dcrat | 8e52ba8956d643c96cdeb75c43492302cf710a3d2acc852442930dedbe9ea1bb

Analysis

max time kernel
63s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eac98ebb342782d2e8ef453b3d4006f5.exe
Size

885KB
MD5

eac98ebb342782d2e8ef453b3d4006f5
SHA1

b8bfb2496a72d101e9c8f0a86c6a838615b99b72
SHA256

554055083c7aee5ed747c7fad8cd8232365485281f84a05ffb757732b0f323f4
SHA512

f4778728326651083824f1e0023b04959077a722ef333d981e614c8cd45824c357a341d757e0a6427ebd6ac00f7c2b8204f6706f4a047e775ff70269d1112dc2
SSDEEP

12288:0lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:0lNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3884	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5832	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5436	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5724	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5852	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5680	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6072	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5664	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6116	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5776	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3120	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5352	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3404	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5208	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3428	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5280	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5380	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3696	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5324	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4180	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	5056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	5056	schtasks.exe	87

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral14/memory/5372-1-0x00000000001C0000-0x00000000002A4000-memory.dmp	dcrat
behavioral14/files/0x0007000000024226-19.dat	dcrat
behavioral14/files/0x0007000000024229-415.dat	dcrat
behavioral14/files/0x0007000000024254-419.dat	dcrat

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	eac98ebb342782d2e8ef453b3d4006f5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	spoolsv.exe

Executes dropped EXE 7 IoCs

pid	Process
5524	spoolsv.exe
4772	spoolsv.exe
2312	spoolsv.exe
6120	spoolsv.exe
4172	spoolsv.exe
5684	spoolsv.exe
4280	spoolsv.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files\edge_BITS_4484_1552870239\RuntimeBroker.exe	eac98ebb342782d2e8ef453b3d4006f5.exe
File created	C:\Program Files\edge_BITS_4484_1552870239\9e8d7a4ca61bd9	eac98ebb342782d2e8ef453b3d4006f5.exe
File created	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Registry.exe	eac98ebb342782d2e8ef453b3d4006f5.exe
File created	C:\Program Files\dotnet\host\fxr\8.0.2\29c1c3cc0f7685	eac98ebb342782d2e8ef453b3d4006f5.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\RCX424E.tmp	eac98ebb342782d2e8ef453b3d4006f5.exe
File opened for modification	C:\Program Files\edge_BITS_4484_1552870239\RCX42A7.tmp	eac98ebb342782d2e8ef453b3d4006f5.exe
File opened for modification	C:\Program Files\edge_BITS_4484_1552870239\RCX42A8.tmp	eac98ebb342782d2e8ef453b3d4006f5.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCX42F3.tmp	eac98ebb342782d2e8ef453b3d4006f5.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\RCX42A9.tmp	eac98ebb342782d2e8ef453b3d4006f5.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\8.0.2\RCX4307.tmp	eac98ebb342782d2e8ef453b3d4006f5.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\spoolsv.exe	eac98ebb342782d2e8ef453b3d4006f5.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\f3b6ecef712a24	eac98ebb342782d2e8ef453b3d4006f5.exe
File created	C:\Program Files\dotnet\host\fxr\8.0.2\unsecapp.exe	eac98ebb342782d2e8ef453b3d4006f5.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\RCX42B9.tmp	eac98ebb342782d2e8ef453b3d4006f5.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\8.0.2\RCX4308.tmp	eac98ebb342782d2e8ef453b3d4006f5.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\f3b6ecef712a24	eac98ebb342782d2e8ef453b3d4006f5.exe
File created	C:\Program Files\Google\Chrome\Application\133.0.6943.60\ee2ad38f3d4382	eac98ebb342782d2e8ef453b3d4006f5.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\spoolsv.exe	eac98ebb342782d2e8ef453b3d4006f5.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\RCX424D.tmp	eac98ebb342782d2e8ef453b3d4006f5.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCX42F4.tmp	eac98ebb342782d2e8ef453b3d4006f5.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\en-US\SppExtComObj.exe	eac98ebb342782d2e8ef453b3d4006f5.exe
File created	C:\Windows\en-US\e1ef82546f0b02	eac98ebb342782d2e8ef453b3d4006f5.exe
File opened for modification	C:\Windows\en-US\RCX42F1.tmp	eac98ebb342782d2e8ef453b3d4006f5.exe
File opened for modification	C:\Windows\en-US\RCX42F2.tmp	eac98ebb342782d2e8ef453b3d4006f5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	eac98ebb342782d2e8ef453b3d4006f5.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	spoolsv.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3188	schtasks.exe
5324	schtasks.exe
1840	schtasks.exe
5016	schtasks.exe
4800	schtasks.exe
3120	schtasks.exe
116	schtasks.exe
220	schtasks.exe
5280	schtasks.exe
3696	schtasks.exe
1052	schtasks.exe
2040	schtasks.exe
3312	schtasks.exe
2332	schtasks.exe
8	schtasks.exe
5776	schtasks.exe
3404	schtasks.exe
1284	schtasks.exe
2764	schtasks.exe
540	schtasks.exe
5680	schtasks.exe
820	schtasks.exe
1176	schtasks.exe
5664	schtasks.exe
6116	schtasks.exe
4600	schtasks.exe
3884	schtasks.exe
4792	schtasks.exe
5724	schtasks.exe
4984	schtasks.exe
6072	schtasks.exe
4660	schtasks.exe
4892	schtasks.exe
5852	schtasks.exe
2384	schtasks.exe
5208	schtasks.exe
912	schtasks.exe
4592	schtasks.exe
4672	schtasks.exe
4568	schtasks.exe
4532	schtasks.exe
5352	schtasks.exe
5380	schtasks.exe
4864	schtasks.exe
4180	schtasks.exe
4772	schtasks.exe
4820	schtasks.exe
4748	schtasks.exe
5832	schtasks.exe
3428	schtasks.exe
5436	schtasks.exe
4692	schtasks.exe
1236	schtasks.exe
1116	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
5372	eac98ebb342782d2e8ef453b3d4006f5.exe
5372	eac98ebb342782d2e8ef453b3d4006f5.exe
5372	eac98ebb342782d2e8ef453b3d4006f5.exe
5372	eac98ebb342782d2e8ef453b3d4006f5.exe
5372	eac98ebb342782d2e8ef453b3d4006f5.exe
5524	spoolsv.exe
4772	spoolsv.exe
2312	spoolsv.exe
6120	spoolsv.exe
6120	spoolsv.exe
4172	spoolsv.exe
4172	spoolsv.exe
5684	spoolsv.exe
5684	spoolsv.exe
4280	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	5372	eac98ebb342782d2e8ef453b3d4006f5.exe
Token: SeDebugPrivilege	5524	spoolsv.exe
Token: SeDebugPrivilege	4772	spoolsv.exe
Token: SeDebugPrivilege	2312	spoolsv.exe
Token: SeDebugPrivilege	6120	spoolsv.exe
Token: SeDebugPrivilege	4172	spoolsv.exe
Token: SeDebugPrivilege	5684	spoolsv.exe
Token: SeDebugPrivilege	4280	spoolsv.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 5372 wrote to memory of 4936	5372	eac98ebb342782d2e8ef453b3d4006f5.exe	142
PID 5372 wrote to memory of 4936	5372	eac98ebb342782d2e8ef453b3d4006f5.exe	142
PID 4936 wrote to memory of 5684	4936	cmd.exe	144
PID 4936 wrote to memory of 5684	4936	cmd.exe	144
PID 4936 wrote to memory of 5524	4936	cmd.exe	148
PID 4936 wrote to memory of 5524	4936	cmd.exe	148
PID 5524 wrote to memory of 1612	5524	spoolsv.exe	150
PID 5524 wrote to memory of 1612	5524	spoolsv.exe	150
PID 5524 wrote to memory of 1424	5524	spoolsv.exe	151
PID 5524 wrote to memory of 1424	5524	spoolsv.exe	151
PID 1612 wrote to memory of 4772	1612	WScript.exe	154
PID 1612 wrote to memory of 4772	1612	WScript.exe	154
PID 4772 wrote to memory of 3624	4772	spoolsv.exe	155
PID 4772 wrote to memory of 3624	4772	spoolsv.exe	155
PID 4772 wrote to memory of 5628	4772	spoolsv.exe	156
PID 4772 wrote to memory of 5628	4772	spoolsv.exe	156
PID 3624 wrote to memory of 2312	3624	WScript.exe	157
PID 3624 wrote to memory of 2312	3624	WScript.exe	157
PID 2312 wrote to memory of 4692	2312	spoolsv.exe	158
PID 2312 wrote to memory of 4692	2312	spoolsv.exe	158
PID 2312 wrote to memory of 5484	2312	spoolsv.exe	159
PID 2312 wrote to memory of 5484	2312	spoolsv.exe	159
PID 4692 wrote to memory of 6120	4692	WScript.exe	165
PID 4692 wrote to memory of 6120	4692	WScript.exe	165
PID 6120 wrote to memory of 5836	6120	spoolsv.exe	169
PID 6120 wrote to memory of 5836	6120	spoolsv.exe	169
PID 6120 wrote to memory of 4416	6120	spoolsv.exe	170
PID 6120 wrote to memory of 4416	6120	spoolsv.exe	170
PID 5836 wrote to memory of 4172	5836	WScript.exe	172
PID 5836 wrote to memory of 4172	5836	WScript.exe	172
PID 4172 wrote to memory of 5748	4172	spoolsv.exe	173
PID 4172 wrote to memory of 5748	4172	spoolsv.exe	173
PID 4172 wrote to memory of 5808	4172	spoolsv.exe	174
PID 4172 wrote to memory of 5808	4172	spoolsv.exe	174
PID 5748 wrote to memory of 5684	5748	WScript.exe	175
PID 5748 wrote to memory of 5684	5748	WScript.exe	175
PID 5684 wrote to memory of 4688	5684	spoolsv.exe	176
PID 5684 wrote to memory of 4688	5684	spoolsv.exe	176
PID 5684 wrote to memory of 4436	5684	spoolsv.exe	177
PID 5684 wrote to memory of 4436	5684	spoolsv.exe	177
PID 4688 wrote to memory of 4280	4688	WScript.exe	178
PID 4688 wrote to memory of 4280	4688	WScript.exe	178
PID 4280 wrote to memory of 4312	4280	spoolsv.exe	179
PID 4280 wrote to memory of 4312	4280	spoolsv.exe	179
PID 4280 wrote to memory of 4872	4280	spoolsv.exe	180
PID 4280 wrote to memory of 4872	4280	spoolsv.exe	180

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\eac98ebb342782d2e8ef453b3d4006f5.exe
"C:\Users\Admin\AppData\Local\Temp\eac98ebb342782d2e8ef453b3d4006f5.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5372
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Mk0QQv4eRL.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5684
- - C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe
    "C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5524
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\431d9e3c-2a90-47a6-bc9b-34b480b751e2.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1612
    - - C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe
        
        C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4772
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3af7b6c-026f-4227-8d36-8a3dd7bd53f2.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe
        
        C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\babff6ff-a04a-4e8d-958c-1a7695a036a3.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe
        
        C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:6120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ff6e454-314c-4319-9d27-5d96ec34cf34.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5836
        
        C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe
        
        C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\071796cf-cb6c-4e12-9fde-8c799dc1da91.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:5748
        
        C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe
        
        C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\843b1def-09b0-4681-b61b-4ef6ec5aed7f.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe
        
        C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0b2dec2-fbce-49e8-85e5-5d321b2464bc.vbs"
        16⤵
        
        PID:4312
        
        C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe
        
        C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe
        17⤵
        
        PID:3084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2fc67b77-f25d-4bdc-bc7a-4dffa5aadafe.vbs"
        18⤵
        
        PID:5028
        
        C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe
        
        C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe
        19⤵
        
        PID:2664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30b6eb8d-f3f6-4958-824c-ad6793011fdf.vbs"
        20⤵
        
        PID:3852
        
        C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe
        
        C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe
        21⤵
        
        PID:1696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9dc68cd4-2389-4d92-8856-d307bad303b1.vbs"
        22⤵
        
        PID:5088
        
        C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe
        
        C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe
        23⤵
        
        PID:5440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c77ba1d-c49c-4b3b-b95a-e5dbdc125c6d.vbs"
        24⤵
        
        PID:5212
        
        C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe
        
        C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe
        25⤵
        
        PID:5924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15f67e24-a805-43db-9010-ea923f2d97a1.vbs"
        26⤵
        
        PID:1456
        
        C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe
        
        C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe
        27⤵
        
        PID:5804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d8d7eb4-743a-4854-a9a2-12218b2fd0d1.vbs"
        28⤵
        
        PID:516
        
        C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe
        
        C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe
        29⤵
        
        PID:4332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee3661a2-b516-49db-9aba-3d9da4961358.vbs"
        30⤵
        
        PID:6132
        
        C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe
        
        C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe
        31⤵
        
        PID:6112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cedfe330-0320-492f-bcc9-bffcd3c3e011.vbs"
        32⤵
        
        PID:4900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75ba811f-3581-44ad-9f00-b0d1ea2814bf.vbs"
        32⤵
        
        PID:6028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13f19b8e-f2d5-469a-a939-609780c04ef6.vbs"
        30⤵
        
        PID:1988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\deb8b291-0911-4778-8403-316c7ab459c5.vbs"
        28⤵
        
        PID:4328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0cd3f2c1-fbb7-4be6-847d-f4347756de17.vbs"
        26⤵
        
        PID:2624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03b9f986-56b9-4e96-bdab-93a99e602481.vbs"
        24⤵
        
        PID:1576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b525e733-724e-4da3-9bdf-51cb1bbdb02d.vbs"
        22⤵
        
        PID:2984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b0bcce0-b878-485d-bd81-747820c158b1.vbs"
        20⤵
        
        PID:6048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a926dc49-3a34-4fb1-adad-18615201fd9e.vbs"
        18⤵
        
        PID:2064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7063bbab-6462-4cff-affb-79baa06b99fe.vbs"
        16⤵
        
        PID:4872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4edcab8e-5819-48dc-b806-7f98c70aa0b5.vbs"
        14⤵
        
        PID:4436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6856f232-5c6a-4c21-9a2b-a5dc0653721e.vbs"
        12⤵
        
        PID:5808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a63cd70-ba0f-47be-99c6-1b3c40a0335c.vbs"
        10⤵
        
        PID:4416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4836e4a-fc40-494b-b229-594b491aaffa.vbs"
        8⤵
        
        PID:5484
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8eb8f56-4464-439e-acc4-3484b8c4c179.vbs"
        6⤵
        
        PID:5628
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f25ed64-6765-4362-834e-6ec97e3306f2.vbs"
      4⤵
      PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\87efddaf44110a3d80760c508da79ad7\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\87efddaf44110a3d80760c508da79ad7\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\87efddaf44110a3d80760c508da79ad7\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Users\Public\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Public\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Users\Public\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\87efddaf44110a3d80760c508da79ad7\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\87efddaf44110a3d80760c508da79ad7\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\87efddaf44110a3d80760c508da79ad7\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\edge_BITS_4484_1552870239\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4484_1552870239\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\edge_BITS_4484_1552870239\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\133.0.6943.60\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\133.0.6943.60\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\133.0.6943.60\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\87efddaf44110a3d80760c508da79ad7\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\87efddaf44110a3d80760c508da79ad7\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\87efddaf44110a3d80760c508da79ad7\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Windows\en-US\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\en-US\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Windows\en-US\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\87efddaf44110a3d80760c508da79ad7\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\87efddaf44110a3d80760c508da79ad7\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\87efddaf44110a3d80760c508da79ad7\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\host\fxr\8.0.2\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\fxr\8.0.2\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\host\fxr\8.0.2\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\87efddaf44110a3d80760c508da79ad7\spoolsv.exe

Filesize
411KB

MD5
82e0ee5214f1be099ffa6216e850debd

SHA1
5952051c756a3f19fa216789024faf2b13e41143

SHA256
5c754c89542e1593f6fb33b400f75b9931cd8ee0209c18752efcaa28f22d98e6

SHA512
687ff82b1fd1aa07f0a05da3dfd0c31e0439214e28139c3c23e5d2420f05b61fbe4781aa27d409f8ed8cfc1b667ff16181a8c247836c3cddfd900d5800e97257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\071796cf-cb6c-4e12-9fde-8c799dc1da91.vbs

Filesize
723B

MD5
ded73355ec538aa2b3352913ff93f117

SHA1
8c0e0dc2989cbdb6afc8a41015d19435d3f885e1

SHA256
4103a48194b03be1abc0566137941c5daa0e67835eda01d1e601f5c6e9adc72a

SHA512
b6e8bf6b7d6fb3103825532c94a97fa1a1ad226c5c69505d53bd2858f940ec64f5efb953c70373e034c7429b601ebe038d2bc660fc8be30bff3929db12fcf935

Download Submit
C:\Users\Admin\AppData\Local\Temp\15f67e24-a805-43db-9010-ea923f2d97a1.vbs

Filesize
723B

MD5
22f8729dcfb49194fe841696174dceac

SHA1
59514270eae7028c9d14c89109eca6120a84978b

SHA256
624b077182ffe3894f4d31be62c4584c997efc851ddb34f9c378334c93188aa3

SHA512
2de381505d688d6298184e0522a9b902891704ea36fbe88ed80ddf8254546e4867dc8daaca7b4bd2f88d4bcec7dc21e78a9dc7a200adbaf6bfe519e448e291d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1d8d7eb4-743a-4854-a9a2-12218b2fd0d1.vbs

Filesize
723B

MD5
54e229bdb3f9b63008b6a8dc1a2f1031

SHA1
aa762296b2be44bdaae3c014ab3b713b4ecc5dc5

SHA256
caaee7ead941c8c17401415ea8edab6e7926b8317fbc31d5ce454e40c2dc44c7

SHA512
dbb80dbf7bdb4a1ff14b066a47701a4fa21465271c61742f3aff27cdb4e5a5af7da394006e7b1e94b4d861d1076c09e1f32fcc38ca10d2f8b140f248a8105276

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f25ed64-6765-4362-834e-6ec97e3306f2.vbs

Filesize
499B

MD5
183fe6c98b43bff8bcaefdfc6a93306c

SHA1
e6e8d7a4ed2f8fe3c24a792d962cbfdf9af2f739

SHA256
95910b577932efb87fe9d67d359b0501f878e195dafff09bc87edf4d888e0d56

SHA512
bcc50ad38c2475edc0b7f41b4960135a4646f6606e991d49ead137de25a5efb2703c5b761edac80fe610b1db5888da157dce870c2ece75b41cdeeed973f00cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fc67b77-f25d-4bdc-bc7a-4dffa5aadafe.vbs

Filesize
723B

MD5
2ea21b31722b85c601fff92f2dc1b3da

SHA1
c7cc1fd9d82cacce0437bfc0b006d788c7b7343d

SHA256
c9239a7f43fa7b6164a7288fe5bc926bc5944dc9824bd5927a755a08838ce2f5

SHA512
f9ff13ed2da8d4148281f49d931e1ad0182e2ed5aa0da9c31190bdd7effc058a313e73e42161d7767c87fee73aba4946412aa43bd72179e99b025d69a94bd71b

Download Submit
C:\Users\Admin\AppData\Local\Temp\30b6eb8d-f3f6-4958-824c-ad6793011fdf.vbs

Filesize
723B

MD5
2af9d9797b506a411f26649c2f3f926f

SHA1
0321296729591d7bf81a3b7cfbcfc16e7a5409dc

SHA256
797d2e14b1c35c39efe44fd770ddd9a9130b6d054b0d0a1e2f98e6ba2ab05cbb

SHA512
cec5b05663a446f46ee991907d90de005dd0eb8f21dae39f2d856d0e1a4bd30cdc22bcf79c599241caa18863fdadd6d7e782289bf2c1ac1d4280bbb09b24960e

Download Submit
C:\Users\Admin\AppData\Local\Temp\431d9e3c-2a90-47a6-bc9b-34b480b751e2.vbs

Filesize
723B

MD5
774996b2d098c380bd67af73546b84e0

SHA1
fe6b491d184642ece403a7e90ed777aaa69e7509

SHA256
1a8467e458637651dddce1312cf888603e57551db2317f865a236f77d65e4580

SHA512
7bd222219ed8896628f1d7d0ed72fdfd6fd152e03f373dc57faf9816938a04c619d85d2fa660f17059e0432ef61110205d9d7c65f275ab2186bc53eead381576

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ff6e454-314c-4319-9d27-5d96ec34cf34.vbs

Filesize
723B

MD5
e80273059afc866ed12beaaeecd69967

SHA1
149817ab1cc19f1e3fbc7b9b0f204eb4b99f450c

SHA256
4a67ff39f46cb4817c473f9f61bddeaf06af918152ab1da4a27490d4b51cb723

SHA512
38f5c8c58b0edd2ce6cfe7e529e5e502634936490a562d7f86b990428b7d393b3c96d9c3583372a1bb101df379c618d15eea0d2f772cf1eb30ccfab29bb2d630

Download Submit
C:\Users\Admin\AppData\Local\Temp\6c77ba1d-c49c-4b3b-b95a-e5dbdc125c6d.vbs

Filesize
723B

MD5
b9736673e886ed7bad041d503e75cf4a

SHA1
01518561383c47d31c2cb0f4dfa3e853d393d3c4

SHA256
4824f5ceb729d694b08ef6fe90bdc10d7e23a44e541917c78ef5c8eaea7cdd15

SHA512
9d85c95c4cb8fed6c58ef3add311b1bb3f1094077c8842c8a4cd19e92331dc3ec5ba3728acba3fb1150549db28d6ea8003bb5ed5900de95ae08c90c1570e6615

Download Submit
C:\Users\Admin\AppData\Local\Temp\843b1def-09b0-4681-b61b-4ef6ec5aed7f.vbs

Filesize
723B

MD5
c9405dc63a143d9942563ee62955b0db

SHA1
816aff9aaa8944d1dea149acac82fe8aea8717e3

SHA256
fbc896c141f217f21a04ab4ac037fb4aaaacdf93e4085ca58db5602e539a4168

SHA512
e9a1d37b8efddf387be1a830667122ab3751b48beb0c206fbd00c3ed231dd7267c5083bb629cbc4d20eec6bfdda098fd6df3c938453cef4a8ece1eaa13fc3318

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dc68cd4-2389-4d92-8856-d307bad303b1.vbs

Filesize
723B

MD5
7a12fc4cd607650f9ed778d24f8083dd

SHA1
744f52cbcad9557d85ec32ff7d81a78cda40414b

SHA256
19a9285029ea3fc39a97246f7f566cf3773f20227f0633319192214f0c146d63

SHA512
6915db69684eba7c388858f78c29318ab5db62a31485ed275073b4d4960b53a14b262776a0fc66aa3cbe2866620ab229573e1f4f3c99fb2c6c680c5d7414e4ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mk0QQv4eRL.bat

Filesize
212B

MD5
64f2e8847c59c8c5a2068e1a82036ede

SHA1
5bde982febefafda941df1e7a0cdf4b474def600

SHA256
98d6bbeeba09aeb20eb1475f281a249a6651bd1fc3f572e7d37bd3b3583b0d6e

SHA512
2fde77baef9469d95f792550af9b887969901935d92ee92ff58be776a3919ae0fe424d1cdbcbbc7add90b4966a51f12155d92d7b8089ad8344f728986c8b8352

Download Submit
C:\Users\Admin\AppData\Local\Temp\b0b2dec2-fbce-49e8-85e5-5d321b2464bc.vbs

Filesize
723B

MD5
ce36d3e460cbaedfb423bded39f5c82d

SHA1
91da33972fd35c37704627e7c680ed9aa79467ce

SHA256
ed076a9a2825ce7cb28a13de2f139ebc53f876d5f678e17cd4c05c44eb2aa8ef

SHA512
f046cf15b5c472da6dde5828ad19b405a21624216279af7e6fc678c744eaabd03079e7c469725ada9d600b1e976055710a93501616d05abaece3d7a70f3ba169

Download Submit
C:\Users\Admin\AppData\Local\Temp\babff6ff-a04a-4e8d-958c-1a7695a036a3.vbs

Filesize
723B

MD5
c351cf1b15bb007588519bef1bf0a93a

SHA1
3bc6052099028627ce1ea0aebea5236930cbbbc0

SHA256
3f2c85e7b0955433564030e81b09e1014bd35071bea0213ed89bce537dfe56e5

SHA512
fb499b7829f88793c6dd0c10e65581db9edee20c539e5fa75171d347c57a30a1ac1ac7b54cc52b3ccdd1d7e745c132a82eb79b5d1960f8dcc0dc6ac035af3170

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3af7b6c-026f-4227-8d36-8a3dd7bd53f2.vbs

Filesize
723B

MD5
53d2b26df9fecfbb8970f3e3a3983d14

SHA1
5aecded4dc7d90cc5e19bae6bef4233e2b9d9ea0

SHA256
94480d4d4c6fa7ea0b1a31e0d90b40e654cc5c353ffc5e5e91c2cc8ec693519e

SHA512
ecef545422c328c0c758ff15423b07778c547e1c7d7015679b513ddbb6f586d21e50f6cb4e5fb2055662f2ced81d35a464a780ca23a1e115713ee9a84e63197f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cedfe330-0320-492f-bcc9-bffcd3c3e011.vbs

Filesize
723B

MD5
02103f2e82054fffda1d81729c10a3ef

SHA1
006de0f29773b41110ac857fac75e04905443e1d

SHA256
77c8b35e762df9fc405ee7cb6755b2b25452d8e4a3cdf5f94df304c6a93959fe

SHA512
0f692c9b12362e5a2b57516b1c01c14079c6f2491f86cd4b963b3ec2f3ccff708979832b088ae15062f9162300bbf891f70216fa572905569b0ca56790dfefbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3eeda8a6e0d69f1bb78c08ac28cfad72fee5e3e.exe

Filesize
661KB

MD5
0ffe50323bf89abb30a942cc1f7ae1fa

SHA1
db92d3b165b75d211bb130a9a42d27a2dacae4a3

SHA256
dc45715698499d74d0473272b59ed0f16e8b90e9f8b5aee603ab883ef6bb927e

SHA512
f00fe92ed6837320040fd4b62b85a2640ce97ef7a7f14dc05132567f5e9684e40affa7c4cf67e603c65eafe308ce3899a94d7cb78928b10c74656e8e0a50d0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee3661a2-b516-49db-9aba-3d9da4961358.vbs

Filesize
723B

MD5
1419efbc782bd7f90f082bd6b9d12035

SHA1
56ff5496fb8fbb4b3a8793f1ca35d5e24f627289

SHA256
d925627dc482c518db3c801571ca0e2b38e31ea81137c1e2675a1b6dfeffe29f

SHA512
dac5cd28a0959cedcdfc7618bb222c27344e62b585a71b92611a36eeb469990562a6038edf92a7c9814c78514d4804bd839a7d5fd0752b82318fe90f6e6c40b5

Download Submit
C:\ebea8a0c5b7ebb8dc5b60da7\backgroundTaskHost.exe

Filesize
885KB

MD5
eac98ebb342782d2e8ef453b3d4006f5

SHA1
b8bfb2496a72d101e9c8f0a86c6a838615b99b72

SHA256
554055083c7aee5ed747c7fad8cd8232365485281f84a05ffb757732b0f323f4

SHA512
f4778728326651083824f1e0023b04959077a722ef333d981e614c8cd45824c357a341d757e0a6427ebd6ac00f7c2b8204f6706f4a047e775ff70269d1112dc2

Download Submit
memory/5372-9-0x000000001AF10000-0x000000001AF18000-memory.dmp

Filesize
32KB

Download
memory/5372-4-0x000000001B480000-0x000000001B4D0000-memory.dmp

Filesize
320KB

Download
memory/5372-5-0x00000000025E0000-0x00000000025F0000-memory.dmp

Filesize
64KB

Download
memory/5372-1-0x00000000001C0000-0x00000000002A4000-memory.dmp

Filesize
912KB

Download
memory/5372-7-0x0000000002610000-0x000000000261A000-memory.dmp

Filesize
40KB

Download
memory/5372-8-0x000000001AF00000-0x000000001AF0E000-memory.dmp

Filesize
56KB

Download
memory/5372-3-0x0000000002410000-0x000000000242C000-memory.dmp

Filesize
112KB

Download
memory/5372-2-0x00007FFB73EE0000-0x00007FFB749A1000-memory.dmp

Filesize
10.8MB

Download
memory/5372-10-0x000000001B430000-0x000000001B43C000-memory.dmp

Filesize
48KB

Download
memory/5372-0-0x00007FFB73EE3000-0x00007FFB73EE5000-memory.dmp

Filesize
8KB

Download
memory/5372-6-0x00000000025F0000-0x0000000002606000-memory.dmp

Filesize
88KB

Download
memory/5372-257-0x00007FFB73EE0000-0x00007FFB749A1000-memory.dmp

Filesize
10.8MB

Download