dcrat | 4bcbb8983fe7425976c5a1789deff73fb138e80981f5ebfef1f835bcc6757760

Resubmissions

14/04/2025, 07:51

250414-jp1kfssjz9 10

14/04/2025, 07:46

250414-jl9nyssjt9 10

08/04/2025, 15:58

250408-tevasswl18 10

08/04/2025, 14:19

250408-rm2nqsvqw2 10

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2025, 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
Size

1.6MB
MD5

52e4554ec87085ec0d31bca66d35df00
SHA1

3196fc8f3064b5d80cd8829c0b3fd6730b2141c0
SHA256

f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93
SHA512

04070464d0489ec88509dc767f9c5f0db4dc2e1b3bb06ac3719441a5a923172d9fcac478dfab1b7ad4cdd2bbc0a39f77c6dd0d5d256dfd82d474e74e1b9af899
SSDEEP

24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	3436	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3556	3436	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	3436	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	3436	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	3436	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	3436	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	3436	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	3436	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	3436	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	3436	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	3436	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	3436	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	3436	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	3436	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	3436	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	3436	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	3436	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	3436	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	3436	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	3436	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3416	3436	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3452	3436	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	3436	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	3436	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	3436	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	3436	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	3436	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	3436	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3380	3436	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	3436	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	3436	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	3436	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	3436	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	3436	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	3436	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	3436	schtasks.exe	85

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral28/memory/4100-1-0x0000000000DC0000-0x0000000000F62000-memory.dmp	dcrat
behavioral28/files/0x0007000000024159-26.dat	dcrat
behavioral28/files/0x000f000000023f53-151.dat	dcrat
behavioral28/files/0x0012000000023f5b-186.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4840	powershell.exe
3592	powershell.exe
3816	powershell.exe
3048	powershell.exe
4360	powershell.exe
928	powershell.exe
1480	powershell.exe
436	powershell.exe
2108	powershell.exe
2796	powershell.exe
3748	powershell.exe
4356	powershell.exe
4008	powershell.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	unsecapp.exe

Executes dropped EXE 13 IoCs

pid	Process
5300	unsecapp.exe
5848	unsecapp.exe
5144	unsecapp.exe
2124	unsecapp.exe
1824	unsecapp.exe
5648	unsecapp.exe
3912	unsecapp.exe
5336	unsecapp.exe
4932	unsecapp.exe
4616	unsecapp.exe
436	unsecapp.exe
5440	unsecapp.exe
2272	unsecapp.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\RCXA922.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\lsass.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files\Crashpad\attachments\RCXADB9.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files\Crashpad\attachments\RCXADBA.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\6203df4a6bafc7	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\RCXA921.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files\Crashpad\attachments\services.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\lsass.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files\Crashpad\attachments\services.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files\Crashpad\attachments\c5b4cb5e9653cc	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\RCXA0BC.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\RCXA0BD.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\TextInputHost.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\TextInputHost.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\22eafd247d37c3	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	unsecapp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2884	schtasks.exe
4928	schtasks.exe
2608	schtasks.exe
4788	schtasks.exe
2668	schtasks.exe
1496	schtasks.exe
376	schtasks.exe
4608	schtasks.exe
1480	schtasks.exe
3384	schtasks.exe
1348	schtasks.exe
3380	schtasks.exe
2312	schtasks.exe
3764	schtasks.exe
4880	schtasks.exe
2660	schtasks.exe
3416	schtasks.exe
1876	schtasks.exe
2016	schtasks.exe
3556	schtasks.exe
3292	schtasks.exe
1560	schtasks.exe
1612	schtasks.exe
4480	schtasks.exe
668	schtasks.exe
4568	schtasks.exe
4328	schtasks.exe
1948	schtasks.exe
3032	schtasks.exe
4824	schtasks.exe
3004	schtasks.exe
2024	schtasks.exe
4016	schtasks.exe
2108	schtasks.exe
3452	schtasks.exe
928	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4100	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
4100	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
4100	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
4100	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
2108	powershell.exe
2108	powershell.exe
4356	powershell.exe
4356	powershell.exe
2796	powershell.exe
2796	powershell.exe
928	powershell.exe
928	powershell.exe
4360	powershell.exe
4360	powershell.exe
3592	powershell.exe
3592	powershell.exe
3816	powershell.exe
3816	powershell.exe
4008	powershell.exe
4008	powershell.exe
4840	powershell.exe
4840	powershell.exe
436	powershell.exe
436	powershell.exe
3048	powershell.exe
3048	powershell.exe
1480	powershell.exe
1480	powershell.exe
3748	powershell.exe
3748	powershell.exe
2108	powershell.exe
2108	powershell.exe
4356	powershell.exe
4356	powershell.exe
3592	powershell.exe
4360	powershell.exe
4360	powershell.exe
3816	powershell.exe
928	powershell.exe
928	powershell.exe
2796	powershell.exe
2796	powershell.exe
3048	powershell.exe
4008	powershell.exe
436	powershell.exe
1480	powershell.exe
4840	powershell.exe
3748	powershell.exe
5300	unsecapp.exe
5300	unsecapp.exe
5848	unsecapp.exe
5144	unsecapp.exe
5144	unsecapp.exe
2124	unsecapp.exe
1824	unsecapp.exe
1824	unsecapp.exe
5648	unsecapp.exe
3912	unsecapp.exe
5336	unsecapp.exe
4932	unsecapp.exe
4616	unsecapp.exe
436	unsecapp.exe
5440	unsecapp.exe
2272	unsecapp.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	4100	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	4356	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	3592	powershell.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeDebugPrivilege	4360	powershell.exe
Token: SeDebugPrivilege	3816	powershell.exe
Token: SeDebugPrivilege	4008	powershell.exe
Token: SeDebugPrivilege	4840	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	436	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	3748	powershell.exe
Token: SeDebugPrivilege	5300	unsecapp.exe
Token: SeDebugPrivilege	5848	unsecapp.exe
Token: SeDebugPrivilege	5144	unsecapp.exe
Token: SeDebugPrivilege	2124	unsecapp.exe
Token: SeDebugPrivilege	1824	unsecapp.exe
Token: SeDebugPrivilege	5648	unsecapp.exe
Token: SeDebugPrivilege	3912	unsecapp.exe
Token: SeDebugPrivilege	5336	unsecapp.exe
Token: SeDebugPrivilege	4932	unsecapp.exe
Token: SeDebugPrivilege	4616	unsecapp.exe
Token: SeDebugPrivilege	436	unsecapp.exe
Token: SeDebugPrivilege	5440	unsecapp.exe
Token: SeDebugPrivilege	2272	unsecapp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 3748	4100	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	130
PID 4100 wrote to memory of 3748	4100	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	130
PID 4100 wrote to memory of 4356	4100	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	131
PID 4100 wrote to memory of 4356	4100	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	131
PID 4100 wrote to memory of 3816	4100	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	132
PID 4100 wrote to memory of 3816	4100	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	132
PID 4100 wrote to memory of 2796	4100	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	133
PID 4100 wrote to memory of 2796	4100	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	133
PID 4100 wrote to memory of 2108	4100	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	135
PID 4100 wrote to memory of 2108	4100	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	135
PID 4100 wrote to memory of 436	4100	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	136
PID 4100 wrote to memory of 436	4100	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	136
PID 4100 wrote to memory of 1480	4100	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	137
PID 4100 wrote to memory of 1480	4100	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	137
PID 4100 wrote to memory of 3592	4100	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	138
PID 4100 wrote to memory of 3592	4100	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	138
PID 4100 wrote to memory of 928	4100	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	142
PID 4100 wrote to memory of 928	4100	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	142
PID 4100 wrote to memory of 4360	4100	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	143
PID 4100 wrote to memory of 4360	4100	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	143
PID 4100 wrote to memory of 4840	4100	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	144
PID 4100 wrote to memory of 4840	4100	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	144
PID 4100 wrote to memory of 4008	4100	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	145
PID 4100 wrote to memory of 4008	4100	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	145
PID 4100 wrote to memory of 3048	4100	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	146
PID 4100 wrote to memory of 3048	4100	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	146
PID 4100 wrote to memory of 5300	4100	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	158
PID 4100 wrote to memory of 5300	4100	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	158
PID 5300 wrote to memory of 5688	5300	unsecapp.exe	159
PID 5300 wrote to memory of 5688	5300	unsecapp.exe	159
PID 5300 wrote to memory of 5732	5300	unsecapp.exe	160
PID 5300 wrote to memory of 5732	5300	unsecapp.exe	160
PID 5688 wrote to memory of 5848	5688	WScript.exe	161
PID 5688 wrote to memory of 5848	5688	WScript.exe	161
PID 5848 wrote to memory of 5980	5848	unsecapp.exe	162
PID 5848 wrote to memory of 5980	5848	unsecapp.exe	162
PID 5848 wrote to memory of 6028	5848	unsecapp.exe	163
PID 5848 wrote to memory of 6028	5848	unsecapp.exe	163
PID 5980 wrote to memory of 5144	5980	WScript.exe	173
PID 5980 wrote to memory of 5144	5980	WScript.exe	173
PID 5144 wrote to memory of 2484	5144	unsecapp.exe	174
PID 5144 wrote to memory of 2484	5144	unsecapp.exe	174
PID 5144 wrote to memory of 4820	5144	unsecapp.exe	175
PID 5144 wrote to memory of 4820	5144	unsecapp.exe	175
PID 2484 wrote to memory of 2124	2484	WScript.exe	176
PID 2484 wrote to memory of 2124	2484	WScript.exe	176
PID 2124 wrote to memory of 4840	2124	unsecapp.exe	177
PID 2124 wrote to memory of 4840	2124	unsecapp.exe	177
PID 2124 wrote to memory of 2636	2124	unsecapp.exe	178
PID 2124 wrote to memory of 2636	2124	unsecapp.exe	178
PID 4840 wrote to memory of 1824	4840	WScript.exe	179
PID 4840 wrote to memory of 1824	4840	WScript.exe	179
PID 1824 wrote to memory of 3988	1824	unsecapp.exe	180
PID 1824 wrote to memory of 3988	1824	unsecapp.exe	180
PID 1824 wrote to memory of 5504	1824	unsecapp.exe	181
PID 1824 wrote to memory of 5504	1824	unsecapp.exe	181
PID 3988 wrote to memory of 5648	3988	WScript.exe	183
PID 3988 wrote to memory of 5648	3988	WScript.exe	183
PID 5648 wrote to memory of 5784	5648	unsecapp.exe	184
PID 5648 wrote to memory of 5784	5648	unsecapp.exe	184
PID 5648 wrote to memory of 5948	5648	unsecapp.exe	185
PID 5648 wrote to memory of 5948	5648	unsecapp.exe	185
PID 5784 wrote to memory of 3912	5784	WScript.exe	186
PID 5784 wrote to memory of 3912	5784	WScript.exe	186

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
"C:\Users\Admin\AppData\Local\Temp\f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d9c22b4eaa3c0b9c12c7\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d9c22b4eaa3c0b9c12c7\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d9c22b4eaa3c0b9c12c7\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d9c22b4eaa3c0b9c12c7\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\attachments\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
- C:\d9c22b4eaa3c0b9c12c7\unsecapp.exe
  "C:\d9c22b4eaa3c0b9c12c7\unsecapp.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5300
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e935a78-47cc-4e38-a31c-4bc3de291065.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5688
  - - C:\d9c22b4eaa3c0b9c12c7\unsecapp.exe
      C:\d9c22b4eaa3c0b9c12c7\unsecapp.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5848
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1921888a-2849-4b8c-ac25-ef17311a59f2.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5980
      - C:\d9c22b4eaa3c0b9c12c7\unsecapp.exe
        
        C:\d9c22b4eaa3c0b9c12c7\unsecapp.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2826b229-e7f0-49ef-8069-a631e8b5c59c.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\d9c22b4eaa3c0b9c12c7\unsecapp.exe
        
        C:\d9c22b4eaa3c0b9c12c7\unsecapp.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85c2fb59-e8b5-467e-a28f-324cd64bd6d1.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\d9c22b4eaa3c0b9c12c7\unsecapp.exe
        
        C:\d9c22b4eaa3c0b9c12c7\unsecapp.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f599a40-b1dd-4cba-b15b-a2bebbbbda27.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\d9c22b4eaa3c0b9c12c7\unsecapp.exe
        
        C:\d9c22b4eaa3c0b9c12c7\unsecapp.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96b826ab-fe7d-4a4e-a85b-1d9e593e9281.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:5784
        
        C:\d9c22b4eaa3c0b9c12c7\unsecapp.exe
        
        C:\d9c22b4eaa3c0b9c12c7\unsecapp.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d711c511-4cd0-4f98-a1f1-1aa2474167bf.vbs"
        15⤵
        
        PID:4596
        
        C:\d9c22b4eaa3c0b9c12c7\unsecapp.exe
        
        C:\d9c22b4eaa3c0b9c12c7\unsecapp.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4cce4b65-8d7c-4ef7-876b-eaef788139aa.vbs"
        17⤵
        
        PID:6004
        
        C:\d9c22b4eaa3c0b9c12c7\unsecapp.exe
        
        C:\d9c22b4eaa3c0b9c12c7\unsecapp.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2cf9818-3764-46d8-a7f2-2f68921b1994.vbs"
        19⤵
        
        PID:2808
        
        C:\d9c22b4eaa3c0b9c12c7\unsecapp.exe
        
        C:\d9c22b4eaa3c0b9c12c7\unsecapp.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3b6b1a2-d6ac-4a63-b31a-aba951714d30.vbs"
        21⤵
        
        PID:5312
        
        C:\d9c22b4eaa3c0b9c12c7\unsecapp.exe
        
        C:\d9c22b4eaa3c0b9c12c7\unsecapp.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e9405c6-2962-4959-85c4-3852a9ec7111.vbs"
        23⤵
        
        PID:5364
        
        C:\d9c22b4eaa3c0b9c12c7\unsecapp.exe
        
        C:\d9c22b4eaa3c0b9c12c7\unsecapp.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7efe4f83-9d51-4474-be14-8904cfc3da96.vbs"
        25⤵
        
        PID:3996
        
        C:\d9c22b4eaa3c0b9c12c7\unsecapp.exe
        
        C:\d9c22b4eaa3c0b9c12c7\unsecapp.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2172f73a-1d44-4e31-9030-8dbdd78d271b.vbs"
        27⤵
        
        PID:2372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2c51c86-65d6-46ff-aad9-d8e1a44b4018.vbs"
        27⤵
        
        PID:5152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7122dc0-992c-4089-9333-885726ab9269.vbs"
        25⤵
        
        PID:1748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6e19902-de8f-4e0f-88b7-28bb7cc21c75.vbs"
        23⤵
        
        PID:5588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d7c8371-853a-447e-8eee-68360369d768.vbs"
        21⤵
        
        PID:5316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54fb39db-eaa1-430c-936a-db08966dd900.vbs"
        19⤵
        
        PID:928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b24b329a-fc4a-49be-b0fc-266f450d5050.vbs"
        17⤵
        
        PID:5964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0e766f0-d8c4-4497-90a9-7e642909bd6e.vbs"
        15⤵
        
        PID:6108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77683400-b37d-44c4-b49e-643c81d7a540.vbs"
        13⤵
        
        PID:5948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fddc8dcf-c92d-4efb-a729-b91ed2344b0a.vbs"
        11⤵
        
        PID:5504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aaf57ddb-9d19-4312-a4d4-f06a75e5a70d.vbs"
        9⤵
        
        PID:2636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e321249-c83e-4076-acc1-44c6631edaec.vbs"
        7⤵
        
        PID:4820
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a6b0a53-dac2-4e19-83aa-c1468f0cba23.vbs"
        5⤵
        
        PID:6028
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1c972ac-c17b-4f6f-a5ba-f69371ccdf4d.vbs"
    3⤵
    PID:5732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Downloads\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\d9c22b4eaa3c0b9c12c7\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\d9c22b4eaa3c0b9c12c7\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\d9c22b4eaa3c0b9c12c7\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\d9c22b4eaa3c0b9c12c7\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\d9c22b4eaa3c0b9c12c7\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\d9c22b4eaa3c0b9c12c7\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Desktop\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\d9c22b4eaa3c0b9c12c7\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\d9c22b4eaa3c0b9c12c7\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Crashpad\attachments\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Crashpad\attachments\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3764

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\System.exe

Filesize
1.6MB

MD5
addbd4baecf85be49416fbca1a382785

SHA1
b8a90b4e054467aefb5558cb414bcb0e38b36a3d

SHA256
4fcdebaf6d51198d72183a49a89f66a9795c83fcd83f9e94431ca473cc54ca87

SHA512
f26f69f0d15b72a44bee3ba024bf06205aee3fbc94cd99909412d32a4b1e433aa86cf06a55aaa156b7336a7f835e5a79ac6f723cae41d6e2a4a295fceac1a4d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\unsecapp.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4ee21a21f8b414c5a89db56be6641dd5

SHA1
2403dc36f95bcc4536ac61057a9ce76e11b470f9

SHA256
49cd0e958905a47f71f38c2211bacb5607f7903ae593a6e7f8156a1bab364d71

SHA512
996352f4281526569825fbbf6de92fd01b724ebe3dff34516df65c9986cff7cc9ebdba5b3068808740087441508a0678e44bce158f9f998431b441b5d31aa7aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3c9a06205efb4ec6b1ca25ba605f9f6d

SHA1
53f4cbc7a0b1f493e53f99d49c08c56c2ac912f8

SHA256
4ef4ffb0f743afc2ee1bb8edcc10ec450439a82dbbbb9cbdebeee633db4cc61a

SHA512
e936041f7fe2278a939290bc2b5409a01ae070abc58df4e4bb938e4a406d0c96b19a1fa4db21b9f158efcfbe956f3ddbd97cb670215f2d6f2c1328fa4e455657

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
75b793d8785da13700a6ebd48c30d77d

SHA1
b7d004bac69f44d9c847a49933d1df3e4dafd5db

SHA256
ab63179aa6eded5be6820711bfa2b7a9ba0184e6247a9a2aa1ebd839aba08a6b

SHA512
37e43c7b8d21173bc02237c5e1871a79ec95a96984671eeb5f9863dfce157f5f2bc90a6102b1beac6c8c8f928aa5b5094ae822d953f3833ea4e119ec664d4070

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8c29ea1bc8dbf75da42cf6ed688d9e3

SHA1
572ef3fcdca764b8f924e7875b76a5ee13064630

SHA256
2d80a98589acc4a2f3b6d3ac4d5a6a079b75b0be8131f1c140593e64ae446a53

SHA512
fca7810cd1111336f5ff7105f3b3a8b2c5d1fc125265726b9f97ca9e1344b698fc53d4b02e77fcc0a3b5948fedf5a4087ebbb763ddaf25d04ec897e4eca07bd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5224a8af64b17b8a36247f8bda22bc94

SHA1
841edc986867d9813534b217790e76b017c48617

SHA256
464cb1185c4ac036587a0583565205a60a9d67c6130ac6bf3e666d197a79aa55

SHA512
041d2827788aa8b7f3320b013380d74cc12a444adcf587ef8dfcbb52353548abf1746f34e33f0bfb6117ed488e85d9f8e0bfffbf79011546199ee371e192fdde

Download Submit
C:\Users\Admin\AppData\Local\Temp\1921888a-2849-4b8c-ac25-ef17311a59f2.vbs

Filesize
712B

MD5
6a5b4049624a37acadd85aa53b4993c8

SHA1
d83923be7e5819400725f52b3ca030926f9ffb90

SHA256
7fa55cbcaa58326ac67a05f69f024d054753ab6d88e182fc592c5a3ffecbf0ae

SHA512
915f2a8062933fd2895f1f5d14bd29a25f3fe18314bf2357e776d02152422f11366a89fe09c7b0f24e568223bd643a06fc8555f258521ffd04df8b73ff37b583

Download Submit
C:\Users\Admin\AppData\Local\Temp\2826b229-e7f0-49ef-8069-a631e8b5c59c.vbs

Filesize
712B

MD5
4fe5777e3388487148f7db2f0e600ee3

SHA1
0e6de700a4241936576755e1958d21ebcb3e4ded

SHA256
d0e42f842ea082b27b9771c0c8a4c39c579af08c0bb1a3aa201126c8fe3bfc46

SHA512
dbafc0af690021ef4bcda4396587991087480e38879e75ac34bc97a2d42eb8372751efd496bb0523336080b6371c05d31330d17dc50da9c5ad5806cd3cc76da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4cce4b65-8d7c-4ef7-876b-eaef788139aa.vbs

Filesize
712B

MD5
e69771b14e07108a4c374fac558a1d2e

SHA1
d33c5b560f9a7c85120cdad9f7e3642a59294b27

SHA256
891d4776ec84f39a53ae01d6e178b62f35673c9bd02a22842ea7492dfc701c6e

SHA512
400aca6e0b1c95d163fa352b4450210430ea6aa7defa53c2f0a0b5f8a28a3253255824d59d070dd93e47910759a33bfee9b731c7e299e2df6cb34f1977513fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e935a78-47cc-4e38-a31c-4bc3de291065.vbs

Filesize
712B

MD5
48f1c2aca382d5321a3806a6031b6ac1

SHA1
3a5fb67a29e099bd25dc4c4bcc379c89afcfb0b3

SHA256
e85f02c69363bb2323d7ebbc77cfcd66001ee33493ff16123d8ba004f55ca820

SHA512
ecb0a8ac69a6001e389e1d7f0d9fee55a5affe136171a7f941956f5e40e336aed5c4c6723d04da943a844d2ef618d67a522f7f03fa4a9abd28a3adcab6779bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f599a40-b1dd-4cba-b15b-a2bebbbbda27.vbs

Filesize
712B

MD5
8a4589a4fbfe287e6b10b44c55533269

SHA1
ce2f7e67e9f63c881aac1b4742f97e20ba11f167

SHA256
73a2c22a88ae8f9d3b09db02bd356e87b906655cb6665b96aadecbc3055a6438

SHA512
b2c4a83f18bc4c390accbe3ba38a9c5b0024ce2cd9da61ef9eb1367ffe8fd0d38c414e19a7242a39b70ecda18fff3c5fe2b4a82243f653f72b3f840dea17c8a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e9405c6-2962-4959-85c4-3852a9ec7111.vbs

Filesize
711B

MD5
8d57de811fe8860e7beddf4123cb6477

SHA1
d6b48f71ba0eebc5ad2b192edc1ce86a8c1dc0c3

SHA256
11e4f3adb3be06cfb0eb6831d928bbd57c7beb3eb6f01a760b5582a228c88a39

SHA512
6d23916140e35374f47c786f45ee4b7b37055df76bdfce6d264bc210787377b05b62129d7b2e79ee729980e469ac8f25c56229d440bc83e5ade518c8e9321ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7efe4f83-9d51-4474-be14-8904cfc3da96.vbs

Filesize
712B

MD5
5e27cdbbfa80d76c5af1bd10d57ae230

SHA1
678ed6f69f465844d6ac9109212ecfba1fccad61

SHA256
ffa24e8bd8062db9aee13538034c9a9c11555a890f4abf73157cc65da1d6d805

SHA512
a2d66f9fe41187310e3905eb2a06d55be86c4142d74338d599d65bfa7f206d37988a8e82b7fb145fc206175702e43fb66fca146ea0083cd21252f7ad9d271f66

Download Submit
C:\Users\Admin\AppData\Local\Temp\85c2fb59-e8b5-467e-a28f-324cd64bd6d1.vbs

Filesize
712B

MD5
5e2ceb695c5d16aa63214310807d92ad

SHA1
6c1f158e38c3ba29310a037f43d9a67abdbce043

SHA256
0f7c0a605bdc4cd1a62c756a3297e3716621420c2e38b68810ef854e382adbf8

SHA512
0e28ccbb3231b4d7f6643ab47b108394ff70a0fbaa01c95500150fde7b5884fe503b3f245cd96a6d2a51fbd41c0b353a9564d5c27637a57a2e57ef323836544d

Download Submit
C:\Users\Admin\AppData\Local\Temp\96b826ab-fe7d-4a4e-a85b-1d9e593e9281.vbs

Filesize
712B

MD5
41eb52a5f8f12765a68fd5cea1ddf03c

SHA1
1a3b6d78ac0e609b9f5583b947050fec3f7fb245

SHA256
8ce3c29cf7d79a354a0adff909d27b4a412513096842d2e45b2bccc4da8cce04

SHA512
ce76ffcb57f6b1a4d94d1bc98df14aae45376f4934921f61b41c5c1fb085a8614975af1564ecd5981bc43ba3fa9413a1f2af13c1d3954eb52e4e626704a4e8a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sqedinwj.zfa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1c972ac-c17b-4f6f-a5ba-f69371ccdf4d.vbs

Filesize
488B

MD5
94d99061b32e27df8516b726ac5a133a

SHA1
1be187840b0059e0391f49adde1f72bae82caa1f

SHA256
44c46f97d358b6ee7ae0ef626d22962a470f7ad8203a6eaaadc6b9b9592c202b

SHA512
655df24298c8c0be3911d1f035d1157b6a479db75523a7266c163e9d9b3d5bf1775d0b1f4672d8917ceb7a0def89b266d3e4d6e4cdd62bd91dca736db924cb3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2cf9818-3764-46d8-a7f2-2f68921b1994.vbs

Filesize
712B

MD5
2e76f243d14c89357b2f04c7e3478226

SHA1
8f952b97545d27f822a2ad22c0de2d19e9349287

SHA256
85aedf06bdde56f1b7bcc491e7316ac0842527ccc219c68403864f44a0cbd0ab

SHA512
d730610e077169746a4cd77332e8100776627ef54f4256386bb0ca873093ba57624a93249aaccbc82d9dfbbed5fb07957a1f6b0a2a5781b2ca8e92789ac8bec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3b6b1a2-d6ac-4a63-b31a-aba951714d30.vbs

Filesize
712B

MD5
304dc9d4abc311a5e115cace5ea5e213

SHA1
1f67064cada263865bf18de982f43e987e8baed4

SHA256
7505cc5b317c63cf445a93a99fd99f56f18825613c0d3dcb7180830f69c4b85e

SHA512
0f46b979dfaa733e2d4f5e1ffc031eb72e594fbdc46b0fd47f059bcf0de92fd76812396ead70222c85abb605f125f8f030e3638a6bd66894096cc221dc2480a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\d711c511-4cd0-4f98-a1f1-1aa2474167bf.vbs

Filesize
712B

MD5
114942c7892391a6f8bf338a235d0dc8

SHA1
9cc714e5b8f7332f7847dd65ff0ddf594a0df66a

SHA256
fba658ff63e52b54fbf9fd52727631290b0e1549f8e6314f301f0f84a602063c

SHA512
6594cec1c621d251c59c5b38c790c058662d962b426963b645df2525d84513bb61c0de502815218b94bd7858566acdd0e09aab7fbcab5491ecae0bb2d0491fbe

Download Submit
C:\d9c22b4eaa3c0b9c12c7\backgroundTaskHost.exe

Filesize
1.6MB

MD5
52e4554ec87085ec0d31bca66d35df00

SHA1
3196fc8f3064b5d80cd8829c0b3fd6730b2141c0

SHA256
f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93

SHA512
04070464d0489ec88509dc767f9c5f0db4dc2e1b3bb06ac3719441a5a923172d9fcac478dfab1b7ad4cdd2bbc0a39f77c6dd0d5d256dfd82d474e74e1b9af899

Download Submit
C:\d9c22b4eaa3c0b9c12c7\sysmon.exe

Filesize
1.6MB

MD5
fffeece90eac529001e3e7da86f5db73

SHA1
5525979ae1709b181787aa04b6fa98ccb38e22d7

SHA256
682b8c1f2c06671f00a2939c19476e428895a4a74bb9594183bb69af7c1ec437

SHA512
b1048ffa505a3da996b841f5337f25cfb9de3852040e70d38115313ff7120210d066bb4f94feef1ac67fac580e33280d1edbc02a9b9dd4fadcdf2f76d14b0709

Download Submit
memory/2108-240-0x0000022EEA8D0000-0x0000022EEA8F2000-memory.dmp

Filesize
136KB

Download
memory/4100-11-0x0000000003120000-0x000000000312C000-memory.dmp

Filesize
48KB

Download
memory/4100-6-0x0000000001770000-0x0000000001786000-memory.dmp

Filesize
88KB

Download
memory/4100-14-0x000000001C230000-0x000000001C238000-memory.dmp

Filesize
32KB

Download
memory/4100-15-0x000000001C240000-0x000000001C248000-memory.dmp

Filesize
32KB

Download
memory/4100-12-0x0000000003130000-0x000000000313A000-memory.dmp

Filesize
40KB

Download
memory/4100-16-0x000000001C250000-0x000000001C25A000-memory.dmp

Filesize
40KB

Download
memory/4100-368-0x00007FF966930000-0x00007FF9673F1000-memory.dmp

Filesize
10.8MB

Download
memory/4100-10-0x0000000003110000-0x000000000311C000-memory.dmp

Filesize
48KB

Download
memory/4100-9-0x00000000030F0000-0x00000000030F8000-memory.dmp

Filesize
32KB

Download
memory/4100-13-0x000000001C220000-0x000000001C22E000-memory.dmp

Filesize
56KB

Download
memory/4100-7-0x00000000030D0000-0x00000000030D8000-memory.dmp

Filesize
32KB

Download
memory/4100-8-0x00000000030E0000-0x00000000030F0000-memory.dmp

Filesize
64KB

Download
memory/4100-5-0x0000000001750000-0x0000000001760000-memory.dmp

Filesize
64KB

Download
memory/4100-4-0x000000001C270000-0x000000001C2C0000-memory.dmp

Filesize
320KB

Download
memory/4100-275-0x00007FF966933000-0x00007FF966935000-memory.dmp

Filesize
8KB

Download
memory/4100-3-0x0000000001730000-0x000000000174C000-memory.dmp

Filesize
112KB

Download
memory/4100-0-0x00007FF966933000-0x00007FF966935000-memory.dmp

Filesize
8KB

Download
memory/4100-17-0x000000001C260000-0x000000001C26C000-memory.dmp

Filesize
48KB

Download
memory/4100-2-0x00007FF966930000-0x00007FF9673F1000-memory.dmp

Filesize
10.8MB

Download
memory/4100-1-0x0000000000DC0000-0x0000000000F62000-memory.dmp

Filesize
1.6MB

Download