dcrat | 05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
Size

1.7MB
MD5

2bbbc1024834e5eb4880e044608e8c9c
SHA1

d45b4eccb435a91acff766f0a61bb33cf43c9b2e
SHA256

05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080
SHA512

e275f0a84ce60d5b5c446d77728a3f04679df3b22f7440b4db81e9aed5234b9f0b89d130bf2ca622d69d57148ef78e20089ec0bf6fd5c8d5151228588c9e30c9
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:OTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3812	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3748	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	712	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4268	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3904	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3436	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3272	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3096	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4048	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4344	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	3948	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	3948	schtasks.exe	82

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/5056-1-0x00000000008E0000-0x0000000000AA0000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b92-30.dat	dcrat
behavioral2/files/0x000c000000023c14-83.dat	dcrat
behavioral2/files/0x000e000000023b8c-117.dat	dcrat
behavioral2/files/0x000c000000023b9b-139.dat	dcrat
behavioral2/files/0x000b000000023bb4-163.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
840	powershell.exe
1632	powershell.exe
4436	powershell.exe
3084	powershell.exe
4448	powershell.exe
3392	powershell.exe
3036	powershell.exe
3800	powershell.exe
1548	powershell.exe
3472	powershell.exe
2484	powershell.exe
2752	powershell.exe
3400	powershell.exe
3588	powershell.exe
4016	powershell.exe
400	powershell.exe
4384	powershell.exe
2964	powershell.exe
872	powershell.exe
2724	powershell.exe
1532	powershell.exe
3200	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe

Executes dropped EXE 11 IoCs

pid	Process
4260	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
668	conhost.exe
2620	conhost.exe
2156	conhost.exe
2000	conhost.exe
400	conhost.exe
3776	conhost.exe
4328	conhost.exe
1976	conhost.exe
5088	conhost.exe
4260	conhost.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\System32\0409\fontdrvhost.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Windows\System32\0409\5b884080fd4f94	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Windows\System32\0409\RCXBDA7.tmp	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Windows\System32\0409\RCXBE15.tmp	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Windows\System32\0409\fontdrvhost.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe

Drops file in Program Files directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\OfficeClickToRun.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\unsecapp.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Program Files\Reference Assemblies\powershell.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Program Files\Reference Assemblies\e978f868350d50	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\unsecapp.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\29c1c3cc0f7685	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Program Files\Crashpad\reports\StartMenuExperienceHost.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\sihost.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\sihost.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\66fc9ff0ee96c2	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\e6c9b481da804f	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Program Files\Java\powershell.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\c5b4cb5e9653cc	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\conhost.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Program Files\Crashpad\reports\55b276f4edf653	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Program Files\Java\e978f868350d50	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\27d1bcfc3c54e0	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\RCXA886.tmp	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\088424020bedd6	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Program Files\Reference Assemblies\powershell.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\RCXB90F.tmp	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RCXBB93.tmp	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Program Files\Crashpad\reports\StartMenuExperienceHost.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\OfficeClickToRun.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\RCXA887.tmp	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\RCXB98D.tmp	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RCXBB92.tmp	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Program Files\Java\powershell.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\conhost.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\088424020bedd6	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File created	C:\Windows\AppReadiness\55b276f4edf653	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Windows\AppReadiness\StartMenuExperienceHost.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Windows\LanguageOverlayCache\csrss.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Windows\SKB\LanguageModels\56085415360792	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Windows\tracing\RCXC29E.tmp	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Windows\tracing\OfficeClickToRun.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Windows\AppReadiness\StartMenuExperienceHost.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Windows\DigitalLocker\en-US\sppsvc.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Windows\tracing\OfficeClickToRun.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\RCXB40A.tmp	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Windows\tracing\RCXC22F.tmp	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Windows\Provisioning\Packages\e978f868350d50	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Windows\Provisioning\Packages\powershell.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Windows\SKB\LanguageModels\wininit.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\RCXB488.tmp	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Windows\SKB\LanguageModels\wininit.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Windows\InputMethod\powershell.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Windows\Provisioning\Packages\powershell.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Windows\InputMethod\e978f868350d50	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Windows\InputMethod\powershell.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Windows\DigitalLocker\en-US\0a1fd5f707cd16	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Windows\tracing\e6c9b481da804f	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\sppsvc.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Windows\SKB\LanguageModels\RCXC01A.tmp	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Windows\SKB\LanguageModels\RCXC01B.tmp	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	conhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1088	schtasks.exe
4112	schtasks.exe
1708	schtasks.exe
4772	schtasks.exe
2948	schtasks.exe
4576	schtasks.exe
1152	schtasks.exe
4268	schtasks.exe
2884	schtasks.exe
4940	schtasks.exe
4856	schtasks.exe
4500	schtasks.exe
1252	schtasks.exe
712	schtasks.exe
4112	schtasks.exe
3664	schtasks.exe
652	schtasks.exe
2124	schtasks.exe
3012	schtasks.exe
2120	schtasks.exe
2996	schtasks.exe
1880	schtasks.exe
1888	schtasks.exe
540	schtasks.exe
1340	schtasks.exe
4584	schtasks.exe
2512	schtasks.exe
1144	schtasks.exe
2148	schtasks.exe
2372	schtasks.exe
4848	schtasks.exe
1920	schtasks.exe
3812	schtasks.exe
2220	schtasks.exe
4828	schtasks.exe
3548	schtasks.exe
1180	schtasks.exe
3096	schtasks.exe
2460	schtasks.exe
1764	schtasks.exe
4432	schtasks.exe
3028	schtasks.exe
2476	schtasks.exe
2188	schtasks.exe
1668	schtasks.exe
4308	schtasks.exe
2820	schtasks.exe
3588	schtasks.exe
4048	schtasks.exe
1752	schtasks.exe
1136	schtasks.exe
4796	schtasks.exe
3272	schtasks.exe
4556	schtasks.exe
2156	schtasks.exe
3776	schtasks.exe
712	schtasks.exe
456	schtasks.exe
1628	schtasks.exe
2240	schtasks.exe
3904	schtasks.exe
844	schtasks.exe
1936	schtasks.exe
5068	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
4016	powershell.exe
4016	powershell.exe
2724	powershell.exe
2724	powershell.exe
3400	powershell.exe
3084	powershell.exe
3400	powershell.exe
3084	powershell.exe
872	powershell.exe
872	powershell.exe
4436	powershell.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	3400	powershell.exe
Token: SeDebugPrivilege	3084	powershell.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	4436	powershell.exe
Token: SeDebugPrivilege	400	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	3392	powershell.exe
Token: SeDebugPrivilege	4260	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	3800	powershell.exe
Token: SeDebugPrivilege	3588	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeDebugPrivilege	4384	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	668	conhost.exe
Token: SeDebugPrivilege	2620	conhost.exe
Token: SeDebugPrivilege	2156	conhost.exe
Token: SeDebugPrivilege	2000	conhost.exe
Token: SeDebugPrivilege	400	conhost.exe
Token: SeDebugPrivilege	3776	conhost.exe
Token: SeDebugPrivilege	4328	conhost.exe
Token: SeDebugPrivilege	1976	conhost.exe
Token: SeDebugPrivilege	5088	conhost.exe
Token: SeDebugPrivilege	4260	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 3392	5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	123
PID 5056 wrote to memory of 3392	5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	123
PID 5056 wrote to memory of 4448	5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	124
PID 5056 wrote to memory of 4448	5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	124
PID 5056 wrote to memory of 2724	5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	125
PID 5056 wrote to memory of 2724	5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	125
PID 5056 wrote to memory of 400	5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	126
PID 5056 wrote to memory of 400	5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	126
PID 5056 wrote to memory of 3400	5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	127
PID 5056 wrote to memory of 3400	5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	127
PID 5056 wrote to memory of 3084	5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	128
PID 5056 wrote to memory of 3084	5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	128
PID 5056 wrote to memory of 2752	5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	129
PID 5056 wrote to memory of 2752	5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	129
PID 5056 wrote to memory of 872	5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	130
PID 5056 wrote to memory of 872	5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	130
PID 5056 wrote to memory of 2484	5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	131
PID 5056 wrote to memory of 2484	5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	131
PID 5056 wrote to memory of 4436	5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	132
PID 5056 wrote to memory of 4436	5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	132
PID 5056 wrote to memory of 4016	5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	133
PID 5056 wrote to memory of 4016	5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	133
PID 5056 wrote to memory of 4260	5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	145
PID 5056 wrote to memory of 4260	5056	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	145
PID 4260 wrote to memory of 3588	4260	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	207
PID 4260 wrote to memory of 3588	4260	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	207
PID 4260 wrote to memory of 1532	4260	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	208
PID 4260 wrote to memory of 1532	4260	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	208
PID 4260 wrote to memory of 3036	4260	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	209
PID 4260 wrote to memory of 3036	4260	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	209
PID 4260 wrote to memory of 3800	4260	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	210
PID 4260 wrote to memory of 3800	4260	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	210
PID 4260 wrote to memory of 3200	4260	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	211
PID 4260 wrote to memory of 3200	4260	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	211
PID 4260 wrote to memory of 1548	4260	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	212
PID 4260 wrote to memory of 1548	4260	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	212
PID 4260 wrote to memory of 840	4260	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	213
PID 4260 wrote to memory of 840	4260	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	213
PID 4260 wrote to memory of 2964	4260	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	214
PID 4260 wrote to memory of 2964	4260	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	214
PID 4260 wrote to memory of 1632	4260	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	215
PID 4260 wrote to memory of 1632	4260	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	215
PID 4260 wrote to memory of 3472	4260	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	216
PID 4260 wrote to memory of 3472	4260	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	216
PID 4260 wrote to memory of 4384	4260	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	217
PID 4260 wrote to memory of 4384	4260	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	217
PID 4260 wrote to memory of 668	4260	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	229
PID 4260 wrote to memory of 668	4260	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	229
PID 668 wrote to memory of 1584	668	conhost.exe	230
PID 668 wrote to memory of 1584	668	conhost.exe	230
PID 668 wrote to memory of 2184	668	conhost.exe	231
PID 668 wrote to memory of 2184	668	conhost.exe	231
PID 1584 wrote to memory of 2620	1584	WScript.exe	234
PID 1584 wrote to memory of 2620	1584	WScript.exe	234
PID 2620 wrote to memory of 2484	2620	conhost.exe	235
PID 2620 wrote to memory of 2484	2620	conhost.exe	235
PID 2620 wrote to memory of 3084	2620	conhost.exe	236
PID 2620 wrote to memory of 3084	2620	conhost.exe	236
PID 2484 wrote to memory of 2156	2484	WScript.exe	237
PID 2484 wrote to memory of 2156	2484	WScript.exe	237
PID 2156 wrote to memory of 4480	2156	conhost.exe	238
PID 2156 wrote to memory of 4480	2156	conhost.exe	238
PID 2156 wrote to memory of 4496	2156	conhost.exe	239
PID 2156 wrote to memory of 4496	2156	conhost.exe	239

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
"C:\Users\Admin\AppData\Local\Temp\05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4016
- C:\Users\Admin\AppData\Local\Temp\05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
  "C:\Users\Admin\AppData\Local\Temp\05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4260
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3588
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3800
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3200
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1548
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:840
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1632
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4384
- - C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:668
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc97a1e6-7ac9-4906-90f2-108dde602bc4.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1584
    - - C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2620
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8f89ce6-4b5f-43af-b325-b8bf8adb18f0.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4724a7d5-45e4-418a-9cd9-18c362a55855.vbs"
        8⤵
        
        PID:4480
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\697470b0-e3bb-478f-83b6-43b0b1a01f0c.vbs"
        10⤵
        
        PID:2040
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09cf7e18-755c-4af7-a173-768829ffd37c.vbs"
        12⤵
        
        PID:652
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\284437b4-80f4-4bbe-aa60-5206dd6f06dc.vbs"
        14⤵
        
        PID:4088
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc9b4c8d-75a8-4cda-a8b6-fb8d14395d86.vbs"
        16⤵
        
        PID:4824
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7820f397-07f5-425b-9eca-9f86d671bfdf.vbs"
        18⤵
        
        PID:4268
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\149148de-d18c-417c-a573-9c7fd729c137.vbs"
        20⤵
        
        PID:4656
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd74ece1-9828-4736-a74b-bb099c1f6bf9.vbs"
        22⤵
        
        PID:2624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31de0cb7-4e9a-4180-ab40-15ca82ee6632.vbs"
        22⤵
        
        PID:4992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6c96a5a-a7b9-481a-acce-b741b8ef8eb8.vbs"
        20⤵
        
        PID:2984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eca96562-577c-4ad2-8015-214dc722fbdb.vbs"
        18⤵
        
        PID:2416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b30598a-5cd8-437a-9bd2-b8a89d64a0c7.vbs"
        16⤵
        
        PID:4880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d744ee90-86f1-465d-b60d-447c19dfbec2.vbs"
        14⤵
        
        PID:2144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\789288a8-ec56-49bd-9d19-2a6d26df7440.vbs"
        12⤵
        
        PID:1628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f479beb-9cd0-4587-8d78-fa985284f9fa.vbs"
        10⤵
        
        PID:2824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7523a1ee-7306-4cfb-b6cc-b8c9bb0dfb6d.vbs"
        8⤵
        
        PID:4496
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb454152-1ef3-43b6-8401-31c384922035.vbs"
        6⤵
        
        PID:3084
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5769be5-2f52-4bb4-861d-e218dba015ed.vbs"
      4⤵
      PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\3D Objects\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\3D Objects\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Music\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Music\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Desktop\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\en-US\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\DigitalLocker\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\uninstall\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\uninstall\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\System32\0409\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\0409\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\System32\0409\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\SKB\LanguageModels\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\SKB\LanguageModels\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Windows\tracing\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\tracing\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Windows\tracing\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Crashpad\reports\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Crashpad\reports\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Crashpad\reports\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Java\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Windows\InputMethod\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\InputMethod\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Windows\InputMethod\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\powershell.exe'" /rl HIGHEST /f
1⤵
PID:3816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\powershell.exe'" /rl HIGHEST /f
1⤵
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\AppReadiness\StartMenuExperienceHost.exe'" /f
1⤵
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\AppReadiness\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Windows\AppReadiness\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Users\Public\powershell.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Public\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Users\Public\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\sysmon.exe'" /f
1⤵
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
1⤵
PID:4216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Desktop\powershell.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Public\Desktop\powershell.exe'" /rl HIGHEST /f
1⤵
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Windows\Provisioning\Packages\powershell.exe'" /f
1⤵
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\Provisioning\Packages\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Windows\Provisioning\Packages\powershell.exe'" /rl HIGHEST /f
1⤵
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
PID:512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\conhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\uninstall\OfficeClickToRun.exe

Filesize
1.7MB

MD5
b262a7589c3303517ebb8a0bd2a7d743

SHA1
4bc378a8b6ca3569a3c7b02943e7eb66226aa37f

SHA256
149c39168261fd4cf823402eadc2cee69da0759a1a9851733a8ff1e570442d8f

SHA512
93c9210b977f754e00759949b9c9ab0f9c2d41cd0ee4455f84ca2db9353abd14263542e4f4a17cf7625e063276eee4269de5a3d929eec1117f51aaa89246c18f

Download Submit
C:\Recovery\WindowsRE\121e5b5079f7c0

Filesize
827B

MD5
515c2bc6b0dabd3e54d63c0242b6b629

SHA1
024da17a89172b4c50c828d4f8a6bc725ef03d4f

SHA256
3855b3fe62e660af695a712e0b5a22a4fa83bad39b1c82b7a7278e0631bce82a

SHA512
5e7212ae8817b13fc17f3d8b6dfe450aca8bba9417e580b399920579be179d765e7ce7347b937e9a9b877471ed23d20484b967acdb183f6623397d21b5bcffee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aeceee3981c528bdc5e1c635b65d223d

SHA1
de9939ed37edca6772f5cdd29f6a973b36b7d31b

SHA256
b99f3c778a047e0348c92c16e0419fa29418d10d0fec61ad8283e92a094a2b32

SHA512
df48285f38e9284efdbd9f8d99e2e94a46fb5465953421ab88497b73ae06895b98ea5c98796560810a6f342c31a9112ea87e03cd3e267fd8518d7585f492a8fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
085e0a3b869f290afea5688a8ac4e7c5

SHA1
0fedef5057708908bcca9e7572be8f46cef4f3ca

SHA256
1fed2c9bc05b3fcb93f493124dbf1680c6445f67e3d49680257183132514509c

SHA512
bbac0555a05dbe83154a90caa44a653c8a05c87594a211548b165c5b1d231e3818830e754c0b6de3e5cb64dba3a5ad18bebae05cb9157e1dd46bce2a86d18ede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b801d886e417a9bf405b2f0092e04fe1

SHA1
fa99fefa2f49af240141692f78c8c28f04205389

SHA256
57b1c29eef54567fcfdaa28d2923485cb6f77bb76dc54235965fb34f02a42636

SHA512
b2c8bf95b4c25d7fff388b5f3e04212c43af9588f7aed8a7cb251330ee18c89789eb1d294b8449ec2afeb9b5373d7a6dce8f4369b84cbfb6a7c7813341fa07ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
32b16440fab3a1055d9c22b90935bdfb

