dcrat | 9e58d61752c75ce86abc03005f0c75d9e2cf8218a5245d84ccc9abd9fe7a265d

General

Target

9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
Size

1.1MB
MD5

ba182fd81a486ddb460723be522ce562
SHA1

5dc2ad0fa9c62f91ecae3322d433640694248023
SHA256

9e58d61752c75ce86abc03005f0c75d9e2cf8218a5245d84ccc9abd9fe7a265d
SHA512

077c9beda4f04f5c472f5699ceaee7f3bd0ffed3272c24ce2ace2a926d003f5a2a7e75f7ecc5c1b98ccd8be0c486de97e98cb80965d5b94b46cdd453378df398
SSDEEP

24576:G4VHpBN/oi3FLVAdz3+H1jGt/OzwiI6bHeWsgFFNhtA:G4BpwiVRVjGJfuKWsgFLht

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	1292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4276	1292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	1292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	1292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	1292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	1292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	1292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	1292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	1292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	1292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	1292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	1292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	64	1292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3412	1292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	1292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	1292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	1292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3844	1292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3376	1292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3448	1292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	1292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3784	1292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	1292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	1292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	1292	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	1292	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4376-133-0x00000000003C0000-0x00000000004E6000-memory.dmp	dcrat
C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe	dcrat
C:\Program Files (x86)\Windows Sidebar\fontdrvhost.exe	dcrat
C:\Program Files (x86)\Windows Sidebar\fontdrvhost.exe	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe

Executes dropped EXE 1 IoCs

Processes:

fontdrvhost.exe

pid process

2204 fontdrvhost.exe

pid	process
2204	fontdrvhost.exe

Drops file in Program Files directory 10 IoCs

Processes:

9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Media Player\en-US\9e8d7a4ca61bd9	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
File created	C:\Program Files (x86)\Windows Portable Devices\StartMenuExperienceHost.exe	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
File created	C:\Program Files (x86)\Windows Portable Devices\55b276f4edf653	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\9e8d7a4ca61bd9	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
File created	C:\Program Files (x86)\Windows Sidebar\fontdrvhost.exe	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
File created	C:\Program Files (x86)\Windows Sidebar\5b884080fd4f94	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
File created	C:\Program Files (x86)\Windows Portable Devices\wininit.exe	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
File created	C:\Program Files (x86)\Windows Portable Devices\56085415360792	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\RuntimeBroker.exe	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe

Drops file in Windows directory 2 IoCs

Processes:

9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe

description	ioc	process
File created	C:\Windows\ShellExperiences\sysmon.exe	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
File created	C:\Windows\ShellExperiences\121e5b5079f7c0	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
844	schtasks.exe
216	schtasks.exe
2912	schtasks.exe
4704	schtasks.exe
1172	schtasks.exe
64	schtasks.exe
2540	schtasks.exe
4964	schtasks.exe
1724	schtasks.exe
1608	schtasks.exe
3000	schtasks.exe
3448	schtasks.exe
4576	schtasks.exe
4248	schtasks.exe
3952	schtasks.exe
3916	schtasks.exe
1824	schtasks.exe
3784	schtasks.exe
1132	schtasks.exe
2352	schtasks.exe
2024	schtasks.exe
3844	schtasks.exe
3376	schtasks.exe
4276	schtasks.exe
3764	schtasks.exe
316	schtasks.exe
3412	schtasks.exe

Modifies registry class 1 IoCs

Processes:

9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exefontdrvhost.exe

pid	process
4376	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
4376	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
4376	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
4376	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
4376	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
4376	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
4376	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
4376	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
4376	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
4376	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
4376	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
4376	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
4376	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
4376	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
4376	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
4376	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
2204	fontdrvhost.exe
2204	fontdrvhost.exe
2204	fontdrvhost.exe
2204	fontdrvhost.exe
2204	fontdrvhost.exe
2204	fontdrvhost.exe
2204	fontdrvhost.exe
2204	fontdrvhost.exe
2204	fontdrvhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

fontdrvhost.exe

pid process

2204 fontdrvhost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exefontdrvhost.exe

description pid process

Token: SeDebugPrivilege 4376 9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
Token: SeDebugPrivilege 2204 fontdrvhost.exe

