Overview

overview

10

Static

static

10

dabf40b2ed...cb.exe

windows7-x64

10

dabf40b2ed...cb.exe

windows10-2004-x64

10

Resubmissions

13-01-2025 04:05

250113-enzvbaxner 10

12-01-2025 14:56

250112-sa1fkszjhp 10

Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12-01-2025 14:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dabf40b2ed8d96638f713f6373ef64cb.exe

  • Size

    2.5MB

  • MD5

    dabf40b2ed8d96638f713f6373ef64cb

  • SHA1

    4c9479e54b394722bdaeff1b36d903502cd1b1fe

  • SHA256

    0a0eebfca8553e921339c90b0060ceb6adcbc5f747696b1abecd376f50283911

  • SHA512

    0a9abca78917efea2b77dcccf862761e99001a26bba3de871c233b07500c7e414e32ebd41f93e23b332696db1d56aaa9e8357e60ac32efbf06c13bf40abf1fd0

  • SSDEEP

    49152:UbA30QsSHlG56vO0T3/Nh/ptuw/C3TqGaDxr1NcWTMUvifV:UbcLlK6d3/Nh/bV/Oq3Dxp2RUGV

Score
10/10
dcratdiscoveryevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat 41 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 13 IoCs
    persistence
  • Process spawned unexpected child process 39 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 12 IoCs
    evasiontrojan
  • DCRat payload 7 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Disables Task Manager via registry modification
    evasion
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 26 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
    evasiontrojan
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs
  • System policy modification 1 TTPs 12 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\dabf40b2ed8d96638f713f6373ef64cb.exe
    "C:\Users\Admin\AppData\Local\Temp\dabf40b2ed8d96638f713f6373ef64cb.exe"
    1⤵
    • DcRat
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Mssurrogatebrowserhostperf\8kPsHmvrEcJwjafU40gzsGMXV7Gtxc.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Mssurrogatebrowserhostperf\SmjPROQS4143k.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2896
        • C:\Mssurrogatebrowserhostperf\Serverbroker.exe
          "C:\Mssurrogatebrowserhostperf\Serverbroker.exe"
          4⤵
          • DcRat
          • Modifies WinLogon for persistence
          • UAC bypass
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2320
          • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\cmd.exe
            "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\cmd.exe"
            5⤵
            • UAC bypass
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1864
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c2b2fad-8334-41cb-aed2-0c9038117d74.vbs"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1808
              • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\cmd.exe
                "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\cmd.exe"
                7⤵
                • UAC bypass
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:1544
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a0e4bc0-4faf-4826-b2d3-622bf88eff77.vbs"
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2312
                  • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\cmd.exe
                    "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\cmd.exe"
                    9⤵
                    • UAC bypass
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    • System policy modification
                    PID:3024
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6fced749-e4cc-413d-9cd2-eb3091b0effe.vbs"
                      10⤵
                        PID:2220
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17d76cde-b9b7-4f42-9f55-084b72844b2e.vbs"
                        10⤵
                          PID:2180
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8defb09d-cf36-4703-a167-18a6de444cdb.vbs"
                      8⤵
                        PID:2796
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8aa88d08-8b81-4903-8d59-0c2df5e24a5c.vbs"
                    6⤵
                      PID:3040
                • C:\Windows\SysWOW64\reg.exe
                  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                  4⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies registry key
                  PID:836
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Windows\SchCache\lsm.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2688
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\SchCache\lsm.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3024
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Windows\SchCache\lsm.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2228
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1760
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1140
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2392
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1744
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1980
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1708
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Downloads\csrss.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2388
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1516
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:760
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1584
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2844
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1056
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\ja-JP\winlogon.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3020
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\ja-JP\winlogon.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2920
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\ja-JP\winlogon.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2160
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\audiodg.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2908
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\audiodg.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1480
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\audiodg.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1228
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\cmd.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1084
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\cmd.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:672
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\cmd.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:688
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1240
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2524
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2564
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1256
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2984
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2044
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Mssurrogatebrowserhostperf\Idle.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:964
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Mssurrogatebrowserhostperf\Idle.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1672
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Mssurrogatebrowserhostperf\Idle.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:768
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\Media\Quirky\dwm.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1544
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Media\Quirky\dwm.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2576
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Quirky\dwm.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2292
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\explorer.exe'" /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2980
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1052
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2508

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Persistence

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Privilege Escalation

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Defense Evasion

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Impair Defenses

          1
          T1562

          Disable or Modify Tools

          1
          T1562.001

          Modify Registry

          5
          T1112

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          Lateral Movement

          Collection

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\MSOCache\All Users\RCXE40D.tmp
            Filesize

            2.2MB

            MD5

            70f35d04041d9c029d59586fc6aa3819

            SHA1

            a9f37462584d22bad8909ffc1c047cdfee84f049

            SHA256

            517ef97c6f4481e5d6eac2ebd79fbbfe34c9dbe59a0f775c0c2a3e3b942aaae6

            SHA512

            1739c6ce05e4fbee9d2829a95b3ca910b28a0f853d2a6e11e779fae7b419c46b7fd22641f28c2b91b826dd3905e478a23fa1e55c31665adea3f6a042d7078f53

            Download Submit

          • C:\Mssurrogatebrowserhostperf\8kPsHmvrEcJwjafU40gzsGMXV7Gtxc.vbe
            Filesize

            216B

            MD5

            a7e0475eb8e2e26e457a4c752dc26444

            SHA1

            060c460c794a47f44686b717eb8d15f1945edb58

            SHA256

            8ece9e304ffb5cba5d51cb2187907d4910167fca5f67a59d316fd9d2ce47ae52

            SHA512

            9d7cac7d9fd93e3b88c1ea7663af7687ae08e8ee39dcc1549c4fb25d7342f3a9774b7f8e7c1b50ab96b09629ab4c587548a5b1063c843132277c7baa2069cad6

            Download Submit

          • C:\Mssurrogatebrowserhostperf\SmjPROQS4143k.bat
            Filesize

            160B

            MD5

            fa37ae621180833b315a091613c1540f

            SHA1

            88d6ec7192566b085231e6a6f05f813a8355514d

            SHA256

            f3f37ca346054c66639f1320cccc5b8f618ce747c5f9086bd18376a9a42a3484

            SHA512

            d77768e84e9e01e3e64e00914c5e8f1067796a369c71939641f052c9f9b7d17aef5c9b5e96449d610976f45e291b567c49fc374099a9284c8045ca51d51c9bd0

            Download Submit

          • C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe
            Filesize

            2.2MB

            MD5

            6eae67834cba4ff2f7dd6de7a0e474be

            SHA1

            adfe58f08c4452824c6f01a616726c68f935fd37

            SHA256

            749486c22ab0805aebbd2a8f7534893f7b937100434e1686965ffebb2cc46b1d

            SHA512

            5a69d2bd03f1d5fbd4fc89b66cf9c245ab5b8a218575c3d30af1cf606b02c5ae32e52504cd2d49a22184830dc4e7675a4b8527ecd0a3dd6928c0589a622bbe52

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\6fced749-e4cc-413d-9cd2-eb3091b0effe.vbs
            Filesize

            759B

            MD5

            e3f8045f1c782dce34e8ffd964635281

            SHA1

            b68323badb02cb5d980ce0ac9482ae54f0f617a5

            SHA256

            a85c7c05c13084880bab67eac8b59252041954cf062d720e1e4291e0d20fbbc1

            SHA512

            731985c1fcf839a9a10429b9ab4646cdfc80867f84c0b5fe447195e39ecdad5593fa1ae8a73b34d1ae865a26e8f40c1c5fac1cba7d17490c509351c356f099d5

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\7c2b2fad-8334-41cb-aed2-0c9038117d74.vbs
            Filesize

            759B

            MD5

            edfc9cad1350e1a81299ff662b9097b4

            SHA1

            0c241c54ac7ae33978af13758a4af0b726e7bd4e

            SHA256

            ec7d647c7d5251f51a4d600f6324fd4e16447544008b5410599cd1392ea81921

            SHA512

            daba472134f8a4d66eff0df4c5efd465360865d85ce8d3e5e31a95869f7215da5c0b5862bc34d07d23da9fb8e111874e33bd6bf3dc18d0474b4d078965647d02

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\8a0e4bc0-4faf-4826-b2d3-622bf88eff77.vbs
            Filesize

            759B

            MD5

            a0bac60653d7572ab7423452184d6f40

            SHA1

            76a31dd483519bdef279ffb1a64214e8eb88e649

            SHA256

            fe36b9ab23ae07e9b3a949a49aca524c8041e22bf0d22c2731fefece2a1ffbe5

            SHA512

            99ba2c6a741c177b784a0cce7005321506754a1df746cae35c51a202a125c954a508c4f872e7b0332befff62cf47e5de2a79ebb1a86250a654c466b73944ee7f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\8aa88d08-8b81-4903-8d59-0c2df5e24a5c.vbs
            Filesize

            535B

            MD5

            c03807b788fcb42f1405644fd0736c3f

            SHA1

            31329668f9961e4a4895727c1e1cace38c02bf92

            SHA256

            0746ca9bcba3db02e202c848981a583519a0716d2667758efabfc7ed2ade933e

            SHA512

            c0d33cb7e1d3e965ee552757d65bee59dbf1181732a2de88f776d83ab68a891e4cf61ac0c22f071020453cdd2a2d3359d5d357b39884eb9bde19c2140f6e1ac6

            Download Submit

          • \Mssurrogatebrowserhostperf\Serverbroker.exe
            Filesize

            2.2MB

            MD5

            67f998093c11d8a104aef7a92a2d5b26

            SHA1

            cea4392bfb620e2d5b303c7f39fe68a30080a771

            SHA256

            f08bab568e1877365870d1d321bb77c1e6e36f5f91b29e73c7c33d13a01c31d1

            SHA512

            e3572eaf810f95944206728a83c822244afd079f59cef2911e11dddd85216a09663edbd8041fe5281c0ca9a6182bc5b70d77cbcc403baccbfbdc1d9c6a137e92

            Download Submit

          • memory/1544-245-0x0000000002280000-0x0000000002292000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1544-244-0x0000000000140000-0x000000000036E000-memory.dmp

            Filesize

            2.2MB

            Download

          • memory/1864-233-0x00000000009F0000-0x0000000000C1E000-memory.dmp

            Filesize

            2.2MB

            Download

          • memory/2320-29-0x0000000000970000-0x0000000000982000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2320-36-0x0000000002230000-0x000000000223E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2320-24-0x00000000007A0000-0x00000000007AC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2320-25-0x00000000007C0000-0x00000000007C8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2320-26-0x00000000007D0000-0x00000000007DC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2320-27-0x00000000007E0000-0x00000000007E8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2320-22-0x00000000007B0000-0x00000000007C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2320-30-0x0000000000980000-0x000000000098C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2320-31-0x00000000021E0000-0x00000000021EC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2320-32-0x00000000021F0000-0x00000000021FC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2320-33-0x0000000002200000-0x000000000220A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2320-34-0x0000000002210000-0x000000000221E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2320-35-0x0000000002220000-0x0000000002228000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2320-23-0x0000000000790000-0x000000000079A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2320-37-0x0000000002240000-0x000000000224C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2320-38-0x0000000002250000-0x0000000002258000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2320-39-0x0000000002260000-0x000000000226C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2320-21-0x0000000000600000-0x0000000000608000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2320-20-0x0000000000570000-0x000000000057C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2320-19-0x0000000000550000-0x0000000000566000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2320-18-0x0000000000540000-0x0000000000550000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2320-17-0x0000000000300000-0x0000000000308000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2320-16-0x00000000002E0000-0x00000000002FC000-memory.dmp

            Filesize

            112KB

            Download

          • memory/2320-15-0x00000000001E0000-0x00000000001EE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2320-14-0x00000000001D0000-0x00000000001DE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2320-13-0x0000000000310000-0x000000000053E000-memory.dmp

            Filesize

            2.2MB

            Download

          • memory/3024-257-0x0000000001040000-0x000000000126E000-memory.dmp

            Filesize

            2.2MB

            Download