dcrat | 7e71c79883eb025596762b4e0bf86b447039079dfe510ccf13a383b612575fa6

Analysis

max time kernel
66s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3dfc71cfc45034d671ac0f319bc080bd.exe
Size

885KB
MD5

3dfc71cfc45034d671ac0f319bc080bd
SHA1

7d8a8faccf06d8ec762bdf56e8842dd069ec3801
SHA256

13af700b0453342984055a1e70619698a9163812e7524e4c6c264e29f25fd9a1
SHA512

8c824df6e8976dbf362cc075a1f114d9b86ad16cc0bedd880ef0a6afb7e745b901d957b96b8cf40020cbfb1c52f82874eacd319a9dc905b64d793c953503a00e
SSDEEP

12288:8lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:8lNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 43 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6048	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5592	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3472	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5192	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5348	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5260	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5204	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6076	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5244	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6104	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3864	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5884	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5368	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5920	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3348	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5292	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5888	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5124	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	716	1080	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	1080	schtasks.exe	87

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral24/memory/5176-1-0x0000000000860000-0x0000000000944000-memory.dmp	dcrat
behavioral24/files/0x0007000000024271-19.dat	dcrat
behavioral24/files/0x000f00000001f193-87.dat	dcrat
behavioral24/files/0x000800000002426d-96.dat	dcrat
behavioral24/files/0x0009000000024271-106.dat	dcrat
behavioral24/files/0x001200000001f193-127.dat	dcrat
behavioral24/files/0x0010000000024275-192.dat	dcrat
behavioral24/files/0x0007000000024282-369.dat	dcrat
behavioral24/files/0x00080000000242a2-373.dat	dcrat
behavioral24/files/0x0007000000024282-380.dat	dcrat

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	3dfc71cfc45034d671ac0f319bc080bd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe

Executes dropped EXE 8 IoCs

pid	Process
4992	spoolsv.exe
5804	spoolsv.exe
3576	spoolsv.exe
4124	spoolsv.exe
448	spoolsv.exe
4840	spoolsv.exe
5204	spoolsv.exe
4108	spoolsv.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files\edge_BITS_4664_1902151213\RuntimeBroker.exe	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX84B2.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files\edge_BITS_4664_1902151213\RCX8579.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files\edge_BITS_4664_1902151213\9e8d7a4ca61bd9	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX8434.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files\edge_BITS_4596_1110536658\RCX84D8.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files\edge_BITS_4596_1110536658\RCX84E9.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files\edge_BITS_4664_1902151213\RCX850B.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\9e8d7a4ca61bd9	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files\edge_BITS_4596_1110536658\dllhost.exe	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files\edge_BITS_4596_1110536658\5940a34987c991	3dfc71cfc45034d671ac0f319bc080bd.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\es-ES\RuntimeBroker.exe	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Windows\es-ES\9e8d7a4ca61bd9	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Windows\security\templates\sppsvc.exe	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Windows\security\templates\0a1fd5f707cd16	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Windows\bcastdvr\sihost.exe	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Windows\bcastdvr\66fc9ff0ee96c2	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Windows\es-ES\RCX8432.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Windows\security\templates\RCX84B3.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Windows\es-ES\RCX8433.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Windows\security\templates\RCX84B4.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Windows\bcastdvr\RCX84D6.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Windows\bcastdvr\RCX84D7.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	3dfc71cfc45034d671ac0f319bc080bd.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4868	schtasks.exe
6104	schtasks.exe
3340	schtasks.exe
5884	schtasks.exe
5368	schtasks.exe
5888	schtasks.exe
5592	schtasks.exe
2392	schtasks.exe
4984	schtasks.exe
4700	schtasks.exe
5192	schtasks.exe
5348	schtasks.exe
4980	schtasks.exe
2676	schtasks.exe
3664	schtasks.exe
3588	schtasks.exe
2492	schtasks.exe
6048	schtasks.exe
4848	schtasks.exe
5244	schtasks.exe
3864	schtasks.exe
4712	schtasks.exe
3348	schtasks.exe
5052	schtasks.exe
1920	schtasks.exe
4684	schtasks.exe
5260	schtasks.exe
5088	schtasks.exe
3576	schtasks.exe
5292	schtasks.exe
2128	schtasks.exe
4644	schtasks.exe
4740	schtasks.exe
6076	schtasks.exe
5920	schtasks.exe
716	schtasks.exe
2328	schtasks.exe
4652	schtasks.exe
4892	schtasks.exe
4808	schtasks.exe
5072	schtasks.exe
5204	schtasks.exe
3472	schtasks.exe
2044	schtasks.exe
5124	schtasks.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
5176	3dfc71cfc45034d671ac0f319bc080bd.exe
5176	3dfc71cfc45034d671ac0f319bc080bd.exe
5176	3dfc71cfc45034d671ac0f319bc080bd.exe
5176	3dfc71cfc45034d671ac0f319bc080bd.exe
5176	3dfc71cfc45034d671ac0f319bc080bd.exe
5176	3dfc71cfc45034d671ac0f319bc080bd.exe
5176	3dfc71cfc45034d671ac0f319bc080bd.exe
5176	3dfc71cfc45034d671ac0f319bc080bd.exe
5176	3dfc71cfc45034d671ac0f319bc080bd.exe
5176	3dfc71cfc45034d671ac0f319bc080bd.exe
5176	3dfc71cfc45034d671ac0f319bc080bd.exe
5176	3dfc71cfc45034d671ac0f319bc080bd.exe
5176	3dfc71cfc45034d671ac0f319bc080bd.exe
5176	3dfc71cfc45034d671ac0f319bc080bd.exe
5176	3dfc71cfc45034d671ac0f319bc080bd.exe
5176	3dfc71cfc45034d671ac0f319bc080bd.exe
5176	3dfc71cfc45034d671ac0f319bc080bd.exe
5176	3dfc71cfc45034d671ac0f319bc080bd.exe
5176	3dfc71cfc45034d671ac0f319bc080bd.exe
5176	3dfc71cfc45034d671ac0f319bc080bd.exe
5176	3dfc71cfc45034d671ac0f319bc080bd.exe
5176	3dfc71cfc45034d671ac0f319bc080bd.exe
5176	3dfc71cfc45034d671ac0f319bc080bd.exe
5176	3dfc71cfc45034d671ac0f319bc080bd.exe
5176	3dfc71cfc45034d671ac0f319bc080bd.exe
5176	3dfc71cfc45034d671ac0f319bc080bd.exe
5176	3dfc71cfc45034d671ac0f319bc080bd.exe
5176	3dfc71cfc45034d671ac0f319bc080bd.exe
5176	3dfc71cfc45034d671ac0f319bc080bd.exe
4992	spoolsv.exe
5804	spoolsv.exe
3576	spoolsv.exe
4124	spoolsv.exe
448	spoolsv.exe
4840	spoolsv.exe
4840	spoolsv.exe
5204	spoolsv.exe
5204	spoolsv.exe
4108	spoolsv.exe
4108	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	5176	3dfc71cfc45034d671ac0f319bc080bd.exe
Token: SeDebugPrivilege	4992	spoolsv.exe
Token: SeDebugPrivilege	5804	spoolsv.exe
Token: SeDebugPrivilege	3576	spoolsv.exe
Token: SeDebugPrivilege	4124	spoolsv.exe
Token: SeDebugPrivilege	448	spoolsv.exe
Token: SeDebugPrivilege	4840	spoolsv.exe
Token: SeDebugPrivilege	5204	spoolsv.exe
Token: SeDebugPrivilege	4108	spoolsv.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 5176 wrote to memory of 428	5176	3dfc71cfc45034d671ac0f319bc080bd.exe	133
PID 5176 wrote to memory of 428	5176	3dfc71cfc45034d671ac0f319bc080bd.exe	133
PID 428 wrote to memory of 5832	428	cmd.exe	135
PID 428 wrote to memory of 5832	428	cmd.exe	135
PID 428 wrote to memory of 4992	428	cmd.exe	139
PID 428 wrote to memory of 4992	428	cmd.exe	139
PID 4992 wrote to memory of 5212	4992	spoolsv.exe	140
PID 4992 wrote to memory of 5212	4992	spoolsv.exe	140
PID 4992 wrote to memory of 2516	4992	spoolsv.exe	141
PID 4992 wrote to memory of 2516	4992	spoolsv.exe	141
PID 5212 wrote to memory of 5804	5212	WScript.exe	147
PID 5212 wrote to memory of 5804	5212	WScript.exe	147
PID 5804 wrote to memory of 4812	5804	spoolsv.exe	149
PID 5804 wrote to memory of 4812	5804	spoolsv.exe	149
PID 5804 wrote to memory of 3880	5804	spoolsv.exe	150
PID 5804 wrote to memory of 3880	5804	spoolsv.exe	150
PID 4812 wrote to memory of 3576	4812	WScript.exe	154
PID 4812 wrote to memory of 3576	4812	WScript.exe	154
PID 3576 wrote to memory of 1240	3576	spoolsv.exe	156
PID 3576 wrote to memory of 1240	3576	spoolsv.exe	156
PID 3576 wrote to memory of 5504	3576	spoolsv.exe	157
PID 3576 wrote to memory of 5504	3576	spoolsv.exe	157
PID 1240 wrote to memory of 4124	1240	WScript.exe	158
PID 1240 wrote to memory of 4124	1240	WScript.exe	158
PID 4124 wrote to memory of 4800	4124	spoolsv.exe	162
PID 4124 wrote to memory of 4800	4124	spoolsv.exe	162
PID 4124 wrote to memory of 3584	4124	spoolsv.exe	163
PID 4124 wrote to memory of 3584	4124	spoolsv.exe	163
PID 4800 wrote to memory of 448	4800	WScript.exe	165
PID 4800 wrote to memory of 448	4800	WScript.exe	165
PID 448 wrote to memory of 3648	448	spoolsv.exe	168
PID 448 wrote to memory of 3648	448	spoolsv.exe	168
PID 448 wrote to memory of 5968	448	spoolsv.exe	169
PID 448 wrote to memory of 5968	448	spoolsv.exe	169
PID 3648 wrote to memory of 4840	3648	WScript.exe	177
PID 3648 wrote to memory of 4840	3648	WScript.exe	177
PID 4840 wrote to memory of 4128	4840	spoolsv.exe	179
PID 4840 wrote to memory of 4128	4840	spoolsv.exe	179
PID 4840 wrote to memory of 4816	4840	spoolsv.exe	180
PID 4840 wrote to memory of 4816	4840	spoolsv.exe	180
PID 4128 wrote to memory of 5204	4128	WScript.exe	181
PID 4128 wrote to memory of 5204	4128	WScript.exe	181
PID 5204 wrote to memory of 5748	5204	spoolsv.exe	183
PID 5204 wrote to memory of 5748	5204	spoolsv.exe	183
PID 5204 wrote to memory of 5008	5204	spoolsv.exe	184
PID 5204 wrote to memory of 5008	5204	spoolsv.exe	184
PID 5748 wrote to memory of 4108	5748	WScript.exe	185
PID 5748 wrote to memory of 4108	5748	WScript.exe	185
PID 4108 wrote to memory of 4240	4108	spoolsv.exe	187
PID 4108 wrote to memory of 4240	4108	spoolsv.exe	187
PID 4108 wrote to memory of 3096	4108	spoolsv.exe	188
PID 4108 wrote to memory of 3096	4108	spoolsv.exe	188

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3dfc71cfc45034d671ac0f319bc080bd.exe
"C:\Users\Admin\AppData\Local\Temp\3dfc71cfc45034d671ac0f319bc080bd.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5176
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YArNZ2cMSU.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:428
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5832
- - C:\Recovery\WindowsRE\spoolsv.exe
    "C:\Recovery\WindowsRE\spoolsv.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4992
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d396b86-f555-4d24-8b9f-8820f133c226.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5212
    - - C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5804
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\355dacbb-df41-471e-ae46-7cfd9f4ea2fb.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57ee88ea-e138-403c-8d30-a2c8867594eb.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5252c996-ae43-4844-9fc0-6dd271662def.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54b55712-9617-4eff-a7fc-795b527f0521.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e26846f-a709-4cc3-a8c8-c4ea87cdfc26.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4128
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\620f9407-d2bb-4ab1-9e22-c39ea5d04e74.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:5748
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f28f8d6c-aa6f-4bad-af60-66e4b5eee6dd.vbs"
        18⤵
        
        PID:4240
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        19⤵
        
        PID:216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b04a0a73-c982-41d3-b640-da76ec769240.vbs"
        20⤵
        
        PID:2168
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        21⤵
        
        PID:2888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a0e029f-ff67-4274-8fe1-993e79f26431.vbs"
        22⤵
        
        PID:4436
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        23⤵
        
        PID:5692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c4ace1d-c89a-4ce8-802a-f59dd1ea7396.vbs"
        24⤵
        
        PID:4756
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        25⤵
        
        PID:4052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35ec89f3-cf38-4ce9-a4e7-0a072623a39b.vbs"
        26⤵
        
        PID:5552
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        27⤵
        
        PID:5088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\815848ba-6c6e-4d93-9e98-18576f743370.vbs"
        28⤵
        
        PID:1676
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        29⤵
        
        PID:1724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\743f5798-836e-4d0b-9a83-267fc94ba949.vbs"
        30⤵
        
        PID:5064
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        31⤵
        
        PID:4348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bdd527a8-b649-402f-96bb-50c7ebff24a9.vbs"
        32⤵
        
        PID:2564
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        33⤵
        
        PID:1012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bec9cb8-0fc1-4e45-80f6-83d0346fe60f.vbs"
        34⤵
        
        PID:4240
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f04b379-3983-4b7c-ba08-d9648efd7bfd.vbs"
        34⤵
        
        PID:216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43d803ee-22bf-4def-9999-4c047b29f39e.vbs"
        32⤵
        
        PID:5284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b14c693c-18a1-4f12-9a07-899d309905f0.vbs"
        30⤵
        
        PID:1664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\143649d3-91f9-4b5f-8f1e-7894014b25fb.vbs"
        28⤵
        
        PID:3588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84eda337-e426-45c2-8e88-2f250fda0965.vbs"
        26⤵
        
        PID:5252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20fdacaf-cff9-43a5-a988-346b73cf55ba.vbs"
        24⤵
        
        PID:904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e8da3a1-61e4-49bc-b728-2356082ad8c2.vbs"
        22⤵
        
        PID:5716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f95121b8-f7de-40b0-b9fb-92d642f62498.vbs"
        20⤵
        
        PID:5420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f75fc2bc-d3cf-4ad1-8fbb-e735a63cf82c.vbs"
        18⤵
        
        PID:3096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10f4ba5a-42bb-4f34-bd04-0d2336fef49a.vbs"
        16⤵
        
        PID:5008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9d7dfc1-a00b-4bc8-a885-5e391b8ec109.vbs"
        14⤵
        
        PID:4816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a872124f-ba25-436f-9d56-f10c954c2381.vbs"
        12⤵
        
        PID:5968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc605506-2d47-4a81-a57c-f0e7f194ce2b.vbs"
        10⤵
        
        PID:3584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\380e1a50-fc83-4c29-a492-419d5b8e0650.vbs"
        8⤵
        
        PID:5504
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\609c5a63-55e9-4213-956f-089d8a04a0d3.vbs"
        6⤵
        
        PID:3880
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6c4f073-7c38-40ae-8817-b4db6223f775.vbs"
      4⤵
      PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\34c553de294c1d56d0a800105b\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\34c553de294c1d56d0a800105b\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\34c553de294c1d56d0a800105b\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Templates\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default\Templates\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Templates\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Admin\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\es-ES\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\security\templates\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\security\templates\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\security\templates\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Windows\bcastdvr\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\bcastdvr\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Windows\bcastdvr\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\edge_BITS_4596_1110536658\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4596_1110536658\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\edge_BITS_4596_1110536658\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\edge_BITS_4664_1902151213\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4664_1902151213\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\edge_BITS_4664_1902151213\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2f3e0199fccb3f72e8a39924edc6a781\lsass.exe

Filesize
885KB

MD5
ce9a554c427e0fdc276cecf82a6ffb8e

SHA1
3fc4ff9aae9c7f8b7ea55bff52e6d47105261c26

SHA256
a37525f6773cc1432dcc63b44db7755b6a3c4979a5c276617b708b81ffd836b4

SHA512
ee8ddb935fcf572ce3b2f29d1eef946e00ece03d8e5c407665953c40d1bcc46a1f427e72cea46af2da2193f2c2fedcdb096bdfcd47d045da18835df8a362a60b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe

Filesize
885KB

MD5
d3670eb5c76c0a2090e5401505676bab

SHA1
a4bebedf6806afca8aac8518db90e82696b4e0e8

SHA256
1be15f428a89bc0b37e4c1d5696d18f8c574fe9dbdaff8029da1f771ec8f87e4

SHA512
6a3e32eef77c8c86d1bdea8ffeec886a2827949572b8472e4d7d425fd2d447673ea300f3aa8fb07b6cea2d8542521f9c95d8ac29fbbbecf831c7790d281a52dd

Download Submit
C:\Program Files\edge_BITS_4664_1902151213\RuntimeBroker.exe

Filesize
885KB

MD5
c6851d35223f9d127a1f3afa89a29391

SHA1
012188d801c76f03b1f4eb6723ff9de3520734a2

SHA256
8f85ec5c44929735d4bc55b75d571c933b762aabd737aff5bc61c04ac0632ff3

SHA512
a5f18c3e329a0d93a786c959306e670f250eafa5c4a54a05d951c2bc76d32cc1f4059952c6e6f13e63abe5b4478dcb2946409f4984b62e77c935f341f3e2f79b

Download Submit
C:\Recovery\WindowsRE\RCX8314.tmp

Filesize
885KB

MD5
f031a619e0f159c11d10ab6b482e3057

SHA1
1ea2c09767b129d4b3c04173b01892aef9e9a44c

SHA256
4f3c3cd1c1480bfb0977cd2990ea9ed5301b1be6fa6ce9c241228cb2ede7a510

SHA512
7606904a588d589cff4b3182e5cbe83025135d6984726e720d053413db40a1f9ee905c2b9314357ade8283d393a9f11769a8ab24d07f033168d4a354cc0afc37

Download Submit
C:\Recovery\WindowsRE\spoolsv.exe

Filesize
411KB

MD5
89bacb7be065743aeacd5208464a6e36

SHA1
6e92f20c7ae1288dd1c1da99d63cae3fffdb5da8

SHA256
a7f796fc6f65b87cd7893f6211e4b773937026123afd821117d0f778758088db

SHA512
6c496075fbcba7f34549127258e9abffe53da3e597f34752ed9bf1eca6bfbb0399fcddc82d6783992b995757e5cb845a12e9092c70668764543ef6dffdd09a4f

Download Submit
C:\Recovery\WindowsRE\spoolsv.exe

Filesize
411KB

MD5
7e84a8c5be871954f6da39303d26dded

SHA1
de7b70c61a12850d1ae9ddf67437c6b5e9ba9ac4

SHA256
303fb21faf258befdefeba65484ac3cd9d814b96935b45a7aa4345e09b14c298

SHA512
a0183bea2c58b3e666d99d38ad217a979ecba24a59c0625db2f8c36a50b5940b9d3bdc61b5bb9e3de4f4c18b15d957d38f0daccea52399add18c1b265f6c96d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a0e029f-ff67-4274-8fe1-993e79f26431.vbs

Filesize
709B

MD5
7dc1b00f3e0204bf7162c7ee82db300b

SHA1
7616d11fa2b9d45f4669a63186b3d2ff4d0fa45c

SHA256
982998e54bdf9cceb53ed668f3b53ea025df723feacb5574fd17c81552ea5f3e

SHA512
1154503b8494ef9de6db225810f6f15fb6aa5132ad201081c7234f099d83b8c084543c266c3ce02c32274ba078ce2107410b9cd672925a20250facfc9c4f368a

Download Submit
C:\Users\Admin\AppData\Local\Temp\355dacbb-df41-471e-ae46-7cfd9f4ea2fb.vbs

Filesize
709B

MD5
64a643904f87f11e7d246377f3572904

SHA1
ea7904ff58c98704d439e9b858c440bb059a56b7

SHA256
c4df3c37c31cb7065d64adc22596a5fdcc34f6e24910852121f41481d022d6f2

SHA512
a864198217f17717b3db5a8e2ef33915d659d8af59bfda93ffdfb66049547d28d6614bcff43cc8aa2787919d3c2a6ca708e01d12feeb156ba84f485f332e9e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\35ec89f3-cf38-4ce9-a4e7-0a072623a39b.vbs

Filesize
709B

MD5
aa0222ee0a3f4bc2318e686204f0c314

SHA1
b1d7d13c8a344cbf464e601c3f1a58ddeeb511ea

SHA256
667eaf22b01bda78e0a5453075b514eba029fa4cbb3e31fa6105c23025c2999d

SHA512
345d05ee58c5b4882ae98a9a14932af3ff10c352fb3c06e3d27e9d5be8ee119df0cefd751984ca6b9d74525967e6057bd8f9d9a2a21f607e3478ac2c6e6fc3d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5252c996-ae43-4844-9fc0-6dd271662def.vbs

Filesize
709B

MD5
704fc4c143795e20a31eb1e7df1338cb

SHA1
5e5954f5ba265c4a86d41aad00c76bba0c2a3212

SHA256
3e09a5b0153a8be0c93ac5d9c6a342a442941f93cbdc55046ccf7ddc79f493fa

SHA512
f665df3aa289f7eed4728e541b24e8d370d6f396ea4c53314cb7e8bcefaa52cf3b3d510d3fbc83470299d2f30c4ae64735e88d00ad3abb58121434152c7839c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\54b55712-9617-4eff-a7fc-795b527f0521.vbs

Filesize
708B

MD5
9f6eb9c23e4b4b61c5f8a1240b2964e6

SHA1
3f3fdde08883911d3ba616a063d6627fa9076b61

SHA256
478335f77897dbfd5998811e0e2c23466e083c77d4e2bb159be9af13968c34df

SHA512
310c03769ffff087da2f1c75b528503c599446f0bbf078d153b7e774d9fe59bef7b2b2ff2023dc8e07afec6fdb4defafbbc643a627e29c5b44a3cf44c8f838d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\57ee88ea-e138-403c-8d30-a2c8867594eb.vbs

Filesize
709B

MD5
9359fcd4698b454eb61db17af6cc4f6c

SHA1
9730408475863a1496d2b33554bdbd12ac51bb49

SHA256
e2bd188fdcb96ac30353e1a11e984445c16b2598624178bbf784f56ec5ff902a

SHA512
61f6df51080daf193b652f5c7792d59e6712c090641dddf62efc415516f986541adc059deb793ac01d4e672803c952d30ff85669faa10e5b2924239fe811cdc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\620f9407-d2bb-4ab1-9e22-c39ea5d04e74.vbs

Filesize
709B

MD5
d65729ecfd86c5b4b5db379f91472a1b

SHA1
8eaa1dc447995ea230dd3563eca6d342ab099c19

SHA256
1559be7c23a4dce8217acdea6886841a144523318043e947a05b8ae2469ee95c

SHA512
f06cf0e89c9c427c70208b495534470f2079531467c15c4149d3d5a0a3b3715a9d1acd1d2bffae704510695c4c658f3c5923b5fbe7212ae9c0ae01e6e5f598e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e26846f-a709-4cc3-a8c8-c4ea87cdfc26.vbs

Filesize
709B

MD5
07ea037a7e700771846c674734529d08

SHA1
5988f7d55c7a6249437657097ba36b74967fb889

SHA256
475f00ef3c0a7d1872cc31b7b8f3c95dab25fdd75a5ab13d89503655211b9d27

SHA512
253d6797e6bf8e8be02cf82d5c2298e5db161f44e618d9db1975479db6a6203dee1eefb5ebf9f3f4df08f73a109de9b29e6de2a830a90b35ef25742aac8a51a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\743f5798-836e-4d0b-9a83-267fc94ba949.vbs

Filesize
709B

MD5
4b3ec7638f44f930b9537c836fd8be99

SHA1
10570bd2aab353d5fe609fd32a6b4bf9440ac3ba

SHA256
7693bd71d363f2aaa8751339dd7d5c236c54c61dd332e38a964293d7f232b55e

SHA512
f21816483afef6d33793ab00da58a0c6f80a2ae3731d29cf811dec0221172c66ea60616a57bf96a2663b6d6603b461ef4c279e186b46a000fc28dab5f0deb3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7c4ace1d-c89a-4ce8-802a-f59dd1ea7396.vbs

Filesize
709B

MD5
ed63641a0c8fbf5d996fb9400825a07b

SHA1
23886c4d777b85bc39d7666f7e54896c59ea81d6

SHA256
938e261300958579ec0456251ea4a9eeed8f46cdf95364c3e5b0c68182401e40

SHA512
0a63d96ea91d8b4c2a8082cd34b5a051f285b925970f2cfdf51baefae4ecfe9bfdb8b5da38511cec94496b460c53e90861fcab0e9a361eea8275f5b12299ceb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\815848ba-6c6e-4d93-9e98-18576f743370.vbs

Filesize
709B

MD5
4085eb006d297fadbb4dcffc394d383e

SHA1
57739921667f4bd3d6c70611ea271cef04898aa8

SHA256
77bc5bccbedf4ac1da3ec5a6ff7ab9719442a4fe2f0ee8b7982286f37bd6a6bf

SHA512
3a76f51fee841d8367e7d78f6f9ece5a62bc34aa254758bfea07a9604dda2351fcab09ad79b0388e4451713b91105e6d6826e8824599b9fe13eed4383a8497fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\8bab4def34df863fdb06ae560e5739d2f8c29051.exe

Filesize
661KB

MD5
41b8993560a528fc75b5aaa35986afa8

SHA1
18cdeaf277064f8ab4c72bcdf49855455d51c53b

SHA256
de68578a8000b213806a04155813b4f6247ad62ccd89ba4c9d2620c06c8c9493

SHA512
e3ae90dbb6b97ebacc268721b9a05298d15c4baa3db085fd935b530fcfa804a5661c8ad7dbde1fe3b7117b96315a80a629b2194da2e15b56be5f484eb2da97d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d396b86-f555-4d24-8b9f-8820f133c226.vbs

Filesize
709B

MD5
37b9eee41320c9136ca6d149b2cc476c

SHA1
5908ddd8f36487077f7d5b1a12c9d2acf9f00672

SHA256
90daa277cf2f9b327886b3c31f6dcc63d4132aa52575cc3dd2de39652f16d852

SHA512
6cc24f433b24d24e1dd157f6e8fa8ec70049983cdcbccdb3bb687e3526ad5b79a95135399c76f0a97ec824b9bbbe7e2c75b7fe5a45d46f7a354b52d90c9e9ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\YArNZ2cMSU.bat

Filesize
198B

MD5
cca3b4a91f6be40c54b6055774452c4f

SHA1
e024e788a1fd8eb34fefef56aab75babeb195ad1

SHA256
d9ad08884396fed87e0fd45a8772d955569f994f986c8de491a2ddbebcfde1eb

SHA512
ff690160f4a6100325ffcb73358b730190b713ed8906aed473f0f75f8dbffc5894b15e19d09ed5843c29a8cd480e5244f3fe1ff2aea11a1438d4ba16641d9372

Download Submit
C:\Users\Admin\AppData\Local\Temp\b04a0a73-c982-41d3-b640-da76ec769240.vbs

Filesize
708B

MD5
b7f40d020902144b4aa60c32828e91f3

SHA1
35968af8aa5cc66e65738be75d611675a29b7c18

SHA256
f800c265cd09cc0a71c93f73334cd1f63f3efe411c63ad2ad88a66f305477a77

SHA512
f215a522b5f40c714f87d065f016c8898b8f8b74c4dd6d2cc43c0b6a422cfbe816f61508eeb2d49f48911b03989b3a99444dd99e54c0191cfc8c8cfbe4d33008

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdd527a8-b649-402f-96bb-50c7ebff24a9.vbs

Filesize
709B

MD5
0a16e2c6c2895fbdc026ca3466f3729e

SHA1
77a74d73cba1c30631fc4b896278c7d1d704836f

SHA256
d46228acc1965e1dcb6433de11353b0478e1e0115fbfeee874fb886c9f33d68b

SHA512
03407bd2db1e30e9053c6784604751bb4caa257f7ae79238bfa3e02168efdf683ce232d9148f288946b3dbeed243ef4fcec5c7d821a4a6cc42c87cbbdba40394

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6c4f073-7c38-40ae-8817-b4db6223f775.vbs

Filesize
485B

MD5
b1788135ce2e26e3d6d69cc7f4df52f1

SHA1
cd5c7f2fd7e75b11fe4b5edec13641081401bb30

SHA256
7de1b9f05bb896f7a8ee143b9e2bc997d7f97acfc37b8944adb5fd19fa004f65

SHA512
f4aa41c409fcb3bc2a572d8e1840072d535fb565930c595c3228114535ecc12c560d919973a9f16d7774ce1b44cfe27916f19f63ff7821f525322be30eeb4ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\f28f8d6c-aa6f-4bad-af60-66e4b5eee6dd.vbs

Filesize
709B

MD5
2064675aeb8b102d6a1105d260cb1940

SHA1
f0c931a4cfbdb282907202cae5addf97017173ff

SHA256
3305ccca69e1d40c37e3683846b2461300f94a99323655e6a60354c380234e49

SHA512
7f8472f8923dc4b9bd736e1bde66dfa2ddaf3e41784b4997f94653a286695e02535122d29cc0c848fd15b7b88b9ae2391c1a4eb79d8e61002e0b81d6bc2fdcfb

Download Submit
C:\Users\Admin\unsecapp.exe

Filesize
885KB

MD5
3dfc71cfc45034d671ac0f319bc080bd

SHA1
7d8a8faccf06d8ec762bdf56e8842dd069ec3801

SHA256
13af700b0453342984055a1e70619698a9163812e7524e4c6c264e29f25fd9a1

SHA512
8c824df6e8976dbf362cc075a1f114d9b86ad16cc0bedd880ef0a6afb7e745b901d957b96b8cf40020cbfb1c52f82874eacd319a9dc905b64d793c953503a00e

Download Submit
C:\Users\Admin\unsecapp.exe

Filesize
885KB

MD5
a3e2272f0f0574f6031d07e5dd3208b3

SHA1
ccb903106e05c90cef7cd5ecddb4ec554afb1f25

SHA256
3ea4d7ce02f991d8abc9c22f7cb5162a23c838d9fd78e785a2ae4a0805566374

SHA512
512402423f82bfeed5d45a198d49b6e529188aff7108ebaa1e11f023aa0c584d80d982a7f37cacd7abd6ad402a79f42951499d074dd931bd2f62a3d9412e5774

Download Submit
memory/5176-7-0x0000000002AB0000-0x0000000002ABA000-memory.dmp

Filesize
40KB

Download
memory/5176-211-0x00007FFD10400000-0x00007FFD10EC1000-memory.dmp

Filesize
10.8MB

Download
memory/5176-6-0x0000000002A90000-0x0000000002AA6000-memory.dmp

Filesize
88KB

Download
memory/5176-0-0x00007FFD10403000-0x00007FFD10405000-memory.dmp

Filesize
8KB

Download
memory/5176-8-0x0000000002AC0000-0x0000000002ACE000-memory.dmp

Filesize
56KB

Download
memory/5176-9-0x0000000002AD0000-0x0000000002AD8000-memory.dmp

Filesize
32KB

Download
memory/5176-10-0x0000000002AE0000-0x0000000002AEC000-memory.dmp

Filesize
48KB

Download
memory/5176-3-0x0000000002A70000-0x0000000002A8C000-memory.dmp

Filesize
112KB

Download
memory/5176-5-0x0000000001210000-0x0000000001220000-memory.dmp

Filesize
64KB

Download
memory/5176-4-0x000000001B720000-0x000000001B770000-memory.dmp

Filesize
320KB

Download
memory/5176-2-0x00007FFD10400000-0x00007FFD10EC1000-memory.dmp

Filesize
10.8MB

Download
memory/5176-1-0x0000000000860000-0x0000000000944000-memory.dmp

Filesize
912KB

Download