dcrat | 28ebd60f492ca0957ac7ab3fdbcd8262966dee60dbec71d6bcac8d7efaf65479

Analysis

max time kernel
149s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
09-11-2022 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

migrate.120.exe
Size

15.7MB
MD5

b27e540aef37c99f3cfd2766c2e61784
SHA1

c516b74daec17d1bc788c54433cf10899ee07e92
SHA256

28ebd60f492ca0957ac7ab3fdbcd8262966dee60dbec71d6bcac8d7efaf65479
SHA512

641d5daaef91d535f279ce7fea1f7c8b50ba87040480602e51951dfc2f3345699d3161d38b1b2ab7b3d4fbbcc56e0d597f125ed65ea3971df4888cb4a63897cd
SSDEEP

393216:XhBqJ0CE8/eXkkM7cGGBNpuXU8ysXVqNIyc2KBcr27eEHTPX:RBe0CiMihuXU8yYqNIygdrX

Score

10^/10

dcrat discovery evasion infostealer rat trojan

Malware Config

Signatures

DCRat payload 20 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\ProgramData\dc.exe	dcrat
\ProgramData\dc.exe	MALWARE_Win_DCRat
C:\ProgramData\dc.exe	dcrat
C:\ProgramData\dc.exe	MALWARE_Win_DCRat
\ProgramData\dc.exe	dcrat
\ProgramData\dc.exe	MALWARE_Win_DCRat
\ProgramData\dc.exe	dcrat
\ProgramData\dc.exe	MALWARE_Win_DCRat
C:\programdata\dc.exe	dcrat
C:\programdata\dc.exe	MALWARE_Win_DCRat
C:\runtimeMonitor\ComdriverSvc.exe	dcrat
C:\runtimeMonitor\ComdriverSvc.exe	MALWARE_Win_DCRat
\runtimeMonitor\ComdriverSvc.exe	dcrat
\runtimeMonitor\ComdriverSvc.exe	MALWARE_Win_DCRat
\runtimeMonitor\ComdriverSvc.exe	dcrat
\runtimeMonitor\ComdriverSvc.exe	MALWARE_Win_DCRat
C:\runtimeMonitor\ComdriverSvc.exe	dcrat
C:\runtimeMonitor\ComdriverSvc.exe	MALWARE_Win_DCRat
behavioral1/memory/1916-131-0x0000000001170000-0x000000000127C000-memory.dmp	dcrat
behavioral1/memory/1916-131-0x0000000001170000-0x000000000127C000-memory.dmp	MALWARE_Win_DCRat

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

1.exe1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "3"	1.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "3"	1.exe

Executes dropped EXE 7 IoCs

Processes:

1.exeany.exedc.exe1.exewsappz.exeComdriverSvc.exeAnyDesk.exe

pid process

636 1.exe
1556 any.exe
1964 dc.exe
1876 1.exe
1972 wsappz.exe
1916 ComdriverSvc.exe
2000 AnyDesk.exe

pid	process
636	1.exe
1556	any.exe
1964	dc.exe
1876	1.exe
1972	wsappz.exe
1916	ComdriverSvc.exe
2000	AnyDesk.exe

Loads dropped DLL 14 IoCs

Processes:

migrate.120.execmd.execmd.exewsappz.exe

pid	process
2028	migrate.120.exe
2028	migrate.120.exe
2028	migrate.120.exe
2028	migrate.120.exe
2028	migrate.120.exe
2028	migrate.120.exe
2028	migrate.120.exe
2028	migrate.120.exe
2028	migrate.120.exe
2028	migrate.120.exe
572	cmd.exe
824	cmd.exe
824	cmd.exe
1972	wsappz.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

1.exe1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware = "1"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

Processes:

