dcrat | b90c52219d8c75357133266f06849a804b0995d3e20e9e0672c78bc94ebc8c9d

General

Target

02da4648a2941f1f70f9dc3d59f72595.exe
Size

2.6MB
MD5

02da4648a2941f1f70f9dc3d59f72595
SHA1

f04ff761eea9313ebaa1cf5d2914c3de7fe0b1c0
SHA256

b90c52219d8c75357133266f06849a804b0995d3e20e9e0672c78bc94ebc8c9d
SHA512

3b12be79bb99744155b09e34fb392cda54f2f9d55a2da4d930012800fe96d472028c2c09c8c4f5b008257864e8fe50d783f6ec7091f6eff6413054ec762c664f
SSDEEP

49152:+pTn80rAHkSrvT7yEBpojAGw3fo+5D0gRbfGNW8UlbSpDCP2XF:+ZpktrvTOqp2Nw3L0gRbfGI8sepeu1

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	1000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	1000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	1000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	1000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	1000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	1000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	1000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	1000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	1000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	1000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	1000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	1000	schtasks.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

02da4648a2941f1f70f9dc3d59f72595.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	02da4648a2941f1f70f9dc3d59f72595.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	02da4648a2941f1f70f9dc3d59f72595.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	02da4648a2941f1f70f9dc3d59f72595.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1600-54-0x00000000011E0000-0x0000000001484000-memory.dmp	dcrat
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe	dcrat
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe	dcrat
behavioral1/memory/1800-105-0x0000000001070000-0x0000000001314000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

lsass.exe

pid process

1800 lsass.exe

pid	process
1800	lsass.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

02da4648a2941f1f70f9dc3d59f72595.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	02da4648a2941f1f70f9dc3d59f72595.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	02da4648a2941f1f70f9dc3d59f72595.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1628	schtasks.exe
1684	schtasks.exe
1524	schtasks.exe
1228	schtasks.exe
1800	schtasks.exe
1960	schtasks.exe
1032	schtasks.exe
1372	schtasks.exe
1204	schtasks.exe
2028	schtasks.exe
1976	schtasks.exe
1536	schtasks.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

Processes:

02da4648a2941f1f70f9dc3d59f72595.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
1600	02da4648a2941f1f70f9dc3d59f72595.exe
952	powershell.exe
1804	powershell.exe
284	powershell.exe
1616	powershell.exe
2044	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

02da4648a2941f1f70f9dc3d59f72595.exelsass.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1600	02da4648a2941f1f70f9dc3d59f72595.exe
Token: SeDebugPrivilege	1800	lsass.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	284	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

02da4648a2941f1f70f9dc3d59f72595.execmd.exe

description	pid	process	target process
PID 1600 wrote to memory of 284	1600	02da4648a2941f1f70f9dc3d59f72595.exe	powershell.exe
PID 1600 wrote to memory of 284	1600	02da4648a2941f1f70f9dc3d59f72595.exe	powershell.exe
PID 1600 wrote to memory of 284	1600	02da4648a2941f1f70f9dc3d59f72595.exe	powershell.exe
PID 1600 wrote to memory of 2044	1600	02da4648a2941f1f70f9dc3d59f72595.exe	powershell.exe
PID 1600 wrote to memory of 2044	1600	02da4648a2941f1f70f9dc3d59f72595.exe	powershell.exe
PID 1600 wrote to memory of 2044	1600	02da4648a2941f1f70f9dc3d59f72595.exe	powershell.exe
PID 1600 wrote to memory of 952	1600	02da4648a2941f1f70f9dc3d59f72595.exe	powershell.exe
PID 1600 wrote to memory of 952	1600	02da4648a2941f1f70f9dc3d59f72595.exe	powershell.exe
PID 1600 wrote to memory of 952	1600	02da4648a2941f1f70f9dc3d59f72595.exe	powershell.exe
PID 1600 wrote to memory of 1804	1600	02da4648a2941f1f70f9dc3d59f72595.exe	powershell.exe
PID 1600 wrote to memory of 1804	1600	02da4648a2941f1f70f9dc3d59f72595.exe	powershell.exe
PID 1600 wrote to memory of 1804	1600	02da4648a2941f1f70f9dc3d59f72595.exe	powershell.exe
PID 1600 wrote to memory of 1616	1600	02da4648a2941f1f70f9dc3d59f72595.exe	powershell.exe
PID 1600 wrote to memory of 1616	1600	02da4648a2941f1f70f9dc3d59f72595.exe	powershell.exe
PID 1600 wrote to memory of 1616	1600	02da4648a2941f1f70f9dc3d59f72595.exe	powershell.exe
PID 1600 wrote to memory of 1816	1600	02da4648a2941f1f70f9dc3d59f72595.exe	cmd.exe
PID 1600 wrote to memory of 1816	1600	02da4648a2941f1f70f9dc3d59f72595.exe	cmd.exe
PID 1600 wrote to memory of 1816	1600	02da4648a2941f1f70f9dc3d59f72595.exe	cmd.exe
PID 1816 wrote to memory of 2028	1816	cmd.exe	w32tm.exe
PID 1816 wrote to memory of 2028	1816	cmd.exe	w32tm.exe
PID 1816 wrote to memory of 2028	1816	cmd.exe	w32tm.exe
PID 1816 wrote to memory of 1800	1816	cmd.exe	lsass.exe
PID 1816 wrote to memory of 1800	1816	cmd.exe	lsass.exe
PID 1816 wrote to memory of 1800	1816	cmd.exe	lsass.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

02da4648a2941f1f70f9dc3d59f72595.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	02da4648a2941f1f70f9dc3d59f72595.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	02da4648a2941f1f70f9dc3d59f72595.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	02da4648a2941f1f70f9dc3d59f72595.exe

C:\Users\Admin\AppData\Local\Temp\02da4648a2941f1f70f9dc3d59f72595.exe
"C:\Users\Admin\AppData\Local\Temp\02da4648a2941f1f70f9dc3d59f72595.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\02da4648a2941f1f70f9dc3d59f72595.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\sppsvc.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\Idle.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\02da4648a2941f1f70f9dc3d59f72595.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pXlQnQd1ki.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:2028

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe
"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Local Settings\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Local Settings\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "02da4648a2941f1f70f9dc3d59f725950" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\02da4648a2941f1f70f9dc3d59f72595.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "02da4648a2941f1f70f9dc3d59f72595" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\02da4648a2941f1f70f9dc3d59f72595.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "02da4648a2941f1f70f9dc3d59f725950" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\02da4648a2941f1f70f9dc3d59f72595.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1032

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Bypass User Account Control

1

T1088

Scheduled Task

1

T1053

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe
Filesize
2.6MB

MD5
6ed130f3dc3fbf298b9bf30fa684254e

SHA1
1ae9db311dab0798d92f5e4690ad8c5cbd663e49

SHA256
3a874398e9dff72103801cde1c175ff86e169b5c455a99af32c57c7983e1be22

SHA512
003f8982a351a7d7691bede2fd3d3b9926a8dc570d683c2c4171f21c994f6187ae0471c33528edf2d3acd5a6465ada309ea2259fe9fd50de14d09f8ed5759d0c

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe
Filesize
2.6MB

MD5
6ed130f3dc3fbf298b9bf30fa684254e

SHA1
1ae9db311dab0798d92f5e4690ad8c5cbd663e49

SHA256
3a874398e9dff72103801cde1c175ff86e169b5c455a99af32c57c7983e1be22

SHA512
003f8982a351a7d7691bede2fd3d3b9926a8dc570d683c2c4171f21c994f6187ae0471c33528edf2d3acd5a6465ada309ea2259fe9fd50de14d09f8ed5759d0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pXlQnQd1ki.bat
Filesize
237B

MD5
e87b5aa9fb73edd63a13e9b916bdf92a

SHA1
26935231a180cb553986963f6464aca4695c4c71

SHA256
7eea682106a40dcfaadfef0bd5f52de8e63ec80338dc91cfb16a96322da9a1d1

SHA512
439af90203aba1a1fde3b1c6cce9408a0603d6504609fddfd82e87ac7768c63becc2aa0a8a777b29919b848862731f7c867d1c3ac746b275c2c60e4aa6b716e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ab5677e489f74d1140e580591e9c5c64

SHA1
180fd4daac3283498c9db451a4373ab2e1b6f606

SHA256
bbb5a6c63525081c6dc29b673d5c4e558af85e526eb88db7d87746e3d98e7370

SHA512
1370cfa4816bcd59808ce46561a08a8ec85cf26933fcbaec3e6553e3ef13ca3344df76485d477c8cda44f42c1e201157388e39c0b73ea6ce7ecd5e6f40f926b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ab5677e489f74d1140e580591e9c5c64

SHA1
180fd4daac3283498c9db451a4373ab2e1b6f606

SHA256
bbb5a6c63525081c6dc29b673d5c4e558af85e526eb88db7d87746e3d98e7370

SHA512
1370cfa4816bcd59808ce46561a08a8ec85cf26933fcbaec3e6553e3ef13ca3344df76485d477c8cda44f42c1e201157388e39c0b73ea6ce7ecd5e6f40f926b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ab5677e489f74d1140e580591e9c5c64

SHA1
180fd4daac3283498c9db451a4373ab2e1b6f606

SHA256
bbb5a6c63525081c6dc29b673d5c4e558af85e526eb88db7d87746e3d98e7370

SHA512
1370cfa4816bcd59808ce46561a08a8ec85cf26933fcbaec3e6553e3ef13ca3344df76485d477c8cda44f42c1e201157388e39c0b73ea6ce7ecd5e6f40f926b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ab5677e489f74d1140e580591e9c5c64

SHA1
180fd4daac3283498c9db451a4373ab2e1b6f606

SHA256
bbb5a6c63525081c6dc29b673d5c4e558af85e526eb88db7d87746e3d98e7370

SHA512
1370cfa4816bcd59808ce46561a08a8ec85cf26933fcbaec3e6553e3ef13ca3344df76485d477c8cda44f42c1e201157388e39c0b73ea6ce7ecd5e6f40f926b5

Download Submit
memory/284-103-0x000007FEE9C00000-0x000007FEEA75D000-memory.dmp

Filesize
11.4MB

Download
memory/284-119-0x00000000028AB000-0x00000000028CA000-memory.dmp

Filesize
124KB

Download
memory/284-120-0x00000000028A4000-0x00000000028A7000-memory.dmp

Filesize
12KB

Download
memory/284-74-0x0000000000000000-mapping.dmp

Download
memory/284-112-0x000000001B920000-0x000000001BC1F000-memory.dmp

Filesize
3.0MB

Download
memory/284-86-0x000007FEEA760000-0x000007FEEB183000-memory.dmp

Filesize
10.1MB

Download
memory/284-109-0x00000000028A4000-0x00000000028A7000-memory.dmp

Filesize
12KB

Download
memory/284-118-0x00000000028AB000-0x00000000028CA000-memory.dmp

Filesize
124KB

Download
memory/952-95-0x000007FEEA760000-0x000007FEEB183000-memory.dmp

Filesize
10.1MB

Download
memory/952-99-0x000007FEE9C00000-0x000007FEEA75D000-memory.dmp

Filesize
11.4MB

Download
memory/952-107-0x00000000029D4000-0x00000000029D7000-memory.dmp

Filesize
12KB

Download
memory/952-123-0x00000000029D4000-0x00000000029D7000-memory.dmp

Filesize
12KB

Download
memory/952-125-0x00000000029DB000-0x00000000029FA000-memory.dmp

Filesize
124KB

Download
memory/952-76-0x0000000000000000-mapping.dmp

Download
memory/952-114-0x000000001B870000-0x000000001BB6F000-memory.dmp

Filesize
3.0MB

Download
memory/1600-65-0x0000000000B80000-0x0000000000B88000-memory.dmp

Filesize
32KB

Download
memory/1600-73-0x000000001AFD6000-0x000000001AFF5000-memory.dmp

Filesize
124KB

Download
memory/1600-72-0x000000001A990000-0x000000001A99C000-memory.dmp

Filesize
48KB

Download
memory/1600-71-0x00000000011C0000-0x00000000011C8000-memory.dmp

Filesize
32KB

Download
memory/1600-70-0x00000000011B0000-0x00000000011BE000-memory.dmp

Filesize
56KB

Download
memory/1600-69-0x00000000011D0000-0x00000000011D8000-memory.dmp

Filesize
32KB

Download
memory/1600-68-0x0000000000DA0000-0x0000000000DAC000-memory.dmp

Filesize
48KB

Download
memory/1600-67-0x0000000000C40000-0x0000000000C4C000-memory.dmp

Filesize
48KB

Download
memory/1600-66-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/1600-64-0x0000000000B70000-0x0000000000B7C000-memory.dmp

Filesize
48KB

Download
memory/1600-63-0x0000000000B60000-0x0000000000B6C000-memory.dmp

Filesize
48KB

Download
memory/1600-94-0x000000001AFD6000-0x000000001AFF5000-memory.dmp

Filesize
124KB

Download
memory/1600-62-0x0000000000D50000-0x0000000000DA6000-memory.dmp

Filesize
344KB

Download
memory/1600-54-0x00000000011E0000-0x0000000001484000-memory.dmp

Filesize
2.6MB

Download
memory/1600-61-0x0000000000340000-0x000000000034A000-memory.dmp

Filesize
40KB

Download
memory/1600-60-0x0000000000320000-0x0000000000330000-memory.dmp

Filesize
64KB

Download
memory/1600-59-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/1600-58-0x0000000000310000-0x0000000000318000-memory.dmp

Filesize
32KB

Download
memory/1600-57-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/1600-56-0x00000000002F0000-0x00000000002F8000-memory.dmp

Filesize
32KB

Download
memory/1600-111-0x000000001AFD6000-0x000000001AFF5000-memory.dmp

Filesize
124KB

Download
memory/1600-55-0x0000000000250000-0x000000000025E000-memory.dmp

Filesize
56KB

Download
memory/1616-96-0x000007FEEA760000-0x000007FEEB183000-memory.dmp

Filesize
10.1MB

Download
memory/1616-104-0x000007FEE9C00000-0x000007FEEA75D000-memory.dmp

Filesize
11.4MB

Download
memory/1616-110-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/1616-121-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/1616-122-0x00000000028FB000-0x000000000291A000-memory.dmp

Filesize
124KB

Download
memory/1616-79-0x0000000000000000-mapping.dmp

Download
memory/1616-115-0x000000001B7A0000-0x000000001BA9F000-memory.dmp

Filesize
3.0MB

Download
memory/1800-105-0x0000000001070000-0x0000000001314000-memory.dmp

Filesize
2.6MB

Download
memory/1800-97-0x0000000000000000-mapping.dmp

Download
memory/1804-102-0x000007FEE9C00000-0x000007FEEA75D000-memory.dmp

Filesize
11.4MB

Download
memory/1804-116-0x00000000024E4000-0x00000000024E7000-memory.dmp

Filesize
12KB

Download
memory/1804-117-0x00000000024EB000-0x000000000250A000-memory.dmp

Filesize
124KB

Download
memory/1804-77-0x0000000000000000-mapping.dmp

Download
memory/1804-108-0x00000000024E4000-0x00000000024E7000-memory.dmp

Filesize
12KB

Download
memory/1804-93-0x000007FEEA760000-0x000007FEEB183000-memory.dmp

Filesize
10.1MB

Download
memory/1816-88-0x0000000000000000-mapping.dmp

Download
memory/2028-92-0x0000000000000000-mapping.dmp

Download
memory/2044-113-0x000000001B880000-0x000000001BB7F000-memory.dmp

Filesize
3.0MB

Download
memory/2044-98-0x000007FEE9C00000-0x000007FEEA75D000-memory.dmp

Filesize
11.4MB

Download
memory/2044-78-0x000007FEFB781000-0x000007FEFB783000-memory.dmp

Filesize
8KB

Download
memory/2044-82-0x000007FEEA760000-0x000007FEEB183000-memory.dmp

Filesize
10.1MB

Download
memory/2044-106-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/2044-75-0x0000000000000000-mapping.dmp

Download
memory/2044-126-0x000000000288B000-0x00000000028AA000-memory.dmp

Filesize
124KB

Download
memory/2044-124-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads