Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-12-2024 05:10

General

  • Target

    JaffaCakes118_0388c13eea4b908ac57f05f38aefffe533abcceb9c499fba0469ff15e1bf0cfe.exe

  • Size

    1.3MB

  • MD5

    427f7790d059cd2061ba031492d36424

  • SHA1

    ee9e9244d72b852328b8b8666801c02b056dd21c

  • SHA256

    0388c13eea4b908ac57f05f38aefffe533abcceb9c499fba0469ff15e1bf0cfe

  • SHA512

    f981d1e04e6ef86de82f42f66e96c8896aa452fea6ff78a2856b9d8bc7fca28be6211b85aeac2e6b46f2a69c43e3408e8e4fe73805d0280082c3ef9f84b41862

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 16 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 15 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0388c13eea4b908ac57f05f38aefffe533abcceb9c499fba0469ff15e1bf0cfe.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0388c13eea4b908ac57f05f38aefffe533abcceb9c499fba0469ff15e1bf0cfe.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:676
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3712
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4912
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3784
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2008
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2096
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2552
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4060
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4840
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\RuntimeBroker.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3972
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Lvqyh5QgiF.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1100
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1640
              • C:\Recovery\WindowsRE\upfc.exe
                "C:\Recovery\WindowsRE\upfc.exe"
                6⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3712
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jef2EZNQSo.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4628
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:1948
                    • C:\Recovery\WindowsRE\upfc.exe
                      "C:\Recovery\WindowsRE\upfc.exe"
                      8⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4460
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VAhDAdBh8f.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:3156
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:2540
                          • C:\Recovery\WindowsRE\upfc.exe
                            "C:\Recovery\WindowsRE\upfc.exe"
                            10⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Modifies registry class
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:4844
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GW80Ek08hx.bat"
                              11⤵
                              • Suspicious use of WriteProcessMemory
                              PID:2440
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                12⤵
                                  PID:2488
                                • C:\Recovery\WindowsRE\upfc.exe
                                  "C:\Recovery\WindowsRE\upfc.exe"
                                  12⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Modifies registry class
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  PID:4768
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GW80Ek08hx.bat"
                                    13⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:4296
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      14⤵
                                        PID:1952
                                      • C:\Recovery\WindowsRE\upfc.exe
                                        "C:\Recovery\WindowsRE\upfc.exe"
                                        14⤵
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • Modifies registry class
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        • Suspicious use of WriteProcessMemory
                                        PID:4812
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QRlBHoY6P9.bat"
                                          15⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:1016
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            16⤵
                                              PID:2976
                                            • C:\Recovery\WindowsRE\upfc.exe
                                              "C:\Recovery\WindowsRE\upfc.exe"
                                              16⤵
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Modifies registry class
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of WriteProcessMemory
                                              PID:2032
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l7tVtcAquU.bat"
                                                17⤵
                                                • Suspicious use of WriteProcessMemory
                                                PID:2664
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  18⤵
                                                    PID:4620
                                                  • C:\Recovery\WindowsRE\upfc.exe
                                                    "C:\Recovery\WindowsRE\upfc.exe"
                                                    18⤵
                                                    • Checks computer location settings
                                                    • Executes dropped EXE
                                                    • Modifies registry class
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:3172
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4rzlnKig63.bat"
                                                      19⤵
                                                        PID:2088
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          20⤵
                                                            PID:4696
                                                          • C:\Recovery\WindowsRE\upfc.exe
                                                            "C:\Recovery\WindowsRE\upfc.exe"
                                                            20⤵
                                                            • Checks computer location settings
                                                            • Executes dropped EXE
                                                            • Modifies registry class
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:3148
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat"
                                                              21⤵
                                                                PID:4816
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  22⤵
                                                                    PID:3952
                                                                  • C:\Recovery\WindowsRE\upfc.exe
                                                                    "C:\Recovery\WindowsRE\upfc.exe"
                                                                    22⤵
                                                                    • Checks computer location settings
                                                                    • Executes dropped EXE
                                                                    • Modifies registry class
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:1384
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat"
                                                                      23⤵
                                                                        PID:5008
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          24⤵
                                                                            PID:3252
                                                                          • C:\Recovery\WindowsRE\upfc.exe
                                                                            "C:\Recovery\WindowsRE\upfc.exe"
                                                                            24⤵
                                                                            • Checks computer location settings
                                                                            • Executes dropped EXE
                                                                            • Modifies registry class
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:4016
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mylROGge0S.bat"
                                                                              25⤵
                                                                                PID:2216
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  26⤵
                                                                                    PID:2388
                                                                                  • C:\Recovery\WindowsRE\upfc.exe
                                                                                    "C:\Recovery\WindowsRE\upfc.exe"
                                                                                    26⤵
                                                                                    • Checks computer location settings
                                                                                    • Executes dropped EXE
                                                                                    • Modifies registry class
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:4980
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VAhDAdBh8f.bat"
                                                                                      27⤵
                                                                                        PID:8
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          28⤵
                                                                                            PID:4528
                                                                                          • C:\Recovery\WindowsRE\upfc.exe
                                                                                            "C:\Recovery\WindowsRE\upfc.exe"
                                                                                            28⤵
                                                                                            • Checks computer location settings
                                                                                            • Executes dropped EXE
                                                                                            • Modifies registry class
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:2608
                                                                                            • C:\Windows\System32\cmd.exe
                                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat"
                                                                                              29⤵
                                                                                                PID:396
                                                                                                • C:\Windows\system32\w32tm.exe
                                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                  30⤵
                                                                                                    PID:3532
                                                                                                  • C:\Recovery\WindowsRE\upfc.exe
                                                                                                    "C:\Recovery\WindowsRE\upfc.exe"
                                                                                                    30⤵
                                                                                                    • Checks computer location settings
                                                                                                    • Executes dropped EXE
                                                                                                    • Modifies registry class
                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    PID:2128
                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat"
                                                                                                      31⤵
                                                                                                        PID:1512
                                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                          32⤵
                                                                                                            PID:4960
                                                                                                          • C:\Recovery\WindowsRE\upfc.exe
                                                                                                            "C:\Recovery\WindowsRE\upfc.exe"
                                                                                                            32⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:3992
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4116
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:220
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2944
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4464
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:208
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3252
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4056
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4984
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:100
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3704
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4052
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2824
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\RuntimeBroker.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3756
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\dotnet\RuntimeBroker.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4792
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\dotnet\RuntimeBroker.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3292
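The ten schtasks.exe invocations above are the sample's persistence layer: each task is named after a legitimate Windows or Office binary (RuntimeBroker, dllhost, OfficeClickToRun), sometimes with one stray character appended, points at a copy of that binary name in a directory where the real one never lives (C:\Recovery\WindowsRE\, C:\Program Files\7-Zip\Lang\, C:\Program Files\dotnet\), and is either re-launched every few minutes as a watchdog or fired at logon with /rl HIGHEST. The following hunting script is an added example for this report, not the sandbox's own detection logic: it parses those command lines as they would appear in process-creation telemetry and scores them. The EXPECTED_DIRS table, the 15-minute watchdog threshold and the benign comparison line are the editor's assumptions.

```python
"""Hunt for DCRat-style scheduled-task persistence in schtasks.exe command lines.

Added example for this report, not sandbox code. SAMPLE_CMDLINES are the ten
invocations from the process tree above; EXPECTED_DIRS and WATCHDOG_MAX_MINUTES
are assumptions chosen for illustration.
"""
import re

# Where the impersonated binaries legitimately live (lower-case, no trailing
# backslash). Assumption: RuntimeBroker.exe and dllhost.exe ship in
# System32/SysWOW64; OfficeClickToRun.exe ships with Office under Common Files.
EXPECTED_DIRS = {
    "runtimebroker.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "dllhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "officeclicktorun.exe": {
        r"c:\program files\common files\microsoft shared\clicktorun"
    },
}
WATCHDOG_MAX_MINUTES = 15  # assumption: /sc MINUTE /mo <= 15 is a re-launch watchdog

# Constructed sample input: the schtasks.exe command lines recorded in the tree.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f''',
    r'''schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /f''',
    r'''schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\RuntimeBroker.exe'" /f''',
    r'''schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\dotnet\RuntimeBroker.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\dotnet\RuntimeBroker.exe'" /rl HIGHEST /f''',
]

# /switch followed by an optional value: a double-quoted string or a bare token
# that does not itself start with '/'.
_ARG = re.compile(r'/(\w+)(?:\s+("[^"]*"|[^/\s]\S*))?')


def parse_schtasks(cmdline):
    """Map each /switch to its value ('' for valueless switches such as /f)."""
    return {sw.lower(): val.strip('"') for sw, val in _ARG.findall(cmdline)}


def analyze(cmdline):
    """Return the parsed task plus the reasons it resembles DCRat persistence."""
    args = parse_schtasks(cmdline)
    finding = {"cmdline": cmdline, "task": "", "action": "", "reasons": []}
    if "create" not in args:
        return finding
    task = args.get("tn", "")
    action = args.get("tr", "").strip("'")  # DCRat wraps the /tr path in '...'
    directory, _, exe = action.lower().rpartition("\\")
    stem = exe[:-4] if exe.endswith(".exe") else exe
    reasons = finding["reasons"]

    # 1. A system-binary name launched from a directory it is never installed in.
    if exe in EXPECTED_DIRS and directory not in EXPECTED_DIRS[exe]:
        reasons.append(f"{exe} run from {directory}, not its install directory")
    # 2. Task named after the binary, with at most one trailing character appended
    #    (OfficeClickToRunO, RuntimeBrokerR, dllhostd in this report).
    tn = task.lower()
    if stem and tn.startswith(stem) and len(tn) - len(stem) <= 1:
        reasons.append(f"task name {task!r} mimics the binary name")
    # 3. Minute-granularity re-launch keeps the implant alive if it is killed.
    if args.get("sc", "").upper() == "MINUTE":
        every = int(args["mo"]) if args.get("mo", "").isdigit() else 1
        if every <= WATCHDOG_MAX_MINUTES:
            reasons.append(f"re-launched every {every} min")
    # 4. Highest run level: the task runs elevated without a UAC prompt.
    if args.get("rl", "").upper() == "HIGHEST":
        reasons.append("runs at highest privilege level")
    finding.update(task=task, action=action)
    return finding


def hunt(cmdlines, min_reasons=2):
    """Return findings that stack at least min_reasons indicators, in input order."""
    return [f for f in (analyze(c) for c in cmdlines) if len(f["reasons"]) >= min_reasons]


if __name__ == "__main__":
    for f in hunt(SAMPLE_CMDLINES):
        print(f"[{len(f['reasons'])}] {f['task']:<18} -> {f['action']}")
        for reason in f["reasons"]:
            print("     -", reason)
```

Requiring two stacked indicators keeps a single `/rl HIGHEST` maintenance job from firing, while every line in this report scores three or four. In production the same logic applies to Sysmon Event ID 1 or Security 4688 command lines, and the scheduled-task action path can be checked directly against the XML under C:\Windows\System32\Tasks\ to catch tasks created through the COM API rather than schtasks.exe.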

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Downloads

                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                              Filesize 2KB
                                              MD5    d85ba6ff808d9e5444a4b369f5bc2730
                                              SHA1   31aa9d96590fff6981b315e0b391b575e4c0804a
                                              SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
                                              SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\upfc.exe.log
                                              Filesize 1KB
                                              MD5    baf55b95da4a601229647f25dad12878
                                              SHA1   abc16954ebfd213733c4493fc1910164d825cac8
                                              SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
                                              SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                              Filesize 944B
                                              MD5    10890cda4b6eab618e926c4118ab0647
                                              SHA1   1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d
                                              SHA256 00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14
                                              SHA512 a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                              Filesize 944B
                                              MD5    6d3e9c29fe44e90aae6ed30ccf799ca8
                                              SHA1   c7974ef72264bbdf13a2793ccf1aed11bc565dce
                                              SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
                                              SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                              Filesize 944B
                                              MD5    d28a889fd956d5cb3accfbaf1143eb6f
                                              SHA1   157ba54b365341f8ff06707d996b3635da8446f7
                                              SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
                                              SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                              Filesize 944B
                                              MD5    cadef9abd087803c630df65264a6c81c
                                              SHA1   babbf3636c347c8727c35f3eef2ee643dbcc4bd2
                                              SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
                                              SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

                                            • C:\Users\Admin\AppData\Local\Temp\4rzlnKig63.bat
                                              Filesize 195B
                                              MD5    87ebd670ae2571eea04a640e11adc405
                                              SHA1   0e401f8f84566f4719d3f2dd62a978bb7d896738
                                              SHA256 658a2caf2e3eebc83162dd8a63efdeac2ae27f1795890f7a7347d8c9582318fe
                                              SHA512 ef09446103aaa2c6f9a11b972af39e366126fd26bddaffd69f67255880c15ea6584ade4844b726b2356e3f4ce6c3f07d3d34290a11935dac026c0729441e5fe8

                                            • C:\Users\Admin\AppData\Local\Temp\GW80Ek08hx.bat
                                              Filesize 195B
                                              MD5    3c8404ce2a93f5e1658ca619e73b3bb8
                                              SHA1   0622e5ceef0111436566e024a718e2f4c2d1e4d2
                                              SHA256 db9fe0c17b5b5ec5108f8ba65d4dd0baccfe87e1680a0779b9d1c2dcb029a86c
                                              SHA512 490347e43ea28bfcf7df7c1825a63068c76ec582d81555b5d16946abc25dd48bf2b89aa9c18545e61401c55d288843933df1dbf2a5b3a76875da6f7d4a097aaf

                                            • C:\Users\Admin\AppData\Local\Temp\Jef2EZNQSo.bat
                                              Filesize 195B
                                              MD5    80a0ed50d3d843ebb673ed9875ad3acc
                                              SHA1   a5a39bd486ad56c676f79871ec640aa1d7c0a50e
                                              SHA256 950b3f7f49e691e653a3284225e967b6ec26f97f9e96ac1e73d7d005f258b517
                                              SHA512 cce5be29dfa6fba1597b567d80cbcd64552e933f7a75c654ed439984edcc252a87a280aba6c1ff95fa51d9706f2cf82f28e413a303cbb6b7c4e96582e74c3d4e

                                            • C:\Users\Admin\AppData\Local\Temp\Lvqyh5QgiF.bat
                                              Filesize 195B
                                              MD5    d5856bba2719e8e6c010c0628c5e4a87
                                              SHA1   218f4659defe7c2cee96ac442a6b83d58e5e357e
                                              SHA256 5fbe24001853544faf87244c92f0558fd8f0b90093f4a20394309b202f323573
                                              SHA512 8fe789dc036d8a80efadd532b888aedbc9e9505e7bcef52f31ae6a7ea07b30e14f3bec2e63cb25ded39387c562dc718428839676857cc708458867f8ea5a20b1

                                            • C:\Users\Admin\AppData\Local\Temp\QRlBHoY6P9.bat
                                              Filesize 195B
                                              MD5    dc162715946a74ce7ab4ed7c526bcf20
                                              SHA1   377085a8084e15bbba6dba9ac6419556f15197e6
                                              SHA256 4d421fb05d431573db99637e908aeab349707c4b5a16b3aba15a127f5292cd39
                                              SHA512 4a3346ef442fa4c59f42e0f9e80eaf7fc31aa2afb81716806d62d3f091a7eeaa29cc7d4d3a22541e10b4375812dd2c587b052d549f8d256abf1f4b47e3f41307

                                            • C:\Users\Admin\AppData\Local\Temp\VAhDAdBh8f.bat
                                              Filesize 195B
                                              MD5    b85e03d728c7e7e0f542db37dfdf2b9d
                                              SHA1   64714cb67475f0ba9df740c35430aa733932c62a
                                              SHA256 c684f005431e6be7d67fbdb9d45526c666b3600bae51434f6da630469cbcb7ac
                                              SHA512 f1324357a628ca1ac5c9ec393747ad3f1ba219455de5c48305e271ad3a252a6102f1fa7709a363b36e87408689ca1454869af5bce027bda5bce4881cf8f421bc

                                            • C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat
                                              Filesize 195B
                                              MD5    55bb8a9770b07b70c82462a1329870cd
                                              SHA1   d45145de165d4a2ad30b6ffa29850123ab5b809f
                                              SHA256 48886f6421fd2fd4ea3d8d0d79cc15126686d9d298b2957718be31181a99f9dc
                                              SHA512 6326f5648d93e7f175c7ab922bd5fd32efa65dc187c8d39c6f2fd52fef4feddfdf93ba69373392120b3d9579e7b529e924a8183c40b4e0d0e5ce386b34d33a39

                                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tmcevfud.ngl.ps1
                                              Filesize 60B
                                              MD5    d17fe0a3f47be24a6453e9ef58c94641
                                              SHA1   6ab83620379fc69f80c0242105ddffd7d98d5d9d
                                              SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
                                              SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                            • C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat
                                              Filesize 195B
                                              MD5    27cea7042b6ef2ef7ba94d950cdb8dcc
                                              SHA1   6052bd10761ccd908afe13f9315c782901044c76
                                              SHA256 3637de6a5ce8ff7e11e638eae3a06f4f753f11814a4f11e87fd269a95369bb9a
                                              SHA512 c0bb279e1d0d9318fb013cdae2a3406088d93fb1ba825699bb8ed33dbe7ebe7a9009f61dd40056af98e1fd85b88b8f70eaa63e5fdb0a3a41e27b6108fbf9a89a

                                            • C:\Users\Admin\AppData\Local\Temp\l7tVtcAquU.bat
                                              Filesize 195B
                                              MD5    c4ddabd9d389867b897d6f82f9cb7dcc
                                              SHA1   6c770eee86c8129993e142710e33550724050b75
                                              SHA256 5590e0e6e5664a190ffc9de3e8daf443bb00c197a09bb3aecff8501d65ea9ef9
                                              SHA512 4bac70e9b5c8d56198ee70d4d2d6b003940431f5f8633fce1655db2e70d36bab542b58970c97dc78c5992bfa18eabb7605cb2864e4fc21b9545ae6a2ac2c2665

                                            • C:\Users\Admin\AppData\Local\Temp\mylROGge0S.bat
                                              Filesize 195B
                                              MD5    47a0298008901a6fbc556fa055551ea9
                                              SHA1   c0d8ff117247bedf4bed111f0b09d6e07b3eac07
                                              SHA256 9b52f74a99efa0110543bf27dd35881d2ff9ce942261e5a9089798bcc1ab1a0c
                                              SHA512 9c46e88412e9a1370769665d9a99c5897d2c37c60b5cff5a7a1d3c329bd6f8d4f0afc833a9af11bd9642fe2578cbfd2354903d0d5ff24e18e2ceef0dcd762feb

                                            • C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat
                                              Filesize 195B
                                              MD5    95f7ac9fe500b734d584ca070362ed8d
                                              SHA1   bfa076c8a2b4ec077a6f9b660a4e3f09f13956e8
                                              SHA256 20c536abaa2f52d2831eb4f5552d5a0ebf16f8e4115138aa24563bbf8ee38fd6
                                              SHA512 2b2c9e6899167d236da1776ad386c1b95140ab9a893f9b1a109c96e69eda9643a35a5bbd09b5ae7bb1650a5cd0201aadfecf63191cd7440858e7f0d4b808ee50

                                            • C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat
                                              Filesize 195B
                                              MD5    b036b83b24bd6c88c4420d3e57cc5c4f
                                              SHA1   049c4deda0459e2ae1b8f96e2b58c405ef9b0e80
                                              SHA256 e67843ab7f1a432be7e1c0a63672ac84773b657ec835346cfacc76f895dd8238
                                              SHA512 07abf9ffc9bd689b6e9a683636336a9ce7b5d4006012d20ff02c1d91bc8cc03a736ef0553733baaf3137c86adb18197085fa93c07c0b9975e24003cba3a1b793

                                            • C:\providercommon\1zu9dW.bat
                                              Filesize 36B
                                              MD5    6783c3ee07c7d151ceac57f1f9c8bed7
                                              SHA1   17468f98f95bf504cc1f83c49e49a78526b3ea03
                                              SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
                                              SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                            • C:\providercommon\DllCommonsvc.exe
                                              Filesize 1.0MB
                                              MD5    bd31e94b4143c4ce49c17d3af46bcad0
                                              SHA1   f8c51ff3ff909531d9469d4ba1bbabae101853ff
                                              SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
                                              SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                            • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
                                              Filesize 197B
                                              MD5    8088241160261560a02c84025d107592
                                              SHA1   083121f7027557570994c9fc211df61730455bb5
                                              SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
                                              SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                            • memory/2032-145-0x0000000001800000-0x0000000001812000-memory.dmp
                                              Filesize 72KB
                                            • memory/2032-150-0x000000001CA30000-0x000000001CB9A000-memory.dmp
                                              Filesize 1.4MB
                                            • memory/2128-191-0x0000000003080000-0x0000000003092000-memory.dmp
                                              Filesize 72KB
                                            • memory/2552-37-0x000001E563C50000-0x000001E563C72000-memory.dmp
                                              Filesize 136KB
                                            • memory/3172-157-0x000000001C960000-0x000000001CACA000-memory.dmp
                                              Filesize 1.4MB
                                            • memory/3712-105-0x0000000002640000-0x0000000002652000-memory.dmp
                                              Filesize 72KB
                                            • memory/3712-111-0x000000001B9D0000-0x000000001BAD2000-memory.dmp
                                              Filesize 1.0MB
                                            • memory/3784-16-0x00000000013B0000-0x00000000013BC000-memory.dmp
                                              Filesize 48KB
                                            • memory/3784-17-0x00000000013C0000-0x00000000013CC000-memory.dmp
                                              Filesize 48KB
                                            • memory/3784-15-0x00000000013D0000-0x00000000013DC000-memory.dmp
                                              Filesize 48KB
                                            • memory/3784-14-0x0000000001150000-0x0000000001162000-memory.dmp
                                              Filesize 72KB
                                            • memory/3784-13-0x0000000000930000-0x0000000000A40000-memory.dmp
                                              Filesize 1.1MB
                                            • memory/3784-12-0x00007FFE10183000-0x00007FFE10185000-memory.dmp
                                              Filesize 8KB
                                            • memory/4460-115-0x0000000000AC0000-0x0000000000AD2000-memory.dmp
                                              Filesize 72KB
                                            • memory/4460-120-0x000000001B780000-0x000000001B882000-memory.dmp
                                              Filesize 1.0MB
                                            • memory/4768-135-0x000000001BCE0000-0x000000001BE4A000-memory.dmp
                                              Filesize 1.4MB
                                            • memory/4812-143-0x000000001C4B0000-0x000000001C659000-memory.dmp
                                              Filesize 1.7MB
                                            • memory/4844-129-0x000000001C050000-0x000000001C1F9000-memory.dmp
                                              Filesize 1.7MB
                                            • memory/4844-127-0x000000001C050000-0x000000001C1F9000-memory.dmp
                                              Filesize 1.7MB
                                            • memory/4980-178-0x0000000002CE0000-0x0000000002CF2000-memory.dmp
                                              Filesize 72KB