1.exe1.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	1.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1584 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1616 tasklist.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1616 taskkill.exe
1712 taskkill.exe

pid	process
1584	timeout.exe

pid	process
1616	tasklist.exe

pid	process
1616	taskkill.exe
1712	taskkill.exe

Modifies registry class 7 IoCs

Processes:

wsappz.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command	wsappz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command\ = "\"C:\\ProgramData\\AnyDesk\\AnyDesk.exe\" --play \"%1\""	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon	wsappz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon\ = "\"C:\\ProgramData\\AnyDesk\\AnyDesk.exe\",0"	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell	wsappz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open	wsappz.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exepowershell.exe1.exepowershell.exewsappz.exeAnyDesk.exepowershell.exe

pid	process
1428	powershell.exe
2036	powershell.exe
636	1.exe
636	1.exe
636	1.exe
1280	powershell.exe
636	1.exe
1972	wsappz.exe
1972	wsappz.exe
2000	AnyDesk.exe
1260	powershell.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

powershell.exepowershell.exe1.exetaskkill.exetaskkill.exepowershell.exeComdriverSvc.exepowershell.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	636	1.exe
Token: SeAssignPrimaryTokenPrivilege	636	1.exe
Token: SeIncreaseQuotaPrivilege	636	1.exe
Token: 0	636	1.exe
Token: SeDebugPrivilege	1616	taskkill.exe
Token: SeDebugPrivilege	1712	taskkill.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	1916	ComdriverSvc.exe
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeDebugPrivilege	1616	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

migrate.120.execmd.execmd.exedc.exeany.execmd.exenet.exenet.exe

description	pid	process	target process
PID 2028 wrote to memory of 1428	2028	migrate.120.exe	powershell.exe
PID 2028 wrote to memory of 1428	2028	migrate.120.exe	powershell.exe
PID 2028 wrote to memory of 1428	2028	migrate.120.exe	powershell.exe
PID 2028 wrote to memory of 1428	2028	migrate.120.exe	powershell.exe
PID 2028 wrote to memory of 2036	2028	migrate.120.exe	powershell.exe
PID 2028 wrote to memory of 2036	2028	migrate.120.exe	powershell.exe
PID 2028 wrote to memory of 2036	2028	migrate.120.exe	powershell.exe
PID 2028 wrote to memory of 2036	2028	migrate.120.exe	powershell.exe
PID 2028 wrote to memory of 636	2028	migrate.120.exe	1.exe
PID 2028 wrote to memory of 636	2028	migrate.120.exe	1.exe
PID 2028 wrote to memory of 636	2028	migrate.120.exe	1.exe
PID 2028 wrote to memory of 636	2028	migrate.120.exe	1.exe
PID 2028 wrote to memory of 1692	2028	migrate.120.exe	cmd.exe
PID 2028 wrote to memory of 1692	2028	migrate.120.exe	cmd.exe
PID 2028 wrote to memory of 1692	2028	migrate.120.exe	cmd.exe
PID 2028 wrote to memory of 1692	2028	migrate.120.exe	cmd.exe
PID 2028 wrote to memory of 1556	2028	migrate.120.exe	any.exe
PID 2028 wrote to memory of 1556	2028	migrate.120.exe	any.exe
PID 2028 wrote to memory of 1556	2028	migrate.120.exe	any.exe
PID 2028 wrote to memory of 1556	2028	migrate.120.exe	any.exe
PID 1692 wrote to memory of 1072	1692	cmd.exe	cmd.exe
PID 1692 wrote to memory of 1072	1692	cmd.exe	cmd.exe
PID 1692 wrote to memory of 1072	1692	cmd.exe	cmd.exe
PID 1692 wrote to memory of 1072	1692	cmd.exe	cmd.exe
PID 2028 wrote to memory of 1964	2028	migrate.120.exe	dc.exe
PID 2028 wrote to memory of 1964	2028	migrate.120.exe	dc.exe
PID 2028 wrote to memory of 1964	2028	migrate.120.exe	dc.exe
PID 2028 wrote to memory of 1964	2028	migrate.120.exe	dc.exe
PID 1072 wrote to memory of 1968	1072	cmd.exe	chcp.com
PID 1072 wrote to memory of 1968	1072	cmd.exe	chcp.com
PID 1072 wrote to memory of 1968	1072	cmd.exe	chcp.com
PID 1072 wrote to memory of 1968	1072	cmd.exe	chcp.com
PID 1072 wrote to memory of 1584	1072	cmd.exe	timeout.exe
PID 1072 wrote to memory of 1584	1072	cmd.exe	timeout.exe
PID 1072 wrote to memory of 1584	1072	cmd.exe	timeout.exe
PID 1072 wrote to memory of 1584	1072	cmd.exe	timeout.exe
PID 1964 wrote to memory of 1672	1964	dc.exe	WScript.exe
PID 1964 wrote to memory of 1672	1964	dc.exe	WScript.exe
PID 1964 wrote to memory of 1672	1964	dc.exe	WScript.exe
PID 1964 wrote to memory of 1672	1964	dc.exe	WScript.exe
PID 1556 wrote to memory of 436	1556	any.exe	cmd.exe
PID 1556 wrote to memory of 436	1556	any.exe	cmd.exe
PID 1556 wrote to memory of 436	1556	any.exe	cmd.exe
PID 1556 wrote to memory of 436	1556	any.exe	cmd.exe
PID 436 wrote to memory of 1320	436	cmd.exe	chcp.com
PID 436 wrote to memory of 1320	436	cmd.exe	chcp.com
PID 436 wrote to memory of 1320	436	cmd.exe	chcp.com
PID 436 wrote to memory of 1320	436	cmd.exe	chcp.com
PID 436 wrote to memory of 1356	436	cmd.exe	net.exe
PID 436 wrote to memory of 1356	436	cmd.exe	net.exe
PID 436 wrote to memory of 1356	436	cmd.exe	net.exe
PID 436 wrote to memory of 1356	436	cmd.exe	net.exe
PID 1356 wrote to memory of 1316	1356	net.exe	net1.exe
PID 1356 wrote to memory of 1316	1356	net.exe	net1.exe
PID 1356 wrote to memory of 1316	1356	net.exe	net1.exe
PID 1356 wrote to memory of 1316	1356	net.exe	net1.exe
PID 436 wrote to memory of 1948	436	cmd.exe	net.exe
PID 436 wrote to memory of 1948	436	cmd.exe	net.exe
PID 436 wrote to memory of 1948	436	cmd.exe	net.exe
PID 436 wrote to memory of 1948	436	cmd.exe	net.exe
PID 1948 wrote to memory of 968	1948	net.exe	net1.exe
PID 1948 wrote to memory of 968	1948	net.exe	net1.exe
PID 1948 wrote to memory of 968	1948	net.exe	net1.exe
PID 1948 wrote to memory of 968	1948	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\migrate.120.exe
"C:\Users\Admin\AppData\Local\Temp\migrate.120.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\migration , c:\users\kbtgt\desktop , C:\Windows\tasks , C:\Windows , C:\Windows\Logs , C:\Windows\SysWOW64 , C:\Windows\System32\WindowsPowerShell\v1.0 , C:\ProgramData , C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe , powershell.exe , c:\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\programdata\1.exe
"C:\programdata\1.exe" /D
2⤵
- Modifies security service
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\programdata\1.exe
"C:\programdata\1.exe" /S 1
3⤵
- Modifies security service
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
PID:1876

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\programdata\ru.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K "c:\programdata\st.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1968

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:1584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" dir "C:\ProgramData\Microsoft\Windows Defender" "
4⤵
PID:1328

C:\Windows\SysWOW64\findstr.exe
findstr /i "Platform"
4⤵
PID:536

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath c:\windows\migration\ , c:\users\kbtgt\desktop\ , C:\Windows\tasks\ , C:\Windows\ , C:\Windows\Logs\ , C:\Windows\SysWOW64\ , C:\Windows\System32\WindowsPowerShell\v1.0\ , C:\ProgramData\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Superfetch.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\SysWOW64\find.exe
find /I /N "Superfetch.exe"
4⤵
PID:1896

C:\programdata\any.exe
"C:\programdata\any.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\programdata\any.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1320

C:\Windows\SysWOW64\net.exe
net stop TaskSc
4⤵
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TaskSc
5⤵
PID:1316

C:\Windows\SysWOW64\net.exe
net stop TaskScs
4⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TaskScs
5⤵
PID:968

C:\Windows\SysWOW64\net.exe
net stop AnyDesk
4⤵
PID:1100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AnyDesk
5⤵
PID:948

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM anydesk.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM wininit1.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell cmd.exe /c C:\ProgramData\wsappz.exe --install C:\ProgramData\AnyDesk --start-with-win --silent
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\ProgramData\wsappz.exe --install C:\ProgramData\AnyDesk --start-with-win --silent
5⤵
- Loads dropped DLL
PID:572

C:\ProgramData\wsappz.exe
C:\ProgramData\wsappz.exe --install C:\ProgramData\AnyDesk --start-with-win --silent
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1972

C:\programdata\dc.exe
"C:\programdata\dc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\runtimeMonitor\eW0NlR3z8rHah1r0tet2KhNAo.vbe"
3⤵
PID:1672

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\runtimeMonitor\PsYm20I.bat" "
4⤵
- Loads dropped DLL
PID:824

C:\runtimeMonitor\ComdriverSvc.exe
"C:\runtimeMonitor\ComdriverSvc.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\ProgramData\AnyDesk\AnyDesk.exe
"C:\ProgramData\AnyDesk\AnyDesk.exe" --service
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2000

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
C:\ProgramData\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
C:\ProgramData\AnyDesk\AnyDesk.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
58B

MD5
77ae1fc149007f8910f5d869c0c047b7

SHA1
3132b12bf5f45520497d7ed2392fc4a2448ab805

SHA256
904c374bb4bc06ce3c1d4ffb173199dfb93c17f3403d9a4fcf65c66639116912

SHA512
1ad9b1fc52bbd43c80b6d6354fb0bd3e1a1ffa1eb6e4991aa791cff180b12489c1a5649f1367cd31fea5f41a55c8045de1ff851931fbeb564f326364fe7b61b8

Download Submit
C:\ProgramData\any.exe
Filesize
6.1MB

MD5
83834462455be62ccf135f3137263119

SHA1
f23d183db2adf37e80469191c7d452e8d39935b6

SHA256
565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23

SHA512
7aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411

Download Submit
C:\ProgramData\curl.exe
Filesize
5.2MB

MD5
104023cef829fce3e34bf1514daff629

SHA1
b6e7b949109298ec7ff1aa64404a859b5b41ccae

SHA256
15b1158d806de14013fdc3f0e81dca725481d2393249994a122c0a70721ae9f5

SHA512
efebee49ffebf0dcb07c6e7d24477101a7c8a2a03b0bea4df9c1054943823026ffd46f54cc51fb8de062e3641f021d5cf0b23ed67d46a549ee23e5fa7b12be1e

Download Submit
C:\ProgramData\dc.exe
Filesize
1.3MB

MD5
dae7ec3880731dcd27311b4e1dab5e49

SHA1
52d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc

SHA256
59a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19

SHA512
8064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da

Download Submit
C:\ProgramData\wsappz.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\ProgramData\wsappz.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
f3c8ce665431851e4dc5889194b97319

SHA1
ad72756bbf6f80b29ceb1d8ca259c58e7cfbd481

SHA256
600bda5755b916e0682956893f4a42c16fab8b2d91e29a32e530b9aa8434d52f

SHA512
aafc6ce08dea3525ecc5158e158ca2e0ea0c9b93ea84e31914c92d499bd066cf60360d84f04df6a2af5002019970bcc8f2cf5d81e8d8a7d21048fe18db83f244

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
eeb161e7cb47a9ae764fefe307667dc6

SHA1
749b4eeb0886a2f22e0aede989cb5bf1bb0725ba

SHA256
dc6f95a259c93ed090563ad13d4d9c376c7ade13388bc19a7a6078726435ea6d

SHA512
ce98a3804282046bb4b127c95a1da452126d6ae4337ea5203f0cbb8b87b48b885608e454d08569fc741cc3606142ba0156c9b10205ed70da3b266c9c7ecf891a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
eeb161e7cb47a9ae764fefe307667dc6

