dcrat | f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6

Analysis

max time kernel
147s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2025, 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
Size

885KB
MD5

63fa59f7c83ec1df2eac00cc85696830
SHA1

799e9ea365e4ad95c05d21e275e72438882ad776
SHA256

f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6
SHA512

0fc737e68a46d1af83e99b67f066b94bbfaad74bbeeeb183fda33337576fdca3c00fc894706bcfd75d74f0a6432982955a1fdba84fd13252413402c3aa9017d3
SSDEEP

12288:0lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:0lNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6076	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3280	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3252	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5732	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	368	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5948	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3908	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5400	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	1800	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6100	1800	schtasks.exe	86

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/5088-1-0x0000000000580000-0x0000000000664000-memory.dmp	dcrat
behavioral2/files/0x000700000002429b-19.dat	dcrat
behavioral2/files/0x000d0000000242c3-117.dat	dcrat

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Executes dropped EXE 16 IoCs

pid	Process
1940	fontdrvhost.exe
3232	fontdrvhost.exe
4560	fontdrvhost.exe
2764	fontdrvhost.exe
5588	fontdrvhost.exe
4032	fontdrvhost.exe
5616	fontdrvhost.exe
2844	fontdrvhost.exe
4008	fontdrvhost.exe
4444	fontdrvhost.exe
4060	fontdrvhost.exe
3528	fontdrvhost.exe
2856	fontdrvhost.exe
5348	fontdrvhost.exe
5312	fontdrvhost.exe
4328	fontdrvhost.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\Recovery\66fc9ff0ee96c2	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Windows\System32\Recovery\RCX5339.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Windows\System32\Recovery\RCX533A.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Windows\System32\Recovery\sihost.exe	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX53EC.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Program Files\edge_BITS_4492_4245689\services.exe	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\886983d96e3d3e	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Program Files\edge_BITS_4492_4245689\RCX534B.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\RCX5325.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\RCX5326.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX53DB.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\explorer.exe	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Program Files\edge_BITS_4492_4245689\c5b4cb5e9653cc	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\5940a34987c991	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Program Files\edge_BITS_4492_4245689\RCX534A.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCX53C8.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCX53C9.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCX53DA.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\7a0fd90576e088	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\c5b4cb5e9653cc	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCX53CA.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\PLA\Reports\fr-FR\5940a34987c991	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Windows\INF\.NET Data Provider for Oracle\7a0fd90576e088	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Windows\PrintDialog\dwm.exe	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Windows\PrintDialog\6cb0b6c459d5d3	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Windows\OCR\ja-jp\RuntimeBroker.exe	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Windows\PLA\Reports\fr-FR\RCX5327.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Windows\PLA\Reports\fr-FR\RCX5338.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Windows\INF\.NET Data Provider for Oracle\RCX536F.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Windows\PLA\Reports\fr-FR\dllhost.exe	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Windows\INF\.NET Data Provider for Oracle\explorer.exe	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Windows\INF\.NET Data Provider for Oracle\RCX535E.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Windows\PrintDialog\RCX5381.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Windows\PrintDialog\RCX5382.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	fontdrvhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4884	schtasks.exe
6076	schtasks.exe
3052	schtasks.exe
2772	schtasks.exe
4540	schtasks.exe
548	schtasks.exe
4856	schtasks.exe
5948	schtasks.exe
1484	schtasks.exe
112	schtasks.exe
3280	schtasks.exe
3176	schtasks.exe
4832	schtasks.exe
4732	schtasks.exe
4492	schtasks.exe
3164	schtasks.exe
4780	schtasks.exe
2992	schtasks.exe
4728	schtasks.exe
4796	schtasks.exe
4788	schtasks.exe
1816	schtasks.exe
456	schtasks.exe
4436	schtasks.exe
4948	schtasks.exe
4864	schtasks.exe
3252	schtasks.exe
1500	schtasks.exe
3396	schtasks.exe
5036	schtasks.exe
4568	schtasks.exe
3908	schtasks.exe
3504	schtasks.exe
5400	schtasks.exe
388	schtasks.exe
2240	schtasks.exe
3760	schtasks.exe
2468	schtasks.exe
1948	schtasks.exe
1400	schtasks.exe
4616	schtasks.exe
4920	schtasks.exe
5732	schtasks.exe
4600	schtasks.exe
6100	schtasks.exe
4668	schtasks.exe
368	schtasks.exe
868	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
5088	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
5088	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
5088	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
5088	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
5088	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
1940	fontdrvhost.exe
3232	fontdrvhost.exe
4560	fontdrvhost.exe
2764	fontdrvhost.exe
5588	fontdrvhost.exe
5588	fontdrvhost.exe
4032	fontdrvhost.exe
4032	fontdrvhost.exe
5616	fontdrvhost.exe
5616	fontdrvhost.exe
2844	fontdrvhost.exe
4008	fontdrvhost.exe
4444	fontdrvhost.exe
4060	fontdrvhost.exe
3528	fontdrvhost.exe
2856	fontdrvhost.exe
5348	fontdrvhost.exe
5312	fontdrvhost.exe
4328	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	5088	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
Token: SeDebugPrivilege	1940	fontdrvhost.exe
Token: SeDebugPrivilege	3232	fontdrvhost.exe
Token: SeDebugPrivilege	4560	fontdrvhost.exe
Token: SeDebugPrivilege	2764	fontdrvhost.exe
Token: SeDebugPrivilege	5588	fontdrvhost.exe
Token: SeDebugPrivilege	4032	fontdrvhost.exe
Token: SeDebugPrivilege	5616	fontdrvhost.exe
Token: SeDebugPrivilege	2844	fontdrvhost.exe
Token: SeDebugPrivilege	4008	fontdrvhost.exe
Token: SeDebugPrivilege	4444	fontdrvhost.exe
Token: SeDebugPrivilege	4060	fontdrvhost.exe
Token: SeDebugPrivilege	3528	fontdrvhost.exe
Token: SeDebugPrivilege	2856	fontdrvhost.exe
Token: SeDebugPrivilege	5348	fontdrvhost.exe
Token: SeDebugPrivilege	5312	fontdrvhost.exe
Token: SeDebugPrivilege	4328	fontdrvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 1060	5088	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe	136
PID 5088 wrote to memory of 1060	5088	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe	136
PID 1060 wrote to memory of 2096	1060	cmd.exe	138
PID 1060 wrote to memory of 2096	1060	cmd.exe	138
PID 1060 wrote to memory of 1940	1060	cmd.exe	144
PID 1060 wrote to memory of 1940	1060	cmd.exe	144
PID 1940 wrote to memory of 4440	1940	fontdrvhost.exe	146
PID 1940 wrote to memory of 4440	1940	fontdrvhost.exe	146
PID 1940 wrote to memory of 4404	1940	fontdrvhost.exe	147
PID 1940 wrote to memory of 4404	1940	fontdrvhost.exe	147
PID 4440 wrote to memory of 3232	4440	WScript.exe	150
PID 4440 wrote to memory of 3232	4440	WScript.exe	150
PID 3232 wrote to memory of 3760	3232	fontdrvhost.exe	151
PID 3232 wrote to memory of 3760	3232	fontdrvhost.exe	151
PID 3232 wrote to memory of 464	3232	fontdrvhost.exe	152
PID 3232 wrote to memory of 464	3232	fontdrvhost.exe	152
PID 3760 wrote to memory of 4560	3760	WScript.exe	153
PID 3760 wrote to memory of 4560	3760	WScript.exe	153
PID 4560 wrote to memory of 4664	4560	fontdrvhost.exe	154
PID 4560 wrote to memory of 4664	4560	fontdrvhost.exe	154
PID 4560 wrote to memory of 4832	4560	fontdrvhost.exe	155
PID 4560 wrote to memory of 4832	4560	fontdrvhost.exe	155
PID 4664 wrote to memory of 2764	4664	WScript.exe	158
PID 4664 wrote to memory of 2764	4664	WScript.exe	158
PID 2764 wrote to memory of 4948	2764	fontdrvhost.exe	159
PID 2764 wrote to memory of 4948	2764	fontdrvhost.exe	159
PID 2764 wrote to memory of 5520	2764	fontdrvhost.exe	160
PID 2764 wrote to memory of 5520	2764	fontdrvhost.exe	160
PID 4948 wrote to memory of 5588	4948	WScript.exe	162
PID 4948 wrote to memory of 5588	4948	WScript.exe	162
PID 5588 wrote to memory of 4268	5588	fontdrvhost.exe	164
PID 5588 wrote to memory of 4268	5588	fontdrvhost.exe	164
PID 5588 wrote to memory of 3168	5588	fontdrvhost.exe	165
PID 5588 wrote to memory of 3168	5588	fontdrvhost.exe	165
PID 4268 wrote to memory of 4032	4268	WScript.exe	167
PID 4268 wrote to memory of 4032	4268	WScript.exe	167
PID 4032 wrote to memory of 3880	4032	fontdrvhost.exe	168
PID 4032 wrote to memory of 3880	4032	fontdrvhost.exe	168
PID 4032 wrote to memory of 5636	4032	fontdrvhost.exe	169
PID 4032 wrote to memory of 5636	4032	fontdrvhost.exe	169
PID 3880 wrote to memory of 5616	3880	WScript.exe	170
PID 3880 wrote to memory of 5616	3880	WScript.exe	170
PID 5616 wrote to memory of 5252	5616	fontdrvhost.exe	174
PID 5616 wrote to memory of 5252	5616	fontdrvhost.exe	174
PID 5616 wrote to memory of 5924	5616	fontdrvhost.exe	175
PID 5616 wrote to memory of 5924	5616	fontdrvhost.exe	175
PID 5252 wrote to memory of 2844	5252	WScript.exe	176
PID 5252 wrote to memory of 2844	5252	WScript.exe	176
PID 2844 wrote to memory of 1672	2844	fontdrvhost.exe	177
PID 2844 wrote to memory of 1672	2844	fontdrvhost.exe	177
PID 2844 wrote to memory of 3396	2844	fontdrvhost.exe	178
PID 2844 wrote to memory of 3396	2844	fontdrvhost.exe	178
PID 1672 wrote to memory of 4008	1672	WScript.exe	180
PID 1672 wrote to memory of 4008	1672	WScript.exe	180
PID 4008 wrote to memory of 1948	4008	fontdrvhost.exe	181
PID 4008 wrote to memory of 1948	4008	fontdrvhost.exe	181
PID 4008 wrote to memory of 4632	4008	fontdrvhost.exe	182
PID 4008 wrote to memory of 4632	4008	fontdrvhost.exe	182
PID 1948 wrote to memory of 4444	1948	WScript.exe	183
PID 1948 wrote to memory of 4444	1948	WScript.exe	183
PID 4444 wrote to memory of 4932	4444	fontdrvhost.exe	184
PID 4444 wrote to memory of 4932	4444	fontdrvhost.exe	184
PID 4444 wrote to memory of 3504	4444	fontdrvhost.exe	185
PID 4444 wrote to memory of 3504	4444	fontdrvhost.exe	185

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
"C:\Users\Admin\AppData\Local\Temp\f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WOMmdGlRcK.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2096
- - C:\Users\Default User\fontdrvhost.exe
    "C:\Users\Default User\fontdrvhost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cab83b9a-49d0-47ac-9575-9499965ea305.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4440
    - - C:\Users\Default User\fontdrvhost.exe
        
        "C:\Users\Default User\fontdrvhost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3232
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd1b7d94-3093-4a65-9e91-ac6a2ce9f9b5.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3760
        
        C:\Users\Default User\fontdrvhost.exe
        
        "C:\Users\Default User\fontdrvhost.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa4e4112-2ba0-426a-b0ad-3d2043454f94.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Users\Default User\fontdrvhost.exe
        
        "C:\Users\Default User\fontdrvhost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\048ef436-6125-426e-929b-beb0c21239b2.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Users\Default User\fontdrvhost.exe
        
        "C:\Users\Default User\fontdrvhost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef4d0f22-a12f-4714-9529-e5168416f6f1.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Users\Default User\fontdrvhost.exe
        
        "C:\Users\Default User\fontdrvhost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e438f31a-0e9c-40dc-b132-2a5054484108.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Users\Default User\fontdrvhost.exe
        
        "C:\Users\Default User\fontdrvhost.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2667553f-5aa5-47ad-9f42-d9e2c78bbcc3.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:5252
        
        C:\Users\Default User\fontdrvhost.exe
        
        "C:\Users\Default User\fontdrvhost.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2585bcd-24c9-4a4b-94e3-e463c0cb421d.vbs"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Users\Default User\fontdrvhost.exe
        
        "C:\Users\Default User\fontdrvhost.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22be606b-99cd-494e-a8ef-11636c7ba2dd.vbs"
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Users\Default User\fontdrvhost.exe
        
        "C:\Users\Default User\fontdrvhost.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbd7d350-fb94-4114-9356-c9f1c09383f3.vbs"
        22⤵
        
        PID:4932
        
        C:\Users\Default User\fontdrvhost.exe
        
        "C:\Users\Default User\fontdrvhost.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e1b06f3-9b67-46e1-9f95-b1cc17298d04.vbs"
        24⤵
        
        PID:5584
        
        C:\Users\Default User\fontdrvhost.exe
        
        "C:\Users\Default User\fontdrvhost.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\603c1109-ef0f-4ed1-bbd8-fee049552a79.vbs"
        26⤵
        
        PID:3096
        
        C:\Users\Default User\fontdrvhost.exe
        
        "C:\Users\Default User\fontdrvhost.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e342aeb-4ecc-47f6-b9fc-52a66f27d917.vbs"
        28⤵
        
        PID:5740
        
        C:\Users\Default User\fontdrvhost.exe
        
        "C:\Users\Default User\fontdrvhost.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55c889e6-6e5a-42be-9d78-0b935c81dd33.vbs"
        30⤵
        
        PID:3984
        
        C:\Users\Default User\fontdrvhost.exe
        
        "C:\Users\Default User\fontdrvhost.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34ddfdd5-4d19-40e4-aad0-4b8da5bdb27b.vbs"
        32⤵
        
        PID:468
        
        C:\Users\Default User\fontdrvhost.exe
        
        "C:\Users\Default User\fontdrvhost.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bba8720-ce3b-44b8-8f83-8803567997e1.vbs"
        34⤵
        
        PID:2756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\366a2ada-f470-454f-b1e0-b32da6740506.vbs"
        34⤵
        
        PID:2988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5f52013-a88f-44ac-9af6-7c6c785daabb.vbs"
        32⤵
        
        PID:5192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63ead4de-80e8-4f5b-94ea-6a9b11da2a7f.vbs"
        30⤵
        
        PID:3924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb9afadc-fe84-4ad2-8f1a-861a7809b7d2.vbs"
        28⤵
        
        PID:1880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6afb3507-a6fc-49fd-89ee-f2e5618dfac2.vbs"
        26⤵
        
        PID:960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d179cac-c1ea-44ae-aaf2-c3acf30feb0d.vbs"
        24⤵
        
        PID:4816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\182d24c7-6c3b-45ae-9778-9465ae1430e1.vbs"
        22⤵
        
        PID:3504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a343d8f-3e74-49d3-ae23-47509c1ec1fe.vbs"
        20⤵
        
        PID:4632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1f28952-3536-4b4a-87c2-bdb7e9a96c11.vbs"
        18⤵
        
        PID:3396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15337ad3-d954-4fbb-be0f-4bb84e4ae63b.vbs"
        16⤵
        
        PID:5924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e264e83f-0da1-421b-86ec-6212de42f44c.vbs"
        14⤵
        
        PID:5636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6951238-4e1c-493f-ae51-06fdae8e0559.vbs"
        12⤵
        
        PID:3168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\526eb299-2292-4eae-9aaf-e270234151cd.vbs"
        10⤵
        
        PID:5520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efb4579e-d5a0-4086-81dc-2812556620fa.vbs"
        8⤵
        
        PID:4832
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fb0b7c7-f61f-4a99-a42e-10420934a725.vbs"
        6⤵
        
        PID:464
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95098c1b-d89c-49a0-8034-f61c76aff049.vbs"
      4⤵
      PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\PLA\Reports\fr-FR\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\PLA\Reports\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\PLA\Reports\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Windows\System32\Recovery\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\Recovery\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Windows\System32\Recovery\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\edge_BITS_4492_4245689\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4492_4245689\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\edge_BITS_4492_4245689\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6f" /sc MINUTE /mo 13 /tr "'C:\f9532e701a889cdd91b8\f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6f" /sc MINUTE /mo 12 /tr "'C:\f9532e701a889cdd91b8\f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\INF\.NET Data Provider for Oracle\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\INF\.NET Data Provider for Oracle\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\INF\.NET Data Provider for Oracle\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\PrintDialog\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\PrintDialog\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\PrintDialog\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\f9532e701a889cdd91b8\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\f9532e701a889cdd91b8\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\f9532e701a889cdd91b8\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\f9532e701a889cdd91b8\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Favorites\MusNotification.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Users\Default\Favorites\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Favorites\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\edge_BITS_4492_4245689\services.exe

Filesize
885KB

MD5
63fa59f7c83ec1df2eac00cc85696830

SHA1
799e9ea365e4ad95c05d21e275e72438882ad776

SHA256
f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6

SHA512
0fc737e68a46d1af83e99b67f066b94bbfaad74bbeeeb183fda33337576fdca3c00fc894706bcfd75d74f0a6432982955a1fdba84fd13252413402c3aa9017d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\048ef436-6125-426e-929b-beb0c21239b2.vbs

Filesize
713B

MD5
c95f0bd521cc373d7dde59ae1b41bfe7

SHA1
d016db3e86574c0d2eb95e448c047a7d6ef1f104

SHA256
89ed2c70eb8d61cdb8fadb0967fc9ff7c2a5adeca3f350e8bb42b4418cd496e4

SHA512
71e3cf02d12f47492f9b7736be8d2be717930d601e99645f9a7f8ea4d6258c100605526b48fba4083a65e4ccde05643932696659c6963081e743a3cb5bf9e61a

Download Submit
C:\Users\Admin\AppData\Local\Temp\22be606b-99cd-494e-a8ef-11636c7ba2dd.vbs

Filesize
713B

MD5
a91e0b7f0dd80b795c9cdef41872c7c9

SHA1
091869a9acd20494670f33d0d0d0c90a7b066a72

SHA256
724031bedabc9ead51efb5d7001c56ffd95f79a2e57f5ab1c872ebaa7a4a3ff0

SHA512
49fb94decda3dc0fe987b284b33f01ef03f1f27ad3781718c46ea802dd129ca003f0604bf2897567418bc44c377f0a0fea9b6c49ec959f0df9954e32337ee54c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2667553f-5aa5-47ad-9f42-d9e2c78bbcc3.vbs

Filesize
713B

MD5
ca5c15ac42f756044a53c2dc4bfdeecf

SHA1
1cf9083cdbe9cece2f6cd4deb44c3bbaf6f797db

SHA256
6aaac96190cea509235e0923f79d9d9308dee9c3f2a3b908b19dbd7b2b2691f8

SHA512
bdb69e3944aff3d7e3d901f406ecd41e6a1dd887d334a1b58bd7e95c450b9863a638426ef34bcfcde3a11b7695d1f328d77cc898436214619b6b65aea3c8cad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\34ddfdd5-4d19-40e4-aad0-4b8da5bdb27b.vbs

Filesize
713B

MD5
7cb629fb8e89eb382bd85c9cbb0df136

SHA1
a92c4b5927402ccead9ad330e45dd47d32822f33

SHA256
293d8801a75adf4bee35740a5e4abaf644ba7057149ecbd2980e9fbdeb94cfcb

SHA512
b6080f74739bd4c653adad035e765dceb020fdc55ec0830ec8b7f78db1775bf918cd1f40f126a098b03e2a0ea3625026c784fd7f5ccabf192f4aa326dd4d667d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e1b06f3-9b67-46e1-9f95-b1cc17298d04.vbs

Filesize
713B

MD5
5499547592e5acfe0d69f740f812750b

SHA1
b5933052536725e7c823bce5ac332b511c750297

SHA256
7153eb2e784ce716c03cffcd058c010b7f6197229b6ecb5c6261490d0d229944

SHA512
fe11a1fb7316dd35077ceefe7b578223bfcb09a72e987c9c9f0e322109527f8b9017bd3ecb52330f7115517da11086936b4fc3d269e31b189fa5b8391715d242

Download Submit
C:\Users\Admin\AppData\Local\Temp\55c889e6-6e5a-42be-9d78-0b935c81dd33.vbs

Filesize
713B

MD5
37ec679ae033fac55b955753dd6510bd

SHA1
890f9caab334be5cd3ae9ff6b5ca400f4f0d3c31

SHA256
01b5d3d43911dc7a07bfab8106cbaea73c0fbd83ec8d70b1f40157654d90c5e3

SHA512
fa039dfe4077b8bcb01ff8d26c873e0c290f408060c14e60c0a38790bcec08c4c964096fcb556780f2b3af18f5d995210e441be6dac12a5de0da004263bf4be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\603c1109-ef0f-4ed1-bbd8-fee049552a79.vbs

Filesize
713B

MD5
30734f4fdad7c7f4238cda49116bd256

SHA1
6c4d3dee20ac2c040d296e2b41160fd4e0977c54

SHA256
ce0c1326e706a33b4aaddc09670568e4c01ae8999d32282a4f95f6b2cb063a7b

SHA512
4cdff1351c2a5654b3b40bc9380a1b5849daf4707080c2e799db521c9299d13fa092eb5a081f92379a7ca03b8a59135cc40b203785ef1e3f3bc476f174e3469e

Download Submit
C:\Users\Admin\AppData\Local\Temp\95098c1b-d89c-49a0-8034-f61c76aff049.vbs

Filesize
489B

MD5
41cf8de79361ebea6bff5d097d146bf5

SHA1
74a2ac1fa22881a042ac2c4c946b934a53fbcd64

SHA256
cf7168d02878aaae62db8a86f6acf0c6f5906e1620c5d6b21d4762c6da7d86b9

SHA512
75bd2292d1ca5e4dcace7641c28a1e7a43d8d2d776ba4e9e206c24fe74eed3808316586fde0a749b163d48ed7a589dec4bb33587b02350476e56a913091c0786

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e342aeb-4ecc-47f6-b9fc-52a66f27d917.vbs

Filesize
713B

MD5
69b36c65a937520362da5ec0bb24da76

SHA1
6c38dd51e2d0df6c39a478a1af76dc452144c125

SHA256
044f88745719ae845c8caaf713bdc32a8c71e485146bf125ee43cd2dae6e7dbd

SHA512
3f53761186b3207af38c117c21f17c118e726dcb06b553b47a290fbb6f66b0006d6984dbc994d5e2608b06afb7f719f6d4ac2d2e96adaa3e5cbebc39ae6514e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\WOMmdGlRcK.bat

Filesize
202B

MD5
eb5574a7442205bb6e3ac5f79f99d84a

SHA1
3470d10944b65c4bf908d351e5d6703fd5a315a3

SHA256
8afc7d91632bc0b969d705257edf764eb13124f3bc851a9ebfb29d66fa84411b

SHA512
7ef5093cb8c144711d21d645c7d1461ee4908505122a843e2b350e1b93a7a6909289646ad86dafd7f9bea0a1f95c2535b7a3fc0cc3330d05b72666cd7aedaf4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cab83b9a-49d0-47ac-9575-9499965ea305.vbs

Filesize
713B

MD5
3071001333ea7e03813f208d9e596745

SHA1
fa2854d16e74fb02e5ddc7ccfc175fea843e4351

SHA256
d0c4238abdea1e484be5f6603a414dc8fdc4c5f04cebe657fd3401eab179dc90

SHA512
47d6b2c87e0c7aaf5babc6fb1fdaece32a606f587acbf5bfd9f39e2afbae904e44095ee7f90ccbf8592becfa631d0aadc18096f035407c34921f2b7ee6dfb4ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2585bcd-24c9-4a4b-94e3-e463c0cb421d.vbs

Filesize
713B

MD5
7f64a8ff4e5f3d6ab7505ecd4d70609b

SHA1
dc9e83bc4aa05915003375b2a11a216bb59d663f

SHA256
58b92eb3f49c3ac00c301e44f9f223fbc6582325ead520c29112fc34c0ef89ef

SHA512
0bbdf21b501d35b32041c3999a1717ecbae5ea2be3c263f626a5de9becf80a650129334e101a74c748733c3a03188417c1ab7eb1a3e8d8400422bcc5f14c5f56

Download Submit
C:\Users\Admin\AppData\Local\Temp\e438f31a-0e9c-40dc-b132-2a5054484108.vbs

Filesize
713B

MD5
a318762e1e8fb970d4593536449f3925

SHA1
1f2b5d804376f1c1e135f3b4b3ff62d0817cda1d

SHA256
37b6a91470f502f88e00ab00a5e01618cb61b3eb2b38a580e97dad8c940eed1a

SHA512
d66dd67ef68988223a6e03f8908a967cab43b5c604a85a5d3df7663be920886d604472f0a84aad9c98e3afddb23fd7b1d78694b9b8ca6b6e08401ed49bd4b018

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef4d0f22-a12f-4714-9529-e5168416f6f1.vbs

Filesize
713B

MD5
cfff08bf0f736a70906d767a57ba6a84

SHA1
dcb5cec568bb7c1d79c927e064e2ed964ca8d8ed

SHA256
f604158d0b783b698163647dd0aab651fbc150ff3d67c9bc970858e470427dd8

SHA512
ff6f054492eeebeaba0221128478d81a84acb4a584af41b6b4c1c019f1eaa952dd762973069cada02527c376d4bc8d57bff0e1f271bd868fb8c4f04bb37629cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\fa4e4112-2ba0-426a-b0ad-3d2043454f94.vbs

Filesize
713B

MD5
44b9f2a4338a7b19f28084d032add489

SHA1
a4a9f54db00b269addd0a23891d187a0aa1bde39

SHA256
b63b59aae0cc3e6e0d1dfd052d9a9dd724a7c2d04890c729a0275450152b0042

SHA512
eb984e3be21025642c0e85e5d5ff06ed0d7dc7f850f22234d0cb780db8851105671598ca3839f529a92edaf4240ebdcf80911ea52b33d4cfd7b32efef5e5c6e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbd7d350-fb94-4114-9356-c9f1c09383f3.vbs

Filesize
713B

MD5
abe5ef1edf662e0c525d246bd93e1015

SHA1
a9cf961ea84af13d22971e13738a799b825e5b74

SHA256
a863e3fe646854b40ca5f8c06a2a1340e46949684b898403baf1b5e07eb8ef98

SHA512
002fd9eed18f83842aa4ffc4bae274d4bd52ae71c91d542bba96b3cc065d2806b36b5a144bcefd4b79b6b388c9c608db2c07609651feb0c2b570cbaa8fbec7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd1b7d94-3093-4a65-9e91-ac6a2ce9f9b5.vbs

Filesize
713B

MD5
b79438cb6fbf4ea15c22f3781fb5ba0c

SHA1
70d66e60e47b16b8c5daf56587dc1f774b913e3c

SHA256
aab311127b62e5da6f99f6bf0abefea3d3eb8481fea00adeaad4aa86584f5001

SHA512
b8874c171a8bc9cba8bb410be9bfa337d8614f295ddabbffe0a2ed882f8a7b154f7238ab2a2db35223ff660c4aacc90f954854c5ea897ce5cc0e64d35aaae9ef

Download Submit
C:\Windows\INF\.NET Data Provider for Oracle\RCX535E.tmp

Filesize
885KB

MD5
820aacf0339504c151f50824661d04cf

SHA1
7dd5d11abd7b4278ff5b151c3e2a959865755d69

SHA256
bc079b530a35a8e2a67b25b679d1a44e2c87140bbe42f777cd70be2cd374c3a7

SHA512
dc907a44c8207596ddf4e8e9234043f6b74cf767e6a0aaa41d36d7015376599707e57df78d2759c557e50f0cf64283a8f85f5cc8e082a88dc3b85229e4bcbe03

Download Submit
memory/5088-0-0x00007FFFF8A33000-0x00007FFFF8A35000-memory.dmp

Filesize
8KB

Download
memory/5088-8-0x00000000029B0000-0x00000000029BE000-memory.dmp

Filesize
56KB

Download
memory/5088-10-0x000000001B2E0000-0x000000001B2EC000-memory.dmp

Filesize
48KB

Download
memory/5088-7-0x00000000029A0000-0x00000000029AA000-memory.dmp

Filesize
40KB

Download
memory/5088-9-0x00000000029C0000-0x00000000029C8000-memory.dmp

Filesize
32KB

Download
memory/5088-6-0x0000000002970000-0x0000000002986000-memory.dmp

Filesize
88KB

Download
memory/5088-230-0x00007FFFF8A30000-0x00007FFFF94F1000-memory.dmp

Filesize
10.8MB

Download
memory/5088-5-0x0000000002960000-0x0000000002970000-memory.dmp

Filesize
64KB

Download
memory/5088-4-0x000000001B880000-0x000000001B8D0000-memory.dmp

Filesize
320KB

Download
memory/5088-3-0x00000000027D0000-0x00000000027EC000-memory.dmp

Filesize
112KB

Download
memory/5088-2-0x00007FFFF8A30000-0x00007FFFF94F1000-memory.dmp

Filesize
10.8MB

Download
memory/5088-1-0x0000000000580000-0x0000000000664000-memory.dmp

Filesize
912KB

Download