dcrat | 97cd6974b24b7e82fc2ae0caf4ed7aef3228a16c625c5091a50098208fbc8c64

Analysis

max time kernel
40s
max time network
93s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
30-03-2023 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a022d070a6aad92cf2c2bd42904450e.exe
Size

1.4MB
MD5

0a022d070a6aad92cf2c2bd42904450e
SHA1

3b50c321894bc0979a237c97bbc9e15cc8fa0060
SHA256

97cd6974b24b7e82fc2ae0caf4ed7aef3228a16c625c5091a50098208fbc8c64
SHA512

e61387efb8c998934c6dbfdba0e119f5fa58a289774c0481cd7d880f6362ded13dbefc5a788170666c3403b43a256e1de2baad519e3e00b82a86c848136ea740
SSDEEP

12288:CXqxzqntNfrYusEIXwRg1k6+OkJzbS4qUMEsgZN8NGfmurA4tD9j4oI6P+QSvTM9:EOqnzzYuVowK4OkJ/S4qUM7H14Bp+xG

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	1060	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	1060	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	1060	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	1060	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	1060	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	296	1060	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	1060	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	1060	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	1060	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1060	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	1060	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	1060	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	1060	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	1060	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	1060	schtasks.exe	27

Executes dropped EXE 1 IoCs

pid	Process
2852	WMIADAP.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Portable Devices\WMIADAP.exe	0a022d070a6aad92cf2c2bd42904450e.exe
File created	C:\Program Files\Windows Portable Devices\75a57c1bdf437c	0a022d070a6aad92cf2c2bd42904450e.exe
File created	C:\Program Files\DVD Maker\sppsvc.exe	0a022d070a6aad92cf2c2bd42904450e.exe
File created	C:\Program Files\DVD Maker\0a1fd5f707cd16	0a022d070a6aad92cf2c2bd42904450e.exe
File opened for modification	C:\Program Files\Uninstall Information\spoolsv.exe	0a022d070a6aad92cf2c2bd42904450e.exe
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\spoolsv.exe	0a022d070a6aad92cf2c2bd42904450e.exe
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\f3b6ecef712a24	0a022d070a6aad92cf2c2bd42904450e.exe
File created	C:\Program Files\Uninstall Information\spoolsv.exe	0a022d070a6aad92cf2c2bd42904450e.exe
File created	C:\Program Files\Uninstall Information\f3b6ecef712a24	0a022d070a6aad92cf2c2bd42904450e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1588	2852	WerFault.exe	70

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1620	schtasks.exe
1944	schtasks.exe
1268	schtasks.exe
552	schtasks.exe
2028	schtasks.exe
816	schtasks.exe
1680	schtasks.exe
900	schtasks.exe
1928	schtasks.exe
336	schtasks.exe
876	schtasks.exe
1548	schtasks.exe
296	schtasks.exe
1992	schtasks.exe
2024	schtasks.exe

Suspicious behavior: EnumeratesProcesses 61 IoCs

pid	Process
1240	0a022d070a6aad92cf2c2bd42904450e.exe
1240	0a022d070a6aad92cf2c2bd42904450e.exe
1240	0a022d070a6aad92cf2c2bd42904450e.exe
1240	0a022d070a6aad92cf2c2bd42904450e.exe
1240	0a022d070a6aad92cf2c2bd42904450e.exe
1240	0a022d070a6aad92cf2c2bd42904450e.exe
1240	0a022d070a6aad92cf2c2bd42904450e.exe
1240	0a022d070a6aad92cf2c2bd42904450e.exe
956	powershell.exe
912	powershell.exe
1936	powershell.exe
1868	powershell.exe
1232	powershell.exe
1524	powershell.exe
1320	powershell.exe
1240	0a022d070a6aad92cf2c2bd42904450e.exe
1736	powershell.exe
1240	0a022d070a6aad92cf2c2bd42904450e.exe
1440	powershell.exe
436	powershell.exe
1004	powershell.exe
1532	powershell.exe
1240	0a022d070a6aad92cf2c2bd42904450e.exe
2852	WMIADAP.exe
2852	WMIADAP.exe
2852	WMIADAP.exe
2852	WMIADAP.exe
2852	WMIADAP.exe
2852	WMIADAP.exe
2852	WMIADAP.exe
2852	WMIADAP.exe
2852	WMIADAP.exe
2852	WMIADAP.exe
2852	WMIADAP.exe
2852	WMIADAP.exe
2852	WMIADAP.exe
2852	WMIADAP.exe
2852	WMIADAP.exe
2852	WMIADAP.exe
2852	WMIADAP.exe
2852	WMIADAP.exe
2852	WMIADAP.exe
2852	WMIADAP.exe
2852	WMIADAP.exe
2852	WMIADAP.exe
2852	WMIADAP.exe
2852	WMIADAP.exe
2852	WMIADAP.exe
2852	WMIADAP.exe
2852	WMIADAP.exe
2852	WMIADAP.exe
2852	WMIADAP.exe
2852	WMIADAP.exe
2852	WMIADAP.exe
2852	WMIADAP.exe
2852	WMIADAP.exe
2852	WMIADAP.exe
2852	WMIADAP.exe
2852	WMIADAP.exe
2852	WMIADAP.exe
2852	WMIADAP.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1240	0a022d070a6aad92cf2c2bd42904450e.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	1232	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	436	powershell.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	2852	WMIADAP.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 1320	1240	0a022d070a6aad92cf2c2bd42904450e.exe	43
PID 1240 wrote to memory of 1320	1240	0a022d070a6aad92cf2c2bd42904450e.exe	43
PID 1240 wrote to memory of 1320	1240	0a022d070a6aad92cf2c2bd42904450e.exe	43
PID 1240 wrote to memory of 1736	1240	0a022d070a6aad92cf2c2bd42904450e.exe	66
PID 1240 wrote to memory of 1736	1240	0a022d070a6aad92cf2c2bd42904450e.exe	66
PID 1240 wrote to memory of 1736	1240	0a022d070a6aad92cf2c2bd42904450e.exe	66
PID 1240 wrote to memory of 912	1240	0a022d070a6aad92cf2c2bd42904450e.exe	45
PID 1240 wrote to memory of 912	1240	0a022d070a6aad92cf2c2bd42904450e.exe	45
PID 1240 wrote to memory of 912	1240	0a022d070a6aad92cf2c2bd42904450e.exe	45
PID 1240 wrote to memory of 956	1240	0a022d070a6aad92cf2c2bd42904450e.exe	47
PID 1240 wrote to memory of 956	1240	0a022d070a6aad92cf2c2bd42904450e.exe	47
PID 1240 wrote to memory of 956	1240	0a022d070a6aad92cf2c2bd42904450e.exe	47
PID 1240 wrote to memory of 1868	1240	0a022d070a6aad92cf2c2bd42904450e.exe	48
PID 1240 wrote to memory of 1868	1240	0a022d070a6aad92cf2c2bd42904450e.exe	48
PID 1240 wrote to memory of 1868	1240	0a022d070a6aad92cf2c2bd42904450e.exe	48
PID 1240 wrote to memory of 1532	1240	0a022d070a6aad92cf2c2bd42904450e.exe	63
PID 1240 wrote to memory of 1532	1240	0a022d070a6aad92cf2c2bd42904450e.exe	63
PID 1240 wrote to memory of 1532	1240	0a022d070a6aad92cf2c2bd42904450e.exe	63
PID 1240 wrote to memory of 1524	1240	0a022d070a6aad92cf2c2bd42904450e.exe	62
PID 1240 wrote to memory of 1524	1240	0a022d070a6aad92cf2c2bd42904450e.exe	62
PID 1240 wrote to memory of 1524	1240	0a022d070a6aad92cf2c2bd42904450e.exe	62
PID 1240 wrote to memory of 1936	1240	0a022d070a6aad92cf2c2bd42904450e.exe	61
PID 1240 wrote to memory of 1936	1240	0a022d070a6aad92cf2c2bd42904450e.exe	61
PID 1240 wrote to memory of 1936	1240	0a022d070a6aad92cf2c2bd42904450e.exe	61
PID 1240 wrote to memory of 1232	1240	0a022d070a6aad92cf2c2bd42904450e.exe	60
PID 1240 wrote to memory of 1232	1240	0a022d070a6aad92cf2c2bd42904450e.exe	60
PID 1240 wrote to memory of 1232	1240	0a022d070a6aad92cf2c2bd42904450e.exe	60
PID 1240 wrote to memory of 1440	1240	0a022d070a6aad92cf2c2bd42904450e.exe	59
PID 1240 wrote to memory of 1440	1240	0a022d070a6aad92cf2c2bd42904450e.exe	59
PID 1240 wrote to memory of 1440	1240	0a022d070a6aad92cf2c2bd42904450e.exe	59
PID 1240 wrote to memory of 436	1240	0a022d070a6aad92cf2c2bd42904450e.exe	58
PID 1240 wrote to memory of 436	1240	0a022d070a6aad92cf2c2bd42904450e.exe	58
PID 1240 wrote to memory of 436	1240	0a022d070a6aad92cf2c2bd42904450e.exe	58
PID 1240 wrote to memory of 1004	1240	0a022d070a6aad92cf2c2bd42904450e.exe	51
PID 1240 wrote to memory of 1004	1240	0a022d070a6aad92cf2c2bd42904450e.exe	51
PID 1240 wrote to memory of 1004	1240	0a022d070a6aad92cf2c2bd42904450e.exe	51
PID 1240 wrote to memory of 2500	1240	0a022d070a6aad92cf2c2bd42904450e.exe	67
PID 1240 wrote to memory of 2500	1240	0a022d070a6aad92cf2c2bd42904450e.exe	67
PID 1240 wrote to memory of 2500	1240	0a022d070a6aad92cf2c2bd42904450e.exe	67
PID 2500 wrote to memory of 2540	2500	cmd.exe	69
PID 2500 wrote to memory of 2540	2500	cmd.exe	69
PID 2500 wrote to memory of 2540	2500	cmd.exe	69
PID 2500 wrote to memory of 2852	2500	cmd.exe	70
PID 2500 wrote to memory of 2852	2500	cmd.exe	70
PID 2500 wrote to memory of 2852	2500	cmd.exe	70
PID 2852 wrote to memory of 1588	2852	WMIADAP.exe	71
PID 2852 wrote to memory of 1588	2852	WMIADAP.exe	71
PID 2852 wrote to memory of 1588	2852	WMIADAP.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0a022d070a6aad92cf2c2bd42904450e.exe
"C:\Users\Admin\AppData\Local\Temp\0a022d070a6aad92cf2c2bd42904450e.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TRM44fU9tn.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2540
- - C:\Users\Public\Music\Sample Music\WMIADAP.exe
    "C:\Users\Public\Music\Sample Music\WMIADAP.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2852 -s 1444
      4⤵
      Program crash
      PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\Sample Music\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\Sample Music\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\DVD Maker\sppsvc.exe