SHA1
749b4eeb0886a2f22e0aede989cb5bf1bb0725ba

SHA256
dc6f95a259c93ed090563ad13d4d9c376c7ade13388bc19a7a6078726435ea6d

SHA512
ce98a3804282046bb4b127c95a1da452126d6ae4337ea5203f0cbb8b87b48b885608e454d08569fc741cc3606142ba0156c9b10205ed70da3b266c9c7ecf891a

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini
Filesize
233B

MD5
cd4326a6fd01cd3ca77cfd8d0f53821b

SHA1
a1030414d1f8e5d5a6e89d5a309921b8920856f9

SHA256
1c59482111e657ef5190e22de6c047609a67e46e28d67fd70829882fd8087a9c

SHA512
29ce5532fb3adf55caa011e53736507fbf241afee9d3ca516a1d9bffec6e5cb2f87c4cd73e4da8c33b8706f96ba3b31f13ce229746110d5bd248839f67ec6d67

Download Submit
C:\programdata\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
C:\programdata\any.bat
Filesize
2KB

MD5
7189281b9182a9a412a92af69b77c836

SHA1
d98322de39d62e8d5e6f8fb7fe2ce30f578a4853

SHA256
baae6af47a9b83c57269d62cf17e4d68927adee93e5567ce2bb5ae33cbe845eb

SHA512
211be9213611bdbd44b2dac2462d0688c02f352c6c55cc6602d84b0a8ceff9a96ca79f6989ce825c8ecedf65fb13e6583fb92fb56c551bf61948320f12cbb6be

Download Submit
C:\programdata\any.exe
Filesize
6.1MB

MD5
83834462455be62ccf135f3137263119

SHA1
f23d183db2adf37e80469191c7d452e8d39935b6

SHA256
565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23

SHA512
7aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411

Download Submit
C:\programdata\dc.exe
Filesize
1.3MB

MD5
dae7ec3880731dcd27311b4e1dab5e49

SHA1
52d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc

SHA256
59a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19

SHA512
8064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da

Download Submit
C:\programdata\ru.bat
Filesize
32B

MD5
11e08b5abf3f1675f99c96f78c128b23

SHA1
40d6dd08262ef959328aec4dc5ed07532232037c

SHA256
50ac09332ff9d6521244b4f9cf6fd9cc489b3324ed1316e07f6a5904230397e7

SHA512
3005767016b4c5da031fb2ac5288b01821d54768b5e099e1157d4fa4621a078d589e54d9c5c89ded58ac3ca94395dacbf1d840f9210f909d3c9dfe8092de8ff9

Download Submit
C:\runtimeMonitor\ComdriverSvc.exe
Filesize
1.0MB

MD5
18557c37efdef82648622fa471a2db2f

SHA1
e72f774a0bd16c3d7074a826f7f1711845738972

SHA256
04142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27

SHA512
fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b

Download Submit
C:\runtimeMonitor\ComdriverSvc.exe
Filesize
1.0MB

MD5
18557c37efdef82648622fa471a2db2f

SHA1
e72f774a0bd16c3d7074a826f7f1711845738972

SHA256
04142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27

SHA512
fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b

Download Submit
C:\runtimeMonitor\PsYm20I.bat
Filesize
36B

MD5
13e52857c334ca3b14c44cffece40607

SHA1
eaa9d704385cec30f7841ef6d3c051b225007dbe

SHA256
4e457ab29e89a42a805b427decc8e571e15d857061c939ee7aa8d0bcaff25a6c

SHA512
4b0c23faad00995254ae02b5ce55de33344f66120f1e8640d80059d7cf77f3b149c46ae24bdd459881ef332331cc59e6fc50e55c1fa1a585f63dbf5badb93337

Download Submit
C:\runtimeMonitor\eW0NlR3z8rHah1r0tet2KhNAo.vbe
Filesize
198B

MD5
f3fbd4e6a0097ff2d729be2b6e494e80

SHA1
abed54083af60944e4628718061fa6b9ce402594

SHA256
b7d74a96173fd177dceead637138814738b68799b018437dbd4ba20213977e56

SHA512
f9a7f899cdc423a3214072de0a2858f212e15d9055b22cbb8536d20cea3fe199e3f44f3183c6d3e41e85a04b2b47e0497ead13eeb49e67f91e44cb19fe4a0f57

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\programdata\st.bat
Filesize
3KB

MD5
d7c8216954b5eb6037dd1a45dd57a4f0

SHA1
a7edc98e44c55070d28941bfc9f7d88a95576041

SHA256
cf5405b85d6f3e6365707af3302610d84596c23f0f7717c43eb11c1ac702bce7

SHA512
3338f2c096137b568cf1f3ac1ae6ab4be2b2baa7ed08aaa4b7fe6b72ddca231d456a3fa41c817b6dc14abc62c062a390a440b8a3fc6a1ab5243f7f4fc12f29af

Download Submit
\??\c:\programdata\wsappy.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
\ProgramData\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
\ProgramData\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
\ProgramData\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
\ProgramData\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
\ProgramData\AnyDesk\AnyDesk.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
\ProgramData\any.exe
Filesize
6.1MB

MD5
83834462455be62ccf135f3137263119

SHA1
f23d183db2adf37e80469191c7d452e8d39935b6

SHA256
565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23

SHA512
7aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411

Download Submit
\ProgramData\any.exe
Filesize
6.1MB

MD5
83834462455be62ccf135f3137263119

SHA1
f23d183db2adf37e80469191c7d452e8d39935b6

SHA256
565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23

SHA512
7aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411

Download Submit
\ProgramData\any.exe
Filesize
6.1MB

MD5
83834462455be62ccf135f3137263119

SHA1
f23d183db2adf37e80469191c7d452e8d39935b6

SHA256
565c7756135d7858e8963928fff8d1fdb99a452d8568319aeda4a073f51d0a23

SHA512
7aa6374b4bafae925a1da59212fdb7f262f98848c058173777c0f30c61243b982cfc3d13ce106e9eb59cfb9957c81a5b496e82a5522e9209f0c30f53f864c411

Download Submit
\ProgramData\dc.exe
Filesize
1.3MB

MD5
dae7ec3880731dcd27311b4e1dab5e49

SHA1
52d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc

SHA256
59a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19

SHA512
8064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da

Download Submit
\ProgramData\dc.exe
Filesize
1.3MB

MD5
dae7ec3880731dcd27311b4e1dab5e49

SHA1
52d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc

SHA256
59a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19

SHA512
8064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da

Download Submit
\ProgramData\dc.exe
Filesize
1.3MB

MD5
dae7ec3880731dcd27311b4e1dab5e49

SHA1
52d88c8917cbbe4c40bf2e3a67ef8eaad2b52ffc

SHA256
59a058a95f24d57c98b1801a1bc1e1545db8be230a628e2f7dcc34c0452f2d19

SHA512
8064f3819c815db7cafe243de781bd7755f208ea932f383687421ecd56d610c1929426f6ca55b592e51147386f2ece42bc9b2ebb5a208381a510f9dd88d6e5da

Download Submit
\ProgramData\wsappz.exe
Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
\runtimeMonitor\ComdriverSvc.exe
Filesize
1.0MB

MD5
18557c37efdef82648622fa471a2db2f

SHA1
e72f774a0bd16c3d7074a826f7f1711845738972

SHA256
04142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27

SHA512
fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b

Download Submit
\runtimeMonitor\ComdriverSvc.exe
Filesize
1.0MB

MD5
18557c37efdef82648622fa471a2db2f

SHA1
e72f774a0bd16c3d7074a826f7f1711845738972

SHA256
04142a2c4e3157a371266a5705959946268fc74b942597062e4dc3ce5f570c27

SHA512
fa0a4e1f74806ff77ad71315d2fc4e008b74c0aac3fc8cbb7e6fe44278e0edde62f99c4d9c3aaff41bc134fc083fe73b638035382c279169f378b66a9bf09d9b

Download Submit
memory/436-95-0x0000000000000000-mapping.dmp

Download
memory/536-143-0x0000000000000000-mapping.dmp

Download
memory/572-115-0x0000000000000000-mapping.dmp

Download
memory/636-68-0x0000000000000000-mapping.dmp

Download
memory/824-114-0x0000000000000000-mapping.dmp

Download
memory/968-102-0x0000000000000000-mapping.dmp

Download
memory/1072-80-0x0000000000000000-mapping.dmp

Download
memory/1100-103-0x0000000000000000-mapping.dmp

Download
memory/1260-144-0x0000000000000000-mapping.dmp

Download
memory/1260-150-0x00000000728B0000-0x0000000072E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1260-154-0x00000000728B0000-0x0000000072E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1280-109-0x0000000000000000-mapping.dmp

Download
memory/1280-145-0x00000000728B0000-0x0000000072E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1280-119-0x00000000728B0000-0x0000000072E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1316-100-0x0000000000000000-mapping.dmp

Download
memory/1320-98-0x0000000000000000-mapping.dmp

Download
memory/1328-140-0x0000000000000000-mapping.dmp

Download
memory/1356-99-0x0000000000000000-mapping.dmp

Download
memory/1428-58-0x0000000073850000-0x0000000073DFB000-memory.dmp

Filesize
5.7MB

Download
memory/1428-57-0x0000000073850000-0x0000000073DFB000-memory.dmp

Filesize
5.7MB

Download
memory/1428-55-0x0000000000000000-mapping.dmp

Download
memory/1556-75-0x0000000000000000-mapping.dmp

Download
memory/1584-92-0x0000000000000000-mapping.dmp

Download
memory/1616-104-0x0000000000000000-mapping.dmp

Download
memory/1616-156-0x0000000000000000-mapping.dmp

Download
memory/1672-93-0x0000000000000000-mapping.dmp

Download
memory/1692-70-0x0000000000000000-mapping.dmp

Download
memory/1712-105-0x0000000000000000-mapping.dmp

Download
memory/1896-157-0x0000000000000000-mapping.dmp

Download
memory/1916-152-0x0000000000310000-0x0000000000318000-memory.dmp

Filesize
32KB

Download
memory/1916-159-0x00000000009E0000-0x00000000009EE000-memory.dmp

Filesize
56KB

Download
memory/1916-155-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download
memory/1916-148-0x00000000001D0000-0x00000000001EC000-memory.dmp

Filesize
112KB

Download
memory/1916-153-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/1916-131-0x0000000001170000-0x000000000127C000-memory.dmp

Filesize
1.0MB

Download
memory/1916-124-0x0000000000000000-mapping.dmp

Download
memory/1916-158-0x00000000003A0000-0x00000000003AC000-memory.dmp

Filesize
48KB

Download
memory/1916-151-0x00000000001F0000-0x0000000000206000-memory.dmp

Filesize
88KB

Download
memory/1948-101-0x0000000000000000-mapping.dmp

Download
memory/1964-85-0x0000000000000000-mapping.dmp

Download
memory/1968-90-0x0000000000000000-mapping.dmp

Download
memory/1972-149-0x0000000000A20000-0x0000000001A79000-memory.dmp

Filesize
16.3MB

Download
memory/1972-129-0x0000000000A20000-0x0000000001A79000-memory.dmp

Filesize
16.3MB

Download
memory/1972-128-0x0000000000A20000-0x0000000001A79000-memory.dmp

Filesize
16.3MB

Download
memory/1972-120-0x0000000000000000-mapping.dmp

Download
memory/2000-142-0x0000000000990000-0x00000000019E9000-memory.dmp

Filesize
16.3MB

Download
memory/2000-135-0x0000000000990000-0x00000000019E9000-memory.dmp

Filesize
16.3MB

Download
memory/2028-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/2036-62-0x0000000072E60000-0x000000007340B000-memory.dmp

Filesize
5.7MB

Download
memory/2036-63-0x0000000072E60000-0x000000007340B000-memory.dmp

Filesize
5.7MB

Download
memory/2036-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads