dcrat | 6d9899c4be14a7899939e226d4fad6c30593e261b6655cf912d09d09ae5a039e

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6d9899c4be14a7899939e226d4fad6c30593e261b6655cf912d09d09ae5a039e.exe
Size

1.3MB
MD5

b1d16f347692432587298343b7f93a10
SHA1

58fdef12cfa882b9867e58fced09787faddd036d
SHA256

6d9899c4be14a7899939e226d4fad6c30593e261b6655cf912d09d09ae5a039e
SHA512

5e8bc26ab2d65e499ea14fa2d1d7a4afa6097cd3a79356fd43d0102dcb30cd43915bff0642a56f23ec0b8f4713d080fbba18fa605f8b89d2263507776c340146
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	2656	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000170b5-12.dat	dcrat
behavioral1/memory/2948-13-0x0000000000BF0000-0x0000000000D00000-memory.dmp	dcrat
behavioral1/memory/2088-44-0x0000000000310000-0x0000000000420000-memory.dmp	dcrat
behavioral1/memory/1340-103-0x0000000000A20000-0x0000000000B30000-memory.dmp	dcrat
behavioral1/memory/2776-163-0x0000000001370000-0x0000000001480000-memory.dmp	dcrat
behavioral1/memory/604-282-0x00000000001B0000-0x00000000002C0000-memory.dmp	dcrat
behavioral1/memory/756-343-0x00000000001D0000-0x00000000002E0000-memory.dmp	dcrat
behavioral1/memory/2192-403-0x0000000000080000-0x0000000000190000-memory.dmp	dcrat
behavioral1/memory/2080-463-0x0000000000C40000-0x0000000000D50000-memory.dmp	dcrat
behavioral1/memory/2448-523-0x0000000000150000-0x0000000000260000-memory.dmp	dcrat
behavioral1/memory/2356-584-0x0000000001230000-0x0000000001340000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1300	powershell.exe
760	powershell.exe
1812	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2948	DllCommonsvc.exe
2088	services.exe
1340	services.exe
2776	services.exe
1820	services.exe
604	services.exe
756	services.exe
2192	services.exe
2080	services.exe
2448	services.exe
2356	services.exe
2136	services.exe

Loads dropped DLL 2 IoCs

pid	Process
2892	cmd.exe
2892	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
32	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
15	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
38	raw.githubusercontent.com
12	raw.githubusercontent.com
29	raw.githubusercontent.com
35	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6d9899c4be14a7899939e226d4fad6c30593e261b6655cf912d09d09ae5a039e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2356	schtasks.exe
2404	schtasks.exe
352	schtasks.exe
2308	schtasks.exe
1776	schtasks.exe
580	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2948	DllCommonsvc.exe
1300	powershell.exe
760	powershell.exe
1812	powershell.exe
2088	services.exe
1340	services.exe
2776	services.exe
1820	services.exe
604	services.exe
756	services.exe
2192	services.exe
2080	services.exe
2448	services.exe
2356	services.exe
2136	services.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2948	DllCommonsvc.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	2088	services.exe
Token: SeDebugPrivilege	1340	services.exe
Token: SeDebugPrivilege	2776	services.exe
Token: SeDebugPrivilege	1820	services.exe
Token: SeDebugPrivilege	604	services.exe
Token: SeDebugPrivilege	756	services.exe
Token: SeDebugPrivilege	2192	services.exe
Token: SeDebugPrivilege	2080	services.exe
Token: SeDebugPrivilege	2448	services.exe
Token: SeDebugPrivilege	2356	services.exe
Token: SeDebugPrivilege	2136	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2820	2096	JaffaCakes118_6d9899c4be14a7899939e226d4fad6c30593e261b6655cf912d09d09ae5a039e.exe	30
PID 2096 wrote to memory of 2820	2096	JaffaCakes118_6d9899c4be14a7899939e226d4fad6c30593e261b6655cf912d09d09ae5a039e.exe	30
PID 2096 wrote to memory of 2820	2096	JaffaCakes118_6d9899c4be14a7899939e226d4fad6c30593e261b6655cf912d09d09ae5a039e.exe	30
PID 2096 wrote to memory of 2820	2096	JaffaCakes118_6d9899c4be14a7899939e226d4fad6c30593e261b6655cf912d09d09ae5a039e.exe	30
PID 2820 wrote to memory of 2892	2820	WScript.exe	31
PID 2820 wrote to memory of 2892	2820	WScript.exe	31
PID 2820 wrote to memory of 2892	2820	WScript.exe	31
PID 2820 wrote to memory of 2892	2820	WScript.exe	31
PID 2892 wrote to memory of 2948	2892	cmd.exe	33
PID 2892 wrote to memory of 2948	2892	cmd.exe	33
PID 2892 wrote to memory of 2948	2892	cmd.exe	33
PID 2892 wrote to memory of 2948	2892	cmd.exe	33
PID 2948 wrote to memory of 1300	2948	DllCommonsvc.exe	41
PID 2948 wrote to memory of 1300	2948	DllCommonsvc.exe	41
PID 2948 wrote to memory of 1300	2948	DllCommonsvc.exe	41
PID 2948 wrote to memory of 760	2948	DllCommonsvc.exe	42
PID 2948 wrote to memory of 760	2948	DllCommonsvc.exe	42
PID 2948 wrote to memory of 760	2948	DllCommonsvc.exe	42
PID 2948 wrote to memory of 1812	2948	DllCommonsvc.exe	43
PID 2948 wrote to memory of 1812	2948	DllCommonsvc.exe	43
PID 2948 wrote to memory of 1812	2948	DllCommonsvc.exe	43
PID 2948 wrote to memory of 2088	2948	DllCommonsvc.exe	47
PID 2948 wrote to memory of 2088	2948	DllCommonsvc.exe	47
PID 2948 wrote to memory of 2088	2948	DllCommonsvc.exe	47
PID 2088 wrote to memory of 1336	2088	services.exe	48
PID 2088 wrote to memory of 1336	2088	services.exe	48
PID 2088 wrote to memory of 1336	2088	services.exe	48
PID 1336 wrote to memory of 2292	1336	cmd.exe	50
PID 1336 wrote to memory of 2292	1336	cmd.exe	50
PID 1336 wrote to memory of 2292	1336	cmd.exe	50
PID 1336 wrote to memory of 1340	1336	cmd.exe	51
PID 1336 wrote to memory of 1340	1336	cmd.exe	51
PID 1336 wrote to memory of 1340	1336	cmd.exe	51
PID 1340 wrote to memory of 2804	1340	services.exe	53
PID 1340 wrote to memory of 2804	1340	services.exe	53
PID 1340 wrote to memory of 2804	1340	services.exe	53
PID 2804 wrote to memory of 2908	2804	cmd.exe	55
PID 2804 wrote to memory of 2908	2804	cmd.exe	55
PID 2804 wrote to memory of 2908	2804	cmd.exe	55
PID 2804 wrote to memory of 2776	2804	cmd.exe	56
PID 2804 wrote to memory of 2776	2804	cmd.exe	56
PID 2804 wrote to memory of 2776	2804	cmd.exe	56
PID 2776 wrote to memory of 2696	2776	services.exe	57
PID 2776 wrote to memory of 2696	2776	services.exe	57
PID 2776 wrote to memory of 2696	2776	services.exe	57
PID 2696 wrote to memory of 848	2696	cmd.exe	59
PID 2696 wrote to memory of 848	2696	cmd.exe	59
PID 2696 wrote to memory of 848	2696	cmd.exe	59
PID 2696 wrote to memory of 1820	2696	cmd.exe	60
PID 2696 wrote to memory of 1820	2696	cmd.exe	60
PID 2696 wrote to memory of 1820	2696	cmd.exe	60
PID 1820 wrote to memory of 1736	1820	services.exe	61
PID 1820 wrote to memory of 1736	1820	services.exe	61
PID 1820 wrote to memory of 1736	1820	services.exe	61
PID 1736 wrote to memory of 680	1736	cmd.exe	63
PID 1736 wrote to memory of 680	1736	cmd.exe	63
PID 1736 wrote to memory of 680	1736	cmd.exe	63
PID 1736 wrote to memory of 604	1736	cmd.exe	64
PID 1736 wrote to memory of 604	1736	cmd.exe	64
PID 1736 wrote to memory of 604	1736	cmd.exe	64
PID 604 wrote to memory of 2472	604	services.exe	65
PID 604 wrote to memory of 2472	604	services.exe	65
PID 604 wrote to memory of 2472	604	services.exe	65
PID 2472 wrote to memory of 1668	2472	cmd.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d9899c4be14a7899939e226d4fad6c30593e261b6655cf912d09d09ae5a039e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d9899c4be14a7899939e226d4fad6c30593e261b6655cf912d09d09ae5a039e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
    - - C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2088
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GptcLQn9Ec.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2292
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDq7RH5Uwz.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2908
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:848
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:680
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mWzz7cjAeP.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1668
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n7UEJyIAjk.bat"
        16⤵
        
        PID:3008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2976
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9avng9MHpa.bat"
        18⤵
        
        PID:2140
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1448
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat"
        20⤵
        
        PID:1312
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2496
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VoHf0I0Wzs.bat"
        22⤵
        
        PID:2320
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2640
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat"
        24⤵
        
        PID:980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2152
        
        C:\providercommon\services.exe
        
        "C:\providercommon\services.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DC0SKfNvdG.bat"
        26⤵
        
        PID:1916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
791fd0c78cc86485cc28cf0795766cae

SHA1
d32a5cfe2ab7e4e58cd4c0391fe2b45b9f930bf3

SHA256
1b14d3a4a2e3d6f304aff3134f3d900ecf834573151120e5a52e04ff7725b5b1

SHA512
577507436564c540a85578007e011c1bb88dedbd56770e0ab1362bf029a10487f52dfb2622d9a4954825adb712ca3d9424060454d118310e1164db3396335797

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11b0743c54bfdbd7177ae24b51333f46

SHA1
57b4d9641c8dc1e7d7a75784a36ee2e676cda35b

SHA256
dfde85576fde9622d7d619bb635cebce69b383aa8f3e78fd22910bba6eb7e7da

SHA512
3c3d9a1c9a7427bc27f7ddad2463576cea7dc05bfc345ba43c487659563ee564a98c1542aa9c49a05c8bcb59681eba10fc8061cc54c1046d6404df862ad7edeb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7bde54ae7517ffc7878c0fe0c5c63e93

SHA1
b80f2a94cdbd9e0d3af1d785504964bf3445c789

SHA256
ca172ba2b1db16cb77705f9b9a96a4af0aabbacbc7915ba07744bb567d2f726f

SHA512
a5b10275aa524784eba7da7a87ba0efe7fc14fa40c9325c5754e3e971a1ef57330da3ce2368e3f73df749a625f2bbeb83ad894a7a0d22be9d556037ad49b73c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c59160064b44310e547fde91d7b2cc1f

SHA1
168eb9c7c34043f341e9183f89f3d94b3db81b3a

SHA256
6d621aaca9754675e41ae41763844645df1a07afc892c516d6a399c6100543ed

SHA512
016954707eb0bbfd13947deee8fdb32d769a8cf1fdd3d050a711aba3d65d320d0adaf5152fec937830a6feac50b7f0ea5f9466d189dd29670368d168c279ca07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de6f8528f96c905001ead93df714351c

SHA1
8c235d13037523886468280ac1a698768a5945d6

SHA256
b13eec57073c67dffb1cedaf69ca3df84c86edde9b93046f255d75502c50135a

SHA512
1022434d3353227735b6b0af3f2d7abcc4ffc7cd762ea268330f904d7bb4dd6b166ed2ce7eb36aaa7502808d6b167ea29b2ba35867c184f3aa1dfd8d10749dcc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a6d78125f35789b063b3faa302b0a17

SHA1
f9935c886689e002792d4f59303ccd584491cf6c

SHA256
3898cbf4489e2f3edb3c848932d09d620003d598a19419b5ab4db34ebada5ecf

SHA512
9a820c281997c5bf93c4e451e8f72f181d71d31a9979bc815746afddc97f2e0136298f38b439c99580e5bf3ea3ce8cc8ea43d605b0e571a73487cd9ff6cf9826

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a34bbea01be7f3c91f330efd07bbf6a7

SHA1
d827300ab722efc329536d6baf6100731bbc50ae

SHA256
f960d35cf6495b6a29112df21cbf702bb68b9df7e9891e15172d14620e4fa9a7

SHA512
cca37955987a4a9f6cd267d9d95a7e55bc55cacd8484fbb938806716466f8e0e71fad1e13de5b4611698abed84b42afca6bdb18859276d723cd99caa366a8eba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31004cd66c95f3a9036e746b06edfed0

SHA1
60e82abdf72b9dc1bcb669f7b41517fa7729009c

SHA256
8c8e9881fd1f36f34aa88f4b74ffc3ef1c39bd1cad85c2dd670917dd2ec87965

SHA512
fa16c9e71d2e12d9111a8e3fa2524c4f1d73d000ac0985819f009040c91b565925350fe46432cdd41add7a0d31ccb1dcbb5b789826b89523936ed565aca7f1ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
639c89b28f81d4ec7d10ec0ae37644fd

SHA1
ac9209d831153b7dc632e4b5caf56eaa20f0cb41

SHA256
d86be99bd2b8bdc9bfb23cf1d91df0d4f5faac5ebc2ee7fbd15283ceb5255c5a

SHA512
b45504446348bc1c8339a5379afb3d065edc0c935da685204ea517c0188205655f3b93c08a77b2f73af617500a6af0a9f3a919a09fb9bdf16152b90e08a15907

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eaf75cdd76c3384c5a7fcb1c1e19b940

SHA1
af4332ba3342db1e3df75b36bb5094e54a827276

SHA256
9151e5f6018f64070332f63ced9149ecf6c5426dc5860a33fd38ec748fa6814e

SHA512
2fd8109f5e7c20884ba6abbe6a1d4dbfbb91d15b33a2025f5a1bb6f54f45dc2f9f418edc03bdf0713bac4705a0faa0c4772ab52c26f1fad55be434072d63d21a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat

Filesize
195B

MD5
80d381ee074b078d5967dc494af582d8

SHA1
9f46490a2a9385c4124f80bda2596415c3760d6c

SHA256
de09feabcb3e2a1963c5c707b7d0e6e73d95600317f7932cc4fbd131863d0411

SHA512
45547b5191e1909227807827bb103823df5b80174813dd93366381a16c0fb675ee17159bee0255d3e9157a7be319b8f556c3f699e604fcfbf113f46fa57bdfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\9avng9MHpa.bat

Filesize
195B

MD5
e4e8f0220e1bd7c9d415dc15ca855483

SHA1
eb3aff4ee3fdfc8b73d32e02babeb9b1d553814a

SHA256
c3ee842a6ee9d82680c97d6f7ca1d44cbbdb4d2c833297465a401b10ac7806cd

SHA512
24a5553c66fd5fcc94eb3dd1eaaebd0b9beee7c0c5b384c13d13e7350418e8e7492fcebbe643e2c770dd6c53ac1680d64a113ccd84b13e630b68eba9d0a90061

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAC67.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DC0SKfNvdG.bat

Filesize
195B

MD5
1df6d78c1dbcd30419e3a35dcfdd5fa9

SHA1
3e6c0ad5d478a2f9ea12fb3751da4e06ba912f2d

SHA256
e3e166c664095ac7dde2b2ec120c2bf542674243241e9c5920cede93f6c6ee5f

SHA512
e635d512af9009c86a85a30d12902088a4bf9643a2378ed2661da2cf250e70df12b7fbd94867c11de94fd39428ed6c5ff793f6917ebb3f604edd39a78f2c0c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\GptcLQn9Ec.bat

Filesize
195B

MD5
0d48ee14a498404cf857cd9b16c3fb6d

SHA1
37df136f8d0e7b364094448bc76ccea1f1b89641

SHA256
9e93be2ded4045ab086673097c1fbdb7ae1e45653591f1ff74045ad7bf82b6ae

SHA512
2a3f9d03e5ab1067a08c30f34d0142ce2c584092b6164f484766dcc12cf460b61cc6b25fbd19b7b2e709d4e6a79ee9ad7557035dade6e7ddbaf265a32300f266

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAC7A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VoHf0I0Wzs.bat

Filesize
195B

MD5
c1e0c95fb9376e4f63723a7ec6b59874

SHA1
6c8093340e84f91f89698b44b3c24fb3528fb26e

SHA256
87f3d6772be442c767a96f76a16b6312727a6c18b2a0bbdf75908a81955106e4

SHA512
dc068bd7f38a74b3df5bbc23a39edcbb0fe1d47bdec335b2adf4aaf3b6a1cdadaaa451a4839a3228953ec989dd1c7197dbe6854742c91dd7fa4c605800e52b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat

Filesize
195B

MD5
a22e81168164c188aa2e268c0493db25

SHA1
bcaa82bc3cced13dd70221df872ba4a0fc044b50

SHA256
e58d5c4da0949b634ffdaa21821d390ba7dfd5139d25f21abf354fd35e66c786

SHA512
9a8768d257b91968937f7137d356854b9c8387a4789c392c118d69e26ff77171c1debf88ac86d3b3dbb9e1d3f4c6ae4391970ccbdc82a3130fb00b9111dfae8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat

Filesize
195B

MD5
3128b9ccf8bc4b083245207b40f20014

SHA1
ada6220b974eb0dd80014085b86f815301f357d0

SHA256
ec0919ecd995d237e297b0995eca2b937d6caf6b9ad8a506de110caa842b7d36

SHA512
cf836a2bb175da16c387814fe7b61fc90258f1f79bff2234ddd9090187d07499f0ba00b7975f30ac6c6d2266c5efc92a8f1f78fcffc7f18f4e1af0b2bb8e8894

Download Submit
C:\Users\Admin\AppData\Local\Temp\mWzz7cjAeP.bat

Filesize
195B

MD5
0dbbf106fb74abf2de5823878083d03d

SHA1
bf005bef552c296bd6020fa71e99fb578ba03740

SHA256
dc159d4769cd21b1b170a2aafdcb7a5ed67c89e64abdc30b0131758dbaaba9f5

SHA512
486a9639948ff8eecc5494fd6ada2c20cd58206a4d30854b684a8574c154cce03a1000f9ea2318872bbaf4c8c7aecd45466c98b6a5d22ed9e0c30ca7fd45e1d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\n7UEJyIAjk.bat

Filesize
195B

MD5
2e0310419a1c7f4764adbe9eaa915f46

SHA1
0e0b139eda9faf86ea99f67c2ed31df45fa4fbe8

SHA256
5bded8f257cb4600a2b813113a0d8d13277a0151138d8b11a28b71ca3150a69c

SHA512
fa9b805b7773cbd42ae2ae1365357d1f3087b706e8505238fffc6380047061ad334acbb31b955e4c87d109a76a7c12f4c54145cb8a6daf7de6b90de8bdd007b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nDq7RH5Uwz.bat

Filesize
195B

MD5
a1012434291b71b4eb6a21d04d97866e

SHA1
4889c940fdb299de413e144d6a64407b01bf3fa3

SHA256
f9beb58c3b54397f1ae8b8aea6a49cff96fd0595864e8a3d608b5ed4f12f9d0a

SHA512
19c08d6d8b8ab59e6ef92c649ececed862553b50e392a564f2b02f27c30d117887b3012adc618281228a74d201ca7d6b509a831626be942949157da244a08b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat

Filesize
195B

MD5
8f573a7d69d4747ba4629f274ed18d52

SHA1
9adc2aa0b3e299cde406df91e1b47090413f5299

SHA256
57ad8ca3311d98c49720fcfb4c4591470b1aee67cc5c85f62d8d88fd7d949f85

SHA512
6d7188c25a3e9209c20b4e6e8253c5f31c23e162a5f661474439f959bec44c88e118ae551e3a101b43fcabc7ca7cd51c74513676af88eb599ea73d9d72a624ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
dbfc8a17d9fd879300640087436ede68

SHA1
722e2eff53b4a952487af10a2ec5abe7ba3cd5e7

SHA256
a34f6fd3d83bd392c13105a0b8f27dda82bf100d8f8f921870dc7fc3cd17e0f7

SHA512
c9c26a3c3e8e9c9a1b63214be1bed86cfb0873298c1cb0c209c4000b495bf41ddd63eae58a321615f99fcd4da4cb550adb6c8188fb3d0a901606ef3bc85a04a9

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/604-283-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/604-282-0x00000000001B0000-0x00000000002C0000-memory.dmp

Filesize
1.1MB

Download
memory/756-343-0x00000000001D0000-0x00000000002E0000-memory.dmp

Filesize
1.1MB

Download
memory/1300-43-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/1300-42-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/1340-103-0x0000000000A20000-0x0000000000B30000-memory.dmp

Filesize
1.1MB

Download
memory/2080-463-0x0000000000C40000-0x0000000000D50000-memory.dmp

Filesize
1.1MB

Download
memory/2088-44-0x0000000000310000-0x0000000000420000-memory.dmp

Filesize
1.1MB

Download
memory/2192-403-0x0000000000080000-0x0000000000190000-memory.dmp

Filesize
1.1MB

Download
memory/2356-584-0x0000000001230000-0x0000000001340000-memory.dmp

Filesize
1.1MB

Download
memory/2448-524-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2448-523-0x0000000000150000-0x0000000000260000-memory.dmp

Filesize
1.1MB

Download
memory/2776-163-0x0000000001370000-0x0000000001480000-memory.dmp

Filesize
1.1MB

Download
memory/2948-17-0x0000000000A90000-0x0000000000A9C000-memory.dmp

Filesize
48KB

Download
memory/2948-16-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2948-15-0x0000000000A80000-0x0000000000A8C000-memory.dmp

Filesize
48KB

Download
memory/2948-14-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/2948-13-0x0000000000BF0000-0x0000000000D00000-memory.dmp

Filesize
1.1MB

Download