dcrat | 0dd2a55a8e463c858a928eba2949c622f10ff77f3209c1428a6ccc10e3c2b693

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 05:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0dd2a55a8e463c858a928eba2949c622f10ff77f3209c1428a6ccc10e3c2b693.exe
Size

1.3MB
MD5

b7e9d643bca72180c6c2723fc56b6a14
SHA1

7d204dc2db6274ea22475a5e2537db97bdcef4d4
SHA256

0dd2a55a8e463c858a928eba2949c622f10ff77f3209c1428a6ccc10e3c2b693
SHA512

64451465f0a42524c90028cea1e4c03a9e93c1c985e7d343265e9c15e6c935215033b99ab729a4df603c9e4c66a551ea68f07e475685319cd46e5383f9bdc5bf
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2712	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2712	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2712	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2712	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2712	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2712	schtasks.exe	35

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000018bf3-9.dat	dcrat
behavioral1/memory/2960-13-0x0000000000140000-0x0000000000250000-memory.dmp	dcrat
behavioral1/memory/684-32-0x0000000001280000-0x0000000001390000-memory.dmp	dcrat
behavioral1/memory/1796-221-0x00000000000F0000-0x0000000000200000-memory.dmp	dcrat
behavioral1/memory/2300-282-0x0000000000D30000-0x0000000000E40000-memory.dmp	dcrat
behavioral1/memory/584-342-0x0000000001270000-0x0000000001380000-memory.dmp	dcrat
behavioral1/memory/2008-580-0x00000000003C0000-0x00000000004D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1724	powershell.exe
2636	powershell.exe
2624	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2960	DllCommonsvc.exe
684	services.exe
912	services.exe
2780	services.exe
1796	services.exe
2300	services.exe
584	services.exe
2624	services.exe
2644	services.exe
2088	services.exe
2008	services.exe

Loads dropped DLL 2 IoCs

pid	Process
2356	cmd.exe
2356	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
34	raw.githubusercontent.com
5	raw.githubusercontent.com
23	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
27	raw.githubusercontent.com
31	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Branding\Basebrd\it-IT\services.exe	DllCommonsvc.exe
File created	C:\Windows\Branding\Basebrd\it-IT\c5b4cb5e9653cc	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0dd2a55a8e463c858a928eba2949c622f10ff77f3209c1428a6ccc10e3c2b693.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2556	schtasks.exe
2568	schtasks.exe
2860	schtasks.exe
2744	schtasks.exe
2600	schtasks.exe
2672	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2960	DllCommonsvc.exe
2624	powershell.exe
1724	powershell.exe
2636	powershell.exe
684	services.exe
912	services.exe
2780	services.exe
1796	services.exe
2300	services.exe
584	services.exe
2624	services.exe
2644	services.exe
2088	services.exe
2008	services.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2960	DllCommonsvc.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	684	services.exe
Token: SeDebugPrivilege	912	services.exe
Token: SeDebugPrivilege	2780	services.exe
Token: SeDebugPrivilege	1796	services.exe
Token: SeDebugPrivilege	2300	services.exe
Token: SeDebugPrivilege	584	services.exe
Token: SeDebugPrivilege	2624	services.exe
Token: SeDebugPrivilege	2644	services.exe
Token: SeDebugPrivilege	2088	services.exe
Token: SeDebugPrivilege	2008	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2108	2112	JaffaCakes118_0dd2a55a8e463c858a928eba2949c622f10ff77f3209c1428a6ccc10e3c2b693.exe	30
PID 2112 wrote to memory of 2108	2112	JaffaCakes118_0dd2a55a8e463c858a928eba2949c622f10ff77f3209c1428a6ccc10e3c2b693.exe	30
PID 2112 wrote to memory of 2108	2112	JaffaCakes118_0dd2a55a8e463c858a928eba2949c622f10ff77f3209c1428a6ccc10e3c2b693.exe	30
PID 2112 wrote to memory of 2108	2112	JaffaCakes118_0dd2a55a8e463c858a928eba2949c622f10ff77f3209c1428a6ccc10e3c2b693.exe	30
PID 2108 wrote to memory of 2356	2108	WScript.exe	32
PID 2108 wrote to memory of 2356	2108	WScript.exe	32
PID 2108 wrote to memory of 2356	2108	WScript.exe	32
PID 2108 wrote to memory of 2356	2108	WScript.exe	32
PID 2356 wrote to memory of 2960	2356	cmd.exe	34
PID 2356 wrote to memory of 2960	2356	cmd.exe	34
PID 2356 wrote to memory of 2960	2356	cmd.exe	34
PID 2356 wrote to memory of 2960	2356	cmd.exe	34
PID 2960 wrote to memory of 2624	2960	DllCommonsvc.exe	42
PID 2960 wrote to memory of 2624	2960	DllCommonsvc.exe	42
PID 2960 wrote to memory of 2624	2960	DllCommonsvc.exe	42
PID 2960 wrote to memory of 2636	2960	DllCommonsvc.exe	43
PID 2960 wrote to memory of 2636	2960	DllCommonsvc.exe	43
PID 2960 wrote to memory of 2636	2960	DllCommonsvc.exe	43
PID 2960 wrote to memory of 1724	2960	DllCommonsvc.exe	44
PID 2960 wrote to memory of 1724	2960	DllCommonsvc.exe	44
PID 2960 wrote to memory of 1724	2960	DllCommonsvc.exe	44
PID 2960 wrote to memory of 684	2960	DllCommonsvc.exe	48
PID 2960 wrote to memory of 684	2960	DllCommonsvc.exe	48
PID 2960 wrote to memory of 684	2960	DllCommonsvc.exe	48
PID 684 wrote to memory of 1860	684	services.exe	49
PID 684 wrote to memory of 1860	684	services.exe	49
PID 684 wrote to memory of 1860	684	services.exe	49
PID 1860 wrote to memory of 1848	1860	cmd.exe	51
PID 1860 wrote to memory of 1848	1860	cmd.exe	51
PID 1860 wrote to memory of 1848	1860	cmd.exe	51
PID 1860 wrote to memory of 912	1860	cmd.exe	52
PID 1860 wrote to memory of 912	1860	cmd.exe	52
PID 1860 wrote to memory of 912	1860	cmd.exe	52
PID 912 wrote to memory of 2124	912	services.exe	53
PID 912 wrote to memory of 2124	912	services.exe	53
PID 912 wrote to memory of 2124	912	services.exe	53
PID 2124 wrote to memory of 2884	2124	cmd.exe	55
PID 2124 wrote to memory of 2884	2124	cmd.exe	55
PID 2124 wrote to memory of 2884	2124	cmd.exe	55
PID 2124 wrote to memory of 2780	2124	cmd.exe	56
PID 2124 wrote to memory of 2780	2124	cmd.exe	56
PID 2124 wrote to memory of 2780	2124	cmd.exe	56
PID 2780 wrote to memory of 2612	2780	services.exe	57
PID 2780 wrote to memory of 2612	2780	services.exe	57
PID 2780 wrote to memory of 2612	2780	services.exe	57
PID 2612 wrote to memory of 1500	2612	cmd.exe	59
PID 2612 wrote to memory of 1500	2612	cmd.exe	59
PID 2612 wrote to memory of 1500	2612	cmd.exe	59
PID 2612 wrote to memory of 1796	2612	cmd.exe	60
PID 2612 wrote to memory of 1796	2612	cmd.exe	60
PID 2612 wrote to memory of 1796	2612	cmd.exe	60
PID 1796 wrote to memory of 1340	1796	services.exe	61
PID 1796 wrote to memory of 1340	1796	services.exe	61
PID 1796 wrote to memory of 1340	1796	services.exe	61
PID 1340 wrote to memory of 1256	1340	cmd.exe	63
PID 1340 wrote to memory of 1256	1340	cmd.exe	63
PID 1340 wrote to memory of 1256	1340	cmd.exe	63
PID 1340 wrote to memory of 2300	1340	cmd.exe	64
PID 1340 wrote to memory of 2300	1340	cmd.exe	64
PID 1340 wrote to memory of 2300	1340	cmd.exe	64
PID 2300 wrote to memory of 1240	2300	services.exe	65
PID 2300 wrote to memory of 1240	2300	services.exe	65
PID 2300 wrote to memory of 1240	2300	services.exe	65
PID 1240 wrote to memory of 1776	1240	cmd.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0dd2a55a8e463c858a928eba2949c622f10ff77f3209c1428a6ccc10e3c2b693.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0dd2a55a8e463c858a928eba2949c622f10ff77f3209c1428a6ccc10e3c2b693.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\Basebrd\it-IT\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
    - - C:\Windows\Branding\Basebrd\it-IT\services.exe
        
        "C:\Windows\Branding\Basebrd\it-IT\services.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:684
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzDSmeWZ76.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1848
        
        C:\Windows\Branding\Basebrd\it-IT\services.exe
        
        "C:\Windows\Branding\Basebrd\it-IT\services.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ER58NgmlZn.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2884
        
        C:\Windows\Branding\Basebrd\it-IT\services.exe
        
        "C:\Windows\Branding\Basebrd\it-IT\services.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1500
        
        C:\Windows\Branding\Basebrd\it-IT\services.exe
        
        "C:\Windows\Branding\Basebrd\it-IT\services.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9IAAZSZGIv.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1256
        
        C:\Windows\Branding\Basebrd\it-IT\services.exe
        
        "C:\Windows\Branding\Basebrd\it-IT\services.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1776
        
        C:\Windows\Branding\Basebrd\it-IT\services.exe
        
        "C:\Windows\Branding\Basebrd\it-IT\services.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iu0amT0ExO.bat"
        16⤵
        
        PID:1568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2808
        
        C:\Windows\Branding\Basebrd\it-IT\services.exe
        
        "C:\Windows\Branding\Basebrd\it-IT\services.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KteTxDTZHh.bat"
        18⤵
        
        PID:952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1460
        
        C:\Windows\Branding\Basebrd\it-IT\services.exe
        
        "C:\Windows\Branding\Basebrd\it-IT\services.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KmPq9HzxB6.bat"
        20⤵
        
        PID:1584
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2416
        
        C:\Windows\Branding\Basebrd\it-IT\services.exe
        
        "C:\Windows\Branding\Basebrd\it-IT\services.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8NcI1AeIbp.bat"
        22⤵
        
        PID:2652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2608
        
        C:\Windows\Branding\Basebrd\it-IT\services.exe
        
        "C:\Windows\Branding\Basebrd\it-IT\services.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\Branding\Basebrd\it-IT\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\it-IT\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\Branding\Basebrd\it-IT\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b4f662a38e22ba1adea4589b3f2aa2b

SHA1
cd4e97a0af4c9a8524f58d38f44e01b029a3773e

SHA256
9738919313dac8d6646404962d10e68060dfd569f90557369816a70a0a1951f6

SHA512
ebcea234ce9f9cc0508d6c4bd2148bc0a7ca7701540dbf0708932c3fd880ebd1ba0250da125f031c6d2dadd781fdac4a99c9fbde46200d2595d05cd194a4d9a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
21ceeb8f5d0acef5138e215e72bdef47

SHA1
694f38e922f367732d8ce8e519ba409240dc9e24

SHA256
c5dc7ce65468ed6b9b5888ee6854f05604535e60469be0d38fb0121cf7ae395f

SHA512
25b0f75eac97f193ae287c06d4b0b1a90acb2979afecbf11c803b969060c341a934e8440430caa3944d706d7362cb301c7a14e3856bcc1698d019bb6fa9a9b62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1bfe9a3b25daf12a0843d9b98d21755

SHA1
49c6f54502eef17d7b7d22353face5634256e6f4

SHA256
d3ecf2c7e4fc39e343cf65cb73f7eafa16314aebba33c835812149fead37f6e8

SHA512
343aefd900fed48212dba29791c863cbb9669ca9909eaa26fe11c3c2ac6cdb242d8b809386ba9771a62581da426cce378e53cd68aef4981b42a4fbc9312c26fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f75414cee6de8664392fa0211e8f558e

SHA1
b8efe7d3533d1c9001c08f40e2bcc48931ba6085

SHA256
b6605827bc06b7b9e906d9a96b8e88be5252516fa1786436def2c628590153c6

SHA512
6df8fa06aaaefc1979f793b62adf284691ea26440581bce916956ba972165df798e145c308bcb82fd6949d04d4d83277151a72cedf1af34a6a448fdc1195904a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
193d46f581b13164ead4a2913520cfd8

SHA1
6e6e7f72bc9540619ceb0a7bbdd4678d2d5fb0fa

SHA256
b8f086f1599204bea6a77ddfa491886a3b01e3bc938b56a53f9ee63d03696633

SHA512
47d1d0e9e4b980f7f75e314adb91cc51ec68a3b3abf8b8877fac99970c9cb870618692e21ce52776efbe87e20b07e62ad4e1bd41c15a68478a125300cfff5b0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
40d7a443f587e564ac4e00da5fb12ba3

SHA1
9d8fb6ed343e737f759be65d9775ea6cb49936b7

SHA256
a82fb7e299401fc6916e27b3399f009e99219de19e0bce5875143a4d2c16cf37

SHA512
11fb6221eecded601eac4d4ef7a4d221736866161cc23cc7507aa78b5c54f2e880c5bef5c3852eb45eb0cbe2f27434717cb78f16d44a2ad78f1f79823526ccfe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0df6303fb277f3c26bc52160248b1b96

SHA1
0285fbdfba6bf2a95f313a5136610c4e15ca07fc

SHA256
9fdb52fda5a71b6954cff6e87e64916589e29703a8c142e23d8016331064cb40

SHA512
b81ba09396b841e10211393d9a45bfea07b1c66babcf2c1793faa75cd9fddd6f76ca8cc41c9558b9e293133fb16e3339dff55df5f6a89ae84620a2a700b2c8f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eaae47e413e69ea80482bbceb654e94a

SHA1
3d799345fbd2f7d6f25adbafa9a78448fcd55c6c

SHA256
c8fb23223147a856fe33f3ef7138ab8b22693c3d9fc79387725afe97097398b2

SHA512
8e37d0e148ddceef1e58f50c60c580fd73feec8101b31e913ceb50d4de0e7af4eba7b34360b969515fb4ffa367582e6ae2177fe94cc6f864a592f87752f18cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\8NcI1AeIbp.bat

Filesize
211B

MD5
e6daa006c0b39e69dd98460668d46bb3

SHA1
656f25c1eb3922dce06a21ff9ca2ea077bc872f8

SHA256
02206e711fe24fc98cd603b7bdd706f8b51a854baa462cbcec8c3d5e2478f20a

SHA512
4963eb88a0fad06c191870d30c71fad4e04a468400c860c1393ca72df949b36b0e796ff137575739f3c025f37a29bd56fc80e1559a83ac7ecd31c1d433f2e309

Download Submit
C:\Users\Admin\AppData\Local\Temp\9IAAZSZGIv.bat

Filesize
211B

MD5
962023ec447f5467fb3764bf488bb439

SHA1
aa70cbcbda2edb1f6768739a1f10314daf176f3a

SHA256
c7db5e8badcb6b530da6125e2b32df1b4fbd0b65c90e2a7da9d337b273edda6d

SHA512
12c32561e64ef02b192b85deb2ff851b8e412638ea0f0b31efe53de0b78016cc89ca174c57910a4b52df6dcf977745fe03fda0a133a0a6ec9c1cfaab838a9385

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat

Filesize
211B

MD5
e896ab2532ba3d8fb581cbd34b92a999

SHA1
7b912d48a0d9082e17acab8fdc04ccf13aa31cf6

SHA256
b061a5ccb41d81819938ef102a26e72039bda8a25561094889d2221ede0266c0

SHA512
7b2242120c17f97a8c41e0cbf19efa6fcb5b3bc1f9762013c2ddbc7041b12a6d992fa7ad85ba0b303df7220afb12e03f3ef592e2f76a594ebf6a497fd0095f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF77B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ER58NgmlZn.bat

Filesize
211B

MD5
41b234605ac2de2db076ba681ecbef17

SHA1
60ae54d17a12dcf4567420af29327a5174a2f617

SHA256
e29a67d381fee94259552be8e8500d1004d60771873a6fac8ab30561341c737e

SHA512
9bf9b2cd7487d7225db400b6efd6e575b65394bd5a25dba6ff0c4e68dab61892d9ef877a62a108420483fc39bdfb64506424287d4d9db3038448e84cb0fe63b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\EzDSmeWZ76.bat

Filesize
211B

MD5
9400bbf7ee3b646ec52d7a8464f4487b

SHA1
8006afa00fefe206c8f377d8d25a6ea05aa03060

SHA256
e8d5bbad275a3c794bf0eb50bdc45b692c1e9f925e58fcb5af7704a1b4152ac1

SHA512
91bcc80d90c3b43cc7576c0667d281890930c7a80c48b018f6f64bcba4c08675343dedbde59b3933f35d90713bbf5eef2fdc570cfa46cf50fd550272a51276e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KmPq9HzxB6.bat

Filesize
211B

MD5
104c97aadfdd6fcfa2013ceca5e4f6f8

SHA1
7917011e9ba24ccdc2975bafd08ae13dd65060d1

SHA256
9273a2dda8ddb7d92e0585f896fd2609190e0e1c20c5ab447d2b4f65d85897ed

SHA512
d76d06da750a9f60e056e158a143841f15a1be1aeacf6c043d36b85642c6700725c803367163b56775b7ef6be0bdda2ece645374be75912897a4e68c2d038e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\KteTxDTZHh.bat

Filesize
211B

MD5
c189f5a2e514b72f0a618b08cdfdc47c

SHA1
cac14d29ea5477cae7bf7ab82a5e51ac6e644a8e

SHA256
ca70ca15403e285a0e059e1f1d68d6e98262cb1226e077d40af65b1acf821821

SHA512
8c82db3e9760a93b4da03bdeb7618d1e7c8e613c27fc03fb1543db7a66e72e4a0341055752abea26e197da46eda8e64b5b2b888a4895964aaa7967270191c3ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF79D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat

Filesize
211B

MD5
7950551f6e9c728f47b6bd8728cbe774

SHA1
c7d0a9487b634c1e85003f1b3fc84282467d6461

SHA256
f29aee33f445b61c068ab7863aac48ac384df1d4be5f15ed16f829cd14b2562b

SHA512
2e91dbd15a297c1023d651ac8a1453f9bb2d448031badcc03aa40709d3d481df462409c5f57a6ebc34b1bd64a9da24c1c76897ddb887e17cf7df755aa1497b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iu0amT0ExO.bat

Filesize
211B

MD5
ac4ebf95da0c7022d5dbca8af7204a78

SHA1
1390523423ff2239a5efcb3640092aaab497316c

SHA256
9217a9600e6d483321ac1c32c25780dd0c6036c536d3a8962a73941e09c59585

SHA512
732e3e026162beb4bef0f8320610cb01ed13d0c29f31a156158fa27e6eecc57da9d7037f73f83a0448f3e0bb29efa11ab67a02ed2f8c5a9733ff57f3c46c7c0b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
af997ab1634483e7529e0424c290be03

SHA1
ae663ddced5063c1fdd2efed1071cacdef19015a

SHA256
762286d4605ab3c194fe1bfad5438711bb278f6ff947065f926d7fa86a972f05

SHA512
d55d9dca99c6ebafebda6aae36bee9905c07c5380edc75ca5642428070fd3308fb96d8588a4c142916ff44ea2486591a148c3bbfdc36856cb5fd5f787711b190

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/584-342-0x0000000001270000-0x0000000001380000-memory.dmp

Filesize
1.1MB

Download
memory/684-32-0x0000000001280000-0x0000000001390000-memory.dmp

Filesize
1.1MB

Download
memory/1796-221-0x00000000000F0000-0x0000000000200000-memory.dmp

Filesize
1.1MB

Download
memory/1796-222-0x00000000005C0000-0x00000000005D2000-memory.dmp

Filesize
72KB

Download
memory/2008-580-0x00000000003C0000-0x00000000004D0000-memory.dmp

Filesize
1.1MB

Download
memory/2300-282-0x0000000000D30000-0x0000000000E40000-memory.dmp

Filesize
1.1MB

Download
memory/2624-43-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/2624-402-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2624-44-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/2960-16-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2960-15-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/2960-14-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/2960-13-0x0000000000140000-0x0000000000250000-memory.dmp

Filesize
1.1MB

Download
memory/2960-17-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download