dcrat | 93e70be7948903b137cbd13cf87d9418633bd3aeef7135f1af01c016f864cec0

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 00:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_93e70be7948903b137cbd13cf87d9418633bd3aeef7135f1af01c016f864cec0.exe
Size

1.3MB
MD5

6371030e6d85c20398c34082e97705d2
SHA1

7c85c909b8e3944a522f3e27af54544fae3cdecb
SHA256

93e70be7948903b137cbd13cf87d9418633bd3aeef7135f1af01c016f864cec0
SHA512

8f2dfe7eab6ab8ade0fe70b6c41c069fe704aa1319416ac44682843b8c6b858821f284be685996fc1eded810636c8c70c2342f96685ad4668488ccc5af7a7c86
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2996	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2996	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2996	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2996	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2996	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2996	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015d81-12.dat	dcrat
behavioral1/memory/2468-13-0x0000000000F90000-0x00000000010A0000-memory.dmp	dcrat
behavioral1/memory/1560-28-0x00000000003E0000-0x00000000004F0000-memory.dmp	dcrat
behavioral1/memory/2148-104-0x0000000001380000-0x0000000001490000-memory.dmp	dcrat
behavioral1/memory/3060-165-0x0000000000200000-0x0000000000310000-memory.dmp	dcrat
behavioral1/memory/2936-225-0x00000000009D0000-0x0000000000AE0000-memory.dmp	dcrat
behavioral1/memory/3064-285-0x00000000001A0000-0x00000000002B0000-memory.dmp	dcrat
behavioral1/memory/1584-345-0x0000000000F70000-0x0000000001080000-memory.dmp	dcrat
behavioral1/memory/2064-524-0x0000000001220000-0x0000000001330000-memory.dmp	dcrat
behavioral1/memory/2868-585-0x0000000000210000-0x0000000000320000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2132	powershell.exe
1864	powershell.exe
2700	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2468	DllCommonsvc.exe
1560	conhost.exe
2148	conhost.exe
3060	conhost.exe
2936	conhost.exe
3064	conhost.exe
1584	conhost.exe
2776	conhost.exe
2404	conhost.exe
2064	conhost.exe
2868	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1796	cmd.exe
1796	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
37	raw.githubusercontent.com
34	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
27	raw.githubusercontent.com
31	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\spoolsv.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\f3b6ecef712a24	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_93e70be7948903b137cbd13cf87d9418633bd3aeef7135f1af01c016f864cec0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2140	schtasks.exe
2932	schtasks.exe
2820	schtasks.exe
2884	schtasks.exe
2580	schtasks.exe
2628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2468	DllCommonsvc.exe
2700	powershell.exe
1864	powershell.exe
2132	powershell.exe
1560	conhost.exe
2148	conhost.exe
3060	conhost.exe
2936	conhost.exe
3064	conhost.exe
1584	conhost.exe
2776	conhost.exe
2404	conhost.exe
2064	conhost.exe
2868	conhost.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2468	DllCommonsvc.exe
Token: SeDebugPrivilege	1560	conhost.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	2148	conhost.exe
Token: SeDebugPrivilege	3060	conhost.exe
Token: SeDebugPrivilege	2936	conhost.exe
Token: SeDebugPrivilege	3064	conhost.exe
Token: SeDebugPrivilege	1584	conhost.exe
Token: SeDebugPrivilege	2776	conhost.exe
Token: SeDebugPrivilege	2404	conhost.exe
Token: SeDebugPrivilege	2064	conhost.exe
Token: SeDebugPrivilege	2868	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 2364	1856	JaffaCakes118_93e70be7948903b137cbd13cf87d9418633bd3aeef7135f1af01c016f864cec0.exe	30
PID 1856 wrote to memory of 2364	1856	JaffaCakes118_93e70be7948903b137cbd13cf87d9418633bd3aeef7135f1af01c016f864cec0.exe	30
PID 1856 wrote to memory of 2364	1856	JaffaCakes118_93e70be7948903b137cbd13cf87d9418633bd3aeef7135f1af01c016f864cec0.exe	30
PID 1856 wrote to memory of 2364	1856	JaffaCakes118_93e70be7948903b137cbd13cf87d9418633bd3aeef7135f1af01c016f864cec0.exe	30
PID 2364 wrote to memory of 1796	2364	WScript.exe	31
PID 2364 wrote to memory of 1796	2364	WScript.exe	31
PID 2364 wrote to memory of 1796	2364	WScript.exe	31
PID 2364 wrote to memory of 1796	2364	WScript.exe	31
PID 1796 wrote to memory of 2468	1796	cmd.exe	33
PID 1796 wrote to memory of 2468	1796	cmd.exe	33
PID 1796 wrote to memory of 2468	1796	cmd.exe	33
PID 1796 wrote to memory of 2468	1796	cmd.exe	33
PID 2468 wrote to memory of 2700	2468	DllCommonsvc.exe	41
PID 2468 wrote to memory of 2700	2468	DllCommonsvc.exe	41
PID 2468 wrote to memory of 2700	2468	DllCommonsvc.exe	41
PID 2468 wrote to memory of 1864	2468	DllCommonsvc.exe	42
PID 2468 wrote to memory of 1864	2468	DllCommonsvc.exe	42
PID 2468 wrote to memory of 1864	2468	DllCommonsvc.exe	42
PID 2468 wrote to memory of 2132	2468	DllCommonsvc.exe	43
PID 2468 wrote to memory of 2132	2468	DllCommonsvc.exe	43
PID 2468 wrote to memory of 2132	2468	DllCommonsvc.exe	43
PID 2468 wrote to memory of 1560	2468	DllCommonsvc.exe	47
PID 2468 wrote to memory of 1560	2468	DllCommonsvc.exe	47
PID 2468 wrote to memory of 1560	2468	DllCommonsvc.exe	47
PID 1560 wrote to memory of 588	1560	conhost.exe	49
PID 1560 wrote to memory of 588	1560	conhost.exe	49
PID 1560 wrote to memory of 588	1560	conhost.exe	49
PID 588 wrote to memory of 2068	588	cmd.exe	51
PID 588 wrote to memory of 2068	588	cmd.exe	51
PID 588 wrote to memory of 2068	588	cmd.exe	51
PID 588 wrote to memory of 2148	588	cmd.exe	52
PID 588 wrote to memory of 2148	588	cmd.exe	52
PID 588 wrote to memory of 2148	588	cmd.exe	52
PID 2148 wrote to memory of 1084	2148	conhost.exe	53
PID 2148 wrote to memory of 1084	2148	conhost.exe	53
PID 2148 wrote to memory of 1084	2148	conhost.exe	53
PID 1084 wrote to memory of 1856	1084	cmd.exe	55
PID 1084 wrote to memory of 1856	1084	cmd.exe	55
PID 1084 wrote to memory of 1856	1084	cmd.exe	55
PID 1084 wrote to memory of 3060	1084	cmd.exe	56
PID 1084 wrote to memory of 3060	1084	cmd.exe	56
PID 1084 wrote to memory of 3060	1084	cmd.exe	56
PID 3060 wrote to memory of 1808	3060	conhost.exe	57
PID 3060 wrote to memory of 1808	3060	conhost.exe	57
PID 3060 wrote to memory of 1808	3060	conhost.exe	57
PID 1808 wrote to memory of 876	1808	cmd.exe	59
PID 1808 wrote to memory of 876	1808	cmd.exe	59
PID 1808 wrote to memory of 876	1808	cmd.exe	59
PID 1808 wrote to memory of 2936	1808	cmd.exe	60
PID 1808 wrote to memory of 2936	1808	cmd.exe	60
PID 1808 wrote to memory of 2936	1808	cmd.exe	60
PID 2936 wrote to memory of 276	2936	conhost.exe	61
PID 2936 wrote to memory of 276	2936	conhost.exe	61
PID 2936 wrote to memory of 276	2936	conhost.exe	61
PID 276 wrote to memory of 1080	276	cmd.exe	63
PID 276 wrote to memory of 1080	276	cmd.exe	63
PID 276 wrote to memory of 1080	276	cmd.exe	63
PID 276 wrote to memory of 3064	276	cmd.exe	64
PID 276 wrote to memory of 3064	276	cmd.exe	64
PID 276 wrote to memory of 3064	276	cmd.exe	64
PID 3064 wrote to memory of 1888	3064	conhost.exe	65
PID 3064 wrote to memory of 1888	3064	conhost.exe	65
PID 3064 wrote to memory of 1888	3064	conhost.exe	65
PID 1888 wrote to memory of 1784	1888	cmd.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_93e70be7948903b137cbd13cf87d9418633bd3aeef7135f1af01c016f864cec0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_93e70be7948903b137cbd13cf87d9418633bd3aeef7135f1af01c016f864cec0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
    - - C:\MSOCache\All Users\conhost.exe
        
        "C:\MSOCache\All Users\conhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1560
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2068
        
        C:\MSOCache\All Users\conhost.exe
        
        "C:\MSOCache\All Users\conhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tYG4XGbOex.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1856
        
        C:\MSOCache\All Users\conhost.exe
        
        "C:\MSOCache\All Users\conhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:876
        
        C:\MSOCache\All Users\conhost.exe
        
        "C:\MSOCache\All Users\conhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\voEVGuhWUp.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1080
        
        C:\MSOCache\All Users\conhost.exe
        
        "C:\MSOCache\All Users\conhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1784
        
        C:\MSOCache\All Users\conhost.exe
        
        "C:\MSOCache\All Users\conhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AMKHlt6LWj.bat"
        16⤵
        
        PID:2480
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2624
        
        C:\MSOCache\All Users\conhost.exe
        
        "C:\MSOCache\All Users\conhost.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zlmto9DLwM.bat"
        18⤵
        
        PID:3020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1872
        
        C:\MSOCache\All Users\conhost.exe
        
        "C:\MSOCache\All Users\conhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9gHfnS8a2p.bat"
        20⤵
        
        PID:2656
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2664
        
        C:\MSOCache\All Users\conhost.exe
        
        "C:\MSOCache\All Users\conhost.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHuJ4aKJis.bat"
        22⤵
        
        PID:2592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2112
        
        C:\MSOCache\All Users\conhost.exe
        
        "C:\MSOCache\All Users\conhost.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I0OceA6Xfh.bat"
        24⤵
        
        PID:2772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53f91e869511e477ad65b9db16ee0a3c

SHA1
f2c153caf73fe175506c482776e792ea3fc9297c

SHA256
22714a0755f0d4cb1e4a7ef035f66193f10f1b717513464df4a9155f748cfc2b

SHA512
24eacd0f06d45481e1e5affcc109fcbc1cae6367240583f0105dd01cf83c67f644ff27f6addc068def9971cd17856ec3993b1ff74d520a43842cf6ac9cb5d91f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d597e83f3462b99ee57775ba409539dd

SHA1
d95b88086a974a7ab69d8339f4d6ebfb808e7146

SHA256
c77daaea509452a7e723c588eea1832eb8bf6b5dd821863fb7433fde516997ed

SHA512
8c755da0478e8ee04cdf08aad083665204df3fecf0765cd62f4ac5ec94f3ad7e5d589501586180207dd474293559967d75fc2e2e0c11b0248e6342e8d85f7184

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d0fb6eb31e45af5d95acf6afd2b6a430

SHA1
4ab451abb771c9477f8b6c3804d00b9f63e4b415

SHA256
6fb82563afb4459d6fdc7562789906d6f69b9520848ced87f7dc9c253320f484

SHA512
bc47eb1240ee52aac5fddbf15f150ab47e2970b19815c259b3e1696bc849e424e06b370f669070027165b278c3fcfaf43b7b5fbb28b7cb04f79bbe85f58c6a5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ac51a22d8d2865160980f024958ee53

SHA1
39209262fc8a1ba9bf166127b14253316440d5e5

SHA256
7cc3557fc3c59688dce7b96f0b58450a8278756c17eae7dc0332e88801c0ed33

SHA512
12a15e7e529618d39809b777465f1fc5b75b31b340085c2efba1ef9f47d9cfc683594b8c408501c8470527b7a7502766da3d94ffda7647dad907221cccb615d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4111023a90e32debeee43ae3f78b75e4

SHA1
ba2a798fe6eb1b61c5c04a3ac8d679aebfd31641

SHA256
396ae2731135169c2bd97879591580e4f596211a312b46554ab3be14791993c9

SHA512
1405d0fd09eb06322d2fa706bd7051f1c9e91c83d241111d1a685c0fc2c3550848563e31a0e96e4cb659a9778f78a0ce64425aa0a6eafa67219654d1f1bc1624

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fea604f73ed275048f41f535ec1797ab

SHA1
a4009f3c30555477f2b19ad55edec9ad386d5d72

SHA256
524059ad70108eb52b6ccba4297582897995a2f2cf1b881c885e6eb79724dc8e

SHA512
861d2568b8cea38010bbd753341b29c80ea740205cbf6ada814b6ee4304b74e32aa977d2225116f6c698feb1b0ad47d7dd577ebe9b9de5b26c8ee7b359f1529f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a91d36abdd39d92d0d0354b82fda432

SHA1
bbaac5542186ce702737c5c9b962fc8f719f4837

SHA256
2871b015148bd7844dc87d8c77b6b512e6d52067248c942af1da56e81a197b9f

SHA512
41fcc07202a4851ed3d154cb223d5b3d371f2ccb2c1050962ee4365979d8890be4600aad74de9264c1c1cd8355fa0250288ff26055eae0eca00ac8a355b88c2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3806f492cb7216870003fa5e7ef13b73

SHA1
3ec336c8098156f1f5521faf746f41920b4fc224

SHA256
9df25f6a3b93864dc588e518b57be06892b18e0e7c602742bad22ba6c62a1833

SHA512
68e5a4120b7d15654440fbe782f15ead719a44a99d46d55d0f8ed555b6f0a7946c6706932a4c62b9082a3ff51b5690ea25b5de2ad4342e024bc2dde5c888b084

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c4931aae682e9b046cda9600f542197

SHA1
ee6b9ac04377127faef33812ef9aa9bbdb6ce262

SHA256
08330ddd7a6408200e7de768cec2a6ab90e86e717e447e229ee8b2a0e1372c5a

SHA512
6a6e066890daa8ed6cdbd6e88d1355bcabd406df67a606f4a8a30aa3654b0fe6f60c9093efae86c9b33f01ae6c718818952298b7a83ee4895de8fea647afef68

Download Submit
C:\Users\Admin\AppData\Local\Temp\9gHfnS8a2p.bat

Filesize
198B

MD5
d82813855b51b9b9bcb10e622fbc5829

SHA1
aa52e951c11d54263d8c45f47cff176638b83668

SHA256
120634a397319f86a3976cbc816248b4da7ca533acfff0301e56c0dae0888e7d

SHA512
bf5a1016c6c923ace747d085fe6e9fa597c5774b0063107436af9776fbbb9a92a4d830307e7b7cc9495716fb0409e33a6c2321cadd33748b3b15988f7caf41a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMKHlt6LWj.bat

Filesize
198B

MD5
a37b7d14351e2e171b0a5aa108efa6e1

SHA1
1d2c652e0ab90103b009831d2165c82a907390c7

SHA256
de9273a0d5c905d8ddced3b6116e5dd038178bfab0e38ad5a5fe9c4e38d1c034

SHA512
f0a8b48c6f6f090cd83cb5074eb588f7d44e9993333e1d549b282752d1a319ded66681cc46a4969bb0dfa5dcc1141c73a2af21a4afb2032519a1a30158bcf8a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD9DD.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\I0OceA6Xfh.bat

Filesize
198B

MD5
622d823d36cb1fb014b11a286014ebe7

SHA1
bfb1d29badde2069a4225268cc97761effab8730

SHA256
340d5a2118b3615b1445ce25e90f4fdc4588d7b48dfcfe5f72855be02e280796

SHA512
2b47252384bb0eae3bfe79be756593c707735ec290e60c48815369902c16aa242ee2f3b183442b28660926090829a53f8552e0610270a994e2ac638b46a91cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat

Filesize
198B

MD5
76054d81d64cc5a3cdfe623b2cabe9de

SHA1
17a0a4ce0c86fcea7a8b0127e310b8857239d004

SHA256
100b1e8413152cae1cfcffe28510c69d23e33844d01d13de0852af8d04e2e3cb

SHA512
8c2ca551faafd1f9e6133a8ec09587527a52ba859137a48dc039db300625aca54884783698a7807068c5ec1877ffa50c3a40365c2871758335ce5e89f4e5ca7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD9FF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zlmto9DLwM.bat

Filesize
198B

MD5
fbff1ba9aa061f2faae65bf7af72d6ae

SHA1
52a5c5f6ae5f0a8a7f6b82ecb7d4b25486e51636

SHA256
059d531115338c4589d8a2875017c83ef6f92cb184d52c08124a50d412bdcc28

SHA512
8bfd09cdb89dfcf2d98b54ef08244f054dafbcf04a76efa66a0db1321a78a4d3692afb082103bdadf465b072bf584360262a5ef6e4425bc417e282a5dd7887d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\lHuJ4aKJis.bat

Filesize
198B

MD5
e8ee51304b9386e15b313e7d63a87fba

SHA1
1018d0a398d5395a1dc047ca2a7c48247813fb20

SHA256
91085bbdf47cf97521ce3bbaef9e0b9ce91ea84a8bd0cd576fc15a7f97ec96f4

SHA512
24403e83359b1b06e16a5dd74da0c861e5e7aaf1d59f730c4f9faeb5fcfc2955941f0e5ab3b1bcb0322a11bbad222bdb4dc31388fc5d71f9f10cb08cd4635b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\tYG4XGbOex.bat

Filesize
198B

MD5
fd238baeec1077b970f8a4633ceb83eb

SHA1
8659f0965fa360ec46f0e8fb195e08b895bccee0

SHA256
1540c0093da6d750115ec1fa1dbb626fccaae5b4901235bc877356cd7eb52f2f

SHA512
77006911396bb8a62ce5690f2f2148a995cb6af135f5abd43928b22ddb1be2d3ab674de55cde5a4906d8a907a1225631367098da8a49e944d2871a349498665f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat

Filesize
198B

MD5
f7ddd2c72c6c5ebe598ffd2fd25ca2eb

SHA1
dbf61b196d76eca0e6e212480840d00f6825efff

SHA256
e9b458566f649ab5cf4dcda0329faa1f1034dd024a5578afdbfed194db31c2a0

SHA512
579b12e4b1cb662493d88c32f4a00869c3b6dbe96e0364d6d4b0d5a16f499ed2af0921623bb74ecb98397641ed04d4bec59585a730f125a74e06a6ef51a122c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat

Filesize
198B

MD5
536a3b46db6ce56dfbd9e681e4be092d

SHA1
a5fc7b4f00dfd84016ec89e55921fdc7997efaaa

SHA256
f654b63ad237a9b4d2e6827a7fc27ffeae7438e48dcecf55ceb4d2e6e729119c

SHA512
5a0c31db1e77b8eb5bdcff82e5ab5166d2ac3cfda0ae377bd556ff998265390f3ec86d28107777ce45e03d06103c210b033e997ffdbfeba326eae86dda7d21c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\voEVGuhWUp.bat

Filesize
198B

MD5
e705759ce3398f397cebb2cf732c64f6

SHA1
c68d2bb3da5bf5638cecda3376a61a91c080eadb

SHA256
e4acefd1dfdbd7891450dbea09c1c59e61f82b7c340b31db3e82a4b329fd6a9f

SHA512
ad5cabd3c5c293367647f8f8663e00232b9bd6ea0917d15780989d572a9b8d469bd9dc31a45e282d656ee70802317f2f3ed2be02cd8e634285aa458c6e2c0cc3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ff1ac30039243c858f726c35193cc9f1

SHA1
ac147a226e9590092f1d79d2344e16dc8c4536b9

SHA256
786092b589a2b81072ba643331a0ef8c1cfca4cbd25b1807634725bfdcb20bc0

SHA512
5dd69b452bf7023958db69b183b3d1c4050e04ff8ee957890edcac27e7d1eacfea5d6eec7d8c2cda86c4ddc82c97cd0fd950b06d8cf0c9c2dd7d50f81f05ab5e

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1560-28-0x00000000003E0000-0x00000000004F0000-memory.dmp

Filesize
1.1MB

Download
memory/1560-45-0x00000000001E0000-0x00000000001F2000-memory.dmp

Filesize
72KB

Download
memory/1584-345-0x0000000000F70000-0x0000000001080000-memory.dmp

Filesize
1.1MB

Download
memory/1584-346-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2064-525-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/2064-524-0x0000000001220000-0x0000000001330000-memory.dmp

Filesize
1.1MB

Download
memory/2148-104-0x0000000001380000-0x0000000001490000-memory.dmp

Filesize
1.1MB

Download
memory/2148-105-0x00000000005C0000-0x00000000005D2000-memory.dmp

Filesize
72KB

Download
memory/2468-15-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2468-17-0x0000000000B10000-0x0000000000B1C000-memory.dmp

Filesize
48KB

Download
memory/2468-16-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2468-14-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2468-13-0x0000000000F90000-0x00000000010A0000-memory.dmp

Filesize
1.1MB

Download
memory/2700-34-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2700-35-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/2868-585-0x0000000000210000-0x0000000000320000-memory.dmp

Filesize
1.1MB

Download
memory/2868-586-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2936-225-0x00000000009D0000-0x0000000000AE0000-memory.dmp

Filesize
1.1MB

Download
memory/3060-165-0x0000000000200000-0x0000000000310000-memory.dmp

Filesize
1.1MB

Download
memory/3064-285-0x00000000001A0000-0x00000000002B0000-memory.dmp

Filesize
1.1MB

Download