pid	process
2204	fontdrvhost.exe

description	pid	process
Token: SeDebugPrivilege	4376	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
Token: SeDebugPrivilege	2204	fontdrvhost.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.execmd.exe

description	pid	process	target process
PID 4376 wrote to memory of 852	4376	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe	cmd.exe
PID 4376 wrote to memory of 852	4376	9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe	cmd.exe
PID 852 wrote to memory of 4724	852	cmd.exe	w32tm.exe
PID 852 wrote to memory of 4724	852	cmd.exe	w32tm.exe
PID 852 wrote to memory of 2204	852	cmd.exe	fontdrvhost.exe
PID 852 wrote to memory of 2204	852	cmd.exe	fontdrvhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe
"C:\Users\Admin\AppData\Local\Temp\9E58D61752C75CE86ABC03005F0C75D9E2CF8218A5245.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4376

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TJXDSSRtH9.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:4724

C:\Program Files (x86)\Windows Sidebar\fontdrvhost.exe
"C:\Program Files (x86)\Windows Sidebar\fontdrvhost.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellExperiences\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellExperiences\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:64

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Start Menu\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Start Menu\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe
Filesize
1.1MB

MD5
ba182fd81a486ddb460723be522ce562

SHA1
5dc2ad0fa9c62f91ecae3322d433640694248023

SHA256
9e58d61752c75ce86abc03005f0c75d9e2cf8218a5245d84ccc9abd9fe7a265d

SHA512
077c9beda4f04f5c472f5699ceaee7f3bd0ffed3272c24ce2ace2a926d003f5a2a7e75f7ecc5c1b98ccd8be0c486de97e98cb80965d5b94b46cdd453378df398

Download Submit
C:\Program Files (x86)\Windows Sidebar\fontdrvhost.exe
Filesize
1.1MB

MD5
ba182fd81a486ddb460723be522ce562

SHA1
5dc2ad0fa9c62f91ecae3322d433640694248023

SHA256
9e58d61752c75ce86abc03005f0c75d9e2cf8218a5245d84ccc9abd9fe7a265d

SHA512
077c9beda4f04f5c472f5699ceaee7f3bd0ffed3272c24ce2ace2a926d003f5a2a7e75f7ecc5c1b98ccd8be0c486de97e98cb80965d5b94b46cdd453378df398

Download Submit
C:\Program Files (x86)\Windows Sidebar\fontdrvhost.exe
Filesize
1.1MB

MD5
ba182fd81a486ddb460723be522ce562

SHA1
5dc2ad0fa9c62f91ecae3322d433640694248023

SHA256
9e58d61752c75ce86abc03005f0c75d9e2cf8218a5245d84ccc9abd9fe7a265d

SHA512
077c9beda4f04f5c472f5699ceaee7f3bd0ffed3272c24ce2ace2a926d003f5a2a7e75f7ecc5c1b98ccd8be0c486de97e98cb80965d5b94b46cdd453378df398

Download Submit
C:\Users\Admin\AppData\Local\Temp\TJXDSSRtH9.bat
Filesize
219B

MD5
67d3588c356b68346e8a55120176d3e8

SHA1
759cfcc3374271879f302dbf7cfcc818c63c47fa

SHA256
e67f52e8d352c424ab081030e866cdaae45e3ba93c3caf1067a2cb1e87bf0af8

SHA512
f973cb2c5844b19aa9ae9335f6b540154bc923cfd78da07fc5a55be86f2ee2de628fc43469327e348cc767edc17c7f5e6f8c84239f164a05da00fd88e708b372

Download Submit
memory/2204-163-0x000000001B0D0000-0x000000001B0E0000-memory.dmp

Filesize
64KB

Download
memory/2204-164-0x000000001B0D0000-0x000000001B0E0000-memory.dmp

Filesize
64KB

Download
memory/4376-133-0x00000000003C0000-0x00000000004E6000-memory.dmp

Filesize
1.1MB

Download
memory/4376-134-0x000000001B0B0000-0x000000001B0C0000-memory.dmp

Filesize
64KB

Download
memory/4376-135-0x000000001B050000-0x000000001B0A0000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads