Analysis

max time kernel: 119s
max time network: 115s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 14:02

Static task: static1

Behavioral task: behavioral1
Sample: b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9.exe
Resource: win10v2004-20241007-en
General

Target: b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9.exe
Size: 1.1MB
MD5: b8da80bdfe6252c354345441684b6151
SHA1: 040dcd00ac82eb3add9bd49bc9c2c773093cdd07
SHA256: b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9
SHA512: da03b9665eb425db14c28ddc631a3cda5425ed140d2bae37b08a8c9f8e6208a45072be53d8b02b4e15bab53fa439e46d27c0a2681f3c94d1b3ae47de37e5a7e6
SSDEEP: 24576:ZxU376C0skFgqIyXFnbCDQgZ8e7FRsWC9ZRHInh4j1Cf6liXwkOmpdD:EPkVXFGDQoP7FRCZRonh4hfewhmpdD
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

Dcrat family
Process spawned unexpected child process (54 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
resource | yara_rule
behavioral1/memory/2856-18-0x0000000000400000-0x000000000052E000-memory.dmp | dcrat
behavioral1/memory/2856-16-0x0000000000400000-0x000000000052E000-memory.dmp | dcrat
behavioral1/memory/2856-14-0x0000000000400000-0x000000000052E000-memory.dmp | dcrat
behavioral1/memory/2856-11-0x0000000000400000-0x000000000052E000-memory.dmp | dcrat
behavioral1/memory/2856-10-0x0000000000400000-0x000000000052E000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 19 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Executes dropped EXE (3 IoCs)
pid | Process
1560 | explorer.exe
1248 | explorer.exe
1652 | explorer.exe
Loads dropped DLL (3 IoCs)
pid | Process
2856 | b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9.exe
2856 | b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9.exe
1104 | WScript.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 1764 set thread context of 2856 | 1764 | b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9.exe | 32
PID 1560 set thread context of 1248 | 1560 | explorer.exe | 127
Drops file in Program Files directory (30 IoCs)
Process for every entry below: b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9.exe
description | ioc
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX849E.tmp
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\RCX93C7.tmp
File opened for modification | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCX9E3C.tmp
File opened for modification | C:\Program Files\Uninstall Information\dwm.exe
File created | C:\Program Files (x86)\Windows NT\TableTextService\es-ES\Idle.exe
File created | C:\Program Files (x86)\Windows NT\TableTextService\es-ES\6ccacd8608530f
File created | C:\Program Files\Reference Assemblies\Microsoft\smss.exe
File created | C:\Program Files\Common Files\System\ado\fr-FR\b75386f1303e64
File opened for modification | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCX9DFD.tmp
File opened for modification | C:\Program Files\Uninstall Information\RCXA767.tmp
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe
File created | C:\Program Files\Uninstall Information\dwm.exe
File opened for modification | C:\Program Files\Common Files\System\ado\fr-FR\taskhost.exe
File opened for modification | C:\Program Files\Uninstall Information\RCXA768.tmp
File opened for modification | C:\Program Files (x86)\Windows NT\TableTextService\es-ES\RCX91C4.tmp
File opened for modification | C:\Program Files\Common Files\System\ado\fr-FR\RCX9B9B.tmp
File opened for modification | C:\Program Files (x86)\Windows NT\TableTextService\es-ES\Idle.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\RCX9445.tmp
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\smss.exe
File opened for modification | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\69ddcba757bf72
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX848D.tmp
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe
File opened for modification | C:\Program Files (x86)\Windows NT\TableTextService\es-ES\RCX91B3.tmp
File opened for modification | C:\Program Files\Common Files\System\ado\fr-FR\RCX9B1D.tmp
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\24dbde2999530e
File created | C:\Program Files\Uninstall Information\6cb0b6c459d5d3
File created | C:\Program Files\Common Files\System\ado\fr-FR\taskhost.exe
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\7a0fd90576e088
Drops file in Windows directory (15 IoCs)
Process for every entry below: b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9.exe
description | ioc
File created | C:\Windows\Vss\f3b6ecef712a24
File opened for modification | C:\Windows\security\logs\RCX86B2.tmp
File opened for modification | C:\Windows\security\logs\winlogon.exe
File opened for modification | C:\Windows\Vss\RCX8F80.tmp
File opened for modification | C:\Windows\tracing\RCXA2D1.tmp
File created | C:\Windows\security\logs\winlogon.exe
File created | C:\Windows\tracing\Idle.exe
File opened for modification | C:\Windows\security\logs\RCX86A1.tmp
File opened for modification | C:\Windows\Vss\spoolsv.exe
File opened for modification | C:\Windows\tracing\RCXA2E2.tmp
File created | C:\Windows\Vss\spoolsv.exe
File created | C:\Windows\tracing\6ccacd8608530f
File opened for modification | C:\Windows\tracing\Idle.exe
File created | C:\Windows\security\logs\cc11b995f2a76d
File opened for modification | C:\Windows\Vss\RCX8F12.tmp
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 26 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
Scheduled Task/Job: Scheduled Task (1 TTPs, 54 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (33 IoCs)
Suspicious use of AdjustPrivilegeToken (22 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9.exe (PID 1764)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9.exe"
  Signatures:
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9.exe (PID 2816)
    Command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9.exe (PID 2856)
    Command line: "{path}"
    Signatures:
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1804)
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9.exe'
      Signatures:
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2152)
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'
      Signatures:
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1612)
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\logs\winlogon.exe'
      Signatures:
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 776)
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'
      Signatures:
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2756)
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Searches\smss.exe'
      Signatures:
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2600)
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe'
      Signatures:
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2752)
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\spoolsv.exe'
      Signatures:
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2208)
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\Idle.exe'
      Signatures:
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3048)
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\smss.exe'
      Signatures:
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3032)
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'
      Signatures:
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\wininit.exe'
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ado\fr-FR\taskhost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2848
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2396
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\Idle.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2844
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2780
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\dwm.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2860
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1132
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\audiodg.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2128
-
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe"C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1560 -
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe"{path}"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1248 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0188f4bb-870b-4299-bf10-22b2001dc962.vbs"5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1104 -
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exeC:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1652
