dcrat | fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e

Resubmissions

30/10/2024, 06:30

241030-g9zgsaycjm 10

05/04/2023, 14:51

230405-r75wwshd6w 10

Analysis

max time kernel
114s
max time network
111s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/04/2023, 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a26ae5eb4e86ca54a1d338220318c43b.exe
Size

321KB
MD5

a26ae5eb4e86ca54a1d338220318c43b
SHA1

ba66b537f8b7289acf611e67e1f3b20fb5bb48db
SHA256

fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e
SHA512

0d2adc60f34f1d13be88df0034220e41a36f0a2dc8217fe1fc42714834f080c81f033d61f4f23af6c50c74d94d23a689714ef4c8824c96992fd478587cb31ccd
SSDEEP

6144:1RmCttlxSX8YOKPnzxx7YyRRYz4OjnYDh+OHYQmrBQ4rQbFZUzEo1V:vmJMYt/czYDh+OOQMQbT

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	Idle.exe

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	1112	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	1112	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	1112	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	1112	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	1112	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	1112	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	1112	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	1112	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	1112	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	1112	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	1112	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	1112	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	1112	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	1112	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	1112	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	1112	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	1112	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	616	1112	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	1112	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	1112	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	1112	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	1112	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	1112	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	1112	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	592	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	592	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	592	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	708	592	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	592	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	592	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	592	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	592	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	592	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	592	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	592	schtasks.exe	54
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	592	schtasks.exe	54

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1700-57-0x0000000000870000-0x00000000008C6000-memory.dmp	dcrat

Deletes itself 1 IoCs

pid	Process
852	Idle.exe

Executes dropped EXE 1 IoCs

pid	Process
852	Idle.exe

Loads dropped DLL 1 IoCs

pid	Process
992	a26ae5eb4e86ca54a1d338220318c43b.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\Network Sharing\taskhost.exe	a26ae5eb4e86ca54a1d338220318c43b.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\b75386f1303e64	a26ae5eb4e86ca54a1d338220318c43b.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\Idle.exe	a26ae5eb4e86ca54a1d338220318c43b.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\6ccacd8608530f	a26ae5eb4e86ca54a1d338220318c43b.exe
File created	C:\Program Files\Internet Explorer\images\sppsvc.exe	a26ae5eb4e86ca54a1d338220318c43b.exe
File created	C:\Program Files\Internet Explorer\images\0a1fd5f707cd16	a26ae5eb4e86ca54a1d338220318c43b.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe	a26ae5eb4e86ca54a1d338220318c43b.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\886983d96e3d3e	a26ae5eb4e86ca54a1d338220318c43b.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\PLA\cc11b995f2a76d	a26ae5eb4e86ca54a1d338220318c43b.exe
File created	C:\Windows\PLA\Rules\en-US\smss.exe	a26ae5eb4e86ca54a1d338220318c43b.exe
File created	C:\Windows\PLA\Rules\en-US\69ddcba757bf72	a26ae5eb4e86ca54a1d338220318c43b.exe
File created	C:\Windows\PLA\winlogon.exe	a26ae5eb4e86ca54a1d338220318c43b.exe
File opened for modification	C:\Windows\PLA\winlogon.exe	a26ae5eb4e86ca54a1d338220318c43b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1820	schtasks.exe
1964	schtasks.exe
1756	schtasks.exe
1240	schtasks.exe
616	schtasks.exe
1072	schtasks.exe
1420	schtasks.exe
1596	schtasks.exe
836	schtasks.exe
640	schtasks.exe
852	schtasks.exe
1880	schtasks.exe
1696	schtasks.exe
1256	schtasks.exe
1120	schtasks.exe
1092	schtasks.exe
1992	schtasks.exe
1764	schtasks.exe
1712	schtasks.exe
1916	schtasks.exe
1888	schtasks.exe
1676	schtasks.exe
1704	schtasks.exe
1936	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1700	a26ae5eb4e86ca54a1d338220318c43b.exe
992	a26ae5eb4e86ca54a1d338220318c43b.exe
852	Idle.exe
852	Idle.exe
852	Idle.exe
852	Idle.exe
852	Idle.exe
852	Idle.exe
852	Idle.exe
852	Idle.exe
852	Idle.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1700	a26ae5eb4e86ca54a1d338220318c43b.exe
Token: SeDebugPrivilege	992	a26ae5eb4e86ca54a1d338220318c43b.exe
Token: SeDebugPrivilege	852	Idle.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 992	1700	a26ae5eb4e86ca54a1d338220318c43b.exe	40
PID 1700 wrote to memory of 992	1700	a26ae5eb4e86ca54a1d338220318c43b.exe	40
PID 1700 wrote to memory of 992	1700	a26ae5eb4e86ca54a1d338220318c43b.exe	40
PID 1700 wrote to memory of 992	1700	a26ae5eb4e86ca54a1d338220318c43b.exe	40
PID 992 wrote to memory of 852	992	a26ae5eb4e86ca54a1d338220318c43b.exe	53
PID 992 wrote to memory of 852	992	a26ae5eb4e86ca54a1d338220318c43b.exe	53
PID 992 wrote to memory of 852	992	a26ae5eb4e86ca54a1d338220318c43b.exe	53
PID 992 wrote to memory of 852	992	a26ae5eb4e86ca54a1d338220318c43b.exe	53
PID 852 wrote to memory of 300	852	Idle.exe	67
PID 852 wrote to memory of 300	852	Idle.exe	67
PID 852 wrote to memory of 300	852	Idle.exe	67
PID 852 wrote to memory of 300	852	Idle.exe	67
PID 300 wrote to memory of 336	300	cmd.exe	69
PID 300 wrote to memory of 336	300	cmd.exe	69
PID 300 wrote to memory of 336	300	cmd.exe	69
PID 300 wrote to memory of 336	300	cmd.exe	69
PID 336 wrote to memory of 1688	336	w32tm.exe	70
PID 336 wrote to memory of 1688	336	w32tm.exe	70
PID 336 wrote to memory of 1688	336	w32tm.exe	70
PID 336 wrote to memory of 1688	336	w32tm.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe
"C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe
  "C:\Users\Admin\AppData\Local\Temp\a26ae5eb4e86ca54a1d338220318c43b.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:992
- - C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe
    "C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:852
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\WzmeI2KvQx.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:300
    - - C:\Windows\SysWOW64\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:336
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\PLA\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\PLA\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\images\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\images\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\PLA\Rules\en-US\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\PLA\Rules\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\PLA\Rules\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\Network Sharing\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\Network Sharing\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "a26ae5eb4e86ca54a1d338220318c43b" /f
1⤵
- Process spawned unexpected child process
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "a26ae5eb4e86ca54a1d338220318c43ba" /f
1⤵
- Process spawned unexpected child process
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "lsass" /f
1⤵
- Process spawned unexpected child process
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "lsassl" /f
1⤵
- Process spawned unexpected child process
PID:708

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "Idle" /f
1⤵
- Process spawned unexpected child process
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "IdleI" /f
1⤵
- Process spawned unexpected child process
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "taskhost" /f
1⤵
- Process spawned unexpected child process
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "taskhostt" /f
1⤵
- Process spawned unexpected child process
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "Idle" /f
1⤵
- Process spawned unexpected child process
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "IdleI" /f
1⤵
- Process spawned unexpected child process
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "Idle" /f
1⤵
- Process spawned unexpected child process
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "IdleI" /f
1⤵
- Process spawned unexpected child process
PID:836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\6ccacd8608530f

Filesize
629B

MD5
3eb774bb6e5e4a9835fd959c11c978af

SHA1
f66469e8076bd342c2299427b186b50fb9f70fdf

SHA256
00fe11debc2e6f425ffad932301c0897eb4f6e3f92e2d1daecde95aeb389886a

SHA512
a9229d484adf7e11654b0a6c99dfff2093f6e60587d04de0d53c29574f4cbf360eeb6ee71f52ed6a77d6c9c6c2641a6cd1d2e4f0dc0bcc64452a8e34862e1795

Download Submit
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\Idle.exe

Filesize
321KB

MD5
a26ae5eb4e86ca54a1d338220318c43b

SHA1
ba66b537f8b7289acf611e67e1f3b20fb5bb48db

SHA256
fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e

SHA512
0d2adc60f34f1d13be88df0034220e41a36f0a2dc8217fe1fc42714834f080c81f033d61f4f23af6c50c74d94d23a689714ef4c8824c96992fd478587cb31ccd

Download Submit
C:\Program Files\Windows Media Player\Network Sharing\b75386f1303e64

Filesize
873B

MD5
b5ff98415b8c67ec2767948559fd6f03

SHA1
8afe2d812280b1479aa0b40b27137855e8632289

SHA256
5fdc5fa825a540834b281ae0b358e6b1f63f97898c8bb448320b5daba17e3a6d

SHA512
852bd749576e171e8bf26355f20d086bcaf41c67028eb2e4bba53679479e59f495bfb92b9212383a310cb52e5e01582ecd2e7639876afbb677040ca2527070b2

Download Submit
C:\Program Files\Windows Media Player\Network Sharing\taskhost.exe

Filesize
321KB

MD5
a26ae5eb4e86ca54a1d338220318c43b

SHA1
ba66b537f8b7289acf611e67e1f3b20fb5bb48db

SHA256
fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e

SHA512
0d2adc60f34f1d13be88df0034220e41a36f0a2dc8217fe1fc42714834f080c81f033d61f4f23af6c50c74d94d23a689714ef4c8824c96992fd478587cb31ccd

Download Submit
C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\6203df4a6bafc7

Filesize
171B

MD5
b69302340b37e76e74de8d4109602041

SHA1
4bee9f75b6da8e61d6e65ad870863a287233be09

SHA256
3d9b4f3d953752987c4786aedddd4becff9ae0b8d54fd22ce288644a2c71cb79

SHA512
d2f9234cb78da4b48df5dedd5806580f8ac09e5321a242deb648f68a9715652810d0717a93adced03749c4a7123fedc176999420d1ce751f479a959a2082b02e

