dcrat | c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c

Analysis

max time kernel
93s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
Size

1.7MB
MD5

4f75597738cd353a6889438786801bf6
SHA1

63e5b961a8b77dedc46d8420cc78bb2df52c50ba
SHA256

c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c
SHA512

3d04a02dbda7b4ef1cee2316ffd19ed83970f7d11efcc7ee3c7c51f6c188fff06d93796caf5172293f27e7ad9cd7e56ef9fcf0378416d7b8caa99f96bfd064c0
SSDEEP

24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:NgwuuEpdDLNwVMeXDL0fdSzAG

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	472	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4288	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	520	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4048	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2080	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	2080	schtasks.exe	83

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3876-1-0x00000000004C0000-0x0000000000676000-memory.dmp	dcrat
behavioral2/files/0x0008000000023caa-31.dat	dcrat
behavioral2/files/0x000b000000023caa-64.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4088	powershell.exe
3044	powershell.exe
4284	powershell.exe
2120	powershell.exe
3716	powershell.exe
4248	powershell.exe
2916	powershell.exe
3676	powershell.exe
1412	powershell.exe
4492	powershell.exe
244	powershell.exe
4128	powershell.exe
3616	powershell.exe
1692	powershell.exe
5084	powershell.exe
3948	powershell.exe
4104	powershell.exe
2100	powershell.exe
4976	powershell.exe
3568	powershell.exe
4324	powershell.exe
3264	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Executes dropped EXE 3 IoCs

pid	Process
4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
1100	fontdrvhost.exe
2712	fontdrvhost.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\smss.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\dllhost.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File created	C:\Program Files\Google\smss.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Program Files\Google\RCXD47C.tmp	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File created	C:\Program Files\ModifiableWindowsApps\explorer.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\dllhost.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File created	C:\Program Files\Google\69ddcba757bf72	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\RCXD278.tmp	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Program Files\Google\RCXD4EB.tmp	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\5940a34987c991	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\5940a34987c991	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\RCXD277.tmp	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\ServiceState\EventLog\dllhost.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File created	C:\Windows\Speech_OneCore\Engines\Lexicon\es-ES\SearchApp.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File created	C:\Windows\Speech_OneCore\Engines\Lexicon\es-ES\38384e6a620884	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Windows\Speech_OneCore\Engines\Lexicon\es-ES\SearchApp.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File created	C:\Windows\Setup\fontdrvhost.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Windows\Setup\fontdrvhost.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File created	C:\Windows\Setup\5b884080fd4f94	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	fontdrvhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4288	schtasks.exe
520	schtasks.exe
752	schtasks.exe
2980	schtasks.exe
2728	schtasks.exe
228	schtasks.exe
2064	schtasks.exe
740	schtasks.exe
324	schtasks.exe
4628	schtasks.exe
472	schtasks.exe
5068	schtasks.exe
2032	schtasks.exe
2096	schtasks.exe
4716	schtasks.exe
4048	schtasks.exe
2964	schtasks.exe
1656	schtasks.exe
1212	schtasks.exe
1356	schtasks.exe
3312	schtasks.exe
2128	schtasks.exe
232	schtasks.exe
2840	schtasks.exe
2440	schtasks.exe
4972	schtasks.exe
1120	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
4492	powershell.exe
4492	powershell.exe
1412	powershell.exe
1412	powershell.exe
1692	powershell.exe
1692	powershell.exe
3044	powershell.exe
3044	powershell.exe
2120	powershell.exe
2120	powershell.exe
4284	powershell.exe
4284	powershell.exe
5084	powershell.exe
5084	powershell.exe
2100	powershell.exe
2100	powershell.exe
4104	powershell.exe
4104	powershell.exe
4088	powershell.exe
4088	powershell.exe
4284	powershell.exe
3676	powershell.exe
3676	powershell.exe
2100	powershell.exe
1412	powershell.exe
4492	powershell.exe
3044	powershell.exe
1692	powershell.exe
5084	powershell.exe
2120	powershell.exe
4104	powershell.exe
4088	powershell.exe
3676	powershell.exe
4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	5084	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	4284	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	4088	powershell.exe
Token: SeDebugPrivilege	3676	powershell.exe
Token: SeDebugPrivilege	4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	3264	powershell.exe
Token: SeDebugPrivilege	3616	powershell.exe
Token: SeDebugPrivilege	4976	powershell.exe
Token: SeDebugPrivilege	244	powershell.exe
Token: SeDebugPrivilege	4128	powershell.exe
Token: SeDebugPrivilege	3568	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	4248	powershell.exe
Token: SeDebugPrivilege	3948	powershell.exe
Token: SeDebugPrivilege	1100	fontdrvhost.exe
Token: SeDebugPrivilege	2712	fontdrvhost.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 3876 wrote to memory of 4088	3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	93
PID 3876 wrote to memory of 4088	3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	93
PID 3876 wrote to memory of 3044	3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	94
PID 3876 wrote to memory of 3044	3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	94
PID 3876 wrote to memory of 3676	3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	95
PID 3876 wrote to memory of 3676	3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	95
PID 3876 wrote to memory of 4104	3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	96
PID 3876 wrote to memory of 4104	3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	96
PID 3876 wrote to memory of 4284	3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	97
PID 3876 wrote to memory of 4284	3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	97
PID 3876 wrote to memory of 1692	3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	98
PID 3876 wrote to memory of 1692	3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	98
PID 3876 wrote to memory of 2120	3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	99
PID 3876 wrote to memory of 2120	3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	99
PID 3876 wrote to memory of 2100	3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	100
PID 3876 wrote to memory of 2100	3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	100
PID 3876 wrote to memory of 1412	3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	101
PID 3876 wrote to memory of 1412	3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	101
PID 3876 wrote to memory of 5084	3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	102
PID 3876 wrote to memory of 5084	3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	102
PID 3876 wrote to memory of 4492	3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	103
PID 3876 wrote to memory of 4492	3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	103
PID 3876 wrote to memory of 312	3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	115
PID 3876 wrote to memory of 312	3876	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	115
PID 312 wrote to memory of 4964	312	cmd.exe	117
PID 312 wrote to memory of 4964	312	cmd.exe	117
PID 312 wrote to memory of 4632	312	cmd.exe	118
PID 312 wrote to memory of 4632	312	cmd.exe	118
PID 4632 wrote to memory of 244	4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	137
PID 4632 wrote to memory of 244	4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	137
PID 4632 wrote to memory of 4976	4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	138
PID 4632 wrote to memory of 4976	4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	138
PID 4632 wrote to memory of 3948	4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	139
PID 4632 wrote to memory of 3948	4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	139
PID 4632 wrote to memory of 4128	4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	140
PID 4632 wrote to memory of 4128	4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	140
PID 4632 wrote to memory of 3716	4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	141
PID 4632 wrote to memory of 3716	4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	141
PID 4632 wrote to memory of 3568	4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	142
PID 4632 wrote to memory of 3568	4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	142
PID 4632 wrote to memory of 3616	4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	143
PID 4632 wrote to memory of 3616	4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	143
PID 4632 wrote to memory of 4324	4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	144
PID 4632 wrote to memory of 4324	4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	144
PID 4632 wrote to memory of 4248	4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	145
PID 4632 wrote to memory of 4248	4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	145
PID 4632 wrote to memory of 3264	4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	146
PID 4632 wrote to memory of 3264	4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	146
PID 4632 wrote to memory of 2916	4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	147
PID 4632 wrote to memory of 2916	4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	147
PID 4632 wrote to memory of 1100	4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	159
PID 4632 wrote to memory of 1100	4632	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	159
PID 1100 wrote to memory of 2188	1100	fontdrvhost.exe	160
PID 1100 wrote to memory of 2188	1100	fontdrvhost.exe	160
PID 1100 wrote to memory of 1316	1100	fontdrvhost.exe	161
PID 1100 wrote to memory of 1316	1100	fontdrvhost.exe	161
PID 2188 wrote to memory of 2712	2188	WScript.exe	168
PID 2188 wrote to memory of 2712	2188	WScript.exe	168

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
"C:\Users\Admin\AppData\Local\Temp\c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4492
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\96hALFZqMa.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:312
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4964
- - C:\Users\Admin\AppData\Local\Temp\c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
    "C:\Users\Admin\AppData\Local\Temp\c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4632
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:244
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4976
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3948
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4128
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3716
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3568
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3616
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4324
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4248
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3264
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2916
  - - C:\Users\All Users\Application Data\fontdrvhost.exe
      "C:\Users\All Users\Application Data\fontdrvhost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1100
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb62ce36-c99e-47b3-93b4-30ef2a98b9cc.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2188
      - C:\Users\All Users\Application Data\fontdrvhost.exe
        
        "C:\Users\All Users\Application Data\fontdrvhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc16f30f-fb2e-402e-a196-2eee9505657b.vbs"
        5⤵
        
        PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Google\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\Setup\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Setup\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\Setup\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Application Data\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Application Data\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\es-ES\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\es-ES\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\es-ES\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Admin\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\smss.exe

Filesize
1.7MB

MD5
e515ddb52237f05c8ca9825d51730d10

SHA1
89ea71ef8f8e003becc68bcafdf97665df784cd4

SHA256
5ff6dc71849dac7718c2687d50404010789381e06972313762b2f73d69e40b1d

SHA512
b3c5a22b89889871f8ba393c5f6bab569c9b28261861a6ff987f7317554fdf22f441308db9d149393091a9fd0ef9206f81590d78adb1d96f7e6ab38c270bf37d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
3ad9a5252966a3ab5b1b3222424717be

SHA1
5397522c86c74ddbfb2585b9613c794f4b4c3410

SHA256
27525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249

SHA512
b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dd1d0b083fedf44b482a028fb70b96e8

SHA1
dc9c027937c9f6d52268a1504cbae42a39c8d36a

SHA256
cab7944d29e0501dc0db904ac460ca7a87700e0ec7eb62298b7b97cbf40c424c

SHA512
96bec38bfda176292ae65dcf735103e7888baa212038737c1d1e215fcb76e4c0355e4a827a1934303e7aecae91012fa412f13e38f382b732758bae985cc67973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b801d886e417a9bf405b2f0092e04fe1

SHA1
fa99fefa2f49af240141692f78c8c28f04205389

SHA256
57b1c29eef54567fcfdaa28d2923485cb6f77bb76dc54235965fb34f02a42636

SHA512
b2c8bf95b4c25d7fff388b5f3e04212c43af9588f7aed8a7cb251330ee18c89789eb1d294b8449ec2afeb9b5373d7a6dce8f4369b84cbfb6a7c7813341fa07ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
120c6c9af4de2accfcff2ed8c3aab1af

SHA1
504f64ae4ac9c4fe308a6a50be24fe464f3dad95

SHA256
461315e4057c3fa4d0031df3f7e6511914f082698b6c41f5c2ada831ceffb222

SHA512
041712168718dff702da8203b4089b2e57db98ce503b8ecf36809dec0cd7a595a0d427caa960bc1bd29cbedc85ad3262773f2077a476b85aca387d48f7b07ba2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3c625954a51c4bbd8141206b00f6fc0a

SHA1
4128cb2f9d2984844e303e2e330e448334e5c273

SHA256
952515feb4929cfad2435c679a5fad19242e938e8a7c97afebb1f3d996bd3ec4

SHA512
3f7c4ea0551de5b6237ca13419413e6e73e85632e9bb09b5354d6310b5969f9c3a2dc27142e75e8572c2c65b2bc7615269fad27dcea2f91c389b6758e2630517

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
145039ee65251da29aa337556cab6c61

SHA1
5dce5405ea3ab3c00a5ff7044c8bb7b684f9973e

SHA256
26bbedffe13d17dc90fda8ee3423a05695ef2d9d10cad9f537334074ec105788

SHA512
d6536c7c31ce564a80c45d4acff414c5426a777ec5bbd8a9f3eb19f6a82ca25dda557f15a600df81b5b2472881d6b266cd1be93dfedcf44a244ce47904e3c46e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6019bc03fe1dc3367a67c76d08b55399

SHA1
3d0b6d4d99b6b8e49829a3992072c3d9df7ad672

SHA256
7f88db7b83b11cd8ea233efc3a1498635b68771482658255750df564a065f7d0

SHA512
6b5409780a23e977b0bbe463e351f1d474539100aeaa01b0b7fe72aa6dbfb3c0fec64fe9db65b63d188a279b65eae7f31ef0b6880c67ada9ab175da419f595eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4f473e15a0686d0c819ad40b5f232368

SHA1
a769892ae2e8203e7d4a992a317189b56723da33

SHA256
53d6c0d9a801d45fefdcec9b3ecf217fef683efc4e40ba9c72f0116ee4d20237

SHA512
d9b43132432078d5496688717253e58e7caab0dcbd20fc41fa8a718d11d699e93ee198f18be4243ed34bcf8912e1377888fe72ae5b26d920e765ab523f0bdf55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0a7dafd4af6ce4631e060c6f6896935e

SHA1
6d56bec43b43f2141b581c28d1928689b556df25

SHA256
ca04a16d6f41b98c5df52fe878d44d913c7b4400497441e6d11a1b41d4298119

SHA512
8159d4de8ff4f425b3ffbede9b420f749f0394183df823e39dba01e1d511b697ed4b60f84c46f7165c473610e1699882b4109af5c4ccfafa000c3846a08d3fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\96hALFZqMa.bat

Filesize
267B

MD5
01fe7638748a35ee03e397c76509da58

SHA1
051c01bb985398376ceee1bf748042401bc12b69

SHA256
166dd06e0807ae781cc72a756b13b2c58bb2c7804d6e499334c085c2ca422b15

SHA512
1485504b6d1f037944a1144b4ff85621baaf78444f7993fa04369743071383204ec64de60d573bc245842c0917cdca17a8d8fca5ffbacc70a603ab661539fa46

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCXCE4D.tmp

Filesize
1.7MB

MD5
4f75597738cd353a6889438786801bf6

SHA1
63e5b961a8b77dedc46d8420cc78bb2df52c50ba

SHA256
c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c

SHA512
3d04a02dbda7b4ef1cee2316ffd19ed83970f7d11efcc7ee3c7c51f6c188fff06d93796caf5172293f27e7ad9cd7e56ef9fcf0378416d7b8caa99f96bfd064c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e2grle24.gu0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc16f30f-fb2e-402e-a196-2eee9505657b.vbs

Filesize
503B

MD5
6de3ca39ea5bdf7fb89389ad6b8384cd

SHA1
0b783d0480e726a47ccb40f0b0b9e98c2823cd19

SHA256
2488ac1d4ed42d5ff8805ba0b5252acf76a0ddfcda793bec343869405616058f

SHA512
5dd48f9153f4721894dfc060deefb7b349aab7accef35b9c538d966e034bd5ab3988a1889a2050a41753870f2192784903aa077e6951629ad6d2d6586ab7a8eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb62ce36-c99e-47b3-93b4-30ef2a98b9cc.vbs

Filesize
727B

MD5
d75b96e24996a947ae5d6ada0d012759

SHA1
db5779e1a071b86f4b02f02090651681a1b4aef4

SHA256
18bcfa51db0c9f25cc2388e1fd9c3d76c80c02260a5e0cdeccd0a29433cf490f

SHA512
4627720a6d4a87c5ce7abb2973aa5d25d6600e373cd5d7a4d14eef8e62abf1bae59e7988bc7c7f8c065cd9dc56ec8600cecf01168cf0ae3c48e9ccc3706bd25b

Download Submit
memory/2712-418-0x0000000002E70000-0x0000000002E82000-memory.dmp

Filesize
72KB

Download
memory/3876-18-0x00000000029E0000-0x00000000029EC000-memory.dmp

Filesize
48KB

Download
memory/3876-83-0x00007FFD8D480000-0x00007FFD8DF41000-memory.dmp

Filesize
10.8MB

Download
memory/3876-2-0x00007FFD8D480000-0x00007FFD8DF41000-memory.dmp

Filesize
10.8MB

Download
memory/3876-22-0x00007FFD8D480000-0x00007FFD8DF41000-memory.dmp

Filesize
10.8MB

Download
memory/3876-14-0x00000000029A0000-0x00000000029AC000-memory.dmp

Filesize
48KB

Download
memory/3876-16-0x00000000029C0000-0x00000000029C8000-memory.dmp

Filesize
32KB

Download
memory/3876-19-0x00007FFD8D480000-0x00007FFD8DF41000-memory.dmp

Filesize
10.8MB

Download
memory/3876-17-0x00000000029D0000-0x00000000029DC000-memory.dmp

Filesize
48KB

Download
memory/3876-15-0x00000000029B0000-0x00000000029BA000-memory.dmp

Filesize
40KB

Download
memory/3876-13-0x0000000002990000-0x000000000299C000-memory.dmp

Filesize
48KB

Download
memory/3876-11-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/3876-10-0x0000000002800000-0x000000000280C000-memory.dmp

Filesize
48KB

Download
memory/3876-9-0x0000000002980000-0x0000000002990000-memory.dmp

Filesize
64KB

Download
memory/3876-7-0x00000000027D0000-0x00000000027E6000-memory.dmp

Filesize
88KB

Download
memory/3876-8-0x00000000027F0000-0x0000000002802000-memory.dmp

Filesize
72KB

Download
memory/3876-5-0x00000000027B0000-0x00000000027B8000-memory.dmp

Filesize
32KB

Download
memory/3876-6-0x00000000027C0000-0x00000000027D0000-memory.dmp

Filesize
64KB

Download
memory/3876-4-0x0000000002930000-0x0000000002980000-memory.dmp

Filesize
320KB

Download
memory/3876-3-0x0000000002790000-0x00000000027AC000-memory.dmp

Filesize
112KB

Download
memory/3876-0-0x00007FFD8D483000-0x00007FFD8D485000-memory.dmp

Filesize
8KB

Download
memory/3876-1-0x00000000004C0000-0x0000000000676000-memory.dmp

Filesize
1.7MB

Download
memory/4492-78-0x0000020677AE0000-0x0000020677B02000-memory.dmp

Filesize
136KB

Download
memory/4632-200-0x0000000002890000-0x00000000028A2000-memory.dmp

Filesize
72KB

Download