dcrat | 54096c1f199a69326018b8a54c3c2e8b6a2e0a1f4724d0fceb8016cf4ae0cece

Analysis

max time kernel
65s
max time network
130s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-12-2023 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04a31d7675a4858c9c1ddb7c818782d5.exe
Size

1.4MB
MD5

04a31d7675a4858c9c1ddb7c818782d5
SHA1

991b6bd9ed58869e8e408158b99a050791e15f17
SHA256

54096c1f199a69326018b8a54c3c2e8b6a2e0a1f4724d0fceb8016cf4ae0cece
SHA512

2fac1ab544a88b0476e474d0990ab24fa5a678f0ae983aca1666910774d85a0b5dcc2040ef5fff21a25ef04d57fdc35de34af28d24c73af8b66c163b890b5d97
SSDEEP

24576:u2G/nvxW3WieCO0Kktota4CJjOEn3v02OSPm0woqLvs4eI3x9WE+4Q:ubA3jY4oLCJjNn/wGb8eASb

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 20 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepowershell.exeschtasks.exeschtasks.exe

pid	process
1612	schtasks.exe
2112	schtasks.exe
2976	schtasks.exe
2640	schtasks.exe
1784	schtasks.exe
536	schtasks.exe
1916	schtasks.exe
1056	schtasks.exe
2384	schtasks.exe
784	schtasks.exe
1988	schtasks.exe
2252	schtasks.exe
2448	schtasks.exe
2688	schtasks.exe
1068	schtasks.exe
2548	schtasks.exe
484	schtasks.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
1700	schtasks.exe
2712	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

driverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\spoolsv.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\spoolsv.exe\", \"C:/Users/Admin/AppData/Local/\\explorer.exe\""	driverSavesPerfsvcCrtNetSvc.exe

Process spawned unexpected child process 19 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	552	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	552	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	552	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	552	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	552	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	552	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	552	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	552	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	552	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	552	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	552	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	552	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	552	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	552	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	552	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	552	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	552	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	552	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	552	schtasks.exe

DCRat payload 42 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
behavioral1/memory/2284-38-0x0000000000A90000-0x0000000000BB6000-memory.dmp	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
behavioral1/memory/2156-51-0x0000000001090000-0x00000000011B6000-memory.dmp	dcrat
behavioral1/memory/2156-53-0x0000000001000000-0x0000000001080000-memory.dmp	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
behavioral1/memory/2836-59-0x000000001B1A0000-0x000000001B220000-memory.dmp	dcrat
C:\Users\Admin\AppData\Local\csrss.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\Users\Admin\AppData\Local\explorer.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
behavioral1/memory/2812-89-0x0000000000520000-0x00000000005A0000-memory.dmp	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
behavioral1/memory/788-104-0x0000000000290000-0x00000000003B6000-memory.dmp	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\Users\Admin\AppData\Local\dwm.exe	dcrat
behavioral1/memory/2704-124-0x0000000000020000-0x0000000000146000-memory.dmp	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
behavioral1/memory/2704-126-0x000000001B040000-0x000000001B0C0000-memory.dmp	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\Users\Admin\AppData\Local\explorer.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
behavioral1/memory/1496-143-0x0000000000F90000-0x00000000010B6000-memory.dmp	dcrat
C:\Users\Admin\AppData\Local\csrss.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\Users\Admin\AppData\Local\dwm.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\Users\Admin\AppData\Local\WmiPrvSE.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
behavioral1/memory/2868-178-0x0000000000170000-0x0000000000296000-memory.dmp	dcrat
behavioral1/memory/2116-190-0x0000000000810000-0x0000000000936000-memory.dmp	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\Users\Admin\AppData\Local\explorer.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe	dcrat

Executes dropped EXE 3 IoCs

Processes:

driverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exe

pid process

2284 driverSavesPerfsvcCrtNetSvc.exe
2156 driverSavesPerfsvcCrtNetSvc.exe
2836 driverSavesPerfsvcCrtNetSvc.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2620 cmd.exe
2620 cmd.exe

pid	process
2284	driverSavesPerfsvcCrtNetSvc.exe
2156	driverSavesPerfsvcCrtNetSvc.exe
2836	driverSavesPerfsvcCrtNetSvc.exe

pid	process
2620	cmd.exe
2620	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

driverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:/Users/Admin/AppData/Local/\\explorer.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:/Users/Admin/AppData/Local/\\explorer.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:/Users/Admin/AppData/Local/\\spoolsv.exe\""	driverSavesPerfsvcCrtNetSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:/Users/Admin/AppData/Local/\\spoolsv.exe\""	driverSavesPerfsvcCrtNetSvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 19 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

pid	process
2252	schtasks.exe
1700	schtasks.exe
1784	schtasks.exe
2112	schtasks.exe
784	schtasks.exe
1056	schtasks.exe
2384	schtasks.exe
536	schtasks.exe
2712	schtasks.exe
2448	schtasks.exe
2688	schtasks.exe
2640	schtasks.exe
1068	schtasks.exe
1988	schtasks.exe
2548	schtasks.exe
484	schtasks.exe
1612	schtasks.exe
2976	schtasks.exe
1916	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exe

pid process

2780 powershell.exe
2284 driverSavesPerfsvcCrtNetSvc.exe
2156 driverSavesPerfsvcCrtNetSvc.exe
2836 driverSavesPerfsvcCrtNetSvc.exe

pid	process
2780	powershell.exe
2284	driverSavesPerfsvcCrtNetSvc.exe
2156	driverSavesPerfsvcCrtNetSvc.exe
2836	driverSavesPerfsvcCrtNetSvc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exedriverSavesPerfsvcCrtNetSvc.exe

description	pid	process
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	2284	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	2156	driverSavesPerfsvcCrtNetSvc.exe
Token: SeDebugPrivilege	2836	driverSavesPerfsvcCrtNetSvc.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

04a31d7675a4858c9c1ddb7c818782d5.execmd.exeWScript.execmd.exedriverSavesPerfsvcCrtNetSvc.execmd.exedriverSavesPerfsvcCrtNetSvc.exe

description	pid	process	target process
PID 3012 wrote to memory of 2712	3012	04a31d7675a4858c9c1ddb7c818782d5.exe	WScript.exe
PID 3012 wrote to memory of 2712	3012	04a31d7675a4858c9c1ddb7c818782d5.exe	WScript.exe
PID 3012 wrote to memory of 2712	3012	04a31d7675a4858c9c1ddb7c818782d5.exe	WScript.exe
PID 3012 wrote to memory of 2712	3012	04a31d7675a4858c9c1ddb7c818782d5.exe	WScript.exe
PID 3012 wrote to memory of 2816	3012	04a31d7675a4858c9c1ddb7c818782d5.exe	cmd.exe
PID 3012 wrote to memory of 2816	3012	04a31d7675a4858c9c1ddb7c818782d5.exe	cmd.exe
PID 3012 wrote to memory of 2816	3012	04a31d7675a4858c9c1ddb7c818782d5.exe	cmd.exe
PID 3012 wrote to memory of 2816	3012	04a31d7675a4858c9c1ddb7c818782d5.exe	cmd.exe
PID 2816 wrote to memory of 2780	2816	cmd.exe	powershell.exe
PID 2816 wrote to memory of 2780	2816	cmd.exe	powershell.exe
PID 2816 wrote to memory of 2780	2816	cmd.exe	powershell.exe
PID 2816 wrote to memory of 2780	2816	cmd.exe	powershell.exe
PID 2712 wrote to memory of 2620	2712	WScript.exe	cmd.exe
PID 2712 wrote to memory of 2620	2712	WScript.exe	cmd.exe
PID 2712 wrote to memory of 2620	2712	WScript.exe	cmd.exe
PID 2712 wrote to memory of 2620	2712	WScript.exe	cmd.exe
PID 2620 wrote to memory of 2284	2620	cmd.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 2620 wrote to memory of 2284	2620	cmd.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 2620 wrote to memory of 2284	2620	cmd.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 2620 wrote to memory of 2284	2620	cmd.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 2284 wrote to memory of 1724	2284	driverSavesPerfsvcCrtNetSvc.exe	cmd.exe
PID 2284 wrote to memory of 1724	2284	driverSavesPerfsvcCrtNetSvc.exe	cmd.exe
PID 2284 wrote to memory of 1724	2284	driverSavesPerfsvcCrtNetSvc.exe	cmd.exe
PID 1724 wrote to memory of 1108	1724	cmd.exe	chcp.com
PID 1724 wrote to memory of 1108	1724	cmd.exe	chcp.com
PID 1724 wrote to memory of 1108	1724	cmd.exe	chcp.com
PID 1724 wrote to memory of 1368	1724	cmd.exe	w32tm.exe
PID 1724 wrote to memory of 1368	1724	cmd.exe	w32tm.exe
PID 1724 wrote to memory of 1368	1724	cmd.exe	w32tm.exe
PID 1724 wrote to memory of 2156	1724	cmd.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 1724 wrote to memory of 2156	1724	cmd.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 1724 wrote to memory of 2156	1724	cmd.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 2156 wrote to memory of 2836	2156	driverSavesPerfsvcCrtNetSvc.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 2156 wrote to memory of 2836	2156	driverSavesPerfsvcCrtNetSvc.exe	driverSavesPerfsvcCrtNetSvc.exe
PID 2156 wrote to memory of 2836	2156	driverSavesPerfsvcCrtNetSvc.exe	driverSavesPerfsvcCrtNetSvc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\04a31d7675a4858c9c1ddb7c818782d5.exe
"C:\Users\Admin\AppData\Local\Temp\04a31d7675a4858c9c1ddb7c818782d5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\driverSaves\LHhDtlPF.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\driverSaves\elBs4FCCK.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AeXkRdLw8y.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:1108

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:1368

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:2588

C:\Windows\system32\chcp.com
chcp 65001
7⤵
PID:1904

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
8⤵
PID:1812

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
9⤵
PID:1916

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
10⤵
PID:1096

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
11⤵
PID:2220

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
12⤵
PID:2812

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
13⤵
PID:2292

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hSE0YgZDij.bat"
14⤵
PID:1576

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
15⤵
PID:788

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
16⤵
PID:2924

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5JZmJExGGl.bat"
17⤵
PID:1520

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
18⤵
PID:1356

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:472

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
18⤵
PID:2704

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
19⤵
PID:996

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oIUbzGIzk2.bat"
20⤵
PID:2204

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
21⤵
PID:1496

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RGuvQlBp4V.bat"
22⤵
PID:2232

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
23⤵
PID:808

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
24⤵
PID:2440

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFFYU50O7W.bat"
25⤵
PID:2844

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
26⤵
PID:2868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jwReWzakrt.bat"
27⤵
PID:1636

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
28⤵
PID:2116

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
29⤵
PID:2948

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L10brAl3c7.bat"
30⤵
PID:1368

C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
"C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
31⤵
PID:2112

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\driverSaves\mKLt1agSNSLByUmKEYd.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe"
3⤵
- DcRat
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "driverSavesPerfsvcCrtNetSvc" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\driverSavesPerfsvcCrtNetSvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2712

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:1172

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:2508

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1916

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:2052

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2448

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:2808

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2688

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2840

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1056

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\24dbde2999530ef5fd907494bc374d663924116c
Filesize
218B

MD5
8bc5bd94e72fceccf261402d376017c7

SHA1
ac1b9803e0b7bb2809183b103b817a59388f6a9e

SHA256
8120da6178383974d9fdce2e90bee2f9162dbc0b6e4832418955ac200f4ff8fa

SHA512
b7611931f9c034279a869a75304fc00d3703f7e4bdfb8e3158237d6625b7b35a62ef2678c6b5f3721aae64f13594e320346fe72a020ce73c5eaa37fb999afde8

Download Submit
C:\Users\Admin\AppData\Local\6cb0b6c459d5d3455a3da700e713f2e2529862ff
Filesize
943B

MD5
7f6edfbc6878c2f2b06ee192e46bb234

SHA1
42462db4f53610f7a81eb2c9ef8799efb7437914

SHA256
9f2ef4a787b54f222395aefa32978f3cd6268826459100df4b86a8d57d3d2ab8

SHA512
66840984a9ef148257b998ff2cdfd9fcec7bcedf8849b5606f37f740c2910a19a8a734fc90e167792f96040c77105bbf378d2a07ce70c52c5df5c09386eedd5b

Download Submit
C:\Users\Admin\AppData\Local\6cb0b6c459d5d3455a3da700e713f2e2529862ff
Filesize
722B

MD5
167ee1735c608d2e9d46809eefd390bb

SHA1
f088313dd1c4fc5a231dcf31f10e77589d6920f8

SHA256
00ed43da84c4a3a672b06500e6d7d0de36715919a66897a01ee35e0de477d16f

SHA512
6ae4122feb12acd97b6a047269e407a983562c41ce882e17066369d932cb5e469425ca6f376e18426fd4285282b3200202b5e8cbaf515083d40657c50fa9bb3a

Download Submit
C:\Users\Admin\AppData\Local\7a0fd90576e08807bde2cc57bcf9854bbce05fe3
Filesize
485B

MD5
fc61e0f20c2ab9ef58dd241b2f082494

SHA1
338fea2b2ac38f5a0a9d8973698648f4685dbaa1

SHA256
85f05de43d94ab8daa85c34b367b6ff4df2d5437dd138ed4b3878e19d86903a0

SHA512
709ebca3e083828e89114f2c3608d636c19e91935f3da03c4316c907d6ac67aacbaa0d47aceb14f40f93122e0575ec601c5b311423f52d1341ed6af1765305a8

Download Submit
C:\Users\Admin\AppData\Local\7a0fd90576e08807bde2cc57bcf9854bbce05fe3
Filesize
473B

MD5
27bca47fd47737803615456c9f685ad3

SHA1
32c6fad6320fd5c645dc0269798e2ae3d9b4bab9

SHA256
e7a39d73ad43cf28d8cad55b97bf66a62f3f59c3a4df535f2f6a25ad82b969ff

SHA512
5c226b9d72c6b0fe4fefd48ae59a8a528c20ce7a2b4a6bdd8168591ae02b24f15c86acc1e4b7a432037cc8ae2557016520014cd303163156de306bde6f465c64

Download Submit
C:\Users\Admin\AppData\Local\7a0fd90576e08807bde2cc57bcf9854bbce05fe3
Filesize
716B

MD5
eca0e67991bb13b87f515e14a44d502b

SHA1
3c089dd83fbac517290671947a5afc8907b91a7e

SHA256
6f1fff976c027dbe3f4963dfcabcb2567a194428bc26ff7ce4ae9774be57dbd1

SHA512
e357de5440c1f0f3a3cbf843dcc3e5357432adf127ead303e9fc46c59971ba08a90585342491eda8907bc9b157000434c7146a57089ecb028305d002319036c1

Download Submit
C:\Users\Admin\AppData\Local\886983d96e3d3e31032c679b2d4ea91b6c05afef
Filesize
373B

MD5
e3048805b3e777416256afb6cfa1165e

SHA1
fc93201806e6e9f2ae53fd4b9d243b793f8a572a

SHA256
9236c7bd96a9ab3057926c261d2589d62c0c5d3c281aada17e198bed9e16fe02

SHA512
1e37b6f9ba0f1412b631beb549982f639101c0fdfa3d39f8823ca932327be896d2ec9c4ec558559a178a2f9a27209794e2a46c45c08125d9452726c9762aa9da

Download Submit
C:\Users\Admin\AppData\Local\Temp\5JZmJExGGl.bat
Filesize
262B

MD5
2471f5c7116662dfa2bb8296527338ee

SHA1
267b3577629e6287dcf7739a69c868cf62e8b565

SHA256
7164b2145a6579d953abaab959d616e9236f6abdaea75d9965f46cdad43a9be7

SHA512
df05c4fd116bd97d73ee611f600711c9a703cec31c4ca41b5c8eb99495b88465cc32d1b825631a5fa1111d7707b74115619741132ec700048d6a84719b9b458e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AeXkRdLw8y.bat
Filesize
262B

MD5
eda55a563ac38acddb88444839c9fd63

SHA1
26e0562a4b1fc92b5faded9892f40add7814b4fa

SHA256
841e10168f8454bec0aa29a672c399f487d1751bb2de503eeecf994bcf7c8cdf

SHA512
21c2359922e682b9c1c8341fd83e36e790a89b90a1e1e2d9fc79108e2031fce8fc91246f8810bf65ea63e61cc43199299daee7a2aab8fe5378094aba7997bd49

Download Submit
C:\Users\Admin\AppData\Local\Temp\L10brAl3c7.bat
Filesize
262B

MD5
9ea7168f950578aca6bf19ffc2b21053

SHA1
0e4b6e00ea3a62164c2f6c2748f90ecff7c74d94

SHA256
5e33fcc5288aa7440ebd50e241956e525f992907927bdd92bb3d10138a669277

SHA512
3c0ca98e3d7129ba3b8cf94217d98551840a2f11990a38be057b3ec2c2665332f8c4caac9163aa1c49d894761b023b0d1571fb4a6050ceed15922029cee4d212

Download Submit
C:\Users\Admin\AppData\Local\Temp\RGuvQlBp4V.bat
Filesize
262B

MD5
39b32bdd6d3df200f9943393a205262d

SHA1
bf2b8bdaf46ed92e546540822571f48b470b841c

SHA256
7d19f2adf28599c024f0f1e3f358531e244ad65f1fe7459d8d680c885eebbd59

SHA512
d138035a291f9b924677c2804e815fc5f244ae34aa0ee3e53d979b99e6f17e67b5dd3a1d205aa26b39c4b807d9c82c2f14d92e5be5d77b7164b47dfcd0ba79b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hSE0YgZDij.bat
Filesize
262B

MD5
7fd2ec8591cccdae107672bd9f22fa19

SHA1
213c77ac883ffa6b7dad74b68b135bbc90100f8c

SHA256
2c65782b50d138dd140eb6302dbe1fbdf297cbc059508a26767e9f4e02003786

SHA512
8f3605bde69733c4276ee06d5e81bf58cb236b98c77d2eb8d5d78dda0a28153fad90becdf2bda35ee0b399c5b05e18c32484e9f5d12e19cb68b6128f497d8c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jFFYU50O7W.bat
Filesize
262B

MD5
aaaa993c828cf3c9d013ae2c7772aa34

SHA1
95602defdb0434199b14430b81fa7fe427ec71dc

SHA256
3da51f4d1b548208b598195f6aba2f0a181048a860c242b063f658f2afa6aeb2

SHA512
3b27f0bf5a1d155a53ed5dba47475a7274b08fac14c4ecd7f67998649725c0209be69a5f890f3c4325bff42e7c2a9fa4bbe19f864f99ad515fd253bf925fe71b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jwReWzakrt.bat
Filesize
262B

MD5
9728c12e64f76f758c33a13fb56a97f8

SHA1
73184abbe4750abd00e78aee6c6fa4245ca32c16

SHA256
cc956d89ea41ce529bc8bd9783132c4a02cccd871652acb80a5a783e65ae8ad0

SHA512
e38dd93ec6bde23c90bb6ab820910fe890a354a081dac2b33a7218a738816bb190bf845a90f78e788d464ab54be2802b1c304f414436840b861e135f0a271bae

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIUbzGIzk2.bat
Filesize
262B

MD5
105708557dd1ec9983e803cd6e8b051c

SHA1
7397aff688a27f35d9588c907021193ba9a2595b

SHA256
5dcd9fd6659107ebbcf076fa006411056e122ef5245e35ad18460243aee2c080

SHA512
6c54d5ffbfbb411b6d182b8d7b49530cd8ee4a10891915822c27f15eceb724b2bcb1aaf0909ab49face6554525db5e7166ce36117e0817eddc0bd4c7d7815e6e

Download Submit
C:\Users\Admin\AppData\Local\WmiPrvSE.exe
Filesize
93KB

MD5
2b02fa71c029fc04ca30263d763be6a3

SHA1
e39b9c4fa19582d0f9f98936f94ebc14c04c8d7b

SHA256
4809e352aa95db0195b019b6822fb90f21d64504b1699508586a03af2bbd329e

SHA512
8a5b4bf698e57cf89306bd26a818031d70b6736c32c140dffcbd810c44d6fcaf99ac6f1a5551455ce15de9c40b2cba540e403888b6911e2ebb9f5bc13af78261

Download Submit
C:\Users\Admin\AppData\Local\csrss.exe
Filesize
19KB

MD5
9009e426c9aed9c236387e6f5fc189ce

SHA1
fc4463c5e5cd6f824fb98eafb257692be688c0d8

SHA256
dff8785b7269c3baaddb6cb78662f5d5bf88badbd788767d7e75415a4d322e63

SHA512
ec988050070b56126d87eac09fff2606eeb67d5bc0dc2520fc260ce3d22c1525348911f05441ae4279e4b941fedcf230ab49389e8edafe17f1d4533ace0eef4f

Download Submit
C:\Users\Admin\AppData\Local\csrss.exe
Filesize
460KB

MD5
e99b27861ca2d907685153d230c2fdbd

SHA1
31c604e5542283991b2f28858875ab75f05ebb63

SHA256
bdae391898160d99a7cdf97e525bb1a86db8b5db7f1141d0194b14efdb0c4cf6

SHA512
8ae9568d55dd47851c3c70677ad3cd6b254149d80334989343b8abacf0e8d919c8ca6d905c9272ffa5defdcd378f8d79816da279d0f333f507d8e088ea79b62c

Download Submit
C:\Users\Admin\AppData\Local\dwm.exe
Filesize
169KB

MD5
fd691478d6dec822f7ed80fc51be52cc

SHA1
7fa7ea6add72ad73597c4a7605fd25f3b0f238e9

SHA256
4fb9a817c58ecdc5714778bd8c459eea26c7ce1b1d194e5ad45f4b0d146ce2a0

SHA512
23af1e293dd7866f0d200d3cbb001c89ead73c7ce5abb32dab4cd443cf7effedf28263d38bbc4c1afa407f916b6d7114f9f7f89daa5351876bb5ee76aaa166de

Download Submit
C:\Users\Admin\AppData\Local\dwm.exe
Filesize
104KB

MD5
c65b4bc917942345666afeeee0c86796

SHA1
045de6c91899667aa522232fe08c8a58b9315afb

SHA256
e92c4d9aebd182c36d4a27c4545ea5a32e8e48696e99f029aef98584a57a3ca5

SHA512
ec6f0588c235fbb0829f328fbbb6f61443970d50d6d5af3a99a23d3378c5849acfd6ab8e9bae903b743913a47634b910df85461cb798389e93ac895dc3adf715

Download Submit
C:\Users\Admin\AppData\Local\explorer.exe
Filesize
33KB

MD5
9018069271e704b1d2869fef6cf9b721

SHA1
04dfab7064880acaf5535008be0bb8916475ee9e

SHA256
bca4a3d86a47d9136c471e3430677c335b6aa9d576fd18c4ec77af50ffd24c99

SHA512
7d5f01575dac6bd18aabcdd769f390537bb9234e35d77f343749b5b0d5d1e9f48b7d7514a5a78e150d86ef38b40d2e5842ab01befe2434acfd66583f096ce775

Download Submit
C:\Users\Admin\AppData\Local\explorer.exe
Filesize
120KB

MD5
5ae677444d44cc8c81222d776e9a8614

SHA1
90dc5be51cc01f441686ec3508ab8db3b42efa41

SHA256
ad628b612bce3552ea6145c668329946b4b95d962f2e073ef8bfeacc3e56e51e

SHA512
1d27eb2cb44d27b6021e3e4ccc8d75dea90487b50ed7556813b4133c0fa9ba69f0ef655a094ac356d19d1760a9c3a89727dbbbd8c6ad54b50c0063c1de50b6e9

Download Submit
C:\Users\Admin\AppData\Local\explorer.exe
Filesize
83KB

MD5
186d3e6be3fbdbc798c17d7449edc163

SHA1
d04ba827b621f54a5dd48c345f3ab67be3e5bd56

SHA256
dc5847c6e5e669edd7235d7c379a59edaff1045bc2133e4cb3331a068708034d

SHA512
294f3cc4f362dc4b4e39b860d65fcbdc0ff7e9c282cfa81cf054a6da6d2964fba77663e7100be361c5d3ae38ddd4c8a26097271efb63c19924b753bd24dafb82

Download Submit
C:\driverSaves\LHhDtlPF.vbe
Filesize
197B

MD5
d54777130b957cce5fd98b014f22692b

SHA1
d4b1c5213c32b5d50535f5532a68fce906cd34a6

SHA256
b23e310e937017998d80569f06c4c2de1098bb8a313167332036ec4f77d75957

SHA512
0193afdbf04ae421a44133c41576e0bf719e9ea2c3044d7f75c0dc59bbe9565c04ebe942ccf5f4fea123b4073c51a51b8319b3b85ae5b683e38ae51e14f25232

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
Filesize
210KB

MD5
66e95c4458174dd41a12e12c0bbcdbde

SHA1
68749fe2f3b77116609a3e9e04b7d4420689ff88

SHA256
2bddff11c4a680f014f1b09bccd0c60d77cd42d2b0e932a8b8b42b8b56712025

SHA512
7b59324584f9990655753db3029f72274fa389a5309c99d34be2f34544a3885c5ce69195c311743023f5c9a79a568f5b2b27cf027a47e012d62dfde90e839430

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
Filesize
81KB

MD5
87c5da8c1cb79ea2d35674ef45786e2d

SHA1
510f6868e03f71c22dbea9eddd50fd0b3298fadf

SHA256
c0da7abcc8d06c10f243cfeadcbb58100d4ed558214d04a0233eb06729d3ab4c

SHA512
9b7c8bc73431aae9f9935a298e9516e48bb7dd7737c2776abe1f08d5003b807e52b23624eb925495f0cb14483f6fb9b616a57b5ef51288eb6d952b9db6e0484f

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
Filesize
274KB

MD5
e974e0801b65164d892ac30170f0be4b

SHA1
4328e019ea0977c16773c9294ec6b59018170bf2

SHA256
5cef3dfd5039d0f87f482556bb94eacb94f8127d31b854530656ac47f39a3f6f

SHA512
8ed42e6e6ba5990a8bbf56d65141d38ed105362f3bac608b94adb9ae546dbe5e886d7f12e432095225d884f3e379577f817b873e66f946e98ac3763931515e05

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
Filesize
55KB

MD5
d7571f26db0d1c7f72554b6fbcb6bbdc

SHA1
a8be8c7698960ffe72409cfa9132cf86ad5d38bb

SHA256
8ddedc46fee5dd5f8c6cc4ace68f189c7ddbf1e98f432ba2cb3277e49830b2bb

SHA512
9a792297652fe29babedb0f293541ecfcccc8aba80a37457f4ba29143c84e4b5fb688cfe8df28a0db397fe8cf4f63156ea7e01ae30bc1f872d64b45481e6d372

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
Filesize
56KB

MD5
868c4953666dc8ecc1c48c973e65f0d3

SHA1
9e372b1db5cd424bb999523761db07c228bf8aa6

SHA256
1380d319880afeaa26d0a228120918b2b949d9dc88de683debcbcc0a7728279d

SHA512
9a9aaaee38055bc7da0ced7e812715518b6542cfc3dcff2d11ea00d34a6d332b3e94293df23ffa1eaa6913d8af64a8b244a5279bafb4de6bb08e42acde233d85

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
Filesize
79KB

MD5
b403ffb3a671a9e53f27f7e8558ff099

SHA1
0d40f645c1d14a1445d91b03804eb7dec9c5bbb1

SHA256
891689c438b959399530ee512c3727c215a2ced6a2b22acdef90adb0cfc72190

SHA512
1a291507c738b4d1fe79bf9b5b0d245d4e1f20dd196756c9b9aca3e5f863b584c2beed7556a34f4dd507e99d96c27a2390f663c389cc375026ac981dd541603a

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
Filesize
66KB

MD5
288eb2eb85fc56e469c6ea9aeee01ae7

SHA1
a4c90986e5089925a6f75f2c1ecb22e128c7a210

SHA256
1a1f62153ac45626d9a680f993b4e6a9b5edc4ebd715bc0f2811c0fdd7fc8602

SHA512
27428423db7bb3d2c6eb90ad0f9a1f49edb1030ec3a2fccd1d53bf9bdbf64f5cab56ec0bc4093e7aea4705509f8c960c8dd2f23a5c4784434ff1315fa89bb3b1

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
Filesize
111KB

MD5
91d9199b40aa004d24178d2840bc2590

SHA1
60a407f71c12b8f98a8e992ea340d1bd39de157a

SHA256
16a71f13f5eb859790223837e952faaae693be66a3bd54c6d7d39046c7fddeb2

SHA512
793998cb2a3b6d860b379784e42671f6f95af1e134dce80b0ab33f8b2ebf247f597bc3d29c62efbaea55f3f8959a79eea7336986dd52574d2aa91582b507c13a

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
Filesize
179KB

MD5
d5c881debe429033c163ad493a7f0364

SHA1
72588cb8047ecd4a303bf0e5797931d6f46d54f6

SHA256
93676899fef2d9ae28d0ed1830ef425134031c25e052491359117a91962ff202

SHA512
83a5637b9c7fb8b197b19a6acd6b9be61c84dfacc51b648a917845ec531f97013eb56632df17584ffc979a6da8a2264f90617b609e37d0de57122b423ddd2694

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
Filesize
66KB

MD5
6d4001b4adf9099664e1740e0b51d5dc

SHA1
eb31eeab20ff2e838c35b98c596a9779ed6cbf49

SHA256
972a8555dac1633fbfa993eda72dc7691caa0481334fe3e68dd518743a206588

SHA512
c118d97c812993d84535732fe8f87aa6a96a202b3ee9fe8715d1d1022ed087211df29295af3a38cdf57fcd2c881cee88ebda123258444e057dff4dd77be06f2e

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
Filesize
55KB

MD5
43dd11235fc7e3a33bacd64c0c7ea737

SHA1
4016090be3a9ebe8a038849ebc5603c954479e16

SHA256
106becc534862c089a5d84e108cbc43b137bb20d7921917d1c87b012fe0f44bd

SHA512
ad7911b8084e1c3ae94588bc94c3f61e65beed026b050aedd1483fd017d21a3272a29cbb11ac78607937c1af330c016246a618179a08add7a6f8d8a11cfd3eaf

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
Filesize
597KB

MD5
7360d4cec7aa4868883893dc1dcc77fe

SHA1
36cd3330957cb7de88eea00f308a95b6e4bbed59

SHA256
aea8a2bd666aaeff5974ca15af0c688952e3f77c067fcfbcad72421a61b574c5

SHA512
52240d566c5d81d7ead248faa863b9d7bf955bec6df0437cf8054840edff88c4022d14fc394d8f20d14f904edd09faad3a7fa2939a6b41658078058286517f9a

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
Filesize
676KB

MD5
dbeea23bc6e90973368b95169386c973

SHA1
901ee716307681d5794928ede583d123774d8a9d

SHA256
ce3576741e466e26a93396dc251c1877c845756994e89507aa91d696b60f39a4

SHA512
a8cdc4bcccf0935ee4a152fbdfd80157d8fa9caf492fab40b24b2aaad8ad31b33ec65a075d514365b8a4596ac4b65137f96c09cbbbdba969bc10d351657842c9

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
Filesize
1.1MB

MD5
54f65064c78656d0f9d8ea838682481e

SHA1
2d0700c2ed2e8bdc7f3017f9630c7a8104108e71

SHA256
f9167e3b80dd8d2047ecc695558cffaf5871d48659dd68f9e49c7b2709f6acad

SHA512
8b35076cca8e83de3cfe6c51eeff194e37fcf773af948a45767ccede36d4efea2bbc65b127305f8467b74479549006a00518bb3ca42560300342e9c19c1a7f12

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
Filesize
314KB

MD5
6f096af0349d111efe4ec286a16848bb

SHA1
132795cca87b523ce4d089e46954dda14ff4e792

SHA256
6ef2fe0bdd8ea5dff9e1e5d7b9d6739dd5dd4ed66e403bcc927b678b3032804f

SHA512
4e3b60b823106d775541100ac9b6f92437a1aafdaba10bfa37b576928c43d5804ae8b9bb0f62102a3eb4f56a67b951c90c4e73c1cec59fa7310eff1a7a09eb1d

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
Filesize
192KB

MD5
331cf6d0284899ef42bf1aac7b6806a8

SHA1
32f4b137f3296a0aa8ff12dcd63cb12c289056f1

SHA256
39f24d6525bfa5f32d309d6081b961bdd20c041f2655962de71173cb04022148

SHA512
54ee3d0610de1ae73ddad13fbcc0f91f226e4ce3e2b53c99c591b510118320d32292bb0088a92285362a26c28415840526676560010d0a4c6a94ddc1468a409d

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
Filesize
27KB

MD5
0064bae0eff5bce88c9ce1bd23776344

SHA1
182e7d4311de475c6f5f9b384e656dc4c1d8e2c0

SHA256
c59b213d838d48cf7b4466c7f21d24367703172f4a11610dca7dfb1f098e1d54

SHA512
94bde1f091c487e50a0ee9fc1c9bf9029a61ea0063c1a4abfe23c0fbaa5964f45e6b329470dc3b38de0c26c48df75a834f089791a6b671eb2b63b824abef37c0

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
Filesize
352KB

MD5
b9b65b1258c47635a5088783756e164b

SHA1
ad90aaeab3dde1cb6694ecdf11aed22e249ec941

SHA256
87b7c4d07328462b2ce2e19226f2ac798e74f053a4c8e8aa5e279a528a55ad62

SHA512
700f52c346119bf1829497b7b6e7d7f92f11d3d2f4b060998afd99a63a3eddb1205fcc8f12d6ad54fbe3fc48faad531613d8d0eff79fb7241999ed99935332d1

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
Filesize
99KB

MD5
4fe356df331fa981ceed2abbd16dc2ff

SHA1
1eb3a09693c930313f91fa16e81a9d3da791792c

SHA256
a57a5587d16160ad6c679f44fcfa48f6d89000597b24df73cb93ee5ed0fc26d7

SHA512
f64082eb92ba7e66ca10e0d3778f957da89b6751266244cce24a72c22949e2d00b1860b851286ae65012b9de22b75a19a8265fe3aa757ceaa9d2fe2f82833c16

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
Filesize
560KB

MD5
7f0a8859e45d582de8319153eafae28b

SHA1
ab7700c7cd912bc64d506f322277086ad7b969b7

SHA256
76e8cd1760de74f573382bd2e34ff5c362c8a8fc65ba85a6af198d642f135db4

SHA512
1377736979b31d37aedda8e9ccd98d833d28daaf8ff736c094830e7bf847e0fe47a8e8fc25c09b7a284613a5f748abf90e8801fcb7ef54235fa574cb634133ff

Download Submit
C:\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
Filesize
334KB

MD5
53b4fdfcf731e76eadb493275bb7869b

SHA1
88ee3e00cf31830cdb49361df4e39913825de87b

SHA256
ae45b4ecfe9c00e6c38eecd08a80e38be52eebeb3d0b28095067155ef9395325

SHA512
b69485f6c573ffb0f28f256fc04141a1ef707f040c26be8c3bd9028fe567f72a116bec0ac5b6615839f610353edc4ec4df97a1dfa161a615f2eb9908d62c2c5c

Download Submit
C:\driverSaves\elBs4FCCK.bat
Filesize
48B

MD5
0407b07db5462f371d0d7f737ebf973a

SHA1
11dd83edf63febdf2ea0935e8e7b2519a610738b

SHA256
7b0b55005ae6b1a19be753db6670fc86088a6618888eb7780566ff0ce122a8ec

SHA512
ef5cbed89e0b72627a2345b6a0a0aa7690b4e9991816794e50b6125d78a1e2e9d6268216ae14397d14cb67f9c78ef1ef0c5ad2913f1d7b3d57a125f872267474

Download Submit
C:\driverSaves\mKLt1agSNSLByUmKEYd.bat
Filesize
159B

MD5
6c33c4c06022c7bbafc1d01caedd0abe

SHA1
3f6e17989ce3a09d183adc2380c659525a67ca0a

SHA256
f78fccb7e0e0d6b89508758a739041ff31526ead74167d22f2aa754db19f6dfc

SHA512
e1f0a27d5c459bdf865612a513d62bd0d6ef7ba649c7f4fac003e6d684cad6e3469b532c0e8689589bdb8ccc0b3d7442f875e97cfec9105481b6b5733f8137b0

Download Submit
\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
Filesize
607KB

MD5
354b794e30fc54cafdc6375ee114eff9

SHA1
e58455de0c77f11d9c4e6d8c3090adbf03a774cf

SHA256
35ca6a4721e16b38737cc224af0a1317abd96356a9298265b9accd2138010180

SHA512
a357ac9637dadd20f69d8dcbf7b5b944a682b1da83aec74538234a67ea9dc8b42e19b2b14c4d4c7d9832151fc12c9be7116e52cff38fedd31ba52a54494d1ef6

Download Submit
\driverSaves\driverSavesPerfsvcCrtNetSvc.exe
Filesize
446KB

MD5
e7f638d65b618a18ae1e54c7fa0ba7cd

SHA1
c4de449c285975920611bda2fe8292978b3b35dc

SHA256
952e00aa519e1684dce658eaff2bdd6275207a8dc1a24102653c5cdaf62f1252

SHA512
2239d241b502ff298449a853b36a8f33d797cc55ce91706ec6b6cf6cada75d366c31e8b9f23665bc3507045f25d757f05d12f8146e7d70df52852c5639d6289b

Download Submit
memory/788-106-0x000000001B0B0000-0x000000001B130000-memory.dmp

Filesize
512KB

Download
memory/788-104-0x0000000000290000-0x00000000003B6000-memory.dmp

Filesize
1.1MB

Download
memory/788-110-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/788-105-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/808-157-0x000007FEF4A00000-0x000007FEF53EC000-memory.dmp

Filesize
9.9MB

Download
memory/808-158-0x000000001B0C0000-0x000000001B140000-memory.dmp

Filesize
512KB

Download
memory/808-164-0x000007FEF4A00000-0x000007FEF53EC000-memory.dmp

Filesize
9.9MB

Download
memory/996-130-0x000007FEF4A00000-0x000007FEF53EC000-memory.dmp

Filesize
9.9MB

Download
memory/996-141-0x000007FEF4A00000-0x000007FEF53EC000-memory.dmp

Filesize
9.9MB

Download
memory/1096-81-0x000007FEF4A00000-0x000007FEF53EC000-memory.dmp

Filesize
9.9MB

Download
memory/1096-76-0x000007FEF4A00000-0x000007FEF53EC000-memory.dmp

Filesize
9.9MB

Download
memory/1496-145-0x000000001AEF0000-0x000000001AF70000-memory.dmp

Filesize
512KB

Download
memory/1496-155-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/1496-144-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/1496-143-0x0000000000F90000-0x00000000010B6000-memory.dmp

Filesize
1.1MB

Download
memory/1812-65-0x000000001B190000-0x000000001B210000-memory.dmp

Filesize
512KB

Download
memory/1812-63-0x000007FEF4A00000-0x000007FEF53EC000-memory.dmp

Filesize
9.9MB

Download
memory/1812-82-0x000007FEF4A00000-0x000007FEF53EC000-memory.dmp

Filesize
9.9MB

Download
memory/1916-71-0x000007FEF4A00000-0x000007FEF53EC000-memory.dmp

Filesize
9.9MB

Download
memory/1916-75-0x000007FEF4A00000-0x000007FEF53EC000-memory.dmp

Filesize
9.9MB

Download
memory/2116-191-0x000007FEF4A00000-0x000007FEF53EC000-memory.dmp

Filesize
9.9MB

Download
memory/2116-190-0x0000000000810000-0x0000000000936000-memory.dmp

Filesize
1.1MB

Download
memory/2116-192-0x000000001B030000-0x000000001B0B0000-memory.dmp

Filesize
512KB

Download
memory/2156-58-0x000007FEF4A00000-0x000007FEF53EC000-memory.dmp

Filesize
9.9MB

Download
memory/2156-53-0x0000000001000000-0x0000000001080000-memory.dmp

Filesize
512KB

Download
memory/2156-51-0x0000000001090000-0x00000000011B6000-memory.dmp

Filesize
1.1MB

Download
memory/2156-52-0x000007FEF4A00000-0x000007FEF53EC000-memory.dmp

Filesize
9.9MB

Download
memory/2220-87-0x000007FEF4A00000-0x000007FEF53EC000-memory.dmp

Filesize
9.9MB

Download
memory/2220-80-0x000007FEF4A00000-0x000007FEF53EC000-memory.dmp

Filesize
9.9MB

Download
memory/2220-83-0x0000000000530000-0x00000000005B0000-memory.dmp

Filesize
512KB

Download
memory/2284-49-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2284-38-0x0000000000A90000-0x0000000000BB6000-memory.dmp

Filesize
1.1MB

Download
memory/2284-39-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2284-40-0x000000001AFE0000-0x000000001B060000-memory.dmp

Filesize
512KB

Download
memory/2292-101-0x000007FEF4A00000-0x000007FEF53EC000-memory.dmp

Filesize
9.9MB

Download
memory/2292-94-0x000007FEF4A00000-0x000007FEF53EC000-memory.dmp

Filesize
9.9MB

Download
memory/2440-166-0x000000001B140000-0x000000001B1C0000-memory.dmp

Filesize
512KB

Download
memory/2440-176-0x000007FEF4A00000-0x000007FEF53EC000-memory.dmp

Filesize
9.9MB

Download
memory/2440-165-0x000007FEF4A00000-0x000007FEF53EC000-memory.dmp

Filesize
9.9MB

Download
memory/2704-126-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2704-131-0x000007FEF4A00000-0x000007FEF53EC000-memory.dmp

Filesize
9.9MB

Download
memory/2704-124-0x0000000000020000-0x0000000000146000-memory.dmp

Filesize
1.1MB

Download
memory/2704-125-0x000007FEF4A00000-0x000007FEF53EC000-memory.dmp

Filesize
9.9MB

Download
memory/2780-26-0x00000000737E0000-0x0000000073D8B000-memory.dmp

Filesize
5.7MB

Download
memory/2780-29-0x00000000022A0000-0x00000000022E0000-memory.dmp

Filesize
256KB

Download
memory/2780-37-0x00000000022A0000-0x00000000022E0000-memory.dmp

Filesize
256KB

Download
memory/2780-27-0x00000000737E0000-0x0000000073D8B000-memory.dmp

Filesize
5.7MB

Download
memory/2780-36-0x00000000737E0000-0x0000000073D8B000-memory.dmp

Filesize
5.7MB

Download
memory/2780-41-0x00000000737E0000-0x0000000073D8B000-memory.dmp

Filesize
5.7MB

Download
memory/2780-30-0x00000000022A0000-0x00000000022E0000-memory.dmp

Filesize
256KB

Download
memory/2780-28-0x00000000022A0000-0x00000000022E0000-memory.dmp

Filesize
256KB

Download
memory/2812-89-0x0000000000520000-0x00000000005A0000-memory.dmp

Filesize
512KB

Download
memory/2812-88-0x000007FEF4A00000-0x000007FEF53EC000-memory.dmp

Filesize
9.9MB

Download
memory/2812-93-0x000007FEF4A00000-0x000007FEF53EC000-memory.dmp

Filesize
9.9MB

Download
memory/2836-57-0x000007FEF4A00000-0x000007FEF53EC000-memory.dmp

Filesize
9.9MB

Download
memory/2836-59-0x000000001B1A0000-0x000000001B220000-memory.dmp

Filesize
512KB

Download
memory/2836-64-0x000007FEF4A00000-0x000007FEF53EC000-memory.dmp

Filesize
9.9MB

Download
memory/2868-180-0x000000001AEF0000-0x000000001AF70000-memory.dmp

Filesize
512KB

Download
memory/2868-188-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2868-179-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2868-178-0x0000000000170000-0x0000000000296000-memory.dmp

Filesize
1.1MB

Download
memory/2924-112-0x000000001AEC0000-0x000000001AF40000-memory.dmp

Filesize
512KB

Download
memory/2924-111-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2924-122-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads