dcrat | 8e52ba8956d643c96cdeb75c43492302cf710a3d2acc852442930dedbe9ea1bb

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebe2e28a80ef59e70bca6e005782732e.exe
Size

885KB
MD5

ebe2e28a80ef59e70bca6e005782732e
SHA1

fd22205faabb86821db5c7f5d626ea8784d39731
SHA256

53b4ab4625fc60780e7ef00317080ded6f6ec02dcdbb6d681f8665918abd6b91
SHA512

6e5331f768f709e4f9b5a3a2d85d381e3c6d8b0e04fe3237bae6ade2a3ad4b4831cf93518705119226f70b735d90c44abf4c38ea2eb44d2a8d8c58b7da085aec
SSDEEP

12288:8lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:8lNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3372	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3472	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3480	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3196	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3460	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	512	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4260	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	1848	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3728	1848	schtasks.exe	88

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral32/memory/3032-1-0x00000000005B0000-0x0000000000694000-memory.dmp	dcrat
behavioral32/files/0x000d000000024101-91.dat	dcrat
behavioral32/files/0x0008000000024107-101.dat	dcrat
behavioral32/files/0x000d000000024139-176.dat	dcrat
behavioral32/files/0x000d000000024126-225.dat	dcrat
behavioral32/memory/3316-245-0x0000000000740000-0x0000000000824000-memory.dmp	dcrat
behavioral32/files/0x000700000002410c-19.dat	dcrat

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ebe2e28a80ef59e70bca6e005782732e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dllhost.exe

Executes dropped EXE 14 IoCs

pid	Process
3316	dllhost.exe
3556	dllhost.exe
1796	dllhost.exe
512	dllhost.exe
5064	dllhost.exe
4424	dllhost.exe
2296	dllhost.exe
2856	dllhost.exe
692	dllhost.exe
1556	dllhost.exe
2004	dllhost.exe
1568	dllhost.exe
4192	dllhost.exe
2912	dllhost.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\wininit.exe	ebe2e28a80ef59e70bca6e005782732e.exe
File created	C:\Program Files\Reference Assemblies\56085415360792	ebe2e28a80ef59e70bca6e005782732e.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\RCXF186.tmp	ebe2e28a80ef59e70bca6e005782732e.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\RCXF197.tmp	ebe2e28a80ef59e70bca6e005782732e.exe
File opened for modification	C:\Program Files\Reference Assemblies\RCXF198.tmp	ebe2e28a80ef59e70bca6e005782732e.exe
File opened for modification	C:\Program Files\Reference Assemblies\RCXF199.tmp	ebe2e28a80ef59e70bca6e005782732e.exe
File created	C:\Program Files\Windows Defender\fr-FR\backgroundTaskHost.exe	ebe2e28a80ef59e70bca6e005782732e.exe
File created	C:\Program Files\Windows Defender\fr-FR\eddb19405b7ce1	ebe2e28a80ef59e70bca6e005782732e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	dllhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2944	schtasks.exe
3012	schtasks.exe
692	schtasks.exe
1796	schtasks.exe
1552	schtasks.exe
464	schtasks.exe
1884	schtasks.exe
3472	schtasks.exe
1424	schtasks.exe
4752	schtasks.exe
5068	schtasks.exe
2992	schtasks.exe
3064	schtasks.exe
1600	schtasks.exe
3460	schtasks.exe
1468	schtasks.exe
512	schtasks.exe
540	schtasks.exe
4988	schtasks.exe
220	schtasks.exe
2856	schtasks.exe
3480	schtasks.exe
3196	schtasks.exe
1080	schtasks.exe
2912	schtasks.exe
992	schtasks.exe
868	schtasks.exe
956	schtasks.exe
1668	schtasks.exe
4036	schtasks.exe
3960	schtasks.exe
2444	schtasks.exe
3728	schtasks.exe
1100	schtasks.exe
3056	schtasks.exe
1340	schtasks.exe
4984	schtasks.exe
4332	schtasks.exe
5076	schtasks.exe
3692	schtasks.exe
4832	schtasks.exe
3440	schtasks.exe
4260	schtasks.exe
1756	schtasks.exe
2004	schtasks.exe
2804	schtasks.exe
2276	schtasks.exe
2244	schtasks.exe
2036	schtasks.exe
3372	schtasks.exe
8	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
3032	ebe2e28a80ef59e70bca6e005782732e.exe
3032	ebe2e28a80ef59e70bca6e005782732e.exe
3032	ebe2e28a80ef59e70bca6e005782732e.exe
3032	ebe2e28a80ef59e70bca6e005782732e.exe
3032	ebe2e28a80ef59e70bca6e005782732e.exe
3032	ebe2e28a80ef59e70bca6e005782732e.exe
3032	ebe2e28a80ef59e70bca6e005782732e.exe
3032	ebe2e28a80ef59e70bca6e005782732e.exe
3032	ebe2e28a80ef59e70bca6e005782732e.exe
3032	ebe2e28a80ef59e70bca6e005782732e.exe
3032	ebe2e28a80ef59e70bca6e005782732e.exe
3032	ebe2e28a80ef59e70bca6e005782732e.exe
3316	dllhost.exe
3556	dllhost.exe
1796	dllhost.exe
512	dllhost.exe
5064	dllhost.exe
5064	dllhost.exe
4424	dllhost.exe
2296	dllhost.exe
2856	dllhost.exe
692	dllhost.exe
1556	dllhost.exe
2004	dllhost.exe
1568	dllhost.exe
4192	dllhost.exe
2912	dllhost.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	ebe2e28a80ef59e70bca6e005782732e.exe
Token: SeDebugPrivilege	3316	dllhost.exe
Token: SeDebugPrivilege	3556	dllhost.exe
Token: SeDebugPrivilege	1796	dllhost.exe
Token: SeDebugPrivilege	512	dllhost.exe
Token: SeDebugPrivilege	5064	dllhost.exe
Token: SeDebugPrivilege	4424	dllhost.exe
Token: SeDebugPrivilege	2296	dllhost.exe
Token: SeDebugPrivilege	2856	dllhost.exe
Token: SeDebugPrivilege	692	dllhost.exe
Token: SeDebugPrivilege	1556	dllhost.exe
Token: SeDebugPrivilege	2004	dllhost.exe
Token: SeDebugPrivilege	1568	dllhost.exe
Token: SeDebugPrivilege	4192	dllhost.exe
Token: SeDebugPrivilege	2912	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 3316	3032	ebe2e28a80ef59e70bca6e005782732e.exe	141
PID 3032 wrote to memory of 3316	3032	ebe2e28a80ef59e70bca6e005782732e.exe	141
PID 3316 wrote to memory of 4888	3316	dllhost.exe	145
PID 3316 wrote to memory of 4888	3316	dllhost.exe	145
PID 3316 wrote to memory of 3292	3316	dllhost.exe	146
PID 3316 wrote to memory of 3292	3316	dllhost.exe	146
PID 4888 wrote to memory of 3556	4888	WScript.exe	150
PID 4888 wrote to memory of 3556	4888	WScript.exe	150
PID 3556 wrote to memory of 4464	3556	dllhost.exe	151
PID 3556 wrote to memory of 4464	3556	dllhost.exe	151
PID 3556 wrote to memory of 4300	3556	dllhost.exe	152
PID 3556 wrote to memory of 4300	3556	dllhost.exe	152
PID 4464 wrote to memory of 1796	4464	WScript.exe	153
PID 4464 wrote to memory of 1796	4464	WScript.exe	153
PID 1796 wrote to memory of 2144	1796	dllhost.exe	154
PID 1796 wrote to memory of 2144	1796	dllhost.exe	154
PID 1796 wrote to memory of 764	1796	dllhost.exe	155
PID 1796 wrote to memory of 764	1796	dllhost.exe	155
PID 2144 wrote to memory of 512	2144	WScript.exe	156
PID 2144 wrote to memory of 512	2144	WScript.exe	156
PID 512 wrote to memory of 1976	512	dllhost.exe	158
PID 512 wrote to memory of 1976	512	dllhost.exe	158
PID 512 wrote to memory of 816	512	dllhost.exe	159
PID 512 wrote to memory of 816	512	dllhost.exe	159
PID 1976 wrote to memory of 5064	1976	WScript.exe	168
PID 1976 wrote to memory of 5064	1976	WScript.exe	168
PID 5064 wrote to memory of 2088	5064	dllhost.exe	169
PID 5064 wrote to memory of 2088	5064	dllhost.exe	169
PID 5064 wrote to memory of 4320	5064	dllhost.exe	170
PID 5064 wrote to memory of 4320	5064	dllhost.exe	170
PID 2088 wrote to memory of 4424	2088	WScript.exe	171
PID 2088 wrote to memory of 4424	2088	WScript.exe	171
PID 4424 wrote to memory of 3904	4424	dllhost.exe	172
PID 4424 wrote to memory of 3904	4424	dllhost.exe	172
PID 4424 wrote to memory of 2560	4424	dllhost.exe	173
PID 4424 wrote to memory of 2560	4424	dllhost.exe	173
PID 3904 wrote to memory of 2296	3904	WScript.exe	174
PID 3904 wrote to memory of 2296	3904	WScript.exe	174
PID 2296 wrote to memory of 540	2296	dllhost.exe	175
PID 2296 wrote to memory of 540	2296	dllhost.exe	175
PID 2296 wrote to memory of 4116	2296	dllhost.exe	176
PID 2296 wrote to memory of 4116	2296	dllhost.exe	176
PID 540 wrote to memory of 2856	540	WScript.exe	177
PID 540 wrote to memory of 2856	540	WScript.exe	177
PID 2856 wrote to memory of 1600	2856	dllhost.exe	178
PID 2856 wrote to memory of 1600	2856	dllhost.exe	178
PID 2856 wrote to memory of 1116	2856	dllhost.exe	179
PID 2856 wrote to memory of 1116	2856	dllhost.exe	179
PID 1600 wrote to memory of 692	1600	WScript.exe	180
PID 1600 wrote to memory of 692	1600	WScript.exe	180
PID 692 wrote to memory of 3316	692	dllhost.exe	182
PID 692 wrote to memory of 3316	692	dllhost.exe	182
PID 692 wrote to memory of 3840	692	dllhost.exe	183
PID 692 wrote to memory of 3840	692	dllhost.exe	183
PID 3316 wrote to memory of 1556	3316	WScript.exe	184
PID 3316 wrote to memory of 1556	3316	WScript.exe	184
PID 1556 wrote to memory of 1512	1556	dllhost.exe	185
PID 1556 wrote to memory of 1512	1556	dllhost.exe	185
PID 1556 wrote to memory of 2144	1556	dllhost.exe	186
PID 1556 wrote to memory of 2144	1556	dllhost.exe	186
PID 1512 wrote to memory of 2004	1512	WScript.exe	187
PID 1512 wrote to memory of 2004	1512	WScript.exe	187
PID 2004 wrote to memory of 3828	2004	dllhost.exe	188
PID 2004 wrote to memory of 3828	2004	dllhost.exe	188

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ebe2e28a80ef59e70bca6e005782732e.exe
"C:\Users\Admin\AppData\Local\Temp\ebe2e28a80ef59e70bca6e005782732e.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Public\Libraries\dllhost.exe
  "C:\Users\Public\Libraries\dllhost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3316
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09bd2e6e-f8c8-40c7-96cb-8da6824a3b48.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4888
  - - C:\Users\Public\Libraries\dllhost.exe
      C:\Users\Public\Libraries\dllhost.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3556
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb46a57e-62f9-48a2-b7f8-45f824f53ea7.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4464
      - C:\Users\Public\Libraries\dllhost.exe
        
        C:\Users\Public\Libraries\dllhost.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a38c2a6c-9cfe-40d9-b6b0-3322ef45d88b.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Users\Public\Libraries\dllhost.exe
        
        C:\Users\Public\Libraries\dllhost.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e92fefd6-f502-48f9-b172-2ca8180035d0.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Users\Public\Libraries\dllhost.exe
        
        C:\Users\Public\Libraries\dllhost.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c002b44-123d-4292-b9c9-a2de524af287.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Users\Public\Libraries\dllhost.exe
        
        C:\Users\Public\Libraries\dllhost.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3400e6af-2fd5-429e-9ab4-07ceb713e9a6.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Users\Public\Libraries\dllhost.exe
        
        C:\Users\Public\Libraries\dllhost.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbaa11f1-d4e4-49e9-8e7b-eca6d8ed31b7.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Users\Public\Libraries\dllhost.exe
        
        C:\Users\Public\Libraries\dllhost.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\643c2ba5-325a-4da4-bc6c-22a0387274b6.vbs"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Users\Public\Libraries\dllhost.exe
        
        C:\Users\Public\Libraries\dllhost.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5665ca53-b628-44e6-8882-17e97781abd8.vbs"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Users\Public\Libraries\dllhost.exe
        
        C:\Users\Public\Libraries\dllhost.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f376bcb-cd15-4193-a15a-f08de3bbad50.vbs"
        21⤵
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Users\Public\Libraries\dllhost.exe
        
        C:\Users\Public\Libraries\dllhost.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2cc79019-2591-42be-bcb0-e945bfc33d9c.vbs"
        23⤵
        
        PID:3828
        
        C:\Users\Public\Libraries\dllhost.exe
        
        C:\Users\Public\Libraries\dllhost.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9bcdf9a-10fd-4b0a-bac5-8e32db8f7c78.vbs"
        25⤵
        
        PID:920
        
        C:\Users\Public\Libraries\dllhost.exe
        
        C:\Users\Public\Libraries\dllhost.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd42f105-5eaa-4835-b043-49db19540e6c.vbs"
        27⤵
        
        PID:4956
        
        C:\Users\Public\Libraries\dllhost.exe
        
        C:\Users\Public\Libraries\dllhost.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d2460dd-e319-4cc2-b148-d264202b477c.vbs"
        29⤵
        
        PID:4412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ee4c757-dda7-4fbc-b2e3-04739ad06aaf.vbs"
        29⤵
        
        PID:1876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27cd3893-e85f-4d13-8b2c-4f6172de93dc.vbs"
        27⤵
        
        PID:4528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f03209be-3986-401a-915a-4f5d64079225.vbs"
        25⤵
        
        PID:4400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ef81f27-9ee3-4b0c-86e6-54e86463253f.vbs"
        23⤵
        
        PID:1952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eacbd798-e3e1-449c-bfa9-e0b4be1859ae.vbs"
        21⤵
        
        PID:2144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ef17a7d-c9d3-477e-a30e-9f203cf3425d.vbs"
        19⤵
        
        PID:3840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c4280b7-458c-474d-b3f0-40b8a3057307.vbs"
        17⤵
        
        PID:1116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef6833f4-ead6-4bf4-bd87-8a7c0a8fdbbf.vbs"
        15⤵
        
        PID:4116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f42eefe-f1a0-40e1-a387-c1293d8a1178.vbs"
        13⤵
        
        PID:2560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\596b1ed8-4ddc-4f5b-a7a2-d2db53a53f19.vbs"
        11⤵
        
        PID:4320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0160a0fe-bfe4-4fb4-b85b-5d355ab380fa.vbs"
        9⤵
        
        PID:816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29845a4d-e303-4e52-8155-52014df0f765.vbs"
        7⤵
        
        PID:764
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd94f389-eded-441d-81a1-03af9b14b01d.vbs"
        5⤵
        
        PID:4300
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c60b9990-82a2-40ba-99d7-006922168fe2.vbs"
    3⤵
    PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\d9c22b4eaa3c0b9c12c7\fontdrvhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\d9c22b4eaa3c0b9c12c7\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\d9c22b4eaa3c0b9c12c7\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\d9c22b4eaa3c0b9c12c7\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Libraries\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Users\Public\AccountPictures\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Users\Public\AccountPictures\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\fr-FR\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\fr-FR\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\All Users\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\All Users\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\RCXF2CF.tmp

Filesize
885KB

MD5
f48557b2439b2cccae584a6f0c10a2f1

SHA1
c748e32b660a246f15598e84003e62baf6adebd7

SHA256
867305d19f53897fc9476fc13dbf756cafb3caeabe90e6ad8122208a5881fd3d

SHA512
bdfbba7944c488f51737ccda94cfb724cba5e667fa37a5838b3e3fbc0823b732ea4e36d36e03d07fc4eb071da184370aacf2b8ec3ec4cdc21694dddeb58bd9c2

Download Submit
C:\Recovery\WindowsRE\csrss.exe

Filesize
885KB

MD5
ebe2e28a80ef59e70bca6e005782732e

SHA1
fd22205faabb86821db5c7f5d626ea8784d39731

SHA256
53b4ab4625fc60780e7ef00317080ded6f6ec02dcdbb6d681f8665918abd6b91

SHA512
6e5331f768f709e4f9b5a3a2d85d381e3c6d8b0e04fe3237bae6ade2a3ad4b4831cf93518705119226f70b735d90c44abf4c38ea2eb44d2a8d8c58b7da085aec

Download Submit
C:\Recovery\WindowsRE\csrss.exe

Filesize
885KB

MD5
d450fd6dc6d830e311b12636e6be0303

SHA1
62e1a3e4c039598b7c7a8a0d295227db43a934b6

SHA256
3eefa545d85c9c9eed76c6fc4b783ffd3d616394a26546aa842fedb83cd38eb5

SHA512
fc7987665360f5640deecf95e466d92f58b66196c88a6844c090ac3d63d74cadb227cc623c2f4cbb665cd017349a782a5f20a29ed9cc92b0365685a7df0d3174

Download Submit
C:\Recovery\WindowsRE\unsecapp.exe

Filesize
885KB

MD5
6f5be715abbdb41711bd0aadd1a373f3

SHA1
803a7b145691d100835887852b2f2e575e43ef06

SHA256
678f91881313f7cc53676be2e20253df0487c15832950f623f2eb6089bb1c77a

SHA512
d2b18adff9c490e71140c2a892cdabefdf2856472677b778260646d2c0e4d296f8b67f80718a0dc5b9ca17ac1e82e81d4897693df275b1847b77998e046b1002

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\09bd2e6e-f8c8-40c7-96cb-8da6824a3b48.vbs

Filesize
713B

MD5
612ac8d9dd83302773f9ae565a65288d

SHA1
3ecf837e437e6a192b60bc6be20d791a652e1ecf

SHA256
99de7729fecf9c936963d2ef954d5ab407b20b56072333477ae13cd71093a83d

SHA512
cf15d1552c43bc7108854217ef7abe85653a3bc3295986206e77d2e9e06d66e91b2d36417663ee27075d8eba63a8d90df9f3ec287837aae81ca4c46912c90e6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c002b44-123d-4292-b9c9-a2de524af287.vbs

Filesize
713B

MD5
495404861a746c336da5def440741147

SHA1
c13a98ca105786fb8dfde8b492e81021f491c6d2

SHA256
4bd5321f2dbd4eb6199306b55bbf7aba09bf1f102bfcf7667a76adddce3e100a

SHA512
d8a607fe1d16f7b7e3133c95a49fb0c93b791bd40d1c3472ab46f31fb26b9cfd645f989cf44bc0b8bf9e01df67c3965b9dfce969f30e5e0521969a8d0f99678f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2cc79019-2591-42be-bcb0-e945bfc33d9c.vbs

Filesize
713B

MD5
124321667688ef8f34745ebd85bb8858

SHA1
9a78a3cb68702bf398a1d0ff7dad68ce0ee9cba7

SHA256
ee2c3cd352e1563e44f2575af88d165c89792669487fbf3f73699f349dec4fa6

SHA512
26f9afc8d6f2dfe0d3d43b30221d75e734bd9cb78f17cac1ab3fb9adb7029e5c3ea590940654299412c2194f815b268f867016545651b3635c1b7f80ca852f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\2f376bcb-cd15-4193-a15a-f08de3bbad50.vbs

Filesize
713B

MD5
803ea945d6174389006de4898b00a9aa

SHA1
e78a885173ffb9de0f0e294f5d53d8aff8d44d08

SHA256
b67e1a06da31521171163014cf0de4773410c835715fa1df1b08aff85472ec74

SHA512
1360923c2f23969e6164f991227fc74699d6bf9ed0f70470a1696b8be03759291f14c5cc59028d092dc03cbaac0f728f2bc6694042636787b84deb270afe1f2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3400e6af-2fd5-429e-9ab4-07ceb713e9a6.vbs

Filesize
713B

MD5
d5441ce76986699a215ef4a160b45cf5

SHA1
5f43990a41b2ea7eea32556ac75d825d494dd97c

SHA256
338a16247bd4a7dcf283ca29f164b4fe16749b5d7f4fb28710743be314e84b68

SHA512
7f61d2760ff37907b22c8e96e6825f13edd4f5b36c2ec38152a518255fcc8077c8860fc08e0a8c6a97f9e35432654176dee637520e04c74bdb4610fa26a60573

Download Submit
C:\Users\Admin\AppData\Local\Temp\5665ca53-b628-44e6-8882-17e97781abd8.vbs

Filesize
712B

MD5
fced581469abe64fd6b305309e0f0fed

SHA1
4ab0cc05bbd4236d8981f0de6632de9032f3eb70

SHA256
ff834bda9c32a0e8938bfba53733b5c1c863f3c0afcfd18090302d92244c9c59

SHA512
2733a129ff22f0201f28871815360e440a54d2936ad1e9fd7bbbf2f2e014a4cc8334af474755f981c318c07b90998cb26626dd8e1a7a2f615b7723549a67b766

Download Submit
C:\Users\Admin\AppData\Local\Temp\643c2ba5-325a-4da4-bc6c-22a0387274b6.vbs

Filesize
713B

MD5
e511dacd9c6aca037180db87f0bfb78c

SHA1
2b480c5c41f8c04a0acafe40b1c89822d20fb40d

SHA256
919aacfd48f1454951395da587fe670c735ebc4a41cf8247ee1a8aabbfc61620

SHA512
37dec21477edbb0ed18f6da94a739e7d4d84f3babba63f72ec0d5f0dea08d8764d8d78032e87e739d84a43f6309e0ccc471cf0e19d84c5230de26cc4ecc32d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d2460dd-e319-4cc2-b148-d264202b477c.vbs

Filesize
713B

MD5
cbab25d9cbad63ad5906757501bd9ac1

SHA1
4f67ccda386478725318ec2fc7c46d153ed4b437

SHA256
0377e229ca9cfcc7dc5d95d6157b0f4dd87215dd2acb24ba527cf8a55a670bcc

SHA512
5efdaeffbcd0d82c2c5c018653631884d472c2f9f94529c65440deb107caaa8d6748463620daf3af2e0fe26c40e4f3d9ba07fa43990e672455bd4f5b5d3be40b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a38c2a6c-9cfe-40d9-b6b0-3322ef45d88b.vbs

Filesize
713B

MD5
626e0ec5877b6587640206c5ca7cddb8

SHA1
4f8cc7fb41cbf9d0f2c39051985314e4a0d4dd5e

SHA256
44ad3570a491638c52029e2b9f338634a4b5af0f523397a5763270d4c1591987

SHA512
9db4bd0a910d50cb873073810b7b974c0b2eea664d69dba72611fc4d640bc18c3d07bca8b3fb0f57fa4f9ee510a6f187463db7f244b61f77c77498c7ae62b76c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9bcdf9a-10fd-4b0a-bac5-8e32db8f7c78.vbs

Filesize
713B

MD5
a5b14401260c232a7aa7f3435ddc2965

SHA1
8d500ac2ce56a6dc687a9ec34e0736d64e9baeb5

SHA256
704d15d9ff22f6cc6a46dc0c587bfb992a4b8e400f12696ca0f92850aa88abea

SHA512
3cdc44f3d6700e74e59c3946910f30e4e9aa51596d5616dde8afb6c8962a42241b38ca5dc96d2b436f997f7f1326daef900a90148d817fbaa66b67fef0343343

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb46a57e-62f9-48a2-b7f8-45f824f53ea7.vbs

Filesize
713B

MD5
facd6bc4552bab818cd62aa80bde759d

SHA1
7111dc4e1a0265eb1ee41e030b02867130e0969d

SHA256
09232000bae7f6ae23905f247955bb8b2ab400a6218fea699be1f9d9af01ee4c

SHA512
f37610018b6b0e612ce68c75afb02620011271f3655f612378f0eb983aea97286883913f3be340f2e9ce62efb1aaa287c30662e625c3becd9f818f0f16547c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbaa11f1-d4e4-49e9-8e7b-eca6d8ed31b7.vbs

Filesize
713B

MD5
1775bca48ee71aa7f01869fafb3bc9c4

SHA1
9d29d7dffc185b24c2ba0f71e70a4e731fc317b7

SHA256
4ab3040377de6bd8559026c18e0316486e36250b5d87c4ad40f1b9c4bff71b21

SHA512
8a81f1752e865d2aa195dcf9b952fb59af56ba1d5ca7b8592d678671b96b9d010a525341be06fd876e5240729e0d102bc6a43fb2c0cdf9b133ada216178df210

Download Submit
C:\Users\Admin\AppData\Local\Temp\c60b9990-82a2-40ba-99d7-006922168fe2.vbs

Filesize
489B

MD5
4958476f551ec6d910b1c3aff2e34622

SHA1
32716c2ad005babca61e83fcd2315fa7385e649e

SHA256
2f3a3e81e1e8fca9837196975478d9b21de560ad7d60fe15ec004624fae1a0d5

SHA512
f87daa5d556da71aecb1cad7c80f3dc854066e887a597d9afa0ac94d469a6f0e0397618ba5daae0fb304c957491b1c240803c07f24121d60178e9c89f69da46d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e92fefd6-f502-48f9-b172-2ca8180035d0.vbs

Filesize
712B

MD5
001408a87ce73bfcd90710d0e06f3bb9

SHA1
3f977f517cfef83db97947556d53a65dbf2033db

SHA256
226aaef945b6a6716bd94be5b6324f41cbeb156f5279b482de7f042255d38e72

SHA512
f2740afa1a715806f9731beb163d835f94006e43cae261a968195c451b0bbbc476b3542a33723cfec1e789b2359f9381899baa972458690fe55e750d39940f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd42f105-5eaa-4835-b043-49db19540e6c.vbs

Filesize
713B

MD5
ebf004c88fb352669f7ae18c219cbc12

SHA1
072be5762578f8811a985213550cdc97a9b647ee

SHA256
f647636b34c941981bc17e2facc22d5d2e5bf72d2f3441d19dc4fe52bedc4b47

SHA512
c77a0780b33c06d8f4d44979043083f202d8a666168298f690c75117ef8e071d474a6e8da9133575b79c814f4d619df2f8231dc78fb6b55a7a2122f1c4a3a95c

Download Submit
C:\Users\Public\Libraries\dllhost.exe

Filesize
885KB

MD5
59c2eac1da33a918c56f969b1b984c15

SHA1
1706e3c07cadc85a8aeafbb4fe7881b0032349dc

SHA256
af70eb48f42d8d5279792e86b603ded46ab0bb1a6c80102396c8fd4a9a4a41ce

SHA512
d2393a7c021862b2062507558a6f9090dec3399e610dfa7d135a66123a708e0d0d13380dd2ad6888a8bd770f59f1c52f8b5e4e86fbf7b453c3e436d33a187807

Download Submit
memory/764-294-0x0000024DAA150000-0x0000024DAA18B000-memory.dmp

Filesize
236KB

Download
memory/816-298-0x0000013262840000-0x000001326287B000-memory.dmp

Filesize
236KB

Download
memory/1116-375-0x0000021AB33A0000-0x0000021AB33DB000-memory.dmp

Filesize
236KB

Download
memory/1952-430-0x000001741C2B0000-0x000001741C2EB000-memory.dmp

Filesize
236KB

Download
memory/1976-297-0x0000018F92EE0000-0x0000018F92F1B000-memory.dmp

Filesize
236KB

Download
memory/2144-406-0x000002100CAF0000-0x000002100CB2B000-memory.dmp

Filesize
236KB

Download
memory/2560-331-0x0000012C5A450000-0x0000012C5A48B000-memory.dmp

Filesize
236KB

Download
memory/3032-5-0x0000000002750000-0x0000000002760000-memory.dmp

Filesize
64KB

Download
memory/3032-1-0x00000000005B0000-0x0000000000694000-memory.dmp

Filesize
912KB

Download
memory/3032-246-0x00007FFF7DD40000-0x00007FFF7E801000-memory.dmp

Filesize
10.8MB

Download
memory/3032-2-0x00007FFF7DD40000-0x00007FFF7E801000-memory.dmp

Filesize
10.8MB

Download
memory/3032-9-0x000000001B200000-0x000000001B208000-memory.dmp

Filesize
32KB

Download
memory/3032-0-0x00007FFF7DD43000-0x00007FFF7DD45000-memory.dmp

Filesize
8KB

Download
memory/3032-10-0x000000001B210000-0x000000001B21C000-memory.dmp

Filesize
48KB

Download
memory/3032-4-0x000000001B870000-0x000000001B8C0000-memory.dmp

Filesize
320KB

Download
memory/3032-6-0x000000001B1D0000-0x000000001B1E6000-memory.dmp

Filesize
88KB

Download
memory/3032-3-0x0000000002770000-0x000000000278C000-memory.dmp

Filesize
112KB

Download
memory/3032-8-0x000000001B1F0000-0x000000001B1FE000-memory.dmp

Filesize
56KB

Download
memory/3032-7-0x0000000002790000-0x000000000279A000-memory.dmp

Filesize
40KB

Download
memory/3292-259-0x00000272F22A0000-0x00000272F22DB000-memory.dmp

Filesize
236KB

Download
memory/3316-245-0x0000000000740000-0x0000000000824000-memory.dmp

Filesize
912KB

Download
memory/3828-429-0x000001CC91080000-0x000001CC910BB000-memory.dmp

Filesize
236KB

Download
memory/3840-384-0x00000269FAEB0000-0x00000269FAEEB000-memory.dmp

Filesize
236KB

Download
memory/4116-359-0x0000021A7CC40000-0x0000021A7CC7B000-memory.dmp

Filesize
236KB

Download
memory/4300-282-0x000001C128AA0000-0x000001C128ADB000-memory.dmp

Filesize
236KB

Download
memory/4320-326-0x000001B654810000-0x000001B65484B000-memory.dmp

Filesize
236KB

Download