dcrat | b560855a892920c2e65e6d11e71221fe4cab665ecbce9f7871aaa9636c0262dc

Analysis

max time kernel
139s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
Size

1.8MB
MD5

4f964ada28fa2dde5c75d3c3682e69c4
SHA1

481a0ddc3dfd39147abf684b60b6a0b1dfbbc341
SHA256

7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945
SHA512

ab07c9602776dc062599a89eed9d38be2c95f563a9ed9c906e6c1066f80e5666f119c5a790a120bf626a73edd3cc178924262d41c0f65eb20fcf3b542a83dc68
SSDEEP

24576:cWrCg/r+6/5OZr1A+KnhQaPNcHxIpjgqJ6t1:XrC7G5g0gq

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\updater.exe\""	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	2180	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2180	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3908	2180	schtasks.exe	82

DCRat payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/2816-1-0x0000000000E60000-0x000000000102A000-memory.dmp	family_dcrat_v2
behavioral2/files/0x0012000000023c9a-58.dat	family_dcrat_v2

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	updater.exe

Executes dropped EXE 5 IoCs

pid	Process
1216	updater.exe
5016	updater.exe
4468	updater.exe
2576	updater.exe
3924	updater.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater = "\"C:\\Users\\Admin\\AppData\\Local\\updater.exe\""	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater = "\"C:\\Users\\Admin\\AppData\\Local\\updater.exe\""	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC1A1060893DF14C7096D4FB46969F7B7.TMP	csc.exe
File created	\??\c:\Windows\System32\ljh0xx.exe	csc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1632	PING.EXE
3496	PING.EXE

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	updater.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	updater.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	updater.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	updater.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1632	PING.EXE
3496	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3488	schtasks.exe
2184	schtasks.exe
3908	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
Token: SeDebugPrivilege	1216	updater.exe
Token: SeDebugPrivilege	5016	updater.exe
Token: SeDebugPrivilege	4468	updater.exe
Token: SeDebugPrivilege	2576	updater.exe
Token: SeDebugPrivilege	3924	updater.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 4456	2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe	86
PID 2816 wrote to memory of 4456	2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe	86
PID 4456 wrote to memory of 924	4456	csc.exe	88
PID 4456 wrote to memory of 924	4456	csc.exe	88
PID 2816 wrote to memory of 4000	2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe	89
PID 2816 wrote to memory of 4000	2816	7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe	89
PID 4000 wrote to memory of 712	4000	cmd.exe	91
PID 4000 wrote to memory of 712	4000	cmd.exe	91
PID 4000 wrote to memory of 532	4000	cmd.exe	92
PID 4000 wrote to memory of 532	4000	cmd.exe	92
PID 4000 wrote to memory of 1216	4000	cmd.exe	93
PID 4000 wrote to memory of 1216	4000	cmd.exe	93
PID 1216 wrote to memory of 1496	1216	updater.exe	102
PID 1216 wrote to memory of 1496	1216	updater.exe	102
PID 1496 wrote to memory of 1808	1496	cmd.exe	104
PID 1496 wrote to memory of 1808	1496	cmd.exe	104
PID 1496 wrote to memory of 1624	1496	cmd.exe	105
PID 1496 wrote to memory of 1624	1496	cmd.exe	105
PID 1496 wrote to memory of 5016	1496	cmd.exe	106
PID 1496 wrote to memory of 5016	1496	cmd.exe	106
PID 5016 wrote to memory of 4548	5016	updater.exe	107
PID 5016 wrote to memory of 4548	5016	updater.exe	107
PID 4548 wrote to memory of 1420	4548	cmd.exe	109
PID 4548 wrote to memory of 1420	4548	cmd.exe	109
PID 4548 wrote to memory of 1632	4548	cmd.exe	110
PID 4548 wrote to memory of 1632	4548	cmd.exe	110
PID 4548 wrote to memory of 4468	4548	cmd.exe	111
PID 4548 wrote to memory of 4468	4548	cmd.exe	111
PID 4468 wrote to memory of 2984	4468	updater.exe	112
PID 4468 wrote to memory of 2984	4468	updater.exe	112
PID 2984 wrote to memory of 220	2984	cmd.exe	114
PID 2984 wrote to memory of 220	2984	cmd.exe	114
PID 2984 wrote to memory of 1896	2984	cmd.exe	115
PID 2984 wrote to memory of 1896	2984	cmd.exe	115
PID 2984 wrote to memory of 2576	2984	cmd.exe	116
PID 2984 wrote to memory of 2576	2984	cmd.exe	116
PID 2576 wrote to memory of 1048	2576	updater.exe	117
PID 2576 wrote to memory of 1048	2576	updater.exe	117
PID 1048 wrote to memory of 1944	1048	cmd.exe	119
PID 1048 wrote to memory of 1944	1048	cmd.exe	119
PID 1048 wrote to memory of 3496	1048	cmd.exe	120
PID 1048 wrote to memory of 3496	1048	cmd.exe	120
PID 1048 wrote to memory of 3924	1048	cmd.exe	121
PID 1048 wrote to memory of 3924	1048	cmd.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe
"C:\Users\Admin\AppData\Local\Temp\7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y3cuap3q\y3cuap3q.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB92E.tmp" "c:\Windows\System32\CSC1A1060893DF14C7096D4FB46969F7B7.TMP"
    3⤵
    PID:924
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uBjYfmPlAU.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:712
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:532
- - C:\Users\Admin\AppData\Local\updater.exe
    "C:\Users\Admin\AppData\Local\updater.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1216
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EKfL32T79I.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1496
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1808
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:1624
    - - C:\Users\Admin\AppData\Local\updater.exe
        
        "C:\Users\Admin\AppData\Local\updater.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5016
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z2ErhzvLoq.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1420
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\updater.exe
        
        "C:\Users\Admin\AppData\Local\updater.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3P5lE7dbjQ.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:220
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\updater.exe
        
        "C:\Users\Admin\AppData\Local\updater.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iWyGsAOhHU.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1944
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\updater.exe
        
        "C:\Users\Admin\AppData\Local\updater.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "updateru" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\updater.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "updater" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\updater.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "updateru" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\updater.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\updater.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Temp\3P5lE7dbjQ.bat

Filesize
216B

MD5
916531dafee6fdb6c436b9b75230837b

SHA1
586e0d001e0fc8b96f477576ea16ce1a5a6b29cc

SHA256
48322683941d2f1094774d6fd317fd804107d6b0b376074308aeb43cde0427fe

SHA512
04345574ad772069bdab5204e65ba4abd12ed409b78c18375f35c114e645482d970dd66c2c227b1bcb2dc177e4d8bb445e44993c27402582f683ffac48423266

Download Submit
C:\Users\Admin\AppData\Local\Temp\EKfL32T79I.bat

Filesize
216B

MD5
55205e978a22600d852853886ab37073

SHA1
9846b2026f426bf4f3e195f353fb2689fa096452

SHA256
b4a7b725365a58f5342f6de8385a7c64ede196140b04e4453c79dbff5dd758cb

SHA512
a563540db75c5bd71223d5f6e7af41d823b3732a97b4ec0705b4e4f5f950bccb6d6d406426a7b985291146b6ff40edc16d5d7fe22c27ef12e366f78c7e10a6cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB92E.tmp

Filesize
1KB

MD5
deed653616a97682e6aab8301952fc72

SHA1
bc59c55b1ec88a34a4042eb85089344cdce17cb8

SHA256
77f555797d0e6aee50afcb0b5dc6a8632951052ed05d7ada43d031343462144f

SHA512
ae000ea78225170488183eeac1ff61477e112dbc9799de4202658e5f426332dac53a2049922c1484a767eb146fee85ee86eb9fad5e0996c11da300a0050dab11

Download Submit
C:\Users\Admin\AppData\Local\Temp\iWyGsAOhHU.bat

Filesize
168B

MD5
64451edadb45aa6b1a0d30189078ea80

SHA1
bb72d95dc4c5b6837af0a84a04a99a92a6df422c

SHA256
9156331c42b5f39ba18ad35f3244e8587ff72565d77deb5a397d9893c5c1310e

SHA512
f641811f99f3307973ceae2c8e2f3603d2f0dc016dae87455b4fb786c821858168f30433d5a9ea26ce34c945c975e820820f7d1daa68510c5b3df897c49f4377

Download Submit
C:\Users\Admin\AppData\Local\Temp\uBjYfmPlAU.bat

Filesize
216B

MD5
4f00e162cf3478714f0fac34e81c7e40

SHA1
f80769eb476548c2d0da22d0bce7dc688642dc01

SHA256
67306fe3f348c5a66bf3218d54106076e57a081b8228462ee99be2c6a36601e7

SHA512
e1c56eef89ee5b4052bb7378474efefb5a217da7bf182f2a81797bd8e4e8160407de68f75b689dff37ee9a10e63d919c9ac1fe717556159fe70842d7d34d2e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\z2ErhzvLoq.bat

Filesize
168B

MD5
86966c14f1c2ac168583b8d0aff5e23e

SHA1
b0906783fc46e8c3019a67d6e60cabb17f42066f

SHA256
a9456647c45b3f8fd7bbbe773e4e5113562084301718f63b671058075a909520

SHA512
db0fc574afba24796c7edd99994ae1504e48e991fbf27e0188a973d6672b798848850ce8309cb83b6c7a12d9ee9af998c6bef2000a429811fb86c2816fbb791f

Download Submit
C:\Users\Admin\AppData\Local\updater.exe

Filesize
1.8MB

MD5
4f964ada28fa2dde5c75d3c3682e69c4

SHA1
481a0ddc3dfd39147abf684b60b6a0b1dfbbc341

SHA256
7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945

SHA512
ab07c9602776dc062599a89eed9d38be2c95f563a9ed9c906e6c1066f80e5666f119c5a790a120bf626a73edd3cc178924262d41c0f65eb20fcf3b542a83dc68

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\y3cuap3q\y3cuap3q.0.cs

Filesize
372B

MD5
ea9c610e7f722c65aced40586dfceec3

SHA1
b87002b5b5035c81b158e7bbca0b28549275d292

SHA256
79f0855c40daa3741a2f3e5b83856c78f27de675a73e4f73906b160f06d81980

SHA512
01374815dca48c396e5b17eb25d9535e510a204678aeb019d34190ba0713989a9dd0581b6322ab43a6dcb480a2d16898490a6a320e82ba773d3e56a738786adc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\y3cuap3q\y3cuap3q.cmdline

Filesize
235B

MD5
3deb3e2dcd887070a8375edccbb25638

SHA1
e1ef913897769a4ec830649461f5312363d70c2a

SHA256
65db425e80e119bab6f296206367934bd7c61dc83b7f875a6f0b2fd10647459e

SHA512
c44fee4c0ca8ea1fb248ea87e1f1f1c3be7b37563d0c073ec8f1ac8dc5ac67434f784eaa03aa38b08795ba6f6d3842906f5166922e96099f16c01aac3594ea48

Download Submit
\??\c:\Windows\System32\CSC1A1060893DF14C7096D4FB46969F7B7.TMP

Filesize
1KB

MD5
2fd2b90e7053b01e6af25701a467eb1f

SHA1
68801a13cebba82c24f67a9d7c886fcefcf01a51

SHA256
12b900db56a20f01f0f1d65f46933971415d5b5675e59e8b02b3dae12aaa1527

SHA512
081d3a621e3664709867f3fdd82808364978f896fb007c0c8e6c8dfe25f2f2b8d37c9e0b2e4fb51c90bc6f691507b569e5d841ef3ca3bd38bd6adda2d30f32af

Download Submit
memory/1216-78-0x000000001C360000-0x000000001C462000-memory.dmp

Filesize
1.0MB

Download
memory/1216-71-0x000000001C360000-0x000000001C462000-memory.dmp

Filesize
1.0MB

Download
memory/2576-137-0x000000001C0C0000-0x000000001C22A000-memory.dmp

Filesize
1.4MB

Download
memory/2816-19-0x000000001BD50000-0x000000001BD66000-memory.dmp

Filesize
88KB

Download
memory/2816-16-0x000000001BC90000-0x000000001BCA2000-memory.dmp

Filesize
72KB

Download
memory/2816-25-0x000000001BB40000-0x000000001BB50000-memory.dmp

Filesize
64KB

Download
memory/2816-23-0x00007FFEAEFA0000-0x00007FFEAFA61000-memory.dmp

Filesize
10.8MB

Download
memory/2816-27-0x000000001BDD0000-0x000000001BE2A000-memory.dmp

Filesize
360KB

Download
memory/2816-29-0x000000001BB50000-0x000000001BB5E000-memory.dmp

Filesize
56KB

Download
memory/2816-30-0x00007FFEAEFA0000-0x00007FFEAFA61000-memory.dmp

Filesize
10.8MB

Download
memory/2816-32-0x000000001BE30000-0x000000001BE7E000-memory.dmp

Filesize
312KB

Download
memory/2816-35-0x00007FFEAEFA0000-0x00007FFEAFA61000-memory.dmp

Filesize
10.8MB

Download
memory/2816-39-0x00007FFEAEFA0000-0x00007FFEAFA61000-memory.dmp

Filesize
10.8MB

Download
memory/2816-40-0x00007FFEAEFA0000-0x00007FFEAFA61000-memory.dmp

Filesize
10.8MB

Download
memory/2816-22-0x000000001BB30000-0x000000001BB3E000-memory.dmp

Filesize
56KB

Download
memory/2816-20-0x00007FFEAEFA0000-0x00007FFEAFA61000-memory.dmp

Filesize
10.8MB

Download
memory/2816-17-0x00007FFEAEFA0000-0x00007FFEAFA61000-memory.dmp

Filesize
10.8MB

Download
memory/2816-0-0x00007FFEAEFA3000-0x00007FFEAEFA5000-memory.dmp

Filesize
8KB

Download
memory/2816-7-0x000000001BAC0000-0x000000001BADC000-memory.dmp

Filesize
112KB

Download
memory/2816-56-0x00007FFEAEFA0000-0x00007FFEAFA61000-memory.dmp

Filesize
10.8MB

Download
memory/2816-14-0x00000000031B0000-0x00000000031BE000-memory.dmp

Filesize
56KB

Download
memory/2816-8-0x00007FFEAEFA0000-0x00007FFEAFA61000-memory.dmp

Filesize
10.8MB

Download
memory/2816-12-0x000000001BC70000-0x000000001BC88000-memory.dmp

Filesize
96KB

Download
memory/2816-9-0x000000001BB10000-0x000000001BB2C000-memory.dmp

Filesize
112KB

Download
memory/2816-10-0x000000001BCC0000-0x000000001BD10000-memory.dmp

Filesize
320KB

Download
memory/2816-1-0x0000000000E60000-0x000000000102A000-memory.dmp

Filesize
1.8MB

Download
memory/2816-2-0x00007FFEAEFA0000-0x00007FFEAFA61000-memory.dmp

Filesize
10.8MB

Download
memory/2816-5-0x00007FFEAEFA0000-0x00007FFEAFA61000-memory.dmp

Filesize
10.8MB

Download
memory/2816-4-0x00000000031A0000-0x00000000031AE000-memory.dmp

Filesize
56KB

Download
memory/4468-119-0x000000001C250000-0x000000001C352000-memory.dmp

Filesize
1.0MB

Download
memory/4468-113-0x000000001C250000-0x000000001C352000-memory.dmp

Filesize
1.0MB

Download
memory/5016-99-0x000000001B780000-0x000000001B882000-memory.dmp

Filesize
1.0MB

Download
memory/5016-93-0x000000001B780000-0x000000001B882000-memory.dmp

Filesize
1.0MB

Download