Analysis

- max time kernel: 146s
- max time network: 143s
- platform: windows10-1703_x64
- resource: win10-20220812-en
- resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 01/11/2022, 11:44

Behavioral task: behavioral1
Sample: 6a04fa1d56d2202c1a8a06c0a7d2d6022fbcbcd9b71c8c162a8e1a4c32bc336c.exe
Resource: win10-20220812-en

General

- Target: 6a04fa1d56d2202c1a8a06c0a7d2d6022fbcbcd9b71c8c162a8e1a4c32bc336c.exe
- Size: 1.3MB
- MD5: 0a12af65a0d42853f839dc34b246ee34
- SHA1: 2f79d5d3f5a25c7a74ed84c6eb43073efa68a4fd
- SHA256: 6a04fa1d56d2202c1a8a06c0a7d2d6022fbcbcd9b71c8c162a8e1a4c32bc336c
- SHA512: 19fb8d4e8394f6d8ca85a46cbad1d00da0aa80a55ef34ac83641ab576db9614965460318f84a44d8b02b1196cdb13f4d3e12ae10e258c08f76d6d3f8c6661bf8
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Process spawned unexpected child process (39 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.

All 39 rows share the same description, target and process: description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", pid_target 3720, Process schtasks.exe, procid_target 70. The 39 pids (one row each, in the order reported) are:

3148, 4276, 4892, 3712, 4484, 4640, 4556, 3952, 4664, 4796, 4712, 3084, 508, 4960, 4940, 1544, 1564, 4052, 4268, 4660, 2000, 2552, 1140, 4376, 4976, 4288, 4692, 5076, 416, 4556, 1164, 3380, 1656, 4860, 2544, 2212, 4184, 4512, 972
| resource | yara_rule |
|---|---|
| behavioral1/files/0x000800000001abe0-279.dat | dcrat |
| behavioral1/files/0x000800000001abe0-280.dat | dcrat |
| behavioral1/memory/2512-281-0x0000000000C10000-0x0000000000D20000-memory.dmp | dcrat |
| behavioral1/files/0x000800000001abe0-304.dat | dcrat |
| behavioral1/files/0x000600000001ac1e-802.dat | dcrat |
| behavioral1/files/0x000600000001ac1e-803.dat | dcrat |
| behavioral1/files/0x000600000001ac1e-851.dat | dcrat |
| behavioral1/files/0x000600000001ac1e-858.dat | dcrat |
| behavioral1/files/0x000600000001ac1e-861.dat | dcrat |
| behavioral1/files/0x000600000001ac1e-867.dat | dcrat |
| behavioral1/files/0x000600000001ac1e-872.dat | dcrat |
| behavioral1/files/0x000600000001ac1e-877.dat | dcrat |
| behavioral1/files/0x000600000001ac1e-882.dat | dcrat |
| behavioral1/files/0x000600000001ac1e-887.dat | dcrat |
| behavioral1/files/0x000600000001ac1e-893.dat | dcrat |
| behavioral1/files/0x000600000001ac1e-898.dat | dcrat |
| behavioral1/files/0x000600000001ac1e-904.dat | dcrat |
| behavioral1/files/0x000600000001ac1e-910.dat | dcrat |
Executes dropped EXE (15 IoCs)

| pid | Process |
|---|---|
| 2512 | DllCommonsvc.exe |
| 5052 | DllCommonsvc.exe |
| 4752 | Idle.exe |
| 3284 | Idle.exe |
| 2476 | Idle.exe |
| 1108 | Idle.exe |
| 2136 | Idle.exe |
| 4660 | Idle.exe |
| 4088 | Idle.exe |
| 2448 | Idle.exe |
| 2072 | Idle.exe |
| 5108 | Idle.exe |
| 4552 | Idle.exe |
| 1492 | Idle.exe |
| 4044 | Idle.exe |
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Drops file in Program Files directory (8 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\0a1fd5f707cd16 | DllCommonsvc.exe |
| File created | C:\Program Files\Java\conhost.exe | DllCommonsvc.exe |
| File created | C:\Program Files\Java\088424020bedd6 | DllCommonsvc.exe |
| File created | C:\Program Files\Common Files\microsoft shared\VC\powershell.exe | DllCommonsvc.exe |
| File created | C:\Program Files\Common Files\microsoft shared\VC\e978f868350d50 | DllCommonsvc.exe |
| File created | C:\Program Files\VideoLAN\VLC\hrtfs\DllCommonsvc.exe | DllCommonsvc.exe |
| File created | C:\Program Files\VideoLAN\VLC\hrtfs\a76d7bf15d8370 | DllCommonsvc.exe |
| File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe | DllCommonsvc.exe |
Drops file in Windows directory (11 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\it-IT\SearchUI.exe | DllCommonsvc.exe |
| File created | C:\Windows\AppPatch\conhost.exe | DllCommonsvc.exe |
| File created | C:\Windows\DigitalLocker\en-US\56085415360792 | DllCommonsvc.exe |
| File created | C:\Windows\Branding\ShellBrd\System.exe | DllCommonsvc.exe |
| File created | C:\Windows\DigitalLocker\en-US\wininit.exe | DllCommonsvc.exe |
| File opened for modification | C:\Windows\DigitalLocker\en-US\wininit.exe | DllCommonsvc.exe |
| File created | C:\Windows\Branding\ShellBrd\27d1bcfc3c54e0 | DllCommonsvc.exe |
| File created | C:\Windows\it-IT\dab4d89cac03ec | DllCommonsvc.exe |
| File created | C:\Windows\ServiceProfiles\NetworkService\dllhost.exe | DllCommonsvc.exe |
| File created | C:\Windows\ServiceProfiles\NetworkService\5940a34987c991 | DllCommonsvc.exe |
| File created | C:\Windows\AppPatch\088424020bedd6 | DllCommonsvc.exe |
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTP, 39 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

All 39 rows have Process schtasks.exe. The pids (one row each, in the order reported) are:

4940, 2544, 4556, 3084, 1140, 4692, 4796, 4960, 4376, 5076, 3712, 3952, 508, 2212, 4276, 4892, 2552, 4976, 416, 4556, 4860, 3148, 1544, 1164, 4184, 1564, 4268, 2000, 4288, 4512, 4640, 4712, 4052, 4660, 3380, 1656, 972, 4484, 4664
Modifies registry class (14 IoCs)

All 14 rows have description "Key created" and ioc \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings. The Process column, in the order reported:

| Process | rows |
|---|---|
| Idle.exe | 1 |
| DllCommonsvc.exe | 1 |
| Idle.exe | 11 |
| 6a04fa1d56d2202c1a8a06c0a7d2d6022fbcbcd9b71c8c162a8e1a4c32bc336c.exe | 1 |
Suspicious behavior: EnumeratesProcesses (64 IoCs)

The 64 pid/Process rows, grouped by pid with the number of times each appears:

| pid | Process | rows |
|---|---|---|
| 2512 | DllCommonsvc.exe | 1 |
| 5052 | DllCommonsvc.exe | 5 |
| 4896 | powershell.exe | 3 |
| 4904 | powershell.exe | 3 |
| 4820 | powershell.exe | 3 |
| 5084 | powershell.exe | 3 |
| 820 | powershell.exe | 3 |
| 908 | powershell.exe | 3 |
| 3824 | powershell.exe | 4 |
| 4000 | powershell.exe | 4 |
| 2140 | powershell.exe | 4 |
| 780 | powershell.exe | 4 |
| 1564 | powershell.exe | 4 |
| 4040 | powershell.exe | 4 |
| 1336 | powershell.exe | 4 |
| 1280 | powershell.exe | 4 |
| 1304 | powershell.exe | 4 |
| 4752 | Idle.exe | 2 |
| 3284 | Idle.exe | 1 |
| 1108 | Idle.exe | 1 |
Suspicious use of AdjustPrivilegeToken (64 IoCs)

The 64 description/pid/Process rows, grouped as they appear:

- Token: SeDebugPrivilege, one row each for 2512 DllCommonsvc.exe, 4896 powershell.exe, 4904 powershell.exe, 4820 powershell.exe, 5084 powershell.exe, 5052 DllCommonsvc.exe, 820 powershell.exe, 908 powershell.exe (8 rows)
- 908 powershell.exe, one row per token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (21 rows)
- 4896 powershell.exe, the same 21 tokens in the same order (21 rows)
- 4820 powershell.exe, the first 14 tokens of that list, SeIncreaseQuotaPrivilege through SeSystemEnvironmentPrivilege (14 rows)
Suspicious use of WriteProcessMemory (64 IoCs)

Each row reads "PID <pid> wrote to memory of <target>" with the writing Process and its procid_target; identical rows are collapsed with a count:

| pid | Process | wrote to memory of | procid_target | rows |
|---|---|---|---|---|
| 3876 | 6a04fa1d56d2202c1a8a06c0a7d2d6022fbcbcd9b71c8c162a8e1a4c32bc336c.exe | 4612 | 66 | 3 |
| 4612 | WScript.exe | 4708 | 67 | 3 |
| 4708 | cmd.exe | 2512 | 69 | 2 |
| 2512 | DllCommonsvc.exe | 4896 | 86 | 2 |
| 2512 | DllCommonsvc.exe | 5084 | 91 | 2 |
| 2512 | DllCommonsvc.exe | 4904 | 87 | 2 |
| 2512 | DllCommonsvc.exe | 4820 | 88 | 2 |
| 2512 | DllCommonsvc.exe | 820 | 92 | 2 |
| 2512 | DllCommonsvc.exe | 908 | 94 | 2 |
| 2512 | DllCommonsvc.exe | 5052 | 98 | 2 |
| 5052 | DllCommonsvc.exe | 4000 | 124 | 2 |
| 5052 | DllCommonsvc.exe | 3824 | 125 | 2 |
| 5052 | DllCommonsvc.exe | 2140 | 126 | 2 |
| 5052 | DllCommonsvc.exe | 1564 | 127 | 2 |
| 5052 | DllCommonsvc.exe | 4040 | 128 | 2 |
| 5052 | DllCommonsvc.exe | 780 | 129 | 2 |
| 5052 | DllCommonsvc.exe | 1336 | 132 | 2 |
| 5052 | DllCommonsvc.exe | 1304 | 133 | 2 |
| 5052 | DllCommonsvc.exe | 1280 | 134 | 2 |
| 5052 | DllCommonsvc.exe | 4520 | 142 | 2 |
| 4520 | cmd.exe | 4244 | 144 | 2 |
| 4520 | cmd.exe | 4752 | 145 | 2 |
| 4752 | Idle.exe | 400 | 146 | 2 |
| 400 | cmd.exe | 2504 | 148 | 2 |
| 400 | cmd.exe | 3284 | 149 | 2 |
| 3284 | Idle.exe | 2848 | 150 | 2 |
| 2848 | cmd.exe | 1836 | 152 | 2 |
| 2848 | cmd.exe | 2476 | 153 | 2 |
| 640 | cmd.exe | 1616 | 156 | 2 |
| 640 | cmd.exe | 1108 | 157 | 2 |
| 1108 | Idle.exe | 1548 | 158 | 2 |
Processes

Process tree; the number in brackets is the nesting depth shown in the original tree view.

[1] C:\Users\Admin\AppData\Local\Temp\6a04fa1d56d2202c1a8a06c0a7d2d6022fbcbcd9b71c8c162a8e1a4c32bc336c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6a04fa1d56d2202c1a8a06c0a7d2d6022fbcbcd9b71c8c162a8e1a4c32bc336c.exe"
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3876

[2] C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- Suspicious use of WriteProcessMemory
PID: 4612

[3] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
- Suspicious use of WriteProcessMemory
PID: 4708

[4] C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2512
[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4896

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\SearchUI.exe'
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4904

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\NetworkService\dllhost.exe'
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4820

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 5084

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\hrtfs\DllCommonsvc.exe'
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 820

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\conhost.exe'
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 908
[5] C:\providercommon\DllCommonsvc.exe
Command line: "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 5052

[6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Suspicious behavior: EnumeratesProcesses
PID: 4000

[6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\en-US\wininit.exe'
- Suspicious behavior: EnumeratesProcesses
PID: 3824

[6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'
- Suspicious behavior: EnumeratesProcesses
PID: 2140

[6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\powershell.exe'
- Suspicious behavior: EnumeratesProcesses
PID: 1564

[6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\conhost.exe'
- Suspicious behavior: EnumeratesProcesses
PID: 4040

[6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\ShellBrd\System.exe'
- Suspicious behavior: EnumeratesProcesses
PID: 780

[6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\csrss.exe'
- Suspicious behavior: EnumeratesProcesses
PID: 1336

[6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\microsoft shared\VC\powershell.exe'
- Suspicious behavior: EnumeratesProcesses
PID: 1304

[6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\Idle.exe'
- Suspicious behavior: EnumeratesProcesses
PID: 1280

[6] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\68z4f957pf.bat"
- Suspicious use of WriteProcessMemory
PID: 4520
[7] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4244

[7] C:\Users\Default\Cookies\Idle.exe
Command line: "C:\Users\Default\Cookies\Idle.exe"
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 4752

[8] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b9aNmsEibB.bat"
- Suspicious use of WriteProcessMemory
PID: 400

[9] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 2504

[9] C:\Users\Default\Cookies\Idle.exe
Command line: "C:\Users\Default\Cookies\Idle.exe"
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3284

[10] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nokcDIWAC5.bat"
- Suspicious use of WriteProcessMemory
PID: 2848

[11] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1836

[11] C:\Users\Default\Cookies\Idle.exe
Command line: "C:\Users\Default\Cookies\Idle.exe"
- Executes dropped EXE
- Modifies registry class
PID: 2476

[12] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ewVMycoP0v.bat"
- Suspicious use of WriteProcessMemory
PID: 640

[13] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1616

[13] C:\Users\Default\Cookies\Idle.exe
Command line: "C:\Users\Default\Cookies\Idle.exe"
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1108
[14] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wpigNgqS7W.bat"
PID: 1548

[15] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1660

[15] C:\Users\Default\Cookies\Idle.exe
Command line: "C:\Users\Default\Cookies\Idle.exe"
- Executes dropped EXE
- Modifies registry class
PID: 2136

[16] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat"
PID: 4288

[17] C:\Users\Default\Cookies\Idle.exe
Command line: "C:\Users\Default\Cookies\Idle.exe"
- Executes dropped EXE
- Modifies registry class
PID: 4660

[18] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rm9ahlPG2t.bat"
PID: 2696

[19] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 748

[19] C:\Users\Default\Cookies\Idle.exe
Command line: "C:\Users\Default\Cookies\Idle.exe"
- Executes dropped EXE
- Modifies registry class
PID: 4088

[20] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\srJhtCwLGi.bat"
PID: 4828

[21] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 1900

[21] C:\Users\Default\Cookies\Idle.exe
Command line: "C:\Users\Default\Cookies\Idle.exe"
- Executes dropped EXE
- Modifies registry class
PID: 2448

[22] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KRs2fZV4we.bat"
PID: 3744

[23] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 356

[23] C:\Users\Default\Cookies\Idle.exe
Command line: "C:\Users\Default\Cookies\Idle.exe"
- Executes dropped EXE
- Modifies registry class
PID: 2072

[24] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IPU7rAfrPc.bat"
PID: 2424

[25] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 3476

[25] C:\Users\Default\Cookies\Idle.exe
Command line: "C:\Users\Default\Cookies\Idle.exe"
- Executes dropped EXE
- Modifies registry class
PID: 5108

[26] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XIXHPi7vyc.bat"
PID: 4608

[27] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4568

[27] C:\Users\Default\Cookies\Idle.exe
Command line: "C:\Users\Default\Cookies\Idle.exe"
- Executes dropped EXE
- Modifies registry class
PID: 4552

[28] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat"
PID: 1816

[29] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 3212

[29] C:\Users\Default\Cookies\Idle.exe
Command line: "C:\Users\Default\Cookies\Idle.exe"
- Executes dropped EXE
- Modifies registry class
PID: 1492

[30] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rm9ahlPG2t.bat"
PID: 3748

[31] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 4948

[31] C:\Users\Default\Cookies\Idle.exe
Command line: "C:\Users\Default\Cookies\Idle.exe"
- Executes dropped EXE
PID: 4044
[1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\providercommon\smss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3148

[1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4276

[1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4892

[1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 5 /tr "'C:\Windows\it-IT\SearchUI.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3712

[1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Windows\it-IT\SearchUI.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4484

[1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 10 /tr "'C:\Windows\it-IT\SearchUI.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4640

[1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\ServiceProfiles\NetworkService\dllhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4556

[1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3952

[1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\ServiceProfiles\NetworkService\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4664

[1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\DllCommonsvc.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4796

[1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4712
[1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\DllCommonsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3084

[1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\AppPatch\conhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 508

[1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\AppPatch\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4960

[1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\AppPatch\conhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4940

[1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\DigitalLocker\en-US\wininit.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1544

[1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1564

[1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\DigitalLocker\en-US\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4052

[1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4268

[1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4660

[1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2000

[1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2552

[1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1140
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Java\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4288 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:22⤵PID:4356
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\Branding\ShellBrd\System.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:416
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\Branding\ShellBrd\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Application Data\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1164
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Application Data\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\microsoft shared\VC\powershell.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\VC\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2544
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\microsoft shared\VC\powershell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Cookies\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4184
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Cookies\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Cookies\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:972
Network
MITRE ATT&CK Enterprise v6
Downloads