dcrat | 4bcbb8983fe7425976c5a1789deff73fb138e80981f5ebfef1f835bcc6757760

Resubmissions

08/04/2025, 14:11

250408-rhjmcsvp15 10

22/03/2025, 06:18

250322-g2ywaay1fy 10

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2025, 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
Size

1.6MB
MD5

52e4554ec87085ec0d31bca66d35df00
SHA1

3196fc8f3064b5d80cd8829c0b3fd6730b2141c0
SHA256

f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93
SHA512

04070464d0489ec88509dc767f9c5f0db4dc2e1b3bb06ac3719441a5a923172d9fcac478dfab1b7ad4cdd2bbc0a39f77c6dd0d5d256dfd82d474e74e1b9af899
SSDEEP

24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5276	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5256	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3848	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4256	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4344	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3428	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5492	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5496	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3444	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4284	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5568	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5632	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5312	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3096	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	708	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5500	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5488	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	876	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	876	schtasks.exe	89

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral28/memory/2428-1-0x00000000005F0000-0x0000000000792000-memory.dmp	dcrat
behavioral28/files/0x00040000000229c8-28.dat	dcrat
behavioral28/files/0x000e0000000240e2-47.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 36 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3200	powershell.exe
5872	powershell.exe
5380	powershell.exe
2888	powershell.exe
2824	powershell.exe
2676	powershell.exe
4320	powershell.exe
5432	powershell.exe
3152	powershell.exe
2028	powershell.exe
5448	powershell.exe
3244	powershell.exe
2572	powershell.exe
1340	powershell.exe
4868	powershell.exe
4300	powershell.exe
1456	powershell.exe
2768	powershell.exe
4068	powershell.exe
6120	powershell.exe
5652	powershell.exe
3424	powershell.exe
1220	powershell.exe
5648	powershell.exe
2052	powershell.exe
4612	powershell.exe
3904	powershell.exe
3680	powershell.exe
4876	powershell.exe
696	powershell.exe
3268	powershell.exe
5492	powershell.exe
5260	powershell.exe
4316	powershell.exe
5176	powershell.exe
4884	powershell.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	TextInputHost.exe

Executes dropped EXE 13 IoCs

pid	Process
1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
1020	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
2720	TextInputHost.exe
4696	TextInputHost.exe
1920	TextInputHost.exe
2768	TextInputHost.exe
5916	TextInputHost.exe
3372	TextInputHost.exe
5644	TextInputHost.exe
3840	TextInputHost.exe
4944	TextInputHost.exe
752	TextInputHost.exe
3688	TextInputHost.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\TextInputHost.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access_output\RCX7062.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files\edge_BITS_4604_1784435341\RuntimeBroker.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files\edge_BITS_4604_1784435341\f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files\edge_BITS_4420_2042165253\MoUsoCoreWorker.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files\Java\jre-1.8\TextInputHost.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files (x86)\Internet Explorer\images\upfc.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\dllhost.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\088424020bedd6	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\dllhost.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files\edge_BITS_4604_1784435341\f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\RuntimeBroker.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access_output\RuntimeBroker.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access_output\RuntimeBroker.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files\Windows NT\Accessories\wininit.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files\Windows NT\Accessories\56085415360792	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access_output\RCX6FE4.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files\edge_BITS_4604_1784435341\RuntimeBroker.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files\edge_BITS_4604_1784435341\9e8d7a4ca61bd9	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\wininit.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files\Java\jre-1.8\22eafd247d37c3	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\e1ef82546f0b02	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files\edge_BITS_4604_1784435341\24e59622c34364	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files\edge_BITS_4420_2042165253\MoUsoCoreWorker.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files\edge_BITS_4420_2042165253\1f93f77a7f4778	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\5940a34987c991	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access_output\9e8d7a4ca61bd9	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\images\upfc.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files (x86)\Internet Explorer\images\ea1d8f6d871115	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\RuntimeBroker.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\9e8d7a4ca61bd9	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\PolicyDefinitions\it-IT\unsecapp.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Windows\Boot\Registry.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Windows\schemas\CodeIntegrity\ExamplePolicies\RuntimeBroker.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Windows\schemas\CodeIntegrity\ExamplePolicies\9e8d7a4ca61bd9	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Windows\SchCache\smss.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Windows\PolicyDefinitions\it-IT\unsecapp.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Windows\PolicyDefinitions\it-IT\29c1c3cc0f7685	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Windows\PolicyDefinitions\it-IT\RCX6DCF.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Windows\assembly\f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Windows\assembly\24e59622c34364	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Windows\SchCache\smss.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Windows\PolicyDefinitions\it-IT\RCX6DD0.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Windows\assembly\f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Windows\schemas\CodeIntegrity\ExamplePolicies\RuntimeBroker.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Windows\SchCache\69ddcba757bf72	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	TextInputHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5492	schtasks.exe
3444	schtasks.exe
3020	schtasks.exe
708	schtasks.exe
5500	schtasks.exe
2396	schtasks.exe
1940	schtasks.exe
4052	schtasks.exe
4344	schtasks.exe
1520	schtasks.exe
2392	schtasks.exe
432	schtasks.exe
4284	schtasks.exe
2680	schtasks.exe
4508	schtasks.exe
3736	schtasks.exe
1488	schtasks.exe
1164	schtasks.exe
4428	schtasks.exe
1856	schtasks.exe
4592	schtasks.exe
5256	schtasks.exe
5312	schtasks.exe
3096	schtasks.exe
4364	schtasks.exe
640	schtasks.exe
2356	schtasks.exe
4448	schtasks.exe
4256	schtasks.exe
3928	schtasks.exe
2168	schtasks.exe
3032	schtasks.exe
3980	schtasks.exe
3100	schtasks.exe
5928	schtasks.exe
4672	schtasks.exe
4508	schtasks.exe
772	schtasks.exe
4132	schtasks.exe
516	schtasks.exe
3656	schtasks.exe
4000	schtasks.exe
4400	schtasks.exe
5356	schtasks.exe
2092	schtasks.exe
4016	schtasks.exe
5676	schtasks.exe
2768	schtasks.exe
2876	schtasks.exe
4892	schtasks.exe
1576	schtasks.exe
3156	schtasks.exe
5276	schtasks.exe
5116	schtasks.exe
5632	schtasks.exe
1880	schtasks.exe
5488	schtasks.exe
4200	schtasks.exe
3204	schtasks.exe
2200	schtasks.exe
3428	schtasks.exe
2180	schtasks.exe
3348	schtasks.exe
2132	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2428	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
2428	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
2428	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
2428	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
2428	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
4612	powershell.exe
4612	powershell.exe
4876	powershell.exe
4876	powershell.exe
4868	powershell.exe
4868	powershell.exe
4612	powershell.exe
4868	powershell.exe
4876	powershell.exe
1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
4316	powershell.exe
4316	powershell.exe
4068	powershell.exe
4068	powershell.exe
2824	powershell.exe
2824	powershell.exe
2768	powershell.exe
2768	powershell.exe
4300	powershell.exe
4300	powershell.exe
1456	powershell.exe
1456	powershell.exe
5260	powershell.exe
5260	powershell.exe
4320	powershell.exe
4320	powershell.exe
2676	powershell.exe
2676	powershell.exe
696	powershell.exe
696	powershell.exe
5872	powershell.exe
5872	powershell.exe
3904	powershell.exe
3904	powershell.exe
3200	powershell.exe
3200	powershell.exe
696	powershell.exe
4316	powershell.exe
4300	powershell.exe
5260	powershell.exe
2768	powershell.exe
2824	powershell.exe
4068	powershell.exe
4320	powershell.exe
1456	powershell.exe
5872	powershell.exe
2676	powershell.exe
3904	powershell.exe
3200	powershell.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	2428	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
Token: SeDebugPrivilege	4612	powershell.exe
Token: SeDebugPrivilege	4876	powershell.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
Token: SeDebugPrivilege	4316	powershell.exe
Token: SeDebugPrivilege	4068	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	5260	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	4320	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	696	powershell.exe
Token: SeDebugPrivilege	5872	powershell.exe
Token: SeDebugPrivilege	3904	powershell.exe
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeDebugPrivilege	1020	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
Token: SeDebugPrivilege	5432	powershell.exe
Token: SeDebugPrivilege	3152	powershell.exe
Token: SeDebugPrivilege	5652	powershell.exe
Token: SeDebugPrivilege	5448	powershell.exe
Token: SeDebugPrivilege	5176	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	3244	powershell.exe
Token: SeDebugPrivilege	3268	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	5380	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	6120	powershell.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	3424	powershell.exe
Token: SeDebugPrivilege	3680	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	5492	powershell.exe
Token: SeDebugPrivilege	5648	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	2720	TextInputHost.exe
Token: SeDebugPrivilege	4696	TextInputHost.exe
Token: SeDebugPrivilege	1920	TextInputHost.exe
Token: SeDebugPrivilege	2768	TextInputHost.exe
Token: SeDebugPrivilege	5916	TextInputHost.exe
Token: SeDebugPrivilege	3372	TextInputHost.exe
Token: SeDebugPrivilege	5644	TextInputHost.exe
Token: SeDebugPrivilege	3840	TextInputHost.exe
Token: SeDebugPrivilege	4944	TextInputHost.exe
Token: SeDebugPrivilege	752	TextInputHost.exe
Token: SeDebugPrivilege	3688	TextInputHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 4868	2428	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	99
PID 2428 wrote to memory of 4868	2428	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	99
PID 2428 wrote to memory of 4876	2428	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	100
PID 2428 wrote to memory of 4876	2428	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	100
PID 2428 wrote to memory of 4612	2428	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	101
PID 2428 wrote to memory of 4612	2428	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	101
PID 2428 wrote to memory of 6140	2428	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	105
PID 2428 wrote to memory of 6140	2428	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	105
PID 6140 wrote to memory of 1212	6140	cmd.exe	107
PID 6140 wrote to memory of 1212	6140	cmd.exe	107
PID 6140 wrote to memory of 1880	6140	cmd.exe	109
PID 6140 wrote to memory of 1880	6140	cmd.exe	109
PID 1880 wrote to memory of 4300	1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	148
PID 1880 wrote to memory of 4300	1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	148
PID 1880 wrote to memory of 4320	1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	149
PID 1880 wrote to memory of 4320	1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	149
PID 1880 wrote to memory of 5872	1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	150
PID 1880 wrote to memory of 5872	1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	150
PID 1880 wrote to memory of 4316	1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	151
PID 1880 wrote to memory of 4316	1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	151
PID 1880 wrote to memory of 4068	1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	153
PID 1880 wrote to memory of 4068	1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	153
PID 1880 wrote to memory of 3200	1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	154
PID 1880 wrote to memory of 3200	1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	154
PID 1880 wrote to memory of 2676	1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	156
PID 1880 wrote to memory of 2676	1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	156
PID 1880 wrote to memory of 696	1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	157
PID 1880 wrote to memory of 696	1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	157
PID 1880 wrote to memory of 2824	1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	158
PID 1880 wrote to memory of 2824	1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	158
PID 1880 wrote to memory of 2768	1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	160
PID 1880 wrote to memory of 2768	1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	160
PID 1880 wrote to memory of 5260	1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	161
PID 1880 wrote to memory of 5260	1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	161
PID 1880 wrote to memory of 1456	1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	162
PID 1880 wrote to memory of 1456	1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	162
PID 1880 wrote to memory of 3904	1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	163
PID 1880 wrote to memory of 3904	1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	163
PID 1880 wrote to memory of 2388	1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	174
PID 1880 wrote to memory of 2388	1880	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	174
PID 2388 wrote to memory of 2080	2388	cmd.exe	176
PID 2388 wrote to memory of 2080	2388	cmd.exe	176
PID 2388 wrote to memory of 1020	2388	cmd.exe	177
PID 2388 wrote to memory of 1020	2388	cmd.exe	177
PID 1020 wrote to memory of 3680	1020	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	236
PID 1020 wrote to memory of 3680	1020	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	236
PID 1020 wrote to memory of 6120	1020	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	237
PID 1020 wrote to memory of 6120	1020	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	237
PID 1020 wrote to memory of 5176	1020	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	238
PID 1020 wrote to memory of 5176	1020	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	238
PID 1020 wrote to memory of 2028	1020	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	239
PID 1020 wrote to memory of 2028	1020	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	239
PID 1020 wrote to memory of 5380	1020	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	240
PID 1020 wrote to memory of 5380	1020	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	240
PID 1020 wrote to memory of 5432	1020	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	241
PID 1020 wrote to memory of 5432	1020	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	241
PID 1020 wrote to memory of 1220	1020	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	242
PID 1020 wrote to memory of 1220	1020	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	242
PID 1020 wrote to memory of 5448	1020	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	243
PID 1020 wrote to memory of 5448	1020	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	243
PID 1020 wrote to memory of 3152	1020	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	244
PID 1020 wrote to memory of 3152	1020	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	244
PID 1020 wrote to memory of 5652	1020	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	245
PID 1020 wrote to memory of 5652	1020	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	245

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
"C:\Users\Admin\AppData\Local\Temp\f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\it-IT\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\plugins\access_output\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4612
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6bOuYaabJ9.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6140
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1212
- - C:\Users\Admin\AppData\Local\Temp\f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
    "C:\Users\Admin\AppData\Local\Temp\f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1880
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4300
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4320
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\csrss.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5872
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7e20f84d5244aba7145631d4073af8\winlogon.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4316
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4604_1784435341\RuntimeBroker.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4068
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\csrss.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3200
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\conhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2676
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\images\upfc.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\wininit.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2824
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2768
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\it-IT\dllhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5260
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\sppsvc.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1456
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3904
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9rtY8HP7wY.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2388
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:2080
    - - C:\Users\Admin\AppData\Local\Temp\f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1020
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3680
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\fontdrvhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:6120
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5176
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7e20f84d5244aba7145631d4073af8\fontdrvhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\RuntimeBroker.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5380
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Application Data\StartMenuExperienceHost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5432
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\dwm.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5448
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\sysmon.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3152
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre-1.8\TextInputHost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5652
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7e20f84d5244aba7145631d4073af8\csrss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\sihost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4884
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\smss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3244
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4604_1784435341\f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4420_2042165253\MoUsoCoreWorker.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\Registry.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3424
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7e20f84d5244aba7145631d4073af8\wininit.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3268
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5648
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5492
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\RuntimeBroker.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
      - C:\Program Files\Java\jre-1.8\TextInputHost.exe
        
        "C:\Program Files\Java\jre-1.8\TextInputHost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c70806f1-2966-46c8-a370-9aad43bbf651.vbs"
        7⤵
        
        PID:2080
        
        C:\Program Files\Java\jre-1.8\TextInputHost.exe
        
        "C:\Program Files\Java\jre-1.8\TextInputHost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7009584f-dfdb-4974-91c7-3ff4715ebac1.vbs"
        9⤵
        
        PID:5488
        
        C:\Program Files\Java\jre-1.8\TextInputHost.exe
        
        "C:\Program Files\Java\jre-1.8\TextInputHost.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50d4cdda-6c72-403f-a341-999c56b6e722.vbs"
        11⤵
        
        PID:3872
        
        C:\Program Files\Java\jre-1.8\TextInputHost.exe
        
        "C:\Program Files\Java\jre-1.8\TextInputHost.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\317f52c5-bb4f-46a6-8c5e-82afee959048.vbs"
        13⤵
        
        PID:4968
        
        C:\Program Files\Java\jre-1.8\TextInputHost.exe
        
        "C:\Program Files\Java\jre-1.8\TextInputHost.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec5a6ff6-1683-471b-848e-04e35ee8507e.vbs"
        15⤵
        
        PID:1700
        
        C:\Program Files\Java\jre-1.8\TextInputHost.exe
        
        "C:\Program Files\Java\jre-1.8\TextInputHost.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\024db536-8555-4f9d-a121-4892b35b0be2.vbs"
        17⤵
        
        PID:3504
        
        C:\Program Files\Java\jre-1.8\TextInputHost.exe
        
        "C:\Program Files\Java\jre-1.8\TextInputHost.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f4a8f4a-1144-416b-876a-f61055cd0cb6.vbs"
        19⤵
        
        PID:5200
        
        C:\Program Files\Java\jre-1.8\TextInputHost.exe
        
        "C:\Program Files\Java\jre-1.8\TextInputHost.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11fa1deb-7442-4b57-a769-3a54aeee0f81.vbs"
        21⤵
        
        PID:4224
        
        C:\Program Files\Java\jre-1.8\TextInputHost.exe
        
        "C:\Program Files\Java\jre-1.8\TextInputHost.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d1a5b40-9d36-4122-a0e4-e77e7c454868.vbs"
        23⤵
        
        PID:6064
        
        C:\Program Files\Java\jre-1.8\TextInputHost.exe
        
        "C:\Program Files\Java\jre-1.8\TextInputHost.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71c7c8e2-524a-4f98-9719-2bc89bb88c97.vbs"
        25⤵
        
        PID:2660
        
        C:\Program Files\Java\jre-1.8\TextInputHost.exe
        
        "C:\Program Files\Java\jre-1.8\TextInputHost.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03177b8a-98a5-4c51-9ccb-2edca7ad3234.vbs"
        27⤵
        
        PID:2588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbf0ca7d-cb27-4f18-b239-4515b26a7ba4.vbs"
        27⤵
        
        PID:4448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05154125-b058-4189-af88-187f89ca3025.vbs"
        25⤵
        
        PID:1076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17649910-7958-44a7-9f2e-acf9743dddc0.vbs"
        23⤵
        
        PID:1600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\560f7ecb-67bd-4883-b1ed-69c36889c1d6.vbs"
        21⤵
        
        PID:4428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fc98783-afa3-4c18-b90e-e35b771d0c1c.vbs"
        19⤵
        
        PID:5508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05123401-7e18-4ce3-87df-bcc0d8a004df.vbs"
        17⤵
        
        PID:4824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91534a49-dce4-4743-827d-682a9d62f758.vbs"
        15⤵
        
        PID:1420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da549074-a106-4ba1-805a-23151582815a.vbs"
        13⤵
        
        PID:5752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\293955c8-8bd6-4fbf-b5c0-e2e8fa4a5643.vbs"
        11⤵
        
        PID:2908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb39e479-f977-4fc3-a499-c5bc847b173b.vbs"
        9⤵
        
        PID:4176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5bface1c-ab1b-4c7e-af58-90ed29e7bca0.vbs"
        7⤵
        
        PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Windows\PolicyDefinitions\it-IT\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\it-IT\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\it-IT\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\plugins\access_output\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\access_output\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\plugins\access_output\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\d25f591a00514bc9ba8441\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\d25f591a00514bc9ba8441\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\7e20f84d5244aba7145631d4073af8\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\7e20f84d5244aba7145631d4073af8\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\edge_BITS_4604_1784435341\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4604_1784435341\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\edge_BITS_4604_1784435341\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\d25f591a00514bc9ba8441\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\d25f591a00514bc9ba8441\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\d25f591a00514bc9ba8441\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\d25f591a00514bc9ba8441\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\images\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\images\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\d25f591a00514bc9ba8441\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\d25f591a00514bc9ba8441\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Downloads\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Downloads\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93f" /sc MINUTE /mo 10 /tr "'C:\Windows\assembly\f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93" /sc ONLOGON /tr "'C:\Windows\assembly\f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93f" /sc MINUTE /mo 14 /tr "'C:\Windows\assembly\f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\7e20f84d5244aba7145631d4073af8\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\7e20f84d5244aba7145631d4073af8\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Application Data\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Application Data\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\d25f591a00514bc9ba8441\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\d25f591a00514bc9ba8441\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\d25f591a00514bc9ba8441\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\sysmon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\d25f591a00514bc9ba8441\sysmon.exe'" /rl HIGHEST /f
1⤵
PID:5740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre-1.8\TextInputHost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre-1.8\TextInputHost.exe'" /rl HIGHEST /f
1⤵
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\7e20f84d5244aba7145631d4073af8\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\csrss.exe'" /rl HIGHEST /f
1⤵
PID:6052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\7e20f84d5244aba7145631d4073af8\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\d25f591a00514bc9ba8441\sihost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\sihost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\d25f591a00514bc9ba8441\sihost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\SchCache\smss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\SchCache\smss.exe'" /rl HIGHEST /f
1⤵
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\SchCache\smss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93f" /sc MINUTE /mo 8 /tr "'C:\Program Files\edge_BITS_4604_1784435341\f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4604_1784435341\f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe'" /rl HIGHEST /f
1⤵
PID:3848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93f" /sc MINUTE /mo 14 /tr "'C:\Program Files\edge_BITS_4604_1784435341\f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 11 /tr "'C:\Program Files\edge_BITS_4420_2042165253\MoUsoCoreWorker.exe'" /f
1⤵
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4420_2042165253\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
PID:4256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 14 /tr "'C:\Program Files\edge_BITS_4420_2042165253\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\d25f591a00514bc9ba8441\Registry.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\Registry.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\d25f591a00514bc9ba8441\Registry.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\7e20f84d5244aba7145631d4073af8\wininit.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\7e20f84d5244aba7145631d4073af8\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe'" /f
1⤵
PID:5548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
PID:5688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\RuntimeBroker.exe'" /f
1⤵
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:516

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\VideoLAN\VLC\plugins\access_output\RuntimeBroker.exe

Filesize
1.6MB

MD5
85e5ef6218303ab49b6212c727eebe52

SHA1
228ddd25563019f0b6164933309ad727ca8ee694

SHA256
74260343ae18fcfc00fb2f925ab03886d23f17371c9b99e36e404fa377f852b6

SHA512
74da2dad5e6b085ff991afd3cfce1aa92ce00fc2acb47aa1075c414c676e76dab74c7c3286f870503d0e29a2ce9e89375cfaa1aff6eb0e390ae22b10ec392794

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TextInputHost.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9078a011b49db705765cff4b845368b0

SHA1
533576940a2780b894e1ae46b17d2f4224051b77

SHA256
c89240e395a581db1b44d204e2bcbd5b0e7f636ac72585d8257e6b901f5a3615

SHA512
48e0896fc4818bb7e3f250c5cad70d5e4ce71d3f6a8d2d17d8becc36050c1de2a270fde8dea5bb3462f1e7f5eaf074053390934f26d0186113215a1c4e92dd1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
32b16440fab3a1055d9c22b90935bdfb

SHA1
ee350c4a65b81468487a3660dfe4f373660b9070

SHA256
ee68b728a82fefc941eba10390d9d70f5aeb442039c901eaf9a18477761cfd35

SHA512
5a1f36ab56e25548fd2875d364cfec39830e855b89628718f786bb8158147ee6fd66f2b7477d1b57b0d8cec5b8f10d173face18f4131ecec0dc67ca9ae56216c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3e242d3c4b39d344f66c494424020c61

SHA1
194e596f33d54482e7880e91dc05e0d247a46399

SHA256
f688037cb0c9f9c97b3b906a6c0636c91ad1864564feb17bba4973cde361172e

SHA512
27c1cd6d72554fdce3b960458a1a6bd3f740aa7c22a313a80b043db283a224bf390648b9e59e6bdbf48020d082d728fbde569bee4ee2a610f21d659a7b3dfa02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a9a7f35c006bbf5da72f9cb250ffbddb

SHA1
458a8cedc38dac109631d9fccb3bf6d2c5c0e89e

SHA256
a1db56d56e35a6c95f98204e40f69f70422969681d408e5edc4afbf732eef86b

SHA512
d341773d30e09214567c65f24cd1854f1e438b8528aa30d35b6baac16e671dde1245edda654f19343b7c160da45985ab53f08453e7f6286e272d544f8741c131

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6019bc03fe1dc3367a67c76d08b55399

SHA1
3d0b6d4d99b6b8e49829a3992072c3d9df7ad672

SHA256
7f88db7b83b11cd8ea233efc3a1498635b68771482658255750df564a065f7d0

SHA512
6b5409780a23e977b0bbe463e351f1d474539100aeaa01b0b7fe72aa6dbfb3c0fec64fe9db65b63d188a279b65eae7f31ef0b6880c67ada9ab175da419f595eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
575c67abdb0b2c72de0d9dd38b94d791

SHA1
27783f259ffd096b21c02c70cb999bf860183124

SHA256
fdf985fb9c56b4462675c41f68555f8762dd7043b15750968208b88be87252bc

SHA512
61b23a15b52cf51b525993e8cfc0b9fd41d1bb28501c96a35f776bfa738390783ad266c2d0383a53770f3662dd118a45114d92afee63b4673e88008a6559b774

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
816d03b14553d8d2cd19771bf135873f

SHA1
3efdd566ca724299705e7c30d4cbb84349b7a1ae

SHA256
70d3acdba0037de3d175aca44a86daf8392b2350f6f8b026b7accb02f95a9304

SHA512
365ac792e05619e5ef42b40f1e4dd5d1ebb18a5a409be9c5428e52be7896f4b18eef2a93a4e0f5e1930996bf70798fe45fc5b6d829687d975191015944dbbdbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0734894a83d0290998731718d8d124ba

SHA1
219148114dac7bf0ddad9da28e4d7f8093637974

SHA256
67a1c23fcd3308a4264a0f0dcabdd6be7f0eefa9bd406a6dc642dedcdc118355

SHA512
b142dbeacc967d813aa02b35e4562512730f7d071bfc94191e5cfa8569af3c80f904cd6620d88f0ebf32aa1152d496fcfc69f5731afd03b42de6b094b07875a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a83cd2b6d39537485921aedf93dc0130

SHA1
1917805667529b9fb4290d1b3411e55c929a1179

SHA256
3c56e1552fd24116e64472933d7c82dae76438d0eb8271bf6c98d4eab30f2642

SHA512
c7aefc87d41a78f99fa966a53e1cdb7dd3e75f1068afb58745f6bae43c90696f43acc94c5faeaa95e59e44261952ac88e69681afff52780f8bb2066952780bf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cf79136142125a14a0d763b303b2effd

SHA1
20c496b9c84ddb9c365d6c59823660768c9dfdf7

SHA256
38297561076f05a1d94b8c6273098acc6866a563466e6a62e1c75846210715e3

SHA512
37e871507b221658b17bc7b1e100a695ed2ddcd5fa39176dc0ee858c7ef78d279699cd493532e1c95774f3b8a869d6a1d8fa3096314ba17025ec0041e2033522

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5772860e80a4ad209b363a064b3303d7

SHA1
18da8f9946606bb785740c6f9e24daff3e137d68

SHA256
5e889679e1805fcfacb6971b12ea331d38a58a703f2374fe1eef19f2917d8022

SHA512
207bc482178667f072617c35a84593c0d7e7cbaceed9e93e3365039f043e5f9548f65bf90e51b2dc3735ad0572a90a4271465c653a69498bbb62e472a8d85bb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d39ea6f9ab2ac89f0eecf4195aa92ab1

SHA1
330eceaf8a8f7f482b8efcdd909dd17fcab58861

SHA256
c43aeb94aa5a3757d5366738541991ed39ff1ad7d5b5f5644dcecd78bdc48398

SHA512
25d06b3688f9454a2b9598c9cc65f49184d743124a5723b43a4278effd95bee192e83ba7be486f5e331692d78d81e58c5cc2720aac56551dc3f90a9e81278222

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bf1cbedd91790c2be65fc829402dc0f1

SHA1
9f0e53c9cdd5ff915dde34c26119f027822ab08b

SHA256
7a48200a25d98070baaf5ffba058b4c32667910896d01f2ff95b490f09d961e6

SHA512
050dc81be09cb08e6944889809c1c6e4dda87ce6a47b78e8162a95efd5163b7e741b1ecec7662e77deeb36f6a47f20414766ce668f15074260d6f703c02e3d6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4345955c1b5cc2f2c8a6923e677f6a61

SHA1
572a46a5fa74524df83da70b00f40ddb81b5b432

SHA256
14178c711c1c432e590041f1c4e426b664b07b1c3aad6c84b352677330ce3fef

SHA512
6bc29254e9aa6e12b353979f4e3b7689fe586bdcc6a6605f540b9202ab70c7b6c1cf28b25d7d69e8569917b183f62f0f40c8689e9e5d0134b2b6f1c306cbd2b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6b4e39689cee6c9a38f5a03b68b3df72

SHA1
af6cc92ac1532a1059151831885c2929d83f8107

SHA256
01bd20c1140847c1d579ca92531850535e5b0aaddfce3c8648716dc1cb811f8d

SHA512
9fb0e8c8ebd43525f8364eff0d18c02a34c044d14558cfbea351d283f03df9b84e3e32453e296b2cd844b785dcefef75adfeaff401d80462959104033fe7ba02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f6b5bbcd2386512d0b9af775e45d3770

SHA1
a3f6c4f46c10ce9d9b7d8a0a7b8a922dbbdd3d43

SHA256
50adabd48c94301dd4c4338e23583a702f7626abf793e6ae2eb919a18c8db999

SHA512
3775a27e3ad5a6149b88214f8bc6e45335e02af4589468ca8c140db758f152a59adf3c56361523b09c6ac2b316bd6c66886f9755a1823fc2c4468a1fad417add

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d5e147edfabd7f129d7206d4ee8c4242

SHA1
a4a26e1793fe331b20a56e97c930f343a92be728

SHA256
9417644a8d49effdbc6a120b8d32093626b2ef9e8fe65d2c3163e3b3741a9629

SHA512
ec2530e8b7f2a9a916a94bf0d3a8c830bc258e2b73b5feacb99fbbeda40bf45d20931dded36fc24039a55e3c35cc150bc88e4837339f4db696508745c18f64c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
56afc37a6fa78dde7c6bb49af2c000c9

SHA1
dad88cd38148f8ac76e0592d632fa1fdf8c2a3ac

SHA256
5e858d6aac3c13aa5ca83f0a12793d125028ddf87ac73355a42877d16db655f0

SHA512
f9f4ed6581ebeccac22dbeee2bb99d5a03ab4ad098f3e4af91f806b55a685b8e7b181aa131d31e1044f5c60f11742625d4947947f182fc1ab487bd4d33483795

Download Submit
C:\Users\Admin\AppData\Local\Temp\024db536-8555-4f9d-a121-4892b35b0be2.vbs

Filesize
723B

MD5
fa93c0fa782a09792b249edb9288eefb

SHA1
200ae435cc36134d38f8e6753d6ef41db648d8eb

SHA256
519b33842279336025f9aa788f5a07042eb3ffae483e661884ef46f7a2cc48b4

SHA512
e3d87b792a695e81bd596fd41d8c3bbe6e34073372080a9ca59027adaa45f8a9e4bf5837bb32591c0d2a0225ce75a1dbf20d473d56990629c32565f0cb77648d

Download Submit
C:\Users\Admin\AppData\Local\Temp\317f52c5-bb4f-46a6-8c5e-82afee959048.vbs

Filesize
723B

MD5
664eccbeedfa38de109c7459dc2310a8

SHA1
b25961d141010dbb15c1497cd916a13ff04e9022

SHA256
8b02d5f1f8aa6143027e01106bccfa960ca18616c20714bd5ae0e5f979365b0d

SHA512
2804a4050979969fd4dc663cb342ac73e84ddd1dafb46677bdead7ed38fe26a51d76b55c5999be44b12ca0eecc20b81cc4a562b6cce955bac47b50da8e23983c

Download Submit
C:\Users\Admin\AppData\Local\Temp\50d4cdda-6c72-403f-a341-999c56b6e722.vbs

Filesize
723B

MD5
a50b351762712a60d735140b2019b4b0

SHA1
18e3517298866bbccb068e7fe6730f52bf948081

SHA256
b70ecde97a9bd0dca91c7364ea9465e4bc9157b5d8800f1c4170bed7fef3f77f

SHA512
88a70970f5c424b5099ea86ef470a19a0be283c960a0b3ec23164625e1103e2de9c92926ac6efd81c94868fd1ca6fb2fbe52f691182404288199cfcaac202fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5bface1c-ab1b-4c7e-af58-90ed29e7bca0.vbs

Filesize
499B

MD5
6c4bf8d937e1bbccd378186fb0c7b8aa

SHA1
c5f8d760181ce7b55bbe67f9e7a11f5de745ca83

SHA256
a06c0beae1a39f73cc0ae553291a79e62c75e613380f2ea8020441d1e69652b9

SHA512
4ed9ec277b4bfeb2c0f734a3a741922ef9700ceb246298c55fbe4353d822ea9348114f290b337aaa5c588567ca77c4995cfada36a96d7538d31aad6ae76c9623

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bOuYaabJ9.bat

Filesize
267B

MD5
76b38d677ec4d11c8556360e917e10ce

SHA1
19baaac9dd6d94350ceba60b63b1f5b2bd1299a0

SHA256
7ec5402e2d23d24efa0953ddb76412f705b7c40d5962760cb5ebd772b49fccd1

SHA512
adb1d2bd186fe1fc360acf05a1b13d900a139637d6e0978c4bbc8eb8841622d3a503a4f602fd171c79ba32fba74dde56e22811e3c619e68ef5351820176548ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7009584f-dfdb-4974-91c7-3ff4715ebac1.vbs

Filesize
723B

MD5
e26d9776c2f24b43fd0b450a5b9da528

SHA1
873c46c299c7b77e1d83cb7aadd505f996fbd208

SHA256
5fdcebe0b4c36f7bc3e451d4fdb674761f0e95db31f8545a252421f0f9aa2cd6

SHA512
36be9395cf5f59f56218a10fb7102fc86561381837c9fa347e4cea43a1daf3b7177424fe6b09c8e1dd92ede558091d528438589a9cfd988fae4f678ef34cb6e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\9rtY8HP7wY.bat

Filesize
267B

MD5
948f2ecdc2c7c83eff3705fc59012b8c

SHA1
42fb781cbf274065c4b166d265c4b651061b8b3c

SHA256
2b237a434c4f73062d8b28151bea1bd166a0d4fe3e87da0e60c793d4eac9f9e5

SHA512
a136e5f4f146e474c4342bc536b4ff3b4f77a68d236105e04dc234849852bfc433f57d4cb4ed273a0d179d0027a4a4c8e165a6b2abe94c941c22522583eee316

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rthqsvsy.tg2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c70806f1-2966-46c8-a370-9aad43bbf651.vbs

Filesize
723B

MD5
200e0932d8d612395354cbbc39cb1e18

SHA1
e2a7d458fe7f5049af9d834a0d13d5e4d72592d6

SHA256
642c610c6403b62f18567c98168d68913ca0d1aeb054ae4b4e567a47b8ce1dba

SHA512
ccf61e8d98225b7c7bd33ff1dd56f288a8ae7a957960483b687176154d148af9c75a2c98767b8ba383e8ca6d59bddccf24f6c38044dcef4061fc94f0f4d019fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec5a6ff6-1683-471b-848e-04e35ee8507e.vbs

Filesize
723B

MD5
76a47ab30827bc10ba94bfd5c0efd5ad

SHA1
0a559b536970d893ea6612b5b4da5a6c5a906e72

SHA256
218d0814a523da02f22f122ea116fc0ae367b20c01b7809fb55ffef137361077

SHA512
741a5eade0eac48bfdb60d25d6994cdbd2eaebb95f17d726d7a5010ac4c5e815f3c03e8583b9d89c0c312162ad22328c4b859ef07d139ed6d7a102787c62916c

Download Submit
C:\Windows\PolicyDefinitions\it-IT\unsecapp.exe

Filesize
1.6MB

MD5
52e4554ec87085ec0d31bca66d35df00

SHA1
3196fc8f3064b5d80cd8829c0b3fd6730b2141c0

SHA256
f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93

SHA512
04070464d0489ec88509dc767f9c5f0db4dc2e1b3bb06ac3719441a5a923172d9fcac478dfab1b7ad4cdd2bbc0a39f77c6dd0d5d256dfd82d474e74e1b9af899

Download Submit
memory/2428-4-0x000000001B510000-0x000000001B560000-memory.dmp

Filesize
320KB

Download
memory/2428-8-0x000000001B560000-0x000000001B570000-memory.dmp

Filesize
64KB

Download
memory/2428-14-0x000000001BC60000-0x000000001BC68000-memory.dmp

Filesize
32KB

Download
memory/2428-15-0x000000001BC70000-0x000000001BC78000-memory.dmp

Filesize
32KB

Download
memory/2428-17-0x000000001BC90000-0x000000001BC9C000-memory.dmp

Filesize
48KB

Download
memory/2428-7-0x000000001B4E0000-0x000000001B4E8000-memory.dmp

Filesize
32KB

Download
memory/2428-11-0x000000001BC30000-0x000000001BC3C000-memory.dmp

Filesize
48KB

Download
memory/2428-10-0x000000001B500000-0x000000001B50C000-memory.dmp

Filesize
48KB

Download
memory/2428-9-0x000000001B4F0000-0x000000001B4F8000-memory.dmp

Filesize
32KB

Download
memory/2428-16-0x000000001BC80000-0x000000001BC8A000-memory.dmp

Filesize
40KB

Download
memory/2428-5-0x000000001B3A0000-0x000000001B3B0000-memory.dmp

Filesize
64KB

Download
memory/2428-2-0x00007FF915BD0000-0x00007FF916691000-memory.dmp

Filesize
10.8MB

Download
memory/2428-13-0x000000001BC50000-0x000000001BC5E000-memory.dmp

Filesize
56KB

Download
memory/2428-12-0x000000001BC40000-0x000000001BC4A000-memory.dmp

Filesize
40KB

Download
memory/2428-0-0x00007FF915BD3000-0x00007FF915BD5000-memory.dmp

Filesize
8KB

Download
memory/2428-6-0x000000001B4C0000-0x000000001B4D6000-memory.dmp

Filesize
88KB

Download
memory/2428-84-0x00007FF915BD0000-0x00007FF916691000-memory.dmp

Filesize
10.8MB

Download
memory/2428-3-0x000000001B380000-0x000000001B39C000-memory.dmp

Filesize
112KB

Download
memory/2428-1-0x00000000005F0000-0x0000000000792000-memory.dmp

Filesize
1.6MB

Download
memory/4612-60-0x000001FAEA8D0000-0x000001FAEA8F2000-memory.dmp

Filesize
136KB

Download