dcrat | 413e93938387abf6009f38e415cdbb6d2c800a4a163cd3987c68bee89d432f35

General

Target

9781aaa439fcf85da08d40c5c3e3909f.exe
Size

2.9MB
MD5

9781aaa439fcf85da08d40c5c3e3909f
SHA1

edd84aae94017cdde7dd564d2791c6389f98c01f
SHA256

413e93938387abf6009f38e415cdbb6d2c800a4a163cd3987c68bee89d432f35
SHA512

27be25ed8a4df487bbb3066a9d67ee8403cb91ec8f21aeb2367252c57cf209903f01f770394f6e9d05e627a7697a9ba446bea98f65f5be166f7be33c74dedd02
SSDEEP

49152:VVqaWggE8cLbTM0Qpx80y5tq4JyiK+RzzO/twfoLFAq4JNpFLP7:zqLggl0QpC0qt/JyV+hz5foLB4Jn

Score

10^/10

dcrat evasion infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	1804	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	1804	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	1804	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	1804	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	1804	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	1804	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	1804	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	1804	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	1804	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	1804	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	1804	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	1804	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	1804	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	1804	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	1804	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	1804	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	1804	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	1804	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

9781aaa439fcf85da08d40c5c3e3909f.execsrss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9781aaa439fcf85da08d40c5c3e3909f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9781aaa439fcf85da08d40c5c3e3909f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9781aaa439fcf85da08d40c5c3e3909f.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/928-54-0x00000000010C0000-0x00000000013A6000-memory.dmp	dcrat
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\WMIADAP.exe	dcrat
C:\Windows\DigitalLocker\en-US\csrss.exe	dcrat
C:\Windows\DigitalLocker\en-US\csrss.exe	dcrat
behavioral1/memory/1808-99-0x0000000000E80000-0x0000000001166000-memory.dmp	dcrat
behavioral1/memory/1808-100-0x0000000000410000-0x0000000000490000-memory.dmp	dcrat
behavioral1/memory/1808-112-0x0000000000410000-0x0000000000490000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

1808 csrss.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1808	csrss.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

9781aaa439fcf85da08d40c5c3e3909f.execsrss.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9781aaa439fcf85da08d40c5c3e3909f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9781aaa439fcf85da08d40c5c3e3909f.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Drops file in Program Files directory 2 IoCs

Processes:

9781aaa439fcf85da08d40c5c3e3909f.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\Office14\wininit.exe	9781aaa439fcf85da08d40c5c3e3909f.exe
File created	C:\Program Files\Microsoft Office\Office14\56085415360792	9781aaa439fcf85da08d40c5c3e3909f.exe

Drops file in Windows directory 4 IoCs

Processes:

9781aaa439fcf85da08d40c5c3e3909f.exe

description	ioc	process
File created	C:\Windows\schemas\WCN\wininit.exe	9781aaa439fcf85da08d40c5c3e3909f.exe
File created	C:\Windows\schemas\WCN\56085415360792	9781aaa439fcf85da08d40c5c3e3909f.exe
File created	C:\Windows\DigitalLocker\en-US\csrss.exe	9781aaa439fcf85da08d40c5c3e3909f.exe
File created	C:\Windows\DigitalLocker\en-US\886983d96e3d3e	9781aaa439fcf85da08d40c5c3e3909f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1396 1808 WerFault.exe csrss.exe

pid	pid_target	process	target process
1396	1808	WerFault.exe	csrss.exe

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1796	schtasks.exe
1012	schtasks.exe
1476	schtasks.exe
1508	schtasks.exe
316	schtasks.exe
608	schtasks.exe
1732	schtasks.exe
340	schtasks.exe
1624	schtasks.exe
1704	schtasks.exe
1400	schtasks.exe
1580	schtasks.exe
632	schtasks.exe
1600	schtasks.exe
1972	schtasks.exe
1788	schtasks.exe
1680	schtasks.exe
1536	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9781aaa439fcf85da08d40c5c3e3909f.execsrss.exe

pid	process
928	9781aaa439fcf85da08d40c5c3e3909f.exe
928	9781aaa439fcf85da08d40c5c3e3909f.exe
928	9781aaa439fcf85da08d40c5c3e3909f.exe
928	9781aaa439fcf85da08d40c5c3e3909f.exe
928	9781aaa439fcf85da08d40c5c3e3909f.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe
1808	csrss.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

9781aaa439fcf85da08d40c5c3e3909f.execsrss.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	928	9781aaa439fcf85da08d40c5c3e3909f.exe
Token: SeDebugPrivilege	1808	csrss.exe
Token: SeBackupPrivilege	872	vssvc.exe
Token: SeRestorePrivilege	872	vssvc.exe
Token: SeAuditPrivilege	872	vssvc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

9781aaa439fcf85da08d40c5c3e3909f.execsrss.exe

description	pid	process	target process
PID 928 wrote to memory of 1808	928	9781aaa439fcf85da08d40c5c3e3909f.exe	csrss.exe
PID 928 wrote to memory of 1808	928	9781aaa439fcf85da08d40c5c3e3909f.exe	csrss.exe
PID 928 wrote to memory of 1808	928	9781aaa439fcf85da08d40c5c3e3909f.exe	csrss.exe
PID 1808 wrote to memory of 1992	1808	csrss.exe	WScript.exe
PID 1808 wrote to memory of 1992	1808	csrss.exe	WScript.exe
PID 1808 wrote to memory of 1992	1808	csrss.exe	WScript.exe
PID 1808 wrote to memory of 1860	1808	csrss.exe	WScript.exe
PID 1808 wrote to memory of 1860	1808	csrss.exe	WScript.exe
PID 1808 wrote to memory of 1860	1808	csrss.exe	WScript.exe
PID 1808 wrote to memory of 1396	1808	csrss.exe	WerFault.exe
PID 1808 wrote to memory of 1396	1808	csrss.exe	WerFault.exe
PID 1808 wrote to memory of 1396	1808	csrss.exe	WerFault.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

9781aaa439fcf85da08d40c5c3e3909f.execsrss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9781aaa439fcf85da08d40c5c3e3909f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9781aaa439fcf85da08d40c5c3e3909f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9781aaa439fcf85da08d40c5c3e3909f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\9781aaa439fcf85da08d40c5c3e3909f.exe
"C:\Users\Admin\AppData\Local\Temp\9781aaa439fcf85da08d40c5c3e3909f.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:928

C:\Windows\DigitalLocker\en-US\csrss.exe
"C:\Windows\DigitalLocker\en-US\csrss.exe"
2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1808

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35f10857-d0d7-4190-b39c-c724a616977e.vbs"
3⤵
PID:1992

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\442c095f-b395-4c21-9640-ca3e028ae66b.vbs"
3⤵
PID:1860

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1808 -s 1936
3⤵
- Program crash
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Local Settings\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Local Settings\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\schemas\WCN\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\schemas\WCN\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\schemas\WCN\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Documents\My Music\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Music\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Documents\My Music\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\DigitalLocker\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\DigitalLocker\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1972

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Bypass User Account Control

1

T1088

Scheduled Task

1

T1053

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\WMIADAP.exe
Filesize
2.9MB

MD5
9781aaa439fcf85da08d40c5c3e3909f

SHA1
edd84aae94017cdde7dd564d2791c6389f98c01f

SHA256
413e93938387abf6009f38e415cdbb6d2c800a4a163cd3987c68bee89d432f35

SHA512
27be25ed8a4df487bbb3066a9d67ee8403cb91ec8f21aeb2367252c57cf209903f01f770394f6e9d05e627a7697a9ba446bea98f65f5be166f7be33c74dedd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\35f10857-d0d7-4190-b39c-c724a616977e.vbs
Filesize
716B

MD5
c5f99bcab3c5cec7db40c675e0a18b49

SHA1
bbd9bb193d4ec1851cdac38a58f269068ce5dd67

SHA256
7941943383c7eedc1da1bd1f8627eab078d363cd6c6c5de007457310be1f3e1d

SHA512
0a5d0847d195b62d78440f2474c59d5593fc1195ee6a5890d30e3d904ebf8fe38e1de78334d6ddf8c19294102642e4e7e47f22c3510e940b6a3930c466f282f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\442c095f-b395-4c21-9640-ca3e028ae66b.vbs
Filesize
492B

MD5
e2c404bc9cf04aec6318d9eebcce65fb

SHA1
65f0bdac062d6ab7a633487eceab4d6b43335bc7

SHA256
9ddc872dc450898f690962d18a62463c743c94ed45097d9567a75d584170fde1

SHA512
933f53f4e8d263d3d31552ae2f29a8e2b2f0489595e7608d3ec2ac957eba323754b2ee8477d46e209f1cec2d697a2eeea6243b07004ec3ae308d6ae10acda215

Download Submit
C:\Windows\DigitalLocker\en-US\csrss.exe
Filesize
2.9MB

MD5
9781aaa439fcf85da08d40c5c3e3909f

SHA1
edd84aae94017cdde7dd564d2791c6389f98c01f

SHA256
413e93938387abf6009f38e415cdbb6d2c800a4a163cd3987c68bee89d432f35

SHA512
27be25ed8a4df487bbb3066a9d67ee8403cb91ec8f21aeb2367252c57cf209903f01f770394f6e9d05e627a7697a9ba446bea98f65f5be166f7be33c74dedd02

Download Submit
C:\Windows\DigitalLocker\en-US\csrss.exe
Filesize
2.9MB

MD5
9781aaa439fcf85da08d40c5c3e3909f

SHA1
edd84aae94017cdde7dd564d2791c6389f98c01f

SHA256
413e93938387abf6009f38e415cdbb6d2c800a4a163cd3987c68bee89d432f35

SHA512
27be25ed8a4df487bbb3066a9d67ee8403cb91ec8f21aeb2367252c57cf209903f01f770394f6e9d05e627a7697a9ba446bea98f65f5be166f7be33c74dedd02

Download Submit
memory/928-63-0x0000000000A90000-0x0000000000A9C000-memory.dmp

Filesize
48KB

Download
memory/928-74-0x0000000000D20000-0x0000000000D2C000-memory.dmp

Filesize
48KB

Download
memory/928-62-0x0000000000A80000-0x0000000000A88000-memory.dmp

Filesize
32KB

Download
memory/928-61-0x0000000000A60000-0x0000000000A76000-memory.dmp

Filesize
88KB

Download
memory/928-54-0x00000000010C0000-0x00000000013A6000-memory.dmp

Filesize
2.9MB

Download
memory/928-64-0x0000000000AA0000-0x0000000000AAA000-memory.dmp

Filesize
40KB

Download
memory/928-65-0x0000000000AB0000-0x0000000000B06000-memory.dmp

Filesize
344KB

Download
memory/928-66-0x0000000000B00000-0x0000000000B0C000-memory.dmp

Filesize
48KB

Download
memory/928-67-0x0000000000B10000-0x0000000000B18000-memory.dmp

Filesize
32KB

Download
memory/928-68-0x0000000000BA0000-0x0000000000BB2000-memory.dmp

Filesize
72KB

Download
memory/928-69-0x0000000000BD0000-0x0000000000BDC000-memory.dmp

Filesize
48KB

Download
memory/928-70-0x0000000000BE0000-0x0000000000BE8000-memory.dmp

Filesize
32KB

Download
memory/928-71-0x0000000000CF0000-0x0000000000CFC000-memory.dmp

Filesize
48KB

Download
memory/928-72-0x0000000000D00000-0x0000000000D0C000-memory.dmp

Filesize
48KB

Download
memory/928-73-0x0000000000D10000-0x0000000000D18000-memory.dmp

Filesize
32KB

Download
memory/928-60-0x0000000000420000-0x0000000000428000-memory.dmp

Filesize
32KB

Download
memory/928-75-0x0000000000D30000-0x0000000000D3A000-memory.dmp

Filesize
40KB

Download
memory/928-76-0x0000000000D40000-0x0000000000D4E000-memory.dmp

Filesize
56KB

Download
memory/928-77-0x0000000000D50000-0x0000000000D58000-memory.dmp

Filesize
32KB

Download
memory/928-78-0x0000000000D60000-0x0000000000D68000-memory.dmp

Filesize
32KB

Download
memory/928-79-0x0000000000D70000-0x0000000000D78000-memory.dmp

Filesize
32KB

Download
memory/928-80-0x0000000000F00000-0x0000000000F0A000-memory.dmp

Filesize
40KB

Download
memory/928-59-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/928-58-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/928-57-0x00000000001E0000-0x00000000001EE000-memory.dmp

Filesize
56KB

Download
memory/928-55-0x000000001B3A0000-0x000000001B420000-memory.dmp

Filesize
512KB

Download
memory/928-56-0x0000000000150000-0x000000000015E000-memory.dmp

Filesize
56KB

Download
memory/1808-101-0x0000000000C30000-0x0000000000C86000-memory.dmp

Filesize
344KB

Download
memory/1808-102-0x0000000000610000-0x0000000000622000-memory.dmp

Filesize
72KB

Download
memory/1808-100-0x0000000000410000-0x0000000000490000-memory.dmp

Filesize
512KB

Download
memory/1808-99-0x0000000000E80000-0x0000000001166000-memory.dmp

Filesize
2.9MB

Download
memory/1808-112-0x0000000000410000-0x0000000000490000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads