dcrat | 6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8

Resubmissions

13-01-2025 04:16

250113-ev3jsaxrdj 10

12-01-2025 13:52

250112-q6sz9sxmfp 10

Analysis

max time kernel
853s
max time network
846s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 04:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
Size

1.7MB
MD5

0624cb81236f6a0e8d0487a766458088
SHA1

36ea7baa5b367c60269eb1a277bd5ad4bc41b54b
SHA256

6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8
SHA512

742d2c2d154133ba9b38c67b59fb4ddbcd16b8b420c8e7fbd14a4c4283c8a875ae62d17924a53b000caf04f5b627d15f031b12e7f98821f03079451008b86553
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvD:OTHUxUoh1IF9gl2M

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	412	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3644	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3972	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3544	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3600	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3896	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3376	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	2912	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2912	schtasks.exe	83

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4860-1-0x0000000000670000-0x0000000000830000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b73-30.dat	dcrat
behavioral2/files/0x000d000000023b77-174.dat	dcrat
behavioral2/files/0x000d000000023b7f-191.dat	dcrat
behavioral2/memory/4876-641-0x0000000000A30000-0x0000000000BF0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1968	powershell.exe
4732	powershell.exe
4368	powershell.exe
4228	powershell.exe
4912	powershell.exe
2036	powershell.exe
2684	powershell.exe
3528	powershell.exe
1492	powershell.exe
1852	powershell.exe
1988	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe

Checks computer location settings 2 TTPs 49 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe

Executes dropped EXE 63 IoCs

pid	Process
408	fontdrvhost.exe
2548	fontdrvhost.exe
1484	fontdrvhost.exe
4052	fontdrvhost.exe
2660	fontdrvhost.exe
3540	fontdrvhost.exe
3776	fontdrvhost.exe
1596	fontdrvhost.exe
2388	fontdrvhost.exe
1904	fontdrvhost.exe
5056	fontdrvhost.exe
1140	fontdrvhost.exe
3428	fontdrvhost.exe
4432	fontdrvhost.exe
1872	fontdrvhost.exe
4324	fontdrvhost.exe
4644	fontdrvhost.exe
1168	spoolsv.exe
4620	fontdrvhost.exe
3508	explorer.exe
2232	dllhost.exe
3836	explorer.exe
4816	explorer.exe
1152	explorer.exe
4448	explorer.exe
3992	explorer.exe
2732	explorer.exe
2200	explorer.exe
1180	lsass.exe
5092	smss.exe
4876	upfc.exe
3528	explorer.exe
2152	explorer.exe
1312	explorer.exe
4420	explorer.exe
3472	explorer.exe
2824	explorer.exe
4712	explorer.exe
404	spoolsv.exe
1920	RuntimeBroker.exe
392	fontdrvhost.exe
4968	explorer.exe
1048	SppExtComObj.exe
2152	SppExtComObj.exe
4204	SppExtComObj.exe
228	SppExtComObj.exe
4376	SppExtComObj.exe
4372	explorer.exe
3544	dllhost.exe
3096	backgroundTaskHost.exe
5044	SppExtComObj.exe
624	SppExtComObj.exe
2660	SppExtComObj.exe
1412	SppExtComObj.exe
4720	SppExtComObj.exe
3948	SppExtComObj.exe
4300	SppExtComObj.exe
888	SppExtComObj.exe
1712	SppExtComObj.exe
3668	SppExtComObj.exe
4876	SppExtComObj.exe
1464	spoolsv.exe
4448	SppExtComObj.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office 15\eddb19405b7ce1	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Program Files\Microsoft Office 15\RCX9236.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Program Files\Windows Mail\RCX9DE9.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File created	C:\Program Files\Microsoft Office 15\backgroundTaskHost.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File created	C:\Program Files\Windows Mail\SppExtComObj.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File created	C:\Program Files\Windows Mail\e1ef82546f0b02	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Program Files\Microsoft Office 15\backgroundTaskHost.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCXA07B.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\7a0fd90576e088	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCXA06B.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Program Files\Microsoft Office 15\RCX9237.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Program Files\Windows Mail\RCX9DE8.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Program Files\Windows Mail\SppExtComObj.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File created	C:\Windows\Speech\5940a34987c991	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File created	C:\Windows\IME\en-US\eddb19405b7ce1	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Windows\ShellExperiences\RCX96CE.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Windows\Speech\RCX9BD3.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Windows\Speech\RCX9BE3.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File created	C:\Windows\Logs\Telephony\f3b6ecef712a24	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File created	C:\Windows\Tasks\6203df4a6bafc7	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File created	C:\Windows\ShellExperiences\69ddcba757bf72	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Windows\IME\en-US\RCXA280.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Windows\ShellExperiences\RCX96CF.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Windows\ShellExperiences\smss.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Windows\Tasks\RCX9020.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Windows\Tasks\lsass.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Windows\Speech\dllhost.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Windows\IME\en-US\RCXA281.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File created	C:\Windows\Logs\Telephony\spoolsv.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File created	C:\Windows\Tasks\lsass.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File created	C:\Windows\Speech\dllhost.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Windows\Logs\Telephony\RCX8DAE.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Windows\Logs\Telephony\spoolsv.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Windows\Tasks\RCX9021.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Windows\IME\en-US\backgroundTaskHost.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File created	C:\Windows\ShellExperiences\smss.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File created	C:\Windows\IME\en-US\backgroundTaskHost.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Windows\Logs\Telephony\RCX8D9E.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 49 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	SppExtComObj.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
412	schtasks.exe
3948	schtasks.exe
100	schtasks.exe
2312	schtasks.exe
1092	schtasks.exe
3376	schtasks.exe
1968	schtasks.exe
3508	schtasks.exe
4632	schtasks.exe
3064	schtasks.exe
3544	schtasks.exe
4052	schtasks.exe
3972	schtasks.exe
1428	schtasks.exe
232	schtasks.exe
2024	schtasks.exe
3600	schtasks.exe
808	schtasks.exe
2920	schtasks.exe
532	schtasks.exe
4680	schtasks.exe
3644	schtasks.exe
4500	schtasks.exe
3152	schtasks.exe
2636	schtasks.exe
972	schtasks.exe
1452	schtasks.exe
4012	schtasks.exe
2424	schtasks.exe
4120	schtasks.exe
4760	schtasks.exe
1340	schtasks.exe
2456	schtasks.exe
3896	schtasks.exe
2712	schtasks.exe
1052	schtasks.exe
2152	schtasks.exe
2864	schtasks.exe
1148	schtasks.exe
2260	schtasks.exe
4160	schtasks.exe
916	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4228	powershell.exe
4228	powershell.exe
4732	powershell.exe
4732	powershell.exe
1988	powershell.exe
1988	powershell.exe
4368	powershell.exe
4368	powershell.exe
2684	powershell.exe
2684	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	3528	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	4912	powershell.exe
Token: SeDebugPrivilege	408	fontdrvhost.exe
Token: SeDebugPrivilege	2548	fontdrvhost.exe
Token: SeDebugPrivilege	1484	fontdrvhost.exe
Token: SeDebugPrivilege	4052	fontdrvhost.exe
Token: SeDebugPrivilege	2660	fontdrvhost.exe
Token: SeDebugPrivilege	3540	fontdrvhost.exe
Token: SeDebugPrivilege	3776	fontdrvhost.exe
Token: SeDebugPrivilege	1596	fontdrvhost.exe
Token: SeDebugPrivilege	2388	fontdrvhost.exe
Token: SeDebugPrivilege	1904	fontdrvhost.exe
Token: SeDebugPrivilege	5056	fontdrvhost.exe
Token: SeDebugPrivilege	1140	fontdrvhost.exe
Token: SeDebugPrivilege	3428	fontdrvhost.exe
Token: SeDebugPrivilege	4432	fontdrvhost.exe
Token: SeDebugPrivilege	1872	fontdrvhost.exe
Token: SeDebugPrivilege	4324	fontdrvhost.exe
Token: SeDebugPrivilege	4644	fontdrvhost.exe
Token: SeDebugPrivilege	1168	spoolsv.exe
Token: SeDebugPrivilege	4620	fontdrvhost.exe
Token: SeDebugPrivilege	3508	explorer.exe
Token: SeDebugPrivilege	2232	dllhost.exe
Token: SeDebugPrivilege	3836	explorer.exe
Token: SeDebugPrivilege	4816	explorer.exe
Token: SeDebugPrivilege	1152	explorer.exe
Token: SeDebugPrivilege	4448	explorer.exe
Token: SeDebugPrivilege	3992	explorer.exe
Token: SeDebugPrivilege	2732	explorer.exe
Token: SeDebugPrivilege	2200	explorer.exe
Token: SeDebugPrivilege	1180	lsass.exe
Token: SeDebugPrivilege	5092	smss.exe
Token: SeDebugPrivilege	4876	upfc.exe
Token: SeDebugPrivilege	3528	explorer.exe
Token: SeDebugPrivilege	2152	explorer.exe
Token: SeDebugPrivilege	1312	explorer.exe
Token: SeDebugPrivilege	4420	explorer.exe
Token: SeDebugPrivilege	3472	explorer.exe
Token: SeDebugPrivilege	2824	explorer.exe
Token: SeDebugPrivilege	4712	explorer.exe
Token: SeDebugPrivilege	404	spoolsv.exe
Token: SeDebugPrivilege	1920	RuntimeBroker.exe
Token: SeDebugPrivilege	392	fontdrvhost.exe
Token: SeDebugPrivilege	4968	explorer.exe
Token: SeDebugPrivilege	1048	SppExtComObj.exe
Token: SeDebugPrivilege	2152	SppExtComObj.exe
Token: SeDebugPrivilege	4204	SppExtComObj.exe
Token: SeDebugPrivilege	228	SppExtComObj.exe
Token: SeDebugPrivilege	4376	SppExtComObj.exe
Token: SeDebugPrivilege	4372	explorer.exe
Token: SeDebugPrivilege	3544	dllhost.exe
Token: SeDebugPrivilege	3096	backgroundTaskHost.exe
Token: SeDebugPrivilege	5044	SppExtComObj.exe
Token: SeDebugPrivilege	624	SppExtComObj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 4912	4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	127
PID 4860 wrote to memory of 4912	4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	127
PID 4860 wrote to memory of 1492	4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	128
PID 4860 wrote to memory of 1492	4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	128
PID 4860 wrote to memory of 4228	4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	129
PID 4860 wrote to memory of 4228	4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	129
PID 4860 wrote to memory of 4368	4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	130
PID 4860 wrote to memory of 4368	4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	130
PID 4860 wrote to memory of 3528	4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	131
PID 4860 wrote to memory of 3528	4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	131
PID 4860 wrote to memory of 1988	4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	132
PID 4860 wrote to memory of 1988	4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	132
PID 4860 wrote to memory of 4732	4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	133
PID 4860 wrote to memory of 4732	4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	133
PID 4860 wrote to memory of 1968	4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	134
PID 4860 wrote to memory of 1968	4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	134
PID 4860 wrote to memory of 2684	4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	136
PID 4860 wrote to memory of 2684	4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	136
PID 4860 wrote to memory of 2036	4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	137
PID 4860 wrote to memory of 2036	4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	137
PID 4860 wrote to memory of 1852	4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	141
PID 4860 wrote to memory of 1852	4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	141
PID 4860 wrote to memory of 408	4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	149
PID 4860 wrote to memory of 408	4860	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	149
PID 408 wrote to memory of 216	408	fontdrvhost.exe	153
PID 408 wrote to memory of 216	408	fontdrvhost.exe	153
PID 408 wrote to memory of 4296	408	fontdrvhost.exe	154
PID 408 wrote to memory of 4296	408	fontdrvhost.exe	154
PID 216 wrote to memory of 2548	216	WScript.exe	163
PID 216 wrote to memory of 2548	216	WScript.exe	163
PID 2548 wrote to memory of 4204	2548	fontdrvhost.exe	165
PID 2548 wrote to memory of 4204	2548	fontdrvhost.exe	165
PID 2548 wrote to memory of 3324	2548	fontdrvhost.exe	166
PID 2548 wrote to memory of 3324	2548	fontdrvhost.exe	166
PID 4204 wrote to memory of 1484	4204	WScript.exe	170
PID 4204 wrote to memory of 1484	4204	WScript.exe	170
PID 1484 wrote to memory of 1792	1484	fontdrvhost.exe	172
PID 1484 wrote to memory of 1792	1484	fontdrvhost.exe	172
PID 1484 wrote to memory of 3648	1484	fontdrvhost.exe	173
PID 1484 wrote to memory of 3648	1484	fontdrvhost.exe	173
PID 1792 wrote to memory of 4052	1792	WScript.exe	174
PID 1792 wrote to memory of 4052	1792	WScript.exe	174
PID 4052 wrote to memory of 1844	4052	fontdrvhost.exe	176
PID 4052 wrote to memory of 1844	4052	fontdrvhost.exe	176
PID 4052 wrote to memory of 1100	4052	fontdrvhost.exe	177
PID 4052 wrote to memory of 1100	4052	fontdrvhost.exe	177
PID 1844 wrote to memory of 2660	1844	WScript.exe	179
PID 1844 wrote to memory of 2660	1844	WScript.exe	179
PID 2660 wrote to memory of 2292	2660	fontdrvhost.exe	181
PID 2660 wrote to memory of 2292	2660	fontdrvhost.exe	181
PID 2660 wrote to memory of 3620	2660	fontdrvhost.exe	182
PID 2660 wrote to memory of 3620	2660	fontdrvhost.exe	182
PID 2292 wrote to memory of 3540	2292	WScript.exe	183
PID 2292 wrote to memory of 3540	2292	WScript.exe	183
PID 3540 wrote to memory of 2204	3540	fontdrvhost.exe	185
PID 3540 wrote to memory of 2204	3540	fontdrvhost.exe	185
PID 3540 wrote to memory of 1632	3540	fontdrvhost.exe	186
PID 3540 wrote to memory of 1632	3540	fontdrvhost.exe	186
PID 2204 wrote to memory of 3776	2204	WScript.exe	187
PID 2204 wrote to memory of 3776	2204	WScript.exe	187
PID 3776 wrote to memory of 2820	3776	fontdrvhost.exe	189
PID 3776 wrote to memory of 2820	3776	fontdrvhost.exe	189
PID 3776 wrote to memory of 3512	3776	fontdrvhost.exe	190
PID 3776 wrote to memory of 3512	3776	fontdrvhost.exe	190

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
C:\Users\Admin\AppData\Local\Temp\6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1852
- C:\Recovery\WindowsRE\fontdrvhost.exe
  "C:\Recovery\WindowsRE\fontdrvhost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:408
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8827f228-5aad-4736-a399-95d34fd26a16.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:216
  - - C:\Recovery\WindowsRE\fontdrvhost.exe
      C:\Recovery\WindowsRE\fontdrvhost.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2548
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c5cb073-b950-46fb-83dc-10e4667cb415.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4204
      - C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f035ea5f-8796-4936-afc9-d256bc2bdbe1.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fd6470f-5c17-4cd8-82ab-7958a7b5835a.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8fc28a7-657e-44ba-96f8-de2072e53ae0.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e61f918-e651-436b-af4f-f52e36c7a562.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f42f7a24-974f-436c-961a-a8cce9b2f5ee.vbs"
        15⤵
        
        PID:2820
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60c715ba-ffb8-4e96-b9a9-3d541029baff.vbs"
        17⤵
        
        PID:3612
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d7844f8-8e69-4614-97bb-8f6ff456227a.vbs"
        19⤵
        
        PID:4020
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\584db7e5-2ac3-4363-971d-896965b110b2.vbs"
        21⤵
        
        PID:2012
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\712a2bd2-0f39-4857-ad57-cdad8f36b25b.vbs"
        23⤵
        
        PID:3140
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7117126-745a-418c-86a2-647800b89965.vbs"
        25⤵
        
        PID:440
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\132816d6-f5a3-4a68-a930-99a3e35ff4da.vbs"
        27⤵
        
        PID:532
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bae0a47e-de0a-4272-9796-e600470b0dc4.vbs"
        29⤵
        
        PID:3416
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fcb20c13-459a-4454-baca-a13d127e5e80.vbs"
        31⤵
        
        PID:456
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b574a844-afee-4abe-a8c8-822980e9d4fa.vbs"
        33⤵
        
        PID:1144
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c988681-5fa9-4828-a2f3-14cff4f8cb15.vbs"
        35⤵
        
        PID:1664
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        36⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcec069f-5e70-4dcb-91de-695e4c076e74.vbs"
        35⤵
        
        PID:100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2ef4e79-dc9c-4752-908b-88a29bd1d929.vbs"
        33⤵
        
        PID:5076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70210c32-92bb-4d03-845f-9c7ca29adcb0.vbs"
        31⤵
        
        PID:3796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98f47450-e542-4285-8a7b-dded956c563a.vbs"
        29⤵
        
        PID:3980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f25f2d88-e4b2-4454-af1c-31a4419d2e88.vbs"
        27⤵
        
        PID:428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fab0956d-29cf-457b-b67f-e2f308253029.vbs"
        25⤵
        
        PID:5100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be6501c1-5ac7-45db-ab3c-7d3e3d8bcac4.vbs"
        23⤵
        
        PID:972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed9cedfc-873e-4aee-8696-d812bdc10a2c.vbs"
        21⤵
        
        PID:2520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f475f26-a6d3-4b37-bdb2-c0d016eec490.vbs"
        19⤵
        
        PID:5096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\728788ec-88d8-4091-9ca3-be5ce471418a.vbs"
        17⤵
        
        PID:4052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0dbc762d-f05b-499c-b7cd-439738767219.vbs"
        15⤵
        
        PID:3512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93ba8bb0-1580-4f80-a7d9-fbd649d632b6.vbs"
        13⤵
        
        PID:1632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc7397c4-68a0-4c76-b83a-3943e1f2bf3e.vbs"
        11⤵
        
        PID:3620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\390f61f1-c978-4616-bf29-55a5538f8f96.vbs"
        9⤵
        
        PID:1100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ee9c516-24e5-4819-a0e5-e04a71158774.vbs"
        7⤵
        
        PID:3648
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99981579-e0db-4f0f-87a9-fcde0d938948.vbs"
        5⤵
        
        PID:3324
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad991fe1-4a21-40c6-8c50-dddc630c7590.vbs"
    3⤵
    PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Music\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Music\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Music\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\Telephony\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Logs\Telephony\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\Logs\Telephony\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\Tasks\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Tasks\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\Tasks\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\ShellExperiences\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\ShellExperiences\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Speech\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Speech\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\Speech\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Windows\IME\en-US\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\IME\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Windows\IME\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default User\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Package Cache\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Package Cache\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Links\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Links\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Links\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\Logs\Telephony\spoolsv.exe
C:\Windows\Logs\Telephony\spoolsv.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe
"C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3508
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a749fb9-2b27-4e7f-9784-2cac012c86cb.vbs"
  2⤵
  PID:228
- - C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe
    "C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:3836
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d76c4fb-22a2-4874-880e-1e5806821381.vbs"
      4⤵
      PID:396
    - - C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4816
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72c500dc-58a9-4857-bc5e-33b57ae1cbae.vbs"
        6⤵
        
        PID:2024
        
        C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08aead5f-68f8-4278-942e-6e56c39c76a5.vbs"
        8⤵
        
        PID:552
        
        C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9ca024d-228c-4098-9353-f6c47296de6c.vbs"
        10⤵
        
        PID:5016
        
        C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96a3aacc-31e0-49a1-8aca-f8f5700b8404.vbs"
        12⤵
        
        PID:4032
        
        C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0375c670-efd0-4efe-9bcd-41646774eda0.vbs"
        14⤵
        
        PID:228
        
        C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d10d6d7f-8135-4a21-8273-254ecee1e16b.vbs"
        16⤵
        
        PID:648
        
        C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26163174-ed7f-4e1d-8e71-f0b27495d2db.vbs"
        18⤵
        
        PID:2236
        
        C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\948a7e53-41a8-4dcc-8497-59c850799968.vbs"
        20⤵
        
        PID:3272
        
        C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfa17b08-f3dd-46ab-b21a-203b2cf6c992.vbs"
        22⤵
        
        PID:5084
        
        C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3da2eb70-8889-4d0a-81c5-2f641e8295d5.vbs"
        24⤵
        
        PID:3428
        
        C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc82e55b-58c8-4819-af57-0a5b312b6c24.vbs"
        26⤵
        
        PID:4732
        
        C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84f4f5da-26d2-4df6-b5a1-d6c7119ca9a3.vbs"
        28⤵
        
        PID:5016
        
        C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4e93551-21a3-4741-b126-2107cbb2b26f.vbs"
        30⤵
        
        PID:1044
        
        C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6175967e-6518-4a07-9254-3676430a3ffe.vbs"
        30⤵
        
        PID:3660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86021497-f824-4228-a034-30d575b267c1.vbs"
        28⤵
        
        PID:1444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83eb5ddd-20af-465b-a944-6c50df02a2b6.vbs"
        26⤵
        
        PID:4020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c3747da-3dcb-42e0-b5f3-2d5faf624590.vbs"
        24⤵
        
        PID:4576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51976353-9c53-444a-991e-9211af25bd61.vbs"
        22⤵
        
        PID:2892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\443984ac-824a-4d55-8db5-45cdfd23b948.vbs"
        20⤵
        
        PID:1796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a8fb0d0-6a9d-434d-b2b4-2fbf5d68a263.vbs"
        18⤵
        
        PID:4288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa33e3a2-904a-4391-9ed1-89f31c391641.vbs"
        16⤵
        
        PID:1772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3be68df-3d5f-4e24-bca2-775788057f23.vbs"
        14⤵
        
        PID:1436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0c73cda-2c84-42b3-ac03-d9b8158f640a.vbs"
        12⤵
        
        PID:1308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cec7fb4a-9f44-47ce-a55c-6c3ec5cb4801.vbs"
        10⤵
        
        PID:3000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\597b9b83-771d-43b6-ab35-99bd7000ed37.vbs"
        8⤵
        
        PID:4872
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15cdab15-2cd8-45fa-95b5-a70d77df3ef5.vbs"
        6⤵
        
        PID:3536
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a538d48-2232-4883-8e79-0369ac3c1298.vbs"
      4⤵
      PID:1496
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6588275-4bbe-4c7d-8151-62b8b16f88d4.vbs"
  2⤵
  PID:2476

