848 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1744 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1620 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2160 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2292 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1584 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1332 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2392 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3796 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1192 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 792 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3400 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3396 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3412 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 188 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 204 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 212 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 304 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2208 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2756 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2188 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2480 | 4880 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1212 | 4880 | schtasks.exe | 70
Executes dropped EXE (12 IoCs)

pid | Process
1316 | DllCommonsvc.exe
3060 | dllhost.exe
5704 | dllhost.exe
5888 | dllhost.exe
6072 | dllhost.exe
5276 | dllhost.exe
5536 | dllhost.exe
4456 | dllhost.exe
5600 | dllhost.exe
4676 | dllhost.exe
1836 | dllhost.exe
3076 | dllhost.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Drops file in Program Files directory (11 IoCs)

description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\spoolsv.exe | DllCommonsvc.exe
File created | C:\Program Files\Microsoft Office\f3b6ecef712a24 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\7a0fd90576e088 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\e6c9b481da804f | DllCommonsvc.exe
File created | C:\Program Files\Microsoft Office\spoolsv.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\explorer.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Defender\ja-JP\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\9e8d7a4ca61bd9 | DllCommonsvc.exe
Drops file in Windows directory (4 IoCs)

description | ioc | Process
File created | C:\Windows\L2Schemas\taskhostw.exe | DllCommonsvc.exe
File created | C:\Windows\L2Schemas\ea9f0e6c9e2dcd | DllCommonsvc.exe
File created | C:\Windows\ELAMBKUP\cmd.exe | DllCommonsvc.exe
File created | C:\Windows\ELAMBKUP\ebf1f9fa8afd6d | DllCommonsvc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 45 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

pid | Process
3400 | schtasks.exe
3396 | schtasks.exe
2188 | schtasks.exe
4924 | schtasks.exe
4476 | schtasks.exe
1360 | schtasks.exe
916 | schtasks.exe
2160 | schtasks.exe
2292 | schtasks.exe
1192 | schtasks.exe
2756 | schtasks.exe
3200 | schtasks.exe
3076 | schtasks.exe
4744 | schtasks.exe
1744 | schtasks.exe
1620 | schtasks.exe
204 | schtasks.exe
4596 | schtasks.exe
4900 | schtasks.exe
508 | schtasks.exe
1000 | schtasks.exe
60 | schtasks.exe
792 | schtasks.exe
1212 | schtasks.exe
3184 | schtasks.exe
656 | schtasks.exe
4660 | schtasks.exe
2392 | schtasks.exe
3796 | schtasks.exe
820 | schtasks.exe
188 | schtasks.exe
1332 | schtasks.exe
4464 | schtasks.exe
4500 | schtasks.exe
4704 | schtasks.exe
1848 | schtasks.exe
1584 | schtasks.exe
4760 | schtasks.exe
3412 | schtasks.exe
2208 | schtasks.exe
2480 | schtasks.exe
4772 | schtasks.exe
4752 | schtasks.exe
212 | schtasks.exe
304 | schtasks.exe
Modifies registry class (12 IoCs)

description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | 6993b53f85ba0f40bb7eb332e3eef3877751acd544a9b96f5792d23cde8fe44d.exe
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | dllhost.exe
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | dllhost.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)

pid | Process
1316 | DllCommonsvc.exe
1316 | DllCommonsvc.exe
1316 | DllCommonsvc.exe
1316 | DllCommonsvc.exe
1316 | DllCommonsvc.exe
1316 | DllCommonsvc.exe
1316 | DllCommonsvc.exe
1316 | DllCommonsvc.exe
1316 | DllCommonsvc.exe
1316 | DllCommonsvc.exe
2500 | powershell.exe
2500 | powershell.exe
2868 | powershell.exe
2868 | powershell.exe
2500 | powershell.exe
4980 | powershell.exe
4980 | powershell.exe
2868 | powershell.exe
1944 | powershell.exe
1944 | powershell.exe
4980 | powershell.exe
1944 | powershell.exe
2056 | powershell.exe
2056 | powershell.exe
2820 | powershell.exe
2820 | powershell.exe
2500 | powershell.exe
3904 | powershell.exe
3904 | powershell.exe
2868 | powershell.exe
2056 | powershell.exe
5024 | powershell.exe
5024 | powershell.exe
4688 | powershell.exe
4688 | powershell.exe
5040 | powershell.exe
5040 | powershell.exe
4568 | powershell.exe
4568 | powershell.exe
4980 | powershell.exe
4644 | powershell.exe
4644 | powershell.exe
3424 | powershell.exe
3424 | powershell.exe
5024 | powershell.exe
1944 | powershell.exe
3996 | powershell.exe
3996 | powershell.exe
3972 | powershell.exe
3972 | powershell.exe
3424 | powershell.exe
4688 | powershell.exe
2056 | powershell.exe
3996 | powershell.exe
2820 | powershell.exe
5024 | powershell.exe
3904 | powershell.exe
3704 | powershell.exe
3704 | powershell.exe
3996 | powershell.exe
4688 | powershell.exe
3424 | powershell.exe
5040 | powershell.exe
4568 | powershell.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)

description | pid | Process
Token: SeDebugPrivilege | 1316 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2500 | powershell.exe
Token: SeDebugPrivilege | 2868 | powershell.exe
Token: SeDebugPrivilege | 4980 | powershell.exe
Token: SeDebugPrivilege | 1944 | powershell.exe
Token: SeDebugPrivilege | 2056 | powershell.exe
Token: SeDebugPrivilege | 2820 | powershell.exe
Token: SeDebugPrivilege | 3904 | powershell.exe
Token: SeDebugPrivilege | 5024 | powershell.exe
Token: SeDebugPrivilege | 4688 | powershell.exe
Token: SeDebugPrivilege | 5040 | powershell.exe
Token: SeDebugPrivilege | 4568 | powershell.exe
Token: SeDebugPrivilege | 4644 | powershell.exe
Token: SeDebugPrivilege | 3424 | powershell.exe
Token: SeDebugPrivilege | 3996 | powershell.exe
Token: SeDebugPrivilege | 3972 | powershell.exe
Token: SeDebugPrivilege | 3704 | powershell.exe
Token: SeDebugPrivilege | 3060 | dllhost.exe
Token: SeIncreaseQuotaPrivilege | 1944 | powershell.exe
Token: SeSecurityPrivilege | 1944 | powershell.exe
Token: SeTakeOwnershipPrivilege | 1944 | powershell.exe
Token: SeLoadDriverPrivilege | 1944 | powershell.exe
Token: SeSystemProfilePrivilege | 1944 | powershell.exe
Token: SeSystemtimePrivilege | 1944 | powershell.exe
Token: SeProfSingleProcessPrivilege | 1944 | powershell.exe
Token: SeIncBasePriorityPrivilege | 1944 | powershell.exe
Token: SeCreatePagefilePrivilege | 1944 | powershell.exe
Token: SeBackupPrivilege | 1944 | powershell.exe
Token: SeRestorePrivilege | 1944 | powershell.exe
Token: SeShutdownPrivilege | 1944 | powershell.exe
Token: SeDebugPrivilege | 1944 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 1944 | powershell.exe
Token: SeRemoteShutdownPrivilege | 1944 | powershell.exe
Token: SeUndockPrivilege | 1944 | powershell.exe
Token: SeManageVolumePrivilege | 1944 | powershell.exe
Token: 33 | 1944 | powershell.exe
Token: 34 | 1944 | powershell.exe
Token: 35 | 1944 | powershell.exe
Token: 36 | 1944 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 2868 | powershell.exe
Token: SeSecurityPrivilege | 2868 | powershell.exe
Token: SeTakeOwnershipPrivilege | 2868 | powershell.exe
Token: SeLoadDriverPrivilege | 2868 | powershell.exe
Token: SeSystemProfilePrivilege | 2868 | powershell.exe
Token: SeSystemtimePrivilege | 2868 | powershell.exe
Token: SeProfSingleProcessPrivilege | 2868 | powershell.exe
Token: SeIncBasePriorityPrivilege | 2868 | powershell.exe
Token: SeCreatePagefilePrivilege | 2868 | powershell.exe
Token: SeBackupPrivilege | 2868 | powershell.exe
Token: SeRestorePrivilege | 2868 | powershell.exe
Token: SeShutdownPrivilege | 2868 | powershell.exe
Token: SeDebugPrivilege | 2868 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 2868 | powershell.exe
Token: SeRemoteShutdownPrivilege | 2868 | powershell.exe
Token: SeUndockPrivilege | 2868 | powershell.exe
Token: SeManageVolumePrivilege | 2868 | powershell.exe
Token: 33 | 2868 | powershell.exe
Token: 34 | 2868 | powershell.exe
Token: 35 | 2868 | powershell.exe
Token: 36 | 2868 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 4980 | powershell.exe
Token: SeSecurityPrivilege | 4980 | powershell.exe
Token: SeTakeOwnershipPrivilege | 4980 | powershell.exe
Token: SeLoadDriverPrivilege | 4980 | powershell.exe
Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target
PID 4248 wrote to memory of 3576 | 4248 | 6993b53f85ba0f40bb7eb332e3eef3877751acd544a9b96f5792d23cde8fe44d.exe | 66
PID 4248 wrote to memory of 3576 | 4248 | 6993b53f85ba0f40bb7eb332e3eef3877751acd544a9b96f5792d23cde8fe44d.exe | 66
PID 4248 wrote to memory of 3576 | 4248 | 6993b53f85ba0f40bb7eb332e3eef3877751acd544a9b96f5792d23cde8fe44d.exe | 66
PID 3576 wrote to memory of 4496 | 3576 | WScript.exe | 67
PID 3576 wrote to memory of 4496 | 3576 | WScript.exe | 67
PID 3576 wrote to memory of 4496 | 3576 | WScript.exe | 67
PID 4496 wrote to memory of 1316 | 4496 | cmd.exe | 69
PID 4496 wrote to memory of 1316 | 4496 | cmd.exe | 69
PID 1316 wrote to memory of 2500 | 1316 | DllCommonsvc.exe | 116
PID 1316 wrote to memory of 2500 | 1316 | DllCommonsvc.exe | 116
PID 1316 wrote to memory of 2868 | 1316 | DllCommonsvc.exe | 124
PID 1316 wrote to memory of 2868 | 1316 | DllCommonsvc.exe | 124
PID 1316 wrote to memory of 4980 | 1316 | DllCommonsvc.exe | 118
PID 1316 wrote to memory of 4980 | 1316 | DllCommonsvc.exe | 118
PID 1316 wrote to memory of 1944 | 1316 | DllCommonsvc.exe | 122
PID 1316 wrote to memory of 1944 | 1316 | DllCommonsvc.exe | 122
PID 1316 wrote to memory of 2056 | 1316 | DllCommonsvc.exe | 120
PID 1316 wrote to memory of 2056 | 1316 | DllCommonsvc.exe | 120
PID 1316 wrote to memory of 2820 | 1316 | DllCommonsvc.exe | 128
PID 1316 wrote to memory of 2820 | 1316 | DllCommonsvc.exe | 128
PID 1316 wrote to memory of 3904 | 1316 | DllCommonsvc.exe | 127
PID 1316 wrote to memory of 3904 | 1316 | DllCommonsvc.exe | 127
PID 1316 wrote to memory of 4688 | 1316 | DllCommonsvc.exe | 130
PID 1316 wrote to memory of 4688 | 1316 | DllCommonsvc.exe | 130
PID 1316 wrote to memory of 5024 | 1316 | DllCommonsvc.exe | 147
PID 1316 wrote to memory of 5024 | 1316 | DllCommonsvc.exe | 147
PID 1316 wrote to memory of 5040 | 1316 | DllCommonsvc.exe | 146
PID 1316 wrote to memory of 5040 | 1316 | DllCommonsvc.exe | 146
PID 1316 wrote to memory of 4568 | 1316 | DllCommonsvc.exe | 133
PID 1316 wrote to memory of 4568 | 1316 | DllCommonsvc.exe | 133
PID 1316 wrote to memory of 4644 | 1316 | DllCommonsvc.exe | 134
PID 1316 wrote to memory of 4644 | 1316 | DllCommonsvc.exe | 134
PID 1316 wrote to memory of 3424 | 1316 | DllCommonsvc.exe | 135
PID 1316 wrote to memory of 3424 | 1316 | DllCommonsvc.exe | 135
PID 1316 wrote to memory of 3704 | 1316 | DllCommonsvc.exe | 136
PID 1316 wrote to memory of 3704 | 1316 | DllCommonsvc.exe | 136
PID 1316 wrote to memory of 3972 | 1316 | DllCommonsvc.exe | 143
PID 1316 wrote to memory of 3972 | 1316 | DllCommonsvc.exe | 143
PID 1316 wrote to memory of 3996 | 1316 | DllCommonsvc.exe | 139
PID 1316 wrote to memory of 3996 | 1316 | DllCommonsvc.exe | 139
PID 1316 wrote to memory of 3060 | 1316 | DllCommonsvc.exe | 148
PID 1316 wrote to memory of 3060 | 1316 | DllCommonsvc.exe | 148
PID 3060 wrote to memory of 5472 | 3060 | dllhost.exe | 150
PID 3060 wrote to memory of 5472 | 3060 | dllhost.exe | 150
PID 5472 wrote to memory of 5528 | 5472 | cmd.exe | 152
PID 5472 wrote to memory of 5528 | 5472 | cmd.exe | 152
PID 5472 wrote to memory of 5704 | 5472 | cmd.exe | 153
PID 5472 wrote to memory of 5704 | 5472 | cmd.exe | 153
PID 5704 wrote to memory of 5812 | 5704 | dllhost.exe | 154
PID 5704 wrote to memory of 5812 | 5704 | dllhost.exe | 154
PID 5812 wrote to memory of 5868 | 5812 | cmd.exe | 156
PID 5812 wrote to memory of 5868 | 5812 | cmd.exe | 156
PID 5812 wrote to memory of 5888 | 5812 | cmd.exe | 157
PID 5812 wrote to memory of 5888 | 5812 | cmd.exe | 157
PID 5888 wrote to memory of 5996 | 5888 | dllhost.exe | 158
PID 5888 wrote to memory of 5996 | 5888 | dllhost.exe | 158
PID 5996 wrote to memory of 6052 | 5996 | cmd.exe | 160
PID 5996 wrote to memory of 6052 | 5996 | cmd.exe | 160
PID 5996 wrote to memory of 6072 | 5996 | cmd.exe | 161
PID 5996 wrote to memory of 6072 | 5996 | cmd.exe | 161
PID 6072 wrote to memory of 5200 | 6072 | dllhost.exe | 162
PID 6072 wrote to memory of 5200 | 6072 | dllhost.exe | 162
PID 5200 wrote to memory of 5260 | 5200 | cmd.exe | 164
PID 5200 wrote to memory of 5260 | 5200 | cmd.exe | 164
Processes (tree depth in brackets)

[1] C:\Users\Admin\AppData\Local\Temp\6993b53f85ba0f40bb7eb332e3eef3877751acd544a9b96f5792d23cde8fe44d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6993b53f85ba0f40bb7eb332e3eef3877751acd544a9b96f5792d23cde8fe44d.exe"
    PID: 4248
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

[2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    PID: 3576
    - Suspicious use of WriteProcessMemory

[3] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    PID: 4496
    - Suspicious use of WriteProcessMemory

[4] C:\providercommon\DllCommonsvc.exe
    Command line: "C:\providercommon\DllCommonsvc.exe"
    PID: 1316
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    PID: 2500
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ELAMBKUP\cmd.exe'
    PID: 4980
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\explorer.exe'
    PID: 2056
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
    PID: 1944
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\spoolsv.exe'
    PID: 2868
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
    PID: 3904
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\My Documents\csrss.exe'
    PID: 2820
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SearchUI.exe'
    PID: 4688
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe'
    PID: 4568
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'
    PID: 4644
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SearchUI.exe'
    PID: 3424
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'
    PID: 3704
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\taskhostw.exe'
    PID: 3996
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
    PID: 3972
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
    PID: 5040
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\csrss.exe'
    PID: 5024
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\providercommon\dllhost.exe
    Command line: "C:\providercommon\dllhost.exe"
    PID: 3060
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[6] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtQmBjXbDh.bat"
    PID: 5472
    - Suspicious use of WriteProcessMemory

[7] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 5528

[7] C:\providercommon\dllhost.exe
    Command line: "C:\providercommon\dllhost.exe"
    PID: 5704
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

[8] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat"
    PID: 5812
    - Suspicious use of WriteProcessMemory

[9] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 5868

[9] C:\providercommon\dllhost.exe
    Command line: "C:\providercommon\dllhost.exe"
    PID: 5888
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

[10] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H7kUlUtrsw.bat"
    PID: 5996
    - Suspicious use of WriteProcessMemory

[11] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 6052

[11] C:\providercommon\dllhost.exe
    Command line: "C:\providercommon\dllhost.exe"
    PID: 6072
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

[12] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lLU0orPlEL.bat"
    PID: 5200
    - Suspicious use of WriteProcessMemory

[13] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 5260

[13] C:\providercommon\dllhost.exe
    Command line: "C:\providercommon\dllhost.exe"
    PID: 5276
    - Executes dropped EXE
    - Modifies registry class

[14] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gTQuRhIyam.bat"
    PID: 4716

[15] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 5344

[15] C:\providercommon\dllhost.exe
    Command line: "C:\providercommon\dllhost.exe"
    PID: 5536
    - Executes dropped EXE
    - Modifies registry class

[16] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat"
    PID: 1464

[17] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 4448

[17] C:\providercommon\dllhost.exe
    Command line: "C:\providercommon\dllhost.exe"
    PID: 4456
    - Executes dropped EXE
    - Modifies registry class

[18] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B4BP5ZSgoJ.bat"
    PID: 3212

[19] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 4732

[19] C:\providercommon\dllhost.exe
    Command line: "C:\providercommon\dllhost.exe"
    PID: 5600
    - Executes dropped EXE
    - Modifies registry class

[20] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat"
    PID: 4076

[21] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 388

[21] C:\providercommon\dllhost.exe
    Command line: "C:\providercommon\dllhost.exe"
    PID: 4676
    - Executes dropped EXE
    - Modifies registry class

[22] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AsgPmp9HNF.bat"
    PID: 5012

[23] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 4904

[23] C:\providercommon\dllhost.exe
    Command line: "C:\providercommon\dllhost.exe"
    PID: 1836
    - Executes dropped EXE
    - Modifies registry class

[24] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat"
    PID: 696

[25] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 3904

[25] C:\providercommon\dllhost.exe
    Command line: "C:\providercommon\dllhost.exe"
    PID: 3076
    - Executes dropped EXE
    - Modifies registry class

[26] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat"
    PID: 4544

[27] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 5068
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\spoolsv.exe'" /f
    PID: 4596
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\spoolsv.exe'" /rl HIGHEST /f
    PID: 4924
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\spoolsv.exe'" /rl HIGHEST /f
    PID: 4900
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Windows\ELAMBKUP\cmd.exe'" /f
    PID: 508
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\ELAMBKUP\cmd.exe'" /rl HIGHEST /f
    PID: 4476
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Windows\ELAMBKUP\cmd.exe'" /rl HIGHEST /f
    PID: 4464
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dllhost.exe'" /f
    PID: 1000
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
    PID: 4500
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
    PID: 3184
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\explorer.exe'" /f
    PID: 3200
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\explorer.exe'" /rl HIGHEST /f
    PID: 3076
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\explorer.exe'" /rl HIGHEST /f
    PID: 656
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\My Documents\csrss.exe'" /f
    PID: 4772
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\csrss.exe'" /rl HIGHEST /f
    PID: 4760
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\My Documents\csrss.exe'" /rl HIGHEST /f
    PID: 4704
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
    PID: 4744
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
    PID: 4752
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
    PID: 4660
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 7 /tr "'C:\providercommon\SearchUI.exe'" /f
    PID: 1360
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\providercommon\SearchUI.exe'" /rl HIGHEST /f
    PID: 60
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 9 /tr "'C:\providercommon\SearchUI.exe'" /rl HIGHEST /f
    PID: 916
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\odt\csrss.exe'" /f
    PID: 820
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
    PID: 1848
    - Process spawned unexpected child process
    - Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\providercommon\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2392
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1192
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 13 /tr "'C:\providercommon\SearchUI.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3400
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\providercommon\SearchUI.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 14 /tr "'C:\providercommon\SearchUI.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3412
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:188
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:204
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\providercommon\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2208
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2756
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\L2Schemas\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1212
Downloads