dcrat | 7eb8eb0da26c2718d0809d3ece0fdfc3e91f366e70af1440fb11237ef2a10f4d

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7eb8eb0da26c2718d0809d3ece0fdfc3e91f366e70af1440fb11237ef2a10f4d.exe
Size

1.3MB
MD5

33741cf74e4b4b83a93cfcc292f68b00
SHA1

59deab59932e91f89ded7b1568037128845198c3
SHA256

7eb8eb0da26c2718d0809d3ece0fdfc3e91f366e70af1440fb11237ef2a10f4d
SHA512

b652a9039eab74019771b998bd544d14153d73176dfe7185a8b036035157e1a29b42cb7425b47e1b6cb563e7e266ddd1eb56bf62bfc60c73b80905a35f8d2f01
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	1520	schtasks.exe	34

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016458-9.dat	dcrat
behavioral1/memory/2904-13-0x0000000000B90000-0x0000000000CA0000-memory.dmp	dcrat
behavioral1/memory/2100-42-0x00000000013C0000-0x00000000014D0000-memory.dmp	dcrat
behavioral1/memory/1680-574-0x0000000000150000-0x0000000000260000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2080	powershell.exe
2344	powershell.exe
2336	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2904	DllCommonsvc.exe
2100	Idle.exe
1040	Idle.exe
2668	Idle.exe
320	Idle.exe
1924	Idle.exe
1144	Idle.exe
2232	Idle.exe
2660	Idle.exe
2644	Idle.exe
1680	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2916	cmd.exe
2916	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
26	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
15	raw.githubusercontent.com
19	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
22	raw.githubusercontent.com
30	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7eb8eb0da26c2718d0809d3ece0fdfc3e91f366e70af1440fb11237ef2a10f4d.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2232	schtasks.exe
1072	schtasks.exe
1180	schtasks.exe
2176	schtasks.exe
1308	schtasks.exe
2128	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2904	DllCommonsvc.exe
2344	powershell.exe
2336	powershell.exe
2080	powershell.exe
2100	Idle.exe
1040	Idle.exe
2668	Idle.exe
320	Idle.exe
1924	Idle.exe
1144	Idle.exe
2232	Idle.exe
2660	Idle.exe
2644	Idle.exe
1680	Idle.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	DllCommonsvc.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	2100	Idle.exe
Token: SeDebugPrivilege	1040	Idle.exe
Token: SeDebugPrivilege	2668	Idle.exe
Token: SeDebugPrivilege	320	Idle.exe
Token: SeDebugPrivilege	1924	Idle.exe
Token: SeDebugPrivilege	1144	Idle.exe
Token: SeDebugPrivilege	2232	Idle.exe
Token: SeDebugPrivilege	2660	Idle.exe
Token: SeDebugPrivilege	2644	Idle.exe
Token: SeDebugPrivilege	1680	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2788	2772	JaffaCakes118_7eb8eb0da26c2718d0809d3ece0fdfc3e91f366e70af1440fb11237ef2a10f4d.exe	30
PID 2772 wrote to memory of 2788	2772	JaffaCakes118_7eb8eb0da26c2718d0809d3ece0fdfc3e91f366e70af1440fb11237ef2a10f4d.exe	30
PID 2772 wrote to memory of 2788	2772	JaffaCakes118_7eb8eb0da26c2718d0809d3ece0fdfc3e91f366e70af1440fb11237ef2a10f4d.exe	30
PID 2772 wrote to memory of 2788	2772	JaffaCakes118_7eb8eb0da26c2718d0809d3ece0fdfc3e91f366e70af1440fb11237ef2a10f4d.exe	30
PID 2788 wrote to memory of 2916	2788	WScript.exe	31
PID 2788 wrote to memory of 2916	2788	WScript.exe	31
PID 2788 wrote to memory of 2916	2788	WScript.exe	31
PID 2788 wrote to memory of 2916	2788	WScript.exe	31
PID 2916 wrote to memory of 2904	2916	cmd.exe	33
PID 2916 wrote to memory of 2904	2916	cmd.exe	33
PID 2916 wrote to memory of 2904	2916	cmd.exe	33
PID 2916 wrote to memory of 2904	2916	cmd.exe	33
PID 2904 wrote to memory of 2344	2904	DllCommonsvc.exe	41
PID 2904 wrote to memory of 2344	2904	DllCommonsvc.exe	41
PID 2904 wrote to memory of 2344	2904	DllCommonsvc.exe	41
PID 2904 wrote to memory of 2336	2904	DllCommonsvc.exe	42
PID 2904 wrote to memory of 2336	2904	DllCommonsvc.exe	42
PID 2904 wrote to memory of 2336	2904	DllCommonsvc.exe	42
PID 2904 wrote to memory of 2080	2904	DllCommonsvc.exe	44
PID 2904 wrote to memory of 2080	2904	DllCommonsvc.exe	44
PID 2904 wrote to memory of 2080	2904	DllCommonsvc.exe	44
PID 2904 wrote to memory of 2624	2904	DllCommonsvc.exe	47
PID 2904 wrote to memory of 2624	2904	DllCommonsvc.exe	47
PID 2904 wrote to memory of 2624	2904	DllCommonsvc.exe	47
PID 2624 wrote to memory of 2284	2624	cmd.exe	49
PID 2624 wrote to memory of 2284	2624	cmd.exe	49
PID 2624 wrote to memory of 2284	2624	cmd.exe	49
PID 2624 wrote to memory of 2100	2624	cmd.exe	50
PID 2624 wrote to memory of 2100	2624	cmd.exe	50
PID 2624 wrote to memory of 2100	2624	cmd.exe	50
PID 2100 wrote to memory of 1952	2100	Idle.exe	51
PID 2100 wrote to memory of 1952	2100	Idle.exe	51
PID 2100 wrote to memory of 1952	2100	Idle.exe	51
PID 1952 wrote to memory of 648	1952	cmd.exe	53
PID 1952 wrote to memory of 648	1952	cmd.exe	53
PID 1952 wrote to memory of 648	1952	cmd.exe	53
PID 1952 wrote to memory of 1040	1952	cmd.exe	54
PID 1952 wrote to memory of 1040	1952	cmd.exe	54
PID 1952 wrote to memory of 1040	1952	cmd.exe	54
PID 1040 wrote to memory of 2760	1040	Idle.exe	55
PID 1040 wrote to memory of 2760	1040	Idle.exe	55
PID 1040 wrote to memory of 2760	1040	Idle.exe	55
PID 2760 wrote to memory of 2788	2760	cmd.exe	57
PID 2760 wrote to memory of 2788	2760	cmd.exe	57
PID 2760 wrote to memory of 2788	2760	cmd.exe	57
PID 2760 wrote to memory of 2668	2760	cmd.exe	58
PID 2760 wrote to memory of 2668	2760	cmd.exe	58
PID 2760 wrote to memory of 2668	2760	cmd.exe	58
PID 2668 wrote to memory of 1088	2668	Idle.exe	59
PID 2668 wrote to memory of 1088	2668	Idle.exe	59
PID 2668 wrote to memory of 1088	2668	Idle.exe	59
PID 1088 wrote to memory of 2000	1088	cmd.exe	61
PID 1088 wrote to memory of 2000	1088	cmd.exe	61
PID 1088 wrote to memory of 2000	1088	cmd.exe	61
PID 1088 wrote to memory of 320	1088	cmd.exe	62
PID 1088 wrote to memory of 320	1088	cmd.exe	62
PID 1088 wrote to memory of 320	1088	cmd.exe	62
PID 320 wrote to memory of 816	320	Idle.exe	63
PID 320 wrote to memory of 816	320	Idle.exe	63
PID 320 wrote to memory of 816	320	Idle.exe	63
PID 816 wrote to memory of 824	816	cmd.exe	65
PID 816 wrote to memory of 824	816	cmd.exe	65
PID 816 wrote to memory of 824	816	cmd.exe	65
PID 816 wrote to memory of 1924	816	cmd.exe	66

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7eb8eb0da26c2718d0809d3ece0fdfc3e91f366e70af1440fb11237ef2a10f4d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7eb8eb0da26c2718d0809d3ece0fdfc3e91f366e70af1440fb11237ef2a10f4d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\42CEn0iP2b.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2624
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2284
      - C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xgactKMGCU.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:648
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UxOjVeUiuv.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2788
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\12JaEZR6zX.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2000
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r7gOBUt9HL.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:824
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0MFyH7TMVd.bat"
        15⤵
        
        PID:2900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2408
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s2EHkno7yQ.bat"
        17⤵
        
        PID:1988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2616
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TiDn8Em9ri.bat"
        19⤵
        
        PID:1868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:364
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RdAvGBYmjZ.bat"
        21⤵
        
        PID:2832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2876
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\d8IMWcflW5.bat"
        23⤵
        
        PID:2952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1308
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
20bbf89853224a28dc7f7cd3dff8e846

SHA1
f9a990e61edcc17823d49f4af6898cea880b6af4

SHA256
b2b62e7ab5d731045859ea22a23967c146c941b266f1590c734cef9110521dfd

SHA512
0fb4e631309928616fde202d7817a62ac0eee3404c09a9e3d97058ad81473c97710866b5b839e32841cb32969422d34e61a27767f61b5973ddf1aa989fed5027

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a73a0cbfbd18a95735631472b9dc680d

SHA1
440ebf5c915fd991de9ee32843fd8a75c5fddbec

SHA256
e3169afc53fbaa991a596f58ae2313850a94e740f06ae3bd87973c7519bc236a

SHA512
44fcc062926b508e83e4d4bf8e16d62a8e2a8ff3b0e743d8208b7f3453bc4396de12dfb7fb12037f9c06852465c7efa3096ad3f7c0b7dd66e33354d71005c6d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ceea0f67d93b7189bd5e11447a25ac62

SHA1
afc63f3bfa62c188150085434e8c109355370d6c

SHA256
16b713012a44bc93d23435c7eb1e9e78156a9408c11cdec10a76fcead05e41ce

SHA512
1052f2935daa54c71f3790ffce618d694479623ea672fa23cfdac4b2a16ac54ad328919c0aa69244bf2717406df6d7b0fcebd62c653c32a48b8058eae6bc8452

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c61ca229dad00686646af74b29135153

SHA1
9e13514de18c87857ff145c01d5a4bdca7803f96

SHA256
308dbc3f7a552fe2ab235c856348bc6a0bf53adc8bdf91375aa75288702e2472

SHA512
5fb4d27656346729ab23203221dafe3fec50f43d415b26044679539dbed2fbb79f5e4d3b40e7c990563d437c126e5f9ecfd7405b7862b4d7de7bd493e9b2e1d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3ba74b730cbff7013210dcf1f6cf814

SHA1
d50f911a48f4d7e6186874a1faaeab576a9f2000

SHA256
5fbbcdfa3bb14078c15ba15f2d0b57ee9df776088293b363593a23087d9594cb

SHA512
421e6d18d04a7b194268335a8708711a8199005c2f29e975c9e62bea62a8a6db9bc66536c779d20bbc420b70d4322e309f4c6572d4f3fc0bdcdabe31051f18e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33142baf83374f918f5389a120abc5b8

SHA1
72c25a7f0059781dc520c030cc3862f663a0b98d

SHA256
593a77aa7c7312ab9d246539c605c05d2d28db2ed0699b591e0facab3bb0c8e9

SHA512
3e004cf66f21d54a793a61b6bbcaa35efaaebe0e6938b89aabd9b811ae221a91cd660f1e47d27cf7b882f9a90f9bfe24660cb201fb770946e561576e559480db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da7787f59b7ad88eea990e871629a463

SHA1
bf810330780c7962fe96f438f7e24649a683d28a

SHA256
66c1757f6a34b1553e8ff7bbace07ac2297f60afba36f197c158780f9d076d79

SHA512
0ad145921082701e492af58b0fd087dde108e56b92a188583eb0e3c674e84ffefc41ba21d765183016c5911031a46868593ba891661e069ed06ac04a8725d604

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
21e83e88af5acc90b01b392823c4161b

SHA1
9f63b3c9c43a5ef5e0eeba2c5cba2b3961205163

SHA256
4d33736a101cac4736552660d092220c872d5655a9d278883b6e01b3cdb9d3fd

SHA512
49053268355ee6e7b01f94a1ecd71370c448691692c9ea8a5db0afed56e60bd03f31d5d73484ca85a79b5f5c6af885809f9f65cee7c051455b98f35001f1d3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\0MFyH7TMVd.bat

Filesize
222B

MD5
397a4bb3fc59e95918c6baf0905903dc

SHA1
0b9b613dfda8632d522ef91cf0bcfa940e59ee64

SHA256
d98255a4878cb18332b6509b747fd7e1626333ba89de681c020fd2c8a1a2fe7c

SHA512
10e27ddc8cfa3d31ce3fab233965582d8894bd99725a212d2207039207c9bc2f4ad8af1435b4e0af50ed715c2b9b6e5f0c208e9ae88dcea351577029b3c9d4dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\12JaEZR6zX.bat

Filesize
222B

MD5
0ecb9f7ba20728b42a349b56aeafa38e

SHA1
ec5495717e1e39d7b50dd47685a2e3cfd201e757

SHA256
28f190869919a97984d97df9493b4e13eae8113021c5d67d07c4bfcba5d465b4

SHA512
8c73646deb5626f9998f6258a104d50753f0ca9c110499750e6801716c987abb885511ad7b871c5781e85d15557d813661edd3c3fe6d5d0f091af6dca7a4b56f

Download Submit
C:\Users\Admin\AppData\Local\Temp\42CEn0iP2b.bat

Filesize
222B

MD5
85081ceee076448fb3abcec8205f01be

SHA1
89923349d00c3dcc176b9c6221238373f17114b2

SHA256
8f6d51ef8b6f22bfde42cc908fac046b8abb270863924168bf900842e02f3085

SHA512
c852a92d793d2450e355770610b2f66a2480bce2488bd4fd66e1dde5bca1fb229fdc0d60c647fe586c9761d8837832c7fb7605ac1160964ca5934b2ebdcf6bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8B03.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RdAvGBYmjZ.bat

Filesize
222B

MD5
490e2559e446b5d95ce81002e30e9217

SHA1
76f8ee47e7663cba764b4311bd7b4ab86e8f60e1

SHA256
f0f3f8de342e466dcd9a0a89ed7b7e3b9359bd69eb3fc5840dc5db70acaaef60

SHA512
e83e008686cc3fadc80c95b29e6572aa244d116e20a4f306654b1526d76dd1fdbdc7a792f7bf67a877a773291ddacf4cadc3c776b2050703bbecfc9cac1e4241

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8B34.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TiDn8Em9ri.bat

Filesize
222B

MD5
143ce6575e300b0b0a0360353667fc07

SHA1
b5a72f9c522821cedccbbcdb73b7bfde00d2afe1

SHA256
b48dd66b3c685212920c812d976eb87643b05b4c87637f6c3c4a892604158b04

SHA512
22d7c8a474d43aa6e180c6e52579532f527dcf6f108b6c7c24b55083a776f18fadfeee2836697bef139809875bfbf8751298b7691d311920b4ed597600e6d3ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\UxOjVeUiuv.bat

Filesize
222B

MD5
bcb0f463b74b344cacc2971ecf153dae

SHA1
5003b7313352b7abf72dacb658c88fbe124694ae

SHA256
d8f29dad65c46cd64c1d54ad1d47d45e5b247112097fb5109786a70667c2f628

SHA512
15619da19bcd3a3d429be945fc0f2ec51359ae794fb8e40109f16167a707c8bc56e8134412c980de3651bc0327694bcf4b366532352f803c8c71792a2e51b5ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\d8IMWcflW5.bat

Filesize
222B

MD5
8daa94c78f86afe1e3307441f34b1e14

SHA1
186e293ab13d23795a5f006fd7288580d42a249c

SHA256
a1b9c069268bced47b4784a5e86dd77f4e5835628b01f536cd305971f7adeee8

SHA512
6017ecd7e62223df085356ff8ba84e0a09e53caae78e2d95114c2c50ea41142d7b673491cb304656018816aea1a90c7b10dedaee013c21e521d393371bec45f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\r7gOBUt9HL.bat

Filesize
222B

MD5
05f5c00556f16a9d628f26cdff1b811c

SHA1
3359df75aa8d66f2f2b98b61995dfdcce4069274

SHA256
aa8b5f907f1d8b8f6dcf3e9958bd9d73dfb2efca4f3d46b01739f7cff4547393

SHA512
5dff54bee75c27c4d08826636caad81968b007ff63a5d57cc2ada9cad837ef5b745c878c74ba914c0b1c2d9099edd342a3b36a451a2171ac493e177b859da272

Download Submit
C:\Users\Admin\AppData\Local\Temp\s2EHkno7yQ.bat

Filesize
222B

MD5
b2acdea1aeea19a1ab194bcad82f29fe

SHA1
da028440fc195ee8e00f992ec341772dbd24780f

SHA256
e7074015ab23092397cdb502cf59be400d370a4a322ad5c00d607433d2a2dfa4

SHA512
5cce1c1829c21ae866ad86bcc9570477ce351aff17e552e6adb27405f9f21121ff388f194f8b496b152b58608112f0a6abe06d12c77cf13f8dc4c2d5602539df

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgactKMGCU.bat

Filesize
222B

MD5
6d990c7974ea68c93d106cfbd3104be2

SHA1
8df3f3c0240fe9cedd890b438f205c0612230781

SHA256
db02704c1f22e7e80e60319395e2ee9f9b95d4b9c548772a85dd5e23ca3cee9d

SHA512
7daacaa9ff764a32ea38e3804016334c3981dae0b8a55a95fdbc15d50772e28a6da25222a7b6e14a09cd0f00a3eb8361216c83f2b04228097061687da5d65066

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
206ab3138afecece0cb811d5ec879cf4

SHA1
75610618d46c3616ee91718069df162d18b588e4

SHA256
60515583d1a30190bf56c2d9680dbcbccdd16683109acac828833d6a25fb595b

SHA512
007e813d0d9f2ab7e29b3e67dc026e97de3ec256ea279523c551239c88a51e4d167af941d3952072a1578325c03af3ab0f868dd98878d9655325d9786d897b06

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1680-575-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1680-574-0x0000000000150000-0x0000000000260000-memory.dmp

Filesize
1.1MB

Download
memory/2100-43-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2100-42-0x00000000013C0000-0x00000000014D0000-memory.dmp

Filesize
1.1MB

Download
memory/2344-38-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/2344-37-0x000000001B350000-0x000000001B632000-memory.dmp

Filesize
2.9MB

Download
memory/2904-17-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

Filesize
48KB

Download
memory/2904-13-0x0000000000B90000-0x0000000000CA0000-memory.dmp

Filesize
1.1MB

Download
memory/2904-14-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/2904-15-0x0000000000A90000-0x0000000000A9C000-memory.dmp

Filesize
48KB

Download
memory/2904-16-0x0000000000A00000-0x0000000000A0C000-memory.dmp

Filesize
48KB

Download