dcrat | d2e73b6112b25f6d4aac7ab6fbebecddbe4042cbad85f3926dc298c871c017e2

Analysis

max time kernel
131s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DCRawwwftBuild.exe
Size

1.1MB
MD5

fc1382653001e36943a5a487aa04083e
SHA1

48e471cccc1894f6581d7a19daaf46ac9c219995
SHA256

d2e73b6112b25f6d4aac7ab6fbebecddbe4042cbad85f3926dc298c871c017e2
SHA512

d0d6740d5cb26876ee0f89d9bab8ee7dddaa18ae8899db236a48ab577f7d41b09a5418801fc1ee26bcf90af37116d5dc0a3254dc79e33871fe03192ab54774d8
SSDEEP

24576:U2G/nvxW3Ww0tRCSZnPWLTNL6sHH6Jr3W2QGJqE+s:UbA30RCcGNT6JTW9c

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3552	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3804	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3544	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3480	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3632	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3224	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3096	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4224	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3140	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	440	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3184	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4324	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	5036	schtasks.exe

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\bridgeMsPerfcrt\agentDhcp.exe	dcrat
C:\bridgeMsPerfcrt\agentDhcp.exe	dcrat
behavioral2/memory/2356-145-0x0000000000CA0000-0x0000000000D76000-memory.dmp	dcrat
C:\Windows\Resources\Ease of Access Themes\OfficeClickToRun.exe	dcrat
C:\bridgeMsPerfcrt\agentDhcp.exe	dcrat
C:\Recovery\WindowsRE\taskhostw.exe	dcrat
C:\Recovery\WindowsRE\RuntimeBroker.exe	dcrat
C:\Recovery\WindowsRE\RuntimeBroker.exe	dcrat

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

agentDhcp.exeagentDhcp.exeDCRawwwftBuild.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	agentDhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	agentDhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	DCRawwwftBuild.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 3 IoCs

Processes:

agentDhcp.exeagentDhcp.exeRuntimeBroker.exe

pid process

2356 agentDhcp.exe
3580 agentDhcp.exe
3084 RuntimeBroker.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

35 ipinfo.io
36 ipinfo.io

flow	ioc
35	ipinfo.io
36	ipinfo.io

Drops file in Program Files directory 8 IoCs

Processes:

agentDhcp.exeagentDhcp.exe

description	ioc	process
File created	C:\Program Files (x86)\MSBuild\088424020bedd6	agentDhcp.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe	agentDhcp.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\5b884080fd4f94	agentDhcp.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\StartMenuExperienceHost.exe	agentDhcp.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\55b276f4edf653	agentDhcp.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\conhost.exe	agentDhcp.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\088424020bedd6	agentDhcp.exe
File created	C:\Program Files (x86)\MSBuild\conhost.exe	agentDhcp.exe

Drops file in Windows directory 10 IoCs

Processes:

agentDhcp.exeagentDhcp.exe

description	ioc	process
File created	C:\Windows\Resources\Ease of Access Themes\e6c9b481da804f	agentDhcp.exe
File created	C:\Windows\Vss\Writers\backgroundTaskHost.exe	agentDhcp.exe
File created	C:\Windows\Cursors\ea9f0e6c9e2dcd	agentDhcp.exe
File created	C:\Windows\Resources\Ease of Access Themes\OfficeClickToRun.exe	agentDhcp.exe
File created	C:\Windows\CbsTemp\TrustedInstaller.exe	agentDhcp.exe
File created	C:\Windows\CbsTemp\04c1e7795967e4	agentDhcp.exe
File created	C:\Windows\Vss\Writers\eddb19405b7ce1	agentDhcp.exe
File created	C:\Windows\it-IT\upfc.exe	agentDhcp.exe
File created	C:\Windows\it-IT\ea1d8f6d871115	agentDhcp.exe
File created	C:\Windows\Cursors\taskhostw.exe	agentDhcp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
456	schtasks.exe
796	schtasks.exe
1468	schtasks.exe
632	schtasks.exe
3336	schtasks.exe
3912	schtasks.exe
3632	schtasks.exe
3916	schtasks.exe
1908	schtasks.exe
2816	schtasks.exe
2908	schtasks.exe
1280	schtasks.exe
1332	schtasks.exe
2224	schtasks.exe
4396	schtasks.exe
1520	schtasks.exe
1764	schtasks.exe
3136	schtasks.exe
4276	schtasks.exe
5060	schtasks.exe
4112	schtasks.exe
2076	schtasks.exe
4572	schtasks.exe
4792	schtasks.exe
1856	schtasks.exe
3012	schtasks.exe
1084	schtasks.exe
1896	schtasks.exe
1168	schtasks.exe
2792	schtasks.exe
1808	schtasks.exe
1508	schtasks.exe
2792	schtasks.exe
3140	schtasks.exe
4716	schtasks.exe
3552	schtasks.exe
2128	schtasks.exe
1444	schtasks.exe
1956	schtasks.exe
2128	schtasks.exe
3476	schtasks.exe
2444	schtasks.exe
4124	schtasks.exe
3184	schtasks.exe
1092	schtasks.exe
3676	schtasks.exe
3752	schtasks.exe
1744	schtasks.exe
2348	schtasks.exe
1512	schtasks.exe
5056	schtasks.exe
2636	schtasks.exe
376	schtasks.exe
1900	schtasks.exe
1200	schtasks.exe
3696	schtasks.exe
1900	schtasks.exe
1276	schtasks.exe
2500	schtasks.exe
4224	schtasks.exe
4684	schtasks.exe
5092	schtasks.exe
440	schtasks.exe
1832	schtasks.exe

Modifies registry class 2 IoCs

Processes:

DCRawwwftBuild.exeagentDhcp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	DCRawwwftBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	agentDhcp.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

agentDhcp.exeagentDhcp.exeRuntimeBroker.exe

pid	process
2356	agentDhcp.exe
2356	agentDhcp.exe
2356	agentDhcp.exe
2356	agentDhcp.exe
2356	agentDhcp.exe
2356	agentDhcp.exe
2356	agentDhcp.exe
2356	agentDhcp.exe
2356	agentDhcp.exe
3580	agentDhcp.exe
3580	agentDhcp.exe
3580	agentDhcp.exe
3580	agentDhcp.exe
3580	agentDhcp.exe
3580	agentDhcp.exe
3580	agentDhcp.exe
3580	agentDhcp.exe
3580	agentDhcp.exe
3580	agentDhcp.exe
3084	RuntimeBroker.exe
3084	RuntimeBroker.exe
3084	RuntimeBroker.exe
3084	RuntimeBroker.exe
3084	RuntimeBroker.exe
3084	RuntimeBroker.exe
3084	RuntimeBroker.exe
3084	RuntimeBroker.exe
3084	RuntimeBroker.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RuntimeBroker.exe

pid process

3084 RuntimeBroker.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

agentDhcp.exeagentDhcp.exeRuntimeBroker.exe

description pid process

Token: SeDebugPrivilege 2356 agentDhcp.exe
Token: SeDebugPrivilege 3580 agentDhcp.exe
Token: SeDebugPrivilege 3084 RuntimeBroker.exe

pid	process
3084	RuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	2356	agentDhcp.exe
Token: SeDebugPrivilege	3580	agentDhcp.exe
Token: SeDebugPrivilege	3084	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

DCRawwwftBuild.exeWScript.execmd.exeagentDhcp.exeagentDhcp.execmd.exe

description	pid	process	target process
PID 1444 wrote to memory of 1988	1444	DCRawwwftBuild.exe	WScript.exe
PID 1444 wrote to memory of 1988	1444	DCRawwwftBuild.exe	WScript.exe
PID 1444 wrote to memory of 1988	1444	DCRawwwftBuild.exe	WScript.exe
PID 1988 wrote to memory of 2264	1988	WScript.exe	cmd.exe
PID 1988 wrote to memory of 2264	1988	WScript.exe	cmd.exe
PID 1988 wrote to memory of 2264	1988	WScript.exe	cmd.exe
PID 2264 wrote to memory of 2356	2264	cmd.exe	agentDhcp.exe
PID 2264 wrote to memory of 2356	2264	cmd.exe	agentDhcp.exe
PID 2356 wrote to memory of 3580	2356	agentDhcp.exe	agentDhcp.exe
PID 2356 wrote to memory of 3580	2356	agentDhcp.exe	agentDhcp.exe
PID 3580 wrote to memory of 4500	3580	agentDhcp.exe	cmd.exe
PID 3580 wrote to memory of 4500	3580	agentDhcp.exe	cmd.exe
PID 4500 wrote to memory of 548	4500	cmd.exe	w32tm.exe
PID 4500 wrote to memory of 548	4500	cmd.exe	w32tm.exe
PID 4500 wrote to memory of 3084	4500	cmd.exe	RuntimeBroker.exe
PID 4500 wrote to memory of 3084	4500	cmd.exe	RuntimeBroker.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\DCRawwwftBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRawwwftBuild.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgeMsPerfcrt\lHsGbUd.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\bridgeMsPerfcrt\eTvovo7nc.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2264

C:\bridgeMsPerfcrt\agentDhcp.exe
"C:\bridgeMsPerfcrt\agentDhcp.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356

C:\bridgeMsPerfcrt\agentDhcp.exe
"C:\bridgeMsPerfcrt\agentDhcp.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3580

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eyzcSfx42K.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:4500

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:548

C:\Recovery\WindowsRE\RuntimeBroker.exe
"C:\Recovery\WindowsRE\RuntimeBroker.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\bridgeMsPerfcrt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\bridgeMsPerfcrt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\bridgeMsPerfcrt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\Ease of Access Themes\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\Ease of Access Themes\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\bridgeMsPerfcrt\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\bridgeMsPerfcrt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\bridgeMsPerfcrt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Pictures\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default\Pictures\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Pictures\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\odt\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\odt\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\bridgeMsPerfcrt\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\bridgeMsPerfcrt\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\bridgeMsPerfcrt\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\bridgeMsPerfcrt\System.exe'" /f
1⤵
- Process spawned unexpected child process
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\bridgeMsPerfcrt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\bridgeMsPerfcrt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\bridgeMsPerfcrt\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\bridgeMsPerfcrt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\bridgeMsPerfcrt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\bridgeMsPerfcrt\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\bridgeMsPerfcrt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\bridgeMsPerfcrt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 8 /tr "'C:\Windows\CbsTemp\TrustedInstaller.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Windows\CbsTemp\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 13 /tr "'C:\Windows\CbsTemp\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\bridgeMsPerfcrt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\bridgeMsPerfcrt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\bridgeMsPerfcrt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Windows\Vss\Writers\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\bridgeMsPerfcrt\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\bridgeMsPerfcrt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\bridgeMsPerfcrt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\bridgeMsPerfcrt\SearchApp.exe'" /f
1⤵
- Creates scheduled task(s)
PID:3696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\bridgeMsPerfcrt\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\bridgeMsPerfcrt\SearchApp.exe'" /rl HIGHEST /f
1⤵
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\odt\Idle.exe'" /f
1⤵
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
PID:4124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\odt\Idle.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
PID:3804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\taskhostw.exe'" /f
1⤵
- Creates scheduled task(s)
PID:3476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Public\Libraries\taskhostw.exe'" /rl HIGHEST /f
1⤵
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\odt\WaaSMedicAgent.exe'" /f
1⤵
PID:3280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\odt\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\odt\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Windows\it-IT\upfc.exe'" /f
1⤵
- Creates scheduled task(s)
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\it-IT\upfc.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Windows\it-IT\upfc.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\odt\Idle.exe'" /f
1⤵
- Creates scheduled task(s)
PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Windows\Cursors\taskhostw.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\Cursors\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Windows\Cursors\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\RuntimeBroker.exe
Filesize
828KB

MD5
bfb3525f361dd6480d70a49dadfe4b87

SHA1
0c16b38c1cb4ebc776780ee8a63682404f89a736

SHA256
2c55a7859a58f35cd4c52fb1c9ad9fc93dc61c3242a5751399f6d4d911a3372c

SHA512
5200e7632112ccef4acc90b524d7c15c2d55c133dea6451eddc0eb381c18d72d6fe10ad17617eed6f2d8927d2657a7891d6ab555a96f131644af0a23fdc7e2d2

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe
Filesize
828KB

MD5
bfb3525f361dd6480d70a49dadfe4b87

SHA1
0c16b38c1cb4ebc776780ee8a63682404f89a736

SHA256
2c55a7859a58f35cd4c52fb1c9ad9fc93dc61c3242a5751399f6d4d911a3372c

SHA512
5200e7632112ccef4acc90b524d7c15c2d55c133dea6451eddc0eb381c18d72d6fe10ad17617eed6f2d8927d2657a7891d6ab555a96f131644af0a23fdc7e2d2

Download Submit
C:\Recovery\WindowsRE\ea9f0e6c9e2dcd
Filesize
575B

MD5
93ae7eadfa81d6fb5302c39f770dbcc1

SHA1
b5b6d8055b6fcc3b8c4bf3e01403b60e2e2a9274

SHA256
932b20d0b0a157fded04903d82471db9e08d6185792784fcfab050c605dfdb3e

SHA512
f7a84e6f1ffc5ded5fdc4efd27dd92756992e260c382995a5e0552cbba42a59ec81629525a2ae3c1b8d0c9576a26b7ef5cd846ddcf78adbc3eb68fcc5fc1ee2e

Download Submit
C:\Recovery\WindowsRE\taskhostw.exe
Filesize
828KB

MD5
bfb3525f361dd6480d70a49dadfe4b87

SHA1
0c16b38c1cb4ebc776780ee8a63682404f89a736

SHA256
2c55a7859a58f35cd4c52fb1c9ad9fc93dc61c3242a5751399f6d4d911a3372c

SHA512
5200e7632112ccef4acc90b524d7c15c2d55c133dea6451eddc0eb381c18d72d6fe10ad17617eed6f2d8927d2657a7891d6ab555a96f131644af0a23fdc7e2d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\agentDhcp.exe.log
Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Temp\eyzcSfx42K.bat
Filesize
204B

MD5
9e1d9798c81801305a2c4bd736087f2d

SHA1
38ee3bc25c4840e0756cae896dfc19a8f99c49ff

SHA256
647eaee0d1b7780fad46f09ef32aff6bb7cbb45b8a96e112cbf8cef1282c36c2

SHA512
a38475189d59cc264cfba87cfce32d46e12842e87ffac272ae01a5470dee94e354e05d39eeec66e34878b72307dd09782cdc555a13d9df60c6a79e7ef2dada12

Download Submit
C:\Windows\Resources\Ease of Access Themes\OfficeClickToRun.exe
Filesize
828KB

MD5
bfb3525f361dd6480d70a49dadfe4b87

SHA1
0c16b38c1cb4ebc776780ee8a63682404f89a736

SHA256
2c55a7859a58f35cd4c52fb1c9ad9fc93dc61c3242a5751399f6d4d911a3372c

SHA512
5200e7632112ccef4acc90b524d7c15c2d55c133dea6451eddc0eb381c18d72d6fe10ad17617eed6f2d8927d2657a7891d6ab555a96f131644af0a23fdc7e2d2

Download Submit
C:\bridgeMsPerfcrt\agentDhcp.exe
Filesize
828KB

MD5
bfb3525f361dd6480d70a49dadfe4b87

SHA1
0c16b38c1cb4ebc776780ee8a63682404f89a736

SHA256
2c55a7859a58f35cd4c52fb1c9ad9fc93dc61c3242a5751399f6d4d911a3372c

SHA512
5200e7632112ccef4acc90b524d7c15c2d55c133dea6451eddc0eb381c18d72d6fe10ad17617eed6f2d8927d2657a7891d6ab555a96f131644af0a23fdc7e2d2

Download Submit
C:\bridgeMsPerfcrt\agentDhcp.exe
Filesize
828KB

MD5
bfb3525f361dd6480d70a49dadfe4b87

SHA1
0c16b38c1cb4ebc776780ee8a63682404f89a736

SHA256
2c55a7859a58f35cd4c52fb1c9ad9fc93dc61c3242a5751399f6d4d911a3372c

SHA512
5200e7632112ccef4acc90b524d7c15c2d55c133dea6451eddc0eb381c18d72d6fe10ad17617eed6f2d8927d2657a7891d6ab555a96f131644af0a23fdc7e2d2

Download Submit
C:\bridgeMsPerfcrt\agentDhcp.exe
Filesize
828KB

MD5
bfb3525f361dd6480d70a49dadfe4b87

SHA1
0c16b38c1cb4ebc776780ee8a63682404f89a736

SHA256
2c55a7859a58f35cd4c52fb1c9ad9fc93dc61c3242a5751399f6d4d911a3372c

SHA512
5200e7632112ccef4acc90b524d7c15c2d55c133dea6451eddc0eb381c18d72d6fe10ad17617eed6f2d8927d2657a7891d6ab555a96f131644af0a23fdc7e2d2

Download Submit
C:\bridgeMsPerfcrt\eTvovo7nc.bat
Filesize
34B

MD5
f61f3afffe07a890977d360b99f061ca

SHA1
fbca8ef86b50065fc88e321262970b73241fa0ee

SHA256
4c90ec3fb0e42dbfb4185938ce2eae6827e1372353a074c15d07be49b0978399

SHA512
9d642fb439f9ba6d3163e708dfa2e7f5e1b03b52441abfb985c3811d5d63a5397f319ec5e764ee5ab39648ba4b82ca963b1d067a47eee9f5b421f790be1be06a

Download Submit
C:\bridgeMsPerfcrt\lHsGbUd.vbe
Filesize
201B

MD5
927e9bc687e4c3946aa0e2a9b15f78cf

SHA1
b72aff1ba6dfe509bcef4a8f6ef83ec89128ed01

SHA256
6c02a45cb224d627e67dfcb194cda3ed037a334b14c7b52c3d350c642ac79937

SHA512
2adf5d0d58719d8c653fdc35245ec4f00c93d8940a94ac34965b32cbce04fd5bd5fc21618e9cca2ba4474113166c6161408a5bc6e09b7c478c33a02f630869c7

Download Submit
memory/2356-148-0x0000000001410000-0x0000000001420000-memory.dmp

Filesize
64KB

Download
memory/2356-145-0x0000000000CA0000-0x0000000000D76000-memory.dmp

Filesize
856KB

Download
memory/3580-192-0x000000001AD50000-0x000000001AD60000-memory.dmp

Filesize
64KB

Download