Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-1703_x64
resource: win10-20220901-en
resource tags: arch:x64 arch:x86 image:win10-20220901-en locale:en-us os:windows10-1703-x64 system
submitted: 01/11/2022, 11:44
Behavioral task: behavioral1
Sample: ec5d8d161c944c4ff60d09baa4ad9f1bec43103a026329d3ec415988ee87044f.exe
Resource: win10-20220901-en
General
Target: ec5d8d161c944c4ff60d09baa4ad9f1bec43103a026329d3ec415988ee87044f.exe
Size: 1.3MB
MD5: 00f072b7583feca960966f047ba7739c
SHA1: a8e568a2684fc83dfd03c488f373e8e366db17d0
SHA256: ec5d8d161c944c4ff60d09baa4ad9f1bec43103a026329d3ec415988ee87044f
SHA512: 7fcd53ae8af8a923ec0bf0cc3d88b8c06c4ee0dd872b26ecfee8d916ee0e0101f6e1163847e34c15b2face2fc19c84007e9b74a5f7497965c32e3338039163e0
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5028 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4440 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4424 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2780 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4432 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2736 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4452 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4760 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4468 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4844 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4684 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4688 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4620 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3768 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4884 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4868 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1892 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4856 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3828 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 460 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4708 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3172 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1640 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1920 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 672 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 536 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 448 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 620 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1680 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1204 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1180 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1648 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1536 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1076 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 920 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1368 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4796 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4908 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 32 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 328 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 224 | 5084 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 208 | 5084 | schtasks.exe | 70
resource | yara_rule
behavioral1/files/0x000800000001abc2-284.dat | dcrat
behavioral1/files/0x000800000001abc2-285.dat | dcrat
behavioral1/memory/3152-286-0x00000000001B0000-0x00000000002C0000-memory.dmp | dcrat
behavioral1/files/0x000600000001abf7-586.dat | dcrat
behavioral1/files/0x000600000001abf7-587.dat | dcrat
behavioral1/files/0x000600000001abf7-917.dat | dcrat
behavioral1/files/0x000600000001abf7-923.dat | dcrat
behavioral1/files/0x000600000001abf7-928.dat | dcrat
behavioral1/files/0x000600000001abf7-933.dat | dcrat
behavioral1/files/0x000600000001abf7-938.dat | dcrat
behavioral1/files/0x000600000001abf7-943.dat | dcrat
behavioral1/files/0x000600000001abf7-948.dat | dcrat
behavioral1/files/0x000600000001abf7-953.dat | dcrat
behavioral1/files/0x000600000001abf7-958.dat | dcrat
Executes dropped EXE 11 IoCs
pid | Process
3152 | DllCommonsvc.exe
1808 | spoolsv.exe
5408 | spoolsv.exe
5596 | spoolsv.exe
5772 | spoolsv.exe
5944 | spoolsv.exe
6124 | spoolsv.exe
4332 | spoolsv.exe
1884 | spoolsv.exe
4460 | spoolsv.exe
4956 | spoolsv.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Drops file in Program Files directory 12 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchUI.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Multimedia Platform\System.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Multimedia Platform\27d1bcfc3c54e0 | DllCommonsvc.exe
File created | C:\Program Files\Uninstall Information\0a1fd5f707cd16 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.71\Idle.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\5b884080fd4f94 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.71\6ccacd8608530f | DllCommonsvc.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\dab4d89cac03ec | DllCommonsvc.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\RuntimeBroker.exe | DllCommonsvc.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\9e8d7a4ca61bd9 | DllCommonsvc.exe
File created | C:\Program Files\Uninstall Information\sppsvc.exe | DllCommonsvc.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\fontdrvhost.exe | DllCommonsvc.exe
File created | C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\5b884080fd4f94 | DllCommonsvc.exe
File created | C:\Windows\Logs\HomeGroup\sihost.exe | DllCommonsvc.exe
File created | C:\Windows\Logs\HomeGroup\66fc9ff0ee96c2 | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1180 | schtasks.exe
5028 | schtasks.exe
4440 | schtasks.exe
4468 | schtasks.exe
620 | schtasks.exe
1204 | schtasks.exe
4452 | schtasks.exe
3768 | schtasks.exe
1640 | schtasks.exe
4884 | schtasks.exe
4868 | schtasks.exe
3828 | schtasks.exe
460 | schtasks.exe
3172 | schtasks.exe
4424 | schtasks.exe
2780 | schtasks.exe
4432 | schtasks.exe
672 | schtasks.exe
1536 | schtasks.exe
328 | schtasks.exe
4620 | schtasks.exe
1892 | schtasks.exe
4856 | schtasks.exe
4708 | schtasks.exe
1368 | schtasks.exe
2736 | schtasks.exe
4684 | schtasks.exe
4688 | schtasks.exe
32 | schtasks.exe
224 | schtasks.exe
448 | schtasks.exe
1680 | schtasks.exe
920 | schtasks.exe
4796 | schtasks.exe
1076 | schtasks.exe
208 | schtasks.exe
4760 | schtasks.exe
4844 | schtasks.exe
1920 | schtasks.exe
536 | schtasks.exe
1648 | schtasks.exe
4908 | schtasks.exe
Modifies registry class 12 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | ec5d8d161c944c4ff60d09baa4ad9f1bec43103a026329d3ec415988ee87044f.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | DllCommonsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | spoolsv.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | spoolsv.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | spoolsv.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | spoolsv.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | spoolsv.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | spoolsv.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | spoolsv.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | spoolsv.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | spoolsv.exe
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | spoolsv.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3152 | DllCommonsvc.exe
2832 | powershell.exe
2832 | powershell.exe
2236 | powershell.exe
2236 | powershell.exe
2200 | powershell.exe
2200 | powershell.exe
2172 | powershell.exe
2172 | powershell.exe
816 | powershell.exe
816 | powershell.exe
4836 | powershell.exe
4836 | powershell.exe
2776 | powershell.exe
2776 | powershell.exe
2608 | powershell.exe
2608 | powershell.exe
2356 | powershell.exe
2356 | powershell.exe
3800 | powershell.exe
3800 | powershell.exe
2132 | powershell.exe
2132 | powershell.exe
4948 | powershell.exe
4948 | powershell.exe
4264 | powershell.exe
4264 | powershell.exe
972 | powershell.exe
972 | powershell.exe
1848 | powershell.exe
1848 | powershell.exe
2132 | powershell.exe
2832 | powershell.exe
2236 | powershell.exe
2200 | powershell.exe
2172 | powershell.exe
4836 | powershell.exe
816 | powershell.exe
4948 | powershell.exe
3800 | powershell.exe
2356 | powershell.exe
2776 | powershell.exe
2608 | powershell.exe
972 | powershell.exe
4264 | powershell.exe
1848 | powershell.exe
2132 | powershell.exe
2832 | powershell.exe
2832 | powershell.exe
2236 | powershell.exe
2236 | powershell.exe
2200 | powershell.exe
2200 | powershell.exe
2172 | powershell.exe
2172 | powershell.exe
972 | powershell.exe
3800 | powershell.exe
1848 | powershell.exe
4264 | powershell.exe
816 | powershell.exe
816 | powershell.exe
4836 | powershell.exe
4948 | powershell.exe
2356 | powershell.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3152 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2832 | powershell.exe
Token: SeDebugPrivilege | 2236 | powershell.exe
Token: SeDebugPrivilege | 2200 | powershell.exe
Token: SeDebugPrivilege | 2172 | powershell.exe
Token: SeDebugPrivilege | 816 | powershell.exe
Token: SeDebugPrivilege | 4836 | powershell.exe
Token: SeDebugPrivilege | 2776 | powershell.exe
Token: SeDebugPrivilege | 2608 | powershell.exe
Token: SeDebugPrivilege | 2356 | powershell.exe
Token: SeDebugPrivilege | 3800 | powershell.exe
Token: SeDebugPrivilege | 2132 | powershell.exe
Token: SeDebugPrivilege | 4948 | powershell.exe
Token: SeDebugPrivilege | 4264 | powershell.exe
Token: SeDebugPrivilege | 972 | powershell.exe
Token: SeDebugPrivilege | 1848 | powershell.exe
Token: SeDebugPrivilege | 1808 | spoolsv.exe
Token: SeIncreaseQuotaPrivilege | 2832 | powershell.exe
Token: SeSecurityPrivilege | 2832 | powershell.exe
Token: SeTakeOwnershipPrivilege | 2832 | powershell.exe
Token: SeLoadDriverPrivilege | 2832 | powershell.exe
Token: SeSystemProfilePrivilege | 2832 | powershell.exe
Token: SeSystemtimePrivilege | 2832 | powershell.exe
Token: SeProfSingleProcessPrivilege | 2832 | powershell.exe
Token: SeIncBasePriorityPrivilege | 2832 | powershell.exe
Token: SeCreatePagefilePrivilege | 2832 | powershell.exe
Token: SeBackupPrivilege | 2832 | powershell.exe
Token: SeRestorePrivilege | 2832 | powershell.exe
Token: SeShutdownPrivilege | 2832 | powershell.exe
Token: SeDebugPrivilege | 2832 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 2832 | powershell.exe
Token: SeRemoteShutdownPrivilege | 2832 | powershell.exe
Token: SeUndockPrivilege | 2832 | powershell.exe
Token: SeManageVolumePrivilege | 2832 | powershell.exe
Token: 33 | 2832 | powershell.exe
Token: 34 | 2832 | powershell.exe
Token: 35 | 2832 | powershell.exe
Token: 36 | 2832 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 2132 | powershell.exe
Token: SeSecurityPrivilege | 2132 | powershell.exe
Token: SeTakeOwnershipPrivilege | 2132 | powershell.exe
Token: SeLoadDriverPrivilege | 2132 | powershell.exe
Token: SeSystemProfilePrivilege | 2132 | powershell.exe
Token: SeSystemtimePrivilege | 2132 | powershell.exe
Token: SeProfSingleProcessPrivilege | 2132 | powershell.exe
Token: SeIncBasePriorityPrivilege | 2132 | powershell.exe
Token: SeCreatePagefilePrivilege | 2132 | powershell.exe
Token: SeBackupPrivilege | 2132 | powershell.exe
Token: SeRestorePrivilege | 2132 | powershell.exe
Token: SeShutdownPrivilege | 2132 | powershell.exe
Token: SeDebugPrivilege | 2132 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 2132 | powershell.exe
Token: SeRemoteShutdownPrivilege | 2132 | powershell.exe
Token: SeUndockPrivilege | 2132 | powershell.exe
Token: SeManageVolumePrivilege | 2132 | powershell.exe
Token: 33 | 2132 | powershell.exe
Token: 34 | 2132 | powershell.exe
Token: 35 | 2132 | powershell.exe
Token: 36 | 2132 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 2236 | powershell.exe
Token: SeSecurityPrivilege | 2236 | powershell.exe
Token: SeTakeOwnershipPrivilege | 2236 | powershell.exe
Token: SeLoadDriverPrivilege | 2236 | powershell.exe
Token: SeSystemProfilePrivilege | 2236 | powershell.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2652 wrote to memory of 1980 | 2652 | ec5d8d161c944c4ff60d09baa4ad9f1bec43103a026329d3ec415988ee87044f.exe | 66
PID 2652 wrote to memory of 1980 | 2652 | ec5d8d161c944c4ff60d09baa4ad9f1bec43103a026329d3ec415988ee87044f.exe | 66
PID 2652 wrote to memory of 1980 | 2652 | ec5d8d161c944c4ff60d09baa4ad9f1bec43103a026329d3ec415988ee87044f.exe | 66
PID 1980 wrote to memory of 4556 | 1980 | WScript.exe | 67
PID 1980 wrote to memory of 4556 | 1980 | WScript.exe | 67
PID 1980 wrote to memory of 4556 | 1980 | WScript.exe | 67
PID 4556 wrote to memory of 3152 | 4556 | cmd.exe | 69
PID 4556 wrote to memory of 3152 | 4556 | cmd.exe | 69
PID 3152 wrote to memory of 2236 | 3152 | DllCommonsvc.exe | 113
PID 3152 wrote to memory of 2236 | 3152 | DllCommonsvc.exe | 113
PID 3152 wrote to memory of 2200 | 3152 | DllCommonsvc.exe | 142
PID 3152 wrote to memory of 2200 | 3152 | DllCommonsvc.exe | 142
PID 3152 wrote to memory of 2832 | 3152 | DllCommonsvc.exe | 141
PID 3152 wrote to memory of 2832 | 3152 | DllCommonsvc.exe | 141
PID 3152 wrote to memory of 4836 | 3152 | DllCommonsvc.exe | 140
PID 3152 wrote to memory of 4836 | 3152 | DllCommonsvc.exe | 140
PID 3152 wrote to memory of 2172 | 3152 | DllCommonsvc.exe | 116
PID 3152 wrote to memory of 2172 | 3152 | DllCommonsvc.exe | 116
PID 3152 wrote to memory of 816 | 3152 | DllCommonsvc.exe | 127
PID 3152 wrote to memory of 816 | 3152 | DllCommonsvc.exe | 127
PID 3152 wrote to memory of 2776 | 3152 | DllCommonsvc.exe | 117
PID 3152 wrote to memory of 2776 | 3152 | DllCommonsvc.exe | 117
PID 3152 wrote to memory of 2608 | 3152 | DllCommonsvc.exe | 118
PID 3152 wrote to memory of 2608 | 3152 | DllCommonsvc.exe | 118
PID 3152 wrote to memory of 2356 | 3152 | DllCommonsvc.exe | 120
PID 3152 wrote to memory of 2356 | 3152 | DllCommonsvc.exe | 120
PID 3152 wrote to memory of 3800 | 3152 | DllCommonsvc.exe | 124
PID 3152 wrote to memory of 3800 | 3152 | DllCommonsvc.exe | 124
PID 3152 wrote to memory of 2132 | 3152 | DllCommonsvc.exe | 123
PID 3152 wrote to memory of 2132 | 3152 | DllCommonsvc.exe | 123
PID 3152 wrote to memory of 4948 | 3152 | DllCommonsvc.exe | 128
PID 3152 wrote to memory of 4948 | 3152 | DllCommonsvc.exe | 128
PID 3152 wrote to memory of 4264 | 3152 | DllCommonsvc.exe | 129
PID 3152 wrote to memory of 4264 | 3152 | DllCommonsvc.exe | 129
PID 3152 wrote to memory of 972 | 3152 | DllCommonsvc.exe | 130
PID 3152 wrote to memory of 972 | 3152 | DllCommonsvc.exe | 130
PID 3152 wrote to memory of 1848 | 3152 | DllCommonsvc.exe | 132
PID 3152 wrote to memory of 1848 | 3152 | DllCommonsvc.exe | 132
PID 3152 wrote to memory of 4416 | 3152 | DllCommonsvc.exe | 143
PID 3152 wrote to memory of 4416 | 3152 | DllCommonsvc.exe | 143
PID 4416 wrote to memory of 212 | 4416 | cmd.exe | 145
PID 4416 wrote to memory of 212 | 4416 | cmd.exe | 145
PID 4416 wrote to memory of 1808 | 4416 | cmd.exe | 146
PID 4416 wrote to memory of 1808 | 4416 | cmd.exe | 146
PID 1808 wrote to memory of 5128 | 1808 | spoolsv.exe | 148
PID 1808 wrote to memory of 5128 | 1808 | spoolsv.exe | 148
PID 5128 wrote to memory of 5232 | 5128 | cmd.exe | 150
PID 5128 wrote to memory of 5232 | 5128 | cmd.exe | 150
PID 5128 wrote to memory of 5408 | 5128 | cmd.exe | 151
PID 5128 wrote to memory of 5408 | 5128 | cmd.exe | 151
PID 5408 wrote to memory of 5516 | 5408 | spoolsv.exe | 152
PID 5408 wrote to memory of 5516 | 5408 | spoolsv.exe | 152
PID 5516 wrote to memory of 5572 | 5516 | cmd.exe | 154
PID 5516 wrote to memory of 5572 | 5516 | cmd.exe | 154
PID 5516 wrote to memory of 5596 | 5516 | cmd.exe | 155
PID 5516 wrote to memory of 5596 | 5516 | cmd.exe | 155
PID 5596 wrote to memory of 5696 | 5596 | spoolsv.exe | 156
PID 5596 wrote to memory of 5696 | 5596 | spoolsv.exe | 156
PID 5696 wrote to memory of 5752 | 5696 | cmd.exe | 158
PID 5696 wrote to memory of 5752 | 5696 | cmd.exe | 158
PID 5696 wrote to memory of 5772 | 5696 | cmd.exe | 159
PID 5696 wrote to memory of 5772 | 5696 | cmd.exe | 159
PID 5772 wrote to memory of 5868 | 5772 | spoolsv.exe | 160
PID 5772 wrote to memory of 5868 | 5772 | spoolsv.exe | 160
Processes
Image: C:\Users\Admin\AppData\Local\Temp\ec5d8d161c944c4ff60d09baa4ad9f1bec43103a026329d3ec415988ee87044f.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ec5d8d161c944c4ff60d09baa4ad9f1bec43103a026329d3ec415988ee87044f.exe"
Level: 1
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2652

Image: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
Level: 2
- Suspicious use of WriteProcessMemory
PID: 1980

Image: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
Level: 3
- Suspicious use of WriteProcessMemory
PID: 4556

Image: C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
Level: 4
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3152

Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
Level: 5
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2236

Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\sppsvc.exe'
Level: 5
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2172

Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\fontdrvhost.exe'
Level: 5
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2776

Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\My Videos\System.exe'
Level: 5
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2608

Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\HomeGroup\sihost.exe'
Level: 5
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2356

Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe'
Level: 5
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2132

Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\1.3.36.71\Idle.exe'
Level: 5
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3800

Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
Level: 5
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 816

Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchUI.exe'
Level: 5
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4948

Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
Level: 5
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4264

Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\System.exe'
Level: 5
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 972

Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\sihost.exe'
Level: 5
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1848

Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\ShellExperienceHost.exe'
Level: 5
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4836

Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\RuntimeBroker.exe'
Level: 5
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2832

Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
Level: 5
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2200

Image: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PWgslm4zbP.bat"
Level: 5
- Suspicious use of WriteProcessMemory
PID: 4416

Image: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Level: 6
PID: 212

Image: C:\providercommon\spoolsv.exe
Command line: "C:\providercommon\spoolsv.exe"
Level: 6
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1808

Image: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat"
Level: 7
- Suspicious use of WriteProcessMemory
PID: 5128

Image: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Level: 8
PID: 5232

Image: C:\providercommon\spoolsv.exe
Command line: "C:\providercommon\spoolsv.exe"
Level: 8
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 5408

Image: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\be8zRZs4e0.bat"
Level: 9
- Suspicious use of WriteProcessMemory
PID: 5516

Image: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Level: 10
PID: 5572

Image: C:\providercommon\spoolsv.exe
Command line: "C:\providercommon\spoolsv.exe"
Level: 10
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 5596

Image: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat"
Level: 11
- Suspicious use of WriteProcessMemory
PID: 5696

Image: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Level: 12
PID: 5752

Image: C:\providercommon\spoolsv.exe
Command line: "C:\providercommon\spoolsv.exe"
Level: 12
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 5772

Image: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat"
Level: 13
PID: 5868

Image: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Level: 14
PID: 5924

Image: C:\providercommon\spoolsv.exe
Command line: "C:\providercommon\spoolsv.exe"
Level: 14
- Executes dropped EXE
- Modifies registry class
PID: 5944

Image: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat"
Level: 15
PID: 6044

Image: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Level: 16
PID: 6100

Image: C:\providercommon\spoolsv.exe
Command line: "C:\providercommon\spoolsv.exe"
Level: 16
- Executes dropped EXE
- Modifies registry class
PID: 6124

Image: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat"
Level: 17
PID: 5140

Image: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Level: 18
PID: 5264

Image: C:\providercommon\spoolsv.exe
Command line: "C:\providercommon\spoolsv.exe"
Level: 18
- Executes dropped EXE
- Modifies registry class
PID: 4332

Image: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat"
Level: 19
PID: 4924

Image: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Level: 20
PID: 4256

Image: C:\providercommon\spoolsv.exe
Command line: "C:\providercommon\spoolsv.exe"
Level: 20
- Executes dropped EXE
- Modifies registry class
PID: 1884

Image: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat"
Level: 21
PID: 2832

Image: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Level: 22
PID: 5308

Image: C:\providercommon\spoolsv.exe
Command line: "C:\providercommon\spoolsv.exe"
Level: 22
- Executes dropped EXE
- Modifies registry class
PID: 4460

Image: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat"
Level: 23
PID: 5332

Image: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Level: 24
PID: 4808

Image: C:\providercommon\spoolsv.exe
Command line: "C:\providercommon\spoolsv.exe"
Level: 24
- Executes dropped EXE
- Modifies registry class
PID: 4956

Image: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zGIMjSYhT8.bat"
Level: 25
PID: 1528

Image: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Level: 26
PID: 3684

Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 5028

Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4440

Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4424

Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\RuntimeBroker.exe'" /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2780

Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\RuntimeBroker.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4432

Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\RuntimeBroker.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2736

Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\providercommon\ShellExperienceHost.exe'" /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4452

Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\providercommon\ShellExperienceHost.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4760

Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\providercommon\ShellExperienceHost.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4468

Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4844

Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4684

Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4688

Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\providercommon\fontdrvhost.exe'" /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4620

Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3768

Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4884

Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\fontdrvhost.exe'" /f
Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1892
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4856
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Documents\My Videos\System.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3828
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Videos\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:460
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Documents\My Videos\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4708
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Windows\Logs\HomeGroup\sihost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3172
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Logs\HomeGroup\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1640
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\HomeGroup\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1920
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.71\Idle.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:672
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.71\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:536
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.71\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:448
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:620
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1204
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchUI.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1180
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchUI.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchUI.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\providercommon\spoolsv.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1076
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:920
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1368
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\System.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4796
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4908
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:32
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Templates\sihost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:328
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\All Users\Templates\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:224
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Templates\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:208
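The process tree above repeats one persistence pattern for every dropped copy of the payload: a MINUTE task without a run level, an ONLOGON task with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST that reuses the first task's name. Because every call passes /f, a later /create with the same name replaces the earlier one, so the task set that actually survives on the host is smaller than the number of schtasks invocations (the "fontdrvhostf", "SystemS" and "sihosts" names, for example, are each defined for more than one drop path and only the last definition remains). The following Python is an added example for this page, not code from the sandbox, from DcRat or from the sample: it parses a handful of the command lines copied from the tree (plus one constructed benign wbadmin line as a negative control), keeps the definition that survives each overwrite, and flags the indicators a responder would act on. The expected-directory table, the list of stock roots and odd drop locations, and the 15-minute respawn threshold are assumptions for this example and should be tuned per environment.

```python
"""Triage the schtasks.exe /create lines from the process tree above. Added example
for this page; it is not code from the sandbox, from DcRat or from the sample."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: command lines copied from the process tree above, plus one
# constructed benign line (wbadmin) so the checks have a negative case.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\providercommon\ShellExperienceHost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /f''',
    r'''schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Documents\My Videos\System.exe'" /f''',
    r'''schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Logs\HomeGroup\sihost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.71\Idle.exe'" /f''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Windows\System32\wbadmin.exe start backup" /f''',
]

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')  # cmd.exe-style tokens: quoted or bare
EXE_RE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)
VALUE_FLAGS = {"/tn", "/sc", "/mo", "/tr", "/rl", "/st", "/ru", "/rp"}

# Assumptions for this example (tune per environment): where these binary names live
# on a stock Windows 10 host, which drive roots are unremarkable on their own, which
# locations are not, and the respawn interval worth flagging.
SYSTEM32, SYSTEMAPPS = r"c:\windows\system32", r"c:\windows\systemapps"
EXPECTED_DIR = {
    "sppsvc.exe": SYSTEM32, "fontdrvhost.exe": SYSTEM32, "sihost.exe": SYSTEM32, "spoolsv.exe": SYSTEM32,
    "searchui.exe": SYSTEMAPPS, "shellexperiencehost.exe": SYSTEMAPPS,
    "system.exe": None, "idle.exe": None,  # kernel pseudo-processes: no on-disk binary exists
}
STOCK_ROOTS = tuple(p + "\\" for p in (r"c:\windows", r"c:\program files", r"c:\program files (x86)", r"c:\users", r"c:\programdata"))
ODD_LOCATIONS = tuple(p + "\\" for p in (r"c:\users\default", r"c:\users\all users", r"c:\windows\softwaredistribution\download", r"c:\windows\logs"))
SHORT_INTERVAL_MIN = 15

@dataclass
class TaskDef:
    name: str
    schedule: str            # ONLOGON, MINUTE, DAILY, ...
    modifier: Optional[int]  # /mo value, e.g. 5 for "every 5 minutes"
    run_level: str           # schtasks defaults to LIMITED when /rl is absent
    exe: str                 # executable part of the /tr action
    single_quoted: bool      # /tr was "'...'" (as on every line of this report)

def parse_create(cmdline: str) -> TaskDef:
    """Parse one `schtasks /create` command line into a TaskDef."""
    tokens = [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]
    opts = {f.lower(): v for f, v in zip(tokens, tokens[1:]) if f.lower() in VALUE_FLAGS}
    if "/create" not in (t.lower() for t in tokens) or "/tr" not in opts:
        raise ValueError(f"not a schtasks /create line: {cmdline!r}")
    single_quoted = opts["/tr"][:1] == "'" == opts["/tr"][-1:]
    action = opts["/tr"][1:-1] if single_quoted else opts["/tr"]
    exe_match, mo = EXE_RE.match(action), opts.get("/mo")
    return TaskDef(
        name=opts.get("/tn", ""),
        schedule=opts.get("/sc", "").upper(),
        modifier=int(mo) if mo and mo.isdigit() else None,
        run_level=opts.get("/rl", "LIMITED").upper(),
        exe=exe_match.group(1) if exe_match else action,
        single_quoted=single_quoted,
    )

def effective_tasks(cmdlines: List[str]) -> Dict[str, TaskDef]:
    """`schtasks /create ... /f` overwrites an existing task of the same name,
    so only the last definition per name is what actually persists on the host."""
    return {task.name.lower(): task for task in map(parse_create, cmdlines)}

def assess(task: TaskDef) -> List[str]:
    """Persistence indicators found on one task (empty list if none)."""
    findings: List[str] = []
    exe = task.exe.lower()
    base = exe.rsplit("\\", 1)[-1]
    if base in EXPECTED_DIR:
        home = EXPECTED_DIR[base]
        if home is None:
            findings.append(f"{base} mimics a kernel pseudo-process that has no on-disk binary")
        elif not exe.startswith(home + "\\"):
            findings.append(f"{base} is a system binary name outside {home}")
    if exe.startswith(ODD_LOCATIONS) or not exe.startswith(STOCK_ROOTS):
        findings.append("executable in an unusual drop location")
    if task.run_level == "HIGHEST":
        findings.append("/rl HIGHEST requested")
    if task.schedule == "MINUTE" and task.modifier is not None and task.modifier <= SHORT_INTERVAL_MIN:
        findings.append(f"re-launched every {task.modifier} min")
    if task.single_quoted:
        findings.append("action wrapped as \"'...'\"")
    return findings

def triage(cmdlines: List[str]) -> Dict[str, dict]:
    """Surviving tasks with findings, keyed by name, plus the matching removal command."""
    report: Dict[str, dict] = {}
    for task in effective_tasks(cmdlines).values():
        findings = assess(task)
        if findings:
            report[task.name] = {"exe": task.exe, "findings": findings,
                                 "remove": f'schtasks /delete /tn "{task.name}" /f'}
    return report
```

`triage(SAMPLE_CMDLINES)` returns the six surviving malicious tasks and omits the benign control; each entry carries the binary to collect and the `schtasks /delete /tn "<name>" /f` command that removes the task. Deleting the task does not remove the dropped executable, and because the sample reuses task names across drop paths, confirm the live set on the host with `schtasks /query /v /fo LIST` rather than relying on the sandbox list alone.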
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 3KB
MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
-
Filesize 1KB
MD5 d63ff49d7c92016feb39812e4db10419
SHA1 2307d5e35ca9864ffefc93acf8573ea995ba189b
SHA256 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12
SHA512 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a
-
Filesize 1KB
MD5 794bca7499c793c4f621ad8df8fd78de
SHA1 191a45fd0dd64e2e8225e80769943cfde11a4a77
SHA256 3ccbafd8c55bbb52938a7422c6720a28102e69cabfbf3a9e3be125f53c3f60e1
SHA512 fa82cc4a4e8acf6897b977dc59860dd04a939423a5787afabeb6ed797227fb22f229499f6e1fd46e9a1dc8cf9a5ac59d22713796c7b898fdd192da3b21e7ad1c
(identical entry listed 2 times in the report)
-
Filesize 1KB
MD5 1a7edda8e497deac257bc67f5912be8b
SHA1 af575ca7a97a8d280561477785692b406b7bf5ea
SHA256 cce496f7be83e77e6f56c2861348b6b4e1cd5029fc39314c3b4632bf84d2b956
SHA512 c543c362e700d12cc9c7d6223e8e168a5470d703f04ba003d44d64971e1f098e924b8c09fb6c9563f68f9890f3efa379ed2999dbc86f7861af38dee6ad3efc29
-
Filesize 1KB
MD5 5529b0c4372c5381248b8fe5f3c6fa0a
SHA1 e4ba3c3974d6938480a9fbba3a9574ce6e42da77
SHA256 b9412dd833a169328cae96c561d5aa6574426f87a01d9140c190d8c7697fd5b9
SHA512 6be25d3f9ad71faaf0987271d739404362fc4043d3b5868cce93e3356bb334f2208c84d9eb814866df485d40d177082098824d6c253dab78acd9e98fdcd15caf
(identical entry listed 2 times in the report)
-
Filesize 1KB
MD5 055d8ebf26a8add9fb0d763baaf6167e
SHA1 c5ce65b3b394ecf55bc06e2ce5dd86feadc12da5
SHA256 465a94b416e55880769e44c4938aefe1b24e9b11609ba9078dc8580490ff1aca
SHA512 2485e6ab897c2620c1905f6892ca0485db02c58a69cd4453e1f947d0c070005f863edb6b3a9ef3ba0146972e37af8bbc3a9b41387429df034821ee8c9b4566f4
(identical entry listed 4 times in the report)
-
Filesize 1KB
MD5 478e53f46a69a899ea092e5f6462c4e4
SHA1 c543c3afd4eb8dc4d6aa0431e774adeef7c2b297
SHA256 9ddef2286a1017fdbe22f3086d4049c71d7efceb23c3dd3a36b1ce3ac7c78319
SHA512 f858b002fb1923698a2eaf923941e98110c434a00a37ae29f6070fa39cdc1b63c9f28b94a1721da4f8774bfd7d4dcbb31019e68321caddac6a7b77fc54958ddc
(identical entry listed 2 times in the report)
-
Filesize 1KB
MD5 30c35bdc02a952bfb7f292426ff762e0
SHA1 aa03b4f58529f4edfc0e59b927ee783396a1cdbf
SHA256 60ded1ff1559ec1cb94bdcff7638e23d9b91775eb04e86d79b171cd06c407dc7
SHA512 860cce050428f172c0931b91138d99d44f8c980d5b730e09fe529b9ce5868ac6299315d697b026517629ba563b4a90a0b418a1a5b4a1072771d7f61402dbbb4d
(identical entry listed 2 times in the report)
-
Filesize 911B
MD5 9af189021b6c1fd7fb611a18bd968f46
SHA1 90218c5aa530c2cd88b87fc39469826b9da83fe1
SHA256 6c5daaf568c6b52d1a6f8072a748828c27ca7c738843fd7251022f29be68b902
SHA512 f25392cee1f2c3780104c801525aa4980074a1cdcecea365911a812f9247ea01fc4465268acc383c936c14e8b4f72182715c0677aeac70e8e226727d187f259b
-
Filesize 194B
MD5 c6b53e81cd21621deb98acbcbb2e21ce
SHA1 72cc01701237745c5b3298e063c2083b214a3a09
SHA256 424c4da5e8e3371470d3493f662424bb722cca6fbe6d659e58665cd25c63d6f9
SHA512 e8f61e983cc822d67b4c3ac09db5a2bc9d36ca6ae3fe2630592599731ed9888bafe8511346b70de913747dc30e058990be7bcf9493983f184da1d6be1684920a
-
Filesize 194B
MD5 1858f84b7b73cfc217a383938d8a8150
SHA1 f2d4f39c94b0536ce58c66de2907c4907d5bb56f
SHA256 605c285c4597920bdd8034383c15a5353364d6d196af343a454636d8f5963bdd
SHA512 ab56ec1da589d522aa81592cbf78095f4eacdf4f327e7ed32af16595ab399680f08e604f59c4f6d2c43049e5dd7bef9184e443f8ab79b34c0437e268283218e7
-
Filesize 194B
MD5 7dd00e66241426450b56f1f115ceb80e
SHA1 98639aed96f54eac569e89a9c6f6286d9a18d4d6
SHA256 60605d1ab886e82cc1c7705da9d448cca3f4acb08370f6d38d061c28015716be
SHA512 0de20b247eeffc29c61f2ec8fb1184276c6f5d0863bfdf77be6c689447cf81873f15388b5d45077b455d2c15829b51c2800035c695337e064c39eea90eef7895
-
Filesize 194B
MD5 88a7ce9cd7b544d05a86f94cba9a27b5
SHA1 9cdfc5303b2a7fb2101c7f37519f8258bc0772aa
SHA256 16759d19c55967e95a37d2b0bc5c78ec841a61c6b011d76587ba57897d89420b
SHA512 a372fe26342b481c25aa3de7d0901b79a5839ae6a9a82e99d268d2d53ca7c25512f07ca7caba6817f99e2691b757f623d313e2b1f1c2d95b7c8322acfbf17740
-
Filesize 194B
MD5 974f032b9d4985b67e238195836760e7
SHA1 073aca2817e08e9c304ffeb5b524444c7eb59ea3
SHA256 26cac475cdc07dbc12d05abcae35165229395fdee157ef0d871b270d0e2844f4
SHA512 8d84cc61e33d4fdc7e7a4c697ea2347e5f93c22ff4bf6d3ff22cbfea4cc5e6d1ab091cf4249cc805074d3c2fcd269887cd47d7844cde5e7e7fdd32aae49d669e
-
Filesize 194B
MD5 9a559e7e3fd0255348066cf199bfaa33
SHA1 55d131797dc7e954565c003c96b3f4a75f68ca7c
SHA256 79fb6f577c6b26c855324e950aa519ebf202546c7c16c210732f026477fb6d39
SHA512 dc7f4c160c24424fe1333663b31d9c2044dd8894fb1306c70748703059e538c2f159cab88f559e8f434ee3f2c64dfa0a29bfdd87a9917a5b86142b7bb9ee7858
-
Filesize 194B
MD5 abcc3e6cd11705b1229d042deff0f307
SHA1 9e6470168afd91974bf7ce07f2c56db0391cfb01
SHA256 cc2e5af570af0a30d48afaf1155f33c07c7491e694fc14bfd5d52137ac29e339
SHA512 96f6411a260f79a31bb2218345801d1890a32ef6d5d485b32ac995791e7b79ddacb2b4aebbfaae7e37fbffa44543be588ff30b311e3e325b159428a23d0c9995
-
Filesize 194B
MD5 a498e97d8b84c0d44a3b50ca3119ffd3
SHA1 aac60788bcb3c383c901c0ab4230fa1dba29ff08
SHA256 2ec5126271d8505e5bbf20e60c560b07443fec630ce5456cdba331382fa4badd
SHA512 b7e5bf0ca5e2fb2601e35f1c7b90dfb78cb16ffb537e4e8d5fc335cd7d1f548988ddee69beb547aa2e338355bf9c2f5be7614b1e289effea08d03f2ca6009736
-
Filesize 194B
MD5 2d8f36700eed18cb19b066e809dc5e21
SHA1 6dacd20c8575597da12d3e0b4415a2c286c17384
SHA256 9c4ccc086bd6a026697a748d7016e04ffa27e03d4012072da7d9ae417ff91b29
SHA512 a85ae8df30a374232279eb355cd4aeb8437db8b2887b6a51c692ad1f905ed846095c2146eb046c325c7cb23de24733bcc1bd996b4344e7eede30fc7b275c19e5
-
Filesize 194B
MD5 c69e1cb69599953c63b0855d2975ae88
SHA1 d13695216683f0db9be9b7284083f083fc0641d0
SHA256 6f9bd18d43d08998d864fd62b2ee3b28810e6247fd089ee3cfa4bc0e9eefa1ab
SHA512 9e59973f752014c4350c9a9bfbf6b919199390dc67dfa46012a05554af1a55f2e25e226f6926fcf6c6412cb6855e3a03b438598525f52b50c61cc4da3806e294
-
Filesize 194B
MD5 6cdd9f3084064e977cf457d9c97cac40
SHA1 403b28699e84605a3491b212bf0b345af9ee4952
SHA256 1b1f4d1f551db1e69dfe6eedc81f0a542f4efd7eb86958b18beec0c65b4c0867
SHA512 99e4d63e74f8a7738ea998ab52194be0e2bab62d36e05153e33e29844dbf23c61d5d404bebf8d10816caff1200b3a429f4ab66919d852e2f6a2b165b24a56f9b
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
(identical entry listed 13 times in the report)
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478