dcrat | e9e6a5e4d64f01b158801bbaead6aedfeeb8cd754e734d1471f591ca3e2c08f8

Analysis

max time kernel
70s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9d8ce72bea14182d0909964ca07a8b6.exe
Size

885KB
MD5

d9d8ce72bea14182d0909964ca07a8b6
SHA1

b28d8a45177dc711160d4ea289b88ececf0174fb
SHA256

c14f2d55ba7fb0234c638ac3b7b7081e5c94fb27382b081176fd88ae5b90aeb7
SHA512

78e08e64514d53ae1335caa9c36d66b0e1eea3f52b8fef6fee72cfbc449b6cd3b8f15b432329f7528a7291a438ba96fd8ec6ee4f13a13a30438bd7f98870c256
SSDEEP

12288:clNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:clNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3300	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3120	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3388	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4072	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3132	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4348	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3260	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	4808	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	520	4808	schtasks.exe	87

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral10/memory/3100-0-0x0000000000CE0000-0x0000000000DC4000-memory.dmp	dcrat
behavioral10/files/0x0007000000024148-19.dat	dcrat

Blocklisted process makes network request 5 IoCs

flow	pid	Process
35	3152	Process not Found
39	3152	Process not Found
78	3152	Process not Found
80	3152	Process not Found
82	3152	Process not Found

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	d9d8ce72bea14182d0909964ca07a8b6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	System.exe

Executes dropped EXE 8 IoCs

pid	Process
4472	System.exe
2844	System.exe
5108	System.exe
4720	System.exe
2224	System.exe
4992	System.exe
2864	System.exe
2156	System.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\attachments\RCXFD07.tmp	d9d8ce72bea14182d0909964ca07a8b6.exe
File opened for modification	C:\Program Files\Crashpad\attachments\RCXFD18.tmp	d9d8ce72bea14182d0909964ca07a8b6.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXFD62.tmp	d9d8ce72bea14182d0909964ca07a8b6.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXFD72.tmp	d9d8ce72bea14182d0909964ca07a8b6.exe
File created	C:\Program Files\Crashpad\attachments\System.exe	d9d8ce72bea14182d0909964ca07a8b6.exe
File created	C:\Program Files\Crashpad\attachments\27d1bcfc3c54e0	d9d8ce72bea14182d0909964ca07a8b6.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe	d9d8ce72bea14182d0909964ca07a8b6.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\5940a34987c991	d9d8ce72bea14182d0909964ca07a8b6.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemResources\Windows.UI.SettingsHandlers-nt\pris\RCXFCE3.tmp	d9d8ce72bea14182d0909964ca07a8b6.exe
File opened for modification	C:\Windows\Panther\UnattendGC\RCXFD96.tmp	d9d8ce72bea14182d0909964ca07a8b6.exe
File opened for modification	C:\Windows\Panther\UnattendGC\RCXFDA7.tmp	d9d8ce72bea14182d0909964ca07a8b6.exe
File created	C:\Windows\SystemResources\Windows.UI.SettingsHandlers-nt\pris\fontdrvhost.exe	d9d8ce72bea14182d0909964ca07a8b6.exe
File created	C:\Windows\SystemResources\Windows.UI.SettingsHandlers-nt\pris\5b884080fd4f94	d9d8ce72bea14182d0909964ca07a8b6.exe
File created	C:\Windows\Panther\UnattendGC\fontdrvhost.exe	d9d8ce72bea14182d0909964ca07a8b6.exe
File created	C:\Windows\Panther\UnattendGC\5b884080fd4f94	d9d8ce72bea14182d0909964ca07a8b6.exe
File opened for modification	C:\Windows\SystemResources\Windows.UI.SettingsHandlers-nt\pris\RCXFCD3.tmp	d9d8ce72bea14182d0909964ca07a8b6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	System.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4264	schtasks.exe
3504	schtasks.exe
1240	schtasks.exe
4856	schtasks.exe
2124	schtasks.exe
3960	schtasks.exe
3132	schtasks.exe
1448	schtasks.exe
2520	schtasks.exe
4072	schtasks.exe
2084	schtasks.exe
1584	schtasks.exe
648	schtasks.exe
3120	schtasks.exe
3388	schtasks.exe
4676	schtasks.exe
2792	schtasks.exe
3192	schtasks.exe
4176	schtasks.exe
4924	schtasks.exe
3300	schtasks.exe
2268	schtasks.exe
4332	schtasks.exe
3260	schtasks.exe
372	schtasks.exe
228	schtasks.exe
520	schtasks.exe
3500	schtasks.exe
3736	schtasks.exe
3036	schtasks.exe
4996	schtasks.exe
4892	schtasks.exe
2612	schtasks.exe
2228	schtasks.exe
1692	schtasks.exe
1828	schtasks.exe
1152	schtasks.exe
2652	schtasks.exe
2700	schtasks.exe
1856	schtasks.exe
3580	schtasks.exe
2992	schtasks.exe
2668	schtasks.exe
5072	schtasks.exe
1968	schtasks.exe
4888	schtasks.exe
100	schtasks.exe
1188	schtasks.exe
4772	schtasks.exe
2384	schtasks.exe
4348	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3100	d9d8ce72bea14182d0909964ca07a8b6.exe
3100	d9d8ce72bea14182d0909964ca07a8b6.exe
3100	d9d8ce72bea14182d0909964ca07a8b6.exe
3100	d9d8ce72bea14182d0909964ca07a8b6.exe
3100	d9d8ce72bea14182d0909964ca07a8b6.exe
4472	System.exe
2844	System.exe
5108	System.exe
4720	System.exe
4720	System.exe
2224	System.exe
2224	System.exe
4992	System.exe
4992	System.exe
2864	System.exe
2864	System.exe
2156	System.exe
2156	System.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	3100	d9d8ce72bea14182d0909964ca07a8b6.exe
Token: SeDebugPrivilege	4472	System.exe
Token: SeDebugPrivilege	2844	System.exe
Token: SeDebugPrivilege	5108	System.exe
Token: SeDebugPrivilege	4720	System.exe
Token: SeDebugPrivilege	2224	System.exe
Token: SeDebugPrivilege	4992	System.exe
Token: SeDebugPrivilege	2864	System.exe
Token: SeDebugPrivilege	2156	System.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 4472	3100	d9d8ce72bea14182d0909964ca07a8b6.exe	140
PID 3100 wrote to memory of 4472	3100	d9d8ce72bea14182d0909964ca07a8b6.exe	140
PID 4472 wrote to memory of 560	4472	System.exe	143
PID 4472 wrote to memory of 560	4472	System.exe	143
PID 4472 wrote to memory of 4104	4472	System.exe	144
PID 4472 wrote to memory of 4104	4472	System.exe	144
PID 560 wrote to memory of 2844	560	WScript.exe	147
PID 560 wrote to memory of 2844	560	WScript.exe	147
PID 2844 wrote to memory of 2156	2844	System.exe	177
PID 2844 wrote to memory of 2156	2844	System.exe	177
PID 2844 wrote to memory of 3536	2844	System.exe	149
PID 2844 wrote to memory of 3536	2844	System.exe	149
PID 2156 wrote to memory of 5108	2156	WScript.exe	152
PID 2156 wrote to memory of 5108	2156	WScript.exe	152
PID 5108 wrote to memory of 1952	5108	System.exe	153
PID 5108 wrote to memory of 1952	5108	System.exe	153
PID 5108 wrote to memory of 2416	5108	System.exe	154
PID 5108 wrote to memory of 2416	5108	System.exe	154
PID 1952 wrote to memory of 4720	1952	WScript.exe	155
PID 1952 wrote to memory of 4720	1952	WScript.exe	155
PID 4720 wrote to memory of 1568	4720	System.exe	156
PID 4720 wrote to memory of 1568	4720	System.exe	156
PID 4720 wrote to memory of 2652	4720	System.exe	157
PID 4720 wrote to memory of 2652	4720	System.exe	157
PID 1568 wrote to memory of 2224	1568	WScript.exe	166
PID 1568 wrote to memory of 2224	1568	WScript.exe	166
PID 2224 wrote to memory of 1376	2224	System.exe	169
PID 2224 wrote to memory of 1376	2224	System.exe	169
PID 2224 wrote to memory of 2912	2224	System.exe	170
PID 2224 wrote to memory of 2912	2224	System.exe	170
PID 1376 wrote to memory of 4992	1376	WScript.exe	171
PID 1376 wrote to memory of 4992	1376	WScript.exe	171
PID 4992 wrote to memory of 4380	4992	System.exe	172
PID 4992 wrote to memory of 4380	4992	System.exe	172
PID 4992 wrote to memory of 2840	4992	System.exe	173
PID 4992 wrote to memory of 2840	4992	System.exe	173
PID 4380 wrote to memory of 2864	4380	WScript.exe	174
PID 4380 wrote to memory of 2864	4380	WScript.exe	174
PID 2864 wrote to memory of 4716	2864	System.exe	175
PID 2864 wrote to memory of 4716	2864	System.exe	175
PID 2864 wrote to memory of 936	2864	System.exe	176
PID 2864 wrote to memory of 936	2864	System.exe	176
PID 4716 wrote to memory of 2156	4716	WScript.exe	177
PID 4716 wrote to memory of 2156	4716	WScript.exe	177
PID 2156 wrote to memory of 2028	2156	System.exe	178
PID 2156 wrote to memory of 2028	2156	System.exe	178
PID 2156 wrote to memory of 3152	2156	System.exe	179
PID 2156 wrote to memory of 3152	2156	System.exe	179

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d9d8ce72bea14182d0909964ca07a8b6.exe
"C:\Users\Admin\AppData\Local\Temp\d9d8ce72bea14182d0909964ca07a8b6.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Program Files\Crashpad\attachments\System.exe
  "C:\Program Files\Crashpad\attachments\System.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4aae6f99-1caf-427b-991b-3411f0b0c999.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\Program Files\Crashpad\attachments\System.exe
      "C:\Program Files\Crashpad\attachments\System.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\383e7b75-8d8b-4c8b-85e6-d1e48217820e.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2156
      - C:\Program Files\Crashpad\attachments\System.exe
        
        "C:\Program Files\Crashpad\attachments\System.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e28e121-39eb-4ba2-bfcd-f6735fe24dde.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Program Files\Crashpad\attachments\System.exe
        
        "C:\Program Files\Crashpad\attachments\System.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7e2d399-4df5-4ecf-bd35-1d799a38cfed.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Program Files\Crashpad\attachments\System.exe
        
        "C:\Program Files\Crashpad\attachments\System.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcab72fa-0f2f-48b8-b5c0-22bb894a8d8f.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Program Files\Crashpad\attachments\System.exe
        
        "C:\Program Files\Crashpad\attachments\System.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3f0edbd-bdbc-4021-8f82-fdd7fbabc5ab.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Program Files\Crashpad\attachments\System.exe
        
        "C:\Program Files\Crashpad\attachments\System.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad3cc679-9371-4dac-b182-a3ddbc609e72.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Program Files\Crashpad\attachments\System.exe
        
        "C:\Program Files\Crashpad\attachments\System.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6503d2fc-669b-437a-aa03-b2578b2e1d74.vbs"
        17⤵
        
        PID:2028
        
        C:\Program Files\Crashpad\attachments\System.exe
        
        "C:\Program Files\Crashpad\attachments\System.exe"
        18⤵
        
        PID:2444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf95ad88-226a-4a64-bbba-06ad729c8045.vbs"
        19⤵
        
        PID:1272
        
        C:\Program Files\Crashpad\attachments\System.exe
        
        "C:\Program Files\Crashpad\attachments\System.exe"
        20⤵
        
        PID:2664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c7ff8bd-9244-42d1-b514-4d5d6cd50396.vbs"
        21⤵
        
        PID:2944
        
        C:\Program Files\Crashpad\attachments\System.exe
        
        "C:\Program Files\Crashpad\attachments\System.exe"
        22⤵
        
        PID:4772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\078ea51c-2dbb-4e3e-aaec-7fc1abd1dec1.vbs"
        23⤵
        
        PID:4388
        
        C:\Program Files\Crashpad\attachments\System.exe
        
        "C:\Program Files\Crashpad\attachments\System.exe"
        24⤵
        
        PID:5020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2315978c-035a-43a3-95ea-57f23a4959a4.vbs"
        25⤵
        
        PID:2176
        
        C:\Program Files\Crashpad\attachments\System.exe
        
        "C:\Program Files\Crashpad\attachments\System.exe"
        26⤵
        
        PID:2908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d24dd163-5abd-4eef-b94c-831403af5afb.vbs"
        27⤵
        
        PID:2612
        
        C:\Program Files\Crashpad\attachments\System.exe
        
        "C:\Program Files\Crashpad\attachments\System.exe"
        28⤵
        
        PID:4132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f9a400b-2d47-4450-9cc3-37a808ef249a.vbs"
        29⤵
        
        PID:4360
        
        C:\Program Files\Crashpad\attachments\System.exe
        
        "C:\Program Files\Crashpad\attachments\System.exe"
        30⤵
        
        PID:5004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a93d4e2-c9f0-44b5-8cad-c25fdb691819.vbs"
        31⤵
        
        PID:3984
        
        C:\Program Files\Crashpad\attachments\System.exe
        
        "C:\Program Files\Crashpad\attachments\System.exe"
        32⤵
        
        PID:376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12772d9d-3975-491d-92fd-7d4dd5fae886.vbs"
        33⤵
        
        PID:648
        
        C:\Program Files\Crashpad\attachments\System.exe
        
        "C:\Program Files\Crashpad\attachments\System.exe"
        34⤵
        
        PID:1352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34b60c55-99d5-42f6-be7d-afbb452cb618.vbs"
        35⤵
        
        PID:2080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7f24cc5-e34b-4ac1-a38d-9819cab0042f.vbs"
        35⤵
        
        PID:3124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be7159f9-0c5f-4ecc-8059-84943556fa16.vbs"
        33⤵
        
        PID:4180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d862b6be-c60f-42f4-a673-0ff8b154365f.vbs"
        31⤵
        
        PID:3624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b5580a1-1fb6-4aa1-8b99-4985cc4d6248.vbs"
        29⤵
        
        PID:2888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0c9a383-fdb4-4c16-91be-b12ecce32be7.vbs"
        27⤵
        
        PID:2792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\826c447f-fa16-4e80-9456-e9f8d0c0fd5a.vbs"
        25⤵
        
        PID:2456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cec80d5c-3e40-4acc-817f-c5bae5e472d4.vbs"
        23⤵
        
        PID:3580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04d0b259-4930-4049-bf19-80b5dbf9f5bf.vbs"
        21⤵
        
        PID:4420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da10d50f-4d34-4e40-84bc-6ca34dfb09e3.vbs"
        19⤵
        
        PID:1940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9de1902-493b-43ae-9858-8b703d9ec4a8.vbs"
        17⤵
        
        PID:3152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f419b281-d93e-4e9e-86e1-9617645007c3.vbs"
        15⤵
        
        PID:936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e336cc40-6ebb-479e-9ce7-3087e16859e5.vbs"
        13⤵
        
        PID:2840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da9b83b6-61bd-4c50-aa6c-134587c5446e.vbs"
        11⤵
        
        PID:2912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c00f896f-b8ec-4ae6-8dd0-a862ee1b56d6.vbs"
        9⤵
        
        PID:2652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8b6f749-462a-4b02-8759-912d34d4e377.vbs"
        7⤵
        
        PID:2416
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\977e72c6-5e88-40f5-934e-9ae681096b99.vbs"
        5⤵
        
        PID:3536
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0199a0be-7db4-4249-86ef-e2c220509f49.vbs"
    3⤵
    PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\SystemResources\Windows.UI.SettingsHandlers-nt\pris\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.UI.SettingsHandlers-nt\pris\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\SystemResources\Windows.UI.SettingsHandlers-nt\pris\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\d9c22b4eaa3c0b9c12c7\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\d9c22b4eaa3c0b9c12c7\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Crashpad\attachments\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Crashpad\attachments\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\d9c22b4eaa3c0b9c12c7\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\d9c22b4eaa3c0b9c12c7\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\NetHood\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\NetHood\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Downloads\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Downloads\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\d9c22b4eaa3c0b9c12c7\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\d9c22b4eaa3c0b9c12c7\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\Panther\UnattendGC\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Panther\UnattendGC\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\Panther\UnattendGC\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Documents\My Pictures\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Pictures\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Documents\My Pictures\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Crashpad\attachments\System.exe

Filesize
885KB

MD5
d9d8ce72bea14182d0909964ca07a8b6

SHA1
b28d8a45177dc711160d4ea289b88ececf0174fb

SHA256
c14f2d55ba7fb0234c638ac3b7b7081e5c94fb27382b081176fd88ae5b90aeb7

SHA512
78e08e64514d53ae1335caa9c36d66b0e1eea3f52b8fef6fee72cfbc449b6cd3b8f15b432329f7528a7291a438ba96fd8ec6ee4f13a13a30438bd7f98870c256

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\0199a0be-7db4-4249-86ef-e2c220509f49.vbs

Filesize
500B

MD5
7fbb35897026098c498a2c47e81c51ff

SHA1
ab06cd69a63e40dd3e4972d24ff0f06a6ac9168e

SHA256
afed8b277bd0942616938da91bc6bafe9e08ad3ca05401906b67ee319913c470

SHA512
aa1a7439abc8ca26b6e111eccc3d27204a1cb76b0632764b7de3be4628d2d9fe32c068db3333413b3f010fb8fd4bb313cee9e387338f3fb2877d80d1c8184d75

Download Submit
C:\Users\Admin\AppData\Local\Temp\078ea51c-2dbb-4e3e-aaec-7fc1abd1dec1.vbs

Filesize
724B

MD5
ec0c9521eb78c4e8f51aa1a5021b898f

SHA1
e83c30e359ca932ebdd4500fccfe796a52c2f4e6

SHA256
224500dcc4abb75bf85cc53f9423d76a8d8825f293cb7413dfde6a04822913a6

SHA512
724928aba5f1391da3f9022b4aedc6fb1c94d2c0d9d1362d9ed2b564f2a67548f27716636b3727ff558e2100bd815ee034c45044a7d7e30e5a8c196c4e3a2d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f9a400b-2d47-4450-9cc3-37a808ef249a.vbs

Filesize
724B

MD5
045f880012cd8c21c3488f254c9bb56b

SHA1
cd4c2ae1a6a86f77ef61d05cca5e50bdba711410

SHA256
a48e3acc056a7f9faaea75e4d3c524eb60c3a9b48fa9f60ad5825b2d065784a2

SHA512
6575803d2095d593c78b7746c3ff39a37e36da096243bc981cbdac0a2e721f72f8038fd24fe15e7e0ddb90a6604d02c94fe11dbe05555e6243fed8ce018fa09e

Download Submit
C:\Users\Admin\AppData\Local\Temp\12772d9d-3975-491d-92fd-7d4dd5fae886.vbs

Filesize
723B

MD5
9d6c9073d4a4b076564e5a11ba1e5393

SHA1
e8c3d860cfded56cc2e693af463d589f1659a070

SHA256
d6ac3e3be893ab6eea5e26c8386a35d5ef9de9969c9786b24f5ec776de61c11a

SHA512
6f15d6ceeae6cc48232ad2109d53a8e242f854e05a13d7b328c752d0971abf1d64d2be860c857da67568baab54abf80e72d031eb071e5e41cf32a73e090d3434

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a93d4e2-c9f0-44b5-8cad-c25fdb691819.vbs

Filesize
724B

MD5
9b93474a2a1e994c5732ac6385195687

SHA1
a055cac78c43ba3104624ba3ef4377d1e6100002

SHA256
5bf6fe22f4eca6c1f456c65fa405e039da7545fe7091c291f458dbab82c664da

SHA512
9a62959e34882c99f4272c33961b5d0b7d85f6b5a1c6fb964d3a268043ec05a30f61490b070aa6c4724063012a15168a38883c546cd4e8df29ebe482704760e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2315978c-035a-43a3-95ea-57f23a4959a4.vbs

Filesize
724B

MD5
7e9da96b40ddc736245aa3a16ef5f83a

SHA1
077e77db35815343bf679359f8e86d0fbe1408de

SHA256
a115d39d7912a136a26df2ea50bcaf7da2c59d5686b407a16d3807e5d52d4a2f

SHA512
38374d7f286428c7e9f18ce291da5d91e6a39d8b70bdd4564beb0859ee0c9b7d80bfe7158ff12f96b2dd6b084b4a159b0cdd76dcfbc01800886402f84ad2e3e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\383e7b75-8d8b-4c8b-85e6-d1e48217820e.vbs

Filesize
724B

MD5
78b45e205a990bce86bed900970ac794

SHA1
dbb8f2398d5b97b35c1c113c950b5eebee7de0e8

SHA256
0363037a610b03440a7c4b9048290e0b1fbb6ffa0579c4adeb33a5a99b98a95c

SHA512
ac3c775a2debe7b08303d43eac3bfbb9af99e9800088bdde00a220181b321bb5dc51aca8fb63b7faea52a7b1f7e64d03801d352fda37845d60b568fe9e4be066

Download Submit
C:\Users\Admin\AppData\Local\Temp\3c7ff8bd-9244-42d1-b514-4d5d6cd50396.vbs

Filesize
724B

MD5
b3a1ac9d92dc477563def0776088cd1e

SHA1
5846df083d0b276cbe2df96c2716c81327fe189c

SHA256
3d8a21dd2091c92c5542a5fb2053eb8240dc560ace0af22b579132e7a04f93c4

SHA512
1805c12e614a2deac51375723d51494a679554f570a5865932a0e0e418e59d2c76c62e5fbbcccba6ac44c74bc9022ef1056e4ab79c7d1eb6256c32f40020118f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e28e121-39eb-4ba2-bfcd-f6735fe24dde.vbs

Filesize
724B

MD5
a9e014a4a9fc30a93cf27bdb24b4e66c

SHA1
79ba5ddcec197679eefb6eb81cd36da037044a08

SHA256
b19392068033e3e559ddb8765919df7fad7e29c34615025675cd64bc47140b90

SHA512
37e6526ee7a57092449b14cc087d5d559f20df95bc8eb771c34a694daf9f3b922f6c77c8fe7c12a70678f07ce6e6948dd395154f2c76e8bfc67d9ade78cddc9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4aae6f99-1caf-427b-991b-3411f0b0c999.vbs

Filesize
724B

MD5
441efcecc1eb9c83f98c04cdff80b7a5

SHA1
9336dc0b4096febbb6ba5065a031c7cf7364b181

SHA256
3823ab80f935a18fb2930c9a4a4eabb27b459e8cb4c13b1d408e67794334917e

SHA512
125ccfccd853609d73edc1e2848d5c9f0ab12715266d8abe56f3163f1886cd6951e2a31ec704fbbbba6b02fb2ac584d2ac3c2769596da40a2b3f6e22a277ceb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\6503d2fc-669b-437a-aa03-b2578b2e1d74.vbs

Filesize
724B

MD5
a23b03568a2709c99bdf126dca54c2fb

SHA1
d3aa1a44b557e6343de595be7e3bdbc1621f4c33

SHA256
9cac4f5a5df7b58260abb1693b3d6bbca1bcffc1ba07672b066d22137ceadbc9

SHA512
e3a614c88e5003acf0feb4b643c8ef89a4b7090faa74d1f15d9d6193518639968c9d68575d47aa6e05a45acadbe9e5ff3842e6eb271893c7959c49e479232015

Download Submit
C:\Users\Admin\AppData\Local\Temp\a3f0edbd-bdbc-4021-8f82-fdd7fbabc5ab.vbs

Filesize
724B

MD5
ace40cf5defcf353f1b2faad12871f0f

SHA1
0e12765c63830ebffeaf73bc8f30fb5e177b9781

SHA256
fbd7c125442765395c4fc192ca09e08a0f4a52ca30ee56cc37678d73a475ae66

SHA512
6e2bf4c66dd22a82b222aa7075a506e516bc4eb37e6afd97d11973b67557eec255b272f59002e56e512acddd485fe9810bff82d1fef6e50d0b1b85c4e00b7506

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad3cc679-9371-4dac-b182-a3ddbc609e72.vbs

Filesize
724B

MD5
bb3c9c1be8e3e6de61d1d3a286d095e1

SHA1
34f14ad7205286f02a22210b7854105c0705015e

SHA256
532f478a2fece6aebd7981be31baba9f93dcc835eaf4a01c14ad28bc447c58ab

SHA512
befcd99dedae46acbf1b8ba9e179dd322016357eded20314536055ae3cc0f46531303be81d254961322ceb20c035b9221c6bba189ace5d0cddbb2e9ddb4c8cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7e2d399-4df5-4ecf-bd35-1d799a38cfed.vbs

Filesize
724B

MD5
dc2218a0679ec067461489cd1d1cd91d

SHA1
da82954a50da0d730b4c4d01ca8c2a467358d131

SHA256
3706d753a255ce0e780d9030a38c9145baf10cf855f1fc598d52e66b33c90896

SHA512
590d0830f67e9a6035286b7fe60924ef162857b166f429ef412e7ac1fa7024e1ca9b758c776cf2f3dbab3ce2e264588290e6f88e4a33ec2aaca6eeda43161bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf95ad88-226a-4a64-bbba-06ad729c8045.vbs

Filesize
724B

MD5
b053d17d709bf90a82ca9a3f05c3e4f5

SHA1
d996734aa0b00ae6d9b9ad745598dc626b279e8c

SHA256
4cc84667c1688628124693962a9c0b96ee15efb6133c49338987123928851e00

SHA512
1caeed3006015af133452b0794c93324853a15de8226e1da1a9772d1825605ab8203cca4fc784138ea8ba7936522f511b2d8e70b6c8582a6d9d57072ebaee3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d24dd163-5abd-4eef-b94c-831403af5afb.vbs

Filesize
724B

MD5
33bf59e08e1eee85afb317989a9c6e35

SHA1
1de64c04032e671d84abfb067ab45481783b0ca8

SHA256
e5240d1e5aad5dd1777114d8be16f30a30bec52766aa7545565f20ac32606321

SHA512
7d64107d2ba3229156b14ba987492d99127f35d7813598c97d27d736100a8fa6e3f138ef99be82b4f6482ee420df3ff27d47b878884e97dd514e9be9e6980742

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcab72fa-0f2f-48b8-b5c0-22bb894a8d8f.vbs

Filesize
724B

MD5
2064aeaeb76c27388134e8a4aa32b3d9

SHA1
4eec910f4112c21570a9364db39846b2793c66fc

SHA256
1c84f6945c988b658d1ee86c88b15cc0468baf5a080924a7aac814d6f5f8caf4

SHA512
61151918ef025d35534942ce7fdc4e41efdb600bcd0f173ba584eff58f043da019101b8741548de07740480bbfc75354470258d47271abd7c49319fe42d942a8

Download Submit
memory/3100-10-0x000000001BF50000-0x000000001BF5C000-memory.dmp

Filesize
48KB

Download
memory/3100-7-0x000000001BA10000-0x000000001BA1A000-memory.dmp

Filesize
40KB

Download
memory/3100-2-0x00007FF99AF50000-0x00007FF99B145000-memory.dmp

Filesize
2.0MB

Download
memory/3100-6-0x000000001B9F0000-0x000000001BA06000-memory.dmp

Filesize
88KB

Download
memory/3100-3-0x000000001B9D0000-0x000000001B9EC000-memory.dmp

Filesize
112KB

Download
memory/3100-4-0x000000001BF90000-0x000000001BFE0000-memory.dmp

Filesize
320KB

Download
memory/3100-8-0x000000001BA20000-0x000000001BA2E000-memory.dmp

Filesize
56KB

Download
memory/3100-9-0x000000001BF40000-0x000000001BF48000-memory.dmp

Filesize
32KB

Download
memory/3100-249-0x00007FF99AF50000-0x00007FF99B145000-memory.dmp

Filesize
2.0MB

Download
memory/3100-5-0x000000001B9B0000-0x000000001B9C0000-memory.dmp

Filesize
64KB

Download
memory/3100-0-0x0000000000CE0000-0x0000000000DC4000-memory.dmp

Filesize
912KB

Download
memory/3100-1-0x00007FF99AF50000-0x00007FF99B145000-memory.dmp

Filesize
2.0MB

Download