SHA1
ee350c4a65b81468487a3660dfe4f373660b9070

SHA256
ee68b728a82fefc941eba10390d9d70f5aeb442039c901eaf9a18477761cfd35

SHA512
5a1f36ab56e25548fd2875d364cfec39830e855b89628718f786bb8158147ee6fd66f2b7477d1b57b0d8cec5b8f10d173face18f4131ecec0dc67ca9ae56216c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
be95052f298019b83e11336567f385fc

SHA1
556e6abda268afaeeec5e1ee65adc01660b70534

SHA256
ebc004fe961bed86adc4025cdbe3349699a5a1fc328cc3a37f3ff055e7e82027

SHA512
233df172f37f85d34448901057ff19f20792d6e139579a1235165d5f6056a2075c19c85bc9115a6bb74c9c949aebd7bb5391e2ae9f7b1af69e5c4aca3a48cff5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8f659389c6e21eb0c627fbae833500c7

SHA1
ae632f1e4af08587934ff168155b30e2b28d7475

SHA256
a12763453f79453dd8f25f0c90d001ffb5d409ec698491666c9f076c6bc60d8c

SHA512
f4849e0b1d6ab3d4dd054f590a359af8dd1b9d3df2ad78033ad1a59ebafb1ca96aa76fa9061a466d74e8e3266dc882818d79db47908b21ca3ef8be20e427d327

Download Submit
C:\Users\Admin\AppData\Local\Temp\09cf7e18-755c-4af7-a173-768829ffd37c.vbs

Filesize
742B

MD5
da3d646bb152508e20ceee757d0a3fe3

SHA1
a22285c5b89279ae58ae160049fcdaa493c023d7

SHA256
7bd684bf8a32ede4959a0cd9005aace969ae60b264e9246804f2b4dc67e1f4be

SHA512
6cb4a3f308c5704493b61463944a00797c6908ea7890d7f4af248b862c3fc73687febc7df97dda4002616c447cdafbb20e1f0bc30a1608fcd3c3737745d223fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\149148de-d18c-417c-a573-9c7fd729c137.vbs

Filesize
743B

MD5
3479a09275b477143525d1980885b63a

SHA1
411c25b2437f49d4b11e982edfc08ca06422b823

SHA256
173cf84fe17ea5a761ecdb3f4520db4657a250c7cc99715304e01e6f7a97b7e1

SHA512
69fc4aa086e619b28c91efcccd34b269ee0388d30045a326e2ba7e66543eb79ace70a5a50dfc955a0dc64a642a4ac6744e486451a96f877142f6a3a511075f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\284437b4-80f4-4bbe-aa60-5206dd6f06dc.vbs

Filesize
743B

MD5
560362d805fc04e9a266c31e770b0854

SHA1
67ef7485f5b02ff37af9250961af9595d8d92b36

SHA256
20945f08656e19fce09ceeeac6b5b3f2a057734a25e63978f178a73bd958f3fb

SHA512
c8992196179325fb63f413786e7867339d3d55f05e5a2bb7ae7dbd8610736343302041ef33576739381b6bd4a590c507f86964414cd3b4590a36ff3e72c0de09

Download Submit
C:\Users\Admin\AppData\Local\Temp\4724a7d5-45e4-418a-9cd9-18c362a55855.vbs

Filesize
743B

MD5
d542c1c4b13a8268bb96b4f5182c4cc6

SHA1
f0c2eb9c4651dd026b46b51455450966e6647c43

SHA256
1146c66bb6195dfcbbb631dbee60de2ffc6fc0b51dfb20fa9e4c0da93f240355

SHA512
fb56a7cd441e972c2fe4336f360b231e4239034410086ef3384a5888953a0848020c609849ecdd877db089034c7e85f2e6fea2e77cd068c46e3696d91268e4f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\697470b0-e3bb-478f-83b6-43b0b1a01f0c.vbs

Filesize
743B

MD5
5a5f751b3bb2e7b219ce418ab8923a50

SHA1
7ca68efe2f53e9b06f638c8417ea800c9a7beb38

SHA256
bf21179450411f968e4090c039773ddea0d595bd1d9f66da2c20f41770f06570

SHA512
747ba878fdd1afd283bab385582f2f5f13a8a6a5a6692b91ca85aab3413052bbeb22cf331e83c175449a1c78a6b8d3247d34708de1a98ebce99e1d45e6cbd6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7820f397-07f5-425b-9eca-9f86d671bfdf.vbs

Filesize
743B

MD5
a88bf675f041aaa9d317bea7f3db7a6e

SHA1
845ea00de9c6936f0233899392bf17f5f3e7237e

SHA256
731ae4f070819cb5bdc5154dd234b31c2517080622a97fdcedcc763b2082ad04

SHA512
b44a9d45427d4ebfdb11a5be96ef3568e9bf374ffbef20b528efd6720f550f1362077377c97572081fdbea804b806f67e7331ed4be8cdd02240ab4365ee24b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e4yrs33p.fxx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5769be5-2f52-4bb4-861d-e218dba015ed.vbs

Filesize
519B

MD5
7fbeddf02c6764dda604c79b51705229

SHA1
482e65478e61ef147386c22186e97d39e50804e9

SHA256
66491913537b6f533ee2ad7e4b23494dcea7195aa02833c54e529f05c1b15b71

SHA512
cdce6d631a314bb6168e5129fc76340483e288e7f8d16c96b66509710598fb04b1c65775b1f2184ff77edc23597dff752d37f20c2da6734e3de95cf6eea847e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8f89ce6-4b5f-43af-b325-b8bf8adb18f0.vbs

Filesize
743B

MD5
1c6299054e1548e289b308bc97efdc12

SHA1
90923748db80d8e752aac098d9d827c946dfa131

SHA256
b09fe71c40e6ea5f4e0c1445b28efa9bc999281dd5b8cd134f3d45109ac6f75a

SHA512
4ed764400c79d76103ef4b1753b8999d74ece8b94c3769679627ccd8933b5be404f5e25c08ed95087f4755bd3cea77c46125457b5f489491d2d5c9a51c7c7053

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc97a1e6-7ac9-4906-90f2-108dde602bc4.vbs

Filesize
742B

MD5
926d9b052da21195f36e95b591a4817a

SHA1
05d01258e13f0587efdd4d9ba30c8a70c39a55d2

SHA256
b316f5d972cdad163949f3629eac17d3d25e170f4a2e6d53cc3d16af1e1afac2

SHA512
84845f99b52e0c8fef1d2326ff52382c500c96d898ea116a091352834ca3e3ca664976a50aca1bbe41d000966668b88ce0ac2986a600428338c4e1b7d8097b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc9b4c8d-75a8-4cda-a8b6-fb8d14395d86.vbs

Filesize
743B

MD5
852f09a093d9ad7fa26899dc571da7de

SHA1
7fab4db1a0c3154ffd8f9c5cd0c3e6373d69089e

SHA256
fbdab11898bf3180723985fdfbdb648b6f6724514c223a334063b38f21548006

SHA512
a75e776a62703db5705a84467f543f21296ee9cddcc882c73c59785cff0a1de3c4e20526d0532d51856e1911b89a9cb7491e99b22621cac8471845f2d1073f76

Download Submit
C:\Users\Public\Desktop\RuntimeBroker.exe

Filesize
1.7MB

MD5
2bbbc1024834e5eb4880e044608e8c9c

SHA1
d45b4eccb435a91acff766f0a61bb33cf43c9b2e

SHA256
05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080

SHA512
e275f0a84ce60d5b5c446d77728a3f04679df3b22f7440b4db81e9aed5234b9f0b89d130bf2ca622d69d57148ef78e20089ec0bf6fd5c8d5151228588c9e30c9

Download Submit
C:\Users\Public\Music\dllhost.exe

Filesize
1.7MB

MD5
93c05569efeec97ddbc41287bc4d7170

SHA1
57929b71ff7c7348ca9f05dd5db1e2bc57d93657

SHA256
5f2346540d4a402f5bf9f9425f932c672e8b7b9370192aca5af7631ca0d4a498

SHA512
dc0508ff41dcb2e8b175e68204dabcfb67e6fd5899eafd45e3e4fbe0a8f84c922412ff34e84519814c60e6e28ea445f29fcc96d9149b77a2eb90c3d3fbf3aba9

Download Submit
C:\Windows\DigitalLocker\en-US\sppsvc.exe

Filesize
1.7MB

MD5
7765518460f905c344f53eba2d5028f6

SHA1
eb4c81be7a98dacaad89c4eca6fddf53ee1b76aa

SHA256
4129ebe83a6573e2f7f26a35aa2e10c027898659954017a813ca6e9439041d62

SHA512
57dfa62ae52cabbcf60407692c52bdea9d7f3711a73da8e40882d2237fbb73a1dfc21cc453a1ace1d82edc5a9a3a3776a890338dd6d020bc1b4064b76cdf2638

Download Submit
C:\Windows\System32\0409\fontdrvhost.exe

Filesize
1.7MB

MD5
70a8492bfdc58db45b7fbc7051ff1904

SHA1
5c5148935d0a9ab8337fdf6eb4acfc194e31a94e

SHA256
9d676bb2416b0fdf0c55fff7e8eaa7c1ae7509292d1a6b813b0670781c0204c6

SHA512
8ef5391c4adc60516cbc0c9b676bdd3b1acfe549ca58e9ff6d58fbb146105c8bf15c904d513ec21725e7fe07a320398e6df7580dc59ed91258cd762694bc6919

Download Submit
memory/4016-200-0x000001DD577D0000-0x000001DD577F2000-memory.dmp

Filesize
136KB

Download
memory/4260-295-0x000000001B8E0000-0x000000001B8F2000-memory.dmp

Filesize
72KB

Download
memory/5056-15-0x000000001C030000-0x000000001C03A000-memory.dmp

Filesize
40KB

Download
memory/5056-0-0x00007FF802EA3000-0x00007FF802EA5000-memory.dmp

Filesize
8KB

Download
memory/5056-13-0x000000001C2E0000-0x000000001C808000-memory.dmp

Filesize
5.2MB

Download
memory/5056-12-0x000000001BD30000-0x000000001BD42000-memory.dmp

Filesize
72KB

Download
memory/5056-154-0x00007FF802EA3000-0x00007FF802EA5000-memory.dmp

Filesize
8KB

Download
memory/5056-23-0x00007FF802EA0000-0x00007FF803961000-memory.dmp

Filesize
10.8MB

Download
memory/5056-22-0x00007FF802EA0000-0x00007FF803961000-memory.dmp

Filesize
10.8MB

Download
memory/5056-19-0x000000001BEE0000-0x000000001BEEC000-memory.dmp

Filesize
48KB

Download
memory/5056-16-0x000000001C040000-0x000000001C04E000-memory.dmp

Filesize
56KB

Download
memory/5056-17-0x000000001BEC0000-0x000000001BEC8000-memory.dmp

Filesize
32KB

Download
memory/5056-18-0x000000001BED0000-0x000000001BEDC000-memory.dmp

Filesize
48KB

Download
memory/5056-294-0x00007FF802EA0000-0x00007FF803961000-memory.dmp

Filesize
10.8MB

Download
memory/5056-1-0x00000000008E0000-0x0000000000AA0000-memory.dmp

Filesize
1.8MB

Download
memory/5056-291-0x00007FF802EA0000-0x00007FF803961000-memory.dmp

Filesize
10.8MB

Download
memory/5056-178-0x00007FF802EA0000-0x00007FF803961000-memory.dmp

Filesize
10.8MB

Download
memory/5056-10-0x000000001BD20000-0x000000001BD28000-memory.dmp

Filesize
32KB

Download
memory/5056-9-0x000000001BD10000-0x000000001BD1C000-memory.dmp

Filesize
48KB

Download
memory/5056-8-0x000000001B6D0000-0x000000001B6E0000-memory.dmp

Filesize
64KB

Download
memory/5056-7-0x000000001BCF0000-0x000000001BD06000-memory.dmp

Filesize
88KB

Download
memory/5056-5-0x000000001B6B0000-0x000000001B6B8000-memory.dmp

Filesize
32KB

Download
memory/5056-6-0x000000001B6C0000-0x000000001B6D0000-memory.dmp

Filesize
64KB

Download
memory/5056-4-0x000000001BD40000-0x000000001BD90000-memory.dmp

Filesize
320KB

Download
memory/5056-3-0x000000001B580000-0x000000001B59C000-memory.dmp

Filesize
112KB

Download
memory/5056-2-0x00007FF802EA0000-0x00007FF803961000-memory.dmp

Filesize
10.8MB

Download
memory/5056-14-0x000000001BDB0000-0x000000001BDBC000-memory.dmp

Filesize
48KB

Download
memory/5088-666-0x000000001B500000-0x000000001B512000-memory.dmp

Filesize
72KB

Download