Filesize
1.4MB

MD5
0a022d070a6aad92cf2c2bd42904450e

SHA1
3b50c321894bc0979a237c97bbc9e15cc8fa0060

SHA256
97cd6974b24b7e82fc2ae0caf4ed7aef3228a16c625c5091a50098208fbc8c64

SHA512
e61387efb8c998934c6dbfdba0e119f5fa58a289774c0481cd7d880f6362ded13dbefc5a788170666c3403b43a256e1de2baad519e3e00b82a86c848136ea740

Download Submit
C:\Users\Admin\AppData\Local\Temp\TRM44fU9tn.bat

Filesize
211B

MD5
fa541145817fd3de79463e2eef4c55e2

SHA1
08956f33e67e61df2a17ec9664594758bf03f926

SHA256
8fae4147839a7e3118c3900f9014304ee78efc7a0c12c2741b998cece7dde7cb

SHA512
7751c08f784aa65edfda3c9f807a40857589fb656b7cb6ba6c5e49e547fc19475ce8803c204facbf62816f5586d36bb268061049b6cd76ef9a72ea5720756cec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d68171c7304ae9e7b59c4426c8fec179

SHA1
7697132829371a669972c9d950dd41289d3ba2d5

SHA256
8f5b810d5d660a0780ded40d94e4b1a455ced67e2ffda8fc01c4f0e6e8da0588

SHA512
ce3895ffbb8c0a581f0c69e3167484f10c4f5c50f004ad164f6913db1e89d8f1d7c9ea1b0c5283d6b0df56ad2358e8ac98b8a5d468d45dd01143aee754c50311

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d68171c7304ae9e7b59c4426c8fec179

SHA1
7697132829371a669972c9d950dd41289d3ba2d5

SHA256
8f5b810d5d660a0780ded40d94e4b1a455ced67e2ffda8fc01c4f0e6e8da0588

SHA512
ce3895ffbb8c0a581f0c69e3167484f10c4f5c50f004ad164f6913db1e89d8f1d7c9ea1b0c5283d6b0df56ad2358e8ac98b8a5d468d45dd01143aee754c50311

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d68171c7304ae9e7b59c4426c8fec179

SHA1
7697132829371a669972c9d950dd41289d3ba2d5

SHA256
8f5b810d5d660a0780ded40d94e4b1a455ced67e2ffda8fc01c4f0e6e8da0588

SHA512
ce3895ffbb8c0a581f0c69e3167484f10c4f5c50f004ad164f6913db1e89d8f1d7c9ea1b0c5283d6b0df56ad2358e8ac98b8a5d468d45dd01143aee754c50311

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d68171c7304ae9e7b59c4426c8fec179

SHA1
7697132829371a669972c9d950dd41289d3ba2d5

SHA256
8f5b810d5d660a0780ded40d94e4b1a455ced67e2ffda8fc01c4f0e6e8da0588

SHA512
ce3895ffbb8c0a581f0c69e3167484f10c4f5c50f004ad164f6913db1e89d8f1d7c9ea1b0c5283d6b0df56ad2358e8ac98b8a5d468d45dd01143aee754c50311

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d68171c7304ae9e7b59c4426c8fec179

SHA1
7697132829371a669972c9d950dd41289d3ba2d5

SHA256
8f5b810d5d660a0780ded40d94e4b1a455ced67e2ffda8fc01c4f0e6e8da0588

SHA512
ce3895ffbb8c0a581f0c69e3167484f10c4f5c50f004ad164f6913db1e89d8f1d7c9ea1b0c5283d6b0df56ad2358e8ac98b8a5d468d45dd01143aee754c50311

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d68171c7304ae9e7b59c4426c8fec179

SHA1
7697132829371a669972c9d950dd41289d3ba2d5

SHA256
8f5b810d5d660a0780ded40d94e4b1a455ced67e2ffda8fc01c4f0e6e8da0588

SHA512
ce3895ffbb8c0a581f0c69e3167484f10c4f5c50f004ad164f6913db1e89d8f1d7c9ea1b0c5283d6b0df56ad2358e8ac98b8a5d468d45dd01143aee754c50311

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d68171c7304ae9e7b59c4426c8fec179

SHA1
7697132829371a669972c9d950dd41289d3ba2d5

SHA256
8f5b810d5d660a0780ded40d94e4b1a455ced67e2ffda8fc01c4f0e6e8da0588

SHA512
ce3895ffbb8c0a581f0c69e3167484f10c4f5c50f004ad164f6913db1e89d8f1d7c9ea1b0c5283d6b0df56ad2358e8ac98b8a5d468d45dd01143aee754c50311

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d68171c7304ae9e7b59c4426c8fec179

SHA1
7697132829371a669972c9d950dd41289d3ba2d5

SHA256
8f5b810d5d660a0780ded40d94e4b1a455ced67e2ffda8fc01c4f0e6e8da0588

SHA512
ce3895ffbb8c0a581f0c69e3167484f10c4f5c50f004ad164f6913db1e89d8f1d7c9ea1b0c5283d6b0df56ad2358e8ac98b8a5d468d45dd01143aee754c50311

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d68171c7304ae9e7b59c4426c8fec179

SHA1
7697132829371a669972c9d950dd41289d3ba2d5

SHA256
8f5b810d5d660a0780ded40d94e4b1a455ced67e2ffda8fc01c4f0e6e8da0588

SHA512
ce3895ffbb8c0a581f0c69e3167484f10c4f5c50f004ad164f6913db1e89d8f1d7c9ea1b0c5283d6b0df56ad2358e8ac98b8a5d468d45dd01143aee754c50311

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N6TNWS25GNKUEAXJ2LSX.temp

Filesize
7KB

MD5
d68171c7304ae9e7b59c4426c8fec179

SHA1
7697132829371a669972c9d950dd41289d3ba2d5

SHA256
8f5b810d5d660a0780ded40d94e4b1a455ced67e2ffda8fc01c4f0e6e8da0588

SHA512
ce3895ffbb8c0a581f0c69e3167484f10c4f5c50f004ad164f6913db1e89d8f1d7c9ea1b0c5283d6b0df56ad2358e8ac98b8a5d468d45dd01143aee754c50311

Download Submit
C:\Users\Public\Music\Sample Music\WMIADAP.exe

Filesize
1.4MB

MD5
0a022d070a6aad92cf2c2bd42904450e

SHA1
3b50c321894bc0979a237c97bbc9e15cc8fa0060

SHA256
97cd6974b24b7e82fc2ae0caf4ed7aef3228a16c625c5091a50098208fbc8c64

SHA512
e61387efb8c998934c6dbfdba0e119f5fa58a289774c0481cd7d880f6362ded13dbefc5a788170666c3403b43a256e1de2baad519e3e00b82a86c848136ea740

Download Submit
C:\Users\Public\Music\Sample Music\WMIADAP.exe

Filesize
1.4MB

MD5
0a022d070a6aad92cf2c2bd42904450e

SHA1
3b50c321894bc0979a237c97bbc9e15cc8fa0060

SHA256
97cd6974b24b7e82fc2ae0caf4ed7aef3228a16c625c5091a50098208fbc8c64

SHA512
e61387efb8c998934c6dbfdba0e119f5fa58a289774c0481cd7d880f6362ded13dbefc5a788170666c3403b43a256e1de2baad519e3e00b82a86c848136ea740

Download Submit
memory/436-180-0x000000000280B000-0x0000000002842000-memory.dmp

Filesize
220KB

Download
memory/436-159-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/436-160-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/436-158-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/912-142-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/912-179-0x000000000290B000-0x0000000002942000-memory.dmp

Filesize
220KB

Download
memory/912-151-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/912-139-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/956-148-0x0000000002350000-0x00000000023D0000-memory.dmp

Filesize
512KB

Download
memory/956-176-0x000000000235B000-0x0000000002392000-memory.dmp

Filesize
220KB

Download
memory/956-128-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download
memory/956-155-0x0000000002350000-0x00000000023D0000-memory.dmp

Filesize
512KB

Download
memory/1004-174-0x000000000290B000-0x0000000002942000-memory.dmp

Filesize
220KB

Download
memory/1004-164-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/1004-162-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/1004-163-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/1232-154-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/1232-175-0x000000000290B000-0x0000000002942000-memory.dmp

Filesize
220KB

Download
memory/1240-58-0x0000000000C40000-0x0000000000C5C000-memory.dmp

Filesize
112KB

Download
memory/1240-54-0x0000000000EE0000-0x0000000001046000-memory.dmp

Filesize
1.4MB

Download
memory/1240-59-0x0000000000DE0000-0x0000000000DF6000-memory.dmp

Filesize
88KB

Download
memory/1240-64-0x0000000000E20000-0x0000000000E2C000-memory.dmp

Filesize
48KB

Download
memory/1240-60-0x0000000000470000-0x0000000000478000-memory.dmp

Filesize
32KB

Download
memory/1240-61-0x0000000000E00000-0x0000000000E0C000-memory.dmp

Filesize
48KB

Download
memory/1240-62-0x0000000000570000-0x000000000057E000-memory.dmp

Filesize
56KB

Download
memory/1240-57-0x0000000000460000-0x000000000046E000-memory.dmp

Filesize
56KB

Download
memory/1240-63-0x0000000000E10000-0x0000000000E1C000-memory.dmp

Filesize
48KB

Download
memory/1240-56-0x0000000000E30000-0x0000000000EB0000-memory.dmp

Filesize
512KB

Download
memory/1240-55-0x00000000003C0000-0x00000000003C6000-memory.dmp

Filesize
24KB

Download
memory/1320-149-0x00000000026F0000-0x0000000002770000-memory.dmp

Filesize
512KB

Download
memory/1320-169-0x00000000026FB000-0x0000000002732000-memory.dmp

Filesize
220KB

Download
memory/1320-157-0x00000000026F0000-0x0000000002770000-memory.dmp

Filesize
512KB

Download
memory/1320-150-0x00000000026F0000-0x0000000002770000-memory.dmp

Filesize
512KB

Download
memory/1440-145-0x0000000002310000-0x0000000002390000-memory.dmp

Filesize
512KB

Download
memory/1440-165-0x0000000002310000-0x0000000002390000-memory.dmp

Filesize
512KB

Download
memory/1440-172-0x000000000231B000-0x0000000002352000-memory.dmp

Filesize
220KB

Download
memory/1524-170-0x000000000298B000-0x00000000029C2000-memory.dmp

Filesize
220KB

Download
memory/1524-152-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/1524-147-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/1532-177-0x00000000027EB000-0x0000000002822000-memory.dmp

Filesize
220KB

Download
memory/1532-167-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/1532-168-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/1532-166-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/1736-122-0x000000001B1A0000-0x000000001B482000-memory.dmp

Filesize
2.9MB

Download
memory/1736-178-0x00000000026BB000-0x00000000026F2000-memory.dmp

Filesize
220KB

Download
memory/1736-161-0x00000000026B0000-0x0000000002730000-memory.dmp

Filesize
512KB

Download
memory/1868-173-0x00000000029DB000-0x0000000002A12000-memory.dmp

Filesize
220KB

Download
memory/1868-153-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/1868-141-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/1936-171-0x00000000027EB000-0x0000000002822000-memory.dmp

Filesize
220KB

Download
memory/1936-156-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/1936-144-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/1936-146-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/2852-183-0x0000000001140000-0x00000000012A6000-memory.dmp

Filesize
1.4MB

Download
memory/2852-184-0x00000000010C0000-0x0000000001140000-memory.dmp

Filesize
512KB

Download
memory/2852-185-0x00000000010C0000-0x0000000001140000-memory.dmp

Filesize
512KB

Download