Overview

overview

10

Static

static

1

DCRat Crac...ON.exe

windows7-x64

10

DCRat Crac...ON.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    92s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2023 17:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DCRat Crack Test VERSION.exe

  • Size

    3.7MB

  • MD5

    0cf54aebcc76f09c147863b916a494fc

  • SHA1

    5a41a7060f20f4bc16ba4a60c8f22aa16495cb3e

  • SHA256

    0cac16b9e6b85c3415ebc63def32b4bc999182a7a09197afdcf0851f57aae68d

  • SHA512

    8dc0c4fe4649523e155bf7c57ceccb70524b27a18374e4e5fa1b991ad322181dca131b99729926f9d54dd3a1c1f86fdb40607a4e9790d0acceef2e116ba4712e

  • SSDEEP

    98304:OavNz0cqlVkGIgKuP04hZ9gA2aT3v9f8473v0H:OUNYcqMGIgdrgfaT/p8S3v0H

Score
10/10
dcratagilenetinfostealerratspywarestealer

Malware Config

Signatures

  • DcRat 49 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 48 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • .NET Reactor proctector 31 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Obfuscated with Agile.Net obfuscator 6 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 12 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 48 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\DCRat Crack Test VERSION.exe
    "C:\Users\Admin\AppData\Local\Temp\DCRat Crack Test VERSION.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Users\Admin\AppData\Local\Temp\DCRatSupport.exe
      "C:\Users\Admin\AppData\Local\Temp\DCRatSupport.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        3⤵
          PID:3812
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3296
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2688
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3984
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2712
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1236
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4736
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1244
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1852
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:5076
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4128
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2128
        • C:\Windows\InputMethod\OfficeClickToRun.exe
          "C:\Windows\InputMethod\OfficeClickToRun.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4236
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • DcRat
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2780
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4248
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\Idle.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4372
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\Idle.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2716
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\Idle.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2056
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\RuntimeBroker.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4652
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4260
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1436
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dllhost.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:5000
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:940
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1772
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\odt\StartMenuExperienceHost.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3716
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4084
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3376
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\odt\fontdrvhost.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4248
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3592
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:396
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Windows\InputMethod\OfficeClickToRun.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4520
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\InputMethod\OfficeClickToRun.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3696
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Windows\InputMethod\OfficeClickToRun.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3348
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\odt\System.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4428
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:220
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\odt\System.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:268
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Documents\My Pictures\Registry.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2424
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Pictures\Registry.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:400
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Documents\My Pictures\Registry.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:640
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\wininit.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2076
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\wininit.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3928
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\wininit.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3652
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1296
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1908
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4052
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2548
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1336
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2428
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Documents\My Pictures\RuntimeBroker.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4604
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4920
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Documents\My Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1568
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Start Menu\winlogon.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4984
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3944
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Start Menu\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1840
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\odt\OfficeClickToRun.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1136
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1408
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1484
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1452
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1808
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4700
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Favorites\Links\lsass.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1792
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\Links\lsass.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:492
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Favorites\Links\lsass.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2164

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      Query Registry

      3
      T1012

      System Information Discovery

      3
      T1082

      Peripheral Device Discovery

      1
      T1120

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        cadef9abd087803c630df65264a6c81c

        SHA1

        babbf3636c347c8727c35f3eef2ee643dbcc4bd2

        SHA256

        cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

        SHA512

        7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        cadef9abd087803c630df65264a6c81c

        SHA1

        babbf3636c347c8727c35f3eef2ee643dbcc4bd2

        SHA256

        cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

        SHA512

        7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        bd5940f08d0be56e65e5f2aaf47c538e

        SHA1

        d7e31b87866e5e383ab5499da64aba50f03e8443

        SHA256

        2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

        SHA512

        c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        bd5940f08d0be56e65e5f2aaf47c538e

        SHA1

        d7e31b87866e5e383ab5499da64aba50f03e8443

        SHA256

        2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

        SHA512

        c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        bd5940f08d0be56e65e5f2aaf47c538e

        SHA1

        d7e31b87866e5e383ab5499da64aba50f03e8443

        SHA256

        2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

        SHA512

        c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        6d3e9c29fe44e90aae6ed30ccf799ca8

        SHA1

        c7974ef72264bbdf13a2793ccf1aed11bc565dce

        SHA256

        2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

        SHA512

        60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        6d3e9c29fe44e90aae6ed30ccf799ca8

        SHA1

        c7974ef72264bbdf13a2793ccf1aed11bc565dce

        SHA256

        2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

        SHA512

        60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        c6c940df49fc678d1c74fea3c57a32f9

        SHA1

        79edd715358a82e6d29970998ff2e9b235ea4217

        SHA256

        4e50925adb70141467a7081cc905c76fd6dab841195400683f9f67fc2602aa0a

        SHA512

        3c1df9c18f1756ead841f68916dec03a066078b0705443d3f886fd990e2e42ebbffd46916be3f6fe39ea0505fc2c848fbdea56828fbd5aa5f24b329f8d979707

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        61e06aa7c42c7b2a752516bcbb242cc1

        SHA1

        02c54f8b171ef48cad21819c20b360448418a068

        SHA256

        5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

        SHA512

        03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        61e06aa7c42c7b2a752516bcbb242cc1

        SHA1

        02c54f8b171ef48cad21819c20b360448418a068

        SHA256

        5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

        SHA512

        03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\DCRatSupport.exe
        Filesize

        5.7MB

        MD5

        4bf0c454f9ec3e15308e5f2e362f9e87

        SHA1

        0ba55233e7510c060fc1f62d2a760096fb1b1136

        SHA256

        43f1c47730d2764a0954a14e733605b8d9115bd3d77edfc2652fbdba12c71f6f

        SHA512

        c0eb34ec3cb65c2ae75d99befa1dac84babc9e7c944f46a1650430bcc5935d3aad83b96cf5ab1b0f026de44d10f409fd9498762a53d41737ef3fba1a3c8b077b

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\DCRatSupport.exe
        Filesize

        5.7MB

        MD5

        4bf0c454f9ec3e15308e5f2e362f9e87

        SHA1

        0ba55233e7510c060fc1f62d2a760096fb1b1136

        SHA256

        43f1c47730d2764a0954a14e733605b8d9115bd3d77edfc2652fbdba12c71f6f

        SHA512

        c0eb34ec3cb65c2ae75d99befa1dac84babc9e7c944f46a1650430bcc5935d3aad83b96cf5ab1b0f026de44d10f409fd9498762a53d41737ef3fba1a3c8b077b

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\DCRatSupport.exe
        Filesize

        5.7MB

        MD5

        4bf0c454f9ec3e15308e5f2e362f9e87

        SHA1

        0ba55233e7510c060fc1f62d2a760096fb1b1136

        SHA256

        43f1c47730d2764a0954a14e733605b8d9115bd3d77edfc2652fbdba12c71f6f

        SHA512

        c0eb34ec3cb65c2ae75d99befa1dac84babc9e7c944f46a1650430bcc5935d3aad83b96cf5ab1b0f026de44d10f409fd9498762a53d41737ef3fba1a3c8b077b

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xafgxpyx.npr.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit
      • C:\Windows\InputMethod\OfficeClickToRun.exe
        Filesize

        5.7MB

        MD5

        4bf0c454f9ec3e15308e5f2e362f9e87

        SHA1

        0ba55233e7510c060fc1f62d2a760096fb1b1136

        SHA256

        43f1c47730d2764a0954a14e733605b8d9115bd3d77edfc2652fbdba12c71f6f

        SHA512

        c0eb34ec3cb65c2ae75d99befa1dac84babc9e7c944f46a1650430bcc5935d3aad83b96cf5ab1b0f026de44d10f409fd9498762a53d41737ef3fba1a3c8b077b

        Download Submit
      • C:\Windows\InputMethod\OfficeClickToRun.exe
        Filesize

        5.7MB

        MD5

        4bf0c454f9ec3e15308e5f2e362f9e87

        SHA1

        0ba55233e7510c060fc1f62d2a760096fb1b1136

        SHA256

        43f1c47730d2764a0954a14e733605b8d9115bd3d77edfc2652fbdba12c71f6f

        SHA512

        c0eb34ec3cb65c2ae75d99befa1dac84babc9e7c944f46a1650430bcc5935d3aad83b96cf5ab1b0f026de44d10f409fd9498762a53d41737ef3fba1a3c8b077b

        Download Submit
      • memory/1236-2011-0x00000154429B0000-0x00000154429C0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1236-1955-0x00000154429B0000-0x00000154429C0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1236-1977-0x00000154429B0000-0x00000154429C0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1244-1954-0x000001ABA5B10000-0x000001ABA5B20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1244-1975-0x000001ABA5B10000-0x000001ABA5B20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1852-1947-0x00000284E09C0000-0x00000284E09D0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1852-2009-0x00000284E09C0000-0x00000284E09D0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1852-1976-0x00000284E09C0000-0x00000284E09D0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2128-2000-0x000002C220340000-0x000002C220350000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2128-1971-0x000002C220340000-0x000002C220350000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2128-1952-0x000002C220340000-0x000002C220350000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2128-1953-0x000002C220340000-0x000002C220350000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2688-1884-0x000001F0D8F30000-0x000001F0D8F40000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2688-1874-0x000001F0D8F30000-0x000001F0D8F40000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2692-164-0x00000000054D0000-0x000000000588A000-memory.dmp
        Filesize

        3.7MB

        Download
      • memory/2692-170-0x00000000054D0000-0x000000000588A000-memory.dmp
        Filesize

        3.7MB

        Download
      • memory/2692-194-0x00000000054D0000-0x000000000588A000-memory.dmp
        Filesize

        3.7MB

        Download
      • memory/2692-188-0x00000000054D0000-0x000000000588A000-memory.dmp
        Filesize

        3.7MB

        Download
      • memory/2692-197-0x00000000054D0000-0x000000000588A000-memory.dmp
        Filesize

        3.7MB

        Download
      • memory/2692-186-0x00000000054D0000-0x000000000588A000-memory.dmp
        Filesize

        3.7MB

        Download
      • memory/2692-199-0x00000000054D0000-0x000000000588A000-memory.dmp
        Filesize

        3.7MB

        Download
      • memory/2692-375-0x0000000002600000-0x0000000002610000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2692-377-0x0000000002600000-0x0000000002610000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2692-379-0x0000000002600000-0x0000000002610000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2692-381-0x0000000002600000-0x0000000002610000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2692-1730-0x0000000006460000-0x00000000064F2000-memory.dmp
        Filesize

        584KB

        Download
      • memory/2692-1731-0x0000000006670000-0x000000000667A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/2692-184-0x00000000054D0000-0x000000000588A000-memory.dmp
        Filesize

        3.7MB

        Download
      • memory/2692-182-0x00000000054D0000-0x000000000588A000-memory.dmp
        Filesize

        3.7MB

        Download
      • memory/2692-180-0x00000000054D0000-0x000000000588A000-memory.dmp
        Filesize

        3.7MB

        Download
      • memory/2692-178-0x00000000054D0000-0x000000000588A000-memory.dmp
        Filesize

        3.7MB

        Download
      • memory/2692-133-0x0000000005C60000-0x0000000006204000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/2692-176-0x00000000054D0000-0x000000000588A000-memory.dmp
        Filesize

        3.7MB

        Download
      • memory/2692-174-0x00000000054D0000-0x000000000588A000-memory.dmp
        Filesize

        3.7MB

        Download
      • memory/2692-172-0x00000000054D0000-0x000000000588A000-memory.dmp
        Filesize

        3.7MB

        Download
      • memory/2692-190-0x00000000054D0000-0x000000000588A000-memory.dmp
        Filesize

        3.7MB

        Download
      • memory/2692-168-0x00000000054D0000-0x000000000588A000-memory.dmp
        Filesize

        3.7MB

        Download
      • memory/2692-166-0x00000000054D0000-0x000000000588A000-memory.dmp
        Filesize

        3.7MB

        Download
      • memory/2692-162-0x00000000054D0000-0x000000000588A000-memory.dmp
        Filesize

        3.7MB

        Download
      • memory/2692-160-0x00000000054D0000-0x000000000588A000-memory.dmp
        Filesize

        3.7MB

        Download
      • memory/2692-158-0x00000000054D0000-0x000000000588A000-memory.dmp
        Filesize

        3.7MB

        Download
      • memory/2692-156-0x00000000054D0000-0x000000000588A000-memory.dmp
        Filesize

        3.7MB

        Download
      • memory/2692-154-0x00000000054D0000-0x000000000588A000-memory.dmp
        Filesize

        3.7MB

        Download
      • memory/2692-152-0x00000000054D0000-0x000000000588A000-memory.dmp
        Filesize

        3.7MB

        Download
      • memory/2692-150-0x00000000054D0000-0x000000000588A000-memory.dmp
        Filesize

        3.7MB

        Download
      • memory/2692-148-0x00000000054D0000-0x000000000588A000-memory.dmp
        Filesize

        3.7MB

        Download
      • memory/2692-146-0x00000000054D0000-0x000000000588A000-memory.dmp
        Filesize

        3.7MB

        Download
      • memory/2692-144-0x00000000054D0000-0x000000000588A000-memory.dmp
        Filesize

        3.7MB

        Download
      • memory/2692-138-0x00000000054D0000-0x000000000588A000-memory.dmp
        Filesize

        3.7MB

        Download
      • memory/2692-142-0x00000000054D0000-0x000000000588A000-memory.dmp
        Filesize

        3.7MB

        Download
      • memory/2692-141-0x0000000002600000-0x0000000002610000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2692-139-0x0000000002600000-0x0000000002610000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2692-137-0x0000000002600000-0x0000000002610000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2692-135-0x00000000054D0000-0x000000000588A000-memory.dmp
        Filesize

        3.7MB

        Download
      • memory/2692-134-0x00000000054D0000-0x000000000588A000-memory.dmp
        Filesize

        3.7MB

        Download
      • memory/2708-1744-0x00000161870F0000-0x0000016187100000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2708-1743-0x00000161866D0000-0x0000016186C8A000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2708-1745-0x00000161A31F0000-0x00000161A3240000-memory.dmp
        Filesize

        320KB

        Download
      • memory/2712-1928-0x000001C3CAFC0000-0x000001C3CAFD0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2712-1974-0x000001C3CAFC0000-0x000001C3CAFD0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2780-196-0x000002BD73700000-0x000002BD73701000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2780-191-0x000002BD73700000-0x000002BD73701000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2780-193-0x000002BD73700000-0x000002BD73701000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3296-1873-0x000001E1768F0000-0x000001E176900000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3296-1862-0x000001E1768F0000-0x000001E176900000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3984-2024-0x0000018955BB0000-0x0000018955BC0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3984-1918-0x0000018955BB0000-0x0000018955BC0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3984-1995-0x0000018955BB0000-0x0000018955BC0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3984-1899-0x0000018955BB0000-0x0000018955BC0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3984-1853-0x0000018955B60000-0x0000018955B82000-memory.dmp
        Filesize

        136KB

        Download
      • memory/3984-1973-0x0000018955BB0000-0x0000018955BC0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4128-1972-0x0000028AAEB50000-0x0000028AAEB60000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4236-2020-0x000002D4B9BF0000-0x000002D4B9DB2000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/4236-1970-0x000002D4B8A90000-0x000002D4B8AA0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4236-2021-0x000002D4BA710000-0x000002D4BAC38000-memory.dmp
        Filesize

        5.2MB

        Download
      • memory/4236-2022-0x000002D4B8A90000-0x000002D4B8AA0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4236-2072-0x000002D4B8A90000-0x000002D4B8AA0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4736-2004-0x00000239A7110000-0x00000239A7120000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4736-1962-0x00000239A7110000-0x00000239A7120000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4736-2023-0x00000239A7110000-0x00000239A7120000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4736-1964-0x00000239A7110000-0x00000239A7120000-memory.dmp
        Filesize

        64KB

        Download
      • memory/5076-2006-0x000001F2CC7F0000-0x000001F2CC800000-memory.dmp
        Filesize

        64KB

        Download