Overview

overview

10

Static

static

10

ab07eea7bf...29.exe

windows7-x64

10

ab07eea7bf...29.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-11-2024 14:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe

  • Size

    3.4MB

  • MD5

    4626a1483d82cf0be9302c305f6b54c4

  • SHA1

    7f16e6aee9e0967b26e36b11de4654cfbffe2675

  • SHA256

    ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729

  • SHA512

    6381dab004c7d96449554626bbc53d4d7d20a55d21c930a987e1e866803c34a0f6e964ec7a74fc3649f7a9fe9d490a535a59280875605ef950673d83bdd15f54

  • SSDEEP

    49152:xZXrXU/5+Zc5SVROVisjq7miG9vv2SNty1kIP2XMxARdpe:xZzU4c5SMXq7miAX2SNty1xPuMyHpe

Score
10/10
dcratevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 13 IoCs
    persistence
  • Process spawned unexpected child process 39 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 21 IoCs
    evasiontrojan
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 26 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 14 IoCs
    evasiontrojan
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 6 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • System policy modification 1 TTPs 21 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe
    "C:\Users\Admin\AppData\Local\Temp\ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3916
    • C:\Recovery\WindowsRE\sysmon.exe
      "C:\Recovery\WindowsRE\sysmon.exe"
      2⤵
      • UAC bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:856
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c24d6476-4f9f-4515-b6a3-b3fcd7fc8b69.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3896
        • C:\Recovery\WindowsRE\sysmon.exe
          C:\Recovery\WindowsRE\sysmon.exe
          4⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1264
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af3b0d2f-bbe6-4f27-a2f2-8b51bd0341ca.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2328
            • C:\Recovery\WindowsRE\sysmon.exe
              C:\Recovery\WindowsRE\sysmon.exe
              6⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:5032
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\886d6634-9540-416c-b7a3-0af13c9b20c8.vbs"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:4424
                • C:\Recovery\WindowsRE\sysmon.exe
                  C:\Recovery\WindowsRE\sysmon.exe
                  8⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:1396
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ae9a148-8542-4e89-b4d6-b3c792b56225.vbs"
                    9⤵
                    • Suspicious use of WriteProcessMemory
                    PID:5064
                    • C:\Recovery\WindowsRE\sysmon.exe
                      C:\Recovery\WindowsRE\sysmon.exe
                      10⤵
                      • UAC bypass
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Modifies registry class
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      • System policy modification
                      PID:4052
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b47d643-7120-4082-b180-d4eb83156869.vbs"
                        11⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4908
                        • C:\Recovery\WindowsRE\sysmon.exe
                          C:\Recovery\WindowsRE\sysmon.exe
                          12⤵
                          • UAC bypass
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Modifies registry class
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          • System policy modification
                          PID:3332
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1dae2402-5724-4acd-b9bc-040b2b9bda7a.vbs"
                            13⤵
                              PID:2328
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75bb81d8-7288-4c39-b82f-fd5140905eae.vbs"
                              13⤵
                                PID:4024
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24a38fdf-cac1-4f90-9942-b45e502b6a58.vbs"
                            11⤵
                              PID:4980
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb9d4dd9-37cf-4491-a5e6-48e25959686d.vbs"
                          9⤵
                            PID:4824
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e35045b1-1441-4dfa-b296-75ca629ce743.vbs"
                        7⤵
                          PID:4532
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08b0ec23-063d-4436-aacb-b1f0b6b66f0d.vbs"
                      5⤵
                        PID:3192
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\560efb8c-79ee-4d9a-8f3b-d3dac677f9b8.vbs"
                    3⤵
                      PID:3184
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1996
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4520
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3172
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Panther\actionqueue\dllhost.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1812
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\dllhost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4324
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Panther\actionqueue\dllhost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:828
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3816
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1136
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2328
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\backgroundTaskHost.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1744
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\backgroundTaskHost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:5048
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\backgroundTaskHost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4388
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\StartMenuExperienceHost.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4556
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1864
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:632
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\taskhostw.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:448
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\taskhostw.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1016
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\taskhostw.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2020
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\sihost.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2088
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\sihost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1440
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\sihost.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2660
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\lsass.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1456
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\lsass.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:5084
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\lsass.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1556
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\upfc.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4024
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\upfc.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3900
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\upfc.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3040
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dwm.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1088
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1708
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4780
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\sysmon.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3200
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\sysmon.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:3364
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\sysmon.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2172
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1816
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:2920
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:960
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\winlogon.exe'" /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1196
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\winlogon.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:4532
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\winlogon.exe'" /rl HIGHEST /f
                  1⤵
                  • Process spawned unexpected child process
                  • Scheduled Task/Job: Scheduled Task
                  PID:1132

                Network

                MITRE ATT&CK Enterprise v15

                Reconnaissance

                Resource Development

                Initial Access

                Execution

                Scheduled Task/Job

                1
                T1053

                Scheduled Task

                1
                T1053.005

                Persistence

                Boot or Logon Autostart Execution

                2
                T1547

                Registry Run Keys / Startup Folder

                1
                T1547.001

                Winlogon Helper DLL

                1
                T1547.004

                Scheduled Task/Job

                1
                T1053

                Scheduled Task

                1
                T1053.005

                Privilege Escalation

                Abuse Elevation Control Mechanism

                1
                T1548

                Bypass User Account Control

                1
                T1548.002

                Boot or Logon Autostart Execution

                2
                T1547

                Registry Run Keys / Startup Folder

                1
                T1547.001

                Winlogon Helper DLL

                1
                T1547.004

                Scheduled Task/Job

                1
                T1053

                Scheduled Task

                1
                T1053.005

                Defense Evasion

                Abuse Elevation Control Mechanism

                1
                T1548

                Bypass User Account Control

                1
                T1548.002

                Impair Defenses

                1
                T1562

                Disable or Modify Tools

                1
                T1562.001

                Modify Registry

                4
                T1112

                Credential Access

                Discovery

                Query Registry

                2
                T1012

                System Information Discovery

                3
                T1082

                Lateral Movement

                Collection

                Command and Control

                Exfiltration

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\ProgramData\regid.1991-06.com.microsoft\StartMenuExperienceHost.exe
                  Filesize

                  3.4MB

                  MD5

                  4626a1483d82cf0be9302c305f6b54c4

                  SHA1

                  7f16e6aee9e0967b26e36b11de4654cfbffe2675

                  SHA256

                  ab07eea7bfd0a6fea819ab73e1bc6c75b681b7cf044199ed7c38d410b7c5d729

                  SHA512

                  6381dab004c7d96449554626bbc53d4d7d20a55d21c930a987e1e866803c34a0f6e964ec7a74fc3649f7a9fe9d490a535a59280875605ef950673d83bdd15f54

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sysmon.exe.log
                  Filesize

                  1KB

                  MD5

                  49b64127208271d8f797256057d0b006

                  SHA1

                  b99bd7e2b4e9ed24de47fb3341ea67660b84cca1

                  SHA256

                  2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77

                  SHA512

                  f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1dae2402-5724-4acd-b9bc-040b2b9bda7a.vbs
                  Filesize

                  708B

                  MD5

                  51d67327676884c40e9eab598ad17e0e

                  SHA1

                  79b99bff325c4736e01169880e3374b7266df766

                  SHA256

                  e93d26ec2acb9f3a905f4bf5ed99c3e4e9603bde26a9b964bfe5eadef5d6a16e

                  SHA512

                  50df35f2f256fb32a0fd90a5b8e0c760450eb3fc441baa5d73b7001080cf4dffe34623db70329d3f372368e33c69070824574874cb9c0a0919831cf6a90eafeb

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\4b47d643-7120-4082-b180-d4eb83156869.vbs
                  Filesize

                  708B

                  MD5

                  f9adb3303995eaaf448ae15fef49a661

                  SHA1

                  d72ece102ba769ade9750797c6d014b544234895

                  SHA256

                  b37d3966bef6c0243e76b0e933a9e9719a07a9453d67eedc22df3ef9929c9b21

                  SHA512

                  62d0b3a5bd2696612c4d90769fbbc14ef94f8a989aad32b776b6fcfb59631d5359e3a85751c82720dd2b5e36808518f4f64894523340f9dfdff9d28d6e8a095e

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\560efb8c-79ee-4d9a-8f3b-d3dac677f9b8.vbs
                  Filesize

                  484B

                  MD5

                  64ef158cffa5f3ba62703fe07f62436f

                  SHA1

                  36ce5db302ec3a871b53352dadaea640cdc276ea

                  SHA256

                  c473386c48757e7a2452295fe34a1065c21351b44a1c118617125e411584cc45

                  SHA512

                  a0c76e706dc148e8d011b9024dc6c0575d6fc3c7e947c3ca54f8049f83ac549c9129d8cc6232835582ff9efa39bcef94b15aa503f3ed02b055e64b6391fd86ce

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\6ae9a148-8542-4e89-b4d6-b3c792b56225.vbs
                  Filesize

                  708B

                  MD5

                  142fd5adc203493d9dcf98cc36a98050

                  SHA1

                  01845c78c3b3ff237e5964d6f82d78239cc70f5c

                  SHA256

                  79f4a3fa3722a86ec63d9919c2f52c461073f4af74024e9d4743d2c3bbd4ed99

                  SHA512

                  c8e984809808f7bcfbf59de3f14c5d1157b2ad0606fc8ffdf89ff7409b455c3db76462f0e24eeae862bb478d20dd802098c705b4fa2aece2a43f0afeb6b8b6ad

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\886d6634-9540-416c-b7a3-0af13c9b20c8.vbs
                  Filesize

                  708B

                  MD5

                  d8c0d7f270250f9c4e3ce27f91511ba5

                  SHA1

                  86e7d3986393fbc5a425d38f8ed236a7fccc2525

                  SHA256

                  83bf036f573493063423fb34c9d493ca618a1416629af9e68c9223430780b118

                  SHA512

                  43da405cb3b66dcbbd213daaae1147b8d093b670543344cce3a16dd91b35e87c0be7d504e7c0595127b7b47fdd99263f6e832d402cf91bb40bd18164ba472e34

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\af3b0d2f-bbe6-4f27-a2f2-8b51bd0341ca.vbs
                  Filesize

                  708B

                  MD5

                  f77738954c3824c0f89149795188a501

                  SHA1

                  62fcec5bfdc99b8151b49f1fda63684ecc693a99

                  SHA256

                  48e02e5f9f4c78262093bbdd0784403b9370c72aa51e0194ad322686f8ae59fd

                  SHA512

                  6d1978919c3ac956ad523aad630c2723298f022f92535f23d991325c53bca7aaf989ecd76aa8ad0c060086df360b90c758c5ad28dd0ebfd0066666e269ab0aef

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\c24d6476-4f9f-4515-b6a3-b3fcd7fc8b69.vbs
                  Filesize

                  707B

                  MD5

                  cfca06416ec8df26dd53956653899800

                  SHA1

                  0b1f462fb581d409268e8d2a21a3a8b7fe1e447b

                  SHA256

                  181e4b1637e25902da2b6246930c9a3cca62a18bfea8a98fc9b413fc8c5898d3

                  SHA512

                  cd12e74c5ca50c5fcca5b8b823a05e9387d9f1acfeb3262b167170a4b364933bd163ece26bf47a34f0431d23bf08fc03bb84e0699f02b04ccf11eba49b16263f

                  Download Submit

                • memory/856-78-0x0000000002600000-0x0000000002612000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/3916-27-0x000000001BFD0000-0x000000001BFDC000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/3916-31-0x0000000001360000-0x000000000136A000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/3916-7-0x000000001BD60000-0x000000001BDB0000-memory.dmp

                  Filesize

                  320KB

                  Download

                • memory/3916-13-0x000000001BEC0000-0x000000001BECC000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/3916-15-0x000000001BEB0000-0x000000001BEC0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3916-14-0x0000000002D00000-0x0000000002D08000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/3916-16-0x000000001BED0000-0x000000001BEDA000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/3916-17-0x000000001BEE0000-0x000000001BF36000-memory.dmp

                  Filesize

                  344KB

                  Download

                • memory/3916-18-0x000000001BF30000-0x000000001BF3C000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/3916-19-0x000000001BF40000-0x000000001BF48000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/3916-20-0x000000001BF50000-0x000000001BF5C000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/3916-21-0x000000001BF60000-0x000000001BF68000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/3916-22-0x000000001BF70000-0x000000001BF82000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/3916-23-0x000000001C4D0000-0x000000001C9F8000-memory.dmp

                  Filesize

                  5.2MB

                  Download

                • memory/3916-24-0x000000001BFA0000-0x000000001BFAC000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/3916-25-0x000000001BFB0000-0x000000001BFBC000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/3916-0-0x00007FFE586C3000-0x00007FFE586C5000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/3916-26-0x000000001BFC0000-0x000000001BFC8000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/3916-28-0x0000000001340000-0x000000000134C000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/3916-29-0x000000001C200000-0x000000001C208000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/3916-30-0x0000000001350000-0x000000000135C000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/3916-10-0x0000000002CC0000-0x0000000002CD6000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/3916-32-0x0000000001370000-0x000000000137E000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/3916-33-0x000000001C1E0000-0x000000001C1E8000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/3916-34-0x000000001C1F0000-0x000000001C1FE000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/3916-35-0x000000001C210000-0x000000001C218000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/3916-36-0x000000001C220000-0x000000001C22C000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/3916-37-0x000000001C230000-0x000000001C238000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/3916-38-0x000000001C340000-0x000000001C34A000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/3916-39-0x000000001C240000-0x000000001C24C000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/3916-12-0x0000000002CF0000-0x0000000002D02000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/3916-77-0x00007FFE586C0000-0x00007FFE59181000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/3916-11-0x0000000002CE0000-0x0000000002CE8000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/3916-9-0x0000000002CB0000-0x0000000002CC0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3916-8-0x0000000002CA0000-0x0000000002CA8000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/3916-6-0x0000000002C80000-0x0000000002C9C000-memory.dmp

                  Filesize

                  112KB

                  Download

                • memory/3916-5-0x0000000002C70000-0x0000000002C78000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/3916-1-0x00000000005A0000-0x000000000090A000-memory.dmp

                  Filesize

                  3.4MB

                  Download

                • memory/3916-2-0x00007FFE586C0000-0x00007FFE59181000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/3916-4-0x0000000002C60000-0x0000000002C6E000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/3916-3-0x0000000002C50000-0x0000000002C5E000-memory.dmp

                  Filesize

                  56KB

                  Download

                • memory/5032-103-0x000000001BE40000-0x000000001BE52000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/5032-102-0x000000001BD70000-0x000000001BD82000-memory.dmp

                  Filesize

                  72KB

                  Download