dcrat | 40fb662761491390c1e86e0e2d7cfc671b2239a5c3109ee0c76c963cf1f1fd62

General

Target

900eb9fef2464a9f9d8f8e6583bcb8a1.exe
Size

1.4MB
MD5

900eb9fef2464a9f9d8f8e6583bcb8a1
SHA1

5941e80798f6aa3ea56bc4891494a27f55bb2c10
SHA256

40fb662761491390c1e86e0e2d7cfc671b2239a5c3109ee0c76c963cf1f1fd62
SHA512

2f3a72d450c35a96ed9ac40bd889cb558d42d15581d1df91857551dee7f7429ebaa4e6d67cfa8b1f56b590f924306d0ac35bbe880c33ff14933e28291aa2416e

Score

10^/10

dcrat infostealer persistence rat spyware stealer suricata

Malware Config

Signatures

DcRat 10 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

123.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files\\Windows Media Player\\Media Renderer\\taskhostw.exe\""	123.exe
1104	schtasks.exe
416	schtasks.exe
384	schtasks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files\\Windows Media Player\\Media Renderer\\taskhostw.exe\""	123.exe
1792	schtasks.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\taskhostw.exe	123.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Media Renderer\\taskhostw.exe\""	123.exe
3252	schtasks.exe
1148	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

123.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Media Renderer\\taskhostw.exe\""	123.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Media Renderer\\taskhostw.exe\", \"C:\\Windows\\System32\\expand\\fontdrvhost.exe\""	123.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Media Renderer\\taskhostw.exe\", \"C:\\Windows\\System32\\expand\\fontdrvhost.exe\", \"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\dllhost.exe\""	123.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Media Renderer\\taskhostw.exe\", \"C:\\Windows\\System32\\expand\\fontdrvhost.exe\", \"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\dllhost.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\RuntimeBroker.exe\""	123.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Media Renderer\\taskhostw.exe\", \"C:\\Windows\\System32\\expand\\fontdrvhost.exe\", \"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\dllhost.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Apply\\FilesInUse\\1B8BDD37-6418-48C6-B461-DA156486283D\\fontdrvhost.exe\""	123.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Media Renderer\\taskhostw.exe\", \"C:\\Windows\\System32\\expand\\fontdrvhost.exe\", \"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\dllhost.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Apply\\FilesInUse\\1B8BDD37-6418-48C6-B461-DA156486283D\\fontdrvhost.exe\", \"C:\\Windows\\System32\\Sens\\audiodg.exe\""	123.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	1860	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	1860	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	416	1860	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	384	1860	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3252	1860	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	1860	schtasks.exe

suricata: ET MALWARE DCRAT Activity (GET)
suricata: ET MALWARE DCRAT Activity (GET)
suricata
Executes dropped EXE 2 IoCs

Processes:

123.exedllhost.exe

pid process

840 123.exe
1308 dllhost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

123.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\dllhost.exe\""	123.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\RuntimeBroker.exe\""	123.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Microsoft Office\\Updates\\Apply\\FilesInUse\\1B8BDD37-6418-48C6-B461-DA156486283D\\fontdrvhost.exe\""	123.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Microsoft Office\\Updates\\Apply\\FilesInUse\\1B8BDD37-6418-48C6-B461-DA156486283D\\fontdrvhost.exe\""	123.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\System32\\Sens\\audiodg.exe\""	123.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files\\Windows Media Player\\Media Renderer\\taskhostw.exe\""	123.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\expand\\fontdrvhost.exe\""	123.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\expand\\fontdrvhost.exe\""	123.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\System32\\Sens\\audiodg.exe\""	123.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files\\Windows Media Player\\Media Renderer\\taskhostw.exe\""	123.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\dllhost.exe\""	123.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\RuntimeBroker.exe\""	123.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

21 ipinfo.io
22 ipinfo.io
20 ipinfo.io

flow	ioc
21	ipinfo.io
22	ipinfo.io
20	ipinfo.io

Drops file in System32 directory 4 IoCs

Processes:

123.exe

description	ioc	process
File created	C:\Windows\System32\Sens\audiodg.exe	123.exe
File created	C:\Windows\System32\Sens\42af1c969fbb7b	123.exe
File created	C:\Windows\System32\expand\fontdrvhost.exe	123.exe
File created	C:\Windows\System32\expand\5b884080fd4f94	123.exe

Drops file in Program Files directory 5 IoCs

Processes:

123.exe

description	ioc	process
File created	C:\Program Files\Windows Media Player\Media Renderer\ea9f0e6c9e2dcd	123.exe
File created	C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\1B8BDD37-6418-48C6-B461-DA156486283D\fontdrvhost.exe	123.exe
File created	C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\1B8BDD37-6418-48C6-B461-DA156486283D\5b884080fd4f94	123.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\taskhostw.exe	123.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\taskhostw.exe	123.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3252 schtasks.exe
1148 schtasks.exe
1792 schtasks.exe
1104 schtasks.exe
416 schtasks.exe
384 schtasks.exe
Modifies registry class 1 IoCs

Processes:

123.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings 123.exe

pid	process
3252	schtasks.exe
1148	schtasks.exe
1792	schtasks.exe
1104	schtasks.exe
416	schtasks.exe
384	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	123.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

123.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedllhost.exe

pid	process
840	123.exe
536	powershell.exe
2928	powershell.exe
64	powershell.exe
920	powershell.exe
1636	powershell.exe
1508	powershell.exe
2284	powershell.exe
1636	powershell.exe
1508	powershell.exe
2928	powershell.exe
920	powershell.exe
64	powershell.exe
536	powershell.exe
2284	powershell.exe
64	powershell.exe
536	powershell.exe
920	powershell.exe
1508	powershell.exe
2284	powershell.exe
1636	powershell.exe
2928	powershell.exe
1308	dllhost.exe
1308	dllhost.exe
1308	dllhost.exe
1308	dllhost.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

123.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedllhost.exe

description	pid	process
Token: SeDebugPrivilege	840	123.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	64	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	1308	dllhost.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

900eb9fef2464a9f9d8f8e6583bcb8a1.exe123.execmd.exe

description	pid	process	target process
PID 3708 wrote to memory of 840	3708	900eb9fef2464a9f9d8f8e6583bcb8a1.exe	123.exe
PID 3708 wrote to memory of 840	3708	900eb9fef2464a9f9d8f8e6583bcb8a1.exe	123.exe
PID 840 wrote to memory of 536	840	123.exe	powershell.exe
PID 840 wrote to memory of 536	840	123.exe	powershell.exe
PID 840 wrote to memory of 1636	840	123.exe	powershell.exe
PID 840 wrote to memory of 1636	840	123.exe	powershell.exe
PID 840 wrote to memory of 1508	840	123.exe	powershell.exe
PID 840 wrote to memory of 1508	840	123.exe	powershell.exe
PID 840 wrote to memory of 920	840	123.exe	powershell.exe
PID 840 wrote to memory of 920	840	123.exe	powershell.exe
PID 840 wrote to memory of 2928	840	123.exe	powershell.exe
PID 840 wrote to memory of 2928	840	123.exe	powershell.exe
PID 840 wrote to memory of 2284	840	123.exe	powershell.exe
PID 840 wrote to memory of 2284	840	123.exe	powershell.exe
PID 840 wrote to memory of 64	840	123.exe	powershell.exe
PID 840 wrote to memory of 64	840	123.exe	powershell.exe
PID 840 wrote to memory of 1960	840	123.exe	cmd.exe
PID 840 wrote to memory of 1960	840	123.exe	cmd.exe
PID 1960 wrote to memory of 1888	1960	cmd.exe	w32tm.exe
PID 1960 wrote to memory of 1888	1960	cmd.exe	w32tm.exe
PID 1960 wrote to memory of 1308	1960	cmd.exe	dllhost.exe
PID 1960 wrote to memory of 1308	1960	cmd.exe	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\900eb9fef2464a9f9d8f8e6583bcb8a1.exe
"C:\Users\Admin\AppData\Local\Temp\900eb9fef2464a9f9d8f8e6583bcb8a1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3708
- C:\Users\Public\Videos\123.exe
  "C:\Users\Public\Videos\123.exe"
  2⤵
  - DcRat
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\123.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\dllhost.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\expand\fontdrvhost.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Media Renderer\taskhostw.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsHolographicDevices\SpatialStore\RuntimeBroker.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Sens\audiodg.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:64
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\1B8BDD37-6418-48C6-B461-DA156486283D\fontdrvhost.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2284
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kk7CMLuTQW.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:1888
  - - C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\dllhost.exe
      "C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\dllhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Media Renderer\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\expand\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\ProgramData\WindowsHolographicDevices\SpatialStore\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\1B8BDD37-6418-48C6-B461-DA156486283D\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\System32\Sens\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Winlogon Helper DLL

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\dllhost.exe

MD5
59201b09f6fc392bdb47394618c44123

SHA1
cab97b0ebf4d41f9e6105db3a3ebaf47998977e6

SHA256
bb5e6247f19aab28d71dc53718c43d397e2424ea57325c4c213988ea22474da0

SHA512
bdf482b3c6880b2de7c763dd8f5fa6d45b83a332b377d1f68fa540d21d5e1e00dd819b153d47781008b65dd6e96e8aa58ab89bbc7cdb3887d8356662021ed362

Download Submit
C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\dllhost.exe

MD5
59201b09f6fc392bdb47394618c44123

SHA1
cab97b0ebf4d41f9e6105db3a3ebaf47998977e6

SHA256
bb5e6247f19aab28d71dc53718c43d397e2424ea57325c4c213988ea22474da0

SHA512
bdf482b3c6880b2de7c763dd8f5fa6d45b83a332b377d1f68fa540d21d5e1e00dd819b153d47781008b65dd6e96e8aa58ab89bbc7cdb3887d8356662021ed362

Download Submit
C:\Users\Admin\AppData\Local\Temp\kk7CMLuTQW.bat

MD5
cbe19e3de3d40a003dee8d3e7cb5811d

SHA1
6cda5fbfad5509fcd30bd4157b1605aea678bcd6

SHA256
8f66be635649f5430b30fed2a73251026f670b3b3cfce4dfcb21a089ff996428

SHA512
d37ae3822dc206482c7e8723eec1f9570c33cc1655d0025e3a35b315f614525b0bba26a5e6bc6cd6cbcc0a51ec4f0e6ad7478a7131b4d5534310261a0deaefcb

Download Submit
C:\Users\Public\Videos\123.exe

MD5
59201b09f6fc392bdb47394618c44123

SHA1
cab97b0ebf4d41f9e6105db3a3ebaf47998977e6

SHA256
bb5e6247f19aab28d71dc53718c43d397e2424ea57325c4c213988ea22474da0

SHA512
bdf482b3c6880b2de7c763dd8f5fa6d45b83a332b377d1f68fa540d21d5e1e00dd819b153d47781008b65dd6e96e8aa58ab89bbc7cdb3887d8356662021ed362

Download Submit
C:\Users\Public\Videos\123.exe

MD5
59201b09f6fc392bdb47394618c44123

SHA1
cab97b0ebf4d41f9e6105db3a3ebaf47998977e6

SHA256
bb5e6247f19aab28d71dc53718c43d397e2424ea57325c4c213988ea22474da0

SHA512
bdf482b3c6880b2de7c763dd8f5fa6d45b83a332b377d1f68fa540d21d5e1e00dd819b153d47781008b65dd6e96e8aa58ab89bbc7cdb3887d8356662021ed362

Download Submit
memory/64-248-0x000001DF19FB0000-0x000001DF1A050000-memory.dmp

Filesize
640KB

Download
memory/64-176-0x000001DF19FB0000-0x000001DF1A050000-memory.dmp

Filesize
640KB

Download
memory/64-175-0x000001DF19FB0000-0x000001DF1A050000-memory.dmp

Filesize
640KB

Download
memory/536-155-0x0000017D1D530000-0x0000017D1D532000-memory.dmp

Filesize
8KB

Download
memory/536-244-0x0000017D1D536000-0x0000017D1D538000-memory.dmp

Filesize
8KB

Download
memory/536-168-0x0000017D1D533000-0x0000017D1D535000-memory.dmp

Filesize
8KB

Download
memory/536-165-0x0000017D1D4F0000-0x0000017D1D512000-memory.dmp

Filesize
136KB

Download
memory/840-125-0x00000000025E0000-0x00000000025EC000-memory.dmp

Filesize
48KB

Download
memory/840-119-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/840-126-0x00000000025F0000-0x00000000025FC000-memory.dmp

Filesize
48KB

Download
memory/840-117-0x0000000000370000-0x00000000004C8000-memory.dmp

Filesize
1.3MB

Download
memory/840-121-0x0000000002580000-0x000000000258C000-memory.dmp

Filesize
48KB

Download
memory/840-124-0x000000001B8F0000-0x000000001BE16000-memory.dmp

Filesize
5.1MB

Download
memory/840-118-0x000000001B2B0000-0x000000001B2B2000-memory.dmp

Filesize
8KB

Download
memory/840-127-0x0000000002600000-0x000000000260A000-memory.dmp

Filesize
40KB

Download
memory/840-123-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/840-122-0x00000000025A0000-0x00000000025A8000-memory.dmp

Filesize
32KB

Download
memory/840-120-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/920-173-0x0000016821710000-0x00000168397F0000-memory.dmp

Filesize
384.9MB

Download
memory/920-247-0x0000016821710000-0x00000168397F0000-memory.dmp

Filesize
384.9MB

Download
memory/920-177-0x0000016821710000-0x00000168397F0000-memory.dmp

Filesize
384.9MB

Download
memory/1308-213-0x000000001B410000-0x000000001B412000-memory.dmp

Filesize
8KB

Download
memory/1308-214-0x0000000000C00000-0x0000000000C12000-memory.dmp

Filesize
72KB

Download
memory/1308-249-0x000000001DCD0000-0x000000001DE92000-memory.dmp

Filesize
1.8MB

Download
memory/1508-246-0x00000117CA510000-0x00000117E2650000-memory.dmp

Filesize
385.2MB

Download
memory/1508-211-0x00000117E47A0000-0x00000117E4816000-memory.dmp

Filesize
472KB

Download
memory/1508-222-0x00000117CA510000-0x00000117E2650000-memory.dmp

Filesize
385.2MB

Download
memory/1508-167-0x00000117CA510000-0x00000117E2650000-memory.dmp

Filesize
385.2MB

Download
memory/1636-212-0x0000021D12330000-0x0000021D2A500000-memory.dmp

Filesize
385.8MB

Download
memory/1636-166-0x0000021D12330000-0x0000021D2A500000-memory.dmp

Filesize
385.8MB

Download
memory/2284-174-0x0000020A49680000-0x0000020A617E0000-memory.dmp

Filesize
385.4MB

Download
memory/2284-201-0x0000020A49680000-0x0000020A617E0000-memory.dmp

Filesize
385.4MB

Download
memory/2928-170-0x000002466F133000-0x000002466F135000-memory.dmp

Filesize
8KB

Download
memory/2928-169-0x000002466F130000-0x000002466F132000-memory.dmp

Filesize
8KB

Download
memory/2928-245-0x000002466F136000-0x000002466F138000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads