Analysis
max time kernel: 147s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-07-2024 18:41
Behavioral tasks
behavioral1: sample RustUpdater.exe, resource win7-20240704-en
behavioral2: sample RustUpdater.exe, resource win10v2004-20240709-en
General
Target: RustUpdater.exe
Size: 2.3MB
MD5: 50d955b49b2a8878cdd683365c83e183
SHA1: 9ce5bc5c6d2d71eacdd88fbdd478dd241bb96244
SHA256: 528a09f9d227d34e3ca3ada3286fbf3a651fd651d1028c981f5754f3dfa15d78
SHA512: 6ddb253922211164c8a236e733fa80c596fc68e6a9b3cc79f4d0e60fc7b7c01978633dd84151ca85773a0c906d8e288a34ba5d017fef4e50b094a9d808033fb2
SSDEEP: 49152:HYcIk1q0oClfViBnxZgY4PVOZovFNf5qcusO4Dmu657stUQ+h:HY1k1boAfVizZLoRvgcgQmubkh
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
Process spawned unexpected child process (24 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes (description | pid | pid_target | process):
Every row carries the same description, "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", and the same pid_target, 4476. The spawned process is schtasks.exe in every row, with pids, in order: 3608, 4956, 5080, 776, 1196, 4188, 3984, 3760, 4052, 784, 1456, 60, 1168, 316, 1592, 1404, 2908, 2084, 3672, 1964, 4808, 4540, 4716, 2100.
Processes (resource | yara_rule):
C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe | dcrat
behavioral2/memory/4864-16-0x0000000000200000-0x000000000030A000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell (1 TTP, 11 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes (pid | process):
powershell.exe with pids, in order: 3324, 860, 1276, 332, 532, 4764, 3756, 2060, 4544, 4496, 1552.
Checks computer location settings (2 TTPs, 21 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
Every row is "Key value queried" on \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation. The querying processes, in row order: unsecapp.exe (6 rows), componentdriver.exe, unsecapp.exe (5 rows), RustUpdater.exe, WScript.exe, unsecapp.exe (7 rows).
Executes dropped EXE (19 IoCs)
Processes (pid | process):
4864 | componentdriver.exe
unsecapp.exe with pids, in order: 1096, 5472, 5736, 5976, 1520, 5252, 4812, 5812, 4876, 4660, 4616, 5212, 4932, 2580, 2524, 2784, 3692, 4344.
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 19 IoCs)
Processes (flow | ioc):
pastebin.com, seen in flows 35, 65, 85, 91, 31, 36, 79, 83, 96, 32, 63, 67, 68, 75, 77, 87, 89, 93, 94.
Drops file in System32 directory (1 IoC)
Processes (description | ioc | process):
File created | C:\Windows\SysWOW64\WinMetadata\conhost.exe | componentdriver.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes (pid | process):
1440 | RustUpdater.exe
Drops file in Program Files directory (9 IoCs)
Processes (description | ioc | process), all by componentdriver.exe:
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\fontdrvhost.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\fontdrvhost.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\5b884080fd4f94
File created | C:\Program Files (x86)\Windows NT\TableTextService\en-US\9e8d7a4ca61bd9
File created | C:\Program Files\Microsoft Office 15\ClientX64\886983d96e3d3e
File created | C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe
File created | C:\Program Files\Windows Mail\backgroundTaskHost.exe
File created | C:\Program Files\Windows Mail\eddb19405b7ce1
File created | C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe
Drops file in Windows directory (4 IoCs)
Processes (description | ioc | process), all by componentdriver.exe:
File created | C:\Windows\Speech_OneCore\spoolsv.exe
File created | C:\Windows\Speech_OneCore\f3b6ecef712a24
File created | C:\Windows\IME\IMEJP\help\dwm.exe
File created | C:\Windows\IME\IMEJP\help\6cb0b6c459d5d3
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (19 IoCs)
Processes (description | ioc | process):
Every row is "Key created" on \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings. The creating processes, in row order: unsecapp.exe (5 rows), RustUpdater.exe, unsecapp.exe (13 rows).
Scheduled Task/Job: Scheduled Task (1 TTP, 24 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid | process):
schtasks.exe with pids, in order: 3608, 776, 4188, 3984, 1592, 2908, 4956, 5080, 1456, 60, 316, 4716, 1196, 784, 1168, 1964, 3760, 4052, 1404, 2084, 3672, 4808, 4540, 2100.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid | process), 64 rows in order:
4864 componentdriver.exe (18 rows); then powershell.exe pids 1552, 532, 860, 4764, 4544, 3756, 3324, 4496, 1276, 332, 2060 (2 rows each); 1096 unsecapp.exe (4 rows); powershell.exe pids 3756, 532, 1552, 860, 332, 3324, 4544, 4496, 4764, 1276 (1 row each); 1096 unsecapp.exe; 2060 powershell.exe; 1096 unsecapp.exe (8 rows).
Suspicious use of AdjustPrivilegeToken (30 IoCs)
Processes (description | pid | process), every row "Token: SeDebugPrivilege", in order:
4864 componentdriver.exe; powershell.exe pids 1552, 532, 860, 3324, 332; 1096 unsecapp.exe; powershell.exe pids 4764, 4544, 3756, 4496, 1276, 2060; unsecapp.exe pids 5472, 5736, 5976, 1520, 5252, 4812, 5812, 4876, 4660, 4616, 5212, 4932, 2580, 2524, 2784, 3692, 4344.
Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid | process):
1440 | RustUpdater.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description | pid | process | target process), 64 rows; identical consecutive rows are collapsed with their count:
PID 1440 wrote to memory of 5000 | RustUpdater.exe -> WScript.exe (3 rows)
PID 5000 wrote to memory of 212 | WScript.exe -> cmd.exe (3 rows)
PID 212 wrote to memory of 4864 | cmd.exe -> componentdriver.exe (2 rows)
PID 4864 wrote to memory of 332 | componentdriver.exe -> powershell.exe (2 rows)
PID 4864 wrote to memory of 532 | componentdriver.exe -> powershell.exe (2 rows)
PID 4864 wrote to memory of 2060 | componentdriver.exe -> powershell.exe (2 rows)
PID 4864 wrote to memory of 4764 | componentdriver.exe -> powershell.exe (2 rows)
PID 4864 wrote to memory of 3756 | componentdriver.exe -> powershell.exe (2 rows)
PID 4864 wrote to memory of 4544 | componentdriver.exe -> powershell.exe (2 rows)
PID 4864 wrote to memory of 4496 | componentdriver.exe -> powershell.exe (2 rows)
PID 4864 wrote to memory of 3324 | componentdriver.exe -> powershell.exe (2 rows)
PID 4864 wrote to memory of 860 | componentdriver.exe -> powershell.exe (2 rows)
PID 4864 wrote to memory of 1552 | componentdriver.exe -> powershell.exe (2 rows)
PID 4864 wrote to memory of 1276 | componentdriver.exe -> powershell.exe (2 rows)
PID 4864 wrote to memory of 1096 | componentdriver.exe -> unsecapp.exe (2 rows)
PID 1096 wrote to memory of 452 | unsecapp.exe -> WScript.exe (2 rows)
PID 1096 wrote to memory of 1640 | unsecapp.exe -> WScript.exe (2 rows)
PID 452 wrote to memory of 5472 | WScript.exe -> unsecapp.exe (2 rows)
PID 5472 wrote to memory of 5580 | unsecapp.exe -> WScript.exe (2 rows)
PID 5472 wrote to memory of 5624 | unsecapp.exe -> WScript.exe (2 rows)
PID 5580 wrote to memory of 5736 | WScript.exe -> unsecapp.exe (2 rows)
PID 5736 wrote to memory of 5840 | unsecapp.exe -> WScript.exe (2 rows)
PID 5736 wrote to memory of 5888 | unsecapp.exe -> WScript.exe (2 rows)
PID 5840 wrote to memory of 5976 | WScript.exe -> unsecapp.exe (2 rows)
PID 5976 wrote to memory of 6088 | unsecapp.exe -> WScript.exe (2 rows)
PID 5976 wrote to memory of 6132 | unsecapp.exe -> WScript.exe (2 rows)
PID 6088 wrote to memory of 1520 | WScript.exe -> unsecapp.exe (2 rows)
PID 1520 wrote to memory of 2780 | unsecapp.exe -> WScript.exe (2 rows)
PID 1520 wrote to memory of 4664 | unsecapp.exe -> WScript.exe (2 rows)
PID 2780 wrote to memory of 5252 | WScript.exe -> unsecapp.exe (2 rows)
PID 5252 wrote to memory of 3808 | unsecapp.exe -> WScript.exe (2 rows)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Process tree. The number in brackets is the depth in the tree; each entry gives the image path, the command line, the signatures that matched, and the PID.)

[1] C:\Users\Admin\AppData\Local\Temp\RustUpdater.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RustUpdater.exe"
    - Checks computer location settings
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1440

[2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\agentruntimeperf\vgGiWu1V4QvpHl7.vbe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 5000

[3] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\agentruntimeperf\Dq65rEdkW9pnD0L6fJOs9W.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 212

[4] C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe
    Command line: "C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4864

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 332

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 532

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2060

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4764

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3756

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4544

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4496

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3324

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 860

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1552

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1276

[5] C:\Recovery\WindowsRE\unsecapp.exe
    Command line: "C:\Recovery\WindowsRE\unsecapp.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1096

[6] C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38ac3c2a-f314-4710-b981-84eb51ef3a3e.vbs"
    - Suspicious use of WriteProcessMemory
    PID: 452

[7] C:\Recovery\WindowsRE\unsecapp.exe
    Command line: C:\Recovery\WindowsRE\unsecapp.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 5472

[8] C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\095f2e49-acdd-4e6c-a1e6-037f20500a3c.vbs"
    - Suspicious use of WriteProcessMemory
    PID: 5580

[9] C:\Recovery\WindowsRE\unsecapp.exe
    Command line: C:\Recovery\WindowsRE\unsecapp.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 5736

[10] C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c51665ca-a737-431b-8bb0-00ad60c59b0e.vbs"
    - Suspicious use of WriteProcessMemory
    PID: 5840

[11] C:\Recovery\WindowsRE\unsecapp.exe
    Command line: C:\Recovery\WindowsRE\unsecapp.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 5976

[12] C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aee2bb53-6c3c-4b42-a51d-fdb66ddca660.vbs"
    - Suspicious use of WriteProcessMemory
    PID: 6088

[13] C:\Recovery\WindowsRE\unsecapp.exe
    Command line: C:\Recovery\WindowsRE\unsecapp.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1520

[14] C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e15135f3-62af-4f55-bd90-6295a6463c8a.vbs"
    - Suspicious use of WriteProcessMemory
    PID: 2780

[15] C:\Recovery\WindowsRE\unsecapp.exe
    Command line: C:\Recovery\WindowsRE\unsecapp.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 5252

[16] C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4ec5dab-ec83-46d2-aeae-3a11613e2bd5.vbs"
    PID: 3808

[17] C:\Recovery\WindowsRE\unsecapp.exe
    Command line: C:\Recovery\WindowsRE\unsecapp.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID: 4812

[18] C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d4b2bb3-c7b8-4232-aa3d-95bfbb08a5dd.vbs"
    PID: 5488

[19] C:\Recovery\WindowsRE\unsecapp.exe
    Command line: C:\Recovery\WindowsRE\unsecapp.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID: 5812

[20] C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\735ac258-4e1e-4761-960d-8aa02da7749c.vbs"
    PID: 5844

[21] C:\Recovery\WindowsRE\unsecapp.exe
    Command line: C:\Recovery\WindowsRE\unsecapp.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID: 4876

[22] C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2993e3de-13cf-4cc2-b4ff-325f79dfdfb6.vbs"
    PID: 5176

[23] C:\Recovery\WindowsRE\unsecapp.exe
    Command line: C:\Recovery\WindowsRE\unsecapp.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID: 4660

[24] C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69169b55-ffe5-4530-b6b7-1a8f5fc66b95.vbs"
    PID: 2040

[25] C:\Recovery\WindowsRE\unsecapp.exe
    Command line: C:\Recovery\WindowsRE\unsecapp.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID: 4616

[26] C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2fa507fb-edac-4700-ae77-d63630b9d52d.vbs"
    PID: 3616

[27] C:\Recovery\WindowsRE\unsecapp.exe
    Command line: C:\Recovery\WindowsRE\unsecapp.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID: 5212

[28] C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e380bc9b-7ed2-4625-897c-f10fb67e9a5f.vbs"
    PID: 3556

[29] C:\Recovery\WindowsRE\unsecapp.exe
    Command line: C:\Recovery\WindowsRE\unsecapp.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID: 4932

[30] C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a134271c-494a-423e-a638-7a169c72276c.vbs"
    PID: 2284

[31] C:\Recovery\WindowsRE\unsecapp.exe
    Command line: C:\Recovery\WindowsRE\unsecapp.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID: 2580

[32] C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa290b18-e870-4f24-893e-bc4fb911ec15.vbs"
    PID: 5172

[33] C:\Recovery\WindowsRE\unsecapp.exe
    Command line: C:\Recovery\WindowsRE\unsecapp.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID: 2524

[34] C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1b8f8b8-d3d2-4e55-b6e4-7463419bcff4.vbs"
    PID: 5932

[35] C:\Recovery\WindowsRE\unsecapp.exe
    Command line: C:\Recovery\WindowsRE\unsecapp.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID: 2784

[36] C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c7538d8-c5f8-4162-bf9c-9edcfb6eb481.vbs"
    PID: 4916

[37] C:\Recovery\WindowsRE\unsecapp.exe
    Command line: C:\Recovery\WindowsRE\unsecapp.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID: 3692

[38] C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d968f471-df42-461e-b513-6f4d0874105a.vbs"
    PID: 4992

[39] C:\Recovery\WindowsRE\unsecapp.exe
    Command line: C:\Recovery\WindowsRE\unsecapp.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID: 4344

[40] C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c47d7458-7ebc-430a-9291-2f2600279c9a.vbs"
    PID: 5896

[40] C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e9fca2f-7506-4ae2-a6df-a358d04a2e5c.vbs"
    PID: 6064

[38] C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23ee183b-e8bc-41da-97b1-766fb1548059.vbs"
    PID: 2344

[36] C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4362d34-fe4d-4dbd-bb8a-a5dd5028c1d7.vbs"
    PID: 2432

[34] C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33cb9dca-e6f8-4dd2-b52e-faf17f83eb5f.vbs"
    PID: 2776

[32] C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e76b26f9-4f73-4645-961c-3de628f04ea6.vbs"
    PID: 5640
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71f0b916-1b5b-4159-83ea-931b3ab474e8.vbs"30⤵PID:2780
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9e0d53f-0381-4eb1-8700-c88d575b2694.vbs"28⤵PID:3888
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9177ea3-c921-4ce0-9f03-42e7d72090e7.vbs"26⤵PID:880
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c59f4ef6-86a8-4635-95dd-3d9eb961dba3.vbs"24⤵PID:2004
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75840b2e-fb4f-468d-9f24-7a6d3e962575.vbs"22⤵PID:984
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bedcbfef-4e6e-458a-ae20-c057aea91f55.vbs"20⤵PID:6056
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c342f0b-4bdb-43f0-b42c-6418a9a707d9.vbs"18⤵PID:5500
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\572c531d-652d-4378-9024-324d5a593f46.vbs"16⤵PID:3856
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08d34ecb-8fa2-4ceb-9fb6-e5d2818d1ea0.vbs"14⤵PID:4664
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2ba544b-bad9-4b2c-82e7-027e40456557.vbs"12⤵PID:6132
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9813e787-cd73-4ae0-bff2-f1509b4ddbe1.vbs"10⤵PID:5888
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f0602db-7c4e-47a9-a397-ce1c266e82fc.vbs"8⤵PID:5624
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cdb94648-9fcc-4c16-99c9-d5bdc26a4a9d.vbs"6⤵PID:1640
-
-
-
-
-
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3608
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5080
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\My Documents\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\My Documents\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4188
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\Speech_OneCore\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3984
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3760
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\Speech_OneCore\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4052
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:60
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\IME\IMEJP\help\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\IME\IMEJP\help\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\IME\IMEJP\help\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3672
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4540
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2KB
MD5
d85ba6ff808d9e5444a4b369f5bc2730
SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
1KB
MD5
baf55b95da4a601229647f25dad12878
SHA1
abc16954ebfd213733c4493fc1910164d825cac8
SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
944B
MD5
62623d22bd9e037191765d5083ce16a3
SHA1
4a07da6872672f715a4780513d95ed8ddeefd259
SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992
-
Filesize
944B
MD5
cadef9abd087803c630df65264a6c81c
SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD5
2e907f77659a6601fcc408274894da2e
SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
Filesize
944B
MD5
bd5940f08d0be56e65e5f2aaf47c538e
SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize
710B
MD5
83c22793523cc20820e3ecee47204469
SHA1
e399ae3808bf007fce43b82927bc7c557e9e0fe8
SHA256
4aacfc26e5eb3f9349757663f47e5fe6c3a35b914aa5c7dd4398e6bc23bd9277
SHA512
04571619b1ef27e721586b9145ecee16a8045499325c0cc63418b468f123e3b5bdfd78c008c23edb5f8a8ff82acccf49b87e33ca9cdb5d3db86fa32d8da91e0d
-
Filesize
710B
MD5
48d62bb13887542d56318d4dfd4ae2d4
SHA1
dbe495177097e826729f2f7c81b53d7c55be7638
SHA256
d52eb67b44662df3bbca3f6ea0c44ab5fc0ff15c82697bec448f21cc42e68779
SHA512
8b50655c21c9a7406a4ff16c4ae0be7d461c5fff12e3c60572a50b493fadf79dca3a581270079a437c157118ef97c6971d49c2f49afaa58c5c1269646f8564ff
-
Filesize
710B
MD5
5a6f446f6dfebf53ce2b8fc5a39bd668
SHA1
bda1251f7e1f633f924982e87adb41610b6f07f0
SHA256
878d9a03bf0787c6d730d2779f020df16f5ad74c8088febc87720a23edb551dd
SHA512
792b8c4eb1482efe5023691bee17accb260c59b506f9949fcb784388ab58b526c8ea28dd43cb46392f87589d8b159c1bcfadb83800d965a7e6d61f706bd1590d
-
Filesize
710B
MD5
ad1939b98c7c21dfb30ea4b4ba1b4d3b
SHA1
11cbfd5c905d3134e067237d3ad701de37ec6703
SHA256
191466c7d19a4309577189d384ff49611dce3612de29476d7ce5e8f214d8aaf7
SHA512
392ff69faf99a46ea413700fec0f48fee86eaad1a2d857aaa392726dda97a8f417abf39cd07386623e97307f096792e563760c450057e10b6522f8b1f21965b4
-
Filesize
710B
MD5
a58b8ebed29806b58df522f3e6618bf2
SHA1
a8af9feb50928bc23f7488a2e92d6004b4430622
SHA256
36c99e3cba11f999431cf507d88560336fc2463d65db0a954dfdc6fadcb881b2
SHA512
4effc3d5906dab8269553dc3dca2df9a887c9108d8503fc17c565b0740a72f23eb2b1dcaa09cb705627952efb483076775e1fcbb5427d9e1116d19db808c8576
-
Filesize
710B
MD5
bd48459dfedef74068de18da8497a6db
SHA1
f3b2d5b34d263097a8ed9c88ebad3156e606ba28
SHA256
325da944e8c9293d887931aaa4e07666c9160a628eafee9bde0ba22eabf2151c
SHA512
852c57c06afea810ae67c43c4e07df9c4b54b7c9d38c7bc0316e33d84eb81352a81f4207ae0c309b2ed97424d634f0af1683dda966bcc71a71baad90af673b89
-
Filesize
710B
MD5
45adb68c5dffa8cabf470da62f5d1b3b
SHA1
9c8a85db712c206c8feed2a39c7cd273aa124928
SHA256
d95bfc615d3a4b583f380988af80e9c911084de8aca13190c713e3411151093e
SHA512
195bd67da80143b667f75407b9da2ec780ad4dfc03345ddaaee28d0e9c43ec2cec2f09f8796974c747589fd10d18745c0f5abf9e895113d8bddc233b8cbc4cd2
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
710B
MD5
82d34c7e3919f3b47f326838aff1b696
SHA1
147f33539ec68166a28672cbd97d6ba768a385c6
SHA256
b73d0b291698b83e689e5f074ea0edc6998f71db44c35ade9439ac1f941e4c30
SHA512
36222f28d37e7f758fea15895b51cc1c95715a30967397fc2ca983f6dae4739f239697f785bf6f4cbd34acd0d8c7cc2daf0ac78a5d949c4c20a1bf650c1699b5
-
Filesize
710B
MD5
addad0c7ad925179c2eacffbe6cdb1d9
SHA1
928e4fc41804822f85951702a45c158083b2089b
SHA256
ceddb55954d7c8e3641c0873c6e236fe5997f768291630241cb12219fff5702d
SHA512
f41a268400fab0f86c9d330a2fd502feefb6cc1a5554cdf8fd1557b18ea9b95c8e5ca6453a8fd1510ab9d903680ee27099b876df01b11fd913075b9bab68ff19
-
Filesize
486B
MD5
26394524fd10807c1b8dd1f388eee584
SHA1
c89aa8511a574b57ffac5a219feabb95067a84f9
SHA256
f7d1355df334043d7def2ba55f04e20dffb6a3e00d7e7e024b7538be75126cec
SHA512
5ffd74e238cc4e382dc749ef12547f38b37780d8869a9028a99a3ce49931493331793a037ff50f5a7bb50cbe0f46870b3ad7fd0c1d79d26f7a192a1d589b2343
-
Filesize
710B
MD5
da1b384f56113a1c976aac4474d02416
SHA1
6bf3b74d370b6079e272aea079449c0f067594b8
SHA256
3545617a63ea7102015ce76f1101ad69c93624c4b6501847dbd9a0b7436a5296
SHA512
4580b4dddef4c60a216144fad3ae7abe594d352e02c74f7f1f2c4f0e98150d0f287c58202547bce62a836c25efe0a7279b64a309eee3aaa65571dc5313a2b40e
-
Filesize
710B
MD5
62af778666934a3bcee6bfd82d8801db
SHA1
7b188db1ad5b37282f8cc364ffadb22f92f584ed
SHA256
14c80fa92ee22d36f36b56684482e4714b958e7e8b246c036feb65e6360c8fc0
SHA512
98ff9b225c028b8aa098feae2dc913d7b15199e92f7663328a3aeb6a87bf5513c386f6f1d2f422a92eae1e62e08a628266b5d4237b0aab4b50878bf9c5801198
-
Filesize
710B
MD5
a82185a84cc513be5ff35a0afec2206f
SHA1
7c802111c04453add33d2a4bec468536b9b469b5
SHA256
5df7db4eacd5270bbb7a89cccf3218bc2a179ea27952886e73fb66f912afe60e
SHA512
337a95fb67ac750ed057fe624a0c7d60bc345625e477fee64f37142b7ab0bc71c350c8cebfc333b16eeace7019dc5d8d9506f730cf28de74d19484beb5a9dae6
-
Filesize
48B
MD5
8f2fe00117d8cf1e8f32eb7bf7c5ab82
SHA1
952f7ed0a7bcc5ccc8a3dda8d32d12d3777f6be9
SHA256
02e8d359193b0ae24c55786b196b81fa9ca8851c0b36944547ab1c766ecf53ba
SHA512
6fd6a26b107c1542e84649a016ad6e523ed43f9b63b33b6efe96e89a73c0fdadcba4aa9786a399e8df4d2e7d8af79dbabfd4534648e76aae948b082e97a1e077
-
Filesize
1.0MB
MD5
50c3534dacb3359079f8fca6b702e98e
SHA1
85cd176c6f7c97017547aaf9b1133ca3d1fb1885
SHA256
867cfd96b563631e0e2a1d89d784b47bf723194595b6dd301225fe608f6186de
SHA512
a3cb0ff747332f0d91a2126f63cf12ea44e00de2221ec83fcbec86dfff90384c62299a77e97916572ad723132123168505e005884c6c8329713eb3db9cbf2750
-
Filesize
222B
MD5
4dad95df8fa0e085b45537e5be8778f6
SHA1
044c0c326db9f180d8c79f7fd7719fac3abc69d3
SHA256
b4c3908e82e611ee34d5b27906b7ea428f31cf3c6e37d19e49032ac5af938f0b
SHA512
4a089ec1b661a1b996781fcd813971b9ba43a4a0c4ba356dc0d78072bb03e62ceb8bda1f21f579c1a82662eeece15f2515a73b11863eeed5c11b5176e920d376