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a097a57-80df-40a2-af6f-c2f432e10985.vbs"5⤵
- System Location Discovery: System Language Discovery
PID:2824
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\security\logs\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\security\logs\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\security\logs\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Searches\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\Searches\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Searches\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Vss\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\Vss\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\System\ado\fr-FR\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\ado\fr-FR\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\System\ado\fr-FR\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9b" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9b" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\tracing\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 1.1MB
MD5 7ea09c9a4b86114d8aab3a82d58ee7c1
SHA1 d440f0374e7be38794d5a17b882329c0acea186f
SHA256 eb105426f3cbdd1e791709e7f2c36654a40820a73376558840da35b9c5c56c92
SHA512 0b1218986f4520889dc7157ce139035be2a1ca1bd6f3d057c56c75a16b53177fb583d66df2c0b6025d9c0c84551071ddf84d247b44963151cf79b112a0c95e0a
-
Filesize 1.1MB
MD5 2e7e0f18bb6283d0f36762b8ccb7296f
SHA1 66c48d4bec9a6f926bf0521907a7d018c3c8e8f6
SHA256 deae2afc30db6f5c0fa80a742be75e3dcbd6eb19e50700f972be658d9d1927aa
SHA512 e71d75827450a863c2a84b7d16b25df654ea49153e502cffb9a530e2112d51026629e032ed28f88ce4520ee06fff52922ab3bdf9fd3fd17fca9604ab2e832039
-
Filesize 1.1MB
MD5 c479b0be80d7bed69cd64efaa231e575
SHA1 216f49c3751db57a49d8083741fc2d3115b839e3
SHA256 981436c685baf6183600168cd0757fa0d06ae888d2e766b089873d8bca0da263
SHA512 157ce4cdea7afeada8ae0228629ac9c59ad18f4d6fd7f7bf677c61f13dd8430ec0f16388400f7cf88c4db22255b99ea7087e898c038ea62e99bfba4a3503adf6
-
Filesize 1.1MB
MD5 a3fdd29e23d9d4ab8ccba1158e94729f
SHA1 e84fe1796b6524b027493c0efaee47eb6c963392
SHA256 bbb782aeb66043c4db57872024154954b430fe9c8b7bf39ba7e88ce1c7c976bf
SHA512 d6e2faa45fbfe30c05b57f86da97c024ff503c4fe04d7811373353407f1c1a9a21ed69f64421727cd8fd6892656f99d8384e121a763ca1b2dd7fd33a74d9e12e
-
Filesize 1.1MB
MD5 b8da80bdfe6252c354345441684b6151
SHA1 040dcd00ac82eb3add9bd49bc9c2c773093cdd07
SHA256 b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9
SHA512 da03b9665eb425db14c28ddc631a3cda5425ed140d2bae37b08a8c9f8e6208a45072be53d8b02b4e15bab53fa439e46d27c0a2681f3c94d1b3ae47de37e5a7e6
-
Filesize 1.1MB
MD5 06f664a34b23a33e2afafe88cf377d6f
SHA1 a00646141499391dbbc15b0fa0d675889a427a4d
SHA256 90a176c904a28fcaab9b3e4265e05d6edd05d683e9234de7bbb88a50d7feba6f
SHA512 1130d8dc7938f9558ed27347eb1ed88a1fc0f05c3a8dbf4ce88fc3d4a60214999061861c9866b01cfc0221fdfd9e5fa992a02ef69434e1c5d35c91758f0f1988
-
Filesize 737B
MD5 f11d0f66dec03a96b576970bfbdc770e
SHA1 1adb60f9dda35472b2cc33d66d91b28c73203b47
SHA256 e02fc80ca861ee9f9881e9aca235b440820eb1aded65dace98f90e88b43f2baf
SHA512 2ea0e7d56a0ab8a5d8b80a7deb9ffa89832a7328e6b1883fbf5bb871457b90cbb18cbb4edcc46f25ceaa3eb0da2ebf0bff4e5d64c1e857991dc4413fd6ea9cbc
-
Filesize 513B
MD5 d99f90ec570dc923710d4575c6e1dbd8
SHA1 cda2ac4a3b600ba7ff434b007cb6443264b42547
SHA256 5d533b8de1873f7c8a3f30ca2c2662427ab78c91a2ab8397547e846da274b7e3
SHA512 1c9dd3997dea322417a63d914c57d01841aafc71c1646d8aaab6e0eeb0187c96d3676609a7705b304441c468758d5868c019995e7af6cf26a5ffdca436754559
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize 7KB
MD5 f138c16245380186a5abf99d863465bc
SHA1 12db3095dbfbc2f0ea87a2b8f6b0918ae446f64b
SHA256 1d729b12a0167c90f72bea03fa6df6f033893cc3803bd47077e4485c98a9e816
SHA512 7467518102235cdef34a789309649c213c9b500aea6649c7081ff7c03012f20161b2387c381c0652f4ebd3597683f3c496133d8c79bd8784e611124fdeef1601
-
Filesize 1.1MB
MD5 b9fff629ee386d8f49a979ad93d35d16
SHA1 d623e45eb353de6acef89757667920f991d8a46b
SHA256 3d3ff322d111ac2a186118983d3e24d60cc5828909cf50dc9f66f7bdd2ba9238
SHA512 8d7a740186ad79c9260735535b3aa1b54f1aebd8f88955ba8136bef81f5ca80618c31d93ad564213ed89860457db7a85730cfc5be7cf779a3c5bd455522439e7