Analysis
-
max time kernel
32s -
max time network
101s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system -
submitted
27-10-2024 18:59
Static task
static1
Behavioral task
behavioral1
Sample
Crypt.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
Crypt.exe
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral3
Sample
Crypt.exe
Resource
win11-20241007-en
General
-
Target
Crypt.exe
-
Size
6.9MB
-
MD5
d047cd9c503a1b062486d0425688fd16
-
SHA1
dee8b8024a66ffdf3502a9827fef45493f2644ed
-
SHA256
8b114ae5d486948a5f4078f2e724d55e0a56014320af07f0f9228e0e77ae6be0
-
SHA512
5c986ee4c367b8288a7e1ba18d6695b4e8afc40d88d9a4c257f301f38b405ec1d7771efabb189f583be979a02093d841ae510d5f002e3684ae7a8225d27bef28
-
SSDEEP
196608:hsXGMtKkuX5P62xscItG5gPxioJEhslCM19l+RDIk:hsXGMIkuX5XmcI45gPkgpz1eZIk
Malware Config
Extracted
gurcu
https://api.telegram.org/bot7756158094:AAEpUpUPcNX1ZlZzM558SewExaq3m8CuOnA/sendPhot
Signatures
-
DcRat
DarkCrystal RAT (DcRat) is a .NET remote access trojan observed in the wild since June 2019; it is modular and can load additional plugins at runtime, so the capabilities seen in one sandbox run are not necessarily the full capability set.
-
Dcrat family
-
Gurcu family
-
Modifies WinLogon for persistence 2 TTPs 22 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\ssh\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\sihost.exe\", \"C:\\Program Files\\Windows Media Player\\sppsvc.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\ssh\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\sihost.exe\", \"C:\\Program Files\\Windows Media Player\\sppsvc.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\BrowserSvc\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\ssh\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\sihost.exe\", \"C:\\Program Files\\Windows Media Player\\sppsvc.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\BrowserSvc\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\DiagTrack\\Settings\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\BrowserSvc\\PING.exe\", \"C:\\Program Files\\7-Zip\\Lang\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\sysmon.exe\"" SppExtComObj.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\ssh\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\sihost.exe\", \"C:\\Program Files\\Windows Media Player\\sppsvc.exe\", 
\"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\BrowserSvc\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\DiagTrack\\Settings\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\BrowserSvc\\PING.exe\", \"C:\\Program Files\\7-Zip\\Lang\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Users\\Admin\\SearchHost.exe\", \"C:\\Users\\Admin\\Searches\\fontdrvhost.exe\"" SppExtComObj.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\ssh\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\sihost.exe\", \"C:\\Program Files\\Windows Media Player\\sppsvc.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\BrowserSvc\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\DiagTrack\\Settings\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\BrowserSvc\\PING.exe\", \"C:\\Program Files\\7-Zip\\Lang\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Users\\Admin\\SearchHost.exe\", \"C:\\Users\\Admin\\Searches\\fontdrvhost.exe\", \"C:\\Users\\Default\\Videos\\dllhost.exe\", \"C:\\Users\\Public\\Pictures\\RuntimeBroker.exe\"" SppExtComObj.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\ssh\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\sihost.exe\", \"C:\\Program Files\\Windows Media Player\\sppsvc.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\BrowserSvc\\dllhost.exe\", 
\"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\DiagTrack\\Settings\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\BrowserSvc\\PING.exe\", \"C:\\Program Files\\7-Zip\\Lang\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Users\\Admin\\SearchHost.exe\", \"C:\\Users\\Admin\\Searches\\fontdrvhost.exe\", \"C:\\Users\\Default\\Videos\\dllhost.exe\", \"C:\\Users\\Public\\Pictures\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Mail\\OfficeClickToRun.exe\", \"C:\\BrowserSvc\\csrss.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\WmiPrvSE.exe.exe\"" WmiPrvSE.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\ssh\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\sihost.exe\", \"C:\\Program Files\\Windows Media Player\\sppsvc.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\BrowserSvc\\dllhost.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\ssh\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\sihost.exe\", \"C:\\Program Files\\Windows Media Player\\sppsvc.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\BrowserSvc\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\ssh\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\sihost.exe\", \"C:\\Program Files\\Windows Media Player\\sppsvc.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\BrowserSvc\\dllhost.exe\", 
\"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\ssh\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\sihost.exe\", \"C:\\Program Files\\Windows Media Player\\sppsvc.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\BrowserSvc\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\DiagTrack\\Settings\\lsass.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\ssh\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\sihost.exe\", \"C:\\Program Files\\Windows Media Player\\sppsvc.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\BrowserSvc\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\DiagTrack\\Settings\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\ssh\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\sihost.exe\", \"C:\\Program Files\\Windows Media Player\\sppsvc.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\BrowserSvc\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", 
\"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\DiagTrack\\Settings\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\BrowserSvc\\PING.exe\", \"C:\\Program Files\\7-Zip\\Lang\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Users\\Admin\\SearchHost.exe\", \"C:\\Users\\Admin\\Searches\\fontdrvhost.exe\", \"C:\\Users\\Default\\Videos\\dllhost.exe\", \"C:\\Users\\Public\\Pictures\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Mail\\OfficeClickToRun.exe\"" WmiPrvSE.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\ssh\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\sihost.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\ssh\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\sihost.exe\", \"C:\\Program Files\\Windows Media Player\\sppsvc.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\ssh\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\sihost.exe\", \"C:\\Program Files\\Windows Media Player\\sppsvc.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\BrowserSvc\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\ssh\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\sihost.exe\", \"C:\\Program Files\\Windows Media Player\\sppsvc.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\BrowserSvc\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", 
\"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\DiagTrack\\Settings\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\BrowserSvc\\PING.exe\", \"C:\\Program Files\\7-Zip\\Lang\\csrss.exe\"" WmiPrvSE.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\ssh\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\sihost.exe\", \"C:\\Program Files\\Windows Media Player\\sppsvc.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\BrowserSvc\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\DiagTrack\\Settings\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\BrowserSvc\\PING.exe\", \"C:\\Program Files\\7-Zip\\Lang\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Users\\Admin\\SearchHost.exe\", \"C:\\Users\\Admin\\Searches\\fontdrvhost.exe\", \"C:\\Users\\Default\\Videos\\dllhost.exe\", \"C:\\Users\\Public\\Pictures\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Mail\\OfficeClickToRun.exe\", \"C:\\BrowserSvc\\csrss.exe\"" SppExtComObj.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\ssh\\SppExtComObj.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\ssh\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\sihost.exe\", \"C:\\Program Files\\Windows Media Player\\sppsvc.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\BrowserSvc\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", 
\"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\DiagTrack\\Settings\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\ssh\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\sihost.exe\", \"C:\\Program Files\\Windows Media Player\\sppsvc.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\BrowserSvc\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\DiagTrack\\Settings\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\BrowserSvc\\PING.exe\"" SppExtComObj.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\ssh\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\sihost.exe\", \"C:\\Program Files\\Windows Media Player\\sppsvc.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\BrowserSvc\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\DiagTrack\\Settings\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\BrowserSvc\\PING.exe\", \"C:\\Program Files\\7-Zip\\Lang\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Users\\Admin\\SearchHost.exe\"" WmiPrvSE.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\ssh\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\sihost.exe\", 
\"C:\\Program Files\\Windows Media Player\\sppsvc.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\BrowserSvc\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\", \"C:\\BrowserSvc\\WmiPrvSE.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Windows\\DiagTrack\\Settings\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\BrowserSvc\\msAgentreviewCommon.exe\", \"C:\\BrowserSvc\\PING.exe\", \"C:\\Program Files\\7-Zip\\Lang\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Users\\Admin\\SearchHost.exe\", \"C:\\Users\\Admin\\Searches\\fontdrvhost.exe\", \"C:\\Users\\Default\\Videos\\dllhost.exe\"" WmiPrvSE.exe.exe -
Process spawned unexpected child process 64 IoCs
This generic signature description says the parent was typically compromised via an exploit or macro. In this run, however, the parent is the legitimate WMI provider host (C:\Windows\system32\wbem\wmiprvse.exe, pid 2560) spawning schtasks.exe 64 times, which is more consistent with scheduled-task persistence being created through WMI process creation than with an exploited parent — confirm against the full process tree before treating wmiprvse.exe itself as compromised.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1016 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2992 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2096 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4940 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1332 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4004 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4536 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4580 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 552 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2440 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5112 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3596 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3764 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4696 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3500 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2756 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3612 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3160 2560 
schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4860 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4412 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2272 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2008 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2744 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1424 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2144 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 748 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2372 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 896 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5068 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1608 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3048 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3560 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3168 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4204 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4488 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 840 2560 schtasks.exe 80 Parent 
C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4100 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1476 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2752 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3176 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1608 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3544 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3348 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4824 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4532 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5092 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2308 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3460 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4576 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1416 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3160 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3152 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1996 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3896 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe 
is not expected to spawn this process 4616 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4092 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2500 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3508 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3544 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4816 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2840 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2632 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4552 2560 schtasks.exe 80 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3340 2560 schtasks.exe 80 -
Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs
PowerShell was launched (14 powershell.exe instances below) to modify Windows Defender settings by adding exclusions for file extensions, paths, and processes; the exact exclusion targets are not shown here, but such exclusions typically cover the drop locations, so check the Defender exclusion lists during triage and remediation.
pid Process 3628 powershell.exe 4844 powershell.exe 2840 powershell.exe 4852 powershell.exe 2828 powershell.exe 3836 powershell.exe 3108 powershell.exe 2892 powershell.exe 3596 powershell.exe 2920 powershell.exe 3116 powershell.exe 3916 powershell.exe 2300 powershell.exe 4636 powershell.exe -
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes via attrib.exe so the file is hidden from Explorer and similar directory listings.
pid Process 3340 attrib.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments; here the query is made through reg.exe rather than an in-process registry API call, so it shows up as a separate child process.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion reg.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSFX.exe javaw.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSFX.exe javaw.exe -
Executes dropped EXE 43 IoCs
pid Process 3040 WinSFX.exe 2776 Checker.exe 3180 RunShell.exe 1992 msAgentreviewCommon.exe 3040 SppExtComObj.exe 4596 WmiPrvSE.exe 344 SppExtComObj.exe.exe 1940 WmiPrvSE.exe 2992 WmiPrvSE.exe.exe 3100 WmiPrvSE.exe 4412 WmiPrvSE.exe.exe 3136 WmiPrvSE.exe 3892 WmiPrvSE.exe.exe 2352 WmiPrvSE.exe 4856 WmiPrvSE.exe.exe 2360 WmiPrvSE.exe 3584 WmiPrvSE.exe.exe 440 WmiPrvSE.exe 764 WmiPrvSE.exe.exe 3168 WmiPrvSE.exe 3628 WmiPrvSE.exe.exe 4024 WmiPrvSE.exe.exe 3748 WmiPrvSE.exe 1992 WmiPrvSE.exe 792 WmiPrvSE.exe.exe 1884 WmiPrvSE.exe 3116 WmiPrvSE.exe.exe 3184 WmiPrvSE.exe.exe 2440 WmiPrvSE.exe 3612 WmiPrvSE.exe.exe 4876 WmiPrvSE.exe 1088 WmiPrvSE.exe 2168 WmiPrvSE.exe.exe 5068 WmiPrvSE.exe 3540 WmiPrvSE.exe.exe 1924 WmiPrvSE.exe 4344 WmiPrvSE.exe.exe 3268 WmiPrvSE.exe.exe 4992 WmiPrvSE.exe 584 WmiPrvSE.exe 1288 WmiPrvSE.exe.exe 4904 WmiPrvSE.exe 2936 WmiPrvSE.exe.exe -
Loads dropped DLL 1 IoCs
pid Process 3616 javaw.exe -
Adds Run key to start application 2 TTPs 44 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Admin\\Searches\\fontdrvhost.exe\"" SppExtComObj.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Windows Mail\\OfficeClickToRun.exe\"" WmiPrvSE.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files (x86)\\Google\\Update\\sihost.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\RunShell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Recovery\\WindowsRE\\sysmon.exe\"" SppExtComObj.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\BrowserSvc\\WmiPrvSE.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\msAgentreviewCommon = "\"C:\\BrowserSvc\\msAgentreviewCommon.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchHost = "\"C:\\Users\\Admin\\SearchHost.exe\"" WmiPrvSE.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\BrowserSvc\\csrss.exe\"" SppExtComObj.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Users\\All Users\\ssh\\SppExtComObj.exe\"" RunShell.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Media Player\\sppsvc.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\BrowserSvc\\WmiPrvSE.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\WindowsRE\\smss.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\DiagTrack\\Settings\\lsass.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\SearchHost = "\"C:\\Users\\Admin\\SearchHost.exe\"" WmiPrvSE.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE.exe = "\"C:\\Program Files\\Google\\Chrome\\Application\\WmiPrvSE.exe.exe\"" WmiPrvSE.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Users\\All Users\\ssh\\SppExtComObj.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files (x86)\\Google\\Update\\sihost.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\WindowsRE\\services.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msAgentreviewCommon = "\"C:\\BrowserSvc\\msAgentreviewCommon.exe\"" msAgentreviewCommon.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Admin\\Searches\\fontdrvhost.exe\"" SppExtComObj.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Public\\Pictures\\RuntimeBroker.exe\"" SppExtComObj.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Windows Mail\\OfficeClickToRun.exe\"" WmiPrvSE.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Media Player\\sppsvc.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\DiagTrack\\Settings\\lsass.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\7-Zip\\Lang\\csrss.exe\"" WmiPrvSE.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\BrowserSvc\\dllhost.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PING = "\"C:\\BrowserSvc\\PING.exe\"" SppExtComObj.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\7-Zip\\Lang\\csrss.exe\"" WmiPrvSE.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\WindowsRE\\services.exe\"" msAgentreviewCommon.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\BrowserSvc\\WmiPrvSE.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\BrowserSvc\\dllhost.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunShell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Public\\Pictures\\RuntimeBroker.exe\"" SppExtComObj.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\BrowserSvc\\WmiPrvSE.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default\\Videos\\dllhost.exe\"" WmiPrvSE.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default\\Videos\\dllhost.exe\"" WmiPrvSE.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\BrowserSvc\\csrss.exe\"" SppExtComObj.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE.exe = "\"C:\\Program Files\\Google\\Chrome\\Application\\WmiPrvSE.exe.exe\"" WmiPrvSE.exe.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\WindowsRE\\smss.exe\"" msAgentreviewCommon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\PING = "\"C:\\BrowserSvc\\PING.exe\"" SppExtComObj.exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = 
"\"C:\\Recovery\\WindowsRE\\sysmon.exe\"" SppExtComObj.exe.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: javaw.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
flow ioc 8 raw.githubusercontent.com 1 raw.githubusercontent.com 3 discord.com 5 discord.com 6 discord.com -
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP address.
flow ioc 1 ipinfo.io 2 api.ipify.org 3 ipinfo.io 9 ipinfo.io 11 ipinfo.io 1 api.ipify.org 1 ip-api.com -
Drops file in System32 directory 2 IoCs
description ioc Process File created \??\c:\Windows\System32\CSC855A58C4837543688A549B4B955955D.TMP csc.exe File created \??\c:\Windows\System32\pf6bhg.exe csc.exe -
Drops file in Program Files directory 16 IoCs
description ioc Process File created \??\c:\Program Files (x86)\Google\Update\sihost.exe csc.exe File created C:\Program Files\7-Zip\Lang\csrss.exe WmiPrvSE.exe.exe File created C:\Program Files\Windows Media Player\0a1fd5f707cd16 RunShell.exe File created C:\Program Files\Google\Chrome\Application\WmiPrvSE.exe.exe WmiPrvSE.exe.exe File created C:\Program Files\Windows Mail\e6c9b481da804f WmiPrvSE.exe.exe File created C:\Program Files (x86)\Google\Update\66fc9ff0ee96c2 RunShell.exe File created \??\c:\Program Files (x86)\Google\Update\CSCA3C664DB3AB040E999FFE4DA5A53487B.TMP csc.exe File opened for modification C:\Program Files\Google\Chrome\Application\WmiPrvSE.exe.exe WmiPrvSE.exe.exe File created C:\Program Files\Windows Mail\OfficeClickToRun.exe WmiPrvSE.exe.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\AppxMetadata\SppExtComObj.exe WmiPrvSE.exe.exe File created C:\Program Files\7-Zip\Lang\886983d96e3d3e WmiPrvSE.exe.exe File created C:\Program Files\Windows Media Player\sppsvc.exe RunShell.exe File created \??\c:\Program Files\Windows Media Player\CSC686C5E87554D4A6BA8A15439D192E3C8.TMP csc.exe File created \??\c:\Program Files\Windows Media Player\sppsvc.exe csc.exe File created C:\Program Files\Google\Chrome\Application\3004918263aa23 WmiPrvSE.exe.exe File created C:\Program Files (x86)\Google\Update\sihost.exe RunShell.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\DiagTrack\Settings\lsass.exe msAgentreviewCommon.exe File created C:\Windows\DiagTrack\Settings\6203df4a6bafc7 msAgentreviewCommon.exe File created \??\c:\Windows\DiagTrack\Settings\CSCB1D00D1D5AE64F36875EB685C87C622.TMP csc.exe File created \??\c:\Windows\DiagTrack\Settings\lsass.exe csc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Checker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Crypt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WinSFX.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 4284 PING.EXE 2256 PING.EXE 3724 PING.exe 4140 PING.EXE 3732 PING.EXE 4756 PING.exe -
Modifies registry class 4 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings WinSFX.exe Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings Checker.exe Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings RunShell.exe Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings msAgentreviewCommon.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 4016 reg.exe -
Runs ping.exe 1 TTPs 6 IoCs
pid Process 4756 PING.exe 4284 PING.EXE 2256 PING.EXE 3724 PING.exe 4140 PING.EXE 3732 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
schtasks.exe is often used by malware to establish persistence or to perform post-infection execution.
pid Process 2600 schtasks.exe 4940 schtasks.exe 3460 schtasks.exe 4092 schtasks.exe 2632 schtasks.exe 956 schtasks.exe 1016 schtasks.exe 552 schtasks.exe 3500 schtasks.exe 2744 schtasks.exe 4412 schtasks.exe 1424 schtasks.exe 5092 schtasks.exe 3152 schtasks.exe 3340 schtasks.exe 1332 schtasks.exe 2272 schtasks.exe 2372 schtasks.exe 4204 schtasks.exe 4100 schtasks.exe 3596 schtasks.exe 1608 schtasks.exe 4488 schtasks.exe 4532 schtasks.exe 2992 schtasks.exe 1476 schtasks.exe 3160 schtasks.exe 4696 schtasks.exe 2144 schtasks.exe 1608 schtasks.exe 3544 schtasks.exe 3544 schtasks.exe 4552 schtasks.exe 1520 schtasks.exe 1884 schtasks.exe 2840 schtasks.exe 2440 schtasks.exe 2096 schtasks.exe 1996 schtasks.exe 3896 schtasks.exe 2500 schtasks.exe 3508 schtasks.exe 4536 schtasks.exe 4580 schtasks.exe 3764 schtasks.exe 3612 schtasks.exe 3160 schtasks.exe 2008 schtasks.exe 5068 schtasks.exe 3560 schtasks.exe 3168 schtasks.exe 3176 schtasks.exe 2308 schtasks.exe 2440 schtasks.exe 3048 schtasks.exe 1540 schtasks.exe 5112 schtasks.exe 748 schtasks.exe 840 schtasks.exe 3348 schtasks.exe 4576 schtasks.exe 3844 schtasks.exe 4860 schtasks.exe 896 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3616 javaw.exe 3616 javaw.exe 3616 javaw.exe 3616 javaw.exe 3616 javaw.exe 3616 javaw.exe 3616 javaw.exe 3616 javaw.exe 3616 javaw.exe 3616 javaw.exe 3616 javaw.exe 3616 javaw.exe 3616 javaw.exe 3616 javaw.exe 3616 javaw.exe 3616 javaw.exe 3616 javaw.exe 3616 javaw.exe 3616 javaw.exe 3616 javaw.exe 3628 powershell.exe 4844 powershell.exe 3628 powershell.exe 4844 powershell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe 3180 RunShell.exe -
Suspicious use of AdjustPrivilegeToken 33 IoCs
description pid Process Token: SeBackupPrivilege 3616 javaw.exe Token: SeBackupPrivilege 3616 javaw.exe Token: SeSecurityPrivilege 3616 javaw.exe Token: SeDebugPrivilege 3616 javaw.exe Token: SeDebugPrivilege 3628 powershell.exe Token: SeDebugPrivilege 4844 powershell.exe Token: SeRestorePrivilege 3616 javaw.exe Token: SeDebugPrivilege 3180 RunShell.exe Token: SeDebugPrivilege 3916 powershell.exe Token: SeDebugPrivilege 3116 powershell.exe Token: SeDebugPrivilege 3108 powershell.exe Token: SeDebugPrivilege 2840 powershell.exe Token: SeDebugPrivilege 2920 powershell.exe Token: SeDebugPrivilege 3836 powershell.exe Token: SeDebugPrivilege 1992 msAgentreviewCommon.exe Token: SeDebugPrivilege 344 SppExtComObj.exe.exe Token: SeDebugPrivilege 2992 WmiPrvSE.exe.exe Token: SeDebugPrivilege 4412 WmiPrvSE.exe.exe Token: SeDebugPrivilege 3892 WmiPrvSE.exe.exe Token: SeDebugPrivilege 4856 WmiPrvSE.exe.exe Token: SeDebugPrivilege 3584 WmiPrvSE.exe.exe Token: SeDebugPrivilege 764 WmiPrvSE.exe.exe Token: SeDebugPrivilege 3628 WmiPrvSE.exe.exe Token: SeDebugPrivilege 4024 WmiPrvSE.exe.exe Token: SeDebugPrivilege 792 WmiPrvSE.exe.exe Token: SeDebugPrivilege 3116 WmiPrvSE.exe.exe Token: SeDebugPrivilege 3184 WmiPrvSE.exe.exe Token: SeDebugPrivilege 3612 WmiPrvSE.exe.exe Token: SeDebugPrivilege 2168 WmiPrvSE.exe.exe Token: SeDebugPrivilege 3540 WmiPrvSE.exe.exe Token: SeDebugPrivilege 4344 WmiPrvSE.exe.exe Token: SeDebugPrivilege 3268 WmiPrvSE.exe.exe Token: SeDebugPrivilege 1288 WmiPrvSE.exe.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3616 javaw.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1288 wrote to memory of 3616 1288 Crypt.exe 77 PID 1288 wrote to memory of 3616 1288 Crypt.exe 77 PID 3616 wrote to memory of 4016 3616 javaw.exe 78 PID 3616 wrote to memory of 4016 3616 javaw.exe 78 PID 3616 wrote to memory of 3628 3616 javaw.exe 81 PID 3616 wrote to memory of 3628 3616 javaw.exe 81 PID 3616 wrote to memory of 4844 3616 javaw.exe 82 PID 3616 wrote to memory of 4844 3616 javaw.exe 82 PID 3616 wrote to memory of 3040 3616 javaw.exe 85 PID 3616 wrote to memory of 3040 3616 javaw.exe 85 PID 3616 wrote to memory of 3040 3616 javaw.exe 85 PID 3040 wrote to memory of 4672 3040 WinSFX.exe 86 PID 3040 wrote to memory of 4672 3040 WinSFX.exe 86 PID 3040 wrote to memory of 4672 3040 WinSFX.exe 86 PID 3040 wrote to memory of 2776 3040 WinSFX.exe 87 PID 3040 wrote to memory of 2776 3040 WinSFX.exe 87 PID 3040 wrote to memory of 2776 3040 WinSFX.exe 87 PID 3616 wrote to memory of 4456 3616 javaw.exe 90 PID 3616 wrote to memory of 4456 3616 javaw.exe 90 PID 4456 wrote to memory of 3340 4456 cmd.exe 92 PID 4456 wrote to memory of 3340 4456 cmd.exe 92 PID 2776 wrote to memory of 1316 2776 Checker.exe 93 PID 2776 wrote to memory of 1316 2776 Checker.exe 93 PID 2776 wrote to memory of 1316 2776 Checker.exe 93 PID 4672 wrote to memory of 568 4672 WScript.exe 94 PID 4672 wrote to memory of 568 4672 WScript.exe 94 PID 4672 wrote to memory of 568 4672 WScript.exe 94 PID 568 wrote to memory of 3180 568 cmd.exe 96 PID 568 wrote to memory of 3180 568 cmd.exe 96 PID 3180 wrote to memory of 2272 3180 RunShell.exe 100 PID 3180 wrote to memory of 2272 3180 RunShell.exe 100 PID 2272 wrote to memory of 4996 2272 csc.exe 102 PID 2272 wrote to memory of 4996 2272 csc.exe 102 PID 3180 wrote to memory of 3916 3180 RunShell.exe 118 PID 3180 wrote to memory of 3916 3180 RunShell.exe 118 PID 3180 wrote to memory of 3116 3180 RunShell.exe 119 PID 3180 wrote to memory of 3116 3180 RunShell.exe 119 PID 3180 wrote to memory of 3108 3180 
RunShell.exe 120 PID 3180 wrote to memory of 3108 3180 RunShell.exe 120 PID 3180 wrote to memory of 2920 3180 RunShell.exe 121 PID 3180 wrote to memory of 2920 3180 RunShell.exe 121 PID 3180 wrote to memory of 2840 3180 RunShell.exe 122 PID 3180 wrote to memory of 2840 3180 RunShell.exe 122 PID 3180 wrote to memory of 3836 3180 RunShell.exe 123 PID 3180 wrote to memory of 3836 3180 RunShell.exe 123 PID 3180 wrote to memory of 4084 3180 RunShell.exe 130 PID 3180 wrote to memory of 4084 3180 RunShell.exe 130 PID 4084 wrote to memory of 3256 4084 cmd.exe 132 PID 4084 wrote to memory of 3256 4084 cmd.exe 132 PID 4084 wrote to memory of 4284 4084 cmd.exe 133 PID 4084 wrote to memory of 4284 4084 cmd.exe 133 PID 1316 wrote to memory of 4016 1316 WScript.exe 134 PID 1316 wrote to memory of 4016 1316 WScript.exe 134 PID 1316 wrote to memory of 4016 1316 WScript.exe 134 PID 4016 wrote to memory of 1992 4016 cmd.exe 136 PID 4016 wrote to memory of 1992 4016 cmd.exe 136 PID 1992 wrote to memory of 4660 1992 msAgentreviewCommon.exe 140 PID 1992 wrote to memory of 4660 1992 msAgentreviewCommon.exe 140 PID 4660 wrote to memory of 3184 4660 csc.exe 142 PID 4660 wrote to memory of 3184 4660 csc.exe 142 PID 1992 wrote to memory of 4100 1992 msAgentreviewCommon.exe 143 PID 1992 wrote to memory of 4100 1992 msAgentreviewCommon.exe 143 PID 4100 wrote to memory of 2308 4100 csc.exe 145 PID 4100 wrote to memory of 2308 4100 csc.exe 145 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 3340 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Crypt.exe"C:\Users\Admin\AppData\Local\Temp\Crypt.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1288 -
C:\Program Files\Java\jre-1.8\bin\javaw.exe"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\Crypt.exe"2⤵
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\SYSTEM32\reg.exereg query HKLM\HARDWARE\DESCRIPTION\System /v SystemBiosVersion3⤵
- Checks BIOS information in registry
- Modifies registry key
PID:4016
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3628
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4844
-
-
C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinSFX.exeC:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinSFX.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows\Defender\yjJlDaeiCtZ3rPY3voT8EfypAtNWVOHqwTO.vbe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4672 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows\Defender\zHxvwMPtXsd9EflNyF6bR38DTMh313hvK806W5p8W9mTT85g.bat" "5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:568 -
C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe"C:\Users\Admin\AppData\Roaming\Windows/Defender/RunShell.exe"6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3180 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sbeajrn5\sbeajrn5.cmdline"7⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC7E4.tmp" "c:\Windows\System32\CSC855A58C4837543688A549B4B955955D.TMP"8⤵PID:4996
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\ssh\SppExtComObj.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3916
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\sihost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3116
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\sppsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3108
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\BrowserSvc\WmiPrvSE.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2920
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\BrowserSvc\dllhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2840
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3836
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OK7SgCAb6z.bat"7⤵
- Suspicious use of WriteProcessMemory
PID:4084 -
C:\Windows\system32\chcp.comchcp 650018⤵PID:3256
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost8⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4284
-
-
C:\Users\All Users\ssh\SppExtComObj.exe"C:\Users\All Users\ssh\SppExtComObj.exe"8⤵
- Executes dropped EXE
PID:3040 -
C:\Users\All Users\ssh\SppExtComObj.exe.exe"C:\Users\All Users\ssh\SppExtComObj.exe.exe"9⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:344 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vk0gdtyo\vk0gdtyo.cmdline"10⤵PID:4396
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF944.tmp" "c:\Recovery\WindowsRE\CSCE8CB98E7E41949C9B52F6953DB9B397.TMP"11⤵PID:3800
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vicdkjva\vicdkjva.cmdline"10⤵PID:132
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFAAC.tmp" "c:\Recovery\WindowsRE\CSC2228CC447CDC4F0A9F25A0F86F627355.TMP"11⤵PID:2384
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f3trmu5g\f3trmu5g.cmdline"10⤵PID:2524
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD3C.tmp" "c:\Recovery\WindowsRE\CSCF76B28A16214310BCC023716BA1C5A.TMP"11⤵PID:4756
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\BrowserSvc\PING.exe'10⤵
- Command and Scripting Interpreter: PowerShell
PID:3596
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sysmon.exe'10⤵
- Command and Scripting Interpreter: PowerShell
PID:2892
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Searches\fontdrvhost.exe'10⤵
- Command and Scripting Interpreter: PowerShell
PID:4636
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\RuntimeBroker.exe'10⤵
- Command and Scripting Interpreter: PowerShell
PID:2828
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\BrowserSvc\csrss.exe'10⤵
- Command and Scripting Interpreter: PowerShell
PID:4852
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\ssh\SppExtComObj.exe.exe'10⤵
- Command and Scripting Interpreter: PowerShell
PID:2300
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DwT4kFmzdl.bat"10⤵PID:4816
-
C:\Windows\system32\chcp.comchcp 6500111⤵PID:3928
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost11⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4140
-
-
C:\BrowserSvc\PING.exe"C:\BrowserSvc\PING.exe"11⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4756
-
-
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"9⤵
- Executes dropped EXE
PID:4596 -
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"10⤵
- Executes dropped EXE
PID:1940 -
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"11⤵
- Executes dropped EXE
PID:3100 -
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"12⤵
- Executes dropped EXE
PID:3136 -
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"13⤵
- Executes dropped EXE
PID:2352 -
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"14⤵
- Executes dropped EXE
PID:2360 -
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"15⤵
- Executes dropped EXE
PID:440 -
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"16⤵
- Executes dropped EXE
PID:3168 -
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"17⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4024
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"17⤵
- Executes dropped EXE
PID:3748 -
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"18⤵
- Executes dropped EXE
PID:1992 -
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"19⤵
- Executes dropped EXE
PID:1884 -
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3184
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"20⤵
- Executes dropped EXE
PID:2440 -
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"21⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3612
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"21⤵
- Executes dropped EXE
PID:4876 -
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"22⤵
- Executes dropped EXE
PID:1088 -
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"23⤵
- Executes dropped EXE
PID:5068 -
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"24⤵
- Executes dropped EXE
PID:1924 -
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"25⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3268
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"25⤵
- Executes dropped EXE
PID:4992 -
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"26⤵
- Executes dropped EXE
PID:584 -
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"27⤵
- Executes dropped EXE
PID:4904 -
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"28⤵PID:4968
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"28⤵PID:3896
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"29⤵PID:808
-
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"30⤵PID:4576
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"30⤵PID:3720
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"31⤵PID:2384
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"32⤵PID:2852
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"33⤵PID:2256
-
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"34⤵PID:964
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"34⤵PID:1540
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"35⤵PID:4016
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"36⤵PID:4596
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"37⤵PID:3024
-
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"38⤵PID:4864
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"38⤵PID:968
-
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"39⤵PID:4412
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"39⤵PID:4900
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"40⤵PID:3172
-
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"41⤵PID:764
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"41⤵PID:1592
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"42⤵PID:2940
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"43⤵PID:236
-
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"44⤵PID:2784
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"44⤵PID:3620
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"45⤵PID:5088
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"46⤵PID:2456
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"47⤵PID:3892
-
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"48⤵PID:4856
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"48⤵PID:2444
-
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"49⤵PID:4448
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"49⤵PID:2064
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"50⤵PID:4900
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"51⤵PID:240
-
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"52⤵PID:4004
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"52⤵PID:1172
-
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"53⤵PID:2420
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"53⤵PID:3696
-
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"54⤵PID:804
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"54⤵PID:1972
-
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"55⤵PID:4540
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"55⤵PID:1960
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"56⤵PID:4860
-
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"57⤵PID:2084
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"57⤵PID:3168
-
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"58⤵PID:2648
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"58⤵PID:4924
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"59⤵PID:5060
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"60⤵PID:3564
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"61⤵PID:1108
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"62⤵PID:3844
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"63⤵PID:4820
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"64⤵PID:4500
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"65⤵PID:4532
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"66⤵PID:876
-
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"67⤵PID:2352
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"67⤵PID:3460
-
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"68⤵PID:4644
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"68⤵PID:4900
-
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"69⤵PID:1972
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"69⤵PID:1100
-
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"70⤵PID:4636
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"70⤵PID:2300
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"71⤵PID:3276
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"72⤵PID:4500
-
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"73⤵PID:4188
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"73⤵PID:1988
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"74⤵PID:876
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"75⤵PID:132
-
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"76⤵PID:3216
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"76⤵PID:2632
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"77⤵PID:2528
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"78⤵PID:2880
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"79⤵PID:4712
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"80⤵PID:792
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"81⤵PID:1288
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"82⤵PID:808
-
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"83⤵PID:2976
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"83⤵PID:4016
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"84⤵PID:744
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"85⤵PID:4448
-
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"86⤵PID:2600
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"86⤵PID:3396
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"87⤵PID:3176
-
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"88⤵PID:1820
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"88⤵PID:4852
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"89⤵PID:4584
-
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"90⤵PID:1480
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"90⤵PID:3516
-
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"91⤵PID:3900
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"91⤵PID:248
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"92⤵PID:4508
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"93⤵PID:424
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"94⤵PID:2776
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"95⤵PID:4604
-
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"96⤵PID:2068
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"96⤵PID:3176
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"97⤵PID:1388
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"98⤵PID:1172
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"99⤵PID:4168
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"100⤵PID:248
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"101⤵PID:3180
-
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"102⤵PID:4660
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"102⤵PID:2648
-
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"103⤵PID:2096
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"103⤵PID:2776
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"104⤵PID:3144
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"105⤵PID:4864
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"106⤵PID:748
-
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"107⤵PID:4024
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"107⤵PID:4504
-
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"108⤵PID:4136
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"108⤵PID:4516
-
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"109⤵PID:3452
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"109⤵PID:4100
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"110⤵PID:3476
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"111⤵PID:1324
-
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"112⤵PID:2524
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"112⤵PID:3288
-
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"113⤵PID:2160
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"113⤵PID:3136
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"114⤵PID:840
-
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"115⤵PID:4896
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"115⤵PID:792
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"116⤵PID:3732
-
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"117⤵PID:3156
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"117⤵PID:3204
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"118⤵PID:3120
-
C:\BrowserSvc\WmiPrvSE.exe.exe"C:\BrowserSvc\WmiPrvSE.exe.exe"119⤵PID:3500
-
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"119⤵PID:2324
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"120⤵PID:5072
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"121⤵PID:4456
-
C:\BrowserSvc\WmiPrvSE.exe"C:\BrowserSvc\WmiPrvSE.exe"122⤵PID:3892