dcrat | 7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445

General

Target

12dcc1cafbf752f84a12d3bed14cd6e2.exe
Size

2.6MB
MD5

12dcc1cafbf752f84a12d3bed14cd6e2
SHA1

9ebf8e2fef206cefff0cb2474f284869827e6e45
SHA256

7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445
SHA512

e6d535bbf3a65d225f7a6b8fd500952774a8664daea4e091fa9dd4d0a6538a150089ff38271ff345c91a76518c2094dbb59a2ff92d7fc24cdf2d66d4fcdd1a27
SSDEEP

49152:EZjcfg3kx6GhHszTNMdkdOYY/Z5K0eR/SRXtbqayyLsPZqGXkcZAo:nY0UwmOTBU5R+dbqzTB

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2808	schtasks.exe	31

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	12dcc1cafbf752f84a12d3bed14cd6e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	12dcc1cafbf752f84a12d3bed14cd6e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	12dcc1cafbf752f84a12d3bed14cd6e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2528-1-0x0000000000E50000-0x00000000010F8000-memory.dmp	dcrat
behavioral1/files/0x0006000000018f53-27.dat	dcrat
behavioral1/files/0x00070000000190e0-58.dat	dcrat
behavioral1/files/0x000a000000016d46-69.dat	dcrat
behavioral1/files/0x000c000000016dd7-82.dat	dcrat
behavioral1/files/0x000d000000016dd7-92.dat	dcrat
behavioral1/files/0x0006000000019244-121.dat	dcrat
behavioral1/memory/1448-128-0x0000000000280000-0x0000000000528000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
1448	System.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	12dcc1cafbf752f84a12d3bed14cd6e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	12dcc1cafbf752f84a12d3bed14cd6e2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\System.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\Idle.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\27d1bcfc3c54e0	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\RCXD78C.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RCXE751.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RCXE7BF.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\Idle.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\6ccacd8608530f	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\System.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\RCXD78D.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Downloaded Program Files\RCXE099.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCXE107.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Windows\Downloaded Program Files\wininit.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Windows\Downloaded Program Files\wininit.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Windows\Downloaded Program Files\56085415360792	12dcc1cafbf752f84a12d3bed14cd6e2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1468	schtasks.exe
2720	schtasks.exe
2596	schtasks.exe
2096	schtasks.exe
2660	schtasks.exe
2704	schtasks.exe
2892	schtasks.exe
2108	schtasks.exe
2044	schtasks.exe
2924	schtasks.exe
1944	schtasks.exe
2856	schtasks.exe
1552	schtasks.exe
2736	schtasks.exe
2208	schtasks.exe
1436	schtasks.exe
2932	schtasks.exe
2644	schtasks.exe
2164	schtasks.exe
792	schtasks.exe
2940	schtasks.exe
2956	schtasks.exe
2700	schtasks.exe
1636	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2528	12dcc1cafbf752f84a12d3bed14cd6e2.exe
2528	12dcc1cafbf752f84a12d3bed14cd6e2.exe
2528	12dcc1cafbf752f84a12d3bed14cd6e2.exe
1448	System.exe
1448	System.exe
1448	System.exe
1448	System.exe
1448	System.exe
1448	System.exe
1448	System.exe
1448	System.exe
1448	System.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1448	System.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2528	12dcc1cafbf752f84a12d3bed14cd6e2.exe
Token: SeDebugPrivilege	1448	System.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 1448	2528	12dcc1cafbf752f84a12d3bed14cd6e2.exe	56
PID 2528 wrote to memory of 1448	2528	12dcc1cafbf752f84a12d3bed14cd6e2.exe	56
PID 2528 wrote to memory of 1448	2528	12dcc1cafbf752f84a12d3bed14cd6e2.exe	56

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	12dcc1cafbf752f84a12d3bed14cd6e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	12dcc1cafbf752f84a12d3bed14cd6e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	12dcc1cafbf752f84a12d3bed14cd6e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\12dcc1cafbf752f84a12d3bed14cd6e2.exe
"C:\Users\Admin\AppData\Local\Temp\12dcc1cafbf752f84a12d3bed14cd6e2.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2528
- C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\System.exe
  "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\System.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Skins\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "12dcc1cafbf752f84a12d3bed14cd6e21" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\12dcc1cafbf752f84a12d3bed14cd6e2.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "12dcc1cafbf752f84a12d3bed14cd6e2" /sc ONLOGON /tr "'C:\Users\Default User\12dcc1cafbf752f84a12d3bed14cd6e2.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "12dcc1cafbf752f84a12d3bed14cd6e21" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\12dcc1cafbf752f84a12d3bed14cd6e2.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\Downloaded Program Files\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\Downloaded Program Files\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\RCXDE76.tmp

Filesize
2.6MB

MD5
02911d19174feb724cd47570d4188a58

SHA1
9b5a3e306b44cf73cb6b6f02b7355843029dcb8f

SHA256
dce2e3db78a32c0826767f5cb2c40f909b91d0db2209215939b5d6fbacc1df2e

SHA512
1de27f7ed6118691cfe59543a0f00c692d58ca46991ad7ecae936435cd79da97c4e56bee97bb8e14a9d9c171ef34789a812c47cc9b2991eb896be88f48c2c9b0

Download Submit
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\System.exe

Filesize
2.6MB

MD5
815319b5c4f6c69ea9593e7b725e9636

SHA1
e1c782ccbecc109a5beb7368d02ac35182937efe

SHA256
bc9e8d0e1541cb75e8e206075f098437b7923ca48bc17cc81e8cd071d3fc0c22

SHA512
fa310c41fbbe82065a028894112bdac2b85f9ee73e359a4c473aec490f0e41834a1dd8021237094908b4bb07c2f004d390f8918401d144bca0f166472fe17697

Download Submit
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe

Filesize
2.6MB

MD5
a6df87ddc91bc4e3476daeab632c09c3

SHA1
2a1c31410d79651102394c4cf9323a27b6b8600f

SHA256
a436a2a835c411ba1f6184872d963284028ef33d6137d6d2629ccdee28af8776

SHA512
2103b6f9c7420d101b6017cb8a557870d1a37cbaa7186a643c27fcb0d2d6bb834c26cbc8de29452ade10a070db7b6142fef4329977dded3d08a7ba81e508b955

Download Submit
C:\Users\Default\12dcc1cafbf752f84a12d3bed14cd6e2.exe

Filesize
2.6MB

MD5
440abd1272ea5a7cd69c38750046447e

SHA1
fc68a1c81309057f887706f1a68f5dcf67710b9e

SHA256
e4260bee8372e2c5cefbf731d0ec0d5dcd76a1154c61446c001e5d3e22c879be

SHA512
47b0808b3eb1596e8b99b1dbc0897a2c0080760297d8999d586ac309176d83b44f1e0b0ed50963cf10f40d95587646bbda6e71a1d0acfc12d4a658a3bb7d2237

Download Submit
C:\Windows\Downloaded Program Files\wininit.exe

Filesize
2.6MB

MD5
12dcc1cafbf752f84a12d3bed14cd6e2

SHA1
9ebf8e2fef206cefff0cb2474f284869827e6e45

SHA256
7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445

SHA512
e6d535bbf3a65d225f7a6b8fd500952774a8664daea4e091fa9dd4d0a6538a150089ff38271ff345c91a76518c2094dbb59a2ff92d7fc24cdf2d66d4fcdd1a27

Download Submit
C:\Windows\Downloaded Program Files\wininit.exe

Filesize
2.6MB

MD5
9c6c93f7a4f1984e4d6087188186c33d

SHA1
1407c49a2668ab51b3bb4a42be5f178a0ae25baa

SHA256
0cb9b50ce28ec16d25c2e34e62d0100487793788f7fef5e2a5fa26dd89aac0af

SHA512
f0e83c49472d02e664ff812e025af9b2bc1e04f9d9f09f55b6364e3e422fb589b232152543fe75db6ed4798b2115b68bf425112a95e98f95e5c8be114b44e0d5

Download Submit
memory/1448-130-0x000000001A8A0000-0x000000001A8B2000-memory.dmp

Filesize
72KB

Download
memory/1448-128-0x0000000000280000-0x0000000000528000-memory.dmp

Filesize
2.7MB

Download
memory/2528-7-0x0000000000BF0000-0x0000000000C06000-memory.dmp

Filesize
88KB

Download
memory/2528-17-0x0000000002530000-0x000000000253C000-memory.dmp

Filesize
48KB

Download
memory/2528-10-0x0000000000C20000-0x0000000000C76000-memory.dmp

Filesize
344KB

Download
memory/2528-11-0x00000000006A0000-0x00000000006A8000-memory.dmp

Filesize
32KB

Download
memory/2528-12-0x0000000000C70000-0x0000000000C82000-memory.dmp

Filesize
72KB

Download
memory/2528-13-0x0000000000E40000-0x0000000000E48000-memory.dmp

Filesize
32KB

Download
memory/2528-14-0x0000000002500000-0x0000000002508000-memory.dmp

Filesize
32KB

Download
memory/2528-15-0x0000000002510000-0x000000000251C000-memory.dmp

Filesize
48KB

Download
memory/2528-16-0x0000000002520000-0x000000000252E000-memory.dmp

Filesize
56KB

Download
memory/2528-9-0x0000000000C10000-0x0000000000C1A000-memory.dmp

Filesize
40KB

Download
memory/2528-18-0x0000000002540000-0x000000000254A000-memory.dmp

Filesize
40KB

Download
memory/2528-8-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/2528-0-0x000007FEF5B63000-0x000007FEF5B64000-memory.dmp

Filesize
4KB

Download
memory/2528-6-0x0000000000380000-0x0000000000390000-memory.dmp

Filesize
64KB

Download
memory/2528-5-0x00000000002F0000-0x00000000002F8000-memory.dmp

Filesize
32KB

Download
memory/2528-4-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/2528-3-0x00000000002C0000-0x00000000002CE000-memory.dmp

Filesize
56KB

Download
memory/2528-2-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/2528-129-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/2528-1-0x0000000000E50000-0x00000000010F8000-memory.dmp

Filesize
2.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads