dcrat | 26f62d2129acecbd0c03e475baa7012a26230dc5069e301264e6ef2e4d94d10b

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_26f62d2129acecbd0c03e475baa7012a26230dc5069e301264e6ef2e4d94d10b.exe
Size

1.3MB
MD5

240684424eccc71c0a8d876aada5d582
SHA1

8bfaf5b897be4bd56acff6caffe086a59aa63409
SHA256

26f62d2129acecbd0c03e475baa7012a26230dc5069e301264e6ef2e4d94d10b
SHA512

b170b168622e91c51517bec518bfb6a358c73771dc32e9cc1b246cfb0d3dfc181c7c289d77ffc460e40b717dd18e1bb63f00af3b0eed7597e809dd9958f066cf
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2724	schtasks.exe	35

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00080000000173aa-9.dat	dcrat
behavioral1/memory/2184-13-0x0000000001390000-0x00000000014A0000-memory.dmp	dcrat
behavioral1/memory/1424-28-0x00000000000E0000-0x00000000001F0000-memory.dmp	dcrat
behavioral1/memory/764-104-0x00000000009D0000-0x0000000000AE0000-memory.dmp	dcrat
behavioral1/memory/2480-164-0x00000000003E0000-0x00000000004F0000-memory.dmp	dcrat
behavioral1/memory/1816-224-0x0000000000BC0000-0x0000000000CD0000-memory.dmp	dcrat
behavioral1/memory/2900-284-0x0000000000040000-0x0000000000150000-memory.dmp	dcrat
behavioral1/memory/1976-344-0x0000000000370000-0x0000000000480000-memory.dmp	dcrat
behavioral1/memory/2592-404-0x00000000010E0000-0x00000000011F0000-memory.dmp	dcrat
behavioral1/memory/2508-583-0x0000000000310000-0x0000000000420000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2636	powershell.exe
2644	powershell.exe
2692	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2184	DllCommonsvc.exe
1424	csrss.exe
764	csrss.exe
2480	csrss.exe
1816	csrss.exe
2900	csrss.exe
1976	csrss.exe
2592	csrss.exe
2624	csrss.exe
880	csrss.exe
2508	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2508	cmd.exe
2508	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
26	raw.githubusercontent.com
37	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Cursors\5940a34987c991	DllCommonsvc.exe
File created	C:\Windows\Cursors\dllhost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_26f62d2129acecbd0c03e475baa7012a26230dc5069e301264e6ef2e4d94d10b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2852	schtasks.exe
2608	schtasks.exe
2936	schtasks.exe
2844	schtasks.exe
2288	schtasks.exe
2568	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2184	DllCommonsvc.exe
2644	powershell.exe
2692	powershell.exe
2636	powershell.exe
1424	csrss.exe
764	csrss.exe
2480	csrss.exe
1816	csrss.exe
2900	csrss.exe
1976	csrss.exe
2592	csrss.exe
2624	csrss.exe
880	csrss.exe
2508	csrss.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2184	DllCommonsvc.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	1424	csrss.exe
Token: SeDebugPrivilege	764	csrss.exe
Token: SeDebugPrivilege	2480	csrss.exe
Token: SeDebugPrivilege	1816	csrss.exe
Token: SeDebugPrivilege	2900	csrss.exe
Token: SeDebugPrivilege	1976	csrss.exe
Token: SeDebugPrivilege	2592	csrss.exe
Token: SeDebugPrivilege	2624	csrss.exe
Token: SeDebugPrivilege	880	csrss.exe
Token: SeDebugPrivilege	2508	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2856	2272	JaffaCakes118_26f62d2129acecbd0c03e475baa7012a26230dc5069e301264e6ef2e4d94d10b.exe	30
PID 2272 wrote to memory of 2856	2272	JaffaCakes118_26f62d2129acecbd0c03e475baa7012a26230dc5069e301264e6ef2e4d94d10b.exe	30
PID 2272 wrote to memory of 2856	2272	JaffaCakes118_26f62d2129acecbd0c03e475baa7012a26230dc5069e301264e6ef2e4d94d10b.exe	30
PID 2272 wrote to memory of 2856	2272	JaffaCakes118_26f62d2129acecbd0c03e475baa7012a26230dc5069e301264e6ef2e4d94d10b.exe	30
PID 2856 wrote to memory of 2508	2856	WScript.exe	32
PID 2856 wrote to memory of 2508	2856	WScript.exe	32
PID 2856 wrote to memory of 2508	2856	WScript.exe	32
PID 2856 wrote to memory of 2508	2856	WScript.exe	32
PID 2508 wrote to memory of 2184	2508	cmd.exe	34
PID 2508 wrote to memory of 2184	2508	cmd.exe	34
PID 2508 wrote to memory of 2184	2508	cmd.exe	34
PID 2508 wrote to memory of 2184	2508	cmd.exe	34
PID 2184 wrote to memory of 2636	2184	DllCommonsvc.exe	42
PID 2184 wrote to memory of 2636	2184	DllCommonsvc.exe	42
PID 2184 wrote to memory of 2636	2184	DllCommonsvc.exe	42
PID 2184 wrote to memory of 2644	2184	DllCommonsvc.exe	43
PID 2184 wrote to memory of 2644	2184	DllCommonsvc.exe	43
PID 2184 wrote to memory of 2644	2184	DllCommonsvc.exe	43
PID 2184 wrote to memory of 2692	2184	DllCommonsvc.exe	44
PID 2184 wrote to memory of 2692	2184	DllCommonsvc.exe	44
PID 2184 wrote to memory of 2692	2184	DllCommonsvc.exe	44
PID 2184 wrote to memory of 1424	2184	DllCommonsvc.exe	48
PID 2184 wrote to memory of 1424	2184	DllCommonsvc.exe	48
PID 2184 wrote to memory of 1424	2184	DllCommonsvc.exe	48
PID 1424 wrote to memory of 608	1424	csrss.exe	49
PID 1424 wrote to memory of 608	1424	csrss.exe	49
PID 1424 wrote to memory of 608	1424	csrss.exe	49
PID 608 wrote to memory of 1684	608	cmd.exe	51
PID 608 wrote to memory of 1684	608	cmd.exe	51
PID 608 wrote to memory of 1684	608	cmd.exe	51
PID 608 wrote to memory of 764	608	cmd.exe	52
PID 608 wrote to memory of 764	608	cmd.exe	52
PID 608 wrote to memory of 764	608	cmd.exe	52
PID 764 wrote to memory of 2052	764	csrss.exe	53
PID 764 wrote to memory of 2052	764	csrss.exe	53
PID 764 wrote to memory of 2052	764	csrss.exe	53
PID 2052 wrote to memory of 2512	2052	cmd.exe	55
PID 2052 wrote to memory of 2512	2052	cmd.exe	55
PID 2052 wrote to memory of 2512	2052	cmd.exe	55
PID 2052 wrote to memory of 2480	2052	cmd.exe	56
PID 2052 wrote to memory of 2480	2052	cmd.exe	56
PID 2052 wrote to memory of 2480	2052	cmd.exe	56
PID 2480 wrote to memory of 1780	2480	csrss.exe	57
PID 2480 wrote to memory of 1780	2480	csrss.exe	57
PID 2480 wrote to memory of 1780	2480	csrss.exe	57
PID 1780 wrote to memory of 1436	1780	cmd.exe	59
PID 1780 wrote to memory of 1436	1780	cmd.exe	59
PID 1780 wrote to memory of 1436	1780	cmd.exe	59
PID 1780 wrote to memory of 1816	1780	cmd.exe	60
PID 1780 wrote to memory of 1816	1780	cmd.exe	60
PID 1780 wrote to memory of 1816	1780	cmd.exe	60
PID 1816 wrote to memory of 2104	1816	csrss.exe	61
PID 1816 wrote to memory of 2104	1816	csrss.exe	61
PID 1816 wrote to memory of 2104	1816	csrss.exe	61
PID 2104 wrote to memory of 688	2104	cmd.exe	63
PID 2104 wrote to memory of 688	2104	cmd.exe	63
PID 2104 wrote to memory of 688	2104	cmd.exe	63
PID 2104 wrote to memory of 2900	2104	cmd.exe	64
PID 2104 wrote to memory of 2900	2104	cmd.exe	64
PID 2104 wrote to memory of 2900	2104	cmd.exe	64
PID 2900 wrote to memory of 2532	2900	csrss.exe	65
PID 2900 wrote to memory of 2532	2900	csrss.exe	65
PID 2900 wrote to memory of 2532	2900	csrss.exe	65
PID 2532 wrote to memory of 1564	2532	cmd.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_26f62d2129acecbd0c03e475baa7012a26230dc5069e301264e6ef2e4d94d10b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_26f62d2129acecbd0c03e475baa7012a26230dc5069e301264e6ef2e4d94d10b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2184
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
    - - C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1424
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i32OxRBhll.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1684
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kvUluF99a5.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2512
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QHkN6qNcbm.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1436
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gWC6ojzqIZ.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:688
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iVu5YTRuDT.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1564
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HEz7ZQMTyX.bat"
        16⤵
        
        PID:1712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2128
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aoAocY3YSO.bat"
        18⤵
        
        PID:912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1632
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat"
        20⤵
        
        PID:2408
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:756
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vdJwOJplm6.bat"
        22⤵
        
        PID:1624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2676
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0quqFCQQe7.bat"
        24⤵
        
        PID:2904
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Cursors\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be4a04b6c443885ccac8c7ec6f3e80e3

SHA1
6d3184353fe4391e643c6309bc448fb7ed905c94

SHA256
df340b07584db0b2dbc82a237546b5c3d19410e7a3e87c2c12155e3d9e61a78f

SHA512
dc4560d538d3c1c925d1fd356a6711a73958b0dfbb3a7ba46e4ad4f9a32ef0303219308f97353d7dad24d7573aaf36d9a4bc112ec04b8af72f97e353c635901d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4adc59da757543761ca2ed72b6cabe86

SHA1
b7ac6794a9b4c3db81b601fb21fd5ed73fa5d0e3

SHA256
87d69e21b4dbd42b0f94f87e05f276ae9249c184602c34d5e709d2afc3a932a2

SHA512
2c05fb1d510caec50a4980933ad6c55e31f3b354011c7bdf9fba2e3063ffcdb5ca353060eff2649187cf7aefa3a30bac68e5cf1fa3cabd3682863fca4e16722c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e952531dc5c009060b813f07d71ce451

SHA1
b1e054d6cdc28c37dd4e1197f052acf3ba38d383

SHA256
e75e362c4704651961dbb4701795ed6e22459e4139f32caf94754ea6ef636180

SHA512
24b5f490bde2e111ec08c28d4e178c1a84dbc965465b13e2c3a89c0bd779aa96a0c0de058955715a590f54d5b6f3fd93c48ea436bc3df2b75b6eb4e799f84448

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b3f492bb006affa1fe087a9cc9795aad

SHA1
d405b881d95fbfb07bfb86e44b1ffbb6836b895a

SHA256
ba067c19efe4cbc82c3ad1850de9098f325727f4f8f8896c30a2c53eca509d45

SHA512
7cb2fb2d7949a78ce2140f0d2aea928e4dc5888ef90dda29be4dee058780111b75664f7d079497215b02d3c47c6f5880641fe5d3844cf00bba85bcfa48d2f8b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
63e76b140c15ebff35f910ae52aee65e

SHA1
ebacd4e77ef4d42a9c318d7d1e253fb1e9d16c58

SHA256
eff46f717e3be754de4ba9f9a4366f6ca0b05e5211a0fd20e54cb5e1d16ab9cd

SHA512
3b7812ce6903a2f30e825b2680030fbc6666809a42a95a090ada1a1ce784c841b280ae56cb82e6610c8b09c55e7b2d825594fc1481b33e42d064ff834dec04c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76faecea4ac12953f55b5e228955a6d9

SHA1
2a51f012e43cbc2f98b9440e1e70c9b216df4e0e

SHA256
a8e0e4787d0a982031cb5d57a9e2e344034e1a979b8f98bbd522e497655787f7

SHA512
ea120c71508c806d43c8160f848282604485333a09449c3334da52ca56dacb8d3df111da6cef5e238e03a814860679ac083d833a1385b0e291f3e55b19cf88bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
497b955759324d5dc63557619e0fbeb1

SHA1
17e585ffe603aeced9f567cd29931a1bd8dbd51d

SHA256
7f868b5e982d11c0de3769d5a534679dba928c495e7a6210d8787d39abd668bb

SHA512
eaa86ee66d40bd89b63cae105e1205a18deaa52e08ed4036dea3c54be3a5e253fc1357c27b114eaebb8f258dd6ed4aef9e40795748e45515a02f2ebf17a33b2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ecde51a0d47aad49a952a1e8b6e84957

SHA1
3adb25b07f265637e422ef37a5d8e277cf781bb4

SHA256
793a4f301b0dcc88af2028a8559cdae3b84b02da6587e65bf84357d65a1ea159

SHA512
b154c1f76444ad37ba8c517e0e0408d67d3245df9557336a65ecf4bedd960fba044d805149ca538e5c6cfef42bf2bf5b2cb2ce870e7b63581390a39e812d9b18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11c34804027ac5de589d9c94df958e07

SHA1
23b45022faf49e0863495f1e71101a5d512633d8

SHA256
458cf26aaa4e14970eda9d7543dc4a40be993bd60752a48906cec50ba674c721

SHA512
37cec2947fda5defb37171b6c2117de6d67558709db6277e3db9a000e09758c296b920beeb064852bf5e0857ddeb7c5fe5b6a5f62bf55e0bb71385726d9613b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\0quqFCQQe7.bat

Filesize
192B

MD5
1ea43430943204172faa733bec7441c6

SHA1
290339a93877e24f32f906f2e5f7bb9cfbcfa124

SHA256
3277e6a539939eaf2102181e97039223018da5bad12a8c388af5f36059936bcb

SHA512
4a12e987a881946735b7a6b26e962124f3e49abe840cee5d0e3f9a7e776517300164baa0fa13a20931367659c8f3465e5af66f03853e4dbd35af724546cf104c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF48E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEz7ZQMTyX.bat

Filesize
192B

MD5
b2089ffd0cc08dd9ca8615753ff3fd68

SHA1
56955a407d9e2b0e896cd90dafa98c80226588f4

SHA256
528ca9dac381d3d1aaea2b9c78da181d84cbabb70dbbcb4f7737ddec442c4939

SHA512
3621ac1583020e2d54447930cea5d2487b5dfe430b04797246affa05071285b92e54daa6e5fbcc2c46c5571af4f43abe187c6c087da652c1cb168452e869f12e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QHkN6qNcbm.bat

Filesize
192B

MD5
4cf1b693faf10c6189d6aac74e5fb9f9

SHA1
ff76ee09630b3e60bc9ea1886c85aa31597528fe

SHA256
c336aa595116e82e0064ca424ba88cddd867a96c79f581901cd66f7ea1cba74a

SHA512
a27596622b5d61eb6264e068144fde512dfdb12919d3f89efbc04878ab9e4581ee132392a572bd46baf8259cdd2c3b5c130324ae58f0d30cf40a82668fe99608

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF4A1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat

Filesize
192B

MD5
3521cd29daab79eb3eab76de0089a42a

SHA1
5f7a16dfe3b54c78e699028179096f82e4beb69f

SHA256
f913ae3ed5025043f7e245bb82320c7ac9fee0aee6a85e1597a4257a6c5a0a63

SHA512
9f0ec9ab87c46ccc73751897bcf643824e1079ae2c0fbe227288a339fcc5596b562de4a7d37d938abf8a7412da30d2f130e60892941adf5ddca1678f9914fe7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoAocY3YSO.bat

Filesize
192B

MD5
65121ab4c0e36c563bf874d3721151d3

SHA1
fad829dc8c9ecb5bf71f765e3ae7442e89a187fd

SHA256
e45ab5baa875893e87c9ec06eb152d3b0938d1039f5795f142810a2d6d441f91

SHA512
7484e39388780ae84419cecb0e311404c83e392573d6ed7fb3e4f49e1ca218e25032a16ebc4a92b2434dbbfd8358e75d559c8a8af56db8c41cdcf5598e49cc01

Download Submit
C:\Users\Admin\AppData\Local\Temp\gWC6ojzqIZ.bat

Filesize
192B

MD5
c54968d6e18e22d5d9c50c4e747a95cc

SHA1
b407020f920697281390fae958cdee36f9359de6

SHA256
f897efec2f5dd0605cb6a7e0d514acec64afc0b7114ff1806b732664f460f059

SHA512
e5ab6ab74f430607de45bbcb4bf6aa71786f41cf0b5fc83db4fe3026ba11a9f92cee346afd4f26354ebb527b4e828bd7d2e97b8cca4f891a0f7178419a3d706d

Download Submit
C:\Users\Admin\AppData\Local\Temp\i32OxRBhll.bat

Filesize
192B

MD5
a46c1e5398eb2e397884527c6c11cb10

SHA1
c653975c921b88252dba328abfac6f83a8b4ec03

SHA256
3115b57a04566e9f23ac9df1ecb3b26ae175b7eb8103a15fb5429efcb5ee0474

SHA512
1a5c2177488f72529cb25192d83ac73001b8c64ada98ecde6c2f209266f8fe1f4416c22300773c3ef309c59a294f476ca9a57177fae61c695f42ae23d5287a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\iVu5YTRuDT.bat

Filesize
192B

MD5
c3f1cf19447b7a10471956adec798f02

SHA1
56e2182828a300b8274e13207c9d801e7b87ec69

SHA256
85c16e08c676f67fa371a64599962b9cbe98826b5e39d3bb1e6f8b0f29c69a1c

SHA512
e7df731a8c0abff4c99ac10bbef3b8ca2160afa40dcb1aa49eed3ea78f2473260fe1c66e3c82e0d5dc9a3f3581780ffba72da113a9fa9e5ca5993f9e6988f268

Download Submit
C:\Users\Admin\AppData\Local\Temp\kvUluF99a5.bat

Filesize
192B

MD5
81d7934b893595ce95a301d4083025b7

SHA1
f560caf38f35e1f98b86b11b723ee917d1930839

SHA256
049ae37f0e4ed0d3db60a05480200789f29c839777c72d6500acf598fa9d188c

SHA512
6654b748e78f227a31842c49ed8948684dc453a692e62113e461b7f3b928211bf128b2af8c4b921a6b455d386da5d09cfa83b567f41e9e0d4b1d4220c1e3ae43

Download Submit
C:\Users\Admin\AppData\Local\Temp\vdJwOJplm6.bat

Filesize
192B

MD5
6933d42cf0bdb7885857d53d2c3235f9

SHA1
e5b02b137ca6e8b9842652f95f32bbec5809fdc5

SHA256
01295c69488e03308bcf593b116e1ffaec83f755e10ecbe26e96eaeb9725ffba

SHA512
3c58f77a2690fd5027cc22ae9499ac626ccc7dcb16c3a5ffe38627d3ab44de3d5bdd8f5d35fd9a9caad2d27510cdecf2c54b66f330ba6bf229a1bb18236d519e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a8fe09630853c7fb9d85743ff01f9aa5

SHA1
3d62346399ab5dc7cbb24a79607376cba43c3b2a

SHA256
0c846fd0ecc2051e94694af0c642b6501cfc50b6f5c4d09ea631fd2b7bf0eb2f

SHA512
cee58f38dba2527e73ed125af97f93ce56e0c9583e59674ead33126d4e05a85d2fd7cc9f8da99ed682419fcc7858de0e9b7d296826ad13ee5d442e6bc7f9d92f

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/764-104-0x00000000009D0000-0x0000000000AE0000-memory.dmp

Filesize
1.1MB

Download
memory/880-523-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/1424-28-0x00000000000E0000-0x00000000001F0000-memory.dmp

Filesize
1.1MB

Download
memory/1424-45-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/1816-224-0x0000000000BC0000-0x0000000000CD0000-memory.dmp

Filesize
1.1MB

Download
memory/1976-344-0x0000000000370000-0x0000000000480000-memory.dmp

Filesize
1.1MB

Download
memory/2184-17-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/2184-15-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/2184-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2184-16-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2184-13-0x0000000001390000-0x00000000014A0000-memory.dmp

Filesize
1.1MB

Download
memory/2480-164-0x00000000003E0000-0x00000000004F0000-memory.dmp

Filesize
1.1MB

Download
memory/2508-583-0x0000000000310000-0x0000000000420000-memory.dmp

Filesize
1.1MB

Download
memory/2508-584-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2592-404-0x00000000010E0000-0x00000000011F0000-memory.dmp

Filesize
1.1MB

Download
memory/2644-44-0x00000000003E0000-0x00000000003E8000-memory.dmp

Filesize
32KB

Download
memory/2692-43-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2900-284-0x0000000000040000-0x0000000000150000-memory.dmp

Filesize
1.1MB

Download