Malware Analysis Report

2024-10-10 13:00

Sample ID 240617-xf4gmstfrq
Target c2cf72416cd1a5cba005636dfa5ca341c92ed72a62ca0423ed55d3d4eb33721a.exe
SHA256 c2cf72416cd1a5cba005636dfa5ca341c92ed72a62ca0423ed55d3d4eb33721a
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c2cf72416cd1a5cba005636dfa5ca341c92ed72a62ca0423ed55d3d4eb33721a

Threat Level: Known bad

The file c2cf72416cd1a5cba005636dfa5ca341c92ed72a62ca0423ed55d3d4eb33721a.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

Dcrat family

DCRat payload

Process spawned unexpected child process

DcRat

DCRat payload

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-17 18:48

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 18:48

Reported

2024-06-17 18:51

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c2cf72416cd1a5cba005636dfa5ca341c92ed72a62ca0423ed55d3d4eb33721a.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
(identical row repeated 30 times in the original report, one per schtasks.exe launch)

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Providerfontdriver\chainSvc.exe | N/A
N/A | N/A | C:\Program Files (x86)\Reference Assemblies\Microsoft\cmd.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\sppsvc.exe | C:\Providerfontdriver\chainSvc.exe | N/A
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\0a1fd5f707cd16 | C:\Providerfontdriver\chainSvc.exe | N/A
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\cmd.exe | C:\Providerfontdriver\chainSvc.exe | N/A
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\ebf1f9fa8afd6d | C:\Providerfontdriver\chainSvc.exe | N/A
File created | C:\Program Files (x86)\Windows Media Player\Icons\explorer.exe | C:\Providerfontdriver\chainSvc.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Providerfontdriver\chainSvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Reference Assemblies\Microsoft\cmd.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3000 wrote to memory of 1544 | N/A | C:\Users\Admin\AppData\Local\Temp\c2cf72416cd1a5cba005636dfa5ca341c92ed72a62ca0423ed55d3d4eb33721a.exe | C:\Windows\SysWOW64\WScript.exe
PID 3000 wrote to memory of 1544 | N/A | C:\Users\Admin\AppData\Local\Temp\c2cf72416cd1a5cba005636dfa5ca341c92ed72a62ca0423ed55d3d4eb33721a.exe | C:\Windows\SysWOW64\WScript.exe
PID 3000 wrote to memory of 1544 | N/A | C:\Users\Admin\AppData\Local\Temp\c2cf72416cd1a5cba005636dfa5ca341c92ed72a62ca0423ed55d3d4eb33721a.exe | C:\Windows\SysWOW64\WScript.exe
PID 3000 wrote to memory of 1544 | N/A | C:\Users\Admin\AppData\Local\Temp\c2cf72416cd1a5cba005636dfa5ca341c92ed72a62ca0423ed55d3d4eb33721a.exe | C:\Windows\SysWOW64\WScript.exe
PID 1544 wrote to memory of 2256 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1544 wrote to memory of 2256 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1544 wrote to memory of 2256 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1544 wrote to memory of 2256 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2572 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Providerfontdriver\chainSvc.exe
PID 2256 wrote to memory of 2572 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Providerfontdriver\chainSvc.exe
PID 2256 wrote to memory of 2572 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Providerfontdriver\chainSvc.exe
PID 2256 wrote to memory of 2572 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Providerfontdriver\chainSvc.exe
PID 2572 wrote to memory of 2096 | N/A | C:\Providerfontdriver\chainSvc.exe | C:\Program Files (x86)\Reference Assemblies\Microsoft\cmd.exe
PID 2572 wrote to memory of 2096 | N/A | C:\Providerfontdriver\chainSvc.exe | C:\Program Files (x86)\Reference Assemblies\Microsoft\cmd.exe
PID 2572 wrote to memory of 2096 | N/A | C:\Providerfontdriver\chainSvc.exe | C:\Program Files (x86)\Reference Assemblies\Microsoft\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c2cf72416cd1a5cba005636dfa5ca341c92ed72a62ca0423ed55d3d4eb33721a.exe

"C:\Users\Admin\AppData\Local\Temp\c2cf72416cd1a5cba005636dfa5ca341c92ed72a62ca0423ed55d3d4eb33721a.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Providerfontdriver\GtJGZIQMbL.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Providerfontdriver\YASZsbGc.bat" "

C:\Providerfontdriver\chainSvc.exe

"C:\Providerfontdriver\chainSvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Providerfontdriver\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Providerfontdriver\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Providerfontdriver\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Desktop\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Desktop\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Videos\Sample Videos\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Videos\Sample Videos\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Providerfontdriver\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Providerfontdriver\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Providerfontdriver\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Providerfontdriver\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Providerfontdriver\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Providerfontdriver\lsm.exe'" /rl HIGHEST /f

C:\Program Files (x86)\Reference Assemblies\Microsoft\cmd.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\cmd.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | a0994027.xsph.ru | udp
RU | 141.8.192.93:80 | a0994027.xsph.ru | tcp

Files

C:\Providerfontdriver\GtJGZIQMbL.vbe

MD5 24b8265d3cd891db791289555c7b2a1e
SHA1 dab7151ae005977649502e2d802d534d91b551c9
SHA256 bae06d4f4d86008f5e819ac12fec723f02c287b3b97a5054cc54fb43bfd93607
SHA512 bbb81d82bde4d63ef5cd6f278718a837ad72c371ba9d6a9bd744cf8bf5df01ba38cf29e7ff160c2d5f5ca41ade56e56e488a9e223c23bffab1728113a1ef43e3

C:\Providerfontdriver\YASZsbGc.bat

MD5 862188e9595cc7d0acea9902053aa556
SHA1 ca1548b27642e3d5e3fb2ef42e28b2ca23c1867f
SHA256 922711a6daeda8fdb60b24fae327e12fbaab7c5004b104097c452d244b2351be
SHA512 cbeaa38afebb291b81e9fa4dc1c39cd89ce41f41870250a43ec9a0b6b1a473262ec236e31ac169911447eb6cb5c16f0438aea42abe4a8f10a239d6e7d72cbc3f

C:\Providerfontdriver\chainSvc.exe

MD5 36df704fcce9f3a1aa122d452715db6e
SHA1 085509e9406493e52718d29ec24f32aa36d967f3
SHA256 4a369e21290f35af7d98a5e32ad7a99d7f628f54a6e5093cecf38b7fd37ec136
SHA512 5e2bdffcd42cd9f53714e8d8b775abf278cbdc02564254eb9b0244a04fa8068d2992782e40ee354c6b30e8b8f34892255fedad83e16cbeb998a700cbb0e1b475

memory/2572-13-0x0000000000DC0000-0x0000000000E96000-memory.dmp

memory/2096-40-0x0000000000C50000-0x0000000000D26000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 18:48

Reported

2024-06-17 18:51

Platform

win10v2004-20240611-en

Max time kernel

98s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c2cf72416cd1a5cba005636dfa5ca341c92ed72a62ca0423ed55d3d4eb33721a.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
(identical row repeated 51 times in the original report, one per schtasks.exe launch)

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | C:\Providerfontdriver\chainSvc.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c2cf72416cd1a5cba005636dfa5ca341c92ed72a62ca0423ed55d3d4eb33721a.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Providerfontdriver\chainSvc.exe | N/A
N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\System.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Internet Explorer\images\RuntimeBroker.exe | C:\Providerfontdriver\chainSvc.exe | N/A
File created | C:\Program Files\WindowsPowerShell\Configuration\Schema\RuntimeBroker.exe | C:\Providerfontdriver\chainSvc.exe | N/A
File created | C:\Program Files\WindowsPowerShell\Configuration\Schema\9e8d7a4ca61bd9 | C:\Providerfontdriver\chainSvc.exe | N/A
File created | C:\Program Files\MsEdgeCrashpad\121e5b5079f7c0 | C:\Providerfontdriver\chainSvc.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\System.exe | C:\Providerfontdriver\chainSvc.exe | N/A
File created | C:\Program Files\Internet Explorer\fr-FR\RuntimeBroker.exe | C:\Providerfontdriver\chainSvc.exe | N/A
File created | C:\Program Files\MsEdgeCrashpad\sysmon.exe | C:\Providerfontdriver\chainSvc.exe | N/A
File created | C:\Program Files\Mozilla Firefox\gmp-clearkey\dwm.exe | C:\Providerfontdriver\chainSvc.exe | N/A
File created | C:\Program Files\Mozilla Firefox\gmp-clearkey\6cb0b6c459d5d3 | C:\Providerfontdriver\chainSvc.exe | N/A
File created | C:\Program Files\ModifiableWindowsApps\unsecapp.exe | C:\Providerfontdriver\chainSvc.exe | N/A
File created | C:\Program Files (x86)\Internet Explorer\chainSvc.exe | C:\Providerfontdriver\chainSvc.exe | N/A
File created | C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe | C:\Providerfontdriver\chainSvc.exe | N/A
File created | C:\Program Files\Windows Multimedia Platform\9e8d7a4ca61bd9 | C:\Providerfontdriver\chainSvc.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\fr-FR\RuntimeBroker.exe | C:\Providerfontdriver\chainSvc.exe | N/A
File created | C:\Program Files\Internet Explorer\images\9e8d7a4ca61bd9 | C:\Providerfontdriver\chainSvc.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\27d1bcfc3c54e0 | C:\Providerfontdriver\chainSvc.exe | N/A
File created | C:\Program Files (x86)\Internet Explorer\bb1bb4e1bbf501 | C:\Providerfontdriver\chainSvc.exe | N/A
File created | C:\Program Files\Internet Explorer\fr-FR\9e8d7a4ca61bd9 | C:\Providerfontdriver\chainSvc.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\CbsTemp\RuntimeBroker.exe | C:\Providerfontdriver\chainSvc.exe | N/A
File created | C:\Windows\CbsTemp\9e8d7a4ca61bd9 | C:\Providerfontdriver\chainSvc.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
(identical row repeated 51 times in the original report, one per schtasks.exe launch)

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\c2cf72416cd1a5cba005636dfa5ca341c92ed72a62ca0423ed55d3d4eb33721a.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings | C:\Providerfontdriver\chainSvc.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Providerfontdriver\chainSvc.exe | N/A
N/A | N/A | C:\Providerfontdriver\chainSvc.exe | N/A
N/A | N/A | C:\Providerfontdriver\chainSvc.exe | N/A
N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\System.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Providerfontdriver\chainSvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\System.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4140 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\c2cf72416cd1a5cba005636dfa5ca341c92ed72a62ca0423ed55d3d4eb33721a.exe | C:\Windows\SysWOW64\WScript.exe
PID 4140 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\c2cf72416cd1a5cba005636dfa5ca341c92ed72a62ca0423ed55d3d4eb33721a.exe | C:\Windows\SysWOW64\WScript.exe
PID 4140 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\c2cf72416cd1a5cba005636dfa5ca341c92ed72a62ca0423ed55d3d4eb33721a.exe | C:\Windows\SysWOW64\WScript.exe
PID 1168 wrote to memory of 1632 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1168 wrote to memory of 1632 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1168 wrote to memory of 1632 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 2784 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Providerfontdriver\chainSvc.exe
PID 1632 wrote to memory of 2784 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Providerfontdriver\chainSvc.exe
PID 2784 wrote to memory of 3448 | N/A | C:\Providerfontdriver\chainSvc.exe | C:\Windows\System32\cmd.exe
PID 2784 wrote to memory of 3448 | N/A | C:\Providerfontdriver\chainSvc.exe | C:\Windows\System32\cmd.exe
PID 3448 wrote to memory of 3844 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 3448 wrote to memory of 3844 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 3448 wrote to memory of 2068 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\System.exe
PID 3448 wrote to memory of 2068 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\System.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c2cf72416cd1a5cba005636dfa5ca341c92ed72a62ca0423ed55d3d4eb33721a.exe

"C:\Users\Admin\AppData\Local\Temp\c2cf72416cd1a5cba005636dfa5ca341c92ed72a62ca0423ed55d3d4eb33721a.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Providerfontdriver\GtJGZIQMbL.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Providerfontdriver\YASZsbGc.bat" "

C:\Providerfontdriver\chainSvc.exe

"C:\Providerfontdriver\chainSvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\fr-FR\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Providerfontdriver\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Providerfontdriver\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Providerfontdriver\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files\MsEdgeCrashpad\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\MsEdgeCrashpad\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files\MsEdgeCrashpad\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Providerfontdriver\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Providerfontdriver\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Providerfontdriver\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\CbsTemp\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\CbsTemp\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\CbsTemp\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Providerfontdriver\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Providerfontdriver\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Providerfontdriver\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "chainSvcc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\chainSvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "chainSvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\chainSvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "chainSvcc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\chainSvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Music\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Music\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Music\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\images\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\images\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Start Menu\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Start Menu\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u9PQn3G5zR.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\System.exe

"C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\System.exe"

Network

Country Destination Domain Proto
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 187.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 a0994027.xsph.ru udp
RU 141.8.192.93:80 a0994027.xsph.ru tcp
US 8.8.8.8:53 93.192.8.141.in-addr.arpa udp
US 20.42.73.26:443 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 159.185.200.23.in-addr.arpa udp

Files

C:\Providerfontdriver\GtJGZIQMbL.vbe

MD5 24b8265d3cd891db791289555c7b2a1e
SHA1 dab7151ae005977649502e2d802d534d91b551c9
SHA256 bae06d4f4d86008f5e819ac12fec723f02c287b3b97a5054cc54fb43bfd93607
SHA512 bbb81d82bde4d63ef5cd6f278718a837ad72c371ba9d6a9bd744cf8bf5df01ba38cf29e7ff160c2d5f5ca41ade56e56e488a9e223c23bffab1728113a1ef43e3

C:\Providerfontdriver\YASZsbGc.bat

MD5 862188e9595cc7d0acea9902053aa556
SHA1 ca1548b27642e3d5e3fb2ef42e28b2ca23c1867f
SHA256 922711a6daeda8fdb60b24fae327e12fbaab7c5004b104097c452d244b2351be
SHA512 cbeaa38afebb291b81e9fa4dc1c39cd89ce41f41870250a43ec9a0b6b1a473262ec236e31ac169911447eb6cb5c16f0438aea42abe4a8f10a239d6e7d72cbc3f

C:\Providerfontdriver\chainSvc.exe

MD5 36df704fcce9f3a1aa122d452715db6e
SHA1 085509e9406493e52718d29ec24f32aa36d967f3
SHA256 4a369e21290f35af7d98a5e32ad7a99d7f628f54a6e5093cecf38b7fd37ec136
SHA512 5e2bdffcd42cd9f53714e8d8b775abf278cbdc02564254eb9b0244a04fa8068d2992782e40ee354c6b30e8b8f34892255fedad83e16cbeb998a700cbb0e1b475

memory/2784-12-0x00007FFE5A443000-0x00007FFE5A445000-memory.dmp

memory/2784-13-0x0000000000150000-0x0000000000226000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u9PQn3G5zR.bat

MD5 27755c163e31ff9950d2000007f04067
SHA1 3225b1233eb8133052d2b193b7e8abda523afe64
SHA256 5522c81fd61ae442dfe84d3ff822a025a97fe7e4528b2bbbe61fd53bc663e4e2
SHA512 3e17cbfce8a08c6099d8caeb7584de88306d79fe8ad8e381ccfc44275ffd46321c817391b71dc29b46af579d6ed3ec9f4c9ca757c27b9ff2630979db060d94f6