Download Submit
C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\6ccacd8608530f

Filesize
564B

MD5
5da69b9322ea31c0ea607b09226235c5

SHA1
6369954872e29cb5008b31d2c86719715bf2235f

SHA256
9fcce6b17470426b1eb06e5f10d49a01f8094c96d4d3692846f2727fd37cc38b

SHA512
2ca1d8a7277fa4514731049686468f04ae017630eb5376d847ce4890836e35ec71dd09e52fce708e979b28bbcdfa0a6015db7c7c9e5d6275f723c629f649e667

Download Submit
C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe

Filesize
321KB

MD5
a26ae5eb4e86ca54a1d338220318c43b

SHA1
ba66b537f8b7289acf611e67e1f3b20fb5bb48db

SHA256
fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e

SHA512
0d2adc60f34f1d13be88df0034220e41a36f0a2dc8217fe1fc42714834f080c81f033d61f4f23af6c50c74d94d23a689714ef4c8824c96992fd478587cb31ccd

Download Submit
C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe

Filesize
321KB

MD5
a26ae5eb4e86ca54a1d338220318c43b

SHA1
ba66b537f8b7289acf611e67e1f3b20fb5bb48db

SHA256
fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e

SHA512
0d2adc60f34f1d13be88df0034220e41a36f0a2dc8217fe1fc42714834f080c81f033d61f4f23af6c50c74d94d23a689714ef4c8824c96992fd478587cb31ccd

Download Submit
C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\lsass.exe

Filesize
321KB

MD5
a26ae5eb4e86ca54a1d338220318c43b

SHA1
ba66b537f8b7289acf611e67e1f3b20fb5bb48db

SHA256
fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e

SHA512
0d2adc60f34f1d13be88df0034220e41a36f0a2dc8217fe1fc42714834f080c81f033d61f4f23af6c50c74d94d23a689714ef4c8824c96992fd478587cb31ccd

Download Submit
C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\lsass.exe

Filesize
321KB

MD5
a26ae5eb4e86ca54a1d338220318c43b

SHA1
ba66b537f8b7289acf611e67e1f3b20fb5bb48db

SHA256
fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e

SHA512
0d2adc60f34f1d13be88df0034220e41a36f0a2dc8217fe1fc42714834f080c81f033d61f4f23af6c50c74d94d23a689714ef4c8824c96992fd478587cb31ccd

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzmeI2KvQx.bat

Filesize
306B

MD5
d56e3c754e4aae93b45349cee7b36926

SHA1
32f21bbdb6ca78fdb7ce7f6583d94a7762de9e7b

SHA256
32aeaf06e325c898a57d59618ba4b91b8bde6a31608fa27ce9bcc77780517920

SHA512
0820f3a1dc972ce9c8267674b2736112a04dbd35ed5620629d7844a39c70c82e17f39e82520c9955397df3f0b4f25111dadf1e3086a2c341d54d202a4cbf802b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzmeI2KvQx.bat

Filesize
306B

MD5
d56e3c754e4aae93b45349cee7b36926

SHA1
32f21bbdb6ca78fdb7ce7f6583d94a7762de9e7b

SHA256
32aeaf06e325c898a57d59618ba4b91b8bde6a31608fa27ce9bcc77780517920

SHA512
0820f3a1dc972ce9c8267674b2736112a04dbd35ed5620629d7844a39c70c82e17f39e82520c9955397df3f0b4f25111dadf1e3086a2c341d54d202a4cbf802b

Download Submit
\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe

Filesize
321KB

MD5
a26ae5eb4e86ca54a1d338220318c43b

SHA1
ba66b537f8b7289acf611e67e1f3b20fb5bb48db

SHA256
fd687a05b13c4f87f139d043c4d9d936b73762d616204bfb090124fd163c316e

SHA512
0d2adc60f34f1d13be88df0034220e41a36f0a2dc8217fe1fc42714834f080c81f033d61f4f23af6c50c74d94d23a689714ef4c8824c96992fd478587cb31ccd

Download Submit
memory/852-81-0x0000000000CF0000-0x0000000000D46000-memory.dmp

Filesize
344KB

Download
memory/852-82-0x0000000004BC0000-0x0000000004C00000-memory.dmp

Filesize
256KB

Download
memory/852-83-0x0000000004BC0000-0x0000000004C00000-memory.dmp

Filesize
256KB

Download
memory/992-66-0x0000000004A80000-0x0000000004AC0000-memory.dmp

Filesize
256KB

Download
memory/1700-54-0x0000000000350000-0x00000000003A6000-memory.dmp

Filesize
344KB

Download
memory/1700-57-0x0000000000870000-0x00000000008C6000-memory.dmp

Filesize
344KB

Download
memory/1700-56-0x0000000004910000-0x0000000004950000-memory.dmp

Filesize
256KB

Download
memory/1700-55-0x0000000006E00000-0x0000000006EDC000-memory.dmp

Filesize
880KB

Download