Overview

overview

10

Static

static

10

75e9a0ab3a...35.exe

windows7-x64

10

75e9a0ab3a...35.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-01-2025 02:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe

  • Size

    2.2MB

  • MD5

    8c76e7dcc8ae18ed5107083568de5c15

  • SHA1

    b229653c55b499475dc90fd7f517dad0ddf83afa

  • SHA256

    75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835

  • SHA512

    bb1d47f24fe11a598c85ad3204bf272be66763d20b880996f68f06b0623aa7d823af44a60722977e539f8a80fab1bd9fd8866da0ffc72251d91aa38603ed12bb

  • SSDEEP

    49152:a31tZUmbFNH1wLJDPqTo9lIS/MXU2F4/1l5eQ7K6:altZUE6NDyTo9lv2F+VvK6

Score
10/10
dcratevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 15 IoCs
    persistence
  • Process spawned unexpected child process 45 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 12 IoCs
    evasiontrojan
  • DCRat payload 7 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 30 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
    evasiontrojan
  • Drops file in Program Files directory 36 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 4 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • System policy modification 1 TTPs 12 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe
    "C:\Users\Admin\AppData\Local\Temp\75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Drops file in Drivers directory
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:552
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aURWjxsM8E.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4992
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:464
        • C:\Program Files\Java\jre-1.8\services.exe
          "C:\Program Files\Java\jre-1.8\services.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4344
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14556104-b7ab-4ef4-b1da-d7d05a3a6123.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4964
            • C:\Program Files\Java\jre-1.8\services.exe
              "C:\Program Files\Java\jre-1.8\services.exe"
              5⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2436
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\574165f3-f694-4a94-a47b-4fcd6810ac0c.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:1704
                • C:\Program Files\Java\jre-1.8\services.exe
                  "C:\Program Files\Java\jre-1.8\services.exe"
                  7⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:3588
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0603546-3251-43a8-a9e8-514ede850e72.vbs"
                    8⤵
                      PID:5032
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\489bf07e-6e52-4ebf-b28b-01652472c179.vbs"
                      8⤵
                        PID:2760
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4379617-da3b-4528-b68d-fd11151617db.vbs"
                    6⤵
                      PID:2340
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ad7e2fd-2c0f-40f1-baa7-9b6121b72f89.vbs"
                  4⤵
                    PID:2336
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2920
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2132
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2988
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\dllhost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3880
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3524
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2324
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\fontdrvhost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4988
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Desktop\fontdrvhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3404
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Desktop\fontdrvhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4960
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4204
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4804
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4584
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 10 /tr "'C:\Users\Default\MusNotification.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2844
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Users\Default\MusNotification.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2596
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 7 /tr "'C:\Users\Default\MusNotification.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2440
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre-1.8\services.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:688
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\services.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1336
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre-1.8\services.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:5068
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:5108
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3460
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:408
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a08357" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1936
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4700
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a08357" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3432
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\csrss.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:5016
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Globalization\csrss.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4344
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Globalization\csrss.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:956
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a08357" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3400
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835" /sc ONLOGON /tr "'C:\Users\Public\Pictures\75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2356
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a08357" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2124
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Desktop\RuntimeBroker.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3756
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1172
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2264
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:620
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4836
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3180
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\fontdrvhost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1488
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\fontdrvhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1676
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\fontdrvhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:876
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4892
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2336
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3772
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\SearchApp.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3976
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\SearchApp.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1900
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\SearchApp.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3056

            Network

            MITRE ATT&CK Enterprise v15

            Reconnaissance

            Resource Development

            Initial Access

            Execution

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Persistence

            Boot or Logon Autostart Execution

            2
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Winlogon Helper DLL

            1
            T1547.004

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Privilege Escalation

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Boot or Logon Autostart Execution

            2
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Winlogon Helper DLL

            1
            T1547.004

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Defense Evasion

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Impair Defenses

            1
            T1562

            Disable or Modify Tools

            1
            T1562.001

            Modify Registry

            4
            T1112

            Credential Access

            Discovery

            Query Registry

            2
            T1012

            System Information Discovery

            3
            T1082

            Lateral Movement

            Collection

            Command and Control

            Exfiltration

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files\Internet Explorer\dllhost.exe
              Filesize

              2.2MB

              MD5

              26f60b3c46d59ce10e634ba51077b2bc

              SHA1

              9fef5009f72fe547d5dcc0a10085389a2a50711b

              SHA256

              8b4d874dc9b0b594909cbb093c25e35afb1722a357311c2edfa8e4002dfa5912

              SHA512

              61f03a3500ab03de3fb5a99d9171aeedb891f18564a5ed13fd99715e61fa98c88a778879a7942738274c9f255be5dd0e3ea1ece5c88c4a5ce1b4c50cead050a5

              Download Submit

            • C:\Program Files\Java\jre-1.8\services.exe
              Filesize

              2.2MB

              MD5

              3008b07548b23ee981272e14aaffc1bd

              SHA1

              6f454ec8b0eb0a6084f9844cf97b5a49a50d7ffd

              SHA256

              078be1312015103f56064a008767f7641d61205991b883a0b9fa0d4fcb8383d2

              SHA512

              f6f7c13773a8fd10a08f855b2702221af7e06df7ee48824d11533b32c9f4fa17c39d36d6edb6e2602e12c17e50d5600a349a801d09b491201f97d4735e4a6ba5

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log
              Filesize

              1KB

              MD5

              49b64127208271d8f797256057d0b006

              SHA1

              b99bd7e2b4e9ed24de47fb3341ea67660b84cca1

              SHA256

              2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77

              SHA512

              f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\14556104-b7ab-4ef4-b1da-d7d05a3a6123.vbs
              Filesize

              718B

              MD5

              e748283addd193552b01144464015f76

              SHA1

              690d03af03722826093002e99d3afe715399a038

              SHA256

              a47323cb731094982f2896fcba3da1658871bd17871f0a44e218ba00a065fb01

              SHA512

              117000a0de8f8bd2c2c62bc1466c468874632583060e8254fc62a18301ff16e183014826738756e120650e07a906d72d26febaa6172abf4038dafef1cbe7ca87

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\4ad7e2fd-2c0f-40f1-baa7-9b6121b72f89.vbs
              Filesize

              494B

              MD5

              09b0249b1a968707f43d6ae4161c4bd4

              SHA1

              9956627c55aec74c133c3a779e97f680ccd01390

              SHA256

              a6bbe7d35970e8f388e915f8a73e8d91a436bf8078b6c69b94bb189bc212283c

              SHA512

              4f37dcdea779adb5802d6489fbcd9fd1c20128bc7f787c7499bb7696e38f78964478d4d225d78c5361ff08bed9f63f58f12b532c13d40e5b3dffa5b546af1b21

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\574165f3-f694-4a94-a47b-4fcd6810ac0c.vbs
              Filesize

              718B

              MD5

              765030321a649aac20bb13dcbdc2ee0f

              SHA1

              d0f8d8f20b3a43f33b27755bf39ef94862f6e735

              SHA256

              370077884ad9f2f78b991fd65ae0883a086057806c5806aa8b9e1492ae75a112

              SHA512

              e8c6513214b7c11be29dfdec642c4d8ddf43bc7762653c45cfadd7c4fc57923870247b6876ccca8d933dbd8db96b1d9b72ef2e774e1720298dc299929e2aa9c8

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\aURWjxsM8E.bat
              Filesize

              207B

              MD5

              3a0e4f5d32598edbcfaaba97499c782b

              SHA1

              0f8bb8aa938d133e28314a8f8b6b6562d13c4547

              SHA256

              0db47913eec7816273c4d0d5c405dfa43e51902a1d7e419034f8c8b2c4889465

              SHA512

              735f0d4616a788ad0883df82d89773cfa29dd1328cc15a172e160e36ce4b79531f4a2b9c41249d3dba1dad0b869416bf00b75bea1e93fb32b290864f87bde69e

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\b0603546-3251-43a8-a9e8-514ede850e72.vbs
              Filesize

              718B

              MD5

              c5e744f3fe2321f2bd61554be705fc65

              SHA1

              b429320a894a06bc5d9a43fced46fc52af7c7661

              SHA256

              5d95041f7c7574998ab084e81fcc62648df07e872606ac7fd8f19371c04da0ff

              SHA512

              2d986be8b14b339ae211ca7783793dd69ecb708413b926846fff91dcf1d5a3e7d00a54e8d578e9ef3444be3797bcd67cde72f08a56daf217d710e6560b21d432

              Download Submit

            • C:\Users\Default\MusNotification.exe
              Filesize

              2.2MB

              MD5

              8c76e7dcc8ae18ed5107083568de5c15

              SHA1

              b229653c55b499475dc90fd7f517dad0ddf83afa

              SHA256

              75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835

              SHA512

              bb1d47f24fe11a598c85ad3204bf272be66763d20b880996f68f06b0623aa7d823af44a60722977e539f8a80fab1bd9fd8866da0ffc72251d91aa38603ed12bb

              Download Submit

            • C:\Users\Public\Desktop\RCX6CF9.tmp
              Filesize

              2.2MB

              MD5

              5d3af89d022a5254fb73160a9344c5cd

              SHA1

              29f80f28bc8a1f30f4377dbb9041605aff4fd484

              SHA256

              6342eadbd0350c42bc903b36487794cfc554a0e94ea389633942c1de23af862e

              SHA512

              740f213116b9fd1dac7193211bb370077cc0568fb944a3c80c050703ac0cf58064b7bc6acd1e5b34f9e5e27ee9b5a24403e000d76de2d89c1a2a6df88b7ebd80

              Download Submit

            • C:\Windows\Globalization\csrss.exe
              Filesize

              2.2MB

              MD5

              e91f6df154cea4aa86dbebf25a9a8971

              SHA1

              897828d7c84f3c9f5923e2727e48b347e4a97450

              SHA256

              bc6f0ce8245fbda6aae5bef9090e43816b7a9c551309562342c5b9afe24c44d6

              SHA512

              0de7aa0b6425a295f78c5966195d3a45244bec5a6154e056d55c1d8bc371d8369073d205a4f47715b2d38d7506668872325288c2f8b153b7d33558b2d1c7035a

              Download Submit

            • memory/552-11-0x0000000001710000-0x0000000001718000-memory.dmp

              Filesize

              32KB

              Download

            • memory/552-34-0x00007FFAEEA30000-0x00007FFAEF4F1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/552-13-0x0000000001730000-0x000000000173A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/552-14-0x0000000003040000-0x000000000304C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/552-19-0x0000000003080000-0x0000000003092000-memory.dmp

              Filesize

              72KB

              Download

            • memory/552-17-0x0000000003070000-0x0000000003078000-memory.dmp

              Filesize

              32KB

              Download

            • memory/552-16-0x0000000003060000-0x000000000306C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/552-15-0x0000000003050000-0x0000000003058000-memory.dmp

              Filesize

              32KB

              Download

            • memory/552-21-0x00000000031D0000-0x00000000031DC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/552-20-0x000000001C770000-0x000000001CC98000-memory.dmp

              Filesize

              5.2MB

              Download

            • memory/552-22-0x00000000031E0000-0x00000000031EC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/552-23-0x00000000031F0000-0x00000000031FC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/552-28-0x0000000003280000-0x000000000328C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/552-29-0x000000001BA60000-0x000000001BA68000-memory.dmp

              Filesize

              32KB

              Download

            • memory/552-31-0x000000001BA70000-0x000000001BA7C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/552-30-0x00007FFAEEA30000-0x00007FFAEF4F1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/552-27-0x0000000003230000-0x000000000323E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/552-26-0x0000000003220000-0x0000000003228000-memory.dmp

              Filesize

              32KB

              Download

            • memory/552-25-0x0000000003210000-0x000000000321E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/552-0-0x00007FFAEEA33000-0x00007FFAEEA35000-memory.dmp

              Filesize

              8KB

              Download

            • memory/552-24-0x0000000003200000-0x000000000320A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/552-12-0x0000000001720000-0x0000000001730000-memory.dmp

              Filesize

              64KB

              Download

            • memory/552-9-0x00000000016E0000-0x00000000016F6000-memory.dmp

              Filesize

              88KB

              Download

            • memory/552-10-0x0000000001700000-0x000000000170C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/552-5-0x00000000016A0000-0x00000000016BC000-memory.dmp

              Filesize

              112KB

              Download

            • memory/552-7-0x00000000016C0000-0x00000000016C8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/552-183-0x00007FFAEEA33000-0x00007FFAEEA35000-memory.dmp

              Filesize

              8KB

              Download

            • memory/552-207-0x00007FFAEEA30000-0x00007FFAEF4F1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/552-226-0x00007FFAEEA30000-0x00007FFAEF4F1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/552-8-0x00000000016D0000-0x00000000016E0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/552-251-0x00007FFAEEA30000-0x00007FFAEF4F1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/552-1-0x0000000000AF0000-0x0000000000D1E000-memory.dmp

              Filesize

              2.2MB

              Download

            • memory/552-6-0x0000000002FF0000-0x0000000003040000-memory.dmp

              Filesize

              320KB

              Download

            • memory/552-4-0x0000000001690000-0x000000000169E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/552-3-0x0000000001570000-0x000000000157E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/552-2-0x00007FFAEEA30000-0x00007FFAEF4F1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4344-255-0x00000000007E0000-0x0000000000A0E000-memory.dmp

              Filesize

              2.2MB

              Download