dcrat | ec9fa98b9c0a55ad5d3b51bf6148b6e2041d1a14c36b4ad98caa9438bc3854e9

Analysis

max time kernel
73s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffc45f2c5865480a76df2d8f64009673.exe
Size

885KB
MD5

ffc45f2c5865480a76df2d8f64009673
SHA1

ed4d772472682c390f3adcbab5f34758e34255a2
SHA256

2301d9d871089a3d47d66f630934afd65d4be33e3650a14e016275635c2b736b
SHA512

44907f4b8add6cbf4534ef39180c054ac80f47e94e730afb4b5ee53207476bea980fcda1be66283f4fd20ff9d6923e89e74c375fda74068249b2fbe27b8e158a
SSDEEP

12288:ElNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:ElNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6124	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3536	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6060	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4164	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3112	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6020	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5876	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5804	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4076	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5996	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3428	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5440	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	1056	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	1056	schtasks.exe	87

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral30/memory/3016-1-0x0000000000E70000-0x0000000000F54000-memory.dmp	dcrat
behavioral30/files/0x00070000000241da-19.dat	dcrat
behavioral30/files/0x00100000000241b8-118.dat	dcrat
behavioral30/files/0x00110000000241f6-194.dat	dcrat

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	ffc45f2c5865480a76df2d8f64009673.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	ffc45f2c5865480a76df2d8f64009673.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	ffc45f2c5865480a76df2d8f64009673.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	ffc45f2c5865480a76df2d8f64009673.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	ffc45f2c5865480a76df2d8f64009673.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	ffc45f2c5865480a76df2d8f64009673.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	ffc45f2c5865480a76df2d8f64009673.exe

Executes dropped EXE 7 IoCs

pid	Process
748	ffc45f2c5865480a76df2d8f64009673.exe
4744	ffc45f2c5865480a76df2d8f64009673.exe
2032	ffc45f2c5865480a76df2d8f64009673.exe
4996	ffc45f2c5865480a76df2d8f64009673.exe
4784	ffc45f2c5865480a76df2d8f64009673.exe
6120	ffc45f2c5865480a76df2d8f64009673.exe
4572	ffc45f2c5865480a76df2d8f64009673.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\taskhostw.exe	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Program Files\edge_BITS_4416_1771530942\RCX52C5.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Program Files\edge_BITS_4416_1771530942\RCX52C6.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\RCX52E9.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\RCX53B4.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\RCX53D9.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Program Files\edge_BITS_4416_1771530942\0a1fd5f707cd16	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\RCX52EB.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\RCX53C8.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\RCX5457.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\taskhostw.exe	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\ea9f0e6c9e2dcd	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\RCX52EA.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\RCX52FB.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\RCX53B5.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\RCX53C9.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Program Files\edge_BITS_4416_1771530942\sppsvc.exe	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Program Files\edge_BITS_4416_1771530942\sppsvc.exe	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\f3b6ecef712a24	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\fontdrvhost.exe	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\5b884080fd4f94	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Program Files\Windows Defender\fr-FR\dwm.exe	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Program Files\Windows Defender\fr-FR\6cb0b6c459d5d3	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\ea9f0e6c9e2dcd	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\spoolsv.exe	ffc45f2c5865480a76df2d8f64009673.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	ffc45f2c5865480a76df2d8f64009673.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	ffc45f2c5865480a76df2d8f64009673.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	ffc45f2c5865480a76df2d8f64009673.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	ffc45f2c5865480a76df2d8f64009673.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	ffc45f2c5865480a76df2d8f64009673.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	ffc45f2c5865480a76df2d8f64009673.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	ffc45f2c5865480a76df2d8f64009673.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3176	schtasks.exe
3536	schtasks.exe
1060	schtasks.exe
2096	schtasks.exe
2024	schtasks.exe
4472	schtasks.exe
4692	schtasks.exe
4704	schtasks.exe
5876	schtasks.exe
5440	schtasks.exe
4164	schtasks.exe
4776	schtasks.exe
4888	schtasks.exe
3112	schtasks.exe
3500	schtasks.exe
4672	schtasks.exe
4752	schtasks.exe
6020	schtasks.exe
4576	schtasks.exe
4648	schtasks.exe
1088	schtasks.exe
4076	schtasks.exe
5996	schtasks.exe
3428	schtasks.exe
4424	schtasks.exe
4544	schtasks.exe
5804	schtasks.exe
2984	schtasks.exe
2860	schtasks.exe
6124	schtasks.exe
4456	schtasks.exe
6060	schtasks.exe
4352	schtasks.exe
4448	schtasks.exe
1500	schtasks.exe
4824	schtasks.exe
4700	schtasks.exe
2412	schtasks.exe
836	schtasks.exe
2620	schtasks.exe
4644	schtasks.exe
4452	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
3016	ffc45f2c5865480a76df2d8f64009673.exe
3016	ffc45f2c5865480a76df2d8f64009673.exe
3016	ffc45f2c5865480a76df2d8f64009673.exe
3016	ffc45f2c5865480a76df2d8f64009673.exe
3016	ffc45f2c5865480a76df2d8f64009673.exe
3016	ffc45f2c5865480a76df2d8f64009673.exe
3016	ffc45f2c5865480a76df2d8f64009673.exe
748	ffc45f2c5865480a76df2d8f64009673.exe
4744	ffc45f2c5865480a76df2d8f64009673.exe
2032	ffc45f2c5865480a76df2d8f64009673.exe
2032	ffc45f2c5865480a76df2d8f64009673.exe
4996	ffc45f2c5865480a76df2d8f64009673.exe
4784	ffc45f2c5865480a76df2d8f64009673.exe
6120	ffc45f2c5865480a76df2d8f64009673.exe
4572	ffc45f2c5865480a76df2d8f64009673.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3016	ffc45f2c5865480a76df2d8f64009673.exe
Token: SeDebugPrivilege	748	ffc45f2c5865480a76df2d8f64009673.exe
Token: SeDebugPrivilege	4744	ffc45f2c5865480a76df2d8f64009673.exe
Token: SeDebugPrivilege	2032	ffc45f2c5865480a76df2d8f64009673.exe
Token: SeDebugPrivilege	4996	ffc45f2c5865480a76df2d8f64009673.exe
Token: SeDebugPrivilege	4784	ffc45f2c5865480a76df2d8f64009673.exe
Token: SeDebugPrivilege	6120	ffc45f2c5865480a76df2d8f64009673.exe
Token: SeDebugPrivilege	4572	ffc45f2c5865480a76df2d8f64009673.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 832	3016	ffc45f2c5865480a76df2d8f64009673.exe	132
PID 3016 wrote to memory of 832	3016	ffc45f2c5865480a76df2d8f64009673.exe	132
PID 832 wrote to memory of 4548	832	cmd.exe	134
PID 832 wrote to memory of 4548	832	cmd.exe	134
PID 832 wrote to memory of 748	832	cmd.exe	141
PID 832 wrote to memory of 748	832	cmd.exe	141
PID 748 wrote to memory of 4372	748	ffc45f2c5865480a76df2d8f64009673.exe	145
PID 748 wrote to memory of 4372	748	ffc45f2c5865480a76df2d8f64009673.exe	145
PID 748 wrote to memory of 5356	748	ffc45f2c5865480a76df2d8f64009673.exe	146
PID 748 wrote to memory of 5356	748	ffc45f2c5865480a76df2d8f64009673.exe	146
PID 4372 wrote to memory of 4744	4372	WScript.exe	151
PID 4372 wrote to memory of 4744	4372	WScript.exe	151
PID 4744 wrote to memory of 4888	4744	ffc45f2c5865480a76df2d8f64009673.exe	153
PID 4744 wrote to memory of 4888	4744	ffc45f2c5865480a76df2d8f64009673.exe	153
PID 4744 wrote to memory of 4848	4744	ffc45f2c5865480a76df2d8f64009673.exe	154
PID 4744 wrote to memory of 4848	4744	ffc45f2c5865480a76df2d8f64009673.exe	154
PID 4888 wrote to memory of 2032	4888	WScript.exe	159
PID 4888 wrote to memory of 2032	4888	WScript.exe	159
PID 2032 wrote to memory of 2932	2032	ffc45f2c5865480a76df2d8f64009673.exe	164
PID 2032 wrote to memory of 2932	2032	ffc45f2c5865480a76df2d8f64009673.exe	164
PID 2032 wrote to memory of 5176	2032	ffc45f2c5865480a76df2d8f64009673.exe	165
PID 2032 wrote to memory of 5176	2032	ffc45f2c5865480a76df2d8f64009673.exe	165
PID 2932 wrote to memory of 4996	2932	WScript.exe	170
PID 2932 wrote to memory of 4996	2932	WScript.exe	170
PID 4996 wrote to memory of 1372	4996	ffc45f2c5865480a76df2d8f64009673.exe	172
PID 4996 wrote to memory of 1372	4996	ffc45f2c5865480a76df2d8f64009673.exe	172
PID 4996 wrote to memory of 1188	4996	ffc45f2c5865480a76df2d8f64009673.exe	173
PID 4996 wrote to memory of 1188	4996	ffc45f2c5865480a76df2d8f64009673.exe	173
PID 1372 wrote to memory of 4784	1372	WScript.exe	174
PID 1372 wrote to memory of 4784	1372	WScript.exe	174
PID 4784 wrote to memory of 1760	4784	ffc45f2c5865480a76df2d8f64009673.exe	176
PID 4784 wrote to memory of 1760	4784	ffc45f2c5865480a76df2d8f64009673.exe	176
PID 4784 wrote to memory of 4356	4784	ffc45f2c5865480a76df2d8f64009673.exe	177
PID 4784 wrote to memory of 4356	4784	ffc45f2c5865480a76df2d8f64009673.exe	177
PID 1760 wrote to memory of 6120	1760	WScript.exe	178
PID 1760 wrote to memory of 6120	1760	WScript.exe	178
PID 6120 wrote to memory of 5908	6120	ffc45f2c5865480a76df2d8f64009673.exe	180
PID 6120 wrote to memory of 5908	6120	ffc45f2c5865480a76df2d8f64009673.exe	180
PID 6120 wrote to memory of 2552	6120	ffc45f2c5865480a76df2d8f64009673.exe	181
PID 6120 wrote to memory of 2552	6120	ffc45f2c5865480a76df2d8f64009673.exe	181
PID 5908 wrote to memory of 4572	5908	WScript.exe	182
PID 5908 wrote to memory of 4572	5908	WScript.exe	182

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ffc45f2c5865480a76df2d8f64009673.exe
"C:\Users\Admin\AppData\Local\Temp\ffc45f2c5865480a76df2d8f64009673.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uQGHeBUD3r.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4548
- - C:\2f3e0199fccb3f72e8a39924edc6a781\ffc45f2c5865480a76df2d8f64009673.exe
    "C:\2f3e0199fccb3f72e8a39924edc6a781\ffc45f2c5865480a76df2d8f64009673.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:748
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68a5bca6-5926-46c2-aae8-91c45b779fbd.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4372
    - - C:\2f3e0199fccb3f72e8a39924edc6a781\ffc45f2c5865480a76df2d8f64009673.exe
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\ffc45f2c5865480a76df2d8f64009673.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4744
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\102db9c0-6e5e-40be-8e77-352b23610f19.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\ffc45f2c5865480a76df2d8f64009673.exe
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\ffc45f2c5865480a76df2d8f64009673.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\543535bc-d7b5-4c1d-909b-8e4cff34cf0e.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\ffc45f2c5865480a76df2d8f64009673.exe
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\ffc45f2c5865480a76df2d8f64009673.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1cf2d02-cbe3-4182-931e-0a62425fa25c.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\ffc45f2c5865480a76df2d8f64009673.exe
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\ffc45f2c5865480a76df2d8f64009673.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81c75b0d-e6a3-4d25-be0d-2a806d85df08.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\ffc45f2c5865480a76df2d8f64009673.exe
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\ffc45f2c5865480a76df2d8f64009673.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:6120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9b21a25-7aa3-4070-a077-05573d8f052b.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:5908
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\ffc45f2c5865480a76df2d8f64009673.exe
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\ffc45f2c5865480a76df2d8f64009673.exe
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4bfaad7-a3a7-4d3f-8264-bf71338b50ac.vbs"
        16⤵
        
        PID:5900
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\ffc45f2c5865480a76df2d8f64009673.exe
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\ffc45f2c5865480a76df2d8f64009673.exe
        17⤵
        
        PID:3752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e5fbe15-b2de-47bf-a4ea-599f2439b6a5.vbs"
        18⤵
        
        PID:4000
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\ffc45f2c5865480a76df2d8f64009673.exe
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\ffc45f2c5865480a76df2d8f64009673.exe
        19⤵
        
        PID:2328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc0d2543-738e-4545-95f4-f17cec369c3d.vbs"
        20⤵
        
        PID:4064
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\ffc45f2c5865480a76df2d8f64009673.exe
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\ffc45f2c5865480a76df2d8f64009673.exe
        21⤵
        
        PID:756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6985fb6c-1c7f-42eb-8037-c8b197b50d9b.vbs"
        22⤵
        
        PID:4296
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\ffc45f2c5865480a76df2d8f64009673.exe
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\ffc45f2c5865480a76df2d8f64009673.exe
        23⤵
        
        PID:3500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e76a14d-9047-42e1-9e69-ca0069114f64.vbs"
        24⤵
        
        PID:3580
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\ffc45f2c5865480a76df2d8f64009673.exe
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\ffc45f2c5865480a76df2d8f64009673.exe
        25⤵
        
        PID:1928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fcb017ae-e673-4a03-832d-e7f13ea9b10a.vbs"
        26⤵
        
        PID:5248
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\ffc45f2c5865480a76df2d8f64009673.exe
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\ffc45f2c5865480a76df2d8f64009673.exe
        27⤵
        
        PID:2140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38cf14fb-6929-4ab3-a049-7559811b3da5.vbs"
        28⤵
        
        PID:4656
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\ffc45f2c5865480a76df2d8f64009673.exe
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\ffc45f2c5865480a76df2d8f64009673.exe
        29⤵
        
        PID:4744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9a8fa89-a7f8-4266-9ccd-41711942a5f4.vbs"
        30⤵
        
        PID:212
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\ffc45f2c5865480a76df2d8f64009673.exe
        
        C:\2f3e0199fccb3f72e8a39924edc6a781\ffc45f2c5865480a76df2d8f64009673.exe
        31⤵
        
        PID:2408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec703d3a-468d-4cd1-b8fe-a95e2b85325b.vbs"
        32⤵
        
        PID:1628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b249e491-ce24-4a80-aaa9-aa60df820388.vbs"
        32⤵
        
        PID:916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ed41a23-5177-4aea-9789-6b106477751e.vbs"
        30⤵
        
        PID:5520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\276ff553-307e-460b-847f-0f3d28ae5d21.vbs"
        28⤵
        
        PID:1580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29d1c6fa-530c-488c-b755-d4c09cd6f4fb.vbs"
        26⤵
        
        PID:4704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\654a7817-606e-4f85-9727-6b5fa425192c.vbs"
        24⤵
        
        PID:5136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2becfe2b-a317-4c2b-8e16-203bdd033dc1.vbs"
        22⤵
        
        PID:1712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28da066f-b40f-4624-9cfe-076d3e297591.vbs"
        20⤵
        
        PID:1968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54529a34-51e8-44a6-b254-d23708f959d4.vbs"
        18⤵
        
        PID:2376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14a83c4e-b74c-409c-b7f3-f7fe1e2a4fbb.vbs"
        16⤵
        
        PID:1412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d412e89c-39c2-4210-9488-a839a07590dc.vbs"
        14⤵
        
        PID:2552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38cd44b8-c1b7-4f16-8720-b5718dca8fa9.vbs"
        12⤵
        
        PID:4356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4b889b6-e595-4c4c-9ab3-69f5aff4b72f.vbs"
        10⤵
        
        PID:1188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15f0330b-ad56-406d-9bb9-a65b2f158e9d.vbs"
        8⤵
        
        PID:5176
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8056e02a-1859-4b61-9400-536add7f5e45.vbs"
        6⤵
        
        PID:4848
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1de48712-fe76-4fcf-b782-b59eb8264630.vbs"
      4⤵
      PID:5356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\edge_BITS_4416_1771530942\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4416_1771530942\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\edge_BITS_4416_1771530942\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\PackageManifests\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\PackageManifests\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\34c553de294c1d56d0a800105b\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\34c553de294c1d56d0a800105b\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\34c553de294c1d56d0a800105b\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\34c553de294c1d56d0a800105b\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\34c553de294c1d56d0a800105b\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\34c553de294c1d56d0a800105b\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\34c553de294c1d56d0a800105b\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\34c553de294c1d56d0a800105b\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\34c553de294c1d56d0a800105b\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\fr-FR\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\fr-FR\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ffc45f2c5865480a76df2d8f64009673f" /sc MINUTE /mo 9 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\ffc45f2c5865480a76df2d8f64009673.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ffc45f2c5865480a76df2d8f64009673" /sc ONLOGON /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\ffc45f2c5865480a76df2d8f64009673.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ffc45f2c5865480a76df2d8f64009673f" /sc MINUTE /mo 8 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\ffc45f2c5865480a76df2d8f64009673.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2f3e0199fccb3f72e8a39924edc6a781\fontdrvhost.exe

Filesize
885KB

MD5
88d6da88d0d216d12418961d7029fc5c

SHA1
68373ecce423361d3a70bb8f0efbe53f65be3e55

SHA256
c23a7e6bb41714f49a75f6f35152d0cd13980a50b0f95460edc2813ec4545309

SHA512
a1e64efc35c65188d41b66378489c16c2d1fbce9b05d4436afc83204e0e1161a0d54dda611263ef1a77722c6c913b67dafb6bc0bfe80356731bf163d67828ac4

Download Submit
C:\34c553de294c1d56d0a800105b\taskhostw.exe

Filesize
885KB

MD5
ffc45f2c5865480a76df2d8f64009673

SHA1
ed4d772472682c390f3adcbab5f34758e34255a2

SHA256
2301d9d871089a3d47d66f630934afd65d4be33e3650a14e016275635c2b736b

SHA512
44907f4b8add6cbf4534ef39180c054ac80f47e94e730afb4b5ee53207476bea980fcda1be66283f4fd20ff9d6923e89e74c375fda74068249b2fbe27b8e158a

Download Submit
C:\Program Files\Windows Sidebar\Shared Gadgets\taskhostw.exe

Filesize
885KB

MD5
3f5e90c491c3b7ead259de8fcfca8b70

SHA1
a0f8f8521947b00f7a379fcbf24d0f955d630c69

SHA256
84f1f357db3b994e8e42debb51c289455c56e93a7b3f23add3bdfaf0d48b84d5

SHA512
65f161005eccfab5da1a1783ec69a8a118ec0376f538e5568e98d6feb15523cb0fb2ecc77e1f8ce586faac7b19677e3b141cecc3e805cfe2b041eaad171106dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ffc45f2c5865480a76df2d8f64009673.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Temp\102db9c0-6e5e-40be-8e77-352b23610f19.vbs

Filesize
748B

MD5
c168bd73cbc9d36cfe015b219e9b2adb

SHA1
1ff996c536842fb5f2474c047d1aa6a966e44593

SHA256
037a82f4ff318d1975cccd9948b2235ddf2767fcf74bab17db5eb1a109245219

SHA512
04b37405a833b846f0478460a6e97fa11834605214ec25e93c6e29533b05ba41df1215d567a917923de36325b3c7e8a45e9fb4dccefa029579add08e0b1d9c89

Download Submit
C:\Users\Admin\AppData\Local\Temp\1de48712-fe76-4fcf-b782-b59eb8264630.vbs

Filesize
524B

MD5
2bfdf2ffd09273f686e2d6206af241a9

SHA1
c0b77108448046907132640e0e5cf16ecd2c6947

SHA256
72c5bf21670b3b0f13c66460414bc1c708692a20a8ec8204d3d993eb6681367d

SHA512
3f62880d4acf94913c63bde3f169f0788eab2036d2be02821c1e645e3034be34a66c31146214bc2e0bb3d65b22af5f2380bb40e11e2f77f7d89ca8b2b82de572

Download Submit
C:\Users\Admin\AppData\Local\Temp\38cf14fb-6929-4ab3-a049-7559811b3da5.vbs

Filesize
748B

MD5
0342fbdaaa516f8afbafc19fad991965

SHA1
d77a0b1e22def06b700b922f1b86db3413ff200f

SHA256
6d9bacf37a716df1b7ab2c7273e2a87078737b218a101451fe53c5e9336bb73e

SHA512
e0f9c9db1f8c75299115b226f742355f39a2a8b4c0eaebc813af9fa6ee55a4379a196277114434fae7ce25ea06f7dc6d8b37563d251be6e99e5da2984106aaf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e5fbe15-b2de-47bf-a4ea-599f2439b6a5.vbs

Filesize
748B

MD5
fb67e44a1647236024631a57d8d0f757

SHA1
06d908531a5409626ce144ba6d90a220ab7a81ea

SHA256
55e661c94db9e15ffe247a7afaccd1a62413424d3cb4430b0ca567bcb86a6403

SHA512
c3bfa11ce148a93ffc4a352e275dc6a49ef069d994bd5cbb993113163b35a71b0d310cdf4dd15486f895f2c8f705dec14595de3d5026909a87d9e86f0ec89dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\543535bc-d7b5-4c1d-909b-8e4cff34cf0e.vbs

Filesize
748B

MD5
e336b4860a9b8097d00baac9fcba3315

SHA1
7a9846d9e38bdb45886fa62d3307516fad13a2cc

SHA256
887e0e462bed868cdcaa8f4a5a5927cd75435b2e2adb83ae5b707d095e7400eb

SHA512
b1779699032a6f78bfbbf3fb454dd3a6a5b5a1755556b222271d7aa238f1430b5e193ec4577217cab72ab775a24db12ee49ea9b1b8e3b526dc7c840c955a6a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\68a5bca6-5926-46c2-aae8-91c45b779fbd.vbs

Filesize
747B

MD5
1e0a1316496262107ea4d6bf05912dfa

SHA1
1766f58c43dd861cd65062f2b187e125e38cebfb

SHA256
1a46360a799fac70c8294bb24339cbb8bc43ff44782b4b3d45c01e5a1f1bd046

SHA512
36d33cbc1845081c7aa2711f91f0f8a107317475772b9719027e5fe8ef2c64359300cfbd5a531be1c3b44905820b7d2d14187caddc1938b160d5968360b7113f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6985fb6c-1c7f-42eb-8037-c8b197b50d9b.vbs

Filesize
747B

MD5
1403fd57e83c7a8d15458dacc02bd846

SHA1
59de416ad1983bf4602ef8639fffcdcb9276de28

SHA256
e36129e5f92742c883a260a7ba3698fe0157f60a45603df8c775f5e06962f1a0

SHA512
26ec32226e78665b2e20227aa0205953a6d2ba8f474b87c4fda241034ba2e4fc42e57824e560d911abf841a1068361d2d32cf2b681c6bffa2ca8a74704f4f34f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e76a14d-9047-42e1-9e69-ca0069114f64.vbs

Filesize
748B

MD5
632ec4942d0a49aa9377c48561538ab1

SHA1
3f669dd1c1696d374d5cb6e8ddf7e813bffc4491

SHA256
1c40f67cdb69c08f551b9d0977e21ab401c4bb0338f20addebfb3907d0fcbcac

SHA512
c806e867057bdcbaef334f8ebf6006cb10026d44eaf1292bd329caf79642856218d2cfaca914f261605f8bb5c09e998a2e6b346eb843a53558ee8d59972d6c4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\81c75b0d-e6a3-4d25-be0d-2a806d85df08.vbs

Filesize
748B

MD5
787bbe92ef5fa4fe6b039a03ed6069be

SHA1
679771f63419e87a7ccd140ac2987965738da8c3

SHA256
980c0c94a62f9832b0fae08e48bd7e83562f69a462a54b23cdf4343b2f03d105

SHA512
08c833d190fcb649aa15939d3728a181f412e2b8c43cf38f3749686e14c5fa64bfb7c61f02bf5c64f6edac7c2d7fc20e9645551e8b0af7ed97848622c82c1187

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1cf2d02-cbe3-4182-931e-0a62425fa25c.vbs

Filesize
748B

MD5
fd919efe095682af0effa5c26d210639

SHA1
c543cd409ee46765eedad6fcebed68964df7cc6b

SHA256
053e6a1c6ef3ea31520e41c1a80fa907c4e602d2589f725eb86420b5062f7d07

SHA512
a8f1992f7e1acab856c5771260fa0db1dda34d7843d7cac8c00c894267631fb1e9c69491a28692a75af86df0b36f2876f321aff3aad23155e4438009794dc32c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc0d2543-738e-4545-95f4-f17cec369c3d.vbs

Filesize
748B

MD5
94ac1c04febe087b2909029ba531190a

SHA1
0790f466fdd11a7eab87d393006fd12d9052da3d

SHA256
1c16101e92fe442f5c5b70c4feb068f42b77bb0cba0a80cd1fbc5ef32821f975

SHA512
b7e6efc3a0c3f7f4d90584ed3f860ecd269ef995635cf89f60d9ae923ee83d56dad3e23b4988aa83dbbd0b2bcff359a6b274af0571dc3ca34277c52ead27a298

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4bfaad7-a3a7-4d3f-8264-bf71338b50ac.vbs

Filesize
748B

MD5
c7cdecec50cd4f14f87ae08d9016bbef

SHA1
39326474d7d0628431f57a0542efb019bc09e6e8

SHA256
78eef41d3d8b86ba3165d93f98f488d7bf072f98d21e6dcdc0b694ea9553e82c

SHA512
862daec730483aadfa8076dfee1e5a5e61dac6a141fd6c37f3a215d0bca21b3a850b0e1dc4baf20f743a8974f4d39e7e6e160e33b60e27b3f2c6228f89fc95f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d9b21a25-7aa3-4070-a077-05573d8f052b.vbs

Filesize
748B

MD5
06d01a638c981b08f45cc5c0dae13a35

SHA1
66481a527ffce6c22b1c896edd167c091de13884

SHA256
f789b9b26a8aef7ef0a8ba3f1e555c49436407b18d02ae754baedba000489f9b

SHA512
641422e6ded489a112ab867c301ef439f6983ba1a2a9608bdad090a76b01a67c7c422099769701795c47e87a46093432063fbc1ebfee293a2bd6c9fc59a643bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec703d3a-468d-4cd1-b8fe-a95e2b85325b.vbs

Filesize
748B

MD5
6f79d943a8894aaa2938b0378e505ce3

SHA1
6afca6535ce98c94529cdcb4f1ab36effb64c90f

SHA256
b52561a74fc055b58cae6cc8e5b336ba81e58d67a9571a50e5075583422b70fd

SHA512
c3116e3575b3ef730f271cec9b37fa6775593c9b97ea9bce2a197537c1436160630f64865d18ae09843c0ee8416342e199fa4468716e15e11c5e6af8281742da

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcb017ae-e673-4a03-832d-e7f13ea9b10a.vbs

Filesize
748B

MD5
58a6f2652cbcb3ab2ddf47c2539f5087

SHA1
94759f375d4f86f29e1eb571eebcb9d9a9a4f347

SHA256
15604cff6ec3db612a6009ecdc48529eb87afaa1bfda7e96e34c537681ab357e

SHA512
8482fe70f40c1ab1a93df8cc5c07fc12f27ab671905c8a48f7584a83bf15b2f2131710590e57631b36a76f8da36b6bc5e0a7735e988f71c470b01adf50b3d066

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQGHeBUD3r.bat

Filesize
237B

MD5
a86cbfa49a40fb6636e3874099da34fe

SHA1
2aa34af366ce5c04b5a39011d7459cf9ba8f824c

SHA256
d7ba911271dee32d5d2658c37765845f45dfab99348cab7728150e6288280d0a

SHA512
0fc1ff02ae73465e66b25a76f9d89fa757aae39660a43e34b05126747102c77b64953be9c47e2c3dcca4216c6f9093a8be57e70f4019f7b590ad6c39493ac167

Download Submit
memory/3016-0-0x00007FFA7CC53000-0x00007FFA7CC55000-memory.dmp

Filesize
8KB

Download
memory/3016-6-0x0000000003010000-0x0000000003026000-memory.dmp

Filesize
88KB

Download
memory/3016-7-0x00000000030D0000-0x00000000030DA000-memory.dmp

Filesize
40KB

Download
memory/3016-5-0x0000000003000000-0x0000000003010000-memory.dmp

Filesize
64KB

Download
memory/3016-4-0x000000001BB30000-0x000000001BB80000-memory.dmp

Filesize
320KB

Download
memory/3016-8-0x00000000030E0000-0x00000000030EE000-memory.dmp

Filesize
56KB

Download
memory/3016-9-0x00000000030F0000-0x00000000030F8000-memory.dmp

Filesize
32KB

Download
memory/3016-10-0x000000001BAE0000-0x000000001BAEC000-memory.dmp

Filesize
48KB

Download
memory/3016-2-0x00007FFA7CC50000-0x00007FFA7D711000-memory.dmp

Filesize
10.8MB

Download
memory/3016-3-0x0000000002FD0000-0x0000000002FEC000-memory.dmp

Filesize
112KB

Download
memory/3016-1-0x0000000000E70000-0x0000000000F54000-memory.dmp

Filesize
912KB

Download
memory/3016-203-0x00007FFA7CC50000-0x00007FFA7D711000-memory.dmp

Filesize
10.8MB

Download