dcrat | 91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

Analysis

max time kernel
13s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12-04-2023 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5779722125.exe
Size

5.7MB
MD5

44e4646b76a889c2115bdacc6e63ba2a
SHA1

efe7c1dae715922ff19121ff4f0e97ca904ee536
SHA256

91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8
SHA512

b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d
SSDEEP

1536:gpyA0Sdf7CwS+1iSpyOVvBkHA/BGGG/DoFVuZB3ZnMALr/pQZw3MIeqVz1iU80hy:gQcYyOx2TsuVxt11oPvZBhYU2

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	1696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	1696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	1696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	1696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	1696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	1696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	1696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	1696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	1696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	1696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	1696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	1696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	1696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	1696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	1696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	1696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	1696	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	1696	schtasks.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

5779722125.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5779722125.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1764-55-0x000000001BB50000-0x000000001BCAE000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

tmp20BB.tmp.exe

pid process

1028 tmp20BB.tmp.exe
Loads dropped DLL 3 IoCs

Processes:

WerFault.exe

pid process

1528 WerFault.exe
1528 WerFault.exe
1528 WerFault.exe

pid	process
1028	tmp20BB.tmp.exe

pid	process
1528	WerFault.exe
1528	WerFault.exe
1528	WerFault.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

5779722125.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5779722125.exe

Drops file in Windows directory 3 IoCs

Processes:

5779722125.exe

description	ioc	process
File created	C:\Windows\Downloaded Program Files\WmiPrvSE.exe	5779722125.exe
File created	C:\Windows\Downloaded Program Files\24dbde2999530e	5779722125.exe
File opened for modification	C:\Windows\Downloaded Program Files\WmiPrvSE.exe	5779722125.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1528 1028 WerFault.exe tmp20BB.tmp.exe

pid	pid_target	process	target process
1528	1028	WerFault.exe	tmp20BB.tmp.exe

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1240	schtasks.exe
924	schtasks.exe
2004	schtasks.exe
1072	schtasks.exe
1960	schtasks.exe
1884	schtasks.exe
1556	schtasks.exe
1352	schtasks.exe
1756	schtasks.exe
1924	schtasks.exe
1508	schtasks.exe
1496	schtasks.exe
1564	schtasks.exe
1084	schtasks.exe
1816	schtasks.exe
1840	schtasks.exe
1008	schtasks.exe
732	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5779722125.exe

pid	process
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe
1764	5779722125.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5779722125.exe

description pid process

Token: SeDebugPrivilege 1764 5779722125.exe

description	pid	process
Token: SeDebugPrivilege	1764	5779722125.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

5779722125.exetmp20BB.tmp.exe

description	pid	process	target process
PID 1764 wrote to memory of 1028	1764	5779722125.exe	tmp20BB.tmp.exe
PID 1764 wrote to memory of 1028	1764	5779722125.exe	tmp20BB.tmp.exe
PID 1764 wrote to memory of 1028	1764	5779722125.exe	tmp20BB.tmp.exe
PID 1764 wrote to memory of 1028	1764	5779722125.exe	tmp20BB.tmp.exe
PID 1028 wrote to memory of 1528	1028	tmp20BB.tmp.exe	WerFault.exe
PID 1028 wrote to memory of 1528	1028	tmp20BB.tmp.exe	WerFault.exe
PID 1028 wrote to memory of 1528	1028	tmp20BB.tmp.exe	WerFault.exe
PID 1028 wrote to memory of 1528	1028	tmp20BB.tmp.exe	WerFault.exe
PID 1764 wrote to memory of 1820	1764	5779722125.exe	powershell.exe
PID 1764 wrote to memory of 1820	1764	5779722125.exe	powershell.exe
PID 1764 wrote to memory of 1820	1764	5779722125.exe	powershell.exe
PID 1764 wrote to memory of 976	1764	5779722125.exe	powershell.exe
PID 1764 wrote to memory of 976	1764	5779722125.exe	powershell.exe
PID 1764 wrote to memory of 976	1764	5779722125.exe	powershell.exe
PID 1764 wrote to memory of 1992	1764	5779722125.exe	powershell.exe
PID 1764 wrote to memory of 1992	1764	5779722125.exe	powershell.exe
PID 1764 wrote to memory of 1992	1764	5779722125.exe	powershell.exe
PID 1764 wrote to memory of 1152	1764	5779722125.exe	powershell.exe
PID 1764 wrote to memory of 1152	1764	5779722125.exe	powershell.exe
PID 1764 wrote to memory of 1152	1764	5779722125.exe	powershell.exe
PID 1764 wrote to memory of 1984	1764	5779722125.exe	powershell.exe
PID 1764 wrote to memory of 1984	1764	5779722125.exe	powershell.exe
PID 1764 wrote to memory of 1984	1764	5779722125.exe	powershell.exe
PID 1764 wrote to memory of 1604	1764	5779722125.exe	powershell.exe
PID 1764 wrote to memory of 1604	1764	5779722125.exe	powershell.exe
PID 1764 wrote to memory of 1604	1764	5779722125.exe	powershell.exe
PID 1764 wrote to memory of 1672	1764	5779722125.exe	powershell.exe
PID 1764 wrote to memory of 1672	1764	5779722125.exe	powershell.exe
PID 1764 wrote to memory of 1672	1764	5779722125.exe	powershell.exe
PID 1764 wrote to memory of 728	1764	5779722125.exe	powershell.exe
PID 1764 wrote to memory of 728	1764	5779722125.exe	powershell.exe
PID 1764 wrote to memory of 728	1764	5779722125.exe	powershell.exe
PID 1764 wrote to memory of 968	1764	5779722125.exe	powershell.exe
PID 1764 wrote to memory of 968	1764	5779722125.exe	powershell.exe
PID 1764 wrote to memory of 968	1764	5779722125.exe	powershell.exe
PID 1764 wrote to memory of 1724	1764	5779722125.exe	powershell.exe
PID 1764 wrote to memory of 1724	1764	5779722125.exe	powershell.exe
PID 1764 wrote to memory of 1724	1764	5779722125.exe	powershell.exe
PID 1764 wrote to memory of 1692	1764	5779722125.exe	powershell.exe
PID 1764 wrote to memory of 1692	1764	5779722125.exe	powershell.exe
PID 1764 wrote to memory of 1692	1764	5779722125.exe	powershell.exe
PID 1764 wrote to memory of 1084	1764	5779722125.exe	powershell.exe
PID 1764 wrote to memory of 1084	1764	5779722125.exe	powershell.exe
PID 1764 wrote to memory of 1084	1764	5779722125.exe	powershell.exe
PID 1764 wrote to memory of 944	1764	5779722125.exe	cmd.exe
PID 1764 wrote to memory of 944	1764	5779722125.exe	cmd.exe
PID 1764 wrote to memory of 944	1764	5779722125.exe	cmd.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

5779722125.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5779722125.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5779722125.exe
"C:\Users\Admin\AppData\Local\Temp\5779722125.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1764

C:\Users\Admin\AppData\Local\Temp\tmp20BB.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp20BB.tmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 96
3⤵
- Loads dropped DLL
- Program crash
PID:1528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
PID:1820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
PID:976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
PID:1604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
PID:1984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
2⤵
PID:1152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
PID:1992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
PID:1672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
PID:728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
PID:968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
PID:1724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
PID:1692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
PID:1084

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VLZ7RDs3pv.bat"
2⤵
PID:944

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:764

C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\System.exe
"C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\System.exe"
3⤵
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Default User\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\SendTo\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\SendTo\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\Downloaded Program Files\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\Downloaded Program Files\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "57797221255" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Favorites\5779722125.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5779722125" /sc ONLOGON /tr "'C:\Users\Default\Favorites\5779722125.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "57797221255" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Favorites\5779722125.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:732

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\System.exe
Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\System.exe
Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Users\Admin\AppData\Local\Temp\VLZ7RDs3pv.bat
Filesize
224B

MD5
4ecbc7d8eb26f8f98d90670c01d8db1c

SHA1
dad8a74256d50ff4274d85cb094b1ebac670d744

SHA256
6b8fa8819053d579eba2934db4b61eae380d9d68545f4b86512586aa387e0faa

SHA512
d587887581aa81a90d932c6f538b6799128133dd08b3dd1663d854a7f42d4ed43c43f1b4fd831aa5a3c23f914b67716695e9292fbed5eb75f10f191fdb87848e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp20BB.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp20BB.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
01b711d2943f4311d9f7b188f0c35190

SHA1
d9a033383519b02cb2a844c884de357f35af693f

SHA256
2001bda6719f463d06e07110bd44322fb9bd2d931bbdc9dae1e3cfd7ab9d06e7

SHA512
636c5b275bbd6f8ccc2ed8a0e6227ad40efb0f0a248f18b83d5066a32fbf73b2c6fb988ef5183b84b438dfa3302ef833b24852764d3812f5f72cb92a553bc3d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
01b711d2943f4311d9f7b188f0c35190

SHA1
d9a033383519b02cb2a844c884de357f35af693f

SHA256
2001bda6719f463d06e07110bd44322fb9bd2d931bbdc9dae1e3cfd7ab9d06e7

SHA512
636c5b275bbd6f8ccc2ed8a0e6227ad40efb0f0a248f18b83d5066a32fbf73b2c6fb988ef5183b84b438dfa3302ef833b24852764d3812f5f72cb92a553bc3d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
01b711d2943f4311d9f7b188f0c35190

SHA1
d9a033383519b02cb2a844c884de357f35af693f

SHA256
2001bda6719f463d06e07110bd44322fb9bd2d931bbdc9dae1e3cfd7ab9d06e7

SHA512
636c5b275bbd6f8ccc2ed8a0e6227ad40efb0f0a248f18b83d5066a32fbf73b2c6fb988ef5183b84b438dfa3302ef833b24852764d3812f5f72cb92a553bc3d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
01b711d2943f4311d9f7b188f0c35190

SHA1
d9a033383519b02cb2a844c884de357f35af693f

SHA256
2001bda6719f463d06e07110bd44322fb9bd2d931bbdc9dae1e3cfd7ab9d06e7

SHA512
636c5b275bbd6f8ccc2ed8a0e6227ad40efb0f0a248f18b83d5066a32fbf73b2c6fb988ef5183b84b438dfa3302ef833b24852764d3812f5f72cb92a553bc3d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
01b711d2943f4311d9f7b188f0c35190

SHA1
d9a033383519b02cb2a844c884de357f35af693f

SHA256
2001bda6719f463d06e07110bd44322fb9bd2d931bbdc9dae1e3cfd7ab9d06e7

SHA512
636c5b275bbd6f8ccc2ed8a0e6227ad40efb0f0a248f18b83d5066a32fbf73b2c6fb988ef5183b84b438dfa3302ef833b24852764d3812f5f72cb92a553bc3d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
01b711d2943f4311d9f7b188f0c35190

SHA1
d9a033383519b02cb2a844c884de357f35af693f

SHA256
2001bda6719f463d06e07110bd44322fb9bd2d931bbdc9dae1e3cfd7ab9d06e7

SHA512
636c5b275bbd6f8ccc2ed8a0e6227ad40efb0f0a248f18b83d5066a32fbf73b2c6fb988ef5183b84b438dfa3302ef833b24852764d3812f5f72cb92a553bc3d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
01b711d2943f4311d9f7b188f0c35190

SHA1
d9a033383519b02cb2a844c884de357f35af693f

SHA256
2001bda6719f463d06e07110bd44322fb9bd2d931bbdc9dae1e3cfd7ab9d06e7

SHA512
636c5b275bbd6f8ccc2ed8a0e6227ad40efb0f0a248f18b83d5066a32fbf73b2c6fb988ef5183b84b438dfa3302ef833b24852764d3812f5f72cb92a553bc3d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
01b711d2943f4311d9f7b188f0c35190

SHA1
d9a033383519b02cb2a844c884de357f35af693f

SHA256
2001bda6719f463d06e07110bd44322fb9bd2d931bbdc9dae1e3cfd7ab9d06e7

SHA512
636c5b275bbd6f8ccc2ed8a0e6227ad40efb0f0a248f18b83d5066a32fbf73b2c6fb988ef5183b84b438dfa3302ef833b24852764d3812f5f72cb92a553bc3d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W043M8LDO4ASP3SJ745D.temp
Filesize
7KB

MD5
01b711d2943f4311d9f7b188f0c35190

SHA1
d9a033383519b02cb2a844c884de357f35af693f

SHA256
2001bda6719f463d06e07110bd44322fb9bd2d931bbdc9dae1e3cfd7ab9d06e7

SHA512
636c5b275bbd6f8ccc2ed8a0e6227ad40efb0f0a248f18b83d5066a32fbf73b2c6fb988ef5183b84b438dfa3302ef833b24852764d3812f5f72cb92a553bc3d5

Download Submit
C:\Windows\Downloaded Program Files\WmiPrvSE.exe
Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
\Users\Admin\AppData\Local\Temp\tmp20BB.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp20BB.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp20BB.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
memory/728-178-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/728-183-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/728-206-0x00000000028FB000-0x0000000002932000-memory.dmp

Filesize
220KB

Download
memory/968-190-0x0000000001FE0000-0x0000000002060000-memory.dmp

Filesize
512KB

Download
memory/968-203-0x0000000001FE0000-0x0000000002060000-memory.dmp

Filesize
512KB

Download
memory/968-189-0x0000000001FE0000-0x0000000002060000-memory.dmp

Filesize
512KB

Download
memory/976-186-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/976-187-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/976-188-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/1084-157-0x0000000002560000-0x0000000002568000-memory.dmp

Filesize
32KB

Download
memory/1084-177-0x0000000001EC0000-0x0000000001F40000-memory.dmp

Filesize
512KB

Download
memory/1084-176-0x0000000001EC0000-0x0000000001F40000-memory.dmp

Filesize
512KB

Download
memory/1084-174-0x0000000001EC0000-0x0000000001F40000-memory.dmp

Filesize
512KB

Download
memory/1152-196-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/1152-197-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/1152-198-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/1604-202-0x00000000029E0000-0x0000000002A60000-memory.dmp

Filesize
512KB

Download
memory/1604-179-0x00000000029E0000-0x0000000002A60000-memory.dmp

Filesize
512KB

Download
memory/1604-181-0x00000000029E0000-0x0000000002A60000-memory.dmp

Filesize
512KB

Download
memory/1604-209-0x00000000029EB000-0x0000000002A22000-memory.dmp

Filesize
220KB

Download
memory/1672-194-0x0000000002420000-0x00000000024A0000-memory.dmp

Filesize
512KB

Download
memory/1672-193-0x0000000002420000-0x00000000024A0000-memory.dmp

Filesize
512KB

Download
memory/1672-195-0x0000000002420000-0x00000000024A0000-memory.dmp

Filesize
512KB

Download
memory/1672-205-0x000000000242B000-0x0000000002462000-memory.dmp

Filesize
220KB

Download
memory/1692-185-0x0000000002380000-0x0000000002400000-memory.dmp

Filesize
512KB

Download
memory/1692-184-0x0000000002380000-0x0000000002400000-memory.dmp

Filesize
512KB

Download
memory/1724-200-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/1724-201-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/1724-199-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/1724-207-0x00000000024CB000-0x0000000002502000-memory.dmp

Filesize
220KB

Download
memory/1764-65-0x000000001ABA0000-0x000000001ABA8000-memory.dmp

Filesize
32KB

Download
memory/1764-71-0x000000001ACF0000-0x000000001ACFE000-memory.dmp

Filesize
56KB

Download
memory/1764-55-0x000000001BB50000-0x000000001BCAE000-memory.dmp

Filesize
1.4MB

Download
memory/1764-56-0x000000001B200000-0x000000001B280000-memory.dmp

Filesize
512KB

Download
memory/1764-74-0x000000001AD20000-0x000000001AD2C000-memory.dmp

Filesize
48KB

Download
memory/1764-58-0x0000000000860000-0x000000000087C000-memory.dmp

Filesize
112KB

Download
memory/1764-57-0x0000000000850000-0x000000000085E000-memory.dmp

Filesize
56KB

Download
memory/1764-60-0x0000000000C80000-0x0000000000C90000-memory.dmp

Filesize
64KB

Download
memory/1764-61-0x0000000000C90000-0x0000000000CA6000-memory.dmp

Filesize
88KB

Download
memory/1764-62-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/1764-63-0x0000000002700000-0x000000000270A000-memory.dmp

Filesize
40KB

Download
memory/1764-64-0x0000000002710000-0x000000000271C000-memory.dmp

Filesize
48KB

Download
memory/1764-54-0x0000000000140000-0x0000000000702000-memory.dmp

Filesize
5.8MB

Download
memory/1764-73-0x000000001AD10000-0x000000001AD1E000-memory.dmp

Filesize
56KB

Download
memory/1764-72-0x000000001AD00000-0x000000001AD08000-memory.dmp

Filesize
32KB

Download
memory/1764-75-0x000000001AD30000-0x000000001AD3C000-memory.dmp

Filesize
48KB

Download
memory/1764-66-0x000000001ABB0000-0x000000001ABBC000-memory.dmp

Filesize
48KB

Download
memory/1764-59-0x0000000000900000-0x0000000000908000-memory.dmp

Filesize
32KB

Download
memory/1764-67-0x000000001ABC0000-0x000000001ABCC000-memory.dmp

Filesize
48KB

Download
memory/1764-68-0x000000001ACE0000-0x000000001ACE8000-memory.dmp

Filesize
32KB

Download
memory/1764-69-0x000000001B200000-0x000000001B280000-memory.dmp

Filesize
512KB

Download
memory/1764-105-0x000000001B200000-0x000000001B280000-memory.dmp

Filesize
512KB

Download
memory/1764-102-0x000000001B200000-0x000000001B280000-memory.dmp

Filesize
512KB

Download
memory/1764-98-0x000000001B200000-0x000000001B280000-memory.dmp

Filesize
512KB

Download
memory/1764-70-0x000000001ACD0000-0x000000001ACDA000-memory.dmp

Filesize
40KB

Download
memory/1820-151-0x000000001B060000-0x000000001B342000-memory.dmp

Filesize
2.9MB

Download
memory/1820-191-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/1820-204-0x000000000284B000-0x0000000002882000-memory.dmp

Filesize
220KB

Download
memory/1820-175-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/1984-192-0x0000000002430000-0x00000000024B0000-memory.dmp

Filesize
512KB

Download
memory/1984-173-0x0000000002430000-0x00000000024B0000-memory.dmp

Filesize
512KB

Download
memory/1992-208-0x000000000273B000-0x0000000002772000-memory.dmp

Filesize
220KB

Download
memory/1992-182-0x0000000002730000-0x00000000027B0000-memory.dmp

Filesize
512KB

Download
memory/1992-180-0x0000000002730000-0x00000000027B0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads