dcrat | ec9fa98b9c0a55ad5d3b51bf6148b6e2041d1a14c36b4ad98caa9438bc3854e9

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe282eaa9036b889aafc6db602127b45.exe
Size

885KB
MD5

fe282eaa9036b889aafc6db602127b45
SHA1

65e037b4c6a892801ac475c201219167f89d1f48
SHA256

1a55e2bcf26895655a7da6acda6ecbdbef033d60bf805aaf4ef88c0cf6348cb6
SHA512

c3a913f2ba698ec5d387cb394b7b6fb600271dcb7d2db8c8162d2f6c90c9dd123d4f9dcbd482d6ee8e76c83cacb566faf4f7bd92fea981e2c49fee8817854d39
SSDEEP

12288:8lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:8lNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2908	schtasks.exe	30

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral3/memory/2180-1-0x0000000000C80000-0x0000000000D64000-memory.dmp	dcrat
behavioral3/files/0x000500000001946e-18.dat	dcrat
behavioral3/files/0x000500000001a4e4-147.dat	dcrat
behavioral3/memory/332-253-0x00000000003B0000-0x0000000000494000-memory.dmp	dcrat
behavioral3/memory/2236-265-0x0000000000CE0000-0x0000000000DC4000-memory.dmp	dcrat
behavioral3/memory/3012-277-0x0000000000DE0000-0x0000000000EC4000-memory.dmp	dcrat
behavioral3/memory/1928-289-0x0000000000290000-0x0000000000374000-memory.dmp	dcrat
behavioral3/memory/1740-301-0x00000000000B0000-0x0000000000194000-memory.dmp	dcrat
behavioral3/memory/880-313-0x00000000008A0000-0x0000000000984000-memory.dmp	dcrat
behavioral3/memory/300-325-0x0000000000A60000-0x0000000000B44000-memory.dmp	dcrat
behavioral3/memory/328-348-0x0000000001120000-0x0000000001204000-memory.dmp	dcrat
behavioral3/memory/2644-360-0x0000000001250000-0x0000000001334000-memory.dmp	dcrat
behavioral3/memory/832-383-0x00000000013C0000-0x00000000014A4000-memory.dmp	dcrat
behavioral3/memory/2916-395-0x00000000001F0000-0x00000000002D4000-memory.dmp	dcrat
behavioral3/memory/1740-407-0x0000000000840000-0x0000000000924000-memory.dmp	dcrat

Executes dropped EXE 14 IoCs

pid	Process
332	spoolsv.exe
2236	spoolsv.exe
3012	spoolsv.exe
1928	spoolsv.exe
1740	spoolsv.exe
880	spoolsv.exe
300	spoolsv.exe
2384	spoolsv.exe
328	spoolsv.exe
2644	spoolsv.exe
2440	spoolsv.exe
832	spoolsv.exe
2916	spoolsv.exe
1740	spoolsv.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\images\System.exe	fe282eaa9036b889aafc6db602127b45.exe
File created	C:\Program Files\Windows NT\Accessories\spoolsv.exe	fe282eaa9036b889aafc6db602127b45.exe
File created	C:\Program Files\Windows NT\Accessories\f3b6ecef712a24	fe282eaa9036b889aafc6db602127b45.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\spoolsv.exe	fe282eaa9036b889aafc6db602127b45.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\f3b6ecef712a24	fe282eaa9036b889aafc6db602127b45.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\RCX183C.tmp	fe282eaa9036b889aafc6db602127b45.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\RCX183D.tmp	fe282eaa9036b889aafc6db602127b45.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\RCX1861.tmp	fe282eaa9036b889aafc6db602127b45.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\wininit.exe	fe282eaa9036b889aafc6db602127b45.exe
File opened for modification	C:\Program Files\Internet Explorer\images\RCX1805.tmp	fe282eaa9036b889aafc6db602127b45.exe
File opened for modification	C:\Program Files\Internet Explorer\images\RCX1806.tmp	fe282eaa9036b889aafc6db602127b45.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\RCX18E1.tmp	fe282eaa9036b889aafc6db602127b45.exe
File created	C:\Program Files\Java\f3b6ecef712a24	fe282eaa9036b889aafc6db602127b45.exe
File created	C:\Program Files\Internet Explorer\images\System.exe	fe282eaa9036b889aafc6db602127b45.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\6203df4a6bafc7	fe282eaa9036b889aafc6db602127b45.exe
File created	C:\Program Files\Java\spoolsv.exe	fe282eaa9036b889aafc6db602127b45.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\RCX1862.tmp	fe282eaa9036b889aafc6db602127b45.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\RCX1863.tmp	fe282eaa9036b889aafc6db602127b45.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\RCX198E.tmp	fe282eaa9036b889aafc6db602127b45.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\RCX199F.tmp	fe282eaa9036b889aafc6db602127b45.exe
File created	C:\Program Files\Internet Explorer\images\27d1bcfc3c54e0	fe282eaa9036b889aafc6db602127b45.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\lsass.exe	fe282eaa9036b889aafc6db602127b45.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\56085415360792	fe282eaa9036b889aafc6db602127b45.exe
File opened for modification	C:\Program Files\Java\RCX190B.tmp	fe282eaa9036b889aafc6db602127b45.exe
File opened for modification	C:\Program Files\Java\RCX190C.tmp	fe282eaa9036b889aafc6db602127b45.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\Migration\smss.exe	fe282eaa9036b889aafc6db602127b45.exe
File created	C:\Windows\Migration\69ddcba757bf72	fe282eaa9036b889aafc6db602127b45.exe
File created	C:\Windows\AppPatch\dwm.exe	fe282eaa9036b889aafc6db602127b45.exe
File created	C:\Windows\AppPatch\6cb0b6c459d5d3	fe282eaa9036b889aafc6db602127b45.exe
File opened for modification	C:\Windows\Resources\RCX181A.tmp	fe282eaa9036b889aafc6db602127b45.exe
File opened for modification	C:\Windows\AppPatch\RCX18F6.tmp	fe282eaa9036b889aafc6db602127b45.exe
File opened for modification	C:\Windows\AppPatch\RCX18F7.tmp	fe282eaa9036b889aafc6db602127b45.exe
File created	C:\Windows\servicing\Sessions\lsm.exe	fe282eaa9036b889aafc6db602127b45.exe
File created	C:\Windows\Resources\dwm.exe	fe282eaa9036b889aafc6db602127b45.exe
File opened for modification	C:\Windows\Resources\RCX1819.tmp	fe282eaa9036b889aafc6db602127b45.exe
File opened for modification	C:\Windows\Migration\RCX18E4.tmp	fe282eaa9036b889aafc6db602127b45.exe
File opened for modification	C:\Windows\Migration\RCX18E5.tmp	fe282eaa9036b889aafc6db602127b45.exe
File created	C:\Windows\Resources\6cb0b6c459d5d3	fe282eaa9036b889aafc6db602127b45.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2092	schtasks.exe
1248	schtasks.exe
332	schtasks.exe
2208	schtasks.exe
444	schtasks.exe
2448	schtasks.exe
1648	schtasks.exe
2340	schtasks.exe
2652	schtasks.exe
2952	schtasks.exe
880	schtasks.exe
3068	schtasks.exe
2356	schtasks.exe
2564	schtasks.exe
1272	schtasks.exe
1456	schtasks.exe
1332	schtasks.exe
992	schtasks.exe
944	schtasks.exe
828	schtasks.exe
2416	schtasks.exe
2600	schtasks.exe
1164	schtasks.exe
1128	schtasks.exe
2528	schtasks.exe
624	schtasks.exe
2312	schtasks.exe
836	schtasks.exe
1460	schtasks.exe
2156	schtasks.exe
1852	schtasks.exe
884	schtasks.exe
1764	schtasks.exe
2352	schtasks.exe
1000	schtasks.exe
2620	schtasks.exe
2540	schtasks.exe
2848	schtasks.exe
2860	schtasks.exe
2044	schtasks.exe
1264	schtasks.exe
2368	schtasks.exe
2740	schtasks.exe
2132	schtasks.exe
2188	schtasks.exe
3020	schtasks.exe
908	schtasks.exe
1812	schtasks.exe
2204	schtasks.exe
2280	schtasks.exe
2592	schtasks.exe
840	schtasks.exe
1960	schtasks.exe
2128	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2180	fe282eaa9036b889aafc6db602127b45.exe
2180	fe282eaa9036b889aafc6db602127b45.exe
2180	fe282eaa9036b889aafc6db602127b45.exe
2180	fe282eaa9036b889aafc6db602127b45.exe
2180	fe282eaa9036b889aafc6db602127b45.exe
2180	fe282eaa9036b889aafc6db602127b45.exe
2180	fe282eaa9036b889aafc6db602127b45.exe
332	spoolsv.exe
2236	spoolsv.exe
3012	spoolsv.exe
1928	spoolsv.exe
1740	spoolsv.exe
880	spoolsv.exe
300	spoolsv.exe
2384	spoolsv.exe
328	spoolsv.exe
2644	spoolsv.exe
2440	spoolsv.exe
832	spoolsv.exe
2916	spoolsv.exe
1740	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2180	fe282eaa9036b889aafc6db602127b45.exe
Token: SeDebugPrivilege	332	spoolsv.exe
Token: SeDebugPrivilege	2236	spoolsv.exe
Token: SeDebugPrivilege	3012	spoolsv.exe
Token: SeDebugPrivilege	1928	spoolsv.exe
Token: SeDebugPrivilege	1740	spoolsv.exe
Token: SeDebugPrivilege	880	spoolsv.exe
Token: SeDebugPrivilege	300	spoolsv.exe
Token: SeDebugPrivilege	2384	spoolsv.exe
Token: SeDebugPrivilege	328	spoolsv.exe
Token: SeDebugPrivilege	2644	spoolsv.exe
Token: SeDebugPrivilege	2440	spoolsv.exe
Token: SeDebugPrivilege	832	spoolsv.exe
Token: SeDebugPrivilege	2916	spoolsv.exe
Token: SeDebugPrivilege	1740	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 332	2180	fe282eaa9036b889aafc6db602127b45.exe	85
PID 2180 wrote to memory of 332	2180	fe282eaa9036b889aafc6db602127b45.exe	85
PID 2180 wrote to memory of 332	2180	fe282eaa9036b889aafc6db602127b45.exe	85
PID 332 wrote to memory of 2140	332	spoolsv.exe	86
PID 332 wrote to memory of 2140	332	spoolsv.exe	86
PID 332 wrote to memory of 2140	332	spoolsv.exe	86
PID 332 wrote to memory of 2892	332	spoolsv.exe	87
PID 332 wrote to memory of 2892	332	spoolsv.exe	87
PID 332 wrote to memory of 2892	332	spoolsv.exe	87
PID 2140 wrote to memory of 2236	2140	WScript.exe	88
PID 2140 wrote to memory of 2236	2140	WScript.exe	88
PID 2140 wrote to memory of 2236	2140	WScript.exe	88
PID 2236 wrote to memory of 2384	2236	spoolsv.exe	89
PID 2236 wrote to memory of 2384	2236	spoolsv.exe	89
PID 2236 wrote to memory of 2384	2236	spoolsv.exe	89
PID 2236 wrote to memory of 1852	2236	spoolsv.exe	90
PID 2236 wrote to memory of 1852	2236	spoolsv.exe	90
PID 2236 wrote to memory of 1852	2236	spoolsv.exe	90
PID 2384 wrote to memory of 3012	2384	WScript.exe	91
PID 2384 wrote to memory of 3012	2384	WScript.exe	91
PID 2384 wrote to memory of 3012	2384	WScript.exe	91
PID 3012 wrote to memory of 2116	3012	spoolsv.exe	92
PID 3012 wrote to memory of 2116	3012	spoolsv.exe	92
PID 3012 wrote to memory of 2116	3012	spoolsv.exe	92
PID 3012 wrote to memory of 3060	3012	spoolsv.exe	93
PID 3012 wrote to memory of 3060	3012	spoolsv.exe	93
PID 3012 wrote to memory of 3060	3012	spoolsv.exe	93
PID 2116 wrote to memory of 1928	2116	WScript.exe	94
PID 2116 wrote to memory of 1928	2116	WScript.exe	94
PID 2116 wrote to memory of 1928	2116	WScript.exe	94
PID 1928 wrote to memory of 992	1928	spoolsv.exe	95
PID 1928 wrote to memory of 992	1928	spoolsv.exe	95
PID 1928 wrote to memory of 992	1928	spoolsv.exe	95
PID 1928 wrote to memory of 2732	1928	spoolsv.exe	96
PID 1928 wrote to memory of 2732	1928	spoolsv.exe	96
PID 1928 wrote to memory of 2732	1928	spoolsv.exe	96
PID 992 wrote to memory of 1740	992	WScript.exe	97
PID 992 wrote to memory of 1740	992	WScript.exe	97
PID 992 wrote to memory of 1740	992	WScript.exe	97
PID 1740 wrote to memory of 2472	1740	spoolsv.exe	98
PID 1740 wrote to memory of 2472	1740	spoolsv.exe	98
PID 1740 wrote to memory of 2472	1740	spoolsv.exe	98
PID 1740 wrote to memory of 2408	1740	spoolsv.exe	99
PID 1740 wrote to memory of 2408	1740	spoolsv.exe	99
PID 1740 wrote to memory of 2408	1740	spoolsv.exe	99
PID 2472 wrote to memory of 880	2472	WScript.exe	100
PID 2472 wrote to memory of 880	2472	WScript.exe	100
PID 2472 wrote to memory of 880	2472	WScript.exe	100
PID 880 wrote to memory of 1692	880	spoolsv.exe	101
PID 880 wrote to memory of 1692	880	spoolsv.exe	101
PID 880 wrote to memory of 1692	880	spoolsv.exe	101
PID 880 wrote to memory of 1792	880	spoolsv.exe	102
PID 880 wrote to memory of 1792	880	spoolsv.exe	102
PID 880 wrote to memory of 1792	880	spoolsv.exe	102
PID 1692 wrote to memory of 300	1692	WScript.exe	103
PID 1692 wrote to memory of 300	1692	WScript.exe	103
PID 1692 wrote to memory of 300	1692	WScript.exe	103
PID 300 wrote to memory of 2184	300	spoolsv.exe	104
PID 300 wrote to memory of 2184	300	spoolsv.exe	104
PID 300 wrote to memory of 2184	300	spoolsv.exe	104
PID 300 wrote to memory of 688	300	spoolsv.exe	105
PID 300 wrote to memory of 688	300	spoolsv.exe	105
PID 300 wrote to memory of 688	300	spoolsv.exe	105
PID 2184 wrote to memory of 2384	2184	WScript.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fe282eaa9036b889aafc6db602127b45.exe
"C:\Users\Admin\AppData\Local\Temp\fe282eaa9036b889aafc6db602127b45.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Program Files\Windows NT\Accessories\spoolsv.exe
  "C:\Program Files\Windows NT\Accessories\spoolsv.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:332
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe82ca05-1149-4e6e-afc1-5dfbbda2b82a.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Program Files\Windows NT\Accessories\spoolsv.exe
      "C:\Program Files\Windows NT\Accessories\spoolsv.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2236
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9af222ca-d5f5-4791-88e9-a025cb0d8df4.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2384
      - C:\Program Files\Windows NT\Accessories\spoolsv.exe
        
        "C:\Program Files\Windows NT\Accessories\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a90d9bb7-bedd-4eb9-9788-5080da72e3d2.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Program Files\Windows NT\Accessories\spoolsv.exe
        
        "C:\Program Files\Windows NT\Accessories\spoolsv.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f155ebc5-5b45-4a36-9af1-fcf1c559ae6e.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:992
        
        C:\Program Files\Windows NT\Accessories\spoolsv.exe
        
        "C:\Program Files\Windows NT\Accessories\spoolsv.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d28a84e-0b96-49ad-b76d-53623bc53074.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Program Files\Windows NT\Accessories\spoolsv.exe
        
        "C:\Program Files\Windows NT\Accessories\spoolsv.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e48cb55d-e5db-4b5b-9391-bb66c9801b1f.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Program Files\Windows NT\Accessories\spoolsv.exe
        
        "C:\Program Files\Windows NT\Accessories\spoolsv.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22287549-05ad-4ea1-bd20-c8e376646c22.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Program Files\Windows NT\Accessories\spoolsv.exe
        
        "C:\Program Files\Windows NT\Accessories\spoolsv.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e20944e-aeb9-4f01-b721-be2f9aa96ee3.vbs"
        17⤵
        
        PID:2960
        
        C:\Program Files\Windows NT\Accessories\spoolsv.exe
        
        "C:\Program Files\Windows NT\Accessories\spoolsv.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a1be6ab-b1f1-4e6b-8cc7-db77ebf0f416.vbs"
        19⤵
        
        PID:824
        
        C:\Program Files\Windows NT\Accessories\spoolsv.exe
        
        "C:\Program Files\Windows NT\Accessories\spoolsv.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99837994-f973-4db4-937b-baaf34fb6960.vbs"
        21⤵
        
        PID:3044
        
        C:\Program Files\Windows NT\Accessories\spoolsv.exe
        
        "C:\Program Files\Windows NT\Accessories\spoolsv.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07c7010f-afe3-445a-83be-ea8e59b1e76f.vbs"
        23⤵
        
        PID:352
        
        C:\Program Files\Windows NT\Accessories\spoolsv.exe
        
        "C:\Program Files\Windows NT\Accessories\spoolsv.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8c26026-2942-4711-86b6-b7f19269996c.vbs"
        25⤵
        
        PID:2320
        
        C:\Program Files\Windows NT\Accessories\spoolsv.exe
        
        "C:\Program Files\Windows NT\Accessories\spoolsv.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3258438-433b-4a92-b555-b297a1cdefb8.vbs"
        27⤵
        
        PID:1960
        
        C:\Program Files\Windows NT\Accessories\spoolsv.exe
        
        "C:\Program Files\Windows NT\Accessories\spoolsv.exe"
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47170903-01a6-44ed-9dad-be34f71b209b.vbs"
        27⤵
        
        PID:1000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c564d498-67f9-496d-ad52-5a2edb4a3f54.vbs"
        25⤵
        
        PID:2104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a4544c9-55a7-4216-9604-fcc9e4f3c06b.vbs"
        23⤵
        
        PID:2624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\834e5ea7-cb6c-41b8-ae20-3528bf34396a.vbs"
        21⤵
        
        PID:1128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbf3ed4b-250f-4831-8e63-d825078c6cb6.vbs"
        19⤵
        
        PID:1984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb51c804-d2de-40e0-b6eb-bb059ac5d292.vbs"
        17⤵
        
        PID:2204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\449e2e34-8b86-4a9b-8dcb-ac4d9579696c.vbs"
        15⤵
        
        PID:688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db4ce3a1-2063-45b5-a4b7-ad3316a1afb5.vbs"
        13⤵
        
        PID:1792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f039ecbb-31fe-42e7-8713-78766d0d3110.vbs"
        11⤵
        
        PID:2408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\557c9746-2656-442d-8741-78d547805972.vbs"
        9⤵
        
        PID:2732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3889e1dc-a69e-4f5d-a181-ea3df5e7e168.vbs"
        7⤵
        
        PID:3060
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\beb9844b-98e2-4385-87f5-d857195b2578.vbs"
        5⤵
        
        PID:1852
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfe7d919-5b92-4e68-97f1-9a088da99289.vbs"
    3⤵
    PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\images\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\images\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Start Menu\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\Resources\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Resources\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Microsoft\MSDN\8.0\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\MSDN\8.0\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft\MSDN\8.0\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\Migration\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Migration\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\AppPatch\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\AppPatch\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\AppPatch\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fe282eaa9036b889aafc6db602127b45f" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\fe282eaa9036b889aafc6db602127b45.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fe282eaa9036b889aafc6db602127b45" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\fe282eaa9036b889aafc6db602127b45.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fe282eaa9036b889aafc6db602127b45f" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\fe282eaa9036b889aafc6db602127b45.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Java\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Reference Assemblies\Microsoft\lsass.exe

Filesize
885KB

MD5
0105ca058f81a8e2a1d4f23938a8bb7b

SHA1
4ab5fd95683ab5266966a1d2dd7ff644b56b4b9c

SHA256
419de0faa1410cac3e30399f9aa58c7daf7f71d6846ca0ef1f4ad91029c184fe

SHA512
fc9cd1752360ed7944c5e979f0b7fea08224daff43cdddcd61fb690d058c6b2b2891305a4b447ddbe015567b7d5b5d4c15badb86b6a54f5982ba66615751ffcf

Download Submit
C:\Program Files\Windows NT\Accessories\spoolsv.exe

Filesize
885KB

MD5
fe282eaa9036b889aafc6db602127b45

SHA1
65e037b4c6a892801ac475c201219167f89d1f48

SHA256
1a55e2bcf26895655a7da6acda6ecbdbef033d60bf805aaf4ef88c0cf6348cb6

SHA512
c3a913f2ba698ec5d387cb394b7b6fb600271dcb7d2db8c8162d2f6c90c9dd123d4f9dcbd482d6ee8e76c83cacb566faf4f7bd92fea981e2c49fee8817854d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\07c7010f-afe3-445a-83be-ea8e59b1e76f.vbs

Filesize
727B

MD5
ee5759b772e22204c8ac97fe3ef596d4

SHA1
f25e9e2e292672a24d0a85516d0f1bd53a6a6c6b

SHA256
1344c2bf5965eb84905f98b9a78daf886399305627119330c1300550f3e22cd6

SHA512
25c5eb35ad105747d593bee04dc2a7641cac45edc62f53046c2ad48bbcc7905413206a2bfff3e202e93f121a411226c959d6004bfcd601bc5f9dadbc1ae04c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a1be6ab-b1f1-4e6b-8cc7-db77ebf0f416.vbs

Filesize
726B

MD5
f804946a13067b8e25bcb1b0b68918b2

SHA1
fbceb068ec51809c66b2766ad8bcc720a00ff8d8

SHA256
6e78ccbca79a204d6503b628d000ecc03525a497c47cefdce7dccee7527055ae

SHA512
f179fcb8c0ac4509b5bfc58eaff32229d74cac6e3ef98dd32aae1c6eca34e34a40a27950eb164d3c4b8f6ac9f6def8387699dd6a30bae5ec9ffdd2db1f85e1cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e20944e-aeb9-4f01-b721-be2f9aa96ee3.vbs

Filesize
727B

MD5
7f26c1c931e9b45c0fdd1baef8f9cd85

SHA1
e32225980206532c096f138a2c5da17298eb6c52

SHA256
2fb4bf853b77a59cba85f3366e10539483ffd48bbdb7b27d149b3ccfba60df7d

SHA512
3ea12fbd3f42d228d3107ba37a652ee204bc2a2e61a51b19e142fbfb2e7ac99088b302dde82fe9c5bd84b3939e93960dffbd049643c59b647324165ffa6e62d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\22287549-05ad-4ea1-bd20-c8e376646c22.vbs

Filesize
726B

MD5
3a15c2c266a6863246b702d74d52a770

SHA1
70f836417dc6a6a78d05b8cacdfb95f1db957ada

SHA256
fe377462f505c0f0110e9fda938b3da67007b4b9cce34895f4971aa30a97f962

SHA512
e27dc3cdf99414eb5b0b3edc0d630928f1a2668b890250ced7b38328cd461dca0b942ef8dac68cc76712a472912ceb42303ba5b7c5f5b6dcd70d85323087d5af

Download Submit
C:\Users\Admin\AppData\Local\Temp\4d28a84e-0b96-49ad-b76d-53623bc53074.vbs

Filesize
727B

MD5
5e5c3abae4287e08d9263e8dd14db194

SHA1
ac785e2482c163b360410549f2a35937f2851ce4

SHA256
22141c295baeb5264f3e7f48b9574f3664808ba9692c149796e7a04ac4038144

SHA512
71d8818eea992200881ed3d8586fc34889152d7b5b6c5b9d03c5018523afbf88a6620b316ea7f0a9d2d799541f478499c1a1ca62755da3711af81289d7f4eed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\99837994-f973-4db4-937b-baaf34fb6960.vbs

Filesize
727B

MD5
a926ed15be2fa99b70e7e6777464566e

SHA1
f3fd067bb46208606f3e7d7ea1b19d1b638da6d2

SHA256
652fbdc9381c7a59cda6f607e9541faeeb07d0f63b56a2500b02a9766b63858a

SHA512
0633006bf6c4f038aa0a8cd898a6a83d9266f06b89566cdacb5524ac9b0fb80d9cb65ed73c6f8b7756aeb2b9088e4d4adb8f2a8650570e053de74d53db6502ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\9af222ca-d5f5-4791-88e9-a025cb0d8df4.vbs

Filesize
727B

MD5
7610bfea19a349950536f5485b1d7b79

SHA1
01d5a601b06f76ef2e0b8bc9a280af6eeec3e75c

SHA256
8fa72d929b2a132bd4394b2c0ed5b34b3d0488c6aede463e5be440510686bacb

SHA512
436e7c6f005a7a231ac20a1924286f77426e5a20a206086bdbee7283b73b3f91f94418b774128e58bcd6c20991dbc9e31f4f3b99d1995844ee7d0e7d9923cade

Download Submit
C:\Users\Admin\AppData\Local\Temp\a3258438-433b-4a92-b555-b297a1cdefb8.vbs

Filesize
727B

MD5
2821b09c868a3c5d0d526909d87afb06

SHA1
82f4307a8a19c2f6a3396a0d99b88b351f3c6038

SHA256
185a432f105333fe06f701e1b02ce193c00586067cf07862c716a43ff5adffb8

SHA512
15783e38f3415c497f1560436de6f67859d71698b1c669d1530cae11a17813d39950d34beb743ed648c0b14872d3d44db9b24bed9675da32bb9fda9c8a1212b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a90d9bb7-bedd-4eb9-9788-5080da72e3d2.vbs

Filesize
727B

MD5
129560b96c1fc021a1271dcab942c600

SHA1
e97ab10f03cee9ceb40aa930282f9f41128ce8a6

SHA256
0464064c48ae26ceafe4c2a8dae7f2fcfeb3c86e83f7964ab2f313ac76a1ffdc

SHA512
1f2e39d08781a816673bae57f6fa2e96894fc074c77090fecce3f610334d224d5a9518a508ec01d8e82f2970610154bb9c4dd12a04a04ca286b222281e61fc75

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfe7d919-5b92-4e68-97f1-9a088da99289.vbs

Filesize
503B

MD5
d9d9725f5424dc1da1c40f3a5108bffd

SHA1
fa6b19989a96a9f6a907bfffbd043d4c6e499cff

SHA256
2834a46e380abdaaee192f5c953b7fbe8e97789239750868d8cf164ed9c441f1

SHA512
1b941d7b315e482b0d8e0a6e78bfcd908d0cf1d65e316ddc11c00bcc6bdf77b16b9104b4dac72e22c198f973d82d5a84614dd04ee0925016306d2a1a4c5e2b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\e48cb55d-e5db-4b5b-9391-bb66c9801b1f.vbs

Filesize
726B

MD5
f7ac9b89f3811b3f92c9e24924c7cba7

SHA1
0c0288f5f27044277673886f814fa86ba641c568

SHA256
310eb550377d5d9b773db08f2970a7cab80604604da3f90e9e92a70e12ae0397

SHA512
52a811bbe4bc01217da760cdb537a122ecf87b7c5bbbd40588863c8f9d6cf278603fc841e67c949072353967deaf06a21acfb13dbeed5bd7f5dccec172875438

Download Submit
C:\Users\Admin\AppData\Local\Temp\f155ebc5-5b45-4a36-9af1-fcf1c559ae6e.vbs

Filesize
727B

MD5
0c603b7dc1074a57769f8bb8ddb9af4c

SHA1
58b169f62fa5023e82448bd09450acda836b2ed6

SHA256
b58e558b39385f8fe11d62dfca5686ce09282bfa7cd4d70b923562c77065529a

SHA512
4ba83dab61bce14a4ac0f7dbe8bd7f8b5b9ef2faa102da24d0ba5086d963db0095c6bc449bb95f326f681434dd6dd7be525f94f98432d2f219108217c29f8955

Download Submit
C:\Users\Admin\AppData\Local\Temp\f8c26026-2942-4711-86b6-b7f19269996c.vbs

Filesize
726B

MD5
d2f43173aadf1f05dceabf88c90718d9

SHA1
7d74490517fdc6ffa22ace8da8ecff322239b0b4

SHA256
a7badfc2673c7ffe00c5b686cfe4cd4165d98e552993c22b5f65ca9b5feceb0c

SHA512
85f1fab0a957839b50d2c8898edca072cd85e59558aebf3ca2f2da8c250d40409c8fe1bbd226024e0780e547c30ccb9477b1a988d22b8eadd5d5647f464828ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe82ca05-1149-4e6e-afc1-5dfbbda2b82a.vbs

Filesize
726B

MD5
f6e21511b8017b55d32185821252bd54

SHA1
8f4286384c91a2643cf8c82f41f5cf3b5d48c737

SHA256
7208c6dfa38ce730175e7c4082c71257ed7bbbc4ac8a6d7fae9a6fe94d12e64d

SHA512
25ab0d396bb5fae11066fa6ca8213882c1654b7ad32660b182e15782e7eecf21a73dd054df0aa8f4a040c013eef9807ea7d31850ab34fcb3ea1b469410454b10

Download Submit
memory/300-325-0x0000000000A60000-0x0000000000B44000-memory.dmp

Filesize
912KB

Download
memory/328-348-0x0000000001120000-0x0000000001204000-memory.dmp

Filesize
912KB

Download
memory/332-253-0x00000000003B0000-0x0000000000494000-memory.dmp

Filesize
912KB

Download
memory/832-383-0x00000000013C0000-0x00000000014A4000-memory.dmp

Filesize
912KB

Download
memory/880-313-0x00000000008A0000-0x0000000000984000-memory.dmp

Filesize
912KB

Download
memory/1740-301-0x00000000000B0000-0x0000000000194000-memory.dmp

Filesize
912KB

Download
memory/1740-407-0x0000000000840000-0x0000000000924000-memory.dmp

Filesize
912KB

Download
memory/1928-289-0x0000000000290000-0x0000000000374000-memory.dmp

Filesize
912KB

Download
memory/2180-9-0x0000000000A70000-0x0000000000A7C000-memory.dmp

Filesize
48KB

Download
memory/2180-4-0x0000000000570000-0x0000000000580000-memory.dmp

Filesize
64KB

Download
memory/2180-1-0x0000000000C80000-0x0000000000D64000-memory.dmp

Filesize
912KB

Download
memory/2180-254-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/2180-0-0x000007FEF57C3000-0x000007FEF57C4000-memory.dmp

Filesize
4KB

Download
memory/2180-8-0x00000000005C0000-0x00000000005C8000-memory.dmp

Filesize
32KB

Download
memory/2180-7-0x00000000005B0000-0x00000000005BE000-memory.dmp

Filesize
56KB

Download
memory/2180-2-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/2180-6-0x00000000005A0000-0x00000000005AA000-memory.dmp

Filesize
40KB

Download
memory/2180-5-0x0000000000580000-0x0000000000596000-memory.dmp

Filesize
88KB

Download
memory/2180-3-0x0000000000550000-0x000000000056C000-memory.dmp

Filesize
112KB

Download
memory/2236-265-0x0000000000CE0000-0x0000000000DC4000-memory.dmp

Filesize
912KB

Download
memory/2644-360-0x0000000001250000-0x0000000001334000-memory.dmp

Filesize
912KB

Download
memory/2916-395-0x00000000001F0000-0x00000000002D4000-memory.dmp

Filesize
912KB

Download
memory/3012-277-0x0000000000DE0000-0x0000000000EC4000-memory.dmp

Filesize
912KB

Download