dcrat | 3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714

Resubmissions

14-01-2025 04:24

250114-e1k7payngl 10

14-01-2025 03:04

250114-dkkesaxmar 10

Analysis

max time kernel
873s
max time network
874s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-01-2025 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe
Size

16.0MB
MD5

5aa236eabe65a1e444f1eb31fb330eba
SHA1

b6a8d5362991511526ea5a2b86ad70f05e70652c
SHA256

3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714
SHA512

0ab8e56f1f8a09491d96416bdc2798874ff153ef56c6476cd9eda9fe0744e77f56132073524f1a2719a75d5dea8dcd5706ee1497867f8b3e62c9a52641afc0be
SSDEEP

98304:mjHzjFPB6n2gC9U851tTRIXDNgn+ojsSw9y4Q1vL3NPt:yHHFPgns9BvpyNgnNW4

Score

10^/10

dcrat discovery evasion execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32Local\\sysmon.exe\""	DriverbrokerCrtDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32Local\\sysmon.exe\", \"C:\\portBrokerDll\\DriverbrokerCrtDhcp.exe\""	DriverbrokerCrtDhcp.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	4324	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	4324	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	4324	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3592	4324	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	4324	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	4324	schtasks.exe	92

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3068	powershell.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	XenoSetup(1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	DriverbrokerCrtDhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe

Executes dropped EXE 6 IoCs

pid	Process
2616	XenoSetup(1).exe
3964	Xeno.exe
4744	DriverbrokerCrtDhcp.exe
1824	sysmon.exe
1976	DriverbrokerCrtDhcp.exe
1052	sysmon.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XenoSetup(1) = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XenoSetup(1).exe"	3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\System32Local\\sysmon.exe\""	DriverbrokerCrtDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\System32Local\\sysmon.exe\""	DriverbrokerCrtDhcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverbrokerCrtDhcp = "\"C:\\portBrokerDll\\DriverbrokerCrtDhcp.exe\""	DriverbrokerCrtDhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverbrokerCrtDhcp = "\"C:\\portBrokerDll\\DriverbrokerCrtDhcp.exe\""	DriverbrokerCrtDhcp.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC308B1DE35F5B453CADB9F330A57645E.TMP	csc.exe
File created	\??\c:\Windows\System32\kpkopw.exe	csc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32Local\sysmon.exe	DriverbrokerCrtDhcp.exe
File opened for modification	C:\Windows\System32Local\sysmon.exe	DriverbrokerCrtDhcp.exe
File created	C:\Windows\System32Local\121e5b5079f7c0	DriverbrokerCrtDhcp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XenoSetup(1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	DriverbrokerCrtDhcp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	XenoSetup(1).exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2736	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1196	schtasks.exe
468	schtasks.exe
2660	schtasks.exe
1732	schtasks.exe
1868	schtasks.exe
3592	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3068	powershell.exe
3068	powershell.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe
4744	DriverbrokerCrtDhcp.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	4744	DriverbrokerCrtDhcp.exe
Token: SeDebugPrivilege	1824	sysmon.exe
Token: SeDebugPrivilege	1976	DriverbrokerCrtDhcp.exe
Token: SeDebugPrivilege	1052	sysmon.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 3068	5064	3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe	83
PID 5064 wrote to memory of 3068	5064	3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe	83
PID 5064 wrote to memory of 2616	5064	3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe	85
PID 5064 wrote to memory of 2616	5064	3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe	85
PID 5064 wrote to memory of 2616	5064	3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe	85
PID 5064 wrote to memory of 3964	5064	3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe	86
PID 5064 wrote to memory of 3964	5064	3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe	86
PID 2616 wrote to memory of 3992	2616	XenoSetup(1).exe	89
PID 2616 wrote to memory of 3992	2616	XenoSetup(1).exe	89
PID 2616 wrote to memory of 3992	2616	XenoSetup(1).exe	89
PID 3992 wrote to memory of 4644	3992	WScript.exe	100
PID 3992 wrote to memory of 4644	3992	WScript.exe	100
PID 3992 wrote to memory of 4644	3992	WScript.exe	100
PID 4644 wrote to memory of 2736	4644	cmd.exe	102
PID 4644 wrote to memory of 2736	4644	cmd.exe	102
PID 4644 wrote to memory of 2736	4644	cmd.exe	102
PID 4644 wrote to memory of 4744	4644	cmd.exe	103
PID 4644 wrote to memory of 4744	4644	cmd.exe	103
PID 4744 wrote to memory of 1764	4744	DriverbrokerCrtDhcp.exe	109
PID 4744 wrote to memory of 1764	4744	DriverbrokerCrtDhcp.exe	109
PID 1764 wrote to memory of 1840	1764	csc.exe	111
PID 1764 wrote to memory of 1840	1764	csc.exe	111
PID 4744 wrote to memory of 2836	4744	DriverbrokerCrtDhcp.exe	112
PID 4744 wrote to memory of 2836	4744	DriverbrokerCrtDhcp.exe	112
PID 2836 wrote to memory of 4196	2836	csc.exe	114
PID 2836 wrote to memory of 4196	2836	csc.exe	114
PID 4744 wrote to memory of 3208	4744	DriverbrokerCrtDhcp.exe	118
PID 4744 wrote to memory of 3208	4744	DriverbrokerCrtDhcp.exe	118
PID 3208 wrote to memory of 2064	3208	cmd.exe	120
PID 3208 wrote to memory of 2064	3208	cmd.exe	120
PID 3208 wrote to memory of 3100	3208	cmd.exe	121
PID 3208 wrote to memory of 3100	3208	cmd.exe	121
PID 3208 wrote to memory of 1824	3208	cmd.exe	124
PID 3208 wrote to memory of 1824	3208	cmd.exe	124

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe
C:\Users\Admin\AppData\Local\Temp\3d79293d371d3393d83f0d6205c35263baa3618a6f3ccba4fcefbee999d4a714.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XenoSetup(1).exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Users\Admin\AppData\Local\Temp\XenoSetup(1).exe
  "C:\Users\Admin\AppData\Local\Temp\XenoSetup(1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\portBrokerDll\2jfojLJgRy.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3992
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\portBrokerDll\Ac4k16M5JuZ3cBUzCeuZfRwt20LYrImECkDEo2qhe7JRV.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4644
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2736
    - - C:\portBrokerDll\DriverbrokerCrtDhcp.exe
        
        "C:\portBrokerDll/DriverbrokerCrtDhcp.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4744
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gaflx5im\gaflx5im.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4457.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6B99FC13CA8D42688EE717FCB55797.TMP"
        7⤵
        
        PID:1840
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qvhmnu1w\qvhmnu1w.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES44B5.tmp" "c:\Windows\System32\CSC308B1DE35F5B453CADB9F330A57645E.TMP"
        7⤵
        
        PID:4196
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PvwO9nGGIO.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3100
        
        C:\Windows\System32Local\sysmon.exe
        
        "C:\Windows\System32Local\sysmon.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
- C:\Users\Admin\AppData\Local\Temp\Xeno.exe
  "C:\Users\Admin\AppData\Local\Temp\Xeno.exe"
  2⤵
  - Executes dropped EXE
  PID:3964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Windows\System32Local\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\System32Local\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Windows\System32Local\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DriverbrokerCrtDhcpD" /sc MINUTE /mo 6 /tr "'C:\portBrokerDll\DriverbrokerCrtDhcp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DriverbrokerCrtDhcp" /sc ONLOGON /tr "'C:\portBrokerDll\DriverbrokerCrtDhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DriverbrokerCrtDhcpD" /sc MINUTE /mo 11 /tr "'C:\portBrokerDll\DriverbrokerCrtDhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\portBrokerDll\DriverbrokerCrtDhcp.exe
C:\portBrokerDll\DriverbrokerCrtDhcp.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\System32Local\sysmon.exe
C:\Windows\System32Local\sysmon.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DriverbrokerCrtDhcp.exe.log

Filesize
1KB

MD5
a6cd1c3e645a5feb627a00f125da9fc8

SHA1
61d3b101c5e286ff21cc62a0e21484e556835317

SHA256
fbbf9453956534a33bd6f75f61926c50fd62bfca4976b818ccca5b8260fd4917

SHA512
5e70d82849172c3b978172ead140a5a9a3e6ee91a570e998f3b0536e788dad22499deef0685f9cd22f6aa15ba315d65600750414f6e21fd6a851c0bd70e11518

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sysmon.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PvwO9nGGIO.bat

Filesize
211B

MD5
9a621b12b2cbfb9d22e5be9acb91f68f

SHA1
82b51ff0d24e8cdf80346e635bcb8af59debcb10

SHA256
c928387b2d74d2b1975ffa8feb9994fa99995200fc80a54bb86959d0dff9113b

SHA512
5e2174b48023171d8ab61cc5f8c9c2347c5a833538298e1b065201ded3e3099c27dda7980eb97d1dad199da2072cc0615d48aa4181c5549566fecdd31a626f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4457.tmp

Filesize
1KB

MD5
f130879f33a28007f64afc517f98dec5

SHA1
82ee55e76726da7f5b67bb86e20456f738a08de4

SHA256
c7dee4ba7963ecbe39af523128047077ed3d9785bb4aa9a739b39f196286b0b7

SHA512
d923e2116ef0fc1af58f1000e235c429348f0da0eebd5da5a74090d8246ce8bfe46271624ca7ae52e3aed8efab6763634438fd9ac43136843866fb8ea9fc53ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES44B5.tmp

Filesize
1KB

MD5
9e14c2baf714018dcab4f27b731e01b6

SHA1
fb8ad67734a8ef1eda212fc27504554953bf1ddf

SHA256
7aefac78cb5d293b357c23449e3572f9efa65cb2976a0872a1f4e62ee83eeb45

SHA512
b74f7a20a66e6768973ce640cb13b47182cbeebab8ff01abbae027dabbd00cd2b2b1c853ee6833f81a45fe1eb731d4e780b1018515cf1afc4e4f01685cfbbdfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xeno.exe

Filesize
3.5MB

MD5
056586e6a4d9b97c77fd606b2a63f604

SHA1
b13e10949df28f3944c68b950617a641ea20491b

SHA256
4d3b4ef0ec929ebd649637f55aabd856954e3d6424ac337a17ee4bb65ec2e8f3

SHA512
da2c4066a7975ede5c1645d6cd82f0499b452a021d18aa86ad64130efc9f1da2270be30a7af89b4cce97b0eb13c27f55f37c70db5f2f6aa4a2b5a54dcae72cc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XenoSetup(1).exe

Filesize
3.5MB

MD5
bcf49847a74e554a807294d4f5adfa62

SHA1
c6f105b28ac3bc7dd2e4a444cf96edbcdc45febf

SHA256
eae94b757fe5e150f8f1039140feebc969788bd2c0ef7fe2d4675a81f6dc9898

SHA512
489cf5844853a4ba7489386a545d0369e1eca835a70053aa6e408aed7f42eaa26684859ddf50b874c643c53ae050dcd3d1a27e887e413c8db8636818ba7dcdcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pdzqbmbn.ywa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\portBrokerDll\2jfojLJgRy.vbe

Filesize
237B

MD5
851d51cdee60a57d4aef51ea7f466436

SHA1
34a13967e69d21091850d4f0dffb2bce88c80e0c

SHA256
5d612089c06bbe2b32de8bfcc3e0ba1e0ef2155cd6cde83b280797c6061ca269

SHA512
7fed60da3ed3ff2a26b8b4cadf0cf6cd3e28259a4a7ec7e3ba97509fa47b7ca75753ca49edf2f218ae323830977c2ecdfb2f05b6fa5de303038c31012926e953

Download Submit
C:\portBrokerDll\Ac4k16M5JuZ3cBUzCeuZfRwt20LYrImECkDEo2qhe7JRV.bat

Filesize
194B

MD5
69c0edf85b6d3ab82c42e82ef04f50f7

SHA1
7acb4d2454d9e04db488c2ee4352cfece1b8ae58

SHA256
3041cc5e5c4251ea1eddccaa5d145446719d6e86dcfd3bc40bc23c80b3102ec2

SHA512
04877f967609e6efb4a8c4f99c4130b3894eb223f390d32c6e2248abaf1bdff71f539f122635f18fa432648b927cc597dd7bdaa52284824f8c57c7909f7dca21

Download Submit
C:\portBrokerDll\DriverbrokerCrtDhcp.exe

Filesize
3.3MB

MD5
c9d8bce0425ed81346b9a43f148d948b

SHA1
d3bcb8f02ef3732ffa70fc798cd4ad3d77bbbde6

SHA256
884de0ba4d113a1674b112f76b7d6af9bb11c562d6b58155e974e549694e0f58

SHA512
60e0d21db0518d66f4546dceb978b15d2eb87347cc1676b7420eb2a6c4c1c6fa947d31ae8cb70ce880b76f931702aaab51c46f559dd91a49c9a4bdc83b75368b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC6B99FC13CA8D42688EE717FCB55797.TMP

Filesize
1KB

MD5
dc289c30c143fd2f8e608119ae4846a0

SHA1
2f0d6888b80d26d9ff52b5decdd63963255e5113

SHA256
37aac241c050fb90090b36441ae1f198d11a0da4ee5f30e3332673f3c6ecf40a

SHA512
68bffd2b69ee9d5857fc9d5b2a71561a985738b5fe0768fc7dd23a753c976529158042f2a239ffe74ed99b5bd4b469fd2220a990d20a742935f5560a55f2d6fd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gaflx5im\gaflx5im.0.cs

Filesize
387B

MD5
953b79f62f3ba3a3b57b6b74d45c7c25

SHA1
3f9d3c73ce6beea76ee244ba1703ffc49eb59789

SHA256
4161c0df6e9d4e0d890c4a7a52be7cd0c074d2ae2ee07b336186e03a3a35d7ff

SHA512
439ad742c2e4cb47a0c9645579c3ebdbbfde062251106b19b760a7b3b6a4361ece4fbf53be87be1ab81269e536dc14a168b4019f566352fabb091f13f096a99e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gaflx5im\gaflx5im.cmdline

Filesize
255B

MD5
104bb562ce8368e6f980e529c5ee1282

SHA1
0a16601303793ac7d9494f6e1c47dfdb30be075a

SHA256
ba5e98f1b56d3d5f11ccde3f6fbfc82766f3711f5e946c416c024c3e6b7bd20c

SHA512
060c802a699f68a327c7698da2ca56e250d135b525506151fa827a5b9ebe4bff20a0dd527b082215cb42201f97ad2664419755124a6b674c46e7aca34887a02d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qvhmnu1w\qvhmnu1w.0.cs

Filesize
367B

MD5
353f46f4d768cde50f32fbf0cb01fc27

SHA1
ec77cf89058ad5da4463e46cf471a61af8155c1f

SHA256
bab2e58ba522c329c8278832739d88c64236612bcf32607e214f30181136dbf0

SHA512
8b5b6379aa795d4951fa84d85ac0523e440a7de4007bf231fe97a6175f5026e6387435ae3d2b1ccb1da26f2eea9c1a600bdf4ac9e05f4c054a37dbe000eab466

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qvhmnu1w\qvhmnu1w.cmdline

Filesize
235B

MD5
46ebfe8dd371bba95501faa15242523b

SHA1
136beac8a1f5c3d0183935918cc3ddb8fbd1483e

SHA256
cfe27792b1a9c25c6e9b60d2a4ed86f308315ee090fd84845a13bfa7fc6bdad5

SHA512
28a76f2fa4bcf09d0ce7092a1c03f82116daba396bf2d2906a8c833fae20e2d23e5fdd877f42130f6bd8a603bd65f26d67a30733fd32c642eb75dc838484f609

Download Submit
\??\c:\Windows\System32\CSC308B1DE35F5B453CADB9F330A57645E.TMP

Filesize
1KB

MD5
7bbfaf1199741b237d2493615c95c6d7

SHA1
86d466217c4dc1e0808f83ceda8f4b4df948b5dc

SHA256
e20e4619dbc932a216fd93f86fe0af2e915f4c2ba6177fc3581da59885094476

SHA512
2eda9bf71dc4a4583b7b8e9a6aab0f91d98cca68ee4309df1a4d26541917678da09a15d712397ae4b95fe95b65c8aa6eeab94d7620a5546b3df6c00306ef4a5c

Download Submit
memory/3068-17-0x00007FFE00F30000-0x00007FFE019F1000-memory.dmp

Filesize
10.8MB

Download
memory/3068-14-0x00007FFE00F30000-0x00007FFE019F1000-memory.dmp

Filesize
10.8MB

Download
memory/3068-13-0x00007FFE00F30000-0x00007FFE019F1000-memory.dmp

Filesize
10.8MB

Download
memory/3068-12-0x00007FFE00F30000-0x00007FFE019F1000-memory.dmp

Filesize
10.8MB

Download
memory/3068-10-0x000002C027C60000-0x000002C027C82000-memory.dmp

Filesize
136KB

Download
memory/4744-109-0x000000001AEA0000-0x000000001B239000-memory.dmp

Filesize
3.6MB

Download
memory/4744-3622-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/4744-87-0x000000001AEA0000-0x000000001B239000-memory.dmp

Filesize
3.6MB

Download
memory/4744-83-0x000000001AEA0000-0x000000001B239000-memory.dmp

Filesize
3.6MB

Download
memory/4744-81-0x000000001AEA0000-0x000000001B239000-memory.dmp

Filesize
3.6MB

Download
memory/4744-79-0x000000001AEA0000-0x000000001B239000-memory.dmp

Filesize
3.6MB

Download
memory/4744-78-0x000000001AEA0000-0x000000001B239000-memory.dmp

Filesize
3.6MB

Download
memory/4744-75-0x000000001AEA0000-0x000000001B239000-memory.dmp

Filesize
3.6MB

Download
memory/4744-71-0x000000001AEA0000-0x000000001B239000-memory.dmp

Filesize
3.6MB

Download
memory/4744-69-0x000000001AEA0000-0x000000001B239000-memory.dmp

Filesize
3.6MB

Download
memory/4744-67-0x000000001AEA0000-0x000000001B239000-memory.dmp

Filesize
3.6MB

Download
memory/4744-65-0x000000001AEA0000-0x000000001B239000-memory.dmp

Filesize
3.6MB

Download
memory/4744-59-0x000000001AEA0000-0x000000001B239000-memory.dmp

Filesize
3.6MB

Download
memory/4744-57-0x000000001AEA0000-0x000000001B239000-memory.dmp

Filesize
3.6MB

Download
memory/4744-55-0x000000001AEA0000-0x000000001B239000-memory.dmp

Filesize
3.6MB

Download
memory/4744-63-0x000000001AEA0000-0x000000001B239000-memory.dmp

Filesize
3.6MB

Download
memory/4744-97-0x000000001AEA0000-0x000000001B239000-memory.dmp

Filesize
3.6MB

Download
memory/4744-115-0x000000001AEA0000-0x000000001B239000-memory.dmp

Filesize
3.6MB

Download
memory/4744-113-0x000000001AEA0000-0x000000001B239000-memory.dmp

Filesize
3.6MB

Download
memory/4744-111-0x000000001AEA0000-0x000000001B239000-memory.dmp

Filesize
3.6MB

Download
memory/4744-91-0x000000001AEA0000-0x000000001B239000-memory.dmp

Filesize
3.6MB

Download
memory/4744-107-0x000000001AEA0000-0x000000001B239000-memory.dmp

Filesize
3.6MB

Download
memory/4744-105-0x000000001AEA0000-0x000000001B239000-memory.dmp

Filesize
3.6MB

Download
memory/4744-103-0x000000001AEA0000-0x000000001B239000-memory.dmp

Filesize
3.6MB

Download
memory/4744-101-0x000000001AEA0000-0x000000001B239000-memory.dmp

Filesize
3.6MB

Download
memory/4744-99-0x000000001AEA0000-0x000000001B239000-memory.dmp

Filesize
3.6MB

Download
memory/4744-117-0x000000001AEA0000-0x000000001B239000-memory.dmp

Filesize
3.6MB

Download
memory/4744-3611-0x0000000002440000-0x0000000002466000-memory.dmp

Filesize
152KB

Download
memory/4744-3613-0x00000000022D0000-0x00000000022DE000-memory.dmp

Filesize
56KB

Download
memory/4744-3615-0x0000000002490000-0x00000000024AC000-memory.dmp

Filesize
112KB

Download
memory/4744-3616-0x000000001AE00000-0x000000001AE50000-memory.dmp

Filesize
320KB

Download
memory/4744-3618-0x00000000022E0000-0x00000000022F0000-memory.dmp

Filesize
64KB

Download
memory/4744-3620-0x000000001ADB0000-0x000000001ADC8000-memory.dmp

Filesize
96KB

Download
memory/4744-89-0x000000001AEA0000-0x000000001B239000-memory.dmp

Filesize
3.6MB

Download
memory/4744-3624-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/4744-3626-0x00000000024B0000-0x00000000024BE000-memory.dmp

Filesize
56KB

Download
memory/4744-3628-0x000000001ADD0000-0x000000001ADDC000-memory.dmp

Filesize
48KB

Download
memory/4744-3630-0x000000001ADE0000-0x000000001ADEE000-memory.dmp

Filesize
56KB

Download
memory/4744-3632-0x000000001AE70000-0x000000001AE82000-memory.dmp

Filesize
72KB

Download
memory/4744-3634-0x000000001ADF0000-0x000000001AE00000-memory.dmp

Filesize
64KB

Download
memory/4744-3636-0x000000001B340000-0x000000001B356000-memory.dmp

Filesize
88KB

Download
memory/4744-3638-0x000000001B360000-0x000000001B372000-memory.dmp

Filesize
72KB

Download
memory/4744-3639-0x000000001C790000-0x000000001CCB8000-memory.dmp

Filesize
5.2MB

Download
memory/4744-3641-0x000000001AE50000-0x000000001AE5E000-memory.dmp

Filesize
56KB

Download
memory/4744-3643-0x000000001AE60000-0x000000001AE70000-memory.dmp

Filesize
64KB

Download
memory/4744-3645-0x000000001B380000-0x000000001B390000-memory.dmp

Filesize
64KB

Download
memory/4744-3647-0x000000001C2C0000-0x000000001C31A000-memory.dmp

Filesize
360KB

Download
memory/4744-3649-0x000000001B390000-0x000000001B39E000-memory.dmp

Filesize
56KB

Download
memory/4744-3651-0x000000001B3A0000-0x000000001B3B0000-memory.dmp

Filesize
64KB

Download
memory/4744-3653-0x000000001B3B0000-0x000000001B3BE000-memory.dmp

Filesize
56KB

Download
memory/4744-3655-0x000000001C280000-0x000000001C298000-memory.dmp

Filesize
96KB

Download
memory/4744-3657-0x000000001B3C0000-0x000000001B3CC000-memory.dmp

Filesize
48KB

Download
memory/4744-3659-0x000000001C370000-0x000000001C3BE000-memory.dmp

Filesize
312KB

Download
memory/4744-93-0x000000001AEA0000-0x000000001B239000-memory.dmp

Filesize
3.6MB

Download
memory/4744-95-0x000000001AEA0000-0x000000001B239000-memory.dmp

Filesize
3.6MB

Download
memory/4744-85-0x000000001AEA0000-0x000000001B239000-memory.dmp

Filesize
3.6MB

Download
memory/4744-73-0x000000001AEA0000-0x000000001B239000-memory.dmp

Filesize
3.6MB

Download
memory/4744-61-0x000000001AEA0000-0x000000001B239000-memory.dmp

Filesize
3.6MB

Download
memory/4744-54-0x000000001AEA0000-0x000000001B239000-memory.dmp

Filesize
3.6MB

Download
memory/4744-53-0x000000001AEA0000-0x000000001B240000-memory.dmp

Filesize
3.6MB

Download
memory/4744-52-0x0000000000210000-0x0000000000218000-memory.dmp

Filesize
32KB

Download
memory/5064-19-0x00007FFE00F30000-0x00007FFE019F1000-memory.dmp

Filesize
10.8MB

Download
memory/5064-1-0x0000000000AC0000-0x0000000000E42000-memory.dmp

Filesize
3.5MB

Download
memory/5064-0-0x00007FFE00F33000-0x00007FFE00F35000-memory.dmp

Filesize
8KB

Download
memory/5064-38-0x00007FFE00F30000-0x00007FFE019F1000-memory.dmp

Filesize
10.8MB

Download