dcrat | 8d4b33f016a0358ab33a61a53be27b775979a15719e2168d66bae6a7a598d2e1

Analysis

max time kernel
148s
max time network
147s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc027f345eec8bb836216b98c2a013df.exe
Size

885KB
MD5

cc027f345eec8bb836216b98c2a013df
SHA1

f13c3e0e7c6d7938dfb97fb19a55cc47424b174e
SHA256

00bc028b5d4f9cdadf18888944bf27281bfe3299b051f9e4f20f129f5f45b400
SHA512

4740c0d83f273b50ccfd0a5a1b53a66782d9b811ce323b010a915ca78d6e844ed94b75e57eb8d97b06b1848679fa9ee5abc3b24e97fff8292050c1726449a2b6
SSDEEP

12288:8lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:8lNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2888	schtasks.exe	30

DCRat payload 16 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral23/memory/2308-1-0x00000000010F0000-0x00000000011D4000-memory.dmp	dcrat
behavioral23/files/0x000500000001c894-18.dat	dcrat
behavioral23/files/0x000600000001caab-121.dat	dcrat
behavioral23/files/0x000400000001cb75-214.dat	dcrat
behavioral23/memory/1816-231-0x0000000000D60000-0x0000000000E44000-memory.dmp	dcrat
behavioral23/memory/2488-242-0x0000000000020000-0x0000000000104000-memory.dmp	dcrat
behavioral23/memory/2020-254-0x00000000012B0000-0x0000000001394000-memory.dmp	dcrat
behavioral23/memory/2860-266-0x0000000000070000-0x0000000000154000-memory.dmp	dcrat
behavioral23/memory/2308-278-0x0000000000230000-0x0000000000314000-memory.dmp	dcrat
behavioral23/memory/1520-290-0x0000000000A30000-0x0000000000B14000-memory.dmp	dcrat
behavioral23/memory/2372-302-0x0000000000FA0000-0x0000000001084000-memory.dmp	dcrat
behavioral23/memory/2920-314-0x00000000003C0000-0x00000000004A4000-memory.dmp	dcrat
behavioral23/memory/2188-326-0x0000000000E20000-0x0000000000F04000-memory.dmp	dcrat
behavioral23/memory/2340-360-0x0000000000E80000-0x0000000000F64000-memory.dmp	dcrat
behavioral23/memory/2708-372-0x0000000000F10000-0x0000000000FF4000-memory.dmp	dcrat
behavioral23/memory/1540-395-0x0000000001180000-0x0000000001264000-memory.dmp	dcrat

Executes dropped EXE 16 IoCs

pid	Process
1816	sppsvc.exe
2488	sppsvc.exe
2020	sppsvc.exe
2860	sppsvc.exe
2308	sppsvc.exe
1520	sppsvc.exe
2372	sppsvc.exe
2920	sppsvc.exe
2188	sppsvc.exe
2580	sppsvc.exe
1832	sppsvc.exe
2340	sppsvc.exe
2708	sppsvc.exe
3056	sppsvc.exe
1540	sppsvc.exe
1732	sppsvc.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\plugins\keystore\f3b6ecef712a24	cc027f345eec8bb836216b98c2a013df.exe
File created	C:\Program Files\Windows Sidebar\audiodg.exe	cc027f345eec8bb836216b98c2a013df.exe
File created	C:\Program Files\Windows Sidebar\42af1c969fbb7b	cc027f345eec8bb836216b98c2a013df.exe
File created	C:\Program Files (x86)\Internet Explorer\cc11b995f2a76d	cc027f345eec8bb836216b98c2a013df.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\spoolsv.exe	cc027f345eec8bb836216b98c2a013df.exe
File opened for modification	C:\Program Files\Windows Sidebar\RCXB9C4.tmp	cc027f345eec8bb836216b98c2a013df.exe
File opened for modification	C:\Program Files\Windows Sidebar\RCXB9D4.tmp	cc027f345eec8bb836216b98c2a013df.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\RCXBAA0.tmp	cc027f345eec8bb836216b98c2a013df.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\keystore\RCXBAA4.tmp	cc027f345eec8bb836216b98c2a013df.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCXBA69.tmp	cc027f345eec8bb836216b98c2a013df.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\keystore\RCXBAA3.tmp	cc027f345eec8bb836216b98c2a013df.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCXB9EB.tmp	cc027f345eec8bb836216b98c2a013df.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\RCXBA8F.tmp	cc027f345eec8bb836216b98c2a013df.exe
File created	C:\Program Files (x86)\Internet Explorer\winlogon.exe	cc027f345eec8bb836216b98c2a013df.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\f3b6ecef712a24	cc027f345eec8bb836216b98c2a013df.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\keystore\spoolsv.exe	cc027f345eec8bb836216b98c2a013df.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Media\Landscape\RCXBAA1.tmp	cc027f345eec8bb836216b98c2a013df.exe
File opened for modification	C:\Windows\Media\Landscape\RCXBAA2.tmp	cc027f345eec8bb836216b98c2a013df.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCXBAB6.tmp	cc027f345eec8bb836216b98c2a013df.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCXBAB7.tmp	cc027f345eec8bb836216b98c2a013df.exe
File created	C:\Windows\Media\Landscape\dwm.exe	cc027f345eec8bb836216b98c2a013df.exe
File created	C:\Windows\Media\Landscape\6cb0b6c459d5d3	cc027f345eec8bb836216b98c2a013df.exe
File created	C:\Windows\Prefetch\ReadyBoot\cc027f345eec8bb836216b98c2a013df.exe	cc027f345eec8bb836216b98c2a013df.exe
File created	C:\Windows\Prefetch\ReadyBoot\e7b4578db3b322	cc027f345eec8bb836216b98c2a013df.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
408	schtasks.exe
2300	schtasks.exe
1700	schtasks.exe
1348	schtasks.exe
2284	schtasks.exe
1584	schtasks.exe
2372	schtasks.exe
2220	schtasks.exe
1692	schtasks.exe
2584	schtasks.exe
2356	schtasks.exe
2836	schtasks.exe
1344	schtasks.exe
1160	schtasks.exe
2760	schtasks.exe
1652	schtasks.exe
1788	schtasks.exe
2684	schtasks.exe
1276	schtasks.exe
1408	schtasks.exe
2780	schtasks.exe
2232	schtasks.exe
1712	schtasks.exe
2712	schtasks.exe
2980	schtasks.exe
316	schtasks.exe
1812	schtasks.exe
2348	schtasks.exe
2384	schtasks.exe
2568	schtasks.exe
1800	schtasks.exe
3020	schtasks.exe
2216	schtasks.exe
1192	schtasks.exe
2352	schtasks.exe
2936	schtasks.exe
2864	schtasks.exe
2720	schtasks.exe
772	schtasks.exe
1840	schtasks.exe
2576	schtasks.exe
2016	schtasks.exe
2396	schtasks.exe
1520	schtasks.exe
2532	schtasks.exe
3044	schtasks.exe
336	schtasks.exe
1356	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1816	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2308	cc027f345eec8bb836216b98c2a013df.exe
2308	cc027f345eec8bb836216b98c2a013df.exe
2308	cc027f345eec8bb836216b98c2a013df.exe
1816	sppsvc.exe
2488	sppsvc.exe
2020	sppsvc.exe
2860	sppsvc.exe
2308	sppsvc.exe
1520	sppsvc.exe
2372	sppsvc.exe
2920	sppsvc.exe
2188	sppsvc.exe
2580	sppsvc.exe
1832	sppsvc.exe
2340	sppsvc.exe
2708	sppsvc.exe
3056	sppsvc.exe
1540	sppsvc.exe
1732	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2308	cc027f345eec8bb836216b98c2a013df.exe
Token: SeDebugPrivilege	1816	sppsvc.exe
Token: SeDebugPrivilege	2488	sppsvc.exe
Token: SeDebugPrivilege	2020	sppsvc.exe
Token: SeDebugPrivilege	2860	sppsvc.exe
Token: SeDebugPrivilege	2308	sppsvc.exe
Token: SeDebugPrivilege	1520	sppsvc.exe
Token: SeDebugPrivilege	2372	sppsvc.exe
Token: SeDebugPrivilege	2920	sppsvc.exe
Token: SeDebugPrivilege	2188	sppsvc.exe
Token: SeDebugPrivilege	2580	sppsvc.exe
Token: SeDebugPrivilege	1832	sppsvc.exe
