dcrat | f39e16190b3c97670dbd39c9ddada53857c38be6737d9f379b57d706292d5815

Analysis

max time kernel
147s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67EFB6282221428E7FF63B87DF2F6522.exe
Size

3.5MB
MD5

67efb6282221428e7ff63b87df2f6522
SHA1

d358efb4f979b90c159b505d374f475253d04367
SHA256

f39e16190b3c97670dbd39c9ddada53857c38be6737d9f379b57d706292d5815
SHA512

00443a9f7dda6d9d75d5ad39a802d66e26acb1f2f619462befbe82ac12c9ab47b5d02c6a721dea552d1bc498976ac11b4a6452f5bcfc887392abde49ff6f96f2
SSDEEP

98304:wijoKCxGO1tnxHRMvCcxXue73F43f+YA:wi0KCxGO1tnVR+XV73u3WH

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Speech\Engines\smss.exe	67EFB6282221428E7FF63B87DF2F6522.exe
File opened for modification	C:\Windows\Speech\Engines\smss.exe	67EFB6282221428E7FF63B87DF2F6522.exe
File created	C:\Windows\Speech\Engines\69ddcba757bf72	67EFB6282221428E7FF63B87DF2F6522.exe
File created	C:\Windows\system\winlogon.exe	67EFB6282221428E7FF63B87DF2F6522.exe
File created	C:\Windows\system\cc11b995f2a76d	67EFB6282221428E7FF63B87DF2F6522.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
280	PING.EXE
1744	PING.EXE
2292	PING.EXE
1968	PING.EXE
2608	PING.EXE
1948	PING.EXE
1496	PING.EXE

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
1744	PING.EXE
2292	PING.EXE
1968	PING.EXE
2608	PING.EXE
1948	PING.EXE
1496	PING.EXE
280	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe
2012	67EFB6282221428E7FF63B87DF2F6522.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2012	67EFB6282221428E7FF63B87DF2F6522.exe
Token: SeDebugPrivilege	2656	67EFB6282221428E7FF63B87DF2F6522.exe
Token: SeDebugPrivilege	3000	67EFB6282221428E7FF63B87DF2F6522.exe
Token: SeDebugPrivilege	1600	67EFB6282221428E7FF63B87DF2F6522.exe
Token: SeDebugPrivilege	2148	67EFB6282221428E7FF63B87DF2F6522.exe
Token: SeDebugPrivilege	2596	67EFB6282221428E7FF63B87DF2F6522.exe
Token: SeDebugPrivilege	2812	67EFB6282221428E7FF63B87DF2F6522.exe
Token: SeDebugPrivilege	3060	67EFB6282221428E7FF63B87DF2F6522.exe
Token: SeDebugPrivilege	2368	67EFB6282221428E7FF63B87DF2F6522.exe
Token: SeDebugPrivilege	2692	67EFB6282221428E7FF63B87DF2F6522.exe
Token: SeDebugPrivilege	2432	67EFB6282221428E7FF63B87DF2F6522.exe
Token: SeDebugPrivilege	1004	67EFB6282221428E7FF63B87DF2F6522.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2912	2012	67EFB6282221428E7FF63B87DF2F6522.exe	30
PID 2012 wrote to memory of 2912	2012	67EFB6282221428E7FF63B87DF2F6522.exe	30
PID 2012 wrote to memory of 2912	2012	67EFB6282221428E7FF63B87DF2F6522.exe	30
PID 2912 wrote to memory of 2680	2912	cmd.exe	32
PID 2912 wrote to memory of 2680	2912	cmd.exe	32
PID 2912 wrote to memory of 2680	2912	cmd.exe	32
PID 2912 wrote to memory of 2608	2912	cmd.exe	33
PID 2912 wrote to memory of 2608	2912	cmd.exe	33
PID 2912 wrote to memory of 2608	2912	cmd.exe	33
PID 2912 wrote to memory of 2656	2912	cmd.exe	34
PID 2912 wrote to memory of 2656	2912	cmd.exe	34
PID 2912 wrote to memory of 2656	2912	cmd.exe	34
PID 2656 wrote to memory of 2004	2656	67EFB6282221428E7FF63B87DF2F6522.exe	37
PID 2656 wrote to memory of 2004	2656	67EFB6282221428E7FF63B87DF2F6522.exe	37
PID 2656 wrote to memory of 2004	2656	67EFB6282221428E7FF63B87DF2F6522.exe	37
PID 2004 wrote to memory of 1360	2004	cmd.exe	39
PID 2004 wrote to memory of 1360	2004	cmd.exe	39
PID 2004 wrote to memory of 1360	2004	cmd.exe	39
PID 2004 wrote to memory of 1480	2004	cmd.exe	40
PID 2004 wrote to memory of 1480	2004	cmd.exe	40
PID 2004 wrote to memory of 1480	2004	cmd.exe	40
PID 2004 wrote to memory of 3000	2004	cmd.exe	41
PID 2004 wrote to memory of 3000	2004	cmd.exe	41
PID 2004 wrote to memory of 3000	2004	cmd.exe	41
PID 3000 wrote to memory of 1664	3000	67EFB6282221428E7FF63B87DF2F6522.exe	42
PID 3000 wrote to memory of 1664	3000	67EFB6282221428E7FF63B87DF2F6522.exe	42
PID 3000 wrote to memory of 1664	3000	67EFB6282221428E7FF63B87DF2F6522.exe	42
PID 1664 wrote to memory of 952	1664	cmd.exe	44
PID 1664 wrote to memory of 952	1664	cmd.exe	44
PID 1664 wrote to memory of 952	1664	cmd.exe	44
PID 1664 wrote to memory of 1948	1664	cmd.exe	45
PID 1664 wrote to memory of 1948	1664	cmd.exe	45
PID 1664 wrote to memory of 1948	1664	cmd.exe	45
PID 1664 wrote to memory of 1600	1664	cmd.exe	46
PID 1664 wrote to memory of 1600	1664	cmd.exe	46
PID 1664 wrote to memory of 1600	1664	cmd.exe	46
PID 1600 wrote to memory of 3036	1600	67EFB6282221428E7FF63B87DF2F6522.exe	47
PID 1600 wrote to memory of 3036	1600	67EFB6282221428E7FF63B87DF2F6522.exe	47
PID 1600 wrote to memory of 3036	1600	67EFB6282221428E7FF63B87DF2F6522.exe	47
PID 3036 wrote to memory of 1620	3036	cmd.exe	49
PID 3036 wrote to memory of 1620	3036	cmd.exe	49
PID 3036 wrote to memory of 1620	3036	cmd.exe	49
PID 3036 wrote to memory of 1496	3036	cmd.exe	50
PID 3036 wrote to memory of 1496	3036	cmd.exe	50
PID 3036 wrote to memory of 1496	3036	cmd.exe	50
PID 3036 wrote to memory of 2148	3036	cmd.exe	51
PID 3036 wrote to memory of 2148	3036	cmd.exe	51
PID 3036 wrote to memory of 2148	3036	cmd.exe	51
PID 2148 wrote to memory of 2828	2148	67EFB6282221428E7FF63B87DF2F6522.exe	52
PID 2148 wrote to memory of 2828	2148	67EFB6282221428E7FF63B87DF2F6522.exe	52
PID 2148 wrote to memory of 2828	2148	67EFB6282221428E7FF63B87DF2F6522.exe	52
PID 2828 wrote to memory of 2072	2828	cmd.exe	54
PID 2828 wrote to memory of 2072	2828	cmd.exe	54
PID 2828 wrote to memory of 2072	2828	cmd.exe	54
PID 2828 wrote to memory of 2696	2828	cmd.exe	55
PID 2828 wrote to memory of 2696	2828	cmd.exe	55
PID 2828 wrote to memory of 2696	2828	cmd.exe	55
PID 2828 wrote to memory of 2596	2828	cmd.exe	56
PID 2828 wrote to memory of 2596	2828	cmd.exe	56
PID 2828 wrote to memory of 2596	2828	cmd.exe	56
PID 2596 wrote to memory of 2344	2596	67EFB6282221428E7FF63B87DF2F6522.exe	57
PID 2596 wrote to memory of 2344	2596	67EFB6282221428E7FF63B87DF2F6522.exe	57
PID 2596 wrote to memory of 2344	2596	67EFB6282221428E7FF63B87DF2F6522.exe	57
PID 2344 wrote to memory of 3044	2344	cmd.exe	59

C:\Users\Admin\AppData\Local\Temp\67EFB6282221428E7FF63B87DF2F6522.exe
"C:\Users\Admin\AppData\Local\Temp\67EFB6282221428E7FF63B87DF2F6522.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TRuzRfGmcB.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2680
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2608
- - C:\Users\Admin\AppData\Local\Temp\67EFB6282221428E7FF63B87DF2F6522.exe
    "C:\Users\Admin\AppData\Local\Temp\67EFB6282221428E7FF63B87DF2F6522.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FfDOv2d6gz.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2004
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1360
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:1480
    - - C:\Users\Admin\AppData\Local\Temp\67EFB6282221428E7FF63B87DF2F6522.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67EFB6282221428E7FF63B87DF2F6522.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3000
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NdqlWD9npX.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\67EFB6282221428E7FF63B87DF2F6522.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67EFB6282221428E7FF63B87DF2F6522.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vBpF9HAQp1.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\67EFB6282221428E7FF63B87DF2F6522.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67EFB6282221428E7FF63B87DF2F6522.exe"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\y9xm5D5TAc.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2072
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\67EFB6282221428E7FF63B87DF2F6522.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67EFB6282221428E7FF63B87DF2F6522.exe"
        11⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NdqlWD9npX.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:3044
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:280
        
        C:\Users\Admin\AppData\Local\Temp\67EFB6282221428E7FF63B87DF2F6522.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67EFB6282221428E7FF63B87DF2F6522.exe"
        13⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PN8AyO50yD.bat"
        14⤵
        
        PID:2564
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\67EFB6282221428E7FF63B87DF2F6522.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67EFB6282221428E7FF63B87DF2F6522.exe"
        15⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B0uJAwGmBV.bat"
        16⤵
        
        PID:2548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\67EFB6282221428E7FF63B87DF2F6522.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67EFB6282221428E7FF63B87DF2F6522.exe"
        17⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e96MM2hRMu.bat"
        18⤵
        
        PID:2736
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1856
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\67EFB6282221428E7FF63B87DF2F6522.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67EFB6282221428E7FF63B87DF2F6522.exe"
        19⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lV5no6Klb5.bat"
        20⤵
        
        PID:2608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1784
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\67EFB6282221428E7FF63B87DF2F6522.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67EFB6282221428E7FF63B87DF2F6522.exe"
        21⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4len57naH7.bat"
        22⤵
        
        PID:1068
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\67EFB6282221428E7FF63B87DF2F6522.exe
        
        "C:\Users\Admin\AppData\Local\Temp\67EFB6282221428E7FF63B87DF2F6522.exe"
        23⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BVR2CWKREk.bat"
        24⤵
        
        PID:2032
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2508
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Templates\spoolsv.exe

Filesize
3.5MB

MD5
67efb6282221428e7ff63b87df2f6522

SHA1
d358efb4f979b90c159b505d374f475253d04367

SHA256
f39e16190b3c97670dbd39c9ddada53857c38be6737d9f379b57d706292d5815

SHA512
00443a9f7dda6d9d75d5ad39a802d66e26acb1f2f619462befbe82ac12c9ab47b5d02c6a721dea552d1bc498976ac11b4a6452f5bcfc887392abde49ff6f96f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\4len57naH7.bat

Filesize
246B

MD5
a9008d7679cd15d9cefa003af627d2f6

SHA1
df983fe3e8a4f442632cf74e95862445eeb943e7

SHA256
749e1d1758231e024709b5cf0d47fe2a81d7d290ef9c0ccbe7a39e232a8bd3cd

SHA512
2e5853da670439eba1e4ae80335128e300c40b1ab669253a9bb44cd7e0de002a73ed8aa3570b67d01380a2ff069a829d615e8a963952299712cbc62e2a07e2e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0uJAwGmBV.bat

Filesize
198B

MD5
01af05b45c53683a4a55b2246606418d

SHA1
5d7fca8917851416d4872ca6c9c46ee697c37e5f

SHA256
4410f0ced603844ac9e362b1d405d31250bcc93471a04013ce0324203a0d4a01

SHA512
adbbc15838d6c6e20a3b93405b5b13c038c0975f98299bd07a8d6e34c6fd21c91c47a80ef8d75e7d69768c3c12b70ae71852d26ef6cf550ef58c65cf1ae81604

Download Submit
C:\Users\Admin\AppData\Local\Temp\BVR2CWKREk.bat

Filesize
246B

MD5
194a05dbe302ff308d136d70e86d9067

SHA1
081db2f39824f1e47c2ef7b9fb5b846bdd61380a

SHA256
1aae487aa85fb6c0dc7537f1c30c6792314e67cdaf9c0d4ce420749a5b71ed58

SHA512
a1b5c121d8ce94ce8bf25500750bbd52971eb3d9a23827f49f26f9dbe33b981066e25e483179c0ff70703e1cdfdc463060a27213116e67382017145c97bd5088

Download Submit
C:\Users\Admin\AppData\Local\Temp\FfDOv2d6gz.bat

Filesize
246B

MD5
12699734ed49f273a28056298844a3c4

SHA1
c5a43c92e0a8d3267fe00810c0ec484a69d4ce16

SHA256
f3e9ff7e5870f9e299dbf9a0a467174572212f599ef12d02638902b6a9aa8b20

SHA512
85f8c8062094b1c97e1ab9aeab349f762f8f8621dcd978e144f1452e0bd0d7bf1eb934abbb83f490bef7c12fccc5743c040dab85b9d65fe436d8a3f25b8a3587

Download Submit
C:\Users\Admin\AppData\Local\Temp\NdqlWD9npX.bat

Filesize
198B

MD5
f4ca1c545598dcd06b2717ae640465b4

SHA1
f82ec9a97191a192d43ff3434f9b12e250edce2f

SHA256
f260d4a4dbe2d6624164a8dae107a652a5613fb3af988f84d05042a7be891aea

SHA512
7efb7ee5d3d35c247c7c263c6477bf58507dccb13ee48d3bc3ac29cfd9eb5def80666fa2e022f2698ce8e71e78b648fefacf3f18ce261c106d9f41983f3923a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\PN8AyO50yD.bat

Filesize
246B

MD5
b133b104b216b5018d26f27f615f0534

SHA1
0b0b10e7fe62ae9d3d9ce06fce144bbd314aeb95

SHA256
8af3b265e6a168963dabf38f8e2b1865362ecaacfed5c03421e03e9bbb31a171

SHA512
328afb5a490f289dc790c16d0ddf654f023ef6210a636eb9df93c054f0a5e01677d3dde631376d6ca105d2b41e572b223ecae6b0e92c396a9ed2e123197c68f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TRuzRfGmcB.bat

Filesize
198B

MD5
8ff198bd21bdce2cfb6effcb4aa77951

SHA1
4080e087f56c60b4a78b4631399ff21d579f9e06

SHA256
9c0ed2249476af0a13cc94a49a48c6d2f859deb2be92324750bbcdaa178372ce

SHA512
0e3fc0c897681ed1a4a713e282265bade7065a7ea32316c86f55450af2012b7d0939d460af6e17aea162f02d9f953feb1a4ec3b9c1af3acddf69efc6efe3b6cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\e96MM2hRMu.bat

Filesize
198B

MD5
4decc6e1ccc807fd43a23f7590d8f74a

SHA1
227ebcce4bf6d77562458123b7a8527139690a98

SHA256
1e12893af3835a0aa098c49f132082df9ec7699307af13864b8c5d2515e8728f

SHA512
1fc86725e0b7dee8be118e5ff2a6181ecc89bda469ef46e6ebb645d2c72363a2c112cc9b24127df5526a7ef2c24160b65983f206487b95d63f39aef84434195d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lV5no6Klb5.bat

Filesize
198B

MD5
0f3e26253fbbb9a66cadef1000ec62b7

SHA1
a63e962a06054e2ead627b521d7a70d30ed92685

SHA256
f87774e89db0093b61f1bf96a54cc77366b27eadac7fe0a9bae673fceb5cfcd4

SHA512
b976ea1e260addbb8d02dd31900afae306fe1525516f20c962444c99374b0ac41a7168a922aa88855db7e6bdda4a8aaf1563181d520dc2dae8c68d4c423da4f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vBpF9HAQp1.bat

Filesize
198B

MD5
cbb4acab9fca879a994dc399de2b560d

SHA1
6cc5265799ada1962c2e3d45c8fe94ec598a9223

SHA256
3a770d55832db9058d781748bcf59c60a9236462df5b673ce2222a066fb999f7

SHA512
39567c100cfaa8751a53bddac04ea11299ac87f0b3971a2f150ed55e07fd77b1c0e9327346ee1abce662a11ccf9a77dd1b997742dc6ac4c6f885b75f8c63bfbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9xm5D5TAc.bat

Filesize
246B

MD5
2bec4ca6dc49ebb4f1711b1d42e69939

SHA1
e09c924e903e71609a3a2fb527e3e0d91dd51c0a

SHA256
dfd50619f50d0fe581082b21d72ec4355643451f09f9e5f83248d40351f1e498

SHA512
bd0d95f4d075c843e0a75e5de0679bf69adb42234bbd8958eb158b91812671cf0ace2b8f1c78c12ad5d7ad059cf20734f0c8eb3914f75fdb9d55bbdfc6c77da2

Download Submit
memory/1600-125-0x0000000001330000-0x00000000016B4000-memory.dmp

Filesize
3.5MB

Download
memory/2012-26-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

Filesize
9.9MB

Download
memory/2012-28-0x0000000000AA0000-0x0000000000AB2000-memory.dmp

Filesize
72KB

Download
memory/2012-23-0x0000000000600000-0x0000000000610000-memory.dmp

Filesize
64KB

Download
memory/2012-21-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

Filesize
9.9MB

Download
memory/2012-20-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

Filesize
9.9MB

Download
memory/2012-19-0x00000000005F0000-0x0000000000600000-memory.dmp

Filesize
64KB

Download
memory/2012-17-0x0000000000840000-0x0000000000858000-memory.dmp

Filesize
96KB

Download
memory/2012-31-0x0000000002400000-0x0000000002416000-memory.dmp

Filesize
88KB

Download
memory/2012-33-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/2012-35-0x0000000000860000-0x000000000086E000-memory.dmp

Filesize
56KB

Download
memory/2012-37-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download
memory/2012-39-0x0000000000A00000-0x0000000000A10000-memory.dmp

Filesize
64KB

Download
memory/2012-41-0x0000000002530000-0x000000000258A000-memory.dmp

Filesize
360KB

Download
memory/2012-43-0x0000000000A10000-0x0000000000A1E000-memory.dmp

Filesize
56KB

Download
memory/2012-45-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download
memory/2012-47-0x0000000002450000-0x000000000245E000-memory.dmp

Filesize
56KB

Download
memory/2012-49-0x0000000002480000-0x0000000002498000-memory.dmp

Filesize
96KB

Download
memory/2012-51-0x0000000002460000-0x000000000246C000-memory.dmp

Filesize
48KB

Download
memory/2012-53-0x000000001B000000-0x000000001B04E000-memory.dmp

Filesize
312KB

Download
memory/2012-0-0x000007FEF58F3000-0x000007FEF58F4000-memory.dmp

Filesize
4KB

Download
memory/2012-69-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

Filesize
9.9MB

Download
memory/2012-25-0x0000000000610000-0x000000000061E000-memory.dmp

Filesize
56KB

Download
memory/2012-1-0x00000000000B0000-0x0000000000434000-memory.dmp

Filesize
3.5MB

Download
memory/2012-29-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

Filesize
9.9MB

Download
memory/2012-2-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

Filesize
9.9MB

Download
memory/2012-15-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

Filesize
9.9MB

Download
memory/2012-14-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/2012-12-0x0000000000820000-0x000000000083C000-memory.dmp

Filesize
112KB

Download
memory/2012-3-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

Filesize
9.9MB

Download
memory/2012-10-0x0000000000590000-0x000000000059E000-memory.dmp

Filesize
56KB

Download
memory/2012-4-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

Filesize
9.9MB

Download
memory/2012-6-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

Filesize
9.9MB

Download
memory/2012-7-0x00000000005C0000-0x00000000005E6000-memory.dmp

Filesize
152KB

Download
memory/2012-8-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

Filesize
9.9MB

Download
memory/2148-152-0x0000000000380000-0x0000000000704000-memory.dmp

Filesize
3.5MB

Download
memory/2368-261-0x0000000001090000-0x0000000001414000-memory.dmp

Filesize
3.5MB

Download
memory/2432-315-0x00000000013A0000-0x0000000001724000-memory.dmp

Filesize
3.5MB

Download
memory/2596-179-0x0000000000320000-0x00000000006A4000-memory.dmp

Filesize
3.5MB

Download
memory/2656-71-0x0000000000F30000-0x00000000012B4000-memory.dmp

Filesize
3.5MB

Download
memory/2692-288-0x00000000003E0000-0x0000000000764000-memory.dmp

Filesize
3.5MB

Download
memory/2812-206-0x0000000001140000-0x00000000014C4000-memory.dmp

Filesize
3.5MB

Download
memory/3000-98-0x0000000000300000-0x0000000000684000-memory.dmp

Filesize
3.5MB

Download
memory/3060-233-0x0000000000270000-0x00000000005F4000-memory.dmp

Filesize
3.5MB

Download