Analysis

- max time kernel: 119s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-07-2024 22:17
Behavioral task: behavioral1
- Sample: NursultanCrack.exe
- Resource: win7-20240704-en

Behavioral task: behavioral2
- Sample: NursultanCrack.exe
- Resource: win10v2004-20240709-en
General

- Target: NursultanCrack.exe
- Size: 1.9MB
- MD5: 9c49f8ab036331a19ab63f9aff82db38
- SHA1: a27f11d48f1428b8efb5384f779f355271cc8877
- SHA256: c50ff535a4d6f888019f7865b319658fc35fd9c3ce5734308821641407d91df9
- SHA512: 2a61a2bf0bfff8c84f2ba5065b87563edd36b4a8ab34e2354f01e46a9ab7d19677cda9b686f95598921de7c2480da53a5e76965f01733e875033208adf9bfecd
- SSDEEP: 24576:h2G/nvxW3WHj0PhetvJ2pv6zvifbzgs4dGnO1F4R8rDX6ZrnHkBseAa+s:hbA3ZUo6buPaARUDInHkBHR
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.
Modifies WinLogon for persistence 2 TTPs 7 IoCs
Processes: Hypercommon.exe

| description | ioc | process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Windows\\ShellExperiences\\System.exe\", \"C:\\Users\\Public\\Downloads\\smss.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\upfc.exe\", \"C:\\Windows\\SysWOW64\\AppLocker\\backgroundTaskHost.exe\"" | Hypercommon.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Windows\\ShellExperiences\\System.exe\", \"C:\\Users\\Public\\Downloads\\smss.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\upfc.exe\", \"C:\\Windows\\SysWOW64\\AppLocker\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\"" | Hypercommon.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Windows\\ShellExperiences\\System.exe\", \"C:\\Users\\Public\\Downloads\\smss.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\upfc.exe\", \"C:\\Windows\\SysWOW64\\AppLocker\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\smss.exe\"" | Hypercommon.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Registry.exe\"" | Hypercommon.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Windows\\ShellExperiences\\System.exe\"" | Hypercommon.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Windows\\ShellExperiences\\System.exe\", \"C:\\Users\\Public\\Downloads\\smss.exe\"" | Hypercommon.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Windows\\ShellExperiences\\System.exe\", \"C:\\Users\\Public\\Downloads\\smss.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\upfc.exe\"" | Hypercommon.exe |
Process spawned unexpected child process 21 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (21 instances)

| description | pid | pid_target | process | target process |
|---|---|---|---|---|
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4040 | 1928 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2956 | 1928 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2624 | 1928 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1920 | 1928 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1688 | 1928 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 660 | 1928 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2408 | 1928 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1744 | 1928 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4932 | 1928 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2740 | 1928 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3280 | 1928 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1364 | 1928 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1000 | 1928 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1616 | 1928 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2436 | 1928 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2808 | 1928 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1736 | 1928 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1308 | 1928 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3196 | 1928 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 688 | 1928 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1752 | 1928 | schtasks.exe | |
UAC bypass 6 IoCs
Processes: upfc.exe, Hypercommon.exe

| description | ioc | process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | upfc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Hypercommon.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Hypercommon.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Hypercommon.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | upfc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | upfc.exe |
Processes:

| resource | yara_rule |
|---|---|
| C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe | dcrat |
| behavioral2/memory/3412-13-0x0000000000780000-0x00000000008F0000-memory.dmp | dcrat |
Downloads MZ/PE file
Checks computer location settings 2 TTPs 4 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes: NursultanCrack.exe, WScript.exe, Hypercommon.exe, upfc.exe

| description | ioc | process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | NursultanCrack.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | WScript.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | Hypercommon.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | upfc.exe |
Executes dropped EXE 2 IoCs
Processes: Hypercommon.exe, upfc.exe

| pid | process |
|---|---|
| 3412 | Hypercommon.exe |
| 4152 | upfc.exe |
Adds Run key to start application 2 TTPs 14 IoCs
Processes: Hypercommon.exe

| description | ioc | process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\ShellExperiences\\System.exe\"" | Hypercommon.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Public\\Downloads\\smss.exe\"" | Hypercommon.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\upfc.exe\"" | Hypercommon.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\WindowsRE\\conhost.exe\"" | Hypercommon.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft.NET\\smss.exe\"" | Hypercommon.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Public\\Downloads\\smss.exe\"" | Hypercommon.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\upfc.exe\"" | Hypercommon.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\WindowsRE\\conhost.exe\"" | Hypercommon.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft.NET\\smss.exe\"" | Hypercommon.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Recovery\\WindowsRE\\Registry.exe\"" | Hypercommon.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\SysWOW64\\AppLocker\\backgroundTaskHost.exe\"" | Hypercommon.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Recovery\\WindowsRE\\Registry.exe\"" | Hypercommon.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\ShellExperiences\\System.exe\"" | Hypercommon.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\SysWOW64\\AppLocker\\backgroundTaskHost.exe\"" | Hypercommon.exe |
Checks whether UAC is enabled 4 IoCs
Processes: Hypercommon.exe, upfc.exe

| description | ioc | process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Hypercommon.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Hypercommon.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | upfc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | upfc.exe |
Drops file in System32 directory 2 IoCs
Processes: Hypercommon.exe

| description | ioc | process |
|---|---|---|
| File created | C:\Windows\SysWOW64\AppLocker\backgroundTaskHost.exe | Hypercommon.exe |
| File created | C:\Windows\SysWOW64\AppLocker\eddb19405b7ce1 | Hypercommon.exe |
Drops file in Program Files directory 4 IoCs
Processes: Hypercommon.exe

| description | ioc | process |
|---|---|---|
| File created | C:\Program Files (x86)\Microsoft.NET\smss.exe | Hypercommon.exe |
| File created | C:\Program Files (x86)\Microsoft.NET\69ddcba757bf72 | Hypercommon.exe |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe | Hypercommon.exe |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.371\ea1d8f6d871115 | Hypercommon.exe |
Drops file in Windows directory 2 IoCs
Processes: Hypercommon.exe

| description | ioc | process |
|---|---|---|
| File created | C:\Windows\ShellExperiences\System.exe | Hypercommon.exe |
| File created | C:\Windows\ShellExperiences\27d1bcfc3c54e0 | Hypercommon.exe |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 2 IoCs
Processes: NursultanCrack.exe, upfc.exe

| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | NursultanCrack.exe |
| Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | upfc.exe |
Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (21 instances)

| pid | process |
|---|---|
| 1744 | schtasks.exe |
| 2740 | schtasks.exe |
| 3196 | schtasks.exe |
| 688 | schtasks.exe |
| 4040 | schtasks.exe |
| 1688 | schtasks.exe |
| 1364 | schtasks.exe |
| 2436 | schtasks.exe |
| 1736 | schtasks.exe |
| 1308 | schtasks.exe |
| 1752 | schtasks.exe |
| 2956 | schtasks.exe |
| 660 | schtasks.exe |
| 2408 | schtasks.exe |
| 3280 | schtasks.exe |
| 2808 | schtasks.exe |
| 2624 | schtasks.exe |
| 1920 | schtasks.exe |
| 4932 | schtasks.exe |
| 1000 | schtasks.exe |
| 1616 | schtasks.exe |
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes: Hypercommon.exe, upfc.exe

| pid | process |
|---|---|
| 3412 | Hypercommon.exe |
| 3412 | Hypercommon.exe |
| 3412 | Hypercommon.exe |
| 4152 | upfc.exe |
| 4152 | upfc.exe |
| 4152 | upfc.exe |
| 4152 | upfc.exe |
| 4152 | upfc.exe |
| 4152 | upfc.exe |
| 4152 | upfc.exe |
| 4152 | upfc.exe |
| 4152 | upfc.exe |
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: upfc.exe

| pid | process |
|---|---|
| 4152 | upfc.exe |
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: Hypercommon.exe, upfc.exe

| description | pid | process |
|---|---|---|
| Token: SeDebugPrivilege | 3412 | Hypercommon.exe |
| Token: SeDebugPrivilege | 4152 | upfc.exe |
Suspicious use of WriteProcessMemory 64 IoCs
Processes: NursultanCrack.exe, WScript.exe, cmd.exe, Hypercommon.exe, upfc.exe, cmd.exe (9 further instances)

| description | pid | process | target process |
|---|---|---|---|
| PID 2008 wrote to memory of 4620 | 2008 | NursultanCrack.exe | WScript.exe |
| PID 2008 wrote to memory of 4620 | 2008 | NursultanCrack.exe | WScript.exe |
| PID 2008 wrote to memory of 4620 | 2008 | NursultanCrack.exe | WScript.exe |
| PID 4620 wrote to memory of 1996 | 4620 | WScript.exe | cmd.exe |
| PID 4620 wrote to memory of 1996 | 4620 | WScript.exe | cmd.exe |
| PID 4620 wrote to memory of 1996 | 4620 | WScript.exe | cmd.exe |
| PID 1996 wrote to memory of 3412 | 1996 | cmd.exe | Hypercommon.exe |
| PID 1996 wrote to memory of 3412 | 1996 | cmd.exe | Hypercommon.exe |
| PID 3412 wrote to memory of 4152 | 3412 | Hypercommon.exe | upfc.exe |
| PID 3412 wrote to memory of 4152 | 3412 | Hypercommon.exe | upfc.exe |
| PID 4152 wrote to memory of 3248 | 4152 | upfc.exe | WScript.exe |
| PID 4152 wrote to memory of 3248 | 4152 | upfc.exe | WScript.exe |
| PID 4152 wrote to memory of 1992 | 4152 | upfc.exe | WScript.exe |
| PID 4152 wrote to memory of 1992 | 4152 | upfc.exe | WScript.exe |
| PID 4152 wrote to memory of 2484 | 4152 | upfc.exe | cmd.exe |
| PID 4152 wrote to memory of 2484 | 4152 | upfc.exe | cmd.exe |
| PID 4152 wrote to memory of 1632 | 4152 | upfc.exe | cmd.exe |
| PID 4152 wrote to memory of 1632 | 4152 | upfc.exe | cmd.exe |
| PID 4152 wrote to memory of 1664 | 4152 | upfc.exe | cmd.exe |
| PID 4152 wrote to memory of 1664 | 4152 | upfc.exe | cmd.exe |
| PID 4152 wrote to memory of 400 | 4152 | upfc.exe | cmd.exe |
| PID 4152 wrote to memory of 400 | 4152 | upfc.exe | cmd.exe |
| PID 4152 wrote to memory of 772 | 4152 | upfc.exe | cmd.exe |
| PID 4152 wrote to memory of 772 | 4152 | upfc.exe | cmd.exe |
| PID 4152 wrote to memory of 4840 | 4152 | upfc.exe | cmd.exe |
| PID 4152 wrote to memory of 4840 | 4152 | upfc.exe | cmd.exe |
| PID 4152 wrote to memory of 3940 | 4152 | upfc.exe | cmd.exe |
| PID 4152 wrote to memory of 3940 | 4152 | upfc.exe | cmd.exe |
| PID 4152 wrote to memory of 2228 | 4152 | upfc.exe | cmd.exe |
| PID 4152 wrote to memory of 2228 | 4152 | upfc.exe | cmd.exe |
| PID 1632 wrote to memory of 2460 | 1632 | cmd.exe | notepad.exe |
| PID 1632 wrote to memory of 2460 | 1632 | cmd.exe | notepad.exe |
| PID 4152 wrote to memory of 3060 | 4152 | upfc.exe | cmd.exe |
| PID 4152 wrote to memory of 3060 | 4152 | upfc.exe | cmd.exe |
| PID 4152 wrote to memory of 4972 | 4152 | upfc.exe | cmd.exe |
| PID 4152 wrote to memory of 4972 | 4152 | upfc.exe | cmd.exe |
| PID 4152 wrote to memory of 2580 | 4152 | upfc.exe | cmd.exe |
| PID 4152 wrote to memory of 2580 | 4152 | upfc.exe | cmd.exe |
| PID 400 wrote to memory of 2096 | 400 | cmd.exe | notepad.exe |
| PID 400 wrote to memory of 2096 | 400 | cmd.exe | notepad.exe |
| PID 772 wrote to memory of 4848 | 772 | cmd.exe | notepad.exe |
| PID 772 wrote to memory of 4848 | 772 | cmd.exe | notepad.exe |
| PID 4152 wrote to memory of 916 | 4152 | upfc.exe | cmd.exe |
| PID 4152 wrote to memory of 916 | 4152 | upfc.exe | cmd.exe |
| PID 2484 wrote to memory of 1752 | 2484 | cmd.exe | notepad.exe |
| PID 2484 wrote to memory of 1752 | 2484 | cmd.exe | notepad.exe |
| PID 4152 wrote to memory of 4724 | 4152 | upfc.exe | cmd.exe |
| PID 4152 wrote to memory of 4724 | 4152 | upfc.exe | cmd.exe |
| PID 4152 wrote to memory of 4156 | 4152 | upfc.exe | cmd.exe |
| PID 4152 wrote to memory of 4156 | 4152 | upfc.exe | cmd.exe |
| PID 2580 wrote to memory of 4860 | 2580 | cmd.exe | notepad.exe |
| PID 2580 wrote to memory of 4860 | 2580 | cmd.exe | notepad.exe |
| PID 2228 wrote to memory of 1040 | 2228 | cmd.exe | notepad.exe |
| PID 2228 wrote to memory of 1040 | 2228 | cmd.exe | notepad.exe |
| PID 3940 wrote to memory of 3304 | 3940 | cmd.exe | notepad.exe |
| PID 3940 wrote to memory of 3304 | 3940 | cmd.exe | notepad.exe |
| PID 4152 wrote to memory of 1420 | 4152 | upfc.exe | cmd.exe |
| PID 4152 wrote to memory of 1420 | 4152 | upfc.exe | cmd.exe |
| PID 4152 wrote to memory of 456 | 4152 | upfc.exe | cmd.exe |
| PID 4152 wrote to memory of 456 | 4152 | upfc.exe | cmd.exe |
| PID 3060 wrote to memory of 2284 | 3060 | cmd.exe | notepad.exe |
| PID 3060 wrote to memory of 2284 | 3060 | cmd.exe | notepad.exe |
| PID 4152 wrote to memory of 712 | 4152 | upfc.exe | cmd.exe |
| PID 4152 wrote to memory of 712 | 4152 | upfc.exe | cmd.exe |
System policy modification 1 TTPs 6 IoCs
Processes: Hypercommon.exe, upfc.exe

| description | ioc | process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Hypercommon.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Hypercommon.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Hypercommon.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | upfc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | upfc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | upfc.exe |
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- [1] C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe (PID 2008)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe"
  Signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\WScript.exe (PID 4620)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\portwebdll\fn8HNHVgHWFLApRQ1mH.vbe"
    Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe (PID 1996)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\portwebdll\CedH0gOYji0h1dJ.bat" "
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe (PID 3412)
        Command line: "C:\Users\Admin\AppData\Roaming\portwebdll\Hypercommon.exe"
        Signatures: Modifies WinLogon for persistence; UAC bypass; Checks computer location settings; Executes dropped EXE; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
        - [5] C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe (PID 4152)
          Command line: "C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe"
          Signatures: UAC bypass; Checks computer location settings; Executes dropped EXE; Checks whether UAC is enabled; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
          - [6] C:\Windows\System32\WScript.exe (PID 3248)
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e504b270-d752-417e-ba5b-c827ec2e8b2d.vbs"
          - [6] C:\Windows\System32\WScript.exe (PID 1992)
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6666fe6-b4a5-4216-a5fe-39494f39044c.vbs"
          - [6] C:\Windows\system32\cmd.exe (PID 2484)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            Signatures: Suspicious use of WriteProcessMemory
            - [7] C:\Windows\system32\notepad.exe (PID 1752)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 1632)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            Signatures: Suspicious use of WriteProcessMemory
            - [7] C:\Windows\system32\notepad.exe (PID 2460)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 1664)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 1808)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 400)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            Signatures: Suspicious use of WriteProcessMemory
            - [7] C:\Windows\system32\notepad.exe (PID 2096)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 772)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            Signatures: Suspicious use of WriteProcessMemory
            - [7] C:\Windows\system32\notepad.exe (PID 4848)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 4840)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 1432)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 3940)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            Signatures: Suspicious use of WriteProcessMemory
            - [7] C:\Windows\system32\notepad.exe (PID 3304)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 2228)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            Signatures: Suspicious use of WriteProcessMemory
            - [7] C:\Windows\system32\notepad.exe (PID 1040)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 3060)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            Signatures: Suspicious use of WriteProcessMemory
            - [7] C:\Windows\system32\notepad.exe (PID 2284)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 4972)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 5176)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 2580)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            Signatures: Suspicious use of WriteProcessMemory
            - [7] C:\Windows\system32\notepad.exe (PID 4860)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 916)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 5396)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 4724)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 5416)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 4156)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 2492)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 1420)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 5632)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 456)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 5680)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 712)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 5168)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 776)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 5840)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 3796)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 5872)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 2664)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 6000)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 1904)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 5436)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 1888)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 6036)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 3852)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 5668)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 1008)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 6236)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 5232)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 6188)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 5268)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 5776)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 5340)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 6008)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 5428)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 6472)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 5508)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 6116)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 5568)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 6672)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 5620)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 6180)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 5744)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 6156)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 5856)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
          - [6] C:\Windows\system32\cmd.exe (PID 5980)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
          - [6] C:\Windows\system32\cmd.exe (PID 6024)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 6844)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 6096)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 6516)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 5648)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 6964)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 5888)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 6864)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 6216)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 6852)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 6328)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 6724)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 6412)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 5980)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 6464)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 7024)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 6552)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 7244)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 6608)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 7368)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 6648)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 7548)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 6716)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 7312)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 6788)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 7304)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 6880)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 7728)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 6996)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 7708)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 7064)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 7412)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 7136)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 7376)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 6260)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 7236)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 6576)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 7540)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 6892)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 8128)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 7200)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 7836)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 7452)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 8364)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 7532)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 8176)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 7612)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 8144)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 7668)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 7580)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 7756)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 8596)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 8096)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 8332)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 8184)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 8832)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 8196)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 8920)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 8256)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 8680)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 8296)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 9108)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 8344)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 8636)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 8404)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 8804)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 8480)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 8896)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 8560)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 9024)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 8608)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 9372)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 8672)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 9084)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 8776)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
            - [7] C:\Windows\system32\notepad.exe (PID 9452)
              Command line: notepad.exe
          - [6] C:\Windows\system32\cmd.exe (PID 8848)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:8796
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:8952
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:9152
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:9064
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:9816
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:9176
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:9888
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:5972
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:10048
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:8384
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:10076
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:8820
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:9664
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:8692
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:10196
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:9272
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:9688
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:9384
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:9944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:9444
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:9948
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:9496
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:2444
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:9592
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:9880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:9696
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:10188
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:9768
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:1156
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:9840
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:10300
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:9908
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:9464
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:10000
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:10704
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:10112
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:10664
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:9248
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:10524
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:432
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:10480
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:1844
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:10928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:10316
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:10644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:10400
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:10792
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:10464
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:10820
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:10552
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:10884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:10604
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:11028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:10692
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:10952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:10808
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:11056
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:10968
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:11180
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:11064
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:11272
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:11132
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:4536
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:11232
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:11420
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:1932
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:2496
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:10348
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:11332
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:10364
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:11508
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:1572
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:11488
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:11280
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:11988
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:11388
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:11608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:11496
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:12232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:11568
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:12216
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:11636
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:11892
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:11688
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:12012
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:11744
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:11924
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:11800
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:12072
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:11836
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:12136
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:11932
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:12624
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:12000
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:12524
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:12088
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:11852
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:12208
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:12840
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:12268
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:12508
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:11708
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:12532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:12116
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:13140
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:12300
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:12732
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:12376
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:12712
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:12428
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:12720
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:12488
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:10568
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:12540
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:13244
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:12692
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:13088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:12784
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:13428
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:12856
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:13416
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:12948
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:13664
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:12996
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:13608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:13036
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:13636
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:13072
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:13676
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:13152
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:13840
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:13204
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:13352
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:13284
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:13492
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:12800
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:13788
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:13300
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:14004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:13436
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:12452
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:13500
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:1908
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:13560
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:1624
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:13648
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:14052
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:13764
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:14156
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:13896
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:13956
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:14256
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:14036
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:14420
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:14148
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:14500
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:14224
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:14468
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:14300
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:13180
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat" "6⤵PID:13916
-
C:\Windows\system32\notepad.exenotepad.exe7⤵PID:14600
-
-
-
-
-
-
-
- depth 1: C:\Windows\system32\schtasks.exe | cmdline: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f | PID:4040
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- depth 1: C:\Windows\system32\schtasks.exe | cmdline: schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f | PID:2956
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- depth 1: C:\Windows\system32\schtasks.exe | cmdline: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f | PID:2624
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- depth 1: C:\Windows\system32\schtasks.exe | cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellExperiences\System.exe'" /f | PID:1920
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- depth 1: C:\Windows\system32\schtasks.exe | cmdline: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\System.exe'" /rl HIGHEST /f | PID:1688
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- depth 1: C:\Windows\system32\schtasks.exe | cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellExperiences\System.exe'" /rl HIGHEST /f | PID:660
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- depth 1: C:\Windows\system32\schtasks.exe | cmdline: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Downloads\smss.exe'" /f | PID:2408
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- depth 1: C:\Windows\system32\schtasks.exe | cmdline: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Downloads\smss.exe'" /rl HIGHEST /f | PID:1744
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- depth 1: C:\Windows\system32\schtasks.exe | cmdline: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\smss.exe'" /rl HIGHEST /f | PID:4932
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- depth 1: C:\Windows\system32\schtasks.exe | cmdline: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe'" /f | PID:2740
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- depth 1: C:\Windows\system32\schtasks.exe | cmdline: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe'" /rl HIGHEST /f | PID:3280
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- depth 1: C:\Windows\system32\schtasks.exe | cmdline: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\upfc.exe'" /rl HIGHEST /f | PID:1364
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- depth 1: C:\Windows\system32\schtasks.exe | cmdline: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Windows\SysWOW64\AppLocker\backgroundTaskHost.exe'" /f | PID:1000
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- depth 1: C:\Windows\system32\schtasks.exe | cmdline: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\SysWOW64\AppLocker\backgroundTaskHost.exe'" /rl HIGHEST /f | PID:1616
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- depth 1: C:\Windows\system32\schtasks.exe | cmdline: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Windows\SysWOW64\AppLocker\backgroundTaskHost.exe'" /rl HIGHEST /f | PID:2436
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- depth 1: C:\Windows\system32\schtasks.exe | cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f | PID:2808
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- depth 1: C:\Windows\system32\schtasks.exe | cmdline: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f | PID:1736
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- depth 1: C:\Windows\system32\schtasks.exe | cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f | PID:1308
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- depth 1: C:\Windows\system32\schtasks.exe | cmdline: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\smss.exe'" /f | PID:3196
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- depth 1: C:\Windows\system32\schtasks.exe | cmdline: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\smss.exe'" /rl HIGHEST /f | PID:688
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- depth 1: C:\Windows\system32\schtasks.exe | cmdline: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\smss.exe'" /rl HIGHEST /f | PID:1752
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
- Filesize: 508B
  MD5: d31f9e76571928bc388359489b9e3826
  SHA1: 31a159496c595c9c909765219d782e0c4993430d
  SHA256: 4a3aa25d2517f55852055bfa9840e7e54c89d91c46ef44c2fc3cf4fd8d4daf11
  SHA512: 672e32aac11a989f2dd7a09390d9f9475af3e9993a57787545c325a30c4e917a9f9c97e6ee82b6b85953b5bb6a780f9e5a48b533ca57118e846cb96338bdefcc
- Filesize: 732B
  MD5: 5d9c8ba8248d4dedddde9c3aac8ff923
  SHA1: 7791a191b3eccf9a94a26a1f545a2e2248552d42
  SHA256: 32937131fac7b9a939a10e5afd556595c9c4c66c5ef1d730bb542e37fc447f86
  SHA512: e6efec5651d745beb1ac573ce86c48904be2e1ee68c8bf079569c33567182278fd8dda2eb22165180ca48ccaeb6549d24bec69cabb1b1adbd6c5fc60748f5d3f
- Filesize: 19B
  MD5: 2020ae7235e4ca2d098b2a6acfd6a923
  SHA1: b390363f25cf5539bbaefffe4805893a3fd4f016
  SHA256: caec56565830252605e355886227771736c3d40808a423e97f93a2dcb632a34e
  SHA512: 13a3b1ebec1f09d0eee9866e8c403c66a29fb530b0c9056246d623e495fac915b5868471b51d95c869636eded94b6115d234a645971d27e7b14eeeda5ecbf9fa
- Filesize: 38B
  MD5: 6c77726beb17fe13c44cbc3312d1ca54
  SHA1: 919076735be5e1c6c9d077b12beadce4470c7bb2
  SHA256: e8130ea9479e696b38d37edbd700f6f08daf4c85c1758d6b6a9a71e627ce5e03
  SHA512: 5089be432cd1f996f399f4aa03140a7bdb8062304fbf4818351f93090deaa1f2e42fe034307ce542ca5ad7f7484948e7e454b4cfee885815ce402436e573d9c4
- Filesize: 1.4MB
  MD5: f1ca585436d62720be1c8d7f24fb773f
  SHA1: 3687e578f150e45aa5194f9c485b221459f0f454
  SHA256: dc22e22564f7758fd8179f22aace45dfb9a5fbedcf7203ee71a71bf26435cbc7
  SHA512: 9e56f51802b8de96589dfd51da94c466c70fd320e05a4a574054fac41ffcf5acba2fcbc29f3a655c152560dc13a45cb4f13366ab2db975b3aa7371a041fdaddc
- Filesize: 209B
  MD5: 2febca5513bbb1d2fb14b29bd4998314
  SHA1: 5fbcf3720fa6200f4dfd67e2d3ec4d91e45b9def
  SHA256: d92d5826088b6d9e94de6ef772d9283594ee4c51ca03e829c7024b4dd2f74112
  SHA512: 60a6ef94ea1d5c379c330e5c2627a34d33c5d1ed85e03fb01d561aa3ded0cad26f5ff9ef682ad83abc234a9aede970dd902e508556524c135ff3661e60b27e1c