dcrat | 3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755

General

Target

0e444044fdfea512ca18fc3396abb65b.exe
Size

2.4MB
MD5

0e444044fdfea512ca18fc3396abb65b
SHA1

8b601ccad5b2a76967c0ca7579dc13d092307f34
SHA256

3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755
SHA512

7b58b88c7fbcd7b97d1a08f2145794beefa2960382140bac74f1f4fe630cdd0314cd9bceb599a32c56788df1e0e9dccf84c1598c52f9c581389327428696e119
SSDEEP

49152:bkcwlRFUh2b69Cs9MR3uh+tytRY1aLXYqIiiJd2EHt:bkdlRI3ceI1azYqWj

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat 51 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe0e444044fdfea512ca18fc3396abb65b.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4124	schtasks.exe
544	schtasks.exe
3336	schtasks.exe
380	schtasks.exe
4320	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0e444044fdfea512ca18fc3396abb65b.exe
3260	schtasks.exe
2820	schtasks.exe
3908	schtasks.exe
4960	schtasks.exe
1916	schtasks.exe
5036	schtasks.exe
2644	schtasks.exe
4420	schtasks.exe
3248	schtasks.exe
4152	schtasks.exe
1544	schtasks.exe
1052	schtasks.exe
704	schtasks.exe
2220	schtasks.exe
4816	schtasks.exe
2276	schtasks.exe
4128	schtasks.exe
1600	schtasks.exe
4032	schtasks.exe
3088	schtasks.exe
2328	schtasks.exe
4904	schtasks.exe
1116	schtasks.exe
2880	schtasks.exe
3212	schtasks.exe
File created	C:\Program Files (x86)\Common Files\System\es-ES\27d1bcfc3c54e0	0e444044fdfea512ca18fc3396abb65b.exe
File created	C:\Windows\de-DE\24dbde2999530e	0e444044fdfea512ca18fc3396abb65b.exe
1484	schtasks.exe
4420	schtasks.exe
3776	schtasks.exe
2448	schtasks.exe
1856	schtasks.exe
4216	schtasks.exe
4384	schtasks.exe
1952	schtasks.exe
1528	schtasks.exe
4856	schtasks.exe
1348	schtasks.exe
4812	schtasks.exe
2128	schtasks.exe
4508	schtasks.exe
1956	schtasks.exe
4924	schtasks.exe
64	schtasks.exe
4564	schtasks.exe

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3248	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3908	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3260	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	64	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4216	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3776	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3336	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3212	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4128	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	4852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	4852	schtasks.exe

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

0e444044fdfea512ca18fc3396abb65b.exe0e444044fdfea512ca18fc3396abb65b.exeRuntimeBroker.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0e444044fdfea512ca18fc3396abb65b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0e444044fdfea512ca18fc3396abb65b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0e444044fdfea512ca18fc3396abb65b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0e444044fdfea512ca18fc3396abb65b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0e444044fdfea512ca18fc3396abb65b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0e444044fdfea512ca18fc3396abb65b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/224-133-0x0000000000D70000-0x0000000000FE8000-memory.dmp	dcrat
C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\upfc.exe	dcrat
C:\Users\Admin\Links\RuntimeBroker.exe	dcrat
C:\Users\Admin\Links\RuntimeBroker.exe	dcrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0e444044fdfea512ca18fc3396abb65b.exe0e444044fdfea512ca18fc3396abb65b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	0e444044fdfea512ca18fc3396abb65b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	0e444044fdfea512ca18fc3396abb65b.exe

Executes dropped EXE 1 IoCs

Processes:

RuntimeBroker.exe

pid process

996 RuntimeBroker.exe

pid	process
996	RuntimeBroker.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

RuntimeBroker.exe0e444044fdfea512ca18fc3396abb65b.exe0e444044fdfea512ca18fc3396abb65b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0e444044fdfea512ca18fc3396abb65b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0e444044fdfea512ca18fc3396abb65b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0e444044fdfea512ca18fc3396abb65b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0e444044fdfea512ca18fc3396abb65b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe

Drops file in Program Files directory 14 IoCs

Processes:

0e444044fdfea512ca18fc3396abb65b.exe0e444044fdfea512ca18fc3396abb65b.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\System\es-ES\27d1bcfc3c54e0	0e444044fdfea512ca18fc3396abb65b.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\ea1d8f6d871115	0e444044fdfea512ca18fc3396abb65b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\24dbde2999530e	0e444044fdfea512ca18fc3396abb65b.exe
File created	C:\Program Files\Uninstall Information\System.exe	0e444044fdfea512ca18fc3396abb65b.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\9e8d7a4ca61bd9	0e444044fdfea512ca18fc3396abb65b.exe
File created	C:\Program Files\Uninstall Information\27d1bcfc3c54e0	0e444044fdfea512ca18fc3396abb65b.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\upfc.exe	0e444044fdfea512ca18fc3396abb65b.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe	0e444044fdfea512ca18fc3396abb65b.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\6ccacd8608530f	0e444044fdfea512ca18fc3396abb65b.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\unsecapp.exe	0e444044fdfea512ca18fc3396abb65b.exe
File created	C:\Program Files (x86)\Common Files\System\es-ES\System.exe	0e444044fdfea512ca18fc3396abb65b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\WmiPrvSE.exe	0e444044fdfea512ca18fc3396abb65b.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\Idle.exe	0e444044fdfea512ca18fc3396abb65b.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\29c1c3cc0f7685	0e444044fdfea512ca18fc3396abb65b.exe

Drops file in Windows directory 4 IoCs

Processes:

0e444044fdfea512ca18fc3396abb65b.exe0e444044fdfea512ca18fc3396abb65b.exe

description	ioc	process
File created	C:\Windows\de-DE\WmiPrvSE.exe	0e444044fdfea512ca18fc3396abb65b.exe
File created	C:\Windows\de-DE\24dbde2999530e	0e444044fdfea512ca18fc3396abb65b.exe
File created	C:\Windows\Branding\Basebrd\fr-FR\RuntimeBroker.exe	0e444044fdfea512ca18fc3396abb65b.exe
File created	C:\Windows\Branding\Basebrd\fr-FR\9e8d7a4ca61bd9	0e444044fdfea512ca18fc3396abb65b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4152	schtasks.exe
2276	schtasks.exe
4564	schtasks.exe
1544	schtasks.exe
4508	schtasks.exe
1956	schtasks.exe
4856	schtasks.exe
2448	schtasks.exe
3088	schtasks.exe
4216	schtasks.exe
3212	schtasks.exe
4420	schtasks.exe
1600	schtasks.exe
4812	schtasks.exe
3260	schtasks.exe
1856	schtasks.exe
1052	schtasks.exe
4320	schtasks.exe
2644	schtasks.exe
4420	schtasks.exe
3908	schtasks.exe
4816	schtasks.exe
1116	schtasks.exe
4128	schtasks.exe
2220	schtasks.exe
4032	schtasks.exe
2328	schtasks.exe
4960	schtasks.exe
2820	schtasks.exe
380	schtasks.exe
544	schtasks.exe
1484	schtasks.exe
2128	schtasks.exe
4904	schtasks.exe
1952	schtasks.exe
4124	schtasks.exe
2880	schtasks.exe
1916	schtasks.exe
5036	schtasks.exe
704	schtasks.exe
1348	schtasks.exe
4384	schtasks.exe
64	schtasks.exe
4924	schtasks.exe
3248	schtasks.exe
3776	schtasks.exe
3336	schtasks.exe
1528	schtasks.exe

Modifies registry class 2 IoCs

Processes:

0e444044fdfea512ca18fc3396abb65b.exe0e444044fdfea512ca18fc3396abb65b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	0e444044fdfea512ca18fc3396abb65b.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	0e444044fdfea512ca18fc3396abb65b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0e444044fdfea512ca18fc3396abb65b.exe0e444044fdfea512ca18fc3396abb65b.exeRuntimeBroker.exe

pid	process
224	0e444044fdfea512ca18fc3396abb65b.exe
224	0e444044fdfea512ca18fc3396abb65b.exe
224	0e444044fdfea512ca18fc3396abb65b.exe
224	0e444044fdfea512ca18fc3396abb65b.exe
224	0e444044fdfea512ca18fc3396abb65b.exe
3692	0e444044fdfea512ca18fc3396abb65b.exe
3692	0e444044fdfea512ca18fc3396abb65b.exe
3692	0e444044fdfea512ca18fc3396abb65b.exe
3692	0e444044fdfea512ca18fc3396abb65b.exe
3692	0e444044fdfea512ca18fc3396abb65b.exe
3692	0e444044fdfea512ca18fc3396abb65b.exe
3692	0e444044fdfea512ca18fc3396abb65b.exe
3692	0e444044fdfea512ca18fc3396abb65b.exe
3692	0e444044fdfea512ca18fc3396abb65b.exe
3692	0e444044fdfea512ca18fc3396abb65b.exe
3692	0e444044fdfea512ca18fc3396abb65b.exe
3692	0e444044fdfea512ca18fc3396abb65b.exe
3692	0e444044fdfea512ca18fc3396abb65b.exe
3692	0e444044fdfea512ca18fc3396abb65b.exe
3692	0e444044fdfea512ca18fc3396abb65b.exe
3692	0e444044fdfea512ca18fc3396abb65b.exe
3692	0e444044fdfea512ca18fc3396abb65b.exe
3692	0e444044fdfea512ca18fc3396abb65b.exe
3692	0e444044fdfea512ca18fc3396abb65b.exe
3692	0e444044fdfea512ca18fc3396abb65b.exe
3692	0e444044fdfea512ca18fc3396abb65b.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe
996	RuntimeBroker.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RuntimeBroker.exe

pid process

996 RuntimeBroker.exe

pid	process
996	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

0e444044fdfea512ca18fc3396abb65b.exe0e444044fdfea512ca18fc3396abb65b.exeRuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	224	0e444044fdfea512ca18fc3396abb65b.exe
Token: SeDebugPrivilege	3692	0e444044fdfea512ca18fc3396abb65b.exe
Token: SeDebugPrivilege	996	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0e444044fdfea512ca18fc3396abb65b.execmd.exe0e444044fdfea512ca18fc3396abb65b.execmd.exe

description	pid	process	target process
PID 224 wrote to memory of 2008	224	0e444044fdfea512ca18fc3396abb65b.exe	cmd.exe
PID 224 wrote to memory of 2008	224	0e444044fdfea512ca18fc3396abb65b.exe	cmd.exe
PID 2008 wrote to memory of 4692	2008	cmd.exe	w32tm.exe
PID 2008 wrote to memory of 4692	2008	cmd.exe	w32tm.exe
PID 2008 wrote to memory of 3692	2008	cmd.exe	0e444044fdfea512ca18fc3396abb65b.exe
PID 2008 wrote to memory of 3692	2008	cmd.exe	0e444044fdfea512ca18fc3396abb65b.exe
PID 3692 wrote to memory of 1484	3692	0e444044fdfea512ca18fc3396abb65b.exe	cmd.exe
PID 3692 wrote to memory of 1484	3692	0e444044fdfea512ca18fc3396abb65b.exe	cmd.exe
PID 1484 wrote to memory of 4732	1484	cmd.exe	w32tm.exe
PID 1484 wrote to memory of 4732	1484	cmd.exe	w32tm.exe
PID 1484 wrote to memory of 996	1484	cmd.exe	RuntimeBroker.exe
PID 1484 wrote to memory of 996	1484	cmd.exe	RuntimeBroker.exe

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

Processes:

0e444044fdfea512ca18fc3396abb65b.exe0e444044fdfea512ca18fc3396abb65b.exeRuntimeBroker.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0e444044fdfea512ca18fc3396abb65b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0e444044fdfea512ca18fc3396abb65b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0e444044fdfea512ca18fc3396abb65b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0e444044fdfea512ca18fc3396abb65b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0e444044fdfea512ca18fc3396abb65b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0e444044fdfea512ca18fc3396abb65b.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0e444044fdfea512ca18fc3396abb65b.exe
"C:\Users\Admin\AppData\Local\Temp\0e444044fdfea512ca18fc3396abb65b.exe"
1⤵
- DcRat
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:224
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bfl7XIBvmU.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4692
- - C:\Users\Admin\AppData\Local\Temp\0e444044fdfea512ca18fc3396abb65b.exe
    "C:\Users\Admin\AppData\Local\Temp\0e444044fdfea512ca18fc3396abb65b.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:3692
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JuJ5QxI6Wj.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1484
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:4732
    - - C:\Users\Admin\Links\RuntimeBroker.exe
        
        "C:\Users\Admin\Links\RuntimeBroker.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\odt\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\System\es-ES\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\System\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Public\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Public\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\upfc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:64

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\odt\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Links\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Links\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Links\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\unsecapp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\Branding\Basebrd\fr-FR\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\Branding\Basebrd\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Bypass User Account Control

Scheduled Task

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\upfc.exe

Filesize
2.4MB

MD5
0e444044fdfea512ca18fc3396abb65b

SHA1
8b601ccad5b2a76967c0ca7579dc13d092307f34

SHA256
3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755

SHA512
7b58b88c7fbcd7b97d1a08f2145794beefa2960382140bac74f1f4fe630cdd0314cd9bceb599a32c56788df1e0e9dccf84c1598c52f9c581389327428696e119

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\0e444044fdfea512ca18fc3396abb65b.exe.log

Filesize
1KB

MD5
c6ecc3bc2cdd7883e4f2039a5a5cf884

SHA1
20c9dd2a200e4b0390d490a7a76fa184bfc78151

SHA256
b3d90663a46ee5333f8f99df4d43c0c76bf3902e3ba3ab36c0903027176d340d

SHA512
892a8f8e50ff350e790e1543032c64b3e1c050198b1810f89b6ce8a23de947a3e8299e880f0e79da7e4b5373a6b95e7dd7814cd5d7406a1553ef104ff2ff091e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bfl7XIBvmU.bat

Filesize
235B

MD5
ab5e26cda1275839ef312afa621137ca

SHA1
6a2b72643be8b69590d81678c3b27373b32b8d9a

SHA256
ebc0b9f121409ec0e15efe219795ad1099829f5f40fe72d684dfe999c18cea90

SHA512
964e2d242e583804915226d501af56403e7618b94ca9ca9ab772945b27ff010ccf14a3b36fd72d23920a843a94694aa978d9ba40929527e623fbee9c63420749

Download Submit
C:\Users\Admin\AppData\Local\Temp\JuJ5QxI6Wj.bat

Filesize
203B

MD5
801ba7f126e7b8a5bf996b8e775e4978

SHA1
57ecc320b20b12e06bac8768d5a58f7be6529cd6

SHA256
b55f6aeb46cea058f8613f6c240062096ccb4591f67c2fe7d8e33cb0724191d3

SHA512
6074efc641f3b10d59d4edfa816b776452575c45f3604877f88213d961fd2dcbef824b0d490e7c13b20cea8d1b774c3ce6085048775ac33ae377017d778fbfdd

Download Submit
C:\Users\Admin\Links\RuntimeBroker.exe

Filesize
2.4MB

MD5
0e444044fdfea512ca18fc3396abb65b

SHA1
8b601ccad5b2a76967c0ca7579dc13d092307f34

SHA256
3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755

SHA512
7b58b88c7fbcd7b97d1a08f2145794beefa2960382140bac74f1f4fe630cdd0314cd9bceb599a32c56788df1e0e9dccf84c1598c52f9c581389327428696e119

Download Submit
C:\Users\Admin\Links\RuntimeBroker.exe

Filesize
2.4MB

MD5
0e444044fdfea512ca18fc3396abb65b

SHA1
8b601ccad5b2a76967c0ca7579dc13d092307f34

SHA256
3041f94ecddb3116d07dc174c4297b43d022b48282df8acc25dfac2ffc5b0755

SHA512
7b58b88c7fbcd7b97d1a08f2145794beefa2960382140bac74f1f4fe630cdd0314cd9bceb599a32c56788df1e0e9dccf84c1598c52f9c581389327428696e119

Download Submit
memory/224-133-0x0000000000D70000-0x0000000000FE8000-memory.dmp

Filesize
2.5MB

Download
memory/224-134-0x000000001D180000-0x000000001D190000-memory.dmp

Filesize
64KB

Download
memory/224-135-0x000000001D120000-0x000000001D170000-memory.dmp

Filesize
320KB

Download
memory/3692-149-0x000000001C9E0000-0x000000001C9F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads