dcrat | 3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbd

Analysis

max time kernel
115s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
Size

1.7MB
MD5

7a2f8094d8034feeebb4b6eaa3fde100
SHA1

07938320b644032d9955e95234f0abed26ea675c
SHA256

3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbd
SHA512

cb967bd15df2ed22bd2e74a00a603e3fe98b043cce3587aaef0054d5f44fb34718a361fb0c758b3c93071fb8992515f6aff75603cf2535488712c41a5750c06a
SSDEEP

49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:+THUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3780	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3268	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3424	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3104	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3272	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3572	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3260	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3860	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4020	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3272	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3076	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2520	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	2520	schtasks.exe	83

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3076-1-0x0000000000C20000-0x0000000000DE0000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b81-30.dat	dcrat
behavioral2/files/0x000e000000023bac-105.dat	dcrat
behavioral2/files/0x000d000000023bad-153.dat	dcrat
behavioral2/files/0x000c000000023b8c-165.dat	dcrat
behavioral2/files/0x000c000000023bae-201.dat	dcrat
behavioral2/files/0x000c000000023b9b-212.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3860	powershell.exe
3296	powershell.exe
4368	powershell.exe
4136	powershell.exe
5084	powershell.exe
4048	powershell.exe
1456	powershell.exe
4820	powershell.exe
752	powershell.exe
1580	powershell.exe
4380	powershell.exe
3160	powershell.exe
544	powershell.exe
544	powershell.exe
1152	powershell.exe
4100	powershell.exe
2688	powershell.exe
3992	powershell.exe
2528	powershell.exe
1804	powershell.exe
3736	powershell.exe
4212	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dllhost.exe

Executes dropped EXE 8 IoCs

pid	Process
1704	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3144	dllhost.exe
3720	dllhost.exe
4008	dllhost.exe
3620	dllhost.exe
4016	dllhost.exe
4344	dllhost.exe
1388	dllhost.exe

Drops file in Program Files directory 51 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\e978f868350d50	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\conhost.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\dllhost.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Program Files\Windows Defender\de-DE\csrss.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\69ddcba757bf72	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Idle.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\smss.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCX8D1C.tmp	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\RCX9D85.tmp	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Program Files\Windows Mail\sppsvc.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\ea1d8f6d871115	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\5940a34987c991	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Program Files\Windows Defender\de-DE\886983d96e3d3e	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Program Files\Java\jdk-1.8\csrss.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\RCX81E8.tmp	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\RCX83FD.tmp	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\RCX847B.tmp	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Program Files\Windows Defender\27d1bcfc3c54e0	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\dllhost.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Program Files\dotnet\swidtag\9e8d7a4ca61bd9	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Program Files (x86)\Windows Media Player\unsecapp.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Program Files (x86)\Windows Media Player\29c1c3cc0f7685	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\smss.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\RCX7FE3.tmp	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Idle.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\powershell.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Program Files (x86)\Windows Defender\conhost.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\csrss.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\RCX965B.tmp	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Program Files\Windows Defender\System.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Program Files\dotnet\swidtag\RuntimeBroker.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\6ccacd8608530f	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Program Files\Java\jdk-1.8\886983d96e3d3e	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Program Files\Common Files\DESIGNER\f84bab991c027c	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\RCX7FE2.tmp	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\RCX9D86.tmp	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Program Files\Windows Mail\0a1fd5f707cd16	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Program Files (x86)\Windows Defender\088424020bedd6	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Program Files\Windows Defender\System.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Program Files\Common Files\DESIGNER\3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCX8D1B.tmp	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\unsecapp.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\RCX966B.tmp	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Program Files\dotnet\swidtag\RuntimeBroker.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\RCX81E9.tmp	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\csrss.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\powershell.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Program Files\Windows Mail\sppsvc.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe

Drops file in Windows directory 22 IoCs

description	ioc	Process
File created	C:\Windows\Sun\Java\121e5b5079f7c0	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Windows\LanguageOverlayCache\sihost.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Windows\Speech_OneCore\Engines\Lexicon\RuntimeBroker.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Windows\Speech_OneCore\Engines\Lexicon\9e8d7a4ca61bd9	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Windows\Sun\Java\RCX868F.tmp	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Windows\Sun\Java\sysmon.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Windows\Speech_OneCore\Engines\Lexicon\RCX9B02.tmp	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Windows\Speech_OneCore\Engines\Lexicon\RuntimeBroker.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Windows\Microsoft.NET\authman\5940a34987c991	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Windows\en-US\dllhost.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Windows\en-US\dllhost.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Windows\Fonts\3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Windows\Fonts\3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Windows\Sun\Java\sysmon.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Windows\Sun\Java\RCX8690.tmp	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Windows\Microsoft.NET\authman\dllhost.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Windows\Speech_OneCore\Engines\Lexicon\RCX9B70.tmp	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Windows\Microsoft.NET\authman\dllhost.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Windows\Fonts\f84bab991c027c	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Windows\Fonts\RCX7DBD.tmp	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Windows\Fonts\RCX7DDE.tmp	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Windows\en-US\5940a34987c991	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	dllhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1852	schtasks.exe
4864	schtasks.exe
4216	schtasks.exe
1180	schtasks.exe
1832	schtasks.exe
3764	schtasks.exe
4012	schtasks.exe
964	schtasks.exe
1396	schtasks.exe
4600	schtasks.exe
2728	schtasks.exe
1704	schtasks.exe
3268	schtasks.exe
1984	schtasks.exe
1720	schtasks.exe
4020	schtasks.exe
2860	schtasks.exe
5112	schtasks.exe
1648	schtasks.exe
4764	schtasks.exe
2212	schtasks.exe
2380	schtasks.exe
3404	schtasks.exe
3336	schtasks.exe
4416	schtasks.exe
2276	schtasks.exe
3700	schtasks.exe
1268	schtasks.exe
812	schtasks.exe
2388	schtasks.exe
3780	schtasks.exe
2716	schtasks.exe
1456	schtasks.exe
2712	schtasks.exe
2860	schtasks.exe
1388	schtasks.exe
2536	schtasks.exe
1336	schtasks.exe
3260	schtasks.exe
3860	schtasks.exe
1492	schtasks.exe
4084	schtasks.exe
5012	schtasks.exe
1532	schtasks.exe
3000	schtasks.exe
2336	schtasks.exe
3692	schtasks.exe
388	schtasks.exe
1432	schtasks.exe
5092	schtasks.exe
2612	schtasks.exe
2728	schtasks.exe
1528	schtasks.exe
2412	schtasks.exe
684	schtasks.exe
4568	schtasks.exe
3080	schtasks.exe
4016	schtasks.exe
3424	schtasks.exe
4468	schtasks.exe
220	schtasks.exe
4784	schtasks.exe
4448	schtasks.exe
3900	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
4820	powershell.exe
4820	powershell.exe
4136	powershell.exe
4136	powershell.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
1804	powershell.exe
1804	powershell.exe
544	powershell.exe
544	powershell.exe
4048	powershell.exe
4048	powershell.exe
3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3736	powershell.exe
3736	powershell.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
Token: SeDebugPrivilege	4048	powershell.exe
Token: SeDebugPrivilege	4820	powershell.exe
Token: SeDebugPrivilege	4136	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	544	powershell.exe
Token: SeDebugPrivilege	3736	powershell.exe
Token: SeDebugPrivilege	4212	powershell.exe
Token: SeDebugPrivilege	3296	powershell.exe
Token: SeDebugPrivilege	3860	powershell.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	1704	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
Token: SeDebugPrivilege	4380	powershell.exe
Token: SeDebugPrivilege	752	powershell.exe
Token: SeDebugPrivilege	4100	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	3992	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	3160	powershell.exe
Token: SeDebugPrivilege	544	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	5084	powershell.exe
Token: SeDebugPrivilege	3144	dllhost.exe
Token: SeDebugPrivilege	4008	dllhost.exe
Token: SeDebugPrivilege	3620	dllhost.exe
Token: SeDebugPrivilege	4016	dllhost.exe
Token: SeDebugPrivilege	4344	dllhost.exe
Token: SeDebugPrivilege	1388	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 4048	3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	146
PID 3076 wrote to memory of 4048	3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	146
PID 3076 wrote to memory of 1456	3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	147
PID 3076 wrote to memory of 1456	3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	147
PID 3076 wrote to memory of 4820	3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	148
PID 3076 wrote to memory of 4820	3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	148
PID 3076 wrote to memory of 3860	3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	149
PID 3076 wrote to memory of 3860	3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	149
PID 3076 wrote to memory of 1804	3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	150
PID 3076 wrote to memory of 1804	3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	150
PID 3076 wrote to memory of 3736	3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	151
PID 3076 wrote to memory of 3736	3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	151
PID 3076 wrote to memory of 4212	3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	152
PID 3076 wrote to memory of 4212	3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	152
PID 3076 wrote to memory of 544	3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	153
PID 3076 wrote to memory of 544	3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	153
PID 3076 wrote to memory of 3296	3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	154
PID 3076 wrote to memory of 3296	3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	154
PID 3076 wrote to memory of 4368	3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	155
PID 3076 wrote to memory of 4368	3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	155
PID 3076 wrote to memory of 4136	3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	156
PID 3076 wrote to memory of 4136	3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	156
PID 3076 wrote to memory of 1704	3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	168
PID 3076 wrote to memory of 1704	3076	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	168
PID 1704 wrote to memory of 2688	1704	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	200
PID 1704 wrote to memory of 2688	1704	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	200
PID 1704 wrote to memory of 3992	1704	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	201
PID 1704 wrote to memory of 3992	1704	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	201
PID 1704 wrote to memory of 5084	1704	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	202
PID 1704 wrote to memory of 5084	1704	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	202
PID 1704 wrote to memory of 544	1704	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	203
PID 1704 wrote to memory of 544	1704	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	203
PID 1704 wrote to memory of 1580	1704	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	204
PID 1704 wrote to memory of 1580	1704	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	204
PID 1704 wrote to memory of 4380	1704	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	205
PID 1704 wrote to memory of 4380	1704	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	205
PID 1704 wrote to memory of 3160	1704	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	206
PID 1704 wrote to memory of 3160	1704	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	206
PID 1704 wrote to memory of 1152	1704	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	207
PID 1704 wrote to memory of 1152	1704	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	207
PID 1704 wrote to memory of 4100	1704	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	208
PID 1704 wrote to memory of 4100	1704	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	208
PID 1704 wrote to memory of 2528	1704	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	209
PID 1704 wrote to memory of 2528	1704	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	209
PID 1704 wrote to memory of 752	1704	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	210
PID 1704 wrote to memory of 752	1704	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	210
PID 1704 wrote to memory of 3144	1704	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	222
PID 1704 wrote to memory of 3144	1704	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	222
PID 3144 wrote to memory of 3524	3144	dllhost.exe	224
PID 3144 wrote to memory of 3524	3144	dllhost.exe	224
PID 3144 wrote to memory of 2428	3144	dllhost.exe	225
PID 3144 wrote to memory of 2428	3144	dllhost.exe	225
PID 3524 wrote to memory of 3720	3524	WScript.exe	228
PID 3524 wrote to memory of 3720	3524	WScript.exe	228
PID 1312 wrote to memory of 4008	1312	WScript.exe	233
PID 1312 wrote to memory of 4008	1312	WScript.exe	233
PID 4008 wrote to memory of 2536	4008	dllhost.exe	235
PID 4008 wrote to memory of 2536	4008	dllhost.exe	235
PID 4008 wrote to memory of 552	4008	dllhost.exe	236
PID 4008 wrote to memory of 552	4008	dllhost.exe	236
PID 2536 wrote to memory of 3620	2536	WScript.exe	237
PID 2536 wrote to memory of 3620	2536	WScript.exe	237
PID 3620 wrote to memory of 544	3620	dllhost.exe	239
PID 3620 wrote to memory of 544	3620	dllhost.exe	239

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
"C:\Users\Admin\AppData\Local\Temp\3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4136
- C:\Users\Admin\AppData\Local\Temp\3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
  "C:\Users\Admin\AppData\Local\Temp\3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5084
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4380
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1152
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:752
- - C:\Windows\en-US\dllhost.exe
    "C:\Windows\en-US\dllhost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3144
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5dce5c31-0f21-42ea-86f7-03b0eecf1108.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3524
    - - C:\Windows\en-US\dllhost.exe
        
        C:\Windows\en-US\dllhost.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3720
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22a71d25-fb7c-46d8-98b7-a571a951a9f6.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\en-US\dllhost.exe
        
        C:\Windows\en-US\dllhost.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c717dfa-fba7-471c-8783-43b073417c94.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\en-US\dllhost.exe
        
        C:\Windows\en-US\dllhost.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f161ea74-3c40-451a-9e36-29f18d6b9617.vbs"
        10⤵
        
        PID:544
        
        C:\Windows\en-US\dllhost.exe
        
        C:\Windows\en-US\dllhost.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0aaf7a4e-0897-450a-a166-219bb814b47a.vbs"
        12⤵
        
        PID:4372
        
        C:\Windows\en-US\dllhost.exe
        
        C:\Windows\en-US\dllhost.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7000284b-e484-40ca-9283-1beb010b053c.vbs"
        14⤵
        
        PID:4300
        
        C:\Windows\en-US\dllhost.exe
        
        C:\Windows\en-US\dllhost.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f47528e2-5516-4f3e-a721-7ff1acc44066.vbs"
        16⤵
        
        PID:2876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba34d2c2-471a-4f57-b0ab-26c4cd52de4f.vbs"
        16⤵
        
        PID:3420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fab1514-9ec1-4760-8508-c535bcbe97f3.vbs"
        14⤵
        
        PID:1872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6856f5f-c8b7-415e-93d8-ad9ffd152255.vbs"
        12⤵
        
        PID:4292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed38b329-e048-45ab-a1e8-744fb06a58cc.vbs"
        10⤵
        
        PID:392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86cd9249-bc0f-4a68-8c67-dc52dbfc7905.vbs"
        8⤵
        
        PID:552
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90f0b06a-ab56-424e-9f15-e6e776b1fb92.vbs"
        6⤵
        
        PID:3708
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50f1d853-9d74-4656-b1ee-dc3c751e393a.vbs"
      4⤵
      PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN3" /sc MINUTE /mo 8 /tr "'C:\Windows\Fonts\3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN" /sc ONLOGON /tr "'C:\Windows\Fonts\3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN3" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\de-DE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jdk-1.8\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk-1.8\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Windows\Sun\Java\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\Sun\Java\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Windows\Sun\Java\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Downloads\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Downloads\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Favorites\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Default\Favorites\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Favorites\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN3" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\DESIGNER\3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN3" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\DESIGNER\3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Desktop\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Desktop\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\authman\dllhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\authman\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Microsoft.NET\authman\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\en-US\dllhost.exe'" /f
1⤵
PID:4008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\dllhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\dotnet\swidtag\RuntimeBroker.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\swidtag\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk-1.8\csrss.exe

Filesize
1.7MB

MD5
b5f9bd18d81bfc1e9359bc77efae7cfa

SHA1
62bc19478b13fb8d8f106aa89183fa451d82862c

SHA256
b00f38089fb1a8bc25246990bfe15e256ad39a104853a74571e8daf45634d020

SHA512
19539a3d86a0038c0b5bec9651411e8844f1d8e88b8827078af81c0263cd18810c75326abe72f1a3fedf9eb93488cd8cc1488f385a942e21f2c9a74fce88a712

Download Submit
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe

Filesize
1.7MB

MD5
ab1c82ea84f729b556c6eac335c8a043

SHA1
7175c0cc030a9dc298924e695a312b876e94d8f3

SHA256
5bfe832b93e112e5246990e542ddd45523ec227111bc14b8c0edf611040c4d45

SHA512
24a6630de2ec27efc19c448acbb5643ffc5e8fed9ab557c8efcb2cfbe8e457fbf5af527edf9b15f227606ef8b3c2eeaa6d51c01a6ceae79f8f0a0433e810149b

Download Submit
C:\Recovery\WindowsRE\lsass.exe

Filesize
1.7MB

MD5
aa244f042815616c14f4a9614aff661c

SHA1
0d2042502393efffe17d2a66d0632fd295f6b85b

SHA256
4be4d1ad03b4ecff3d21ce1811f54afb55e3a1b12a93d5f194d07e0dc80ec26e

SHA512
8c9edd191fe46427c72c4e6415491fe64f1a12cbfc8834be1240bfcc504f876cbdb31ccf45df32dece66873f630a1e1158e64a45a4995e6725f496b51514e95e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9006afb2f47b3bb7d3669c647651e29c

SHA1
cdc0d7654be8e516df2c36accd9b52eac1f00ffd

SHA256
a025443b35555d64473b1ef01194239e808c49b47c924b99b942514036901302

SHA512
f2e72bbecfa823415bd0be7a091b1272e10e11059a71baf115780aa7ce3e694d114f6642de161ccba24e2182765b8188cc6dbb804fd07e318af9e1917549841c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3b444d3f0ddea49d84cc7b3972abe0e6

SHA1
0a896b3808e68d5d72c2655621f43b0b2c65ae02

SHA256
ab075b491d20c6f66c7bd40b57538c1cfdaab5aac4715bfe3bbc7f4745860a74

SHA512
eb0ab5d68472ec42de4c9b6d84306d7bca3874be1d0ac572030a070f21a698432418068e1a6006ff88480be8c8f54c769dee74b2def403f734109dba7261f36b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
32b16440fab3a1055d9c22b90935bdfb

SHA1
ee350c4a65b81468487a3660dfe4f373660b9070

SHA256
ee68b728a82fefc941eba10390d9d70f5aeb442039c901eaf9a18477761cfd35

SHA512
5a1f36ab56e25548fd2875d364cfec39830e855b89628718f786bb8158147ee6fd66f2b7477d1b57b0d8cec5b8f10d173face18f4131ecec0dc67ca9ae56216c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6019bc03fe1dc3367a67c76d08b55399

SHA1
3d0b6d4d99b6b8e49829a3992072c3d9df7ad672

SHA256
7f88db7b83b11cd8ea233efc3a1498635b68771482658255750df564a065f7d0

SHA512
6b5409780a23e977b0bbe463e351f1d474539100aeaa01b0b7fe72aa6dbfb3c0fec64fe9db65b63d188a279b65eae7f31ef0b6880c67ada9ab175da419f595eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2326ec693faaa2f848f043ebcdf59997

SHA1
2af2fa4a3dd7a774d7869129dca2a692ff684741

SHA256
1e683352c90fae821cae3342b97447e852736002a68d1b4b71ff0d9f9e015645

SHA512
af37916f5887816f4912a68de7f382da4e13d3273cfdd422ed64c193eb782e425837624b4398a06f8e1022e7350f9f78a1fde3c66652d1ea6b562c652ce4fea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cf79136142125a14a0d763b303b2effd

SHA1
20c496b9c84ddb9c365d6c59823660768c9dfdf7

SHA256
38297561076f05a1d94b8c6273098acc6866a563466e6a62e1c75846210715e3

SHA512
37e871507b221658b17bc7b1e100a695ed2ddcd5fa39176dc0ee858c7ef78d279699cd493532e1c95774f3b8a869d6a1d8fa3096314ba17025ec0041e2033522

Download Submit
C:\Users\Admin\AppData\Local\Temp\0aaf7a4e-0897-450a-a166-219bb814b47a.vbs

Filesize
704B

MD5
5f69f9cae081c12d4fe1ea7f58b1da1f

SHA1
5c722ea78933163b1f1de777a8c6aa437aa714e8

SHA256
af90bad8e673da0a1225effb581045979a59dcaa8300e33a485912df02b080e7

SHA512
110052935e1157755422ccbece14aa406fd6d8f226638eb1dcb8d69de2499bacbc2f0b2789505edf6b9446594b91af281c85b50b65e78702ed9f91d135e3005f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0c717dfa-fba7-471c-8783-43b073417c94.vbs

Filesize
704B

MD5
1482eccabc8463a5fb63bbed34108425

SHA1
59fa091c607c7b384ac3ccc35351c7e57c5ef603

SHA256
e0994d2eb275c040adc25130eb5d1fc3ac1af9946436b9ac2d7ac4a64b5da463

SHA512
96d61b9fa3061ad699a6278b633e08e148ca4a272bbc59c2433d572e5f7d92b9f56156206ab0dc44c2faa11d4ce878db059429713e0c11c6069ddce2b9d9d848

Download Submit
C:\Users\Admin\AppData\Local\Temp\50f1d853-9d74-4656-b1ee-dc3c751e393a.vbs

Filesize
480B

MD5
32b234430c1da9824feba17011a8df95

SHA1
0a53e12043ca0579bda3acdf103187fecf683220

SHA256
ff896b6a765472dd58d814123d6433414febfdf0727ff17091d59501aa535da4

SHA512
b1495ac29835d74b95867b90ce4b6f0e2ae4a70c91c0d2561036e0bab3cdcbfb4f27b277b02ba29c8a860885f99cf9ba2efe926549f35729142aea6ff8d4bc62

Download Submit
C:\Users\Admin\AppData\Local\Temp\5dce5c31-0f21-42ea-86f7-03b0eecf1108.vbs

Filesize
704B

MD5
c48f8c2059a4464fd0b7a49c5cb70c18

SHA1
33107624513c93078e29d707cdea4b26c68144f3

SHA256
0821f114ff6ec8614027b09124c98c8c809595561fdb705dfac20f4fea8f554f

SHA512
b303cfba3d345819672f2b8a57efb1315eb1a978c24c5bac085874b552fe01bd9865cd46de555a6f4271d1bd043a37cbe32a635bb055f1b406ea7f37230bd56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7000284b-e484-40ca-9283-1beb010b053c.vbs

Filesize
704B

MD5
b50f46b5d972ec52c47e87edd1c88bd0

SHA1
7ca3b03ca7c533a9b7fb0a93cd6570fd39898b5f

SHA256
379b053c49c375df4641e1eb8b36967f605c5e3080761e028b283f020812a1b8

SHA512
996f5e510989a071d6b5265e7493889555480a99d333dc1174498af92dde4a16ee8b28336e96771817e47d4e31c9cd8d96df72fe6400903091bc4b7b8e2a968d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_31zkdupe.auu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f161ea74-3c40-451a-9e36-29f18d6b9617.vbs

Filesize
704B

MD5
e6874598f419eb40954cf79995d27ee8

SHA1
8765e91d6691e8d5ed9b943ab27152f97eb73b0e

SHA256
6b1deed49b444c7aa2b884bf0081d4de61193e8786d0d3278aa287dbeeaa2e34

SHA512
34e96f9a786291ad71e4888b40693a880519c6e435771bd6f539c51b89390d7169b41ac16f968173cff73670d83dadb37f9b532ee626dbd525ccba46c96183b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\f47528e2-5516-4f3e-a721-7ff1acc44066.vbs

Filesize
704B

MD5
2ec47f28b361a9d90f191faaa57922e5

SHA1
e610c804378123f49ed5cdc936b5541859c5f717

SHA256
3ce3d160876ea1e03096a02ae5fbaddf99f7fb5e651f1cebffd79e60dc0399a6

SHA512
fcf2ae744d5e81c5a5f58c62142c11161612a054a978c516c71fcf4099938ad84bd5dc85331258decfaa61e1ea1f09e67c1e8703cd5e47794accd3797867f260

Download Submit
C:\Users\Default\Favorites\backgroundTaskHost.exe

Filesize
1.7MB

MD5
b807271f650bd9c6b91982f5bf006f6d

SHA1
f29a7289dbf12f79a9a2b07baf9ef55f6f86806d

SHA256
9893296fb90d84297ef6ab23cfc9c88b3ed5f4a082255e698e8e89d62110d103

SHA512
b76ef7a80291bd0d00e9e1984d3739ebb25e7edc79e24d0fa009293dd3d171379e182a35c5f65220f96f92a972a32727181a23495529c228f2292c166459a0de

Download Submit
C:\Windows\Speech_OneCore\Engines\Lexicon\RuntimeBroker.exe

Filesize
1.7MB

MD5
dc1994a61e5f56418cefc033e8c0ba4d

SHA1
9d66bbea95b3e2e369d3bcf089e8c875fbf6e67e

SHA256
c43944f1fbf18454ed7416ed72707a24ff9151b2143bc3501d1ba349ba3f48bd

SHA512
5ca412ae08951b93c41ca687d3f3fd4af14f4e32cf145c5ee2ddc5cc6bcb5aec76ab063e1ffcdc6b9d751f16c00e3d123b07365f241b7d321f348b5dfb5292cc

Download Submit
C:\Windows\Sun\Java\sysmon.exe

Filesize
1.7MB

MD5
7a2f8094d8034feeebb4b6eaa3fde100

SHA1
07938320b644032d9955e95234f0abed26ea675c

SHA256
3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbd

SHA512
cb967bd15df2ed22bd2e74a00a603e3fe98b043cce3587aaef0054d5f44fb34718a361fb0c758b3c93071fb8992515f6aff75603cf2535488712c41a5750c06a

Download Submit
memory/3076-14-0x000000001BA90000-0x000000001BA9C000-memory.dmp

Filesize
48KB

Download
memory/3076-156-0x00007FFC61BE3000-0x00007FFC61BE5000-memory.dmp

Filesize
8KB

Download
memory/3076-13-0x000000001C660000-0x000000001CB88000-memory.dmp

Filesize
5.2MB

Download
memory/3076-354-0x00007FFC61BE0000-0x00007FFC626A1000-memory.dmp

Filesize
10.8MB

Download
memory/3076-12-0x000000001BA80000-0x000000001BA92000-memory.dmp

Filesize
72KB

Download
memory/3076-227-0x00007FFC61BE0000-0x00007FFC626A1000-memory.dmp

Filesize
10.8MB

Download
memory/3076-23-0x00007FFC61BE0000-0x00007FFC626A1000-memory.dmp

Filesize
10.8MB

Download
memory/3076-22-0x00007FFC61BE0000-0x00007FFC626A1000-memory.dmp

Filesize
10.8MB

Download
memory/3076-15-0x000000001C360000-0x000000001C36A000-memory.dmp

Filesize
40KB

Download
memory/3076-16-0x000000001C380000-0x000000001C38E000-memory.dmp

Filesize
56KB

Download
memory/3076-19-0x000000001C240000-0x000000001C24C000-memory.dmp

Filesize
48KB

Download
memory/3076-10-0x000000001BA70000-0x000000001BA78000-memory.dmp

Filesize
32KB

Download
memory/3076-18-0x000000001C230000-0x000000001C23C000-memory.dmp

Filesize
48KB

Download
memory/3076-0-0x00007FFC61BE3000-0x00007FFC61BE5000-memory.dmp

Filesize
8KB

Download
memory/3076-180-0x00007FFC61BE0000-0x00007FFC626A1000-memory.dmp

Filesize
10.8MB

Download
memory/3076-1-0x0000000000C20000-0x0000000000DE0000-memory.dmp

Filesize
1.8MB

Download
memory/3076-17-0x000000001BAF0000-0x000000001BAF8000-memory.dmp

Filesize
32KB

Download
memory/3076-9-0x000000001BA60000-0x000000001BA6C000-memory.dmp

Filesize
48KB

Download
memory/3076-7-0x0000000003030000-0x0000000003046000-memory.dmp

Filesize
88KB

Download
memory/3076-8-0x000000001BA50000-0x000000001BA60000-memory.dmp

Filesize
64KB

Download
memory/3076-4-0x000000001BAA0000-0x000000001BAF0000-memory.dmp

Filesize
320KB

Download
memory/3076-2-0x00007FFC61BE0000-0x00007FFC626A1000-memory.dmp

Filesize
10.8MB

Download
memory/3076-5-0x0000000003010000-0x0000000003018000-memory.dmp

Filesize
32KB

Download
memory/3076-3-0x0000000002FF0000-0x000000000300C000-memory.dmp

Filesize
112KB

Download
memory/3076-6-0x0000000003020000-0x0000000003030000-memory.dmp

Filesize
64KB

Download
memory/3620-599-0x000000001BBD0000-0x000000001BBE2000-memory.dmp

Filesize
72KB

Download
memory/4008-587-0x000000001B650000-0x000000001B662000-memory.dmp

Filesize
72KB

Download
memory/4048-252-0x0000020DC1A30000-0x0000020DC1A52000-memory.dmp

Filesize
136KB

Download
memory/4344-622-0x000000001BAD0000-0x000000001BAE2000-memory.dmp

Filesize
72KB

Download