Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 10-12-2024 20:36
Behavioral task: behavioral1
Sample: 33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: 33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe
Resource: win10v2004-20241007-en
General
Target: 33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe
Size: 1.7MB
MD5: 9bc6e385c3ed07d8041688367cd4c950
SHA1: f33c82f203ce08807d5f4429e6f4c858ec8b8dc6
SHA256: 33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bc
SHA512: 57d183506d509d587a998e9a2069f3c0c8ef5cdeb31f8a8fbbfa280c120f5e373f9ff213081fea07f8fa1c55d2d95353cf7a78979703df5eb3a5602126b4e2ad
SSDEEP: 49152:D+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:uTHUxUoh1IF9gl2
Malware Config
Signatures
DcRat
DarkCrystal (DC) RAT is a .NET remote access trojan, active since June 2019, that can load additional plugins.
Dcrat family
Process spawned unexpected child process 60 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run the parent is the genuine WMI provider host (C:\Windows\system32\wbem\wmiprvse.exe, PID 1932). WmiPrvSE.exe is the recorded parent of any process started through the WMI Win32_Process.Create method, so these 60 schtasks.exe launches are consistent with the sample creating its scheduled tasks over WMI rather than with an exploit of WmiPrvSE itself. One consequence for triage: none of the schtasks.exe processes appear as children of the sample in the process tree below, so parent-child hunting anchored on the dropper alone misses the persistence step.
description (identical for all 60 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid | pid_target | Process | procid_target
2692 | 1932 | schtasks.exe | 30
2732 | 1932 | schtasks.exe | 30
2796 | 1932 | schtasks.exe | 30
2676 | 1932 | schtasks.exe | 30
2560 | 1932 | schtasks.exe | 30
2824 | 1932 | schtasks.exe | 30
2768 | 1932 | schtasks.exe | 30
2896 | 1932 | schtasks.exe | 30
2732 | 1932 | schtasks.exe | 30
2808 | 1932 | schtasks.exe | 30
2868 | 1932 | schtasks.exe | 30
2668 | 1932 | schtasks.exe | 30
612 | 1932 | schtasks.exe | 30
2716 | 1932 | schtasks.exe | 30
2548 | 1932 | schtasks.exe | 30
2584 | 1932 | schtasks.exe | 30
2840 | 1932 | schtasks.exe | 30
2836 | 1932 | schtasks.exe | 30
1216 | 1932 | schtasks.exe | 30
984 | 1932 | schtasks.exe | 30
1260 | 1932 | schtasks.exe | 30
2212 | 1932 | schtasks.exe | 30
2392 | 1932 | schtasks.exe | 30
1488 | 1932 | schtasks.exe | 30
1788 | 1932 | schtasks.exe | 30
892 | 1932 | schtasks.exe | 30
1248 | 1932 | schtasks.exe | 30
608 | 1932 | schtasks.exe | 30
1704 | 1932 | schtasks.exe | 30
2332 | 1932 | schtasks.exe | 30
2952 | 1932 | schtasks.exe | 30
3028 | 1932 | schtasks.exe | 30
2284 | 1932 | schtasks.exe | 30
2520 | 1932 | schtasks.exe | 30
2256 | 1932 | schtasks.exe | 30
3068 | 1932 | schtasks.exe | 30
2884 | 1932 | schtasks.exe | 30
2068 | 1932 | schtasks.exe | 30
744 | 1932 | schtasks.exe | 30
1948 | 1932 | schtasks.exe | 30
940 | 1932 | schtasks.exe | 30
2404 | 1932 | schtasks.exe | 30
2096 | 1932 | schtasks.exe | 30
1496 | 1932 | schtasks.exe | 30
2856 | 1932 | schtasks.exe | 30
2408 | 1932 | schtasks.exe | 30
1076 | 1932 | schtasks.exe | 30
2156 | 1932 | schtasks.exe | 30
2268 | 1932 | schtasks.exe | 30
1940 | 1932 | schtasks.exe | 30
2480 | 1932 | schtasks.exe | 30
2828 | 1932 | schtasks.exe | 30
2748 | 1932 | schtasks.exe | 30
1396 | 1932 | schtasks.exe | 30
2684 | 1932 | schtasks.exe | 30
1952 | 1932 | schtasks.exe | 30
2528 | 1932 | schtasks.exe | 30
2572 | 1932 | schtasks.exe | 30
2760 | 1932 | schtasks.exe | 30
2824 | 1932 | schtasks.exe | 30
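The hunting logic behind this signature, written out as an added example that is not part of the sandbox report: flag process-creation events whose parent is wmiprvse.exe and whose image is a living-off-the-land binary, then count how many such launches one WmiPrvSE parent produces inside a short window. The event dicts are constructed, Sysmon Event ID 1-style records modelled on the table above (eight of the sixty schtasks.exe rows plus two non-matching controls); the LOLBin list, the 120-second window and the threshold of five are assumptions to tune per environment.

```python
"""Hunt for LOLBins launched by WmiPrvSE.exe, as in this report's 60 schtasks.exe rows.

Added example, not part of the sandbox report. Event records are constructed,
Sysmon Event ID 1-style dicts modelled on the table above; the LOLBin list,
window and threshold are assumptions to tune per environment.
"""
from datetime import datetime, timedelta

# Images the WMI provider host has no business launching on a workstation (assumption).
SUSPICIOUS_CHILDREN = {
    "schtasks.exe", "cmd.exe", "powershell.exe", "rundll32.exe",
    "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
}


def image_name(path):
    """Lower-cased file name of a Windows path, tolerant of either slash."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def wmi_spawned_lolbins(events):
    """Events whose parent is wmiprvse.exe and whose image is in SUSPICIOUS_CHILDREN."""
    return [
        ev for ev in events
        if image_name(ev["ParentImage"]) == "wmiprvse.exe"
        and image_name(ev["Image"]) in SUSPICIOUS_CHILDREN
    ]


def spawn_bursts(hits, window=timedelta(seconds=120), threshold=5):
    """Parents that launched at least `threshold` flagged children inside one `window`.

    Returns {parent_pid: max launches seen in any window}. A single WmiPrvSE child
    can be legitimate (management agents do this); sixty inside a two-minute run,
    as in this report, is not.
    """
    by_parent = {}
    for ev in hits:
        by_parent.setdefault(ev["ParentProcessId"], []).append(ev["UtcTime"])
    bursts = {}
    for ppid, times in by_parent.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[ppid] = best
    return bursts


# Constructed sample: eight of the schtasks.exe children of WmiPrvSE (PID 1932) from the
# table above, one second apart, plus two events that must not match (WmiPrvSE's own
# start under svchost, and a schtasks.exe launched by cmd.exe).
T0 = datetime(2024, 12, 10, 20, 36, 0)
SAMPLE_EVENTS = [
    {"UtcTime": T0 + timedelta(seconds=i), "ProcessId": pid,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentProcessId": 1932, "ParentImage": r"C:\Windows\system32\wbem\wmiprvse.exe"}
    for i, pid in enumerate([2692, 2732, 2796, 2676, 2560, 2824, 2768, 2896])
] + [
    {"UtcTime": T0, "ProcessId": 1932, "Image": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "ParentProcessId": 600, "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"UtcTime": T0, "ProcessId": 3100, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentProcessId": 2456, "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    hits = wmi_spawned_lolbins(SAMPLE_EVENTS)
    print(f"{len(hits)} LOLBin launches with WmiPrvSE.exe as parent")
    for ppid, n in spawn_bursts(hits).items():
        print(f"parent PID {ppid}: {n} launches inside one window")
```

The burst count is what separates this sample from the occasional legitimate WMI-launched process: a management agent creates one child now and then, whereas a dropper registering persistence fires dozens within seconds.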
resource | yara_rule
behavioral1/memory/1540-1-0x00000000003B0000-0x0000000000570000-memory.dmp | dcrat
behavioral1/files/0x00080000000120fb-29.dat | dcrat
behavioral1/files/0x00070000000191ad-48.dat | dcrat
behavioral1/memory/2500-120-0x0000000000E20000-0x0000000000FE0000-memory.dmp | dcrat
behavioral1/memory/1796-230-0x00000000010C0000-0x0000000001280000-memory.dmp | dcrat
behavioral1/memory/2360-324-0x0000000000AA0000-0x0000000000C60000-memory.dmp | dcrat
behavioral1/memory/1852-346-0x0000000001220000-0x00000000013E0000-memory.dmp | dcrat
behavioral1/memory/1840-380-0x0000000001390000-0x0000000001550000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 36 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes. Every PowerShell command line visible in the process tree below is Add-MpPreference -ExclusionPath, issued for C:/ itself and for each top-level directory of the system drive; the same twelve commands are repeated by the original process (PID 1540) and by the relaunched copies (PIDs 2500 and 1796), which accounts for the 36 instances and leaves the whole volume excluded from Defender scanning. Add-MpPreference changes machine-wide policy and only succeeds from an elevated context; the exclusions it leaves behind are listed by Get-MpPreference (ExclusionPath) and have to be removed with Remove-MpPreference during cleanup, since reimaging the dropper alone does not undo them.
pid (all powershell.exe): 2008, 944, 1444, 1240, 2936, 2628, 668, 2376, 1120, 3024, 2288, 1664, 1960, 1284, 2764, 2564, 1840, 1288, 1844, 544, 2144, 2116, 3056, 1728, 2860, 1688, 1572, 2964, 1584, 2384, 348, 1144, 2308, 1092, 1648, 2992
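A command-line classifier for this behaviour, as an added example rather than anything from the report or the sandbox: it recognises Add-MpPreference exclusions (path, process or extension) and Set-MpPreference -Disable* switches, normalises the forward-slash paths the sample uses so they compare equal to what Get-MpPreference returns, and reports whether the excluded set covers a volume root. The first twelve sample command lines are copied from this report's process tree; the Get-MpPreference and Set-MpPreference lines are constructed controls, and the regexes are an assumption, not a complete Defender-tampering rule set.

```python
"""Classify command lines that weaken Microsoft Defender and measure what they exclude.

Added example, not part of the sandbox report. The first twelve sample command
lines are copied from this report's process tree; the Get-MpPreference and
Set-MpPreference lines are constructed controls. The regexes are assumptions,
not a complete Defender-tampering rule set.
"""
import re
from pathlib import PureWindowsPath

EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-Exclusion(?P<kind>Path|Process|Extension)\s+"
    r"(?:'(?P<sq>[^']*)'|\"(?P<dq>[^\"]*)\"|(?P<bare>\S+))",
    re.IGNORECASE,
)
# -DisableRealtimeMonitoring, -DisableIOAVProtection and friends: not seen in this
# report, included because they usually travel with exclusion tampering.
DISABLE_RE = re.compile(r"Set-MpPreference\s+-Disable\w+\s+\$?true\b", re.IGNORECASE)


def normalize_path(p):
    """Backslashes, no trailing separator, lower case: the sample writes 'C:/Users/'."""
    return str(PureWindowsPath(p.replace("/", "\\"))).rstrip("\\").lower()


def classify(cmdline):
    """Return (kind, value) for a tampering command line, or None if it is benign."""
    m = EXCLUSION_RE.search(cmdline)
    if m:
        kind = "exclusion_" + m.group("kind").lower()
        value = next(v for v in (m.group("sq"), m.group("dq"), m.group("bare")) if v is not None)
        return kind, normalize_path(value) if kind == "exclusion_path" else value.lower()
    if DISABLE_RE.search(cmdline):
        return "disable_feature", cmdline.strip()
    return None


def excluded_paths(cmdlines):
    """All excluded directories plus whether a volume root itself (e.g. 'c:') is among them."""
    paths = set()
    for c in cmdlines:
        f = classify(c)
        if f and f[0] == "exclusion_path":
            paths.add(f[1])
    root_excluded = any(re.fullmatch(r"[a-z]:", p) for p in paths)
    return paths, root_excluded


SAMPLE_CMDLINES = [
    # from this report's process tree (PID 1540's children)
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Users/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'",
    # constructed controls: one benign, one disable switch
    "\"powershell\" -Command Get-MpPreference",
    "powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true",
]

if __name__ == "__main__":
    paths, root = excluded_paths(SAMPLE_CMDLINES)
    print(f"{len(paths)} excluded directories; volume root excluded: {root}")
```

Feeding the same classifier the ExclusionPath list from a live Get-MpPreference call (after normalising with normalize_path) gives the set to hand to Remove-MpPreference; an excluded volume root is the one finding that should never be tolerated on a managed host.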
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | 33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe
The report records only that the hosts file was opened for modification; the entries written are not captured here, so the file's contents and modification time should be checked on any host where this sample ran.
Executes dropped EXE 8 IoCs
pid | Process
2500 | 33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe
1796 | 33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe
2360 | explorer.exe
2440 | explorer.exe
1852 | explorer.exe
2392 | explorer.exe
1300 | explorer.exe
1840 | explorer.exe
The explorer.exe rows are the dropped copy at C:\Program Files\Uninstall Information\explorer.exe (see "Drops file in Program Files directory" below), not the Windows shell; the dcrat YARA rule matches the memory of four of them (PIDs 2360, 1852 and 1840 in the rule list above, together with 1796).
Drops file in Program Files directory 15 IoCs
description | ioc | Process (all rows: 33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe)
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\69ddcba757bf72
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WmiPrvSE.exe
File created | C:\Program Files (x86)\Windows Media Player\Media Renderer\42af1c969fbb7b
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe
File created | C:\Program Files\7-Zip\Lang\audiodg.exe
File opened for modification | C:\Program Files\7-Zip\Lang\audiodg.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WmiPrvSE.exe
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe
File created | C:\Program Files\Uninstall Information\7a0fd90576e088
File created | C:\Program Files (x86)\Windows Media Player\Media Renderer\audiodg.exe
File created | C:\Program Files\7-Zip\Lang\42af1c969fbb7b
File created | C:\Program Files\Uninstall Information\explorer.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\24dbde2999530e
File opened for modification | C:\Program Files\Uninstall Information\explorer.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\Media Renderer\audiodg.exe
Drops file in Windows directory 8 IoCs
description | ioc | Process (all rows: 33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe)
File created | C:\Windows\Setup\f3b6ecef712a24
File opened for modification | C:\Windows\Setup\spoolsv.exe
File created | C:\Windows\PolicyDefinitions\System.exe
File opened for modification | C:\Windows\PolicyDefinitions\System.exe
File created | C:\Windows\PolicyDefinitions\27d1bcfc3c54e0
File opened for modification | C:\Windows\PolicyDefinitions\RCXB0BB.tmp
File opened for modification | C:\Windows\PolicyDefinitions\RCXB0EB.tmp
File created | C:\Windows\Setup\spoolsv.exe
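The two "Drops file" tables above show the same pattern repeated: a copy of the payload named after a Windows system binary (smss.exe, audiodg.exe, WmiPrvSE.exe, spoolsv.exe, explorer.exe, System.exe) placed in an unrelated directory, with a marker file whose name is 14 lower-case hex characters beside each copy. The following is an added example, not part of the report, that turns both observations into a file-system sweep: it flags system-binary names found outside their home directory and any sibling whose name matches the 14-hex-character shape. The path list is taken from the tables above plus three constructed controls; the expected-location map is an assumption that covers only the names seen here and should be extended for real use.

```python
"""Flag dropped files that reuse Windows system binary names outside their home
directory, plus the 14-hex-character companion files seen beside each copy.

Added example, not part of the sandbox report. The path list is taken from this
report's "Drops file" tables; the expected-location map is an assumption covering
only the names that appear here.
"""
import re
from pathlib import PureWindowsPath

# Where each binary legitimately lives (assumption; extend for real use). An empty set
# means no Windows binary of that name exists, so any file carrying it is suspect.
EXPECTED_DIRS = {
    "smss.exe": {r"c:\windows\system32"},
    "audiodg.exe": {r"c:\windows\system32"},
    "wmiprvse.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "system.exe": set(),
}
# Shape of the marker files in this report: 69ddcba757bf72, 42af1c969fbb7b, ...
COMPANION_RE = re.compile(r"^[0-9a-f]{14}$")


def masquerading(paths):
    """Return (path, reason) for each path that imitates a system binary or is a marker file."""
    findings = []
    for raw in paths:
        p = PureWindowsPath(raw)
        name, parent = p.name.lower(), str(p.parent).lower()
        if name in EXPECTED_DIRS and parent not in EXPECTED_DIRS[name]:
            findings.append((raw, f"{p.name} outside expected directory"))
        elif COMPANION_RE.match(name):
            findings.append((raw, "14-hex-char companion file"))
    return findings


SAMPLE_PATHS = [
    # dropped binaries (from the report)
    r"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe",
    r"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WmiPrvSE.exe",
    r"C:\Program Files\7-Zip\Lang\audiodg.exe",
    r"C:\Program Files (x86)\Windows Media Player\Media Renderer\audiodg.exe",
    r"C:\Program Files\Uninstall Information\explorer.exe",
    r"C:\Windows\Setup\spoolsv.exe",
    r"C:\Windows\PolicyDefinitions\System.exe",
    # companion marker files (from the report)
    r"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\69ddcba757bf72",
    r"C:\Program Files (x86)\Windows Media Player\Media Renderer\42af1c969fbb7b",
    r"C:\Program Files\7-Zip\Lang\42af1c969fbb7b",
    r"C:\Program Files\Uninstall Information\7a0fd90576e088",
    r"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\24dbde2999530e",
    r"C:\Windows\Setup\f3b6ecef712a24",
    r"C:\Windows\PolicyDefinitions\27d1bcfc3c54e0",
    # controls: a temp file from the report and two constructed legitimate paths
    r"C:\Windows\PolicyDefinitions\RCXB0BB.tmp",
    r"C:\Windows\System32\smss.exe",
    r"C:\Windows\explorer.exe",
]

if __name__ == "__main__":
    for path, reason in masquerading(SAMPLE_PATHS):
        print(f"{reason:35} {path}")
```

On a live host the same function runs over a directory walk of Program Files and Windows; anything it flags should be hashed and compared against the SHA256 in the General section, since every copy of this sample is byte-identical until the next stage modifies it.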
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task 1 TTPs 60 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. These are the same 60 schtasks.exe processes listed under "Process spawned unexpected child process" above, all launched with WmiPrvSE.exe (PID 1932) as parent. Note that PIDs are reused within the 117-second run (2732 and 2824 each appear twice, and 1840 is both a powershell.exe and a dropped explorer.exe elsewhere in this report), so events should be correlated on PID plus start time rather than on PID alone.
pid (all schtasks.exe): 1076, 2768, 2548, 2584, 2836, 3068, 1948, 2480, 2528, 2732, 2796, 2824, 2952, 2212, 940, 1396, 2684, 2760, 2676, 2896, 1216, 1248, 1260, 2284, 1952, 1496, 2748, 2572, 2824, 1788, 2856, 2332, 2828, 2096, 1940, 612, 3028, 2520, 744, 984, 608, 2256, 2692, 2560, 2716, 2840, 2408, 2808, 2868, 1488, 2404, 2068, 2732, 2668, 2392, 892, 1704, 2884, 2156, 2268
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (repeat counts as in the original listing)
1540 | 33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe (×11)
2384, 1840, 2144, 1444, 1288, 2992, 1572, 2628, 1120, 2116, 2008, 944 | powershell.exe (one row each)
2500 | 33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe (×31)
668, 1144, 3056, 2964, 1688, 1960, 544, 2860, 348, 1728 | powershell.exe (one row each)
Suspicious use of AdjustPrivilegeToken 45 IoCs
description (all 45 rows): Token: SeDebugPrivilege
pid | Process
1540 | 33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe
1840 | powershell.exe
2384 | powershell.exe
2144 | powershell.exe
1444 | powershell.exe
1288 | powershell.exe
2992 | powershell.exe
1572 | powershell.exe
2628 | powershell.exe
1120 | powershell.exe
2116 | powershell.exe
2008 | powershell.exe
944 | powershell.exe
2500 | 33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe
668 | powershell.exe
1144 | powershell.exe
3056 | powershell.exe
2964 | powershell.exe
1688 | powershell.exe
1960 | powershell.exe
544 | powershell.exe
2860 | powershell.exe
348 | powershell.exe
1728 | powershell.exe
1284 | powershell.exe
1844 | powershell.exe
1796 | 33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe
2564 | powershell.exe
1240 | powershell.exe
2288 | powershell.exe
2376 | powershell.exe
2936 | powershell.exe
1092 | powershell.exe
2764 | powershell.exe
1584 | powershell.exe
1648 | powershell.exe
1664 | powershell.exe
2308 | powershell.exe
3024 | powershell.exe
2360 | explorer.exe
2440 | explorer.exe
1852 | explorer.exe
2392 | explorer.exe
1300 | explorer.exe
1840 | explorer.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (each row appears three times in the original listing except the last, which appears once)
PID 1540 wrote to memory of 2628 | 1540 | 33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe | 37
PID 1540 wrote to memory of 1120 | 1540 | 33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe | 38
PID 1540 wrote to memory of 2992 | 1540 | 33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe | 39
PID 1540 wrote to memory of 2116 | 1540 | 33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe | 41
PID 1540 wrote to memory of 2144 | 1540 | 33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe | 42
PID 1540 wrote to memory of 2008 | 1540 | 33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe | 43
PID 1540 wrote to memory of 1840 | 1540 | 33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe | 45
PID 1540 wrote to memory of 2384 | 1540 | 33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe | 46
PID 1540 wrote to memory of 1572 | 1540 | 33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe | 47
PID 1540 wrote to memory of 1288 | 1540 | 33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe | 48
PID 1540 wrote to memory of 944 | 1540 | 33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe | 49
PID 1540 wrote to memory of 1444 | 1540 | 33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe | 50
PID 1540 wrote to memory of 2456 | 1540 | 33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe | 61
PID 2456 wrote to memory of 1356 | 2456 | cmd.exe | 63
PID 2456 wrote to memory of 2500 | 2456 | cmd.exe | 64
PID 2500 wrote to memory of 668 | 2500 | 33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe | 99
PID 2500 wrote to memory of 1144 | 2500 | 33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe | 100
PID 2500 wrote to memory of 348 | 2500 | 33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe | 102
PID 2500 wrote to memory of 3056 | 2500 | 33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe | 103
PID 2500 wrote to memory of 1284 | 2500 | 33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe | 104
PID 2500 wrote to memory of 1844 | 2500 | 33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe | 105
PID 2500 wrote to memory of 1688 | 2500 | 33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe | 106 (×1)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe"C:\Users\Admin\AppData\Local\Temp\33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe"1⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2628
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1120
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2992
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2116
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1840
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2384
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1572
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1288
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:944
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1444
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GEujOzFY9Y.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:1356
-
-
C:\Users\Admin\AppData\Local\Temp\33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe (level 3)
"C:\Users\Admin\AppData\Local\Temp\33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\System32\cmd.exe (level 4)
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LEOgu8eF3a.bat"
PID:2956

C:\Windows\system32\w32tm.exe (level 5)
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2744

C:\Users\Admin\AppData\Local\Temp\33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe (level 5)
"C:\Users\Admin\AppData\Local\Temp\33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bcN.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 6)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 6)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 6)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 6)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 6)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 6)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 6)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 6)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 6)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 6)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 6)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 6)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\System32\cmd.exe (level 6)
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0hEHdXHWCj.bat"
PID:2736

C:\Windows\system32\w32tm.exe (level 7)
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1300

C:\Program Files\Uninstall Information\explorer.exe (level 7)
"C:\Program Files\Uninstall Information\explorer.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\System32\WScript.exe (level 8)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15ac2e50-90a3-4706-ab04-e8f19e109c41.vbs"
PID:2396

C:\Program Files\Uninstall Information\explorer.exe (level 9)
"C:\Program Files\Uninstall Information\explorer.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\System32\WScript.exe (level 10)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc323218-54a1-417d-b530-4fc56d9fe75d.vbs"
PID:864

C:\Program Files\Uninstall Information\explorer.exe (level 11)
"C:\Program Files\Uninstall Information\explorer.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\System32\WScript.exe (level 12)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb31b9d1-c4bc-4797-8e43-58aa00845752.vbs"
PID:1844

C:\Program Files\Uninstall Information\explorer.exe (level 13)
"C:\Program Files\Uninstall Information\explorer.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\System32\WScript.exe (level 14)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8754e934-ef94-4704-9e44-a039a878f03a.vbs"
PID:748

C:\Program Files\Uninstall Information\explorer.exe (level 15)
"C:\Program Files\Uninstall Information\explorer.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\System32\WScript.exe (level 16)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\856c19fe-0107-47eb-b61a-938733aaa35e.vbs"
PID:2964

C:\Program Files\Uninstall Information\explorer.exe (level 17)
"C:\Program Files\Uninstall Information\explorer.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Windows\System32\WScript.exe (level 18)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58ea90ce-a0a7-4118-b853-d2d8432dfb6d.vbs"
PID:1340

C:\Windows\System32\WScript.exe (level 18)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\176436f0-8160-4ecf-8775-efc2209a6e32.vbs"
PID:1528

C:\Windows\System32\WScript.exe (level 16)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\898cc9f0-5218-496b-a7d5-7da2b1087ed2.vbs"
PID:2692

C:\Windows\System32\WScript.exe (level 14)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfe75889-fd18-442c-b3b4-ca7bec20566b.vbs"
PID:1792

C:\Windows\System32\WScript.exe (level 12)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09cf0fae-2d71-48d8-93a1-cd12eae58388.vbs"
PID:760

C:\Windows\System32\WScript.exe (level 10)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b01232c8-22b5-461f-8a25-dab7cde0ff17.vbs"
PID:2744

C:\Windows\System32\WScript.exe (level 8)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01f97401-0244-4edc-9775-205dde8f8602.vbs"
PID:352

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\PolicyDefinitions\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft Help\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Microsoft Help\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:612

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:608

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\Setup\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Setup\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\Setup\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe (level 1)
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824
Network
- No results found
- 12 flow rows recorded, each 152 B / 120 B / 3 / 3 (column labels not preserved in the page)
MITRE ATT&CK Enterprise v15
Downloads
Filesize 1.7MB
MD5 920a04e16bc43b2ce8de7c3c8b87ab19
SHA1 352fed4a83e9fa9eac7a9dab71341ba4af87ca2c
SHA256 1094dd9e2d0c2429d40edbba6d476433d622215c44afde83224b9ba5542e06c6
SHA512 3d94a1d90ff547e8ae7bec8313d1c041752acc83ca73726858474aabc8b93005339634f155e7d0583de6921cce41ca55f793d08f3386be8365ed7821ea531bca

Filesize 503B
MD5 fdb20532ef16e8035c3f3edab1310f1a
SHA1 1544242bd20dda96530c34d586289609e052011e
SHA256 fc07d6f547a4ffce00bba381ec703aea9383e2be6f14326dc1b002bb995e6954
SHA512 7cb9dd4abe3ac81a2cf8f6fe0cea8a1811addc902d7bcfd506d1643e7ed625f665f7ac7c3bd1e40b22ba01beddd7d238b67084b92e98e6b01ef03dae556f2622

Filesize 216B
MD5 baf0a1963f4bb6afd3ff151bbd2f49ad
SHA1 39fab5c14e8d6539ae41ce54c93b968d5ca41ef0
SHA256 711c1a6a627efddb5a40b3fe571bb492b29fb925b8ac9a4ef9dcbedf59777c8d
SHA512 97eacca7362912e5476b19eec52b3b13fe550ad41a61079862af58330cd9cba372f47fc4323f016fcc4d838a6abb213f059ce569e580bb69ed2644de9895ca6a

Filesize 727B
MD5 75f0308a374ebd6979269d1ec30d8690
SHA1 f1a651d757960b9f222f42e3ccbee056228729fb
SHA256 304ff821a93f5651f61402d4cf29f4146d3fb0d7ca583c8f02b89e3c96d4a92f
SHA512 9fee4cddca8f2e84377f00ad5cc41236d5c3927756ceb7bfcaf84c143a05b3cc41b9579f75bc7026b2d8ba9c96f1c37d926c0645744b6318b1ca8666318378a8

Filesize 727B
MD5 7b5d365840707d152226667ef5d15379
SHA1 7d3b8664f8d462a95d5a2f0f24b29602d0e128fc
SHA256 36505821389e2ed3f3e83db507c65ca71d58d0dd0c9f737cdd02c9416ab5ec16
SHA512 3f483e0bd86e8af77a06a3021c6f0eac073e469579090c26773ee828178312950c5dacfc8d42b09772cd6f2a0c4fc8883afe9b5607d934cc5749ef2939497968

Filesize 727B
MD5 4fb0ad833d077f474071cbce674d9d37
SHA1 2fc15efcd1019287bd669966aa793c97c77bdc5a
SHA256 f24b280e0c5e5c517cd6e982b92458923247444248f3e9d4dcb1da839cf4384e
SHA512 ff7758d468474a2567d7bbb22e9ad58259b58f30566be1cc8d3add4cced17bf1c62bffe1984e82719237681c3a910183c48f43ceb764449be6331c9c785cda09

Filesize 727B
MD5 b7ad240e8f8c8b8e99f44543d79e46e0
SHA1 f42d2770dfb7c688f9b1fa3bb4651c3989dbc9fe
SHA256 1d3792d86bad85f469685134bffc95d3a2e7dae9322d075ad8301d855eba58b3
SHA512 a184f5d0d7c5798b57cc4aacc8f7a2b9fb6bb056f2d3fa915297c53c5d52fa5c1f1eb19951effb4a96a46a19d42dfc74df1a4dcfd6893d31e30684a266dd5be1

Filesize 268B
MD5 4cb78e3ebdb03b51371698330711726f
SHA1 8a2101ccbf232510ed128b4b52d41c411318d9f7
SHA256 5cb03aac03b964b7209abb8649eae127b229db9962ef2d471d7c815deba8eefe
SHA512 195a60ec1f85adda4ffc48ebb29e0e3b1907b90cf0468b32d4c28adddc27187b0a8411127f0856f677712b9c184cd0bb30d8f0db1b54136f2ac622f5dc525312

Filesize 268B
MD5 1979655435834f4ba222716e4e1fb31c
SHA1 318acbe6eabe169232ff0e24ff2c2d7a84f6d6c8
SHA256 0b22f506f9588f081e16003df228ca9838bf04886951c99498ba266a6d9e9ffb
SHA512 9f3acd770250431934ae3b8b7033a28ce354e3e58fb140f4c2d74da8c00491e80fd58c4460707de330bea706369dde622a3a491a3ab495f0517fb2d0ad46ab22

Filesize 727B
MD5 749f9ed7eaa83862523b73c861a87290
SHA1 c01002654a66c81399b46201647ef141baa11d88
SHA256 8760cb90b24add4d3180ab7a59509d272ad5eb12ff1ff4de422011bffdadc47c
SHA512 28ecb2916afa0013cb18dbbfb13cb6e56975438831f28806287494777632bd9099f52b339cd439a23e1079610e8a758950376f5831698e84c0027c97778ec867

Filesize 727B
MD5 61c4967f2188e999f61f5806609eb734
SHA1 482017a0eb5b4fc2751b71b62ba8fa8043bf3afc
SHA256 a0b7cc120294b3f7c67bc57038c7c5f286b55bf7f8acaf1b32038cc1e0f5a735
SHA512 59b9dd3a6e3e081fad1a2635b9ef571b4bb55d2b658cbbdd201096a08cdfbb63ad80e9684391ab90b6891671cb333750707769863f3cd0b72c65d05d0e0fc702

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 c0bead43b0916879b4846463ca73734b
SHA1 72304d2ec95d1b62f334698f7de69e20b699beae
SHA256 905dc62707a3355854df46f3a09622dbdf4103dbba6e730b19533c94e5e48552
SHA512 dc815ef145b0682b67289c1f6e7744adcdd36d8cd412c696d867aa4176e6529bd793c7a76569e8173e2a2ae9641dd7572a5b8ba88ddaf4d4b103efef04b21b00

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 bbb7335eaac75cfb34f4e89debcf6935
SHA1 b7fd174455249c3fc4355b920678f8f44604fa91
SHA256 590965d1b2d3dc441733798eab709ad0624afc1074afdad3a5116a39de2627d2
SHA512 8216718789d9f5cc9a944a23a6bb2cbf247ad04fc24c4ee91b024cdfa275fa13c3cf0734d38c7639180d16e8b0b04e697c769a335859412161f85cb5247b9769

Filesize 1.7MB
MD5 9bc6e385c3ed07d8041688367cd4c950
SHA1 f33c82f203ce08807d5f4429e6f4c858ec8b8dc6
SHA256 33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bc
SHA512 57d183506d509d587a998e9a2069f3c0c8ef5cdeb31f8a8fbbfa280c120f5e373f9ff213081fea07f8fa1c55d2d95353cf7a78979703df5eb3a5602126b4e2ad