dcrat | e3b4620b85709a793de2b777da764d094f9a6dc19ead0a7fcad953c1fb3e8550

Analysis

max time kernel
96s
max time network
116s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
29/10/2024, 16:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

XBinderOutput(1).exe
Size

607KB
MD5

19d31479381cfda2c9878b427f51a0c2
SHA1

5b8774c60b71dd32e7325d0fbceb3434975ca7cc
SHA256

e3b4620b85709a793de2b777da764d094f9a6dc19ead0a7fcad953c1fb3e8550
SHA512

14ce10c974af40f5ab3e93f3bb3ff5ada22a8c2245bf45f40be0a59a75bcd9bfb2bf2288416744a2cebb93b3eb487ba070670d553ea87ca8c0e566c727bf28a2
SSDEEP

12288:DikJ/Wmo/J594F3o472LiJgSifSdq/UByol53uFb/V4YUWpcZm83:TJ/+z4F3osuiKoqsyol54bWYUK

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	dllhost.exe

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	240	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3552	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3728	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3320	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	440	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	4008	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	4008	schtasks.exe	86

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral3/files/0x0029000000045041-6.dat	dcrat
behavioral3/files/0x002800000004504b-29.dat	dcrat
behavioral3/memory/4100-31-0x00000000006B0000-0x0000000000786000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	XBinderOutput(1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	kendalcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	reviewDll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	reviewDll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	dllhost.exe

Executes dropped EXE 4 IoCs

pid	Process
4716	kendalcp.exe
4100	reviewDll.exe
3744	reviewDll.exe
2940	dllhost.exe

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\121e5b5079f7c0	reviewDll.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\886983d96e3d3e	reviewDll.exe
File created	C:\Program Files (x86)\Common Files\Services\SppExtComObj.exe	reviewDll.exe
File created	C:\Program Files\MSBuild\Microsoft\dllhost.exe	reviewDll.exe
File created	C:\Program Files\MSBuild\Microsoft\5940a34987c991	reviewDll.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\SearchApp.exe	reviewDll.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\38384e6a620884	reviewDll.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Schema\29c1c3cc0f7685	reviewDll.exe
File created	C:\Program Files\dotnet\swidtag\RuntimeBroker.exe	reviewDll.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\sysmon.exe	reviewDll.exe
File created	C:\Program Files\VideoLAN\csrss.exe	reviewDll.exe
File created	C:\Program Files\WindowsApps\MovedPackages\explorer.exe	reviewDll.exe
File created	C:\Program Files\dotnet\swidtag\9e8d7a4ca61bd9	reviewDll.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\csrss.exe	reviewDll.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\winlogon.exe	reviewDll.exe
File created	C:\Program Files (x86)\Common Files\Services\e1ef82546f0b02	reviewDll.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Schema\unsecapp.exe	reviewDll.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\cc11b995f2a76d	reviewDll.exe
File created	C:\Program Files\VideoLAN\886983d96e3d3e	reviewDll.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Sun\Java\886983d96e3d3e	reviewDll.exe
File created	C:\Windows\Web\sysmon.exe	reviewDll.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\3256e997418c6c8793821826317b9b9c\RuntimeBroker.exe	reviewDll.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\3256e997418c6c8793821826317b9b9c\9e8d7a4ca61bd9	reviewDll.exe
File created	C:\Windows\InputMethod\7a0fd90576e088	reviewDll.exe
File created	C:\Windows\LiveKernelReports\WmiPrvSE.exe	reviewDll.exe
File created	C:\Windows\LiveKernelReports\24dbde2999530e	reviewDll.exe
File created	C:\Windows\Web\121e5b5079f7c0	reviewDll.exe
File created	C:\Windows\Sun\Java\csrss.exe	reviewDll.exe
File created	C:\Windows\InputMethod\explorer.exe	reviewDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kendalcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings	kendalcp.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings	reviewDll.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
544	schtasks.exe
2360	schtasks.exe
1540	schtasks.exe
1068	schtasks.exe
3960	schtasks.exe
1048	schtasks.exe
240	schtasks.exe
3464	schtasks.exe
988	schtasks.exe
1920	schtasks.exe
1416	schtasks.exe
644	schtasks.exe
440	schtasks.exe
3888	schtasks.exe
2832	schtasks.exe
1224	schtasks.exe
4940	schtasks.exe
2160	schtasks.exe
2524	schtasks.exe
1220	schtasks.exe
1204	schtasks.exe
1384	schtasks.exe
2236	schtasks.exe
2940	schtasks.exe
4896	schtasks.exe
4564	schtasks.exe
2400	schtasks.exe
1580	schtasks.exe
4644	schtasks.exe
884	schtasks.exe
1516	schtasks.exe
3552	schtasks.exe
2736	schtasks.exe
2612	schtasks.exe
4948	schtasks.exe
4668	schtasks.exe
5016	schtasks.exe
880	schtasks.exe
3728	schtasks.exe
2304	schtasks.exe
1472	schtasks.exe
4012	schtasks.exe
4828	schtasks.exe
4952	schtasks.exe
3116	schtasks.exe
1960	schtasks.exe
3548	schtasks.exe
392	schtasks.exe
4760	schtasks.exe
224	schtasks.exe
1992	schtasks.exe
3320	schtasks.exe
1764	schtasks.exe
456	schtasks.exe
2124	schtasks.exe
3372	schtasks.exe
236	schtasks.exe
1644	schtasks.exe
2828	schtasks.exe
3128	schtasks.exe
4448	schtasks.exe
1732	schtasks.exe
5032	schtasks.exe
784	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
4100	reviewDll.exe
4100	reviewDll.exe
4100	reviewDll.exe
4100	reviewDll.exe
4100	reviewDll.exe
4100	reviewDll.exe
4100	reviewDll.exe
4100	reviewDll.exe
4100	reviewDll.exe
4100	reviewDll.exe
4100	reviewDll.exe
4100	reviewDll.exe
4100	reviewDll.exe
3744	reviewDll.exe
3744	reviewDll.exe
3744	reviewDll.exe
3744	reviewDll.exe
3744	reviewDll.exe
3744	reviewDll.exe
3744	reviewDll.exe
3744	reviewDll.exe
3744	reviewDll.exe
2940	dllhost.exe
2940	dllhost.exe
2940	dllhost.exe
2940	dllhost.exe
2940	dllhost.exe
2940	dllhost.exe
2940	dllhost.exe
2940	dllhost.exe
2940	dllhost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4100	reviewDll.exe
Token: SeDebugPrivilege	3744	reviewDll.exe
Token: SeDebugPrivilege	2940	dllhost.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 4716	392	XBinderOutput(1).exe	81
PID 392 wrote to memory of 4716	392	XBinderOutput(1).exe	81
PID 392 wrote to memory of 4716	392	XBinderOutput(1).exe	81
PID 4716 wrote to memory of 1304	4716	kendalcp.exe	82
PID 4716 wrote to memory of 1304	4716	kendalcp.exe	82
PID 4716 wrote to memory of 1304	4716	kendalcp.exe	82
PID 1304 wrote to memory of 3588	1304	WScript.exe	83
PID 1304 wrote to memory of 3588	1304	WScript.exe	83
PID 1304 wrote to memory of 3588	1304	WScript.exe	83
PID 3588 wrote to memory of 4100	3588	cmd.exe	85
PID 3588 wrote to memory of 4100	3588	cmd.exe	85
PID 4100 wrote to memory of 3744	4100	reviewDll.exe	126
PID 4100 wrote to memory of 3744	4100	reviewDll.exe	126
PID 3744 wrote to memory of 1944	3744	reviewDll.exe	175
PID 3744 wrote to memory of 1944	3744	reviewDll.exe	175
PID 1944 wrote to memory of 2320	1944	cmd.exe	177
PID 1944 wrote to memory of 2320	1944	cmd.exe	177
PID 1944 wrote to memory of 2940	1944	cmd.exe	178
PID 1944 wrote to memory of 2940	1944	cmd.exe	178
PID 2940 wrote to memory of 3408	2940	dllhost.exe	216
PID 2940 wrote to memory of 3408	2940	dllhost.exe	216
PID 3408 wrote to memory of 4560	3408	cmd.exe	218
PID 3408 wrote to memory of 4560	3408	cmd.exe	218

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XBinderOutput(1).exe
"C:\Users\Admin\AppData\Local\Temp\XBinderOutput(1).exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:392
- C:\Users\Admin\AppData\Local\Temp\kendalcp.exe
  "C:\Users\Admin\AppData\Local\Temp\kendalcp.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\blocksavesperfMonitorDll\R7uOS4kiQeNNM8oo5bGADNHtfWe.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1304
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\blocksavesperfMonitorDll\SAymW4LctOmWulF1E6221.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3588
    - - C:\blocksavesperfMonitorDll\reviewDll.exe
        
        "C:\blocksavesperfMonitorDll\reviewDll.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4100
      - C:\blocksavesperfMonitorDll\reviewDll.exe
        
        "C:\blocksavesperfMonitorDll\reviewDll.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oaXsBrErV1.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2320
        
        C:\blocksavesperfMonitorDll\dllhost.exe
        
        "C:\blocksavesperfMonitorDll\dllhost.exe"
        8⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uZApDsIgYI.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\dotnet\swidtag\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\swidtag\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\blocksavesperfMonitorDll\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\blocksavesperfMonitorDll\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\blocksavesperfMonitorDll\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\Web\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\3D Objects\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\3D Objects\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\3256e997418c6c8793821826317b9b9c\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\3256e997418c6c8793821826317b9b9c\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\3256e997418c6c8793821826317b9b9c\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Libraries\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Public\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Sun\Java\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Sun\Java\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Sun\Java\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\InputMethod\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\InputMethod\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\InputMethod\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\blocksavesperfMonitorDll\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\blocksavesperfMonitorDll\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\blocksavesperfMonitorDll\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\blocksavesperfMonitorDll\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\blocksavesperfMonitorDll\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\blocksavesperfMonitorDll\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Public\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Public\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\SearchApp.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\SearchApp.exe'" /rl HIGHEST /f
1⤵
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\SearchApp.exe'" /rl HIGHEST /f
1⤵
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\fontdrvhost.exe'" /f
1⤵
PID:3700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
PID:4180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Services\SppExtComObj.exe'" /f
1⤵
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
PID:4260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Services\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\LiveKernelReports\WmiPrvSE.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\LiveKernelReports\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "reviewDll" /f
1⤵
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "reviewDllr" /f
1⤵
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dllhost" /f
1⤵
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dllhostd" /f
1⤵
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "SearchApp" /f
1⤵
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "SearchAppS" /f
1⤵
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "System" /f
1⤵
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "SystemS" /f
1⤵
PID:3824

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dllhost" /f
1⤵
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dllhostd" /f
1⤵
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "csrss" /f
1⤵
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "csrssc" /f
1⤵
PID:3808

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "winlogon" /f
1⤵
PID:4044

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "winlogonw" /f
1⤵
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "csrss" /f
1⤵
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "csrssc" /f
1⤵
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "fontdrvhost" /f
1⤵
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "fontdrvhostf" /f
1⤵
PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "wininit" /f
1⤵
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "wininitw" /f
1⤵
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "SearchApp" /f
1⤵
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "SearchAppS" /f
1⤵
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "fontdrvhost" /f
1⤵
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "fontdrvhostf" /f
1⤵
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "Idle" /f
1⤵
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "IdleI" /f
1⤵
PID:3960

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "sihost" /f
1⤵
PID:3320

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "sihosts" /f
1⤵
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "fontdrvhost" /f
1⤵
PID:4156

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "fontdrvhostf" /f
1⤵
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "SppExtComObj" /f
1⤵
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "SppExtComObjS" /f
1⤵
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "WmiPrvSE" /f
1⤵
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "WmiPrvSEW" /f
1⤵
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dllhost" /f
1⤵
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dllhostd" /f
1⤵
PID:4060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Services\e1ef82546f0b02

Filesize
163B

MD5
ef930d1581e345a43135cea91c4b4d85

SHA1
d8ec87bbcfd21ea5e706a8680e1443ce5119b8db

SHA256
d651f26002f915dfc04bb2000c6733dfc4a8350f14e338d2ccdcfca955aa1f9d

SHA512
320a1dbd282be84ba0588f7735ecc6527dee301fd90de821f9151190d5a63d8829621742b7ad746774afc3ca6cef9a1747bcb3964c68b8859114a43d78cc8092

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\886983d96e3d3e

Filesize
620B

MD5
7cb385933e19b0a26962350bfdac20ae

SHA1
29228f0540613010a61bc467ecf476069f208f55

SHA256
23b4b0a4cae6e6a021870596486876dd49ae7ca992a64d7660604b5b757b5ab6

SHA512
850497de211dbcd0e51201233504cd46d4e796027085389f601ed686cc430296a8abf6b9eabc5b9a2d2de37729fe923ecf67e3dda2cffd0826ae093b39988161

Download Submit
C:\Program Files (x86)\Windows NT\Accessories\en-US\cc11b995f2a76d

Filesize
338B

MD5
25d29c46328c5f9d0881fd52fe369bf2

SHA1
865754a40191831651a824b7104d08e583b8f93c

SHA256
bae61b485d9c3d37a31f785401b6160ce77fa2baca20c84ab0eb453e7aec00b5

SHA512
78d37c90d6462eaf9bacd10b8933f0feddf7abf760d6f321ac74529a0a51b799561e42a7fc03ae19dceb31f94a14f331eaa3bfe7f833d17b9281ca69f394d6e1

Download Submit
C:\Program Files\MSBuild\Microsoft\5940a34987c991

Filesize
792B

MD5
85c74026020413c685e054e3f2bbec3c

SHA1
def187e2a80df146bf980e46613dec3d5ea0e46e

SHA256
43d231d51ac7e8fd2e9449791f34a1d30521aa1c6b2dab03b7073ef195df0e6e

SHA512
976caf2f73f4abcf39a069ab442834a31b65114e86e2ed4ff99306e97b9b16b390347901aa2356364d51db669e4f3b9ecc625d546d73018428c724116c8d99f9

Download Submit
C:\Program Files\VideoLAN\886983d96e3d3e

Filesize
582B

MD5
1d3d86e96a137a3b06c0367ae9538bd1

SHA1
c821d4f720005c205d9d7157df00b341fe0fe8f5

SHA256
7fc5fbb3c0889334be1ef4de78b0cdd7a59ee0c8f486284870cd1bd8bc507cab

SHA512
835acec40cc7ff016e57cf1ec0a674d37a3f2c73cd19496b57e6c888b039241d7443975fa0f2dcabad49ad9563340c955ea70b79e3eb830633fe28fa63ca7a39

Download Submit
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\38384e6a620884

Filesize
15B

MD5
c9025ee3b840b45969f68af48719a22d

SHA1
14fb2976f9f94b037e09cb4990764fbe8afd5668

SHA256
b1baccba38992918e3526a2cc63881523e376b70803bf3d25fcf07e963625429

SHA512
4f1c9872d5bb9d74d38a0cc708291796d987e66ed729eedfb12939d1289d2efe59e653f592d8018572fabb009d9d8ea2b094662a2bff2437514d0f69ed13d843

Download Submit
C:\Recovery\WindowsRE\27d1bcfc3c54e0

Filesize
816B

MD5
de6f2ddfba81fb9b30646aea1a944130

SHA1
45f68cb1dfd44a5c877ea63cb251482703084cbd

SHA256
ff8c4059861ade6e4a678a19ea0dd52f94dc54583af43e67309cca5f00f4fe1f

SHA512
5c2c61612cb35c851e292d8f381ec17ec6df772eaa19f73c8453a43174f44e16539b86462443b0bcfd60b955f5854a1582821630ab40c0cea22a560838c94b80

Download Submit
C:\Recovery\WindowsRE\56085415360792

Filesize
938B

MD5
29a3e5b2e51e50d1bdcd17041b75594c

SHA1
6223f95c85e51031db696bb438511cae44129729

SHA256
a791a89e030c2f7bab6b2202b13daf4735e05da5cb76be986846fa38edfe9bb5

SHA512
9a205659e350a8c6418645f7db1047b791a271e5274f4aff9f74d305d592dbd926227957243aa42c6bf6f65d8633fd645ae922fdcb76ce52f1263e9f428b1670

Download Submit
C:\Recovery\WindowsRE\66fc9ff0ee96c2

Filesize
858B

MD5
5f862eb4a8f4ba116bec4777410f0078

SHA1
fba56b95435db40a51c77bea71820aae829cd4ff

SHA256
9d50a661012e877ad6a71917f931340bb288a52c75fea9b558c117c0385825b1

SHA512
9e13a8ccff7107e1adee6647f0441a5c3d243161f6c269cd843c48ae581024668c1d63005d3b12ba9106f9e0a557103f2a8e57dca8f597a90fe5e557d5639371

Download Submit
C:\Recovery\WindowsRE\6ccacd8608530f

Filesize
501B

MD5
e46448787fd100813d6dfe385cc57cd6

SHA1
71c7d0d8454190bbcf11fd6abe0b657c932ea98f

SHA256
c4afd6ae55989dcfd7aced41c0591ac04f4275218f13ef29777a899b463b4780

SHA512
0214a31a0f6ec5676ca0b8a255e4df0b88a4ec6866dc23286a61aa2a9eb40c0042a2c4ab14554cb36dce6c6a5bf797232ea4c0d0e5b2ea747a92586da3da8e69

Download Submit
C:\Users\Admin\5b884080fd4f94

Filesize
405B

MD5
c6ddbdbe4937d05e2f86dde9ab201ee5

SHA1
33f25f0fd1798569b0d164a660eb1d2f427e6495

SHA256
e66c80f95b0c1d6ed097b5e528bedb9e10daaa30aa82d18ac98c97a596c3fb6a

SHA512
a82ad1ab9ced475adc847a2124f7ee9d793e0fb8dc5e41a73f3ac635cb47d7c25de40b80454d8b7b3a8b9deb261d67d5967b6ae66010e90a1c9ead968d876fb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\reviewDll.exe.log

Filesize
1KB

MD5
fcbbff8eeb93ad014bf73143a67cbdce

SHA1
79cd0f544ba90184d14911c68dc2314f2225a020

SHA256
4f3945ae2db9e60f191a1dc16b1e156710f81037869b5515e0c8ed0b31070d01

SHA512
f5c8342c814d31d561642a0218011b86adcac40a068acdfe1870fd26c0b63927a4bcb53fedacb1bfd8f3ae6fde75ddd66ff5ed49dced4a39bfce575f51603ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kendalcp.exe

Filesize
1.1MB

MD5
0d015cc111d53a019e680b0bed11fcad

SHA1
3b3fb6eeba0c2ba286a4db5e850697399ccb5e36

SHA256
2b7365d9634016b0483009225b959692c290a6b17fad133e42434dc89fdf4150

SHA512
c3a7ea551d0151033dde83a3dda1042e8fe26702c84da2b630ecffb739aecb654730bb5f7ec8914189f72ca7d0ecf1352f0ca7effa938bc1d6f0ae56c3358eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\oaXsBrErV1.bat

Filesize
204B

MD5
596153bbcf51581da3250a53ceb665cc

SHA1
2599de3a6c1649bab348607cd6dad77e2bdd85ff

SHA256
a38174135327b106ee9e7e55e9412ea8a5c0b9401b3aecdd946b755af951c1e6

SHA512
77b027063a06004e82bbeff9e48b36e2d690838451a357042ace2b1b64e75b0f2bcdb8afedbc87254832fd23aa3c9af1449aa273e895cb43001c58c2d5a4bcd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\uZApDsIgYI.bat

Filesize
267B

MD5
cfdb4cfdd8ca5071bf0cbe0af126b56e

SHA1
07af694169e83b25d46964ab595231d6b154b1a7

SHA256
c91e02acf470edbaa7c2dbf86495e70a118fbc0845e7c0689de3a1f21b540046

SHA512
c0b56386cf8a50f9d24f34a9228c027c4e2b82a603c96bed90649c1c9f974c30f8aa0659152708f2539fa61543631dc1aeb74a5c2bfb4bb1b10cd802c7c24409

Download Submit
C:\Users\Default User\5b884080fd4f94

Filesize
572B

MD5
1fcfea4432e444b043ac72d248a73527

SHA1
3b61801dd5caa3d958b5da1c8af48bfe96bd514a

SHA256
bbebc3ded24415078db4907b4166135831469f7ad82a8059cd4e2ba786687f59

SHA512
5c99aff1b5c7c083439f97420a5fdc2606441338aed4c0fc78428532262cdc12bc4000cf03f8e157519fdc5faa61aeb532d4bc9519fd07ece7a775cb5d1fc382

Download Submit
C:\Users\Public\5b884080fd4f94

Filesize
837B

MD5
0935f17e44bafaea2b843c86e6cf31b9

SHA1
6ed18d2788793147c1b78aa9323d1360b66c61d8

SHA256
4c2918b56aa4cc4e4791202fb665ad963fd9b2b9da6392cf1ecfa2e07b0ea689

SHA512
c20f5b2f241189967f3fca090be911d927278dcf428f0f481745ad4a089398c65aabcc4fc446c70427fec691054e621259daf8a3bb4311f699250ae183970ff9

Download Submit
C:\Windows\LiveKernelReports\24dbde2999530e

Filesize
749B

MD5
fe5ebf2e4fa794b6aac0f339d0e122d8

SHA1
557acfc5db7754a5aeee42ce4cc8573be431dff6

SHA256
fc1176bafd631864c02932aa1a002ff07cf506ef2b86281179fb5e4baf22a6a7

SHA512
32fea8c8f5726abab9b4274052daab75b943a9076b508af97074ba51fd472f1410de4212518e79e608830f13f182f5284510d161a7c1734c4c77de68783d7aac

Download Submit
C:\blocksavesperfMonitorDll\38384e6a620884

Filesize
732B

MD5
f0d6087f4e64ff5bbb500c5faabaa1f2

SHA1
88f28f8b5c5a37a5791cca93abcc134c98441a14

SHA256
d073608120ca131749f0a02566b84d28a8dd731534b6ff423bf467561e267bfd

SHA512
8dc20c6417d1339e3ae1cafc349a83b15c6e718a4397ad0e142369acfdbf930765c1e65325bd289b3765e320b046f0d304b84e113031569d1c0ad6cc34e0fecb

Download Submit
C:\blocksavesperfMonitorDll\5940a34987c991

Filesize
697B

MD5
edc7284677ed8801bff2ef6df41cb9eb

SHA1
acbcd54239848abb31d415fe2ffec05122d92178

SHA256
2c9c28060ee97da719089831bdeabbfdc2899948ec0306af1e881e79640272dc

SHA512
a43a1297efa13e7ba97ab5617d9b5b7acd99973e88a320ca1a8af2ce2b71716a046c01f6ebba72c275665fcee028f8599047f0339979a5afc60533d73e514fdc

Download Submit
C:\blocksavesperfMonitorDll\R7uOS4kiQeNNM8oo5bGADNHtfWe.vbe

Filesize
222B

MD5
a6f295a2e58c722b5935cc905e81fd8b

SHA1
a2a30408197320a639e3e2f18a57fc8578c97b58

SHA256
8bcebca170fc0768cb1afb63f1350d63c3a295b26ca04602e07ec43498b9691c

SHA512
839605d7eadcdc470dd4edd117cedd976cb9f36bf0a636d08afecc6378adadf0fccb80beb44de849b6dfec814845cef8ca83ca171b39c1f6d90d55485bd06635

Download Submit
C:\blocksavesperfMonitorDll\SAymW4LctOmWulF1E6221.bat

Filesize
43B

MD5
7c582abd8874b9cc60df72d62bd86440

SHA1
564e7b01338d08f657f2c02fa8fc5b8dadb92331

SHA256
c5e95b783c6ec1b98a40edf8663370c678de43e9b657e09ca1f054618277b329

SHA512
444cf67666329ea359e221560a229990013af07d1ed074b2406e903c7ee04cf279953ad0726a96c2ca875216da68369dfdde00f905adf1de9ed93b8582bf8828

Download Submit
C:\blocksavesperfMonitorDll\reviewDll.exe

Filesize
828KB

MD5
d9dac9e1d95e84e6aec084cf2ddb3f3a

SHA1
a231a41c7ad994879b15116dcea41fdc09bb5879

SHA256
0fbeb71fb1dfe793eace5ed167f035a8f4bcc6b56d0930b6b97481f2b222b1d5

SHA512
c4aa115de6f61c7311e8654d40537cd1ce08f0fb7efd0a225a42e06ad000ed420ba905e5cc26a19cb56af951ee1441aa257c073c47911a72fff733c0db1c2f9a

Download Submit
memory/392-0-0x00007FFCA0783000-0x00007FFCA0785000-memory.dmp

Filesize
8KB

Download
memory/392-1-0x0000000000670000-0x000000000070E000-memory.dmp

Filesize
632KB

Download
memory/392-10-0x00007FFCA0780000-0x00007FFCA1242000-memory.dmp

Filesize
10.8MB

Download
memory/392-14-0x00007FFCA0780000-0x00007FFCA1242000-memory.dmp

Filesize
10.8MB

Download
memory/4100-31-0x00000000006B0000-0x0000000000786000-memory.dmp

Filesize
856KB

Download