C:\Users\Admin\Links\dllhost.exe
C:\Users\Admin\Links\dllhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\Tasks\lsass.exe
C:\Windows\Tasks\lsass.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Windows\ShellExperiences\smss.exe
C:\Windows\ShellExperiences\smss.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Users\Default User\upfc.exe
"C:\Users\Default User\upfc.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4876

C:\Windows\Logs\Telephony\spoolsv.exe
C:\Windows\Logs\Telephony\spoolsv.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:404

C:\Users\Admin\Music\RuntimeBroker.exe
C:\Users\Admin\Music\RuntimeBroker.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Users\Public\Pictures\fontdrvhost.exe
C:\Users\Public\Pictures\fontdrvhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:392

C:\Program Files\Windows Mail\SppExtComObj.exe
"C:\Program Files\Windows Mail\SppExtComObj.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1048
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb0e09b3-c8b8-4fb4-86fc-ab7fe683af49.vbs"
  2⤵
  PID:3288
- - C:\Program Files\Windows Mail\SppExtComObj.exe
    "C:\Program Files\Windows Mail\SppExtComObj.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:2152
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\557e86ed-ea92-4d4d-84dd-43a1a5d0c8f1.vbs"
      4⤵
      PID:212
    - - C:\Program Files\Windows Mail\SppExtComObj.exe
        
        "C:\Program Files\Windows Mail\SppExtComObj.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4204
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea924071-d73b-479d-85c4-dda3b5f18638.vbs"
        6⤵
        
        PID:2704
        
        C:\Program Files\Windows Mail\SppExtComObj.exe
        
        "C:\Program Files\Windows Mail\SppExtComObj.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30dcfa30-03a5-4cb2-bc8a-1d5db84bfdba.vbs"
        8⤵
        
        PID:3460
        
        C:\Program Files\Windows Mail\SppExtComObj.exe
        
        "C:\Program Files\Windows Mail\SppExtComObj.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a517aef7-f9dc-496d-9ade-600f84a9e252.vbs"
        10⤵
        
        PID:3312
        
        C:\Program Files\Windows Mail\SppExtComObj.exe
        
        "C:\Program Files\Windows Mail\SppExtComObj.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d61b8df-cf22-4588-a0f4-d775b3e4c96d.vbs"
        12⤵
        
        PID:2900
        
        C:\Program Files\Windows Mail\SppExtComObj.exe
        
        "C:\Program Files\Windows Mail\SppExtComObj.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\593d870e-6d67-433d-bfe3-a50f6bf8788d.vbs"
        14⤵
        
        PID:4728
        
        C:\Program Files\Windows Mail\SppExtComObj.exe
        
        "C:\Program Files\Windows Mail\SppExtComObj.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf6699df-1796-41ac-bcae-d0d8793e1759.vbs"
        16⤵
        
        PID:452
        
        C:\Program Files\Windows Mail\SppExtComObj.exe
        
        "C:\Program Files\Windows Mail\SppExtComObj.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\beacec11-0741-4064-b81a-9db2d73c344a.vbs"
        18⤵
        
        PID:1612
        
        C:\Program Files\Windows Mail\SppExtComObj.exe
        
        "C:\Program Files\Windows Mail\SppExtComObj.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2de5b41f-0157-4678-83f2-f0faf452924a.vbs"
        20⤵
        
        PID:2948
        
        C:\Program Files\Windows Mail\SppExtComObj.exe
        
        "C:\Program Files\Windows Mail\SppExtComObj.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fce79ac-9e36-4397-aef0-04261c83162d.vbs"
        22⤵
        
        PID:3048
        
        C:\Program Files\Windows Mail\SppExtComObj.exe
        
        "C:\Program Files\Windows Mail\SppExtComObj.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8214c1b8-3440-44bf-bc7f-c174bf77824e.vbs"
        24⤵
        
        PID:3228
        
        C:\Program Files\Windows Mail\SppExtComObj.exe
        
        "C:\Program Files\Windows Mail\SppExtComObj.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27e16233-79dc-4463-bf6f-625acf64b3dc.vbs"
        26⤵
        
        PID:4936
        
        C:\Program Files\Windows Mail\SppExtComObj.exe
        
        "C:\Program Files\Windows Mail\SppExtComObj.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80fb64a0-e55b-4619-8cc0-c4608b2082b0.vbs"
        28⤵
        
        PID:1900
        
        C:\Program Files\Windows Mail\SppExtComObj.exe
        
        "C:\Program Files\Windows Mail\SppExtComObj.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bd502d5-c379-41a5-b906-1f5ac88d31ef.vbs"
        30⤵
        
        PID:2740
        
        C:\Program Files\Windows Mail\SppExtComObj.exe
        
        "C:\Program Files\Windows Mail\SppExtComObj.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b83bf73f-10cc-4db4-a01e-95059bfd0a52.vbs"
        32⤵
        
        PID:4616
        
        C:\Program Files\Windows Mail\SppExtComObj.exe
        
        "C:\Program Files\Windows Mail\SppExtComObj.exe"
        33⤵
        Executes dropped EXE
        
        PID:4448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75f332cb-8142-4c95-9125-aeca247e9b67.vbs"
        32⤵
        
        PID:1620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9eddd31-a4ea-4acc-b5e4-62b738373ba0.vbs"
        30⤵
        
        PID:4640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fe8e6be-6346-4433-ae02-8bf424459c8e.vbs"
        28⤵
        
        PID:1152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30199e54-10d0-4b37-922d-f0c928f3f3aa.vbs"
        26⤵
        
        PID:3116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e12018bc-699d-4add-ab69-1c8d6d136a5a.vbs"
        24⤵
        
        PID:1296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\810094ac-346e-4679-ae3b-dfd6abedc897.vbs"
        22⤵
        
        PID:1092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\243a80d7-8078-4d24-bf7b-e5172d302f19.vbs"
        20⤵
        
        PID:1196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84593f38-d1d9-4963-a825-7643a598c46e.vbs"
        18⤵
        
        PID:4760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea9beb3a-def8-4a5b-9d5b-9cc96cbe3d24.vbs"
        16⤵
        
        PID:396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc70b9b8-502b-453f-9dc4-b4b7d18c75aa.vbs"
        14⤵
        
        PID:4880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a4b3aa6-4eff-4e69-876a-ea9fc0feeeac.vbs"
        12⤵
        
        PID:1744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2232718a-7672-459f-9d37-e1bf3c68cdce.vbs"
        10⤵
        
        PID:4588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c493eb91-e108-4f6d-b359-c82c08b18f65.vbs"
        8⤵
        
        PID:400
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e856c0c-764e-430f-9b6c-ad3ec7dfe24c.vbs"
        6⤵
        
        PID:4004
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac1ebe08-f0db-453a-bcfb-2ea4655d9a4e.vbs"
      4⤵
      PID:1876
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\309c1872-e36b-4b90-bf40-086b408d940a.vbs"
  2⤵
  PID:1372

C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe
"C:\Program Files\Microsoft Office 15\ClientX64\explorer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4372

C:\Users\Admin\Links\dllhost.exe
C:\Users\Admin\Links\dllhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Windows\IME\en-US\backgroundTaskHost.exe
C:\Windows\IME\en-US\backgroundTaskHost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3096

C:\Windows\Logs\Telephony\spoolsv.exe
C:\Windows\Logs\Telephony\spoolsv.exe
1⤵
- Executes dropped EXE
PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
1.7MB

MD5
0624cb81236f6a0e8d0487a766458088

SHA1
36ea7baa5b367c60269eb1a277bd5ad4bc41b54b

SHA256
6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8

SHA512
742d2c2d154133ba9b38c67b59fb4ddbcd16b8b420c8e7fbd14a4c4283c8a875ae62d17924a53b000caf04f5b627d15f031b12e7f98821f03079451008b86553

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\upfc.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\132816d6-f5a3-4a68-a930-99a3e35ff4da.vbs

Filesize
713B

MD5
72cbf020f5443660286ff41d29fd099c

SHA1
533e5c4f5e60f9c4838694cb9ac89c028b805350

SHA256
15dee952247a6effb957b5f5eb56f440ae99208956056c6a0f5b191e29bdb8a6

SHA512
58aeb11c9fb54874323e9b8b99d014f0c27bdff7cd2b144c03925e343ce5024cd59c466bbf7cd5035ed22c57ed406a57324fb8718c559fa1f4ff313b880d0215

Download Submit
C:\Users\Admin\AppData\Local\Temp\2e61f918-e651-436b-af4f-f52e36c7a562.vbs

Filesize
713B

MD5
93fa629784561e548383d2a3800d626e

SHA1
5dd965661ade3f149e3ed84d2867c72c2bbeb28d

SHA256
8ffe4025c4755165d6317cb6149969134d9a3569184ee20da0482a3074b0fb04

SHA512
a7ac3f851a5542c13474621d9bf63508473d67b1ad008ed0005888b2db897cf743aad5ac0ec0feed6b6bb53c4c5b4163931afe12ef06797ae7c2d1080ffd3403

Download Submit
C:\Users\Admin\AppData\Local\Temp\584db7e5-2ac3-4363-971d-896965b110b2.vbs

Filesize
713B

MD5
a0be9bd9e5a26e3c925241c9466b380d

SHA1
b8da59eb2d1d65f86bfc3f83ee18d754bdcbce87

SHA256
6b15cd4057476d272d6194bd13938137b469315f80d8a7e5a834aba5f57e2a92

SHA512
2e43fd4fd64422d15a2ce1722d1fec9fb126c455e5f86e7e870a924ed5d0fe21897f7750117499954853a3ebcccb417df76994bb6b02f00723df2128c7d0a995

Download Submit
C:\Users\Admin\AppData\Local\Temp\60c715ba-ffb8-4e96-b9a9-3d541029baff.vbs

Filesize
713B

MD5
71a139b74b00c33eecf9a5d80760938c

SHA1
dafe90119250d077d75f0817beb7d75f81856157

SHA256
6f27c24cf5360c0558a18597d00ebb809b785fdea39a2b49a0674ee25e853fe7

SHA512
40b26959706817e007f302283dbdce567e859520227343de7c4a9ae2da44d5faeed7be4c97009a42a203696dcb5d9f0e7e0787bddf120454f837f5c55d0ac4e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\712a2bd2-0f39-4857-ad57-cdad8f36b25b.vbs

Filesize
713B

MD5
8d66c4bf9cd5aa99a4b5217dd1a156df

SHA1
28b9d35792043ba38ac248d817816f09ebfd2192

SHA256
7b8f35ea0fe7ae66ce1f99b6a83e6db8c3e5e47883870ccc86edeeefec609b17

SHA512
8ac5875d9f576a77807fe9b90783181a749dc29194f0bd00906b72a6b77ba84daa9500bced041e4f2f54fd75c363801d6337df410d1ce95133546a43d867098b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7a538d48-2232-4883-8e79-0369ac3c1298.vbs

Filesize
511B

MD5
a9dba59dabd4f4b0f38ed7982b9b3b1f

SHA1
3d7155c077f8d7c1400035e4fb7c77a5915fb187

SHA256
180c737fbede1ff7e287bb4a6e235528f983e2d9137a090de964b938bab7e208

SHA512
e46c039d17cc63e983702cde2dc3840ea4e83b1dbd887d6e41d9c07e250342cb44c6533ba3db727e9bf6469ca1a408c09504e6de12bc8613dfbdc3f98d79bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\8827f228-5aad-4736-a399-95d34fd26a16.vbs

Filesize
712B

MD5
11dc84b88eb8873421a99373078ee9c5

SHA1
13637727b637277f67fdb075d7ec5e70e102bdcc

SHA256
ded5f818c705c4f35d8a61c2abfbb70a9c0dadc2f2c1a570fa4d12c292f7fba3

SHA512
6a743ca0e1840ef33c37a6a3b083bfe23cd6916fd607412692d23ef0225a2ffc9094fa8045c2fb59cee4b6afe4049f27a1db07af7c51ebb7b5077ff5b531a976

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d7844f8-8e69-4614-97bb-8f6ff456227a.vbs

Filesize
713B

MD5
8d5c6d6a1abbc714ec8dd6a03142a0e5

SHA1
1c9f43726753d702e3e207fd1129a9d79e2b3e40

SHA256
a89a8f963d0ace32a3e439561618916b002f7ec3be5006cae6f3646b465a78c3

SHA512
027f8180ef292e989614d2083bc3c9d865077ccea9e8242bd872a2713bfdbc7af1204658b71b02b1ab399828ee95106320a7a7364f6710066c527b1f5f666e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\8fd6470f-5c17-4cd8-82ab-7958a7b5835a.vbs

Filesize
713B

MD5
6ac51c29d54dcb40ed2a1f093318181b

SHA1
d8bb6f6c4cb795e6680596b8245e4b85be9c9aea

SHA256
2a873922412043414c26e87365b7dc9d68e3c470797baf30a393c99a293a4554

SHA512
a415d66e16e77bfc9e1b7890d553fa578ed5b992687151af349285a5ceb4c2fdf15acdd93b2db3b028ee44d2f1abfb9ba3ddad5ec091f2bbc08e4e1f8bd756d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c5cb073-b950-46fb-83dc-10e4667cb415.vbs

Filesize
713B

MD5
17b0c15036018de4bb6cd8e040cd9b11

SHA1
19bb096b3ee490ff9a00ea11de9705ee2925e073

SHA256
763970966f7ca3a03d2f061b8e8b8de8b3cd1dcab5a9d68c7b7f878172182640

SHA512
4b77bf61826105c89927127387343ad15a1552f918425b2bf76a6262f89b516baadf17a40e6593addb5dd32deac56eeceabe620d4c2a5446bcec52e04fb53a3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2hzop5mx.oj5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac1ebe08-f0db-453a-bcfb-2ea4655d9a4e.vbs

Filesize
498B

MD5
ab61390ed1820df964bd9bdd9747d082

SHA1
9769de666e167e26212808d6f23c9e74e150af7e

SHA256
9fdf909cd3b8c9170e79a71e419f42e641be8edb017944dbe17a64085d980240

SHA512
6b403a8e9adb0440db78af9f4cd6a35393555fb7bac2bdfeb38f0d32bbe392aba7dd44dfc5bfc1684dda2717c543325318567b21e94e58eb970e4a0ae1440c81

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad991fe1-4a21-40c6-8c50-dddc630c7590.vbs

Filesize
489B

MD5
183b1d2fe9b4f7a963b2b9035a68f3f7

SHA1
9b5d32f26d09cd0734e2be6b8eae30e9ffa36adf

SHA256
92900311a991c0e01984de1dc185ea9e6e743e2655fb69db5df8d73e5e20e713

SHA512
bce3510f32719a05b14497f759ef784660f75e8911ea7c08e91b74b5b3a3616f61d8cb24dc00cb4b94fcfb6e80f1d87f79cbe6592ff5c4b39c52575b80df32e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8fc28a7-657e-44ba-96f8-de2072e53ae0.vbs

Filesize
713B

MD5
47da5cc2795f986f10d617791995333a

SHA1
b0cb7a2111df83c178d569142fdc1d48883239f7

SHA256
22984323c2a764f20e33cecbe196497e2bcd1d52642381daecb341cfef521c02

SHA512
93b5eaf78c55452a89ca94185feccabb803948161c9e96f7955cc9b99b9c09741d0c581da8942086c0f3c1fa5dc2d05409677ac8e01ee6496c6fa722a2654e0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d7117126-745a-418c-86a2-647800b89965.vbs

Filesize
713B

MD5
c19e6aedb8cd021d1a486a152a4a8969

SHA1
65efafa689726213fa8fd1474a8a615a8a13abf0

SHA256
5f4752a9350b8e99097aee98a5100aa34e65124d02f606c9281e1664e0b72e4c

SHA512
ef6408f122bdcaafdc9a741c93554f466ef5d4b3fba85e6f88711b0906e309d1b391ec90d68874c351648d1a0ae0ba6f8c7d515d25a5010984a8b4a3dffe6bb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\f035ea5f-8796-4936-afc9-d256bc2bdbe1.vbs

Filesize
713B

MD5
91994a909da09c86bbb5ae78cc2f431d

SHA1
cda95f7b21a8e421e8fb33a1ea00b85daab918ef

SHA256
eba58013526a1139dc8aac88217ecb0af8a67b0fd654e9270a4e4e5052ef117b

SHA512
a2f0f3697f298ced184379fd36f3c84eeccdc5860bef728ceb0006b30994237cae84d95396333ebb19d058d62113d3b2c6024644bf50bdf38562eb362826381c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f42f7a24-974f-436c-961a-a8cce9b2f5ee.vbs

Filesize
713B

MD5
5d15609ac660ad35187da9350ed296bf

SHA1
ba35ee22c317c7eb6ef2889c6656e282e3d04250

SHA256
324d4b06d60764482fdf46692080aeabb6b77482819ed6c968cb1e890151e28d

SHA512
009850627c19c40d0d50e8a2c36b6afd47a7109b906adfacf307b54a15b0df6dfbaab70c538ee639e9550b5de3b611fdfaef259fbbc53bcc3e3ce961ecc99b68

Download Submit
C:\Users\Default\upfc.exe

Filesize
1.7MB

MD5
1ff05441e01512e7ff54bd515b80f853

SHA1
4beec7962a80afcada3516401e92b3bf74a3f65e

SHA256
89542811899b437feb9cda26245944be677498b54619d5eb55449ddbffd1c2e8

SHA512
ca2706698b6d732266d2e08c74ab8ede241ed3f3f472d5e1bcec791350a264eaee6519a3e2c4c76ed9723e958e99dc7c47957ddd9138ab8ed53899922bfda7e7

Download Submit
C:\Windows\IME\en-US\RCXA280.tmp

Filesize
1.7MB

MD5
9fb150fb811f6f1136d556f67c5ac780

SHA1
a94d410cb41cea8676fa8aa6baed66bb2a1e266f

SHA256
c1f43008b7efc99c61d7f9e577c04cac8ef0346cadbedc5d743412f19856e13d

SHA512
8a63e4e13a72b740e169948c77d388ed4140de510125a9e625a2244e753db4bb5a62e4939e1454350aae45ac6ea1f8bbf3349938863ed3e23276905467abfcb4

Download Submit
memory/1140-530-0x000000001BAF0000-0x000000001BB02000-memory.dmp

Filesize
72KB

Download
memory/1596-484-0x000000001B840000-0x000000001B852000-memory.dmp

Filesize
72KB

Download
memory/1712-790-0x000000001B480000-0x000000001B492000-memory.dmp

Filesize
72KB

Download
memory/2660-450-0x000000001B750000-0x000000001B762000-memory.dmp

Filesize
72KB

Download
memory/3668-798-0x0000000001200000-0x0000000001212000-memory.dmp

Filesize
72KB

Download
memory/4204-710-0x000000001B100000-0x000000001B112000-memory.dmp

Filesize
72KB

Download
memory/4324-566-0x00000000024A0000-0x00000000024B2000-memory.dmp

Filesize
72KB

Download
memory/4720-761-0x00000000031F0000-0x0000000003202000-memory.dmp

Filesize
72KB

Download
memory/4732-269-0x0000027374B30000-0x0000027374B52000-memory.dmp

Filesize
136KB

Download
memory/4816-598-0x00000000028E0000-0x00000000028F2000-memory.dmp

Filesize
72KB

Download
memory/4860-16-0x000000001B560000-0x000000001B56E000-memory.dmp

Filesize
56KB

Download
memory/4860-5-0x0000000001040000-0x0000000001048000-memory.dmp

Filesize
32KB

Download
memory/4860-12-0x000000001B3B0000-0x000000001B3C2000-memory.dmp

Filesize
72KB

Download
memory/4860-10-0x000000001B3A0000-0x000000001B3A8000-memory.dmp

Filesize
32KB

Download
memory/4860-13-0x000000001C190000-0x000000001C6B8000-memory.dmp

Filesize
5.2MB

Download
memory/4860-14-0x000000001B3E0000-0x000000001B3EC000-memory.dmp

Filesize
48KB

Download
memory/4860-7-0x0000000002970000-0x0000000002986000-memory.dmp

Filesize
88KB

Download
memory/4860-18-0x000000001B580000-0x000000001B58C000-memory.dmp

Filesize
48KB

Download
memory/4860-17-0x000000001B570000-0x000000001B578000-memory.dmp

Filesize
32KB

Download
memory/4860-8-0x0000000002990000-0x00000000029A0000-memory.dmp

Filesize
64KB

Download
memory/4860-0-0x00007FFCD54B3000-0x00007FFCD54B5000-memory.dmp

Filesize
8KB

Download
memory/4860-4-0x000000001B3F0000-0x000000001B440000-memory.dmp

Filesize
320KB

Download
memory/4860-23-0x00007FFCD54B0000-0x00007FFCD5F71000-memory.dmp

Filesize
10.8MB

Download
memory/4860-9-0x0000000002AB0000-0x0000000002ABC000-memory.dmp

Filesize
48KB

Download
memory/4860-19-0x000000001B590000-0x000000001B59C000-memory.dmp

Filesize
48KB

Download
memory/4860-6-0x0000000002960000-0x0000000002970000-memory.dmp

Filesize
64KB

Download
memory/4860-22-0x00007FFCD54B0000-0x00007FFCD5F71000-memory.dmp

Filesize
10.8MB

Download
memory/4860-3-0x0000000002940000-0x000000000295C000-memory.dmp

Filesize
112KB

Download
memory/4860-381-0x00007FFCD54B0000-0x00007FFCD5F71000-memory.dmp

Filesize
10.8MB

Download
memory/4860-2-0x00007FFCD54B0000-0x00007FFCD5F71000-memory.dmp

Filesize
10.8MB

Download
memory/4860-365-0x00007FFCD54B0000-0x00007FFCD5F71000-memory.dmp

Filesize
10.8MB

Download
memory/4860-15-0x000000001B440000-0x000000001B44A000-memory.dmp

Filesize
40KB

Download
memory/4860-1-0x0000000000670000-0x0000000000830000-memory.dmp

Filesize
1.8MB

Download
memory/4860-195-0x00007FFCD54B0000-0x00007FFCD5F71000-memory.dmp

Filesize
10.8MB

Download
memory/4860-194-0x00007FFCD54B0000-0x00007FFCD5F71000-memory.dmp

Filesize
10.8MB

Download
memory/4860-170-0x00007FFCD54B3000-0x00007FFCD54B5000-memory.dmp

Filesize
8KB

Download
memory/4876-641-0x0000000000A30000-0x0000000000BF0000-memory.dmp

Filesize
1.8MB

Download
memory/5056-518-0x000000001BBC0000-0x000000001BBD2000-memory.dmp

Filesize
72KB

Download