dcrat | 0404ab7a5119b3223c76c18d653bac4e70c7226aabdbbc945cea2672b8867ab1

General

Target

0404ab7a5119b3223c76c18d653bac4e70c7226aabdbbc945cea2672b8867ab1.exe
Size

1.7MB
MD5

e28689bf7ea24c8051fd6e910fd259d4
SHA1

fd55b3eb6123754cdb8dcc1d42f8d9aefa429758
SHA256

0404ab7a5119b3223c76c18d653bac4e70c7226aabdbbc945cea2672b8867ab1
SHA512

32d8d58c0c9178980c6ca8e202cbaa51cba951a4bcee19bf0022d657dbf50012d12e52f77b8f6c0c69a34f0c2ffce883fd9a629f9b3b026ce9039bac73e015aa
SSDEEP

24576:U2G/nvxW3Ww0tpaKkjLB0zOyM6/aAUIFGAqo2mSNgaMhYYSJvL87:UbA308Kk+ze2GAdSNzYSNLQ

Score

10^/10

dcrat execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\AppReadiness\\Registry.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\AppReadiness\\Registry.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Install\\{C02579D9-A0AB-42F6-B7D3-0D46468AED6D}\\lsass.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\AppReadiness\\Registry.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Install\\{C02579D9-A0AB-42F6-B7D3-0D46468AED6D}\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\browserwinsvc.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\AppReadiness\\Registry.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Install\\{C02579D9-A0AB-42F6-B7D3-0D46468AED6D}\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\browserwinsvc.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\backgroundTaskHost.exe\""	browserwinsvc.exe

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	3120	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	3120	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	3120	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	3120	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	3120	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	3120	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	3120	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	3120	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	3120	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	3120	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	3120	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3416	3120	schtasks.exe	89

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x00070000000233e6-10.dat	dcrat
behavioral2/memory/4580-13-0x00000000000C0000-0x0000000000222000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3756	powershell.exe
2136	powershell.exe
4368	powershell.exe
2060	powershell.exe
4488	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	0404ab7a5119b3223c76c18d653bac4e70c7226aabdbbc945cea2672b8867ab1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	browserwinsvc.exe

Executes dropped EXE 2 IoCs

pid	Process
4580	browserwinsvc.exe
2936	browserwinsvc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Install\\{C02579D9-A0AB-42F6-B7D3-0D46468AED6D}\\lsass.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\browserwinsvc = "\"C:\\Recovery\\WindowsRE\\browserwinsvc.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\browserwinsvc = "\"C:\\Recovery\\WindowsRE\\browserwinsvc.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\backgroundTaskHost.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\backgroundTaskHost.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Windows\\AppReadiness\\Registry.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Windows\\AppReadiness\\Registry.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Install\\{C02579D9-A0AB-42F6-B7D3-0D46468AED6D}\\lsass.exe\""	browserwinsvc.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{C02579D9-A0AB-42F6-B7D3-0D46468AED6D}\lsass.exe	browserwinsvc.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{C02579D9-A0AB-42F6-B7D3-0D46468AED6D}\6203df4a6bafc7	browserwinsvc.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exe	browserwinsvc.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\eddb19405b7ce1	browserwinsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\AppReadiness\Registry.exe	browserwinsvc.exe
File opened for modification	C:\Windows\AppReadiness\Registry.exe	browserwinsvc.exe
File created	C:\Windows\AppReadiness\ee2ad38f3d4382	browserwinsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2208	schtasks.exe
3580	schtasks.exe
1896	schtasks.exe
4184	schtasks.exe
2132	schtasks.exe
1168	schtasks.exe
1040	schtasks.exe
2716	schtasks.exe
2700	schtasks.exe
5080	schtasks.exe
3416	schtasks.exe
4292	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	0404ab7a5119b3223c76c18d653bac4e70c7226aabdbbc945cea2672b8867ab1.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
4580	browserwinsvc.exe
4580	browserwinsvc.exe
4580	browserwinsvc.exe
4580	browserwinsvc.exe
4580	browserwinsvc.exe
4580	browserwinsvc.exe
4580	browserwinsvc.exe
4580	browserwinsvc.exe
2060	powershell.exe
2060	powershell.exe
4488	powershell.exe
4488	powershell.exe
2136	powershell.exe
2136	powershell.exe
4368	powershell.exe
4368	powershell.exe
4488	powershell.exe
3756	powershell.exe
3756	powershell.exe
2136	powershell.exe
2936	browserwinsvc.exe
2936	browserwinsvc.exe
2060	powershell.exe
4368	powershell.exe
3756	powershell.exe
2936	browserwinsvc.exe
2936	browserwinsvc.exe
2936	browserwinsvc.exe
2936	browserwinsvc.exe
2936	browserwinsvc.exe
2936	browserwinsvc.exe
2936	browserwinsvc.exe
2936	browserwinsvc.exe
2936	browserwinsvc.exe
2936	browserwinsvc.exe
2936	browserwinsvc.exe
2936	browserwinsvc.exe
2936	browserwinsvc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2936	browserwinsvc.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4580	browserwinsvc.exe
Token: SeDebugPrivilege	4488	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	2936	browserwinsvc.exe
Token: SeDebugPrivilege	3756	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 4392	2152	0404ab7a5119b3223c76c18d653bac4e70c7226aabdbbc945cea2672b8867ab1.exe	83
PID 2152 wrote to memory of 4392	2152	0404ab7a5119b3223c76c18d653bac4e70c7226aabdbbc945cea2672b8867ab1.exe	83
PID 2152 wrote to memory of 4392	2152	0404ab7a5119b3223c76c18d653bac4e70c7226aabdbbc945cea2672b8867ab1.exe	83
PID 4392 wrote to memory of 2956	4392	WScript.exe	86
PID 4392 wrote to memory of 2956	4392	WScript.exe	86
PID 4392 wrote to memory of 2956	4392	WScript.exe	86
PID 2956 wrote to memory of 4580	2956	cmd.exe	88
PID 2956 wrote to memory of 4580	2956	cmd.exe	88
PID 4580 wrote to memory of 3756	4580	browserwinsvc.exe	102
PID 4580 wrote to memory of 3756	4580	browserwinsvc.exe	102
PID 4580 wrote to memory of 4488	4580	browserwinsvc.exe	103
PID 4580 wrote to memory of 4488	4580	browserwinsvc.exe	103
PID 4580 wrote to memory of 2060	4580	browserwinsvc.exe	104
PID 4580 wrote to memory of 2060	4580	browserwinsvc.exe	104
PID 4580 wrote to memory of 4368	4580	browserwinsvc.exe	105
PID 4580 wrote to memory of 4368	4580	browserwinsvc.exe	105
PID 4580 wrote to memory of 2136	4580	browserwinsvc.exe	106
PID 4580 wrote to memory of 2136	4580	browserwinsvc.exe	106
PID 4580 wrote to memory of 2936	4580	browserwinsvc.exe	111
PID 4580 wrote to memory of 2936	4580	browserwinsvc.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0404ab7a5119b3223c76c18d653bac4e70c7226aabdbbc945cea2672b8867ab1.exe
"C:\Users\Admin\AppData\Local\Temp\0404ab7a5119b3223c76c18d653bac4e70c7226aabdbbc945cea2672b8867ab1.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Surrogateprovidercomponentsessionmonitor\v9suh58e6JIt2jtxqqX6.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Surrogateprovidercomponentsessionmonitor\IZ3MUeW4JZESEvbk.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe
      "C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppReadiness\Registry.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{C02579D9-A0AB-42F6-B7D3-0D46468AED6D}\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\browserwinsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
    - - C:\Recovery\WindowsRE\browserwinsvc.exe
        
        "C:\Recovery\WindowsRE\browserwinsvc.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Windows\AppReadiness\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\AppReadiness\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Windows\AppReadiness\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{C02579D9-A0AB-42F6-B7D3-0D46468AED6D}\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{C02579D9-A0AB-42F6-B7D3-0D46468AED6D}\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{C02579D9-A0AB-42F6-B7D3-0D46468AED6D}\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "browserwinsvcb" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\browserwinsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "browserwinsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\browserwinsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "browserwinsvcb" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\browserwinsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Defense Evasion

Modify Registry

2

T1112

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Surrogateprovidercomponentsessionmonitor\IZ3MUeW4JZESEvbk.bat

Filesize
63B

MD5
6de687cf7ca366429c953cb49905b70a

SHA1
58e2c1823c038d8da8a2f042672027184066279e

SHA256
80d02a1cb8e68ffbc609a6c4914600604153ce929d46994200f837d354a5a611

SHA512
6bfa7a07d6adf167458cece0ba3a110479ee7677feb58c0ae9ba5c8913bcdda13664060ce0261abc1668c18831d5c73f6bc570be8595323d46704b810fc024ef

Download Submit
C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe

Filesize
1.4MB

MD5
841209ab771bde66b25dfd03ff84c68a

SHA1
3c23b1e5d84698723316059a0458350c0a67fb91

SHA256
d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4

SHA512
99039987c13b7092ef15fabc7f2a49ea08b41882c41bb27fa776cd13d3cefc7a104e6777530151fbf43e232eba127b29dc6bc5ac9c51f86320800f868a59d160

Download Submit
C:\Surrogateprovidercomponentsessionmonitor\v9suh58e6JIt2jtxqqX6.vbe

Filesize
233B

MD5
a43d6dd506db81004ed806f215426812

SHA1
64393ef16431d921a0b0a4c2e827c4cb31001706

SHA256
146e72957d4b362943fef3010cf3fffa001bdebd71700cdd5086ab89a7991e8d

SHA512
042210ce96a57a688c25ea82fa3caa5ce44fab23d5edc01ee4df478b7a607da3b4c04336c5e695555eb1930b9f310841fe752b87448c02c2da3a4e63de127818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rw4pk3tj.btb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4488-41-0x000002291ED80000-0x000002291EDA2000-memory.dmp

Filesize
136KB

Download
memory/4580-17-0x0000000000960000-0x0000000000968000-memory.dmp

Filesize
32KB

Download
memory/4580-19-0x00000000023C0000-0x00000000023D0000-memory.dmp

Filesize
64KB

Download
memory/4580-21-0x00000000023E0000-0x00000000023EC000-memory.dmp

Filesize
48KB

Download
memory/4580-20-0x00000000023D0000-0x00000000023DA000-memory.dmp

Filesize
40KB

Download
memory/4580-16-0x0000000002410000-0x0000000002460000-memory.dmp

Filesize
320KB

Download
memory/4580-18-0x00000000023A0000-0x00000000023B6000-memory.dmp

Filesize
88KB

Download
memory/4580-15-0x0000000002380000-0x000000000239C000-memory.dmp

Filesize
112KB

Download
memory/4580-14-0x00000000008F0000-0x00000000008FE000-memory.dmp

Filesize
56KB

Download
memory/4580-13-0x00000000000C0000-0x0000000000222000-memory.dmp

Filesize
1.4MB

Download
memory/4580-12-0x00007FFE5B0A3000-0x00007FFE5B0A5000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads