dcrat | 61a895f11ef7bc4781b9dc1db2b9ae51fb84bd4af5efdfd2ed946092f9e19864

Analysis

max time kernel
93s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2025 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sаbvixUI.exe
Size

1.5MB
MD5

8f5b3e1fc1f550a044a079c1089a3e4f
SHA1

4c0cea34acd355e2fd8522ae6d6ff74fbfc406c4
SHA256

61a895f11ef7bc4781b9dc1db2b9ae51fb84bd4af5efdfd2ed946092f9e19864
SHA512

17eb64a4ab81db13f112c26889836aba6ad6657a3aa8fb4d10dfe5bbaac08c9eecf97e71c48290abed9e6121af47458be4fdc0affb751a16ae2fdbd411d97fbe
SSDEEP

24576:U2G/nvxW3Ww0tHpfnNcVKuQ8BFFKS01CEUgYBJlc7535I4YzDAIEqNn:UbA30JfdD8nFKC453Z0Arqd

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	368	1900	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	1900	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	1900	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	1900	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	1900	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3556	1900	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	1900	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3408	1900	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	1900	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	1900	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	1900	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	1900	schtasks.exe	89

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023c8c-9.dat	dcrat
behavioral2/memory/4792-13-0x0000000000790000-0x00000000008C4000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	componentsavesCommon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sаbvixUI.exe

Executes dropped EXE 10 IoCs

pid	Process
4792	componentsavesCommon.exe
572	upfc.exe
1824	upfc.exe
672	upfc.exe
4188	upfc.exe
816	upfc.exe
5088	upfc.exe
4092	upfc.exe
1072	upfc.exe
396	upfc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Resources\conhost.exe	componentsavesCommon.exe
File created	C:\Windows\Resources\088424020bedd6	componentsavesCommon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sаbvixUI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sаbvixUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	componentsavesCommon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1152	schtasks.exe
2976	schtasks.exe
4676	schtasks.exe
368	schtasks.exe
2172	schtasks.exe
760	schtasks.exe
2008	schtasks.exe
3408	schtasks.exe
404	schtasks.exe
3556	schtasks.exe
4632	schtasks.exe
1524	schtasks.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
4792	componentsavesCommon.exe
4792	componentsavesCommon.exe
4792	componentsavesCommon.exe
4792	componentsavesCommon.exe
4792	componentsavesCommon.exe
4792	componentsavesCommon.exe
4792	componentsavesCommon.exe
4792	componentsavesCommon.exe
4792	componentsavesCommon.exe
572	upfc.exe
572	upfc.exe
572	upfc.exe
572	upfc.exe
572	upfc.exe
572	upfc.exe
572	upfc.exe
572	upfc.exe
572	upfc.exe
1824	upfc.exe
1824	upfc.exe
1824	upfc.exe
1824	upfc.exe
1824	upfc.exe
1824	upfc.exe
1824	upfc.exe
672	upfc.exe
672	upfc.exe
672	upfc.exe
672	upfc.exe
672	upfc.exe
672	upfc.exe
672	upfc.exe
4188	upfc.exe
4188	upfc.exe
4188	upfc.exe
4188	upfc.exe
4188	upfc.exe
4188	upfc.exe
4188	upfc.exe
4188	upfc.exe
4188	upfc.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4792	componentsavesCommon.exe
Token: SeDebugPrivilege	572	upfc.exe
Token: SeDebugPrivilege	1824	upfc.exe
Token: SeDebugPrivilege	672	upfc.exe
Token: SeDebugPrivilege	4188	upfc.exe
Token: SeDebugPrivilege	816	upfc.exe
Token: SeDebugPrivilege	5088	upfc.exe
Token: SeDebugPrivilege	4092	upfc.exe
Token: SeDebugPrivilege	1072	upfc.exe
Token: SeDebugPrivilege	396	upfc.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 4448	2728	sаbvixUI.exe	83
PID 2728 wrote to memory of 4448	2728	sаbvixUI.exe	83
PID 2728 wrote to memory of 4448	2728	sаbvixUI.exe	83
PID 4448 wrote to memory of 656	4448	WScript.exe	98
PID 4448 wrote to memory of 656	4448	WScript.exe	98
PID 4448 wrote to memory of 656	4448	WScript.exe	98
PID 656 wrote to memory of 4792	656	cmd.exe	100
PID 656 wrote to memory of 4792	656	cmd.exe	100
PID 4792 wrote to memory of 1704	4792	componentsavesCommon.exe	113
PID 4792 wrote to memory of 1704	4792	componentsavesCommon.exe	113
PID 1704 wrote to memory of 904	1704	cmd.exe	115
PID 1704 wrote to memory of 904	1704	cmd.exe	115
PID 1704 wrote to memory of 572	1704	cmd.exe	120
PID 1704 wrote to memory of 572	1704	cmd.exe	120
PID 572 wrote to memory of 2208	572	upfc.exe	123
PID 572 wrote to memory of 2208	572	upfc.exe	123
PID 572 wrote to memory of 1852	572	upfc.exe	124
PID 572 wrote to memory of 1852	572	upfc.exe	124
PID 2208 wrote to memory of 3956	2208	cmd.exe	126
PID 2208 wrote to memory of 3956	2208	cmd.exe	126
PID 1852 wrote to memory of 1824	1852	WScript.exe	127
PID 1852 wrote to memory of 1824	1852	WScript.exe	127
PID 1824 wrote to memory of 312	1824	upfc.exe	130
PID 1824 wrote to memory of 312	1824	upfc.exe	130
PID 1824 wrote to memory of 4672	1824	upfc.exe	131
PID 1824 wrote to memory of 4672	1824	upfc.exe	131
PID 4672 wrote to memory of 1488	4672	cmd.exe	133
PID 4672 wrote to memory of 1488	4672	cmd.exe	133
PID 312 wrote to memory of 672	312	WScript.exe	134
PID 312 wrote to memory of 672	312	WScript.exe	134
PID 672 wrote to memory of 2252	672	upfc.exe	136
PID 672 wrote to memory of 2252	672	upfc.exe	136
PID 672 wrote to memory of 3312	672	upfc.exe	137
PID 672 wrote to memory of 3312	672	upfc.exe	137
PID 2252 wrote to memory of 1772	2252	cmd.exe	139
PID 2252 wrote to memory of 1772	2252	cmd.exe	139
PID 3312 wrote to memory of 4188	3312	WScript.exe	140
PID 3312 wrote to memory of 4188	3312	WScript.exe	140
PID 2208 wrote to memory of 816	2208	cmd.exe	141
PID 2208 wrote to memory of 816	2208	cmd.exe	141
PID 4188 wrote to memory of 4768	4188	upfc.exe	144
PID 4188 wrote to memory of 4768	4188	upfc.exe	144
PID 4188 wrote to memory of 656	4188	upfc.exe	143
PID 4188 wrote to memory of 656	4188	upfc.exe	143
PID 4768 wrote to memory of 2440	4768	cmd.exe	146
PID 4768 wrote to memory of 2440	4768	cmd.exe	146
PID 656 wrote to memory of 5088	656	WScript.exe	147
PID 656 wrote to memory of 5088	656	WScript.exe	147
PID 4672 wrote to memory of 4092	4672	cmd.exe	149
PID 4672 wrote to memory of 4092	4672	cmd.exe	149
PID 2252 wrote to memory of 1072	2252	cmd.exe	150
PID 2252 wrote to memory of 1072	2252	cmd.exe	150
PID 4768 wrote to memory of 396	4768	cmd.exe	151
PID 4768 wrote to memory of 396	4768	cmd.exe	151

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\sаbvixUI.exe
"C:\Users\Admin\AppData\Local\Temp\sаbvixUI.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ChainBrokernetdhcp\iR3gbXvN7eC84EGpCm3.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\ChainBrokernetdhcp\wUY9dZzguX.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:656
  - - C:\ChainBrokernetdhcp\componentsavesCommon.exe
      "C:\ChainBrokernetdhcp\componentsavesCommon.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4792
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TQGNQCrGCR.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1704
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:904
      - C:\Recovery\WindowsRE\upfc.exe
        
        "C:\Recovery\WindowsRE\upfc.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3956
        
        C:\Recovery\WindowsRE\upfc.exe
        
        "C:\Recovery\WindowsRE\upfc.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b378a108-7b2a-4e1e-9d01-b5394f6d8acb.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Recovery\WindowsRE\upfc.exe
        
        C:\Recovery\WindowsRE\upfc.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2fa7aa06-68a6-4335-9be3-bc0202a430da.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:312
        
        C:\Recovery\WindowsRE\upfc.exe
        
        C:\Recovery\WindowsRE\upfc.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1772
        
        C:\Recovery\WindowsRE\upfc.exe
        
        "C:\Recovery\WindowsRE\upfc.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18d4d6f4-0efb-44e5-a39f-7def229fd1ae.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Recovery\WindowsRE\upfc.exe
        
        C:\Recovery\WindowsRE\upfc.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aac2e5ca-d291-43f1-bf6c-432129fd2f0e.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Recovery\WindowsRE\upfc.exe
        
        C:\Recovery\WindowsRE\upfc.exe
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2440
        
        C:\Recovery\WindowsRE\upfc.exe
        
        "C:\Recovery\WindowsRE\upfc.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DFgOOKl5EO.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1488
        
        C:\Recovery\WindowsRE\upfc.exe
        
        "C:\Recovery\WindowsRE\upfc.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\ChainBrokernetdhcp\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\ChainBrokernetdhcp\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\ChainBrokernetdhcp\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Users\Default\PrintHood\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Users\Default\PrintHood\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\Resources\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Resources\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\Resources\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ChainBrokernetdhcp\componentsavesCommon.exe

Filesize
1.2MB

MD5
34d69dae85289e768d2d7228d6f10cd7

SHA1
f8db7105a7bb223a156c2126e1778e3776726256

SHA256
a2b40041cb60435ec996407b7ef8c2784619d7a148edd45b7fac1d30c410fe81

SHA512
a8cd8d34df2a54fb03678e7d0ed2fd317d0aa5f5648cb9b5db7ed6267a6baec29eaf97c86972772426f641b532898790b07b09277bed8a7c6d577b3c9ad5d91c

Download Submit
C:\ChainBrokernetdhcp\iR3gbXvN7eC84EGpCm3.vbe

Filesize
206B

MD5
16b6864f6d695a3c799d1acd838e9f7f

SHA1
6b029257913ba2ddd0291f6a930e836f86cd7574

SHA256
df53d0d69fb1ebaab06a9ba09cf6f9ce499c006cefa48b9dee68aa5ec8e8ac30

SHA512
65c2a2827e6f1281ff24a6e298de66febef6478113f050344d7fb68ba0de93b397ce4074986188ebd8a8f776b4ca128dd882962cb9014b7e4d937e192d8398b4

Download Submit
C:\ChainBrokernetdhcp\wUY9dZzguX.bat

Filesize
48B

MD5
43fdcdd78a34c05479dd962d8f528a33

SHA1
629707b0b4c3736e41e417030b292274018da878

SHA256
03a430a76f54cd3d9ef550641e2d863398185f93942f6912e1bbba226da0bcb4

SHA512
184bee73f4640fa989857e8d5ee571e4b571bdbef3aff36afe7d619ea7e55a640efef8e73ddaa61e5a4d45bf0a6ea1e1aa3873e69a8236c8b6d0a7508680bb46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\upfc.exe.log

Filesize
1KB

MD5
38600effaf6f4a95dd6f8fd12751463b

SHA1
590e9f869c0a5e3861783cb23023f23d9b57bb54

SHA256
e3b9ce7cbc8cf9f43eaf4ed01eb1f8113f7f580a1f4c35d3f01a0de87b9772f4

SHA512
aca30aada4bd5284b619cb06e6d3c1d2d680da9eb6879903595b5f08b8da96cd45a0d64df4e359f1fca0d6aaa2eeabba78ccd36fd039fb1d394f88fbdfe10e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\18d4d6f4-0efb-44e5-a39f-7def229fd1ae.vbs

Filesize
705B

MD5
8e332e98fb366e85a4e12b971a7d09ee

SHA1
0e4b4627dc5951529781d4f9e4a562f2da820e9f

SHA256
c24edf8d20b1728508294d1552bf4b2f4801c764d3ed6d0d1f7e7a32018bd64a

SHA512
f7f9885523b629cd013fa09095d9f6489160f17de5517dddd8dcd8f198d1575fee115dcd164ff7e490091cc3250a56f8fab1a76e8de68df9cc726f9a999a098e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fa7aa06-68a6-4335-9be3-bc0202a430da.vbs

Filesize
706B

MD5
1862f48ec6092cdc5348b2eba7dea20a

SHA1
e252be3039144bd44fe87b1abaa0555251ee76e8

SHA256
364b577bcacd982e08cf275450ed75dd39b5b3e07ab2d450b7da3f4556b3a307

SHA512
eb23b5f1d2838b0f24b8c86cb2c884545db7ba5df3c09bfd42eb53e60e6d476d309823616d8be994e1e3c75c6fdda42fffde15c5a67438a3f7ae9e4661b2364d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat

Filesize
195B

MD5
04231a9c8e2d8ce19b56cb40e5ede839

SHA1
b8c71f733cde5f3f384aae12aba1afaf857d6ff7

SHA256
1fd14bd1820eab1fbf4e8ad5b48929343e2104d91bc9527b5cc791bee33a4ed2

SHA512
b84aba051eff03088106f9c3907bdeb44217386c518efe94e81c604db766514f6c3f5f0a9e760b221ed132020d0092c841b8661a824eb71b5933c9ac94a947f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DFgOOKl5EO.bat

Filesize
195B

MD5
2544a3794cfb8c3e327efd2ca725db13

SHA1
67fbfff295c8bb52101a0e1061769ad49377f826

SHA256
5a51e63b7bb7de8dbd0bf8b1269e8fdc5dd513aae6bca04557df1cdc49019c83

SHA512
1d5741546f1041dc8d6d32148070440fc917a79f79d9ef82f62d03870dcaf562230a4c4e93677791a1790669836e40e562756df799774017fbde620d077d588c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TQGNQCrGCR.bat

Filesize
195B

MD5
8f63d7ee33c6c86077a8e3b7c0cf98af

SHA1
77ce50160f41b57930fa7f2490b5164b9638ada6

SHA256
a343eddf9ea69adee867ad3dc664fe49ca6130e091e883406be528f8de5af617

SHA512
c64aabfe2a48e66299009b9fa4ad96e6313b9805cf7523e7193527f0ce9e0339c5f28412a977a6a83d312299fe2b8a9c8b7c762ac22e6ed1e617ddf8bc6bdc5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aac2e5ca-d291-43f1-bf6c-432129fd2f0e.vbs

Filesize
706B

MD5
848acf38076035ff7e999fe3a2276cae

SHA1
cea020864e1b8986945008120998c76aad4a4635

SHA256
c41f0328974029b6860f582ea297303867abb8b8738f4e6b99ada7ed9496dc14

SHA512
70bb10cbfabc9f483dbd130c5a2f12dbd03609c9ee370266f3af005d87e1b8b13cc8f907b378a82f419f94fe363851f84d974affa31db572cbb2b2a721e1f9f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\b378a108-7b2a-4e1e-9d01-b5394f6d8acb.vbs

Filesize
705B

MD5
fa1c7b4cc19018219c1d302918270662

SHA1
d4af138602f38eaaf1e093ee7a1ae9b0a7ebb43a

SHA256
df66efe04b0894236f0208edf0d25916cea3bfe9ff11f05c3e2c34b2b90f152e

SHA512
7ef28d39ed1fa155a28cbe50dfc672d686d2bb9452523b898d3b8b10aa3ed768a0c42ee1cce94edb1258055ae8e7803fcf9753f6aef4b87c353282571eaa9ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat

Filesize
195B

MD5
5c6b0190785433f7b3feb2feb66330d5

SHA1
199de89a762cc36431624514b7fe6d2b4463fccc

SHA256
0574bfa56a5dd5a47644ee9e724958965d953c3ef9b740bb59a7597a7244d633

SHA512
29b0d33cf4ac25ff1ea59951fe1187605db98e47f4124a53e05495c9e290db0fd003ea6d956ac52c5a6a364c1db8c18c0a880d6863afffd02a4780d28bb3f4ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat

Filesize
195B

MD5
2de630831b911771e1a47d945aecedbc

SHA1
df1b6a4a582ce58bc7d4bcb6d4266f523ddaefd6

SHA256
94fc17e841695039df2296a77506a2113a3ae8e60c003b145d89196eac04d7b4

SHA512
8652ce362e5e0d17bd6e29a6024aeca5d3cfa741249a9e20a1d017b62412266dd0c225123d2bbf4ffd5e4e65adfa2bd3f17394990994271682e88cc5b0fd26da

Download Submit
memory/672-62-0x0000000000EF0000-0x0000000000F02000-memory.dmp

Filesize
72KB

Download
memory/4792-15-0x0000000002950000-0x0000000002958000-memory.dmp

Filesize
32KB

Download
memory/4792-20-0x000000001B5A0000-0x000000001B5AA000-memory.dmp

Filesize
40KB

Download
memory/4792-21-0x000000001B5B0000-0x000000001B5BE000-memory.dmp

Filesize
56KB

Download
memory/4792-22-0x000000001B5D0000-0x000000001B5DC000-memory.dmp

Filesize
48KB

Download
memory/4792-18-0x0000000002B30000-0x0000000002B38000-memory.dmp

Filesize
32KB

Download
memory/4792-19-0x0000000002B40000-0x0000000002B4C000-memory.dmp

Filesize
48KB

Download
memory/4792-17-0x000000001C290000-0x000000001C7B8000-memory.dmp

Filesize
5.2MB

Download
memory/4792-16-0x0000000002B00000-0x0000000002B12000-memory.dmp

Filesize
72KB

Download
memory/4792-14-0x0000000002940000-0x000000000294C000-memory.dmp

Filesize
48KB

Download
memory/4792-13-0x0000000000790000-0x00000000008C4000-memory.dmp

Filesize
1.2MB

Download
memory/4792-12-0x00007FFE6CC23000-0x00007FFE6CC25000-memory.dmp

Filesize
8KB

Download