dcrat | 217c37e7c32187616ece92b2a79d53b7bbdcdddb4fd34defaf3a1a59e5f641c2

Analysis

max time kernel
94s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2025 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0525b7e6060d595fa110a4f468a021a8.exe
Size

1.8MB
MD5

0525b7e6060d595fa110a4f468a021a8
SHA1

cdd9e1dd4b69ba4917741496f7b9c5d24f76e13b
SHA256

217c37e7c32187616ece92b2a79d53b7bbdcdddb4fd34defaf3a1a59e5f641c2
SHA512

a2e841cc5b57d4397393fdc2c225e5efbef00d991e955955aa8ffd75721acf8724bf1e1bbb502e3e07681adf4fd265718141ca2e4d92372dcc7c96d338fc2b5f
SSDEEP

49152:bBIqIVwuuaS/hq15Q4B6wq8QsNly9yi5PV3/a:lyiuuaHAw/9Ly9f5PJC

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	3920	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	3920	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4200	3920	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	3920	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	3920	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	3920	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	3920	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	3920	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	3920	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4148	3920	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	3920	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	3920	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	3920	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	3920	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	3920	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	3920	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	3920	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3364	3920	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	3920	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	3920	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	3920	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	3920	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	3920	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3252	3920	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	3920	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	3920	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	3920	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	3920	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	3920	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	3920	schtasks.exe	89

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/440-23-0x0000000000560000-0x0000000000968000-memory.dmp	dcrat
behavioral2/memory/440-62-0x0000000000560000-0x0000000000968000-memory.dmp	dcrat
behavioral2/memory/2012-63-0x0000000000040000-0x0000000000448000-memory.dmp	dcrat
behavioral2/memory/2012-64-0x0000000000040000-0x0000000000448000-memory.dmp	dcrat
behavioral2/memory/2012-72-0x0000000000040000-0x0000000000448000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	0525b7e6060d595fa110a4f468a021a8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	work.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	dwaw.exe

Executes dropped EXE 3 IoCs

pid	Process
4088	work.exe
440	dwaw.exe
2012	RuntimeBroker.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
440	dwaw.exe
2012	RuntimeBroker.exe
2012	RuntimeBroker.exe
2012	RuntimeBroker.exe
2012	RuntimeBroker.exe
2012	RuntimeBroker.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\TextInputHost.exe	dwaw.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\22eafd247d37c3	dwaw.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\fontdrvhost.exe	dwaw.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\5b884080fd4f94	dwaw.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe	dwaw.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\886983d96e3d3e	dwaw.exe
File created	C:\Program Files (x86)\Windows Defender\uk-UA\sihost.exe	dwaw.exe
File created	C:\Program Files (x86)\Windows Defender\uk-UA\66fc9ff0ee96c2	dwaw.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Sun\Java\ee2ad38f3d4382	dwaw.exe
File created	C:\Windows\Branding\RuntimeBroker.exe	dwaw.exe
File created	C:\Windows\Branding\9e8d7a4ca61bd9	dwaw.exe
File created	C:\Windows\Sun\Java\Registry.exe	dwaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0525b7e6060d595fa110a4f468a021a8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	work.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5084	schtasks.exe
740	schtasks.exe
1868	schtasks.exe
4980	schtasks.exe
4400	schtasks.exe
4752	schtasks.exe
4148	schtasks.exe
1856	schtasks.exe
2860	schtasks.exe
3220	schtasks.exe
1768	schtasks.exe
4296	schtasks.exe
3944	schtasks.exe
3252	schtasks.exe
4308	schtasks.exe
4176	schtasks.exe
4200	schtasks.exe
2616	schtasks.exe
5088	schtasks.exe
3656	schtasks.exe
3364	schtasks.exe
4876	schtasks.exe
4956	schtasks.exe
1388	schtasks.exe
1680	schtasks.exe
4476	schtasks.exe
1624	schtasks.exe
2972	schtasks.exe
4504	schtasks.exe
1728	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
440	dwaw.exe
440	dwaw.exe
440	dwaw.exe
440	dwaw.exe
440	dwaw.exe
440	dwaw.exe
440	dwaw.exe
440	dwaw.exe
440	dwaw.exe
440	dwaw.exe
440	dwaw.exe
2012	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	440	dwaw.exe
Token: SeDebugPrivilege	2012	RuntimeBroker.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
440	dwaw.exe
2012	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 3804	220	0525b7e6060d595fa110a4f468a021a8.exe	84
PID 220 wrote to memory of 3804	220	0525b7e6060d595fa110a4f468a021a8.exe	84
PID 220 wrote to memory of 3804	220	0525b7e6060d595fa110a4f468a021a8.exe	84
PID 3804 wrote to memory of 4088	3804	cmd.exe	87
PID 3804 wrote to memory of 4088	3804	cmd.exe	87
PID 3804 wrote to memory of 4088	3804	cmd.exe	87
PID 4088 wrote to memory of 440	4088	work.exe	88
PID 4088 wrote to memory of 440	4088	work.exe	88
PID 4088 wrote to memory of 440	4088	work.exe	88
PID 440 wrote to memory of 2012	440	dwaw.exe	120
PID 440 wrote to memory of 2012	440	dwaw.exe	120
PID 440 wrote to memory of 2012	440	dwaw.exe	120

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0525b7e6060d595fa110a4f468a021a8.exe
"C:\Users\Admin\AppData\Local\Temp\0525b7e6060d595fa110a4f468a021a8.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
    work.exe -priverdD
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\dwaw.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\dwaw.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Program Files directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:440
    - - C:\Users\Public\Downloads\RuntimeBroker.exe
        
        "C:\Users\Public\Downloads\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\Branding\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Branding\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\Branding\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Downloads\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Downloads\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Windows\Sun\Java\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Windows\Sun\Java\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
35B

MD5
ff59d999beb970447667695ce3273f75

SHA1
316fa09f467ba90ac34a054daf2e92e6e2854ff8

SHA256
065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

SHA512
d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

Filesize
1.7MB

MD5
a3ef36f9ba80480afdc9ef13a44ef7a7

SHA1
990f0cc1699f9a6547843a4b632380bc9116a6c3

SHA256
4d2e074aa4ab9dfbcf256e9e251cd30a9b1008b5ae6a7cc3bf73adced014a1bf

SHA512
f7c899293b8ed07b3f83f061109c1343306a662cb8af6f547604c1f694a6864defa8d9af1aa7ee1e345d41a493b412ef31a7d03eefa451a7522a3ec9a78ade64

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\dwaw.exe

Filesize
1.4MB

MD5
61fd97a52a127b8e338e30c2eaf71f13

SHA1
f285da8ac1585dbbd82fb5d77fbcc223995b4fc6

SHA256
c4fe571cf266ccc21df800b613095b663d2c5b95a451ad98fb0242ee3efd67d1

SHA512
0dca3721fa3e18ddcfe59d243d9911b408577d63cc89ae659eb8be9a706f243a329d49e068e35404178cea28e737a00c79f170871e336ff16efbf725d1edda36

Download Submit
memory/440-27-0x0000000006220000-0x0000000006236000-memory.dmp

Filesize
88KB

Download
memory/440-23-0x0000000000560000-0x0000000000968000-memory.dmp

Filesize
4.0MB

Download
memory/440-24-0x0000000006540000-0x0000000006AE4000-memory.dmp

Filesize
5.6MB

Download
memory/440-25-0x0000000005910000-0x000000000592C000-memory.dmp

Filesize
112KB

Download
memory/440-26-0x0000000006270000-0x00000000062C0000-memory.dmp

Filesize
320KB

Download
memory/440-22-0x0000000000560000-0x0000000000968000-memory.dmp

Filesize
4.0MB

Download
memory/440-30-0x0000000006430000-0x0000000006496000-memory.dmp

Filesize
408KB

Download
memory/440-62-0x0000000000560000-0x0000000000968000-memory.dmp

Filesize
4.0MB

Download
memory/2012-58-0x0000000000040000-0x0000000000448000-memory.dmp

Filesize
4.0MB

Download
memory/2012-63-0x0000000000040000-0x0000000000448000-memory.dmp

Filesize
4.0MB

Download
memory/2012-64-0x0000000000040000-0x0000000000448000-memory.dmp

Filesize
4.0MB

Download
memory/2012-66-0x0000000000040000-0x0000000000448000-memory.dmp

Filesize
4.0MB

Download
memory/2012-72-0x0000000000040000-0x0000000000448000-memory.dmp

Filesize
4.0MB

Download