dcrat | 70bba6e748b04c937188f113389a3c90bf30806add70222b920886a57b0bdd98

Analysis

max time kernel
141s
max time network
170s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12d3790d20dcd64ff72360ebd3b199e3.exe
Size

1.6MB
MD5

12d3790d20dcd64ff72360ebd3b199e3
SHA1

548c99a5137a38ed6fefdfdb9fd1d528d7795b74
SHA256

e4f54860982aa850776dbb14e8cd179b9afff0f02a06a7fcf7cada35fee4e6cc
SHA512

32e3da761ac34f1e920190619b2449a96ff2e3ede2cea65b11efbeaf5e049f22645e378bb3187406786b2fd2e8f3a8180ce1d6b3dd75cbd57b8a16a17fdae4fc
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2896	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2896	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2896	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2896	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2896	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2896	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	2896	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2896	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2896	schtasks.exe	29

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral23/memory/636-1-0x0000000000180000-0x0000000000322000-memory.dmp	dcrat
behavioral23/files/0x000500000001998d-24.dat	dcrat
behavioral23/files/0x0005000000019bf9-37.dat	dcrat
behavioral23/files/0x000e00000001225c-48.dat	dcrat
behavioral23/files/0x0006000000019c3c-91.dat	dcrat
behavioral23/memory/2228-92-0x0000000000AF0000-0x0000000000C92000-memory.dmp	dcrat
behavioral23/memory/2744-114-0x0000000000350000-0x00000000004F2000-memory.dmp	dcrat
behavioral23/memory/2720-126-0x0000000000D30000-0x0000000000ED2000-memory.dmp	dcrat
behavioral23/memory/1684-138-0x0000000000290000-0x0000000000432000-memory.dmp	dcrat
behavioral23/memory/2376-150-0x00000000010A0000-0x0000000001242000-memory.dmp	dcrat
behavioral23/memory/2184-162-0x0000000000340000-0x00000000004E2000-memory.dmp	dcrat
behavioral23/memory/2320-174-0x0000000000360000-0x0000000000502000-memory.dmp	dcrat
behavioral23/files/0x0006000000019e92-178.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1800	powershell.exe
2968	powershell.exe
700	powershell.exe
2848	powershell.exe

Executes dropped EXE 6 IoCs

pid	Process
2228	winlogon.exe
2244	winlogon.exe
2744	winlogon.exe
2720	winlogon.exe
1684	winlogon.exe
2376	winlogon.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\wininit.exe	12d3790d20dcd64ff72360ebd3b199e3.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\56085415360792	12d3790d20dcd64ff72360ebd3b199e3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\RCX7E1.tmp	12d3790d20dcd64ff72360ebd3b199e3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\RCX85F.tmp	12d3790d20dcd64ff72360ebd3b199e3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\wininit.exe	12d3790d20dcd64ff72360ebd3b199e3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2784	schtasks.exe
3004	schtasks.exe
2700	schtasks.exe
436	schtasks.exe
2652	schtasks.exe
2768	schtasks.exe
2724	schtasks.exe
1920	schtasks.exe
2632	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
636	12d3790d20dcd64ff72360ebd3b199e3.exe
700	powershell.exe
2848	powershell.exe
1800	powershell.exe
2968	powershell.exe
2228	winlogon.exe
2244	winlogon.exe
2744	winlogon.exe
2720	winlogon.exe
1684	winlogon.exe
2376	winlogon.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	636	12d3790d20dcd64ff72360ebd3b199e3.exe
Token: SeDebugPrivilege	700	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	2228	winlogon.exe
Token: SeDebugPrivilege	2244	winlogon.exe
Token: SeDebugPrivilege	2744	winlogon.exe
Token: SeDebugPrivilege	2720	winlogon.exe
Token: SeDebugPrivilege	1684	winlogon.exe
Token: SeDebugPrivilege	2376	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 2848	636	12d3790d20dcd64ff72360ebd3b199e3.exe	39
PID 636 wrote to memory of 2848	636	12d3790d20dcd64ff72360ebd3b199e3.exe	39
PID 636 wrote to memory of 2848	636	12d3790d20dcd64ff72360ebd3b199e3.exe	39
PID 636 wrote to memory of 700	636	12d3790d20dcd64ff72360ebd3b199e3.exe	40
PID 636 wrote to memory of 700	636	12d3790d20dcd64ff72360ebd3b199e3.exe	40
PID 636 wrote to memory of 700	636	12d3790d20dcd64ff72360ebd3b199e3.exe	40
PID 636 wrote to memory of 2968	636	12d3790d20dcd64ff72360ebd3b199e3.exe	41
PID 636 wrote to memory of 2968	636	12d3790d20dcd64ff72360ebd3b199e3.exe	41
PID 636 wrote to memory of 2968	636	12d3790d20dcd64ff72360ebd3b199e3.exe	41
PID 636 wrote to memory of 1800	636	12d3790d20dcd64ff72360ebd3b199e3.exe	43
PID 636 wrote to memory of 1800	636	12d3790d20dcd64ff72360ebd3b199e3.exe	43
PID 636 wrote to memory of 1800	636	12d3790d20dcd64ff72360ebd3b199e3.exe	43
PID 636 wrote to memory of 2516	636	12d3790d20dcd64ff72360ebd3b199e3.exe	47
PID 636 wrote to memory of 2516	636	12d3790d20dcd64ff72360ebd3b199e3.exe	47
PID 636 wrote to memory of 2516	636	12d3790d20dcd64ff72360ebd3b199e3.exe	47
PID 2516 wrote to memory of 2156	2516	cmd.exe	49
PID 2516 wrote to memory of 2156	2516	cmd.exe	49
PID 2516 wrote to memory of 2156	2516	cmd.exe	49
PID 2516 wrote to memory of 2228	2516	cmd.exe	50
PID 2516 wrote to memory of 2228	2516	cmd.exe	50
PID 2516 wrote to memory of 2228	2516	cmd.exe	50
PID 2228 wrote to memory of 1516	2228	winlogon.exe	51
PID 2228 wrote to memory of 1516	2228	winlogon.exe	51
PID 2228 wrote to memory of 1516	2228	winlogon.exe	51
PID 2228 wrote to memory of 1936	2228	winlogon.exe	52
PID 2228 wrote to memory of 1936	2228	winlogon.exe	52
PID 2228 wrote to memory of 1936	2228	winlogon.exe	52
PID 1516 wrote to memory of 2244	1516	WScript.exe	53
PID 1516 wrote to memory of 2244	1516	WScript.exe	53
PID 1516 wrote to memory of 2244	1516	WScript.exe	53
PID 2244 wrote to memory of 2812	2244	winlogon.exe	54
PID 2244 wrote to memory of 2812	2244	winlogon.exe	54
PID 2244 wrote to memory of 2812	2244	winlogon.exe	54
PID 2244 wrote to memory of 2504	2244	winlogon.exe	55
PID 2244 wrote to memory of 2504	2244	winlogon.exe	55
PID 2244 wrote to memory of 2504	2244	winlogon.exe	55
PID 2812 wrote to memory of 2744	2812	WScript.exe	56
PID 2812 wrote to memory of 2744	2812	WScript.exe	56
PID 2812 wrote to memory of 2744	2812	WScript.exe	56
PID 2744 wrote to memory of 2712	2744	winlogon.exe	57
PID 2744 wrote to memory of 2712	2744	winlogon.exe	57
PID 2744 wrote to memory of 2712	2744	winlogon.exe	57
PID 2744 wrote to memory of 2688	2744	winlogon.exe	58
PID 2744 wrote to memory of 2688	2744	winlogon.exe	58
PID 2744 wrote to memory of 2688	2744	winlogon.exe	58
PID 2712 wrote to memory of 2720	2712	WScript.exe	59
PID 2712 wrote to memory of 2720	2712	WScript.exe	59
PID 2712 wrote to memory of 2720	2712	WScript.exe	59
PID 2720 wrote to memory of 460	2720	winlogon.exe	60
PID 2720 wrote to memory of 460	2720	winlogon.exe	60
PID 2720 wrote to memory of 460	2720	winlogon.exe	60
PID 2720 wrote to memory of 1888	2720	winlogon.exe	61
PID 2720 wrote to memory of 1888	2720	winlogon.exe	61
PID 2720 wrote to memory of 1888	2720	winlogon.exe	61
PID 460 wrote to memory of 1684	460	WScript.exe	62
PID 460 wrote to memory of 1684	460	WScript.exe	62
PID 460 wrote to memory of 1684	460	WScript.exe	62
PID 1684 wrote to memory of 1716	1684	winlogon.exe	63
PID 1684 wrote to memory of 1716	1684	winlogon.exe	63
PID 1684 wrote to memory of 1716	1684	winlogon.exe	63
PID 1684 wrote to memory of 2468	1684	winlogon.exe	64
PID 1684 wrote to memory of 2468	1684	winlogon.exe	64
PID 1684 wrote to memory of 2468	1684	winlogon.exe	64
PID 1716 wrote to memory of 2376	1716	WScript.exe	65

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\12d3790d20dcd64ff72360ebd3b199e3.exe
"C:\Users\Admin\AppData\Local\Temp\12d3790d20dcd64ff72360ebd3b199e3.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\12d3790d20dcd64ff72360ebd3b199e3.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Hf0I0Wzs1Z.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2156
- - C:\MSOCache\All Users\winlogon.exe
    "C:\MSOCache\All Users\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\acb2dd6d-80bb-4e4b-bc0a-5445882812c4.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1516
    - - C:\MSOCache\All Users\winlogon.exe
        
        "C:\MSOCache\All Users\winlogon.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2244
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f339f6dd-673f-4afc-accb-96eefd7329d1.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\MSOCache\All Users\winlogon.exe
        
        "C:\MSOCache\All Users\winlogon.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99a5c4dd-587a-4e5b-adfb-59df97b0d441.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\MSOCache\All Users\winlogon.exe
        
        "C:\MSOCache\All Users\winlogon.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f25c5d6-d0f3-4f08-9725-30c054b66f07.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:460
        
        C:\MSOCache\All Users\winlogon.exe
        
        "C:\MSOCache\All Users\winlogon.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85111fc3-7c73-4ac0-a9ff-c5f126ebb70c.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\MSOCache\All Users\winlogon.exe
        
        "C:\MSOCache\All Users\winlogon.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9c83ea8-f48a-4cc1-90a2-ffa40dd61977.vbs"
        14⤵
        
        PID:2952
        
        C:\MSOCache\All Users\winlogon.exe
        
        "C:\MSOCache\All Users\winlogon.exe"
        15⤵
        
        PID:2184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e542256-04f3-4484-b32c-9ed6e73e258a.vbs"
        16⤵
        
        PID:2576
        
        C:\MSOCache\All Users\winlogon.exe
        
        "C:\MSOCache\All Users\winlogon.exe"
        17⤵
        
        PID:2320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28fa43db-d719-49e0-839e-75374127aaa9.vbs"
        18⤵
        
        PID:1632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\544afa49-75fc-4f77-a9ce-137481ca83c5.vbs"
        18⤵
        
        PID:840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e7d87ac-3455-4dba-9d50-0073e8d00c2a.vbs"
        16⤵
        
        PID:1552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0df97f0-a0bd-442b-b9b7-1c09d7711bef.vbs"
        14⤵
        
        PID:2756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91f2093b-c755-47d9-9fbb-0704625af5df.vbs"
        12⤵
        
        PID:2468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\add2095f-cf7e-4dba-9e9b-70ca1307b1ed.vbs"
        10⤵
        
        PID:1888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4154d39c-588e-45c6-a084-8337c2ca829f.vbs"
        8⤵
        
        PID:2688
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7ac51e1-9203-4cac-9275-c5d12b60ba15.vbs"
        6⤵
        
        PID:2504
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa4f8864-77fe-4a27-81d2-128b47976e40.vbs"
      4⤵
      PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\winlogon.exe

Filesize
1.6MB

MD5
12d3790d20dcd64ff72360ebd3b199e3

SHA1
548c99a5137a38ed6fefdfdb9fd1d528d7795b74

SHA256
e4f54860982aa850776dbb14e8cd179b9afff0f02a06a7fcf7cada35fee4e6cc

SHA512
32e3da761ac34f1e920190619b2449a96ff2e3ede2cea65b11efbeaf5e049f22645e378bb3187406786b2fd2e8f3a8180ce1d6b3dd75cbd57b8a16a17fdae4fc

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\wininit.exe

Filesize
1.6MB

MD5
02d05096327f7e6985db3e9474069ae0

SHA1
dbd2ff481e5bc8c0076cc085206f4a1026b7fcba

SHA256
1b1c37fd95b7e1b4809dbb0e116fe5570435e275055d6eecae274116eae1d82a

SHA512
cdb9bae4f785f391644248954bade97546a1cc08e01941da77a0333e82819de95d6d84206c0890816d235490ee329bca94ea65111d684684c0a0e447be463a8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\0813e09b942a486d39d922dcaddd6f26de0bdebf.exe

Filesize
1.1MB

MD5
1b467d6ac1031927c1ab46ace1ed0f05

SHA1
c25202f3f43ee81cedf0bb790cbce98896d738da

SHA256
776c860d7bf503dc2d06a8a6c8547f78a293cd485c85d2d85d00a365241f7b57

SHA512
39f52c19a98460760cfcfac2dd1818d9b96292a8802a8ca776a821687aaa74ae7e763e24ca5e4d82873d9362a8c70d0489a4922026372063462f6921ef85c3ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\28fa43db-d719-49e0-839e-75374127aaa9.vbs

Filesize
710B

MD5
fae2df0a0e270d3f37cc0d2b380b1363

SHA1
d7c4bd45680979601682e552a2c8a34495979ef6

SHA256
395d1781a877a85d000ee9cdb2edaddf4099d13c42eb5410c501e81441ea8ed5

SHA512
9823c371552428e3329a5551704ba5949d9cab9f477b99f8ebc7babbc018630cb1a9f6e61196c31d5c51450644fac7447e6e909105e6c5a6de25e4b8c0341e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f25c5d6-d0f3-4f08-9725-30c054b66f07.vbs

Filesize
710B

MD5
20ad802a88ff731f448c759acb7a55c9

SHA1
a73b09b438c9112f9f755fa885ee11293a7d9a5c

SHA256
da4b7cac9c518838a22be807ae8ceb19ebbd380b56d0a372bb71799c27e1d90a

SHA512
7df1f1661434cb966c60753b67b3fe0b3f12331d160bd73b16428adb929c52f72760fa5d504d0f220663897d6994df823467d4d30066b486b6120f7f6c9b0c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\85111fc3-7c73-4ac0-a9ff-c5f126ebb70c.vbs

Filesize
710B

MD5
5ed0ec92be183eb4c81644517155125e

SHA1
7508a26bb9d7037d2e10bf46005b94240f22091e

SHA256
4831bba387bc90c0ccdc1449eef612da47c09527774fb79a0748d7bcbc0dd66f

SHA512
72c9591ddd37590ddcb4bcf5400ca5f5c70b18cecef90fef38c233829591c7ca5577e8ba99fc7139ed6f37259e3428f415beab8cafc8f1410a5e263f807f541e

Download Submit
C:\Users\Admin\AppData\Local\Temp\99a5c4dd-587a-4e5b-adfb-59df97b0d441.vbs

Filesize
710B

MD5
d281b7079e55d329f123f6496d48dfc8

SHA1
c0014ab8467044f24ba26d090f40f0bd2b7cb0f8

SHA256
65525e64219232756dbfb037dea81feb6da0f5f2b9a57dd6f957fb8dbe5de9d3

SHA512
5c2258d2fba64b041109de10328b6675e8b2ae9f4ab310faf9de92c3a61c4bbd96ad178c956987c13ea26e4cc2ad6d3a843e84c099b8656ab2b46da6c6711442

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e542256-04f3-4484-b32c-9ed6e73e258a.vbs

Filesize
710B

MD5
516d99232f461b2813aa5a3af916cd5d

SHA1
ccd6bea3965e1af49e956a736bc30d975adc8cf7

SHA256
dcb39333035aaf98166ba9563e67c7896ba2350f2390fa0202a7c4fa68eee802

SHA512
6bf023ffab49e554e37cc1bb505e7dbc9d153a2266d45c2e78f9153f4bd95b283fcd2eb55787bae21b992e4558f51ba605ed509aea5368647642eed37447ffe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hf0I0Wzs1Z.bat

Filesize
199B

MD5
a011cd7660c95965b863423a884f4c66

SHA1
d2dc2ff423999621f1586bd2a94ecdac132c4b30

SHA256
7ae210f67b200f4e019aa406824e03ce92ccdc47fcb4a98856366618fa966b3e

SHA512
2b99e40328c1d362558d44175a84dd7768439d15b71041c20608c5fd2782c0b763b590ebbeee16eb7dccb4708d64d700e84c32b733f571844b872ac9b4b6a6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX271.tmp

Filesize
1.6MB

MD5
a8a9bcdaf9ebe61434094c957a951c6d

SHA1
6a3843896b01b0826ce274aa476a8043a5e74291

SHA256
94afa0d6e868187371f98dbf0e4efcad392da60a1b0e09c22c674d049266587c

SHA512
cf2d8a88bbd179bc8a75084fb6d5041de0536303467a4e7d30eb79efe420e306d5624c01247c3b573c50f64057fc1e17a4bfa7359097661ec55b60153317a10d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9c83ea8-f48a-4cc1-90a2-ffa40dd61977.vbs

Filesize
710B

MD5
975e3b084cd6252b3b842ba38a3f5850

SHA1
2018fe7b2a04f633e10952c2757fd94dd02b9923

SHA256
85c67de1062b779b9259e8c515e4c68d6e58d572af1b438744b67655016f7aad

SHA512
e0d5290e12f98b5825e313b8db925a4e8e7f5e59f07a542515432081913f069f78d7f5470e57798ef96b1885f99c46b5539b38a312140346c2a31dfa461f7d9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\acb2dd6d-80bb-4e4b-bc0a-5445882812c4.vbs

Filesize
710B

MD5
600d328790052306b77e9f55dda8b490

SHA1
d63c39258a9bdcfcda4e74a68fcd435edd4b377c

SHA256
4223fd7a111227dadefabd2c1f8e0323193fc55fcaf6d14747075a47590c3986

SHA512
517cfe74c8d9d5d6b81db9f178caf45eb701d83f5719ea87122137a77b36a981cd94300bd222b8cfba90c733d8b6fef7ba4174431ed1089bdb119f0b4d351750

Download Submit
C:\Users\Admin\AppData\Local\Temp\f339f6dd-673f-4afc-accb-96eefd7329d1.vbs

Filesize
710B

MD5
da33cdfe652abed88411b66bce31360f

SHA1
73cf0c20ab643345e0a8415bf43688edc1e0d7aa

SHA256
51727b8e1138551b35d83af15ecd661c2ad6080e21beb171bb0472d43db052a4

SHA512
eb82b17c8421db5ed2437a6a5d11fd5ab2661260c81dde595cb5bf91ac668eb084d4320a6913aa18f3e146870c6558fbf7be50f0d37932b99b0f67c74de391ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\fa4f8864-77fe-4a27-81d2-128b47976e40.vbs

Filesize
486B

MD5
4d982be6d83824ff9af325f9b42c04f7

SHA1
357beec7863304a715ed5ed78bbbdc4902b53936

SHA256
ef0c311702df2b76839446ff89ea1459dc22650cd822411c19090d96679fb24f

SHA512
c183cd2ea5052d2b56e4d4e9535389209c7837aa64095d80c0f81fb04a36cbc689d3631151c3ca9823f04ac3887c4c6ca30cd32a785b54c3aabc5710e7eb7560

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0314bc828bea930205b9e2f3e9a76c6f

SHA1
15e0642e7a09bb13752c1580b29185bc3ced42c1

SHA256
1b7c004696526f2b1a946d6cd20b8dfd1b3e93a6a9d4e0ed52ba8be0d1ad39b2

SHA512
728dd4726e30375084fe0223c5920db35cb5e57ff38b82f3da65735a64dc4a0ea8231de9eb2e08fa503641baf520bf5512f99e475be587ff8544bfe51168842a

Download Submit
C:\Users\Default\csrss.exe

Filesize
1.6MB

MD5
8395977de9e384ed2c09ec4651a865cb

SHA1
93b30a08111450d60158bd34b3b43843e6104c98

SHA256
2be592dd104b120fe250db4aecb441423600d9140074a97b37fabab093b19b92

SHA512
462a4d18c3a60c231e8c9d067d5837b74c579d6439d20ff54b0c811c225ff39bf916366c33155fb810092bba771c95e2c12515b7ef4658871615ff6b20684439

Download Submit
memory/636-86-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

Filesize
9.9MB

Download
memory/636-9-0x0000000000660000-0x000000000066C000-memory.dmp

Filesize
48KB

Download
memory/636-31-0x000007FEF5A93000-0x000007FEF5A94000-memory.dmp

Filesize
4KB

Download
memory/636-11-0x0000000000700000-0x000000000070A000-memory.dmp

Filesize
40KB

Download
memory/636-12-0x0000000000710000-0x000000000071E000-memory.dmp

Filesize
56KB

Download
memory/636-13-0x0000000000720000-0x0000000000728000-memory.dmp

Filesize
32KB

Download
memory/636-0-0x000007FEF5A93000-0x000007FEF5A94000-memory.dmp

Filesize
4KB

Download
memory/636-16-0x0000000000860000-0x000000000086C000-memory.dmp

Filesize
48KB

Download
memory/636-1-0x0000000000180000-0x0000000000322000-memory.dmp

Filesize
1.6MB

Download
memory/636-2-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

Filesize
9.9MB

Download
memory/636-14-0x0000000000730000-0x0000000000738000-memory.dmp

Filesize
32KB

Download
memory/636-3-0x0000000000140000-0x000000000015C000-memory.dmp

Filesize
112KB

Download
memory/636-15-0x0000000000740000-0x000000000074A000-memory.dmp

Filesize
40KB

Download
memory/636-8-0x0000000000640000-0x0000000000648000-memory.dmp

Filesize
32KB

Download
memory/636-10-0x00000000006F0000-0x00000000006FC000-memory.dmp

Filesize
48KB

Download
memory/636-4-0x0000000000160000-0x0000000000170000-memory.dmp

Filesize
64KB

Download
memory/636-6-0x0000000000170000-0x0000000000178000-memory.dmp

Filesize
32KB

Download
memory/636-5-0x0000000000530000-0x0000000000546000-memory.dmp

Filesize
88KB

Download
memory/636-7-0x0000000000650000-0x0000000000660000-memory.dmp

Filesize
64KB

Download
memory/700-88-0x000000001B390000-0x000000001B672000-memory.dmp

Filesize
2.9MB

Download
memory/700-89-0x0000000002630000-0x0000000002638000-memory.dmp

Filesize
32KB

Download
memory/1684-138-0x0000000000290000-0x0000000000432000-memory.dmp

Filesize
1.6MB

Download
memory/2184-162-0x0000000000340000-0x00000000004E2000-memory.dmp

Filesize
1.6MB

Download
memory/2228-92-0x0000000000AF0000-0x0000000000C92000-memory.dmp

Filesize
1.6MB

Download
memory/2320-174-0x0000000000360000-0x0000000000502000-memory.dmp

Filesize
1.6MB

Download
memory/2376-150-0x00000000010A0000-0x0000000001242000-memory.dmp

Filesize
1.6MB

Download
memory/2720-126-0x0000000000D30000-0x0000000000ED2000-memory.dmp

Filesize
1.6MB

Download
memory/2744-114-0x0000000000350000-0x00000000004F2000-memory.dmp

Filesize
1.6MB

Download