dcrat | ce63ae9069832ff3b0f2eb76b384c40cd8b70987280d4cc07559493a2b5c04ff

Analysis

max time kernel
118s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
Size

885KB
MD5

cce068b8de20f89eb28352e1ce50beb0
SHA1

e9a9235ac140112623fc944d139f9940aa2bf082
SHA256

4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e
SHA512

09a04910138dce47f5688c4b210f40299225c1b31514e29ab20a80ab9e177d989c8049274f7d1699ca718bdcf895e171b8bd15917bae0f6d723d07d5c5cf424d
SSDEEP

12288:clNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:clNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	6068	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5344	6068	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	6068	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	6068	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	6068	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	6068	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	6068	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	6068	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	6068	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	6068	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	6068	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	6068	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	6068	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	6068	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	6068	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6056	6068	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5968	6068	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	6068	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5532	6068	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	6068	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3688	6068	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	6068	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5824	6068	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3092	6068	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4240	6068	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5696	6068	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3680	6068	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	6068	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6084	6068	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5312	6068	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	6068	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	6068	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5988	6068	schtasks.exe	87

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral16/memory/864-1-0x0000000000260000-0x0000000000344000-memory.dmp	dcrat
behavioral16/files/0x0007000000024319-19.dat	dcrat
behavioral16/files/0x000700000002431e-32.dat	dcrat
behavioral16/files/0x00080000000242e6-55.dat	dcrat

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	dwm.exe

Executes dropped EXE 12 IoCs

pid	Process
664	dwm.exe
5116	dwm.exe
2352	dwm.exe
3876	dwm.exe
5092	dwm.exe
4952	dwm.exe
3004	dwm.exe
3196	dwm.exe
3984	dwm.exe
2828	dwm.exe
1360	dwm.exe
1844	dwm.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\lib\ext\fontdrvhost.exe	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\fontdrvhost.exe	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\RCX9F40.tmp	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
File created	C:\Program Files\edge_BITS_4692_1191653417\TextInputHost.exe	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
File created	C:\Program Files\edge_BITS_4552_9044590\f3b6ecef712a24	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
File opened for modification	C:\Program Files\edge_BITS_4552_9044590\RCXA36C.tmp	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
File opened for modification	C:\Program Files\edge_BITS_4552_9044590\RCXA37D.tmp	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\5b884080fd4f94	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\RCX9EB3.tmp	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
File created	C:\Program Files\edge_BITS_4692_1191653417\22eafd247d37c3	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
File created	C:\Program Files\edge_BITS_4552_9044590\spoolsv.exe	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
File opened for modification	C:\Program Files\edge_BITS_4692_1191653417\RCXA36A.tmp	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
File opened for modification	C:\Program Files\edge_BITS_4692_1191653417\RCXA36B.tmp	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\OCR\en-us\Registry.exe	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	dwm.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5532	schtasks.exe
3688	schtasks.exe
3660	schtasks.exe
6084	schtasks.exe
4900	schtasks.exe
4616	schtasks.exe
5968	schtasks.exe
4716	schtasks.exe
4704	schtasks.exe
4564	schtasks.exe
3192	schtasks.exe
1484	schtasks.exe
1424	schtasks.exe
4764	schtasks.exe
4708	schtasks.exe
5344	schtasks.exe
2476	schtasks.exe
4572	schtasks.exe
6056	schtasks.exe
3680	schtasks.exe
5988	schtasks.exe
1716	schtasks.exe
2340	schtasks.exe
5824	schtasks.exe
5696	schtasks.exe
4696	schtasks.exe
4736	schtasks.exe
4636	schtasks.exe
4240	schtasks.exe
5312	schtasks.exe
932	schtasks.exe
5024	schtasks.exe
3092	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
864	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
864	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
864	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
864	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
864	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
864	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
864	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
864	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
864	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
4584	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
4584	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
4584	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
664	dwm.exe
5116	dwm.exe
2352	dwm.exe
3876	dwm.exe
3876	dwm.exe
5092	dwm.exe
5092	dwm.exe
4952	dwm.exe
4952	dwm.exe
3004	dwm.exe
3004	dwm.exe
3196	dwm.exe
3196	dwm.exe
3984	dwm.exe
3984	dwm.exe
2828	dwm.exe
1360	dwm.exe
1844	dwm.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	864	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
Token: SeDebugPrivilege	4584	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
Token: SeDebugPrivilege	664	dwm.exe
Token: SeDebugPrivilege	5116	dwm.exe
Token: SeDebugPrivilege	2352	dwm.exe
Token: SeDebugPrivilege	3876	dwm.exe
Token: SeDebugPrivilege	5092	dwm.exe
Token: SeDebugPrivilege	4952	dwm.exe
Token: SeDebugPrivilege	3004	dwm.exe
Token: SeDebugPrivilege	3196	dwm.exe
Token: SeDebugPrivilege	3984	dwm.exe
Token: SeDebugPrivilege	2828	dwm.exe
Token: SeDebugPrivilege	1360	dwm.exe
Token: SeDebugPrivilege	1844	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 4584	864	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe	103
PID 864 wrote to memory of 4584	864	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe	103
PID 4584 wrote to memory of 664	4584	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe	123
PID 4584 wrote to memory of 664	4584	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe	123
PID 664 wrote to memory of 6008	664	dwm.exe	126
PID 664 wrote to memory of 6008	664	dwm.exe	126
PID 664 wrote to memory of 5060	664	dwm.exe	127
PID 664 wrote to memory of 5060	664	dwm.exe	127
PID 6008 wrote to memory of 5116	6008	WScript.exe	132
PID 6008 wrote to memory of 5116	6008	WScript.exe	132
PID 5116 wrote to memory of 4364	5116	dwm.exe	133
PID 5116 wrote to memory of 4364	5116	dwm.exe	133
PID 5116 wrote to memory of 5600	5116	dwm.exe	134
PID 5116 wrote to memory of 5600	5116	dwm.exe	134
PID 4364 wrote to memory of 2352	4364	WScript.exe	135
PID 4364 wrote to memory of 2352	4364	WScript.exe	135
PID 2352 wrote to memory of 2532	2352	dwm.exe	136
PID 2352 wrote to memory of 2532	2352	dwm.exe	136
PID 2352 wrote to memory of 1580	2352	dwm.exe	137
PID 2352 wrote to memory of 1580	2352	dwm.exe	137
PID 2532 wrote to memory of 3876	2532	WScript.exe	145
PID 2532 wrote to memory of 3876	2532	WScript.exe	145
PID 3876 wrote to memory of 4508	3876	dwm.exe	146
PID 3876 wrote to memory of 4508	3876	dwm.exe	146
PID 3876 wrote to memory of 4988	3876	dwm.exe	147
PID 3876 wrote to memory of 4988	3876	dwm.exe	147
PID 4508 wrote to memory of 5092	4508	WScript.exe	148
PID 4508 wrote to memory of 5092	4508	WScript.exe	148
PID 5092 wrote to memory of 1148	5092	dwm.exe	149
PID 5092 wrote to memory of 1148	5092	dwm.exe	149
PID 5092 wrote to memory of 4752	5092	dwm.exe	150
PID 5092 wrote to memory of 4752	5092	dwm.exe	150
PID 1148 wrote to memory of 4952	1148	WScript.exe	151
PID 1148 wrote to memory of 4952	1148	WScript.exe	151
PID 4952 wrote to memory of 5320	4952	dwm.exe	152
PID 4952 wrote to memory of 5320	4952	dwm.exe	152
PID 4952 wrote to memory of 5144	4952	dwm.exe	153
PID 4952 wrote to memory of 5144	4952	dwm.exe	153
PID 5320 wrote to memory of 3004	5320	WScript.exe	155
PID 5320 wrote to memory of 3004	5320	WScript.exe	155
PID 3004 wrote to memory of 4572	3004	dwm.exe	156
PID 3004 wrote to memory of 4572	3004	dwm.exe	156
PID 3004 wrote to memory of 6104	3004	dwm.exe	157
PID 3004 wrote to memory of 6104	3004	dwm.exe	157
PID 4572 wrote to memory of 3196	4572	WScript.exe	158
PID 4572 wrote to memory of 3196	4572	WScript.exe	158
PID 3196 wrote to memory of 4936	3196	dwm.exe	159
PID 3196 wrote to memory of 4936	3196	dwm.exe	159
PID 3196 wrote to memory of 4924	3196	dwm.exe	160
PID 3196 wrote to memory of 4924	3196	dwm.exe	160
PID 4936 wrote to memory of 3984	4936	WScript.exe	161
PID 4936 wrote to memory of 3984	4936	WScript.exe	161
PID 3984 wrote to memory of 5908	3984	dwm.exe	162
PID 3984 wrote to memory of 5908	3984	dwm.exe	162
PID 3984 wrote to memory of 3148	3984	dwm.exe	163
PID 3984 wrote to memory of 3148	3984	dwm.exe	163
PID 5908 wrote to memory of 2828	5908	WScript.exe	168
PID 5908 wrote to memory of 2828	5908	WScript.exe	168
PID 2828 wrote to memory of 4080	2828	dwm.exe	169
PID 2828 wrote to memory of 4080	2828	dwm.exe	169
PID 2828 wrote to memory of 3076	2828	dwm.exe	170
PID 2828 wrote to memory of 3076	2828	dwm.exe	170
PID 4080 wrote to memory of 1360	4080	WScript.exe	171
PID 4080 wrote to memory of 1360	4080	WScript.exe	171

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
"C:\Users\Admin\AppData\Local\Temp\4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:864
- C:\Users\Admin\AppData\Local\Temp\4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
  "C:\Users\Admin\AppData\Local\Temp\4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Users\Public\Pictures\dwm.exe
    "C:\Users\Public\Pictures\dwm.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:664
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\580a1276-30a2-470c-a7c1-9d2c4d420293.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:6008
    - - C:\Users\Public\Pictures\dwm.exe
        
        C:\Users\Public\Pictures\dwm.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5116
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ad494ac-c302-461b-9a57-030283b07d0f.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Users\Public\Pictures\dwm.exe
        
        C:\Users\Public\Pictures\dwm.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08792fae-8087-444a-ae41-78237b1168c1.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Users\Public\Pictures\dwm.exe
        
        C:\Users\Public\Pictures\dwm.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e48d1a6-dc4b-4a0f-924f-861370c9b852.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Users\Public\Pictures\dwm.exe
        
        C:\Users\Public\Pictures\dwm.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\041cda64-95b5-43d7-a45b-05d62ec42cf7.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Users\Public\Pictures\dwm.exe
        
        C:\Users\Public\Pictures\dwm.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5eace602-ba51-4c0d-bd04-05d23d575ac2.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:5320
        
        C:\Users\Public\Pictures\dwm.exe
        
        C:\Users\Public\Pictures\dwm.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a922c9e-321a-426d-92b6-f62492a7a421.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Users\Public\Pictures\dwm.exe
        
        C:\Users\Public\Pictures\dwm.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1086f1e5-b057-4365-ac22-ea11385a12af.vbs"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Users\Public\Pictures\dwm.exe
        
        C:\Users\Public\Pictures\dwm.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\416df5f0-43ec-4d5f-b12e-a1e96eefadf1.vbs"
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:5908
        
        C:\Users\Public\Pictures\dwm.exe
        
        C:\Users\Public\Pictures\dwm.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33fa39f1-ef94-4d42-bd47-b941a376d2bb.vbs"
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Users\Public\Pictures\dwm.exe
        
        C:\Users\Public\Pictures\dwm.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47b16255-7de7-4305-8f8e-974ba6078ccc.vbs"
        24⤵
        
        PID:1948
        
        C:\Users\Public\Pictures\dwm.exe
        
        C:\Users\Public\Pictures\dwm.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bba6bd90-7b64-4208-998a-2c1e9660b17d.vbs"
        26⤵
        
        PID:4388
        
        C:\Users\Public\Pictures\dwm.exe
        
        C:\Users\Public\Pictures\dwm.exe
        27⤵
        
        PID:5192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9f42b8a-e3f9-44eb-a4fb-2621b0467eeb.vbs"
        28⤵
        
        PID:4800
        
        C:\Users\Public\Pictures\dwm.exe
        
        C:\Users\Public\Pictures\dwm.exe
        29⤵
        
        PID:1240
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94fc3ba6-42d0-4a09-8d40-2cb7b4b7611e.vbs"
        30⤵
        
        PID:4976
        
        C:\Users\Public\Pictures\dwm.exe
        
        C:\Users\Public\Pictures\dwm.exe
        31⤵
        
        PID:2996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11678741-5ca9-4c60-950f-2a486dec6589.vbs"
        32⤵
        
        PID:4256
        
        C:\Users\Public\Pictures\dwm.exe
        
        C:\Users\Public\Pictures\dwm.exe
        33⤵
        
        PID:6056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3385bf45-0895-4a21-b54b-9c0c3ccc7dbe.vbs"
        34⤵
        
        PID:1752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f05f11f0-c2d8-453f-be61-ca8705b42ed8.vbs"
        34⤵
        
        PID:3560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a31b097a-480f-4494-9231-1ad5998052fc.vbs"
        32⤵
        
        PID:4632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\828254e4-055d-4199-b243-469db1529c0b.vbs"
        30⤵
        
        PID:5736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe9c11c9-d19b-439b-aa45-bcc8e2623e47.vbs"
        28⤵
        
        PID:5336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35673539-3ed0-4164-bf86-ac6b094b883a.vbs"
        26⤵
        
        PID:5248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc0c853b-bdbb-4b1e-9a24-11b3eb9e2a93.vbs"
        24⤵
        
        PID:2912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47173387-3bad-4045-ac01-7dc527ca45ea.vbs"
        22⤵
        
        PID:3076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c76b601-c9f2-48ac-8395-8e64134d6800.vbs"
        20⤵
        
        PID:3148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6c13ea2-8a8b-464e-82f2-df63952d4f51.vbs"
        18⤵
        
        PID:4924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa0f72b0-b2c3-4317-a81c-2516ebcf0560.vbs"
        16⤵
        
        PID:6104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04436a75-3ec7-43be-a531-23b05bab14fb.vbs"
        14⤵
        
        PID:5144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7c2e10a-af91-4415-a657-5ad6dbca582e.vbs"
        12⤵
        
        PID:4752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edc96c69-32cf-43d9-ae82-6828443cc914.vbs"
        10⤵
        
        PID:4988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6895f41-2ce9-423a-a29b-027189466215.vbs"
        8⤵
        
        PID:1580
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\066b9dc7-a4e2-460a-b749-88b1f770df81.vbs"
        6⤵
        
        PID:5600
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d71771ed-cdbd-4c11-8636-88fe717dc30e.vbs"
      4⤵
      PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jre-1.8\lib\ext\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\lib\ext\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jre-1.8\lib\ext\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\f9532e701a889cdd91b8\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\f9532e701a889cdd91b8\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\f9532e701a889cdd91b8\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\f9532e701a889cdd91b8\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\f9532e701a889cdd91b8\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\f9532e701a889cdd91b8\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\aff403968f1bfcc42131676322798b50\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\aff403968f1bfcc42131676322798b50\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Pictures\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\f9532e701a889cdd91b8\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\f9532e701a889cdd91b8\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files\edge_BITS_4692_1191653417\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4692_1191653417\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files\edge_BITS_4692_1191653417\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\edge_BITS_4552_9044590\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4552_9044590\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\edge_BITS_4552_9044590\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\aff403968f1bfcc42131676322798b50\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\aff403968f1bfcc42131676322798b50\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\f9532e701a889cdd91b8\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\f9532e701a889cdd91b8\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre-1.8\lib\ext\fontdrvhost.exe

Filesize
885KB

MD5
1f5930af167ed731f33cfe2847303899

SHA1
804e1f8640073004eddcde107df4a0d91bbbe9df

SHA256
25088c7179c875671a03d365ce0448d1a6c2d7eb563accd9f6328b89dfc0e9a3

SHA512
7869c2e028f79b88273b750b77f2fae652363d832112be092673238a5224c7e4e4fec8545a3bdcd0aded4cac82ccd332a339371c825cca9078dd8e9daa83158c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\041cda64-95b5-43d7-a45b-05d62ec42cf7.vbs

Filesize
708B

MD5
0af5b20ed623b51234bb34cd65e0a2dc

SHA1
8feb0c0870554a5ecb0714b36f1e3d77ff1412bf

SHA256
615dce2482ec9a85dc0e29e414df94b6439b80f171720cc9ebd098a8345bf8a9

SHA512
0a03f55a907dbdc767239da4319aa6718991582f60a915d0904f6fdce502bbdb4c1765fe4c4ce24ad0ef0e5c9392e979fa417211c6d5cca90d83b3f6b3e37df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\08792fae-8087-444a-ae41-78237b1168c1.vbs

Filesize
708B

MD5
5897f91bde044b8cb5b336943bb97fa4

SHA1
f27bc8cb3dbfda3e1505c193c40f597ab381b3cd

SHA256
94b0bd5953805c8aeb8c79b1539003f6b2e78225bf20a3ae0de379b43594fbb5

SHA512
c62963185318a4c2b760f1cf9479698ba8f2b21d5abb36aca5426bb3d174da3c26683b789fccae9e61ad1adc7eae76f946b8354eaa7112e122dc151a193ca805

Download Submit
C:\Users\Admin\AppData\Local\Temp\1086f1e5-b057-4365-ac22-ea11385a12af.vbs

Filesize
708B

MD5
457b8222ca04d4112987411ef43b1298

SHA1
1673a22b5435134d4a63195a952a440642c49566

SHA256
52c140986a07d395eea78a9d368f0d7bfdda3d33153eff5bae796c4390c6a013

SHA512
b905b9755cab119445d9fb59d39ad9dda3cf92eb96b61720ae43ee6d6d1fcae148e78d0e182fb7c3cf029dcf510814622f2a8733d689645d06630bf65e4ea140

Download Submit
C:\Users\Admin\AppData\Local\Temp\11678741-5ca9-4c60-950f-2a486dec6589.vbs

Filesize
708B

MD5
a72ffb7a3b4983f2f0ca124656cd0f6f

SHA1
39b38c9ebae31beb82a8a7a3e2bad3c579af0c1b

SHA256
67d54e19c8ee76722575ca1a651fb883a1f6d0a8df556ccfcfcdd9db3cca4f1e

SHA512
54dc0eee72001256c1c54cc58a987d50e38240c6dead1c88f57157ac4619c951f7dd21a946c93a320e85e2ca09252a4de5287d35b6819ce100214c7d4adb87ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\33fa39f1-ef94-4d42-bd47-b941a376d2bb.vbs

Filesize
708B

MD5
2f1142b6f2caf9e4150633af10870cab

SHA1
30aaa901c8d3748e5d540cf100b863c8a09154f7

SHA256
7729dd1ea0ce4a6ece8e8518528e72458e390c9d4d879b7347fd201ea1ccb12a

SHA512
4860499cd4c34ba15af47f8d35b1622f2e2b9ac4f42cf86fefe38315738d87fccf500880b3482bb17a293bd7987616be05c1f3687bf5a68cc045152805da77b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\416df5f0-43ec-4d5f-b12e-a1e96eefadf1.vbs

Filesize
708B

MD5
dd9032a4479b3335168e54b57b406666

SHA1
cd12557661e90f1efa9aa5b054c7f6525bbec393

SHA256
086805767fd0586c0b1dda2d8c5b47db40bbcea522825cd2c9e01e29a3fc7dd0

SHA512
6adc53a7fa1c7c82cf6ae520d4526e8c1218d1eaa0fea5f0fee0540d5bc82ee85799d341cc0412709111c67a640b6443e6c25144f827fa5e1fd5784581798411

Download Submit
C:\Users\Admin\AppData\Local\Temp\47b16255-7de7-4305-8f8e-974ba6078ccc.vbs

Filesize
708B

MD5
2a284d97dfbd894e6af7c46a0fd288f9

SHA1
10fb50c7fbe0400c5258f20d7a8f1f8e1b8137b9

SHA256
a3fb24fe3a893474b291ff161687d5f5eb0229838ed8e851b20fa19d822fe0f2

SHA512
ed1ad2340c1be628eb4a71c15e499340e83b05beff9dfdd1668685e1b8bb94e3a48b346c275a461e167f5ba99270a702c71e7a7abf2c77111130624e9bf5bf08

Download Submit
C:\Users\Admin\AppData\Local\Temp\580a1276-30a2-470c-a7c1-9d2c4d420293.vbs

Filesize
707B

MD5
e7de31f2b5c2367f0fcd6e33bc8cf787

SHA1
a1451edfa1ed9eea23b1cf7d25aeb57825789818

SHA256
bfd3021796584ef6ec114eb064e22f3bc25da80ece67818ffdb9bcb3e5b08a9b

SHA512
9d0a7ae3b12d541621293c54414dff88f944ed483809886762b010ae4ff0dc51c183b9993c990533a8817f769d2819194b9836ec7e2e10f12b3c695053ab25ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ad494ac-c302-461b-9a57-030283b07d0f.vbs

Filesize
708B

MD5
7bcf23b7cf0fa04b84e6cd5af287b201

SHA1
739f43fb2bb04b1bc35dbfce4a1efd2595c44112

SHA256
483278e7d1b9e456d1af5939ab3fdead61140b49eea83b93b2edf73eecebbe29

SHA512
b610670e2efbdaebb7d6e9221ea6d35f529ffb587d89e6c2ba7c9b34eeee5dab29909a11a772f8bdea383b75410c5814c597a650873596f0555b5ed39eee7f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\5eace602-ba51-4c0d-bd04-05d23d575ac2.vbs

Filesize
708B

MD5
9fca63bda85074a3891bc7b01b411232

SHA1
a5928bcb560ba76016552fdc21b05ab4cf6aa216

SHA256
9c4b900a03fda852ec1a5fbcb783ac736571e56c4936c513bef300e15b5af174

SHA512
c388d681ea7d8e712cb425d4da0695f29f092b8022ac900f71d9e1b1ff55fd3c1965ab4859622e1c949c97ec08cf79ceb99b6e1061aca1c95398b1cf8cd51357

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e48d1a6-dc4b-4a0f-924f-861370c9b852.vbs

Filesize
708B

MD5
c984da29e93bbd1f26216594880b33da

SHA1
594062ac76d1c10fa33745aead825ae5ca9c5bcf

SHA256
879c6a20044a300298b55eaa280ff06e541c7a01235cc988cca0e666a1abd3e0

SHA512
9fefe13e5613e1541187947335168de3fdaef36229654289bec068461b19c308b9d7b354f02bfeba0bf001fab53ed3f99239693a5e73c6e0fc4402186c99d5fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\8a922c9e-321a-426d-92b6-f62492a7a421.vbs

Filesize
708B

MD5
25d46ed0a3138d948eb0d33121e4f0c3

SHA1
6c488a5db8abdfe0693127898b7fb6fe683b290f

SHA256
5c19fbfd64da4259e4dd1fb81ca79054954fe0f5ecb41735eef36a20dc4d541c

SHA512
df4372ab6f96fb0dd96586b923f06d4c0499552877360b984b69576278ad5135fda3a8009490b929b8045ae42ef3285262370271b501bdaa2189140ef929371e

Download Submit
C:\Users\Admin\AppData\Local\Temp\94fc3ba6-42d0-4a09-8d40-2cb7b4b7611e.vbs

Filesize
708B

MD5
686bb738b2dfcb0dacd49a103689fc03

SHA1
cd1e0a2958ebe042d2d225a33dad0a884a9a567a

SHA256
2113d958bae85fe4c1cae00815b7f9fe2481c8c7a96d9189514276ca237b92d1

SHA512
b748acb5f194defc8d188adb1149f24dbdc756f7b4de0b68f82df1aef28bf22f5a37abfdc421db91333fe125e3477e1400bcb989d2457e923e592ae1cf8657e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bba6bd90-7b64-4208-998a-2c1e9660b17d.vbs

Filesize
708B

MD5
2a90b5037eea2a798fd3d333128b53eb

SHA1
2bd05473d29bc52b60a86e8a7fc7fad55eae1716

SHA256
27431c910394950f3612c16af592c5627b87bbfe5471e75283f21a5f48ccd073

SHA512
35d2c6ef24feb469aad78abbb37dadcb8dee42337c66cbf58fdb48212f061b3c3c747365699b7fc9e589f760b9a09d3e79a9202d2fac2c7fa253b10f69f1c598

Download Submit
C:\Users\Admin\AppData\Local\Temp\d71771ed-cdbd-4c11-8636-88fe717dc30e.vbs

Filesize
484B

MD5
ab1386f899c531c7de34ee28b399a3a8

SHA1
896afcd8a87fe382954174f1f999080d5cdd909b

SHA256
6f8951ffd610bd0900882553ad98b7a82772c183f2decec8b12aaf483eb198ec

SHA512
9798b41a47d356b2b20583715f04223b6377b62a01cf6f0f93b39a7e2a640adbddfdd3c4fe5d1ee2f3dabfeb47880940ea29c8ddea7e9041c064904bed251eee

Download Submit
C:\Users\Admin\AppData\Local\Temp\d9f42b8a-e3f9-44eb-a4fb-2621b0467eeb.vbs

Filesize
708B

MD5
f21ab24d436f8874fed2b78d082d7596

SHA1
41ba80ea61a78e19764242fe9290ec4e701a20ee

SHA256
2b4a951315edb7c0a591d410e1e1ea630d339eefd79f2ab4a1f8645b99a25e11

SHA512
85b653dcfb5763c4e62eb8f263af2f624c0522206c66b1e4ef8b9c64d92f71b5b29b7ad88cbab5ae3ab23fc1147002913c190d997257f58ec90c415040348f39

Download Submit
C:\aff403968f1bfcc42131676322798b50\backgroundTaskHost.exe

Filesize
885KB

MD5
cce068b8de20f89eb28352e1ce50beb0

SHA1
e9a9235ac140112623fc944d139f9940aa2bf082

SHA256
4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e

SHA512
09a04910138dce47f5688c4b210f40299225c1b31514e29ab20a80ab9e177d989c8049274f7d1699ca718bdcf895e171b8bd15917bae0f6d723d07d5c5cf424d

Download Submit
C:\f9532e701a889cdd91b8\unsecapp.exe

Filesize
885KB

MD5
ea1c88df33fdf00b7841f7855ac676e6

SHA1
1bd336a42bcae0b1efb3be9e2471f922272876c7

SHA256
66121a07dbf619f35eb183d4b788cb9e65245f21c04626a1263a56ec287ab427

SHA512
93e07f805c4ef707af6529169b3b0331d99a355a5d557fdc69982d85d983cf02a75c728825a986047a2e2a8e5b0e012db5d1fc4c98224e076bdfe8ee9d7e12eb

Download Submit
memory/864-8-0x000000001AFA0000-0x000000001AFAE000-memory.dmp

Filesize
56KB

Download
memory/864-5-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/864-6-0x000000001AF70000-0x000000001AF86000-memory.dmp

Filesize
88KB

Download
memory/864-81-0x00007FFF33490000-0x00007FFF33F51000-memory.dmp

Filesize
10.8MB

Download
memory/864-1-0x0000000000260000-0x0000000000344000-memory.dmp

Filesize
912KB

Download
memory/864-2-0x00007FFF33490000-0x00007FFF33F51000-memory.dmp

Filesize
10.8MB

Download
memory/864-0-0x00007FFF33493000-0x00007FFF33495000-memory.dmp

Filesize
8KB

Download
memory/864-7-0x000000001AF90000-0x000000001AF9A000-memory.dmp

Filesize
40KB

Download
memory/864-3-0x0000000002500000-0x000000000251C000-memory.dmp

Filesize
112KB

Download
memory/864-10-0x000000001AFD0000-0x000000001AFDC000-memory.dmp

Filesize
48KB

Download
memory/864-9-0x000000001AFC0000-0x000000001AFC8000-memory.dmp

Filesize
32KB

Download
memory/864-4-0x000000001B520000-0x000000001B570000-memory.dmp

Filesize
320KB

Download
memory/1580-215-0x000002B062CB0000-0x000002B062CEB000-memory.dmp

Filesize
236KB

Download
memory/2352-211-0x000000001BC90000-0x000000001BCC5000-memory.dmp

Filesize
212KB

Download
memory/2912-370-0x000002357F0C0000-0x000002357F0FB000-memory.dmp

Filesize
236KB

Download
memory/3076-353-0x0000025025C60000-0x0000025025C9B000-memory.dmp

Filesize
236KB

Download
memory/3148-335-0x000002609CA20000-0x000002609CA5B000-memory.dmp

Filesize
236KB

Download
memory/4572-282-0x0000011D154C0000-0x0000011D154FB000-memory.dmp

Filesize
236KB

Download
memory/4752-246-0x000001D215480000-0x000001D2154BB000-memory.dmp

Filesize
236KB

Download
memory/4924-317-0x000001E8535C0000-0x000001E8535FB000-memory.dmp

Filesize
236KB

Download
memory/4988-230-0x0000026373710000-0x000002637374B000-memory.dmp

Filesize
236KB

Download
memory/5060-187-0x000001AC90280000-0x000001AC902BB000-memory.dmp

Filesize
236KB

Download
memory/5144-263-0x0000022DB2E20000-0x0000022DB2E5B000-memory.dmp

Filesize
236KB

Download
memory/5320-262-0x000001FC0F5D0000-0x000001FC0F60B000-memory.dmp

Filesize
236KB

Download
memory/5600-200-0x00000147E7860000-0x00000147E789B000-memory.dmp

Filesize
236KB

Download
memory/6104-283-0x000002B21B170000-0x000002B21B1AB000-memory.dmp

Filesize
236KB

Download