File name:	Fivem-Woofer.exe
Full analysis:	https://app.any.run/tasks/7277dccd-0a7a-4d56-9b51-1340f120a963
Verdict:	Malicious activity
Threats:	DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	March 08, 2025, 14:48:51
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	auto rat dcrat
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (console) x86-64, for MS Windows, 6 sections
MD5:	53FB0718A29D94340A747782F758CDB3
SHA1:	5C7B1B6C23EFBE21525053330F2E23D70EE5D119
SHA256:	8E14D235CAAAFBA051492C6B173364286A57F8D7C51C4B7201362FB7AF18F34E
SSDEEP:	98304:adq6fDBNDMrrM7ZjcCfMNFxYVPVDG73vm7qoVHNorJ/egyxU3w5Yvaxo+YFiOlHq:n6HPnu

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

MachineType:	AMD AMD64
TimeStamp:	2025:02:03 18:33:29+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.42
CodeSize:	503296
InitializedDataSize:	2063360
UninitializedDataSize:	-
EntryPoint:	0x78548
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows command line


(PID) Process:	(1324) certutil.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7
Operation:	write	Name:	Name
Value: szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION
(PID) Process:	(1324) certutil.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7
Operation:	write	Name:	Name
Value: szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION
(PID) Process:	(1324) certutil.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7
Operation:	write	Name:	Name
Value: szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL
(PID) Process:	(5204) ntoskrnl2.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\7455cbbde3db12daf8b799e881ef1ad4f24d6f79
Operation:	write	Name:	da52f2ad8763e29d9bb815ac843e67d0b85e338e
Value: H4sIAAAAAAAEAI2QMU/DMBSE/0rUiUokctOEGjaaBMGAWpVKDDwGE7+0ll9s5OeIIsR/p+1QdanEdMt9p7t7G1V3AK/Gaf/FAE+OoyLCAPBT5OK+KUWdyrmYpYUsylSWt3k6nTdVVc8mdSPF7x7RhBnucHR9jFoGvwmqTx4MISdXO3kzBlh8YlAAH6q1m+AHp9eK7aPn+E9w0XWmxYpMa9d+NbhL2GlJ8jxQND1qo5Ilqdj50AMwDeYM7Q5NMiEEgDZhr5Os3VoAYsV85ju98/LNEftpDuCiZxsc5Ufb+x8IjV1qRgEAAA==
(PID) Process:	(5204) ntoskrnl2.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:	write	Name:	C:\WINDOWS\System32\cmd.exe.FriendlyAppName
Value: Windows Command Processor
(PID) Process:	(5204) ntoskrnl2.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:	write	Name:	C:\WINDOWS\System32\cmd.exe.ApplicationCompany
Value: Microsoft Corporation
(PID) Process:	(8116) slui.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\slui_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(8116) slui.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\slui_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(8116) slui.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\slui_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(8116) slui.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\slui_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:

PID	Process	Filename		Type
5204	ntoskrnl2.exe	C:\found.000\dir0001.chk\lsass.exe		executable
		MD5:C8848D70C25CF0A1E0A4122CAB55E5F8	SHA256:6EBED9F6DE82360A3724C5148EAACED3273CE3E48826492D87DA9D7E978EB6FC
5204	ntoskrnl2.exe	C:\Program Files\Windows Multimedia Platform\a29f4157103644		text
		MD5:00210ED5E67EDA283E84C63C4D71A785	SHA256:86EC437B81D30807AB6A64AF7FC26780370C1A97EB136C6E942FD8664DD262EE
5204	ntoskrnl2.exe	C:\Users\admin\Desktop\oZvGiwLC.log		executable
		MD5:D8BF2A0481C0A17A634D066A711C12E9	SHA256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
5204	ntoskrnl2.exe	C:\found.000\dir0001.chk\6203df4a6bafc7		text
		MD5:730926E7BCC869DC90156EA6D6FB9B0A	SHA256:F5E03F472B5B2AF08F59414841CFB4BD6F3F47D42DEFCB9850C6CBC7C4E0D704
5204	ntoskrnl2.exe	C:\Program Files (x86)\Opera\OfficeClickToRun.exe		executable
		MD5:C8848D70C25CF0A1E0A4122CAB55E5F8	SHA256:6EBED9F6DE82360A3724C5148EAACED3273CE3E48826492D87DA9D7E978EB6FC
5204	ntoskrnl2.exe	C:\Program Files (x86)\Opera\e6c9b481da804f		text
		MD5:AE4328F7AAEEA0D22D2528F5E32D32EE	SHA256:9454FB7409C64D279DF8E571835360845AD06F8275BED1C21ED3411182823AF0
5204	ntoskrnl2.exe	C:\Program Files (x86)\Opera\eddb19405b7ce1		text
		MD5:F053F6203B5567E4E800F97A56F7391D	SHA256:AA449D4BB9507E6C3E7B237C324CC408B53B500779ADD738994A0ABA13E7AE2F
5204	ntoskrnl2.exe	C:\Program Files\Windows Multimedia Platform\slui.exe		executable
		MD5:C8848D70C25CF0A1E0A4122CAB55E5F8	SHA256:6EBED9F6DE82360A3724C5148EAACED3273CE3E48826492D87DA9D7E978EB6FC
5204	ntoskrnl2.exe	C:\Windows\Installer\{420AE50D-8B07-4845-8592-3BECCD71DE80}\Idle.exe		executable
		MD5:C8848D70C25CF0A1E0A4122CAB55E5F8	SHA256:6EBED9F6DE82360A3724C5148EAACED3273CE3E48826492D87DA9D7E978EB6FC
5008	Fivem-Woofer.exe	C:\Windows\System32\ntoskrnl2.exe		executable
		MD5:C8848D70C25CF0A1E0A4122CAB55E5F8	SHA256:6EBED9F6DE82360A3724C5148EAACED3273CE3E48826492D87DA9D7E978EB6FC

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:138	—	—	—	whitelisted
3304	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5008	Fivem-Woofer.exe	104.26.0.5:443	keyauth.win	CLOUDFLARENET	US	malicious
5280	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6576	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2	whitelisted
google.com	172.217.16.142	whitelisted
keyauth.win	104.26.0.5 172.67.72.57 104.26.1.5	malicious
128538cm.n9shteam3.top	—	malicious
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

PID	Process	Class	Message
5008	Fivem-Woofer.exe	Potentially Bad Traffic	ET INFO KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI
2196	svchost.exe	Potentially Bad Traffic	ET INFO KeyAuth Open-source Authentication System Domain in DNS Lookup (keyauth .win)
2196	svchost.exe	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile

General Info

Fivem-Woofer.exe

53FB0718A29D94340A747782F758CDB3

5C7B1B6C23EFBE21525053330F2E23D70EE5D119

8E14D235CAAAFBA051492C6B173364286A57F8D7C51C4B7201362FB7AF18F34E

98304:adq6fDBNDMrrM7ZjcCfMNFxYVPVDG73vm7qoVHNorJ/egyxU3w5Yvaxo+YFiOlHq:n6HPnu

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

DCRAT has been found (auto)

Adds path to the Windows Defender exclusion list

SUSPICIOUS

Starts CMD.EXE for commands execution

Reads the date of Windows installation

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

The process creates files with name similar to system file names

Executed via WMI

Script adds exclusion path to Windows Defender

Starts application with an unusual extension

Executing commands from a ".bat" file

Runs PING.EXE to delay simulation

Starts POWERSHELL.EXE for commands execution

INFO

Checks supported languages

Reads the computer name

Process checks computer location settings

Starts MODE.COM to configure console settings

Reads the machine GUID from the registry

Reads Environment values

Gets the hash of the file via CERTUTIL.EXE

Creates files in the program directory

Create files in a temporary directory

Changes the display of characters in the console

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)

Disables trace logs

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests