dcrat | 620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051

Analysis

max time kernel
115s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/01/2025, 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
Size

2.0MB
MD5

10ff87f8fabc6154f9a370f7fd17f928
SHA1

8dcfbb5f1793861d917c38d77b241f2c73f7344b
SHA256

620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051
SHA512

e7ca4a43bf8eb6fd06d180d7d4befb42887020f626c088616627f35362fb549689594a0425deb86a778067ae102219cb299677d6802ddcc8d555da9032a9bf9e
SSDEEP

24576:YIWvTgWtxIEUy/N3VfEj2kiGJrgnhU66dtZyXSt1Q65bNAJO4f6/NJmlEUDAS9gm:YIWTxhVG7ohU665Y0JbNm8mkjYLyu

Score

10^/10

dcrat discovery infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3744	2260	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2260	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2260	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	2260	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2260	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	2260	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	2260	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	2260	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	2260	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2260	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2260	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2260	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2260	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4324	2260	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	2260	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	2260	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	2260	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3552	2260	schtasks.exe	82

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe

Executes dropped EXE 1 IoCs

pid	Process
744	spoolsv.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\spoolsv.exe	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
File created	C:\Program Files (x86)\Windows NT\f3b6ecef712a24	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\L2Schemas\System.exe	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
File opened for modification	C:\Windows\L2Schemas\System.exe	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
File created	C:\Windows\L2Schemas\27d1bcfc3c54e0	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
File created	C:\Windows\PolicyDefinitions\it-IT\sihost.exe	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
File created	C:\Windows\PolicyDefinitions\it-IT\66fc9ff0ee96c2	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
File created	C:\Windows\System\unsecapp.exe	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
File created	C:\Windows\System\29c1c3cc0f7685	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2612	PING.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2612	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4324	schtasks.exe
4564	schtasks.exe
3552	schtasks.exe
3744	schtasks.exe
3000	schtasks.exe
112	schtasks.exe
2128	schtasks.exe
2736	schtasks.exe
2724	schtasks.exe
3708	schtasks.exe
1472	schtasks.exe
216	schtasks.exe
3664	schtasks.exe
2928	schtasks.exe
3172	schtasks.exe
2728	schtasks.exe
4984	schtasks.exe
1232	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
Token: SeDebugPrivilege	744	spoolsv.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3332 wrote to memory of 4680	3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe	101
PID 3332 wrote to memory of 4680	3332	620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe	101
PID 4680 wrote to memory of 440	4680	cmd.exe	103
PID 4680 wrote to memory of 440	4680	cmd.exe	103
PID 4680 wrote to memory of 2612	4680	cmd.exe	104
PID 4680 wrote to memory of 2612	4680	cmd.exe	104
PID 4680 wrote to memory of 744	4680	cmd.exe	105
PID 4680 wrote to memory of 744	4680	cmd.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe
"C:\Users\Admin\AppData\Local\Temp\620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qQl0OSbWT6.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:440
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2612
- - C:\Program Files (x86)\Windows NT\spoolsv.exe
    "C:\Program Files (x86)\Windows NT\spoolsv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Windows\System\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Windows\System\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Windows\PolicyDefinitions\it-IT\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\it-IT\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Windows\PolicyDefinitions\it-IT\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\L2Schemas\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\L2Schemas\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d10516" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d10516" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qQl0OSbWT6.bat

Filesize
173B

MD5
0ed5d56d8584504519579d98dc554462

SHA1
b3af7b167c5d611ffef2d0a098e77dbc9c4afa00

SHA256
e6f37b3cbfe39a0ced8e9bd667e4af9de33fd60dc9ff490625d801498d11e564

SHA512
a4508c3c10b5c9df5c11530e2738f480bcea4532aaf656246df5875d8e398e7013d324b6dd49139de695ceffc35753a82412fb33357cbacf396ae4777d247848

Download Submit
C:\Windows\System\unsecapp.exe

Filesize
2.0MB

MD5
10ff87f8fabc6154f9a370f7fd17f928

SHA1
8dcfbb5f1793861d917c38d77b241f2c73f7344b

SHA256
620ebdda751738d4c95cb793fbcda971e6cd1dcf082f0da63848c55ed68d1051

SHA512
e7ca4a43bf8eb6fd06d180d7d4befb42887020f626c088616627f35362fb549689594a0425deb86a778067ae102219cb299677d6802ddcc8d555da9032a9bf9e

Download Submit
memory/744-60-0x000000001B400000-0x000000001B4A9000-memory.dmp

Filesize
676KB

Download
memory/3332-7-0x00007FFB28110000-0x00007FFB28BD1000-memory.dmp

Filesize
10.8MB

Download
memory/3332-21-0x000000001B4B0000-0x000000001B4BC000-memory.dmp

Filesize
48KB

Download
memory/3332-6-0x0000000001110000-0x000000000111E000-memory.dmp

Filesize
56KB

Download
memory/3332-0-0x00007FFB28113000-0x00007FFB28115000-memory.dmp

Filesize
8KB

Download
memory/3332-8-0x00007FFB28110000-0x00007FFB28BD1000-memory.dmp

Filesize
10.8MB

Download
memory/3332-10-0x0000000002B80000-0x0000000002B9C000-memory.dmp

Filesize
112KB

Download
memory/3332-11-0x000000001B4F0000-0x000000001B540000-memory.dmp

Filesize
320KB

Download
memory/3332-13-0x0000000002BA0000-0x0000000002BB8000-memory.dmp

Filesize
96KB

Download
memory/3332-15-0x0000000002B60000-0x0000000002B6E000-memory.dmp

Filesize
56KB

Download
memory/3332-17-0x0000000002B70000-0x0000000002B7E000-memory.dmp

Filesize
56KB

Download
memory/3332-19-0x000000001B4A0000-0x000000001B4AC000-memory.dmp

Filesize
48KB

Download
memory/3332-4-0x00007FFB28110000-0x00007FFB28BD1000-memory.dmp

Filesize
10.8MB

Download
memory/3332-23-0x000000001B4C0000-0x000000001B4CC000-memory.dmp

Filesize
48KB

Download
memory/3332-24-0x00007FFB28110000-0x00007FFB28BD1000-memory.dmp

Filesize
10.8MB

Download
memory/3332-26-0x00007FFB28110000-0x00007FFB28BD1000-memory.dmp

Filesize
10.8MB

Download
memory/3332-3-0x00007FFB28110000-0x00007FFB28BD1000-memory.dmp

Filesize
10.8MB

Download
memory/3332-37-0x00007FFB28110000-0x00007FFB28BD1000-memory.dmp

Filesize
10.8MB

Download
memory/3332-38-0x00007FFB28110000-0x00007FFB28BD1000-memory.dmp

Filesize
10.8MB

Download
memory/3332-39-0x00007FFB28110000-0x00007FFB28BD1000-memory.dmp

Filesize
10.8MB

Download
memory/3332-40-0x00007FFB28110000-0x00007FFB28BD1000-memory.dmp

Filesize
10.8MB

Download
memory/3332-46-0x000000001B550000-0x000000001B5F9000-memory.dmp

Filesize
676KB

Download
memory/3332-2-0x00007FFB28110000-0x00007FFB28BD1000-memory.dmp

Filesize
10.8MB

Download
memory/3332-48-0x00007FFB28110000-0x00007FFB28BD1000-memory.dmp

Filesize
10.8MB

Download
memory/3332-1-0x0000000000750000-0x000000000094E000-memory.dmp

Filesize
2.0MB

Download