dcrat | b560855a892920c2e65e6d11e71221fe4cab665ecbce9f7871aaa9636c0262dc

Analysis

max time kernel
144s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
Size

1.8MB
MD5

4f964ada28fa2dde5c75d3c3682e69c4
SHA1

481a0ddc3dfd39147abf684b60b6a0b1dfbbc341
SHA256

7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945
SHA512

ab07c9602776dc062599a89eed9d38be2c95f563a9ed9c906e6c1066f80e5666f119c5a790a120bf626a73edd3cc178924262d41c0f65eb20fcf3b542a83dc68
SSDEEP

24576:cWrCg/r+6/5OZr1A+KnhQaPNcHxIpjgqJ6t1:XrC7G5g0gq

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\updater.exe\""	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2008	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2008	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2008	schtasks.exe	30

DCRat payload 6 IoCs

rat

resource	yara_rule
behavioral1/memory/2668-1-0x0000000000090000-0x000000000025A000-memory.dmp	family_dcrat_v2
behavioral1/files/0x0012000000012118-53.dat	family_dcrat_v2
behavioral1/memory/2968-54-0x00000000003C0000-0x000000000058A000-memory.dmp	family_dcrat_v2
behavioral1/memory/2196-72-0x0000000000B20000-0x0000000000CEA000-memory.dmp	family_dcrat_v2
behavioral1/memory/2780-107-0x00000000010A0000-0x000000000126A000-memory.dmp	family_dcrat_v2
behavioral1/memory/1716-125-0x0000000001190000-0x000000000135A000-memory.dmp	family_dcrat_v2

Executes dropped EXE 5 IoCs

pid	Process
2968	updater.exe
2196	updater.exe
2944	updater.exe
2780	updater.exe
1716	updater.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\updater = "\"C:\\Users\\Admin\\AppData\\Local\\updater.exe\""	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater = "\"C:\\Users\\Admin\\AppData\\Local\\updater.exe\""	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC3380EAE86F7944C1B14A68498E8A926E.TMP	csc.exe
File created	\??\c:\Windows\System32\1woi1z.exe	csc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2432	PING.EXE
1340	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2432	PING.EXE
1340	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2596	schtasks.exe
2580	schtasks.exe
2696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
Token: SeDebugPrivilege	2968	updater.exe
Token: SeDebugPrivilege	2196	updater.exe
Token: SeDebugPrivilege	2944	updater.exe
Token: SeDebugPrivilege	2780	updater.exe
Token: SeDebugPrivilege	1716	updater.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 1676	2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe	34
PID 2668 wrote to memory of 1676	2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe	34
PID 2668 wrote to memory of 1676	2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe	34
PID 1676 wrote to memory of 1580	1676	csc.exe	36
PID 1676 wrote to memory of 1580	1676	csc.exe	36
PID 1676 wrote to memory of 1580	1676	csc.exe	36
PID 2668 wrote to memory of 1276	2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe	37
PID 2668 wrote to memory of 1276	2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe	37
PID 2668 wrote to memory of 1276	2668	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe	37
PID 1276 wrote to memory of 2880	1276	cmd.exe	39
PID 1276 wrote to memory of 2880	1276	cmd.exe	39
PID 1276 wrote to memory of 2880	1276	cmd.exe	39
PID 1276 wrote to memory of 1808	1276	cmd.exe	40
PID 1276 wrote to memory of 1808	1276	cmd.exe	40
PID 1276 wrote to memory of 1808	1276	cmd.exe	40
PID 1276 wrote to memory of 2968	1276	cmd.exe	41
PID 1276 wrote to memory of 2968	1276	cmd.exe	41
PID 1276 wrote to memory of 2968	1276	cmd.exe	41
PID 2968 wrote to memory of 560	2968	updater.exe	42
PID 2968 wrote to memory of 560	2968	updater.exe	42
PID 2968 wrote to memory of 560	2968	updater.exe	42
PID 560 wrote to memory of 592	560	cmd.exe	44
PID 560 wrote to memory of 592	560	cmd.exe	44
PID 560 wrote to memory of 592	560	cmd.exe	44
PID 560 wrote to memory of 608	560	cmd.exe	45
PID 560 wrote to memory of 608	560	cmd.exe	45
PID 560 wrote to memory of 608	560	cmd.exe	45
PID 560 wrote to memory of 2196	560	cmd.exe	46
PID 560 wrote to memory of 2196	560	cmd.exe	46
PID 560 wrote to memory of 2196	560	cmd.exe	46
PID 2196 wrote to memory of 2036	2196	updater.exe	47
PID 2196 wrote to memory of 2036	2196	updater.exe	47
PID 2196 wrote to memory of 2036	2196	updater.exe	47
PID 2036 wrote to memory of 2952	2036	cmd.exe	49
PID 2036 wrote to memory of 2952	2036	cmd.exe	49
PID 2036 wrote to memory of 2952	2036	cmd.exe	49
PID 2036 wrote to memory of 2432	2036	cmd.exe	50
PID 2036 wrote to memory of 2432	2036	cmd.exe	50
PID 2036 wrote to memory of 2432	2036	cmd.exe	50
PID 2036 wrote to memory of 2944	2036	cmd.exe	52
PID 2036 wrote to memory of 2944	2036	cmd.exe	52
PID 2036 wrote to memory of 2944	2036	cmd.exe	52
PID 2944 wrote to memory of 1604	2944	updater.exe	53
PID 2944 wrote to memory of 1604	2944	updater.exe	53
PID 2944 wrote to memory of 1604	2944	updater.exe	53
PID 1604 wrote to memory of 2784	1604	cmd.exe	55
PID 1604 wrote to memory of 2784	1604	cmd.exe	55
PID 1604 wrote to memory of 2784	1604	cmd.exe	55
PID 1604 wrote to memory of 2788	1604	cmd.exe	56
PID 1604 wrote to memory of 2788	1604	cmd.exe	56
PID 1604 wrote to memory of 2788	1604	cmd.exe	56
PID 1604 wrote to memory of 2780	1604	cmd.exe	57
PID 1604 wrote to memory of 2780	1604	cmd.exe	57
PID 1604 wrote to memory of 2780	1604	cmd.exe	57
PID 2780 wrote to memory of 1060	2780	updater.exe	58
PID 2780 wrote to memory of 1060	2780	updater.exe	58
PID 2780 wrote to memory of 1060	2780	updater.exe	58
PID 1060 wrote to memory of 2856	1060	cmd.exe	60
PID 1060 wrote to memory of 2856	1060	cmd.exe	60
PID 1060 wrote to memory of 2856	1060	cmd.exe	60
PID 1060 wrote to memory of 1340	1060	cmd.exe	61
PID 1060 wrote to memory of 1340	1060	cmd.exe	61
PID 1060 wrote to memory of 1340	1060	cmd.exe	61
PID 1060 wrote to memory of 1716	1060	cmd.exe	62

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
"C:\Users\Admin\AppData\Local\Temp\7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lanchh3g\lanchh3g.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D84.tmp" "c:\Windows\System32\CSC3380EAE86F7944C1B14A68498E8A926E.TMP"
    3⤵
    PID:1580
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hqwH3CX7HN.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2880
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1808
- - C:\Users\Admin\AppData\Local\updater.exe
    "C:\Users\Admin\AppData\Local\updater.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PLxqGDTluw.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:560
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:592
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:608
    - - C:\Users\Admin\AppData\Local\updater.exe
        
        "C:\Users\Admin\AppData\Local\updater.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2196
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vD0ZrSnetJ.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\updater.exe
        
        "C:\Users\Admin\AppData\Local\updater.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TIi6EHU90J.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\updater.exe
        
        "C:\Users\Admin\AppData\Local\updater.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nUe3m5ImHN.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2856
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\updater.exe
        
        "C:\Users\Admin\AppData\Local\updater.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "updateru" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\updater.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "updater" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\updater.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "updateru" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\updater.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PLxqGDTluw.bat

Filesize
216B

MD5
a845f0bb5a3494715a48c94a53802b36

SHA1
8843eb2eb3596fc866e124de2722c99781493dfe

SHA256
13f96811dde79373c5918a50991db213044a273c0c28febf692dffac64e76a0f

SHA512
d680c024d973dfedba10a3b7f800c3897b22609d06fb9ae31d66a92474bdda8dd35e81f833c5b3861124e15cb6ac13dca94f4b015024dca477f6f08674e94597

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4D84.tmp

Filesize
1KB

MD5
912866e38048c34f5a4ad438f5ce84f4

SHA1
7434a449832f13a7f9af7d8b10f2a3cb337e3d5a

SHA256
f18387c81a1dfe5245e1798d50dbcbe015ee4c8906de8ac707f3d22fc8bde3dd

SHA512
3ca4a8f15062e5fde49d1c179d5111ea8291327909faf7176a2e1703f31aaf440df02fe3e2cb3c8ea055b80ac3083d3b4f07375752721c05623b612c36c88e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TIi6EHU90J.bat

Filesize
216B

MD5
5e8a1bbc7af00e4b5bf49469ee8ab4c2

SHA1
6799da03445fdfd0f7efd323ec07e4f946a97c65

SHA256
481b16954efae2bec0182dbdb01c69a17c592489f24ad022184a7cbc035ce053

SHA512
4de9ad3d6019cb09027d7eb90d0f68a2b034c9416e56a2222300b271adf3168721d4c69dc7302ff5ed155a3ad580b0dce1dacba6e97d0880a4ec1c35e39af32d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hqwH3CX7HN.bat

Filesize
216B

MD5
395cda72f61db678a8731af169bd755e

SHA1
f29f553ff2b95437019bebced7e9f9fb800eac26

SHA256
6534504b3c6e15e4386991da785b219afb2211bcc5103528af5c72c68de7eee5

SHA512
462e0c561f15add03c89b551dd9a525c3281180d23d31693b9a4932dac0d79b2a0481105d1f6133901c5b33b8976f1e96d62f46891b123c847eed2f7b9ef509f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nUe3m5ImHN.bat

Filesize
168B

MD5
086797f7bde2e5d6c7005d5575a9a23d

SHA1
98426149b170fdb0ba09ebc2348817be0173e8e1

SHA256
772eefa7b39bd25e153b2a031fd8643a92d8e2581c13608c130970b886e1b25b

SHA512
e2ddd6ca3a9dc50689b7351f3e177f2ff933d90ba550c3e41c317b877b979af2a74b131c011ba43ec64edf06beecef3ef2405fa467087a4d2a6f6ed08cd217ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\vD0ZrSnetJ.bat

Filesize
168B

MD5
638c9d757a633d88c0a7338ed20efa28

SHA1
57e01f89128c7ef95b3baa48d96680f50f2f5994

SHA256
13eab42c9e02f5b8026e8de5d4519a90475169be72c20ff4be579eb49cda7ebb

SHA512
1edaeac1a81c0396c8cca190d9094a66d4acfb92766ed4f4c64f8269a5dcce75a3f17a910998f71c72b2696f5e06c5548e6c8a16c8c56bf15a5fdd908ed68095

Download Submit
C:\Users\Admin\AppData\Local\updater.exe

Filesize
1.8MB

MD5
4f964ada28fa2dde5c75d3c3682e69c4

SHA1
481a0ddc3dfd39147abf684b60b6a0b1dfbbc341

SHA256
7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945

SHA512
ab07c9602776dc062599a89eed9d38be2c95f563a9ed9c906e6c1066f80e5666f119c5a790a120bf626a73edd3cc178924262d41c0f65eb20fcf3b542a83dc68

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lanchh3g\lanchh3g.0.cs

Filesize
372B

MD5
2d7c234d04b7a328c944fcadfcdd5df7

SHA1
d9cad48a8fc5ee8c02970b6487ee41edd051df68

SHA256
d2e3a5f98b9fa3ec14c58e77d7cdff2e653dfaa41fa336f0f79e131b62589891

SHA512
add2eb8ebb480ad8bd1b9bfaf43ea20c512f910f3f0cd9fd462aaeffba7179cab6f5b14e6a8e0b3c8625a3d5b1f74f773317542012d8895861d1e79bb285a58e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lanchh3g\lanchh3g.cmdline

Filesize
235B

MD5
d53742bcaecd8002ebdd114b543bd4f0

SHA1
d3075f17fdc4f707e31761865d6b33aebc4433b7

SHA256
a8d87e04ec3ffcb9f87358d5cd4579264a52ede0328fde3bb0053a10e4dfb1cc

SHA512
8b644c368c347de2b07305a6ced8b4e4d02e091d1042934778d8963423c4f62b3bc9f5c6a6b358c6e6846d31e8cecfb44f8fe5d2acd0f3c89adcc9c48c7f1044

Download Submit
\??\c:\Windows\System32\CSC3380EAE86F7944C1B14A68498E8A926E.TMP

Filesize
1KB

MD5
dcd286f3a69cfd0292a8edbc946f8553

SHA1
4d347ac1e8c1d75fc139878f5646d3a0b083ef17

SHA256
29e03364271673f4b388131b7773d016df859bb0b1c5e6c3ad6914a632600596

SHA512
4b9546033bd4957263854fbb0a87aa1d57ce3afbce7bf03b12b05b78f97c5a27c52c1d73e34b6a5ba2c395e26ec9c474a32609441b99cf78ea707113fca96f77

Download Submit
memory/1716-125-0x0000000001190000-0x000000000135A000-memory.dmp

Filesize
1.8MB

Download
memory/2196-72-0x0000000000B20000-0x0000000000CEA000-memory.dmp

Filesize
1.8MB

Download
memory/2668-14-0x0000000000640000-0x0000000000652000-memory.dmp

Filesize
72KB

Download
memory/2668-16-0x0000000000660000-0x0000000000676000-memory.dmp

Filesize
88KB

Download
memory/2668-24-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp

Filesize
9.9MB

Download
memory/2668-23-0x00000000007B0000-0x000000000080A000-memory.dmp

Filesize
360KB

Download
memory/2668-26-0x0000000000680000-0x000000000068E000-memory.dmp

Filesize
56KB

Download
memory/2668-28-0x00000000021C0000-0x000000000220E000-memory.dmp

Filesize
312KB

Download
memory/2668-29-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp

Filesize
9.9MB

Download
memory/2668-32-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp

Filesize
9.9MB

Download
memory/2668-33-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp

Filesize
9.9MB

Download
memory/2668-19-0x0000000000600000-0x000000000060E000-memory.dmp

Filesize
56KB

Download
memory/2668-17-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp

Filesize
9.9MB

Download
memory/2668-21-0x0000000000610000-0x0000000000620000-memory.dmp

Filesize
64KB

Download
memory/2668-0-0x000007FEF5E23000-0x000007FEF5E24000-memory.dmp

Filesize
4KB

Download
memory/2668-50-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp

Filesize
9.9MB

Download
memory/2668-12-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/2668-10-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp

Filesize
9.9MB

Download
memory/2668-1-0x0000000000090000-0x000000000025A000-memory.dmp

Filesize
1.8MB

Download
memory/2668-9-0x0000000000620000-0x0000000000638000-memory.dmp

Filesize
96KB

Download
memory/2668-7-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/2668-6-0x0000000000380000-0x000000000039C000-memory.dmp

Filesize
112KB

Download
memory/2668-4-0x0000000000340000-0x000000000034E000-memory.dmp

Filesize
56KB

Download
memory/2668-2-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp

Filesize
9.9MB

Download
memory/2780-107-0x00000000010A0000-0x000000000126A000-memory.dmp

Filesize
1.8MB

Download
memory/2968-54-0x00000000003C0000-0x000000000058A000-memory.dmp

Filesize
1.8MB

Download