Token: SeDebugPrivilege	2340	sppsvc.exe
Token: SeDebugPrivilege	2708	sppsvc.exe
Token: SeDebugPrivilege	3056	sppsvc.exe
Token: SeDebugPrivilege	1540	sppsvc.exe
Token: SeDebugPrivilege	1732	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 1336	2308	cc027f345eec8bb836216b98c2a013df.exe	79
PID 2308 wrote to memory of 1336	2308	cc027f345eec8bb836216b98c2a013df.exe	79
PID 2308 wrote to memory of 1336	2308	cc027f345eec8bb836216b98c2a013df.exe	79
PID 1336 wrote to memory of 1696	1336	cmd.exe	81
PID 1336 wrote to memory of 1696	1336	cmd.exe	81
PID 1336 wrote to memory of 1696	1336	cmd.exe	81
PID 1336 wrote to memory of 1816	1336	cmd.exe	82
PID 1336 wrote to memory of 1816	1336	cmd.exe	82
PID 1336 wrote to memory of 1816	1336	cmd.exe	82
PID 1336 wrote to memory of 1816	1336	cmd.exe	82
PID 1336 wrote to memory of 1816	1336	cmd.exe	82
PID 1816 wrote to memory of 2372	1816	sppsvc.exe	83
PID 1816 wrote to memory of 2372	1816	sppsvc.exe	83
PID 1816 wrote to memory of 2372	1816	sppsvc.exe	83
PID 1816 wrote to memory of 2760	1816	sppsvc.exe	84
PID 1816 wrote to memory of 2760	1816	sppsvc.exe	84
PID 1816 wrote to memory of 2760	1816	sppsvc.exe	84
PID 2372 wrote to memory of 2488	2372	WScript.exe	85
PID 2372 wrote to memory of 2488	2372	WScript.exe	85
PID 2372 wrote to memory of 2488	2372	WScript.exe	85
PID 2372 wrote to memory of 2488	2372	WScript.exe	85
PID 2372 wrote to memory of 2488	2372	WScript.exe	85
PID 2488 wrote to memory of 2796	2488	sppsvc.exe	86
PID 2488 wrote to memory of 2796	2488	sppsvc.exe	86
PID 2488 wrote to memory of 2796	2488	sppsvc.exe	86
PID 2488 wrote to memory of 2236	2488	sppsvc.exe	87
PID 2488 wrote to memory of 2236	2488	sppsvc.exe	87
PID 2488 wrote to memory of 2236	2488	sppsvc.exe	87
PID 2796 wrote to memory of 2020	2796	WScript.exe	88
PID 2796 wrote to memory of 2020	2796	WScript.exe	88
PID 2796 wrote to memory of 2020	2796	WScript.exe	88
PID 2796 wrote to memory of 2020	2796	WScript.exe	88
PID 2796 wrote to memory of 2020	2796	WScript.exe	88
PID 2020 wrote to memory of 2448	2020	sppsvc.exe	89
PID 2020 wrote to memory of 2448	2020	sppsvc.exe	89
PID 2020 wrote to memory of 2448	2020	sppsvc.exe	89
PID 2020 wrote to memory of 2756	2020	sppsvc.exe	90
PID 2020 wrote to memory of 2756	2020	sppsvc.exe	90
PID 2020 wrote to memory of 2756	2020	sppsvc.exe	90
PID 2448 wrote to memory of 2860	2448	WScript.exe	91
PID 2448 wrote to memory of 2860	2448	WScript.exe	91
PID 2448 wrote to memory of 2860	2448	WScript.exe	91
PID 2448 wrote to memory of 2860	2448	WScript.exe	91
PID 2448 wrote to memory of 2860	2448	WScript.exe	91
PID 2860 wrote to memory of 2148	2860	sppsvc.exe	92
PID 2860 wrote to memory of 2148	2860	sppsvc.exe	92
PID 2860 wrote to memory of 2148	2860	sppsvc.exe	92
PID 2860 wrote to memory of 2388	2860	sppsvc.exe	93
PID 2860 wrote to memory of 2388	2860	sppsvc.exe	93
PID 2860 wrote to memory of 2388	2860	sppsvc.exe	93
PID 2148 wrote to memory of 2308	2148	WScript.exe	94
PID 2148 wrote to memory of 2308	2148	WScript.exe	94
PID 2148 wrote to memory of 2308	2148	WScript.exe	94
PID 2148 wrote to memory of 2308	2148	WScript.exe	94
PID 2148 wrote to memory of 2308	2148	WScript.exe	94
PID 2308 wrote to memory of 1064	2308	sppsvc.exe	95
PID 2308 wrote to memory of 1064	2308	sppsvc.exe	95
PID 2308 wrote to memory of 1064	2308	sppsvc.exe	95
PID 2308 wrote to memory of 1328	2308	sppsvc.exe	96
PID 2308 wrote to memory of 1328	2308	sppsvc.exe	96
PID 2308 wrote to memory of 1328	2308	sppsvc.exe	96
PID 1064 wrote to memory of 1520	1064	WScript.exe	97
PID 1064 wrote to memory of 1520	1064	WScript.exe	97
PID 1064 wrote to memory of 1520	1064	WScript.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cc027f345eec8bb836216b98c2a013df.exe
"C:\Users\Admin\AppData\Local\Temp\cc027f345eec8bb836216b98c2a013df.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mIr7g9QuKX.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1696
- - C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe
    "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1816
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2dca70cb-c41d-449c-9b9a-f1b056b01181.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2372
    - - C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2488
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\611f5d83-a1cb-45f8-82e9-7bb784bdb697.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d17b505-08cb-454b-aaee-2b378c05e8d4.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ca7243f-bde2-4967-b5d4-af6bc1e02447.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e411c0d-b2fe-4611-bb27-3bf7f454b57a.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d399f4b9-e847-48e2-89a2-e7d84cd7ec3b.vbs"
        14⤵
        
        PID:2200
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\046fee41-effc-4890-8c13-27b8df6f28e4.vbs"
        16⤵
        
        PID:3060
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ff2da84-3148-4551-b763-91bed7be3e45.vbs"
        18⤵
        
        PID:2072
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fef7e920-e74e-4d17-a154-a37d2700a9e6.vbs"
        20⤵
        
        PID:2956
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26bff2ca-7c63-479b-a1ca-e15c11901482.vbs"
        22⤵
        
        PID:2088
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d954990-e916-4966-a1cd-6ffdf4611331.vbs"
        24⤵
        
        PID:2616
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf636c07-b894-40cd-9f2f-60396a1e993f.vbs"
        26⤵
        
        PID:2372
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fda4644-a4ab-4f8b-ad88-c7bbc31325b9.vbs"
        28⤵
        
        PID:1924
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe
        29⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89bfc6cc-72c4-486d-b8fa-bb5d13460f70.vbs"
        30⤵
        
        PID:1624
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe
        31⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\863f85c1-b1e2-44e1-9391-1be5cc9a6c7b.vbs"
        32⤵
        
        PID:928
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe
        33⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98bef4a1-4fc8-434f-9a5d-7386b2fe6b98.vbs"
        34⤵
        
        PID:1556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\705aa8ab-7a57-4ce7-b579-35f50fa59a00.vbs"
        34⤵
        
        PID:2796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10549a6a-0221-48c5-9a1f-10524b85969c.vbs"
        32⤵
        
        PID:1340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff9d3990-ec4e-4115-9620-20eea4408009.vbs"
        30⤵
        
        PID:2292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf1338e7-9523-4725-89b5-fada37df8177.vbs"
        28⤵
        
        PID:1680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e4873bf-f8ed-4f90-ba6e-ef1c34559914.vbs"
        26⤵
        
        PID:1612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2aa26f18-789c-452c-9dd1-35464e79341b.vbs"
        24⤵
        
        PID:692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\152d9810-056c-490f-bb50-37e86eedb802.vbs"
        22⤵
        
        PID:1100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef3edb92-7579-4be4-b3ce-9ad5154855bd.vbs"
        20⤵
        
        PID:568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8572bf2b-ce2d-47a6-a2f0-175ca6d03e7e.vbs"
        18⤵
        
        PID:1796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07b35acb-38ba-482d-ba04-803e671cdb5c.vbs"
        16⤵
        
        PID:1036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\529b835d-f980-4a60-8fe7-fd79b77a342d.vbs"
        14⤵
        
        PID:1500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d10cce2f-b27b-4230-9a4f-cdb153a7d2a4.vbs"
        12⤵
        
        PID:1328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6302aee-e87b-4e01-a96a-a16b7c912bba.vbs"
        10⤵
        
        PID:2388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36528575-a96c-495a-8ff0-a035c68fe5f4.vbs"
        8⤵
        
        PID:2756
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e8b2dd2-3458-46ba-8356-42877d789dda.vbs"
        6⤵
        
        PID:2236
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bafaee11-a7af-4bea-b3b0-08b1a987ae40.vbs"
      4⤵
      PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\My Music\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\My Music\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Contacts\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Contacts\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cc027f345eec8bb836216b98c2a013dfc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\cc027f345eec8bb836216b98c2a013df.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cc027f345eec8bb836216b98c2a013df" /sc ONLOGON /tr "'C:\Users\Admin\cc027f345eec8bb836216b98c2a013df.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cc027f345eec8bb836216b98c2a013dfc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\cc027f345eec8bb836216b98c2a013df.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\Media\Landscape\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Media\Landscape\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\Media\Landscape\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\plugins\keystore\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\keystore\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\plugins\keystore\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cc027f345eec8bb836216b98c2a013dfc" /sc MINUTE /mo 7 /tr "'C:\Windows\Prefetch\ReadyBoot\cc027f345eec8bb836216b98c2a013df.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cc027f345eec8bb836216b98c2a013df" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\cc027f345eec8bb836216b98c2a013df.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cc027f345eec8bb836216b98c2a013dfc" /sc MINUTE /mo 8 /tr "'C:\Windows\Prefetch\ReadyBoot\cc027f345eec8bb836216b98c2a013df.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RCXBAB8.tmp

Filesize
885KB

MD5
a3a31fc0e5215938a2783aa753591280

SHA1
e99c266382b62c063e70a8c79e2fe71ed7cdb2a6

SHA256
dbce50b79708b8591323f1d6d1b1bd619f0c100b66dcdcadb510ad59fd95db70

SHA512
fbc98a70acc72f4fae1c7a3282d13df03bbe0aa454579e312374391e79ce0913794f86b163dd859643e88bd17d58f6765f8ec6dc11290bda77f9e7d44a8ac773

Download Submit
C:\Program Files (x86)\Internet Explorer\winlogon.exe

Filesize
885KB

MD5
8d707d84b6da28b6d7ddd5f8bd7a5910

SHA1
eec6e381adef2024a352e57b1207115d9e614491

SHA256
3aa826f45ee603f08c7d537e6429f0fb4799e9f6f68a43f132d6858b4cfbab67

SHA512
8c5f6f368885730f2e47e3b74748ae47993cc13d2552615bde725d76cbdf077c35cddfddb8ebba460a9ccf3736f9a86a1c3be77d03cdb30367470e9d0d154935

Download Submit
C:\Users\Admin\AppData\Local\Temp\046fee41-effc-4890-8c13-27b8df6f28e4.vbs

Filesize
735B

MD5
8ea04ee60ba6c3158d6c87c8a7496f19

SHA1
2407b94719169e183069a92868b9c36abafc6ade

SHA256
547509c6585ea53de85426782c54d3ec05e863b4b2922d7640cbbb5e3059371a

SHA512
455f821b236ca990ddb315f04f412b077d0c31f4c0cf58e44a0b6be6afdb80972b4fec996eb99d3eeb423af49a7c7327a9c21544704fcd455d4101aba17d1dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ca7243f-bde2-4967-b5d4-af6bc1e02447.vbs

Filesize
735B

MD5
7671b342cb95ba01504159edacf0be94

SHA1
d6eb750c56a8b4bb2c78d7e9c8fd5adbf78a61b2

SHA256
e15e323bd9cbdb8aef815b0b71f7b34a608c04776fdfb0dfe525193ec286ae59

SHA512
f188874cd8e4f7bd29e80e1726b712f0f70f182e2e6918391309d3c8caa680d348fe6bb8c76a3570997321a29ef68d627bb0d3221c7c842cd121982338f1cd67

Download Submit
C:\Users\Admin\AppData\Local\Temp\1d954990-e916-4966-a1cd-6ffdf4611331.vbs

Filesize
735B

MD5
184cf5f3c16d7c99c1dd5d735cab7be3

SHA1
5d86fdd279311fb85ef008f43da2fe22ba00e105

SHA256
6bee9817a79923c60719b7050ca6d7d577e6047be768b3c4ab012d4309be9276

SHA512
a2912de94858374fad4ffad5e25504af38abb2f0d3b0d79f3a3b89c299e5be9a3b93d9b03fe897700fe58603c9aa3a3a7542141b0ac5eb65284b07603775d01c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1fda4644-a4ab-4f8b-ad88-c7bbc31325b9.vbs

Filesize
735B

MD5
42ab751527d050e67e5dff574acb19aa

SHA1
263b5edc1b4207756b5633e9c47b73397a197e68

SHA256
c09aad965b691f552fcb947743ca5b14b560e08baf6a330e0e49a501d45ea396

SHA512
ffadab124d1777a433ec9fcac7e0f3ffdfd84ce60db7fd46d875502aa894da60a641341f6d1917790ad9e0fa4df0e56c6b6690f50c563ee838cee8c63c53275b

Download Submit
C:\Users\Admin\AppData\Local\Temp\26bff2ca-7c63-479b-a1ca-e15c11901482.vbs

Filesize
735B

MD5
006512e188baf608efd4149e22849ebe

SHA1
ad539976b55f4ff05b9324888646d954644f0594

SHA256
13260335498d2fe4a84cd54bc3983a7b47ae233de2213662ee30817771d0f5de

SHA512
d8d2d96f375ae746c38df7f751ac60f5efdbe89b7665f6635a9bca725d5bcdcdf25cfeca74ddad95c3a184b571a690c9fd0e9acc42e4fb615fc839d95c93bf60

Download Submit
C:\Users\Admin\AppData\Local\Temp\2d17b505-08cb-454b-aaee-2b378c05e8d4.vbs

Filesize
735B

MD5
f73f096e1dd28494fd59f2fe6e053fa5

SHA1
7e729657cde0806f3ea15b0bf0564d47265ca96f

SHA256
7e688ceb30cc44d14632c06f99480dfd29aa99fab42da47641993f2132dc536c

SHA512
6423e893b78795fda3474f786d408bc4835928f7ec3c50ce9ace3eae1c758f211569c83b09d3ce36610b6e841f770c7100155d12b630e91973d258be61746a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\2dca70cb-c41d-449c-9b9a-f1b056b01181.vbs

Filesize
735B

MD5
5f3502bf9b6d85e905e994bf60eeec3f

SHA1
919a0d172dbab89df975c0a57d7dc11ec2ae96e0

SHA256
3d93cf88f78dafb82e9e2a048e01a3d1799d2cbb8e0632be86fb850e1e74d96f

SHA512
b368056eb9fbaa48e349575d2a2418a51170e77fcf160b8f7e0116c6abd5d38a53eeb0f3301d4bc702d3971481fed581c13acb38cf474c7d60250c781ad27e71

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ff2da84-3148-4551-b763-91bed7be3e45.vbs

Filesize
735B

MD5
6e3ee3daf02996e96cd3e4618be5817c

SHA1
dd18a51393e797f12009d1a35424069c06c5df06

SHA256
8528515b4cf2328ffe8c55924cd1ec90e8a54e99c32a284dc372bdf7344297b7

SHA512
945fe8fd0831aaa97dc870fa3c03a3e6c73aec7230b85b7f1f0d2a2a6c070fc17fe10fce67c50ae166672d84d611928f3e294de87a07b6aeebf9906fb4d706c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e411c0d-b2fe-4611-bb27-3bf7f454b57a.vbs

Filesize
735B

MD5
1b024afb52094cbc101edaac5a06992b

SHA1
fd8588b7dcb430d0c5e8f0ff001071ce1693e2fc

SHA256
7aa367d60f8aa2e6041bba673748955144061013bbc2935a680c14b8823e9ffc

SHA512
62596276d5434fc16902bfbbfcb687b5543b69af0f6e42ff51ee436c3a16269ed43ec0e5996ddda9763e0c09507bf35f4060d3b784065e7b212c8eb396be8d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\611f5d83-a1cb-45f8-82e9-7bb784bdb697.vbs

Filesize
735B

MD5
61a112cdfacefbb6a7a98bbb5a882dcd

SHA1
9a0a4b4c1dfda985f91a9cc7ec07ab6f0243ef3a

SHA256
df36ce8e77d076e5ce200def823a74080abec39373cf6575251dcea26eff142a

SHA512
4b9e4b33e278a6c52b0e33529dba092ae7ac126e707001eff1e45c97eb5ae1474b7441a23377700837538d58a2b43e992588dff3d14e54f5385572e86ed863ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\863f85c1-b1e2-44e1-9391-1be5cc9a6c7b.vbs

Filesize
735B

MD5
1c55fb766634f9273f10bc9a8f91dac3

SHA1
3d886e9738d7d87d89ec84754ad5b5b4a96ddc42

SHA256
6450bab1d70f31dd036ac909039969a3a2d6447df85de7b0a47653188500e2cb

SHA512
60f0b4862a8f6e609531145fd38701a617fdafac847868d223dae4574cf6c153908e322e0ac101602495f50b2552d52c4ab027f11b415a7065512ea3ab1453bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\89bfc6cc-72c4-486d-b8fa-bb5d13460f70.vbs

Filesize
735B

MD5
379a24c7fe2fac864e9dc170798ac485

SHA1
54886520c4a386849797a4b34bca43dd0fa42a8f

SHA256
28252c4d62ff62f6fa6617f118da72fd0a3f33b3a0caba8d1ee808877e68482b

SHA512
ac1f3e37c1ab9ebd7def6d7a9bdfb32a854ac5cbb3c2c73488176b0a9825ec1bdfe24a12d753a623c49af5f033d58898d33e529824e0a4bac11cd290fdec7a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\98bef4a1-4fc8-434f-9a5d-7386b2fe6b98.vbs

Filesize
735B

MD5
c658ba1ffe33949b312db46882c12f84

SHA1
7cac246d125b33864f1733b13788bf6959939097

SHA256
5134311a42ca31164cf5dda3965049f9d912cbde121fbbf30739ca232768a639

SHA512
8912c645d790666b7aee9908f35f69285883e90fa9991af88147a92aa571ace9dba0321ad41ba8b4c76e4969d9bb64144c4c49e896271728dcf9e3a306cb84ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\bafaee11-a7af-4bea-b3b0-08b1a987ae40.vbs

Filesize
511B

MD5
fbbc04cd2bb38663945657a27fbe2d77

SHA1
ba77c9c3f9ea6a0f8444d70b0304837c2b71f7c0

SHA256
9870ee513a44e6cd80170453f14349fe0fdde60bc320378574ba94a6cf16c510

SHA512
629e97d4563eac16449eb539040b12fba7186d4f98bd53f69b1b7e19f92f25e6611e087bc28312938a52a5214d540655ad9cec079278c2d8f3b48addcec22fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf636c07-b894-40cd-9f2f-60396a1e993f.vbs

Filesize
735B

MD5
dc18731451a0a41801042c4019535afd

SHA1
8b1afb8cbbb87c31d8633f98dcbe51a57be41ce6

SHA256
4502ca114b88bd4b26edb11132a1488c2174b42ec058a0f4c22bdff9675f31d8

SHA512
1bc8d53f1e17edbb0f09743ed73b86f0e12b3cd370720d8f8467692fba7bb66fddc4ab3d8bcd922d8901c9521a8d63c7d724a81dea776ae1d539dd036cee8178

Download Submit
C:\Users\Admin\AppData\Local\Temp\d399f4b9-e847-48e2-89a2-e7d84cd7ec3b.vbs

Filesize
735B

MD5
082d0e78b86e591144f6feeab987ae5c

SHA1
b83629facd4668ae6bdda2fa0718d555d1c86a9f

SHA256
5dd1568caa16253557dc0461f8b81b6c3332ca2a5919d89e4126ca8e182c871f

SHA512
2b198d917b0b2041f1694662ff790474cd0bd7c597f5fdcd0876b4ee09d32fe2782ab7de96169e20589d9957ddea36bec8f30ed246de99a3a47248d3212685bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\fef7e920-e74e-4d17-a154-a37d2700a9e6.vbs

Filesize
735B

MD5
3305a80364f2e3607641d882e004caee

SHA1
4de9d4abe830b4084073cbf5d1aaaae99557edcd

SHA256
0b1327c62a59dc27dc2ed2feecccb8f8fc843b95806be8fbdd978a05e8b4b6b2

SHA512
d34d8c390923590e6776f75021a0ea06fa2148f93c83d42c64f352e46263986df1a9eec42ab798344679b48d318be3715c4e57a65b08e07448968c2f55f49387

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIr7g9QuKX.bat

Filesize
224B

MD5
97434ce21786073bfc21d72eb9726088

SHA1
070a0b92df4b0039ff0f9f8f48f9d99e43d15235

SHA256
b2fb8e3447ba3027dfdc1ccb2262e117c41aa7f99311d5ebfc19b0456c26e191

SHA512
7e4d38f115316219966c48f4920af3d3ebb49797752be11af0aadabb3f1955736fa25707d94f5257878228bc62af71f0965ebfe41a08dde30217f484ca2bc077

Download Submit
C:\Users\Admin\Contacts\csrss.exe

Filesize
885KB

MD5
cc027f345eec8bb836216b98c2a013df

SHA1
f13c3e0e7c6d7938dfb97fb19a55cc47424b174e

SHA256
00bc028b5d4f9cdadf18888944bf27281bfe3299b051f9e4f20f129f5f45b400

SHA512
4740c0d83f273b50ccfd0a5a1b53a66782d9b811ce323b010a915ca78d6e844ed94b75e57eb8d97b06b1848679fa9ee5abc3b24e97fff8292050c1726449a2b6

Download Submit
memory/1520-290-0x0000000000A30000-0x0000000000B14000-memory.dmp

Filesize
912KB

Download
memory/1540-395-0x0000000001180000-0x0000000001264000-memory.dmp

Filesize
912KB

Download
memory/1816-231-0x0000000000D60000-0x0000000000E44000-memory.dmp

Filesize
912KB

Download
memory/2020-254-0x00000000012B0000-0x0000000001394000-memory.dmp

Filesize
912KB

Download
memory/2188-326-0x0000000000E20000-0x0000000000F04000-memory.dmp

Filesize
912KB

Download
memory/2308-8-0x0000000000A60000-0x0000000000A68000-memory.dmp

Filesize
32KB

Download
memory/2308-4-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download
memory/2308-1-0x00000000010F0000-0x00000000011D4000-memory.dmp

Filesize
912KB

Download
memory/2308-9-0x0000000000A70000-0x0000000000A7C000-memory.dmp

Filesize
48KB

Download
memory/2308-2-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/2308-3-0x00000000001C0000-0x00000000001DC000-memory.dmp

Filesize
112KB

Download
memory/2308-228-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/2308-0-0x000007FEF5763000-0x000007FEF5764000-memory.dmp

Filesize
4KB

Download
memory/2308-7-0x00000000005B0000-0x00000000005BE000-memory.dmp

Filesize
56KB

Download
memory/2308-6-0x0000000000570000-0x000000000057A000-memory.dmp

Filesize
40KB

Download
memory/2308-278-0x0000000000230000-0x0000000000314000-memory.dmp

Filesize
912KB

Download
memory/2308-5-0x0000000000590000-0x00000000005A6000-memory.dmp

Filesize
88KB

Download
memory/2340-360-0x0000000000E80000-0x0000000000F64000-memory.dmp

Filesize
912KB

Download
memory/2372-302-0x0000000000FA0000-0x0000000001084000-memory.dmp

Filesize
912KB

Download
memory/2488-242-0x0000000000020000-0x0000000000104000-memory.dmp

Filesize
912KB

Download
memory/2708-372-0x0000000000F10000-0x0000000000FF4000-memory.dmp

Filesize
912KB

Download
memory/2860-266-0x0000000000070000-0x0000000000154000-memory.dmp

Filesize
912KB

Download
memory/2920-314-0x00000000003C0000-0x00000000004A4000-memory.dmp

Filesize
912KB

Download