dcrat | 21241ffa8c021cc337901145fcdaae68713abb75c22a74e39001fe1da15f35f3

General

Target

21241ffa8c021cc337901145fcdaae68713abb75c22a74e39001fe1da15f35f3.exe
Size

2.6MB
MD5

45777274a1f089648085d8f60a401ec3
SHA1

7edbcea87c3cd17890ad5ad9bb48b96f18ca45fe
SHA256

21241ffa8c021cc337901145fcdaae68713abb75c22a74e39001fe1da15f35f3
SHA512

f8b952594f07a29a782c35e4a412e50dd8d5f532a1598f3fcf3e03ea0d7773835c0848b745c8c8026b77d718e2112056cfc350359224696686cc36edf3223eed
SSDEEP

49152:ubA3jtXf3wo6e1Sp/y+susVvipA7yQlcALZ/jZvaJOBoyI3l04EaJ:ubW3H51Sp+usgK7lcAZjUOKyIV07aJ

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat 13 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe21241ffa8c021cc337901145fcdaae68713abb75c22a74e39001fe1da15f35f3.exeschtasks.exeschtasks.exe

pid	process
2076	schtasks.exe
1888	schtasks.exe
1160	schtasks.exe
3060	schtasks.exe
2924	schtasks.exe
1332	schtasks.exe
2136	schtasks.exe
2912	schtasks.exe
2816	schtasks.exe
3020	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	21241ffa8c021cc337901145fcdaae68713abb75c22a74e39001fe1da15f35f3.exe
1692	schtasks.exe
2908	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

blockprovider.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\services.exe\""	blockprovider.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\services.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\lsm.exe\""	blockprovider.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\services.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\OSPPSVC.exe\""	blockprovider.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\services.exe\", \"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\wininit.exe\""	blockprovider.exe

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	388	schtasks.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\chainContainersavesSessiondhcp\blockprovider.exe	dcrat
behavioral1/memory/2848-18-0x0000000000B00000-0x0000000000D52000-memory.dmp	dcrat
behavioral1/memory/1832-41-0x0000000000B50000-0x0000000000DA2000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

blockprovider.exeOSPPSVC.exe

pid process

2848 blockprovider.exe
1832 OSPPSVC.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2664 cmd.exe
2664 cmd.exe

pid	process
2848	blockprovider.exe
1832	OSPPSVC.exe

pid	process
2664	cmd.exe
2664	cmd.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

blockprovider.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\OSPPSVC.exe\""	blockprovider.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\wininit.exe\""	blockprovider.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\wininit.exe\""	blockprovider.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\services.exe\""	blockprovider.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\services.exe\""	blockprovider.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\lsm.exe\""	blockprovider.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\ba13f242-3a65-11ef-94cb-d685e2345d05\\lsm.exe\""	blockprovider.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\OSPPSVC.exe\""	blockprovider.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

21241ffa8c021cc337901145fcdaae68713abb75c22a74e39001fe1da15f35f3.exeWScript.exeWScript.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	21241ffa8c021cc337901145fcdaae68713abb75c22a74e39001fe1da15f35f3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1888	schtasks.exe
1160	schtasks.exe
2136	schtasks.exe
2076	schtasks.exe
3060	schtasks.exe
2908	schtasks.exe
2924	schtasks.exe
1692	schtasks.exe
2912	schtasks.exe
2816	schtasks.exe
3020	schtasks.exe
1332	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

blockprovider.exeOSPPSVC.exe

pid process

2848 blockprovider.exe
1832 OSPPSVC.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

blockprovider.exeOSPPSVC.exe

description pid process

Token: SeDebugPrivilege 2848 blockprovider.exe
Token: SeDebugPrivilege 1832 OSPPSVC.exe

pid	process
2848	blockprovider.exe
1832	OSPPSVC.exe

description	pid	process
Token: SeDebugPrivilege	2848	blockprovider.exe
Token: SeDebugPrivilege	1832	OSPPSVC.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

21241ffa8c021cc337901145fcdaae68713abb75c22a74e39001fe1da15f35f3.exeWScript.execmd.exeblockprovider.execmd.exe

description	pid	process	target process
PID 1272 wrote to memory of 2740	1272	21241ffa8c021cc337901145fcdaae68713abb75c22a74e39001fe1da15f35f3.exe	WScript.exe
PID 1272 wrote to memory of 2740	1272	21241ffa8c021cc337901145fcdaae68713abb75c22a74e39001fe1da15f35f3.exe	WScript.exe
PID 1272 wrote to memory of 2740	1272	21241ffa8c021cc337901145fcdaae68713abb75c22a74e39001fe1da15f35f3.exe	WScript.exe
PID 1272 wrote to memory of 2740	1272	21241ffa8c021cc337901145fcdaae68713abb75c22a74e39001fe1da15f35f3.exe	WScript.exe
PID 1272 wrote to memory of 2932	1272	21241ffa8c021cc337901145fcdaae68713abb75c22a74e39001fe1da15f35f3.exe	WScript.exe
PID 1272 wrote to memory of 2932	1272	21241ffa8c021cc337901145fcdaae68713abb75c22a74e39001fe1da15f35f3.exe	WScript.exe
PID 1272 wrote to memory of 2932	1272	21241ffa8c021cc337901145fcdaae68713abb75c22a74e39001fe1da15f35f3.exe	WScript.exe
PID 1272 wrote to memory of 2932	1272	21241ffa8c021cc337901145fcdaae68713abb75c22a74e39001fe1da15f35f3.exe	WScript.exe
PID 2740 wrote to memory of 2664	2740	WScript.exe	cmd.exe
PID 2740 wrote to memory of 2664	2740	WScript.exe	cmd.exe
PID 2740 wrote to memory of 2664	2740	WScript.exe	cmd.exe
PID 2740 wrote to memory of 2664	2740	WScript.exe	cmd.exe
PID 2664 wrote to memory of 2848	2664	cmd.exe	blockprovider.exe
PID 2664 wrote to memory of 2848	2664	cmd.exe	blockprovider.exe
PID 2664 wrote to memory of 2848	2664	cmd.exe	blockprovider.exe
PID 2664 wrote to memory of 2848	2664	cmd.exe	blockprovider.exe
PID 2848 wrote to memory of 2408	2848	blockprovider.exe	cmd.exe
PID 2848 wrote to memory of 2408	2848	blockprovider.exe	cmd.exe
PID 2848 wrote to memory of 2408	2848	blockprovider.exe	cmd.exe
PID 2408 wrote to memory of 1476	2408	cmd.exe	w32tm.exe
PID 2408 wrote to memory of 1476	2408	cmd.exe	w32tm.exe
PID 2408 wrote to memory of 1476	2408	cmd.exe	w32tm.exe
PID 2408 wrote to memory of 1832	2408	cmd.exe	OSPPSVC.exe
PID 2408 wrote to memory of 1832	2408	cmd.exe	OSPPSVC.exe
PID 2408 wrote to memory of 1832	2408	cmd.exe	OSPPSVC.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\21241ffa8c021cc337901145fcdaae68713abb75c22a74e39001fe1da15f35f3.exe
"C:\Users\Admin\AppData\Local\Temp\21241ffa8c021cc337901145fcdaae68713abb75c22a74e39001fe1da15f35f3.exe"
1⤵
- DcRat
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\chainContainersavesSessiondhcp\JemHIHhpiZI0N8EhV7.vbe"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\chainContainersavesSessiondhcp\EeHn5JjD.bat" "
3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2664

C:\chainContainersavesSessiondhcp\blockprovider.exe
"C:\chainContainersavesSessiondhcp\blockprovider.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzzvgsdaUB.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:1476

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\OSPPSVC.exe
"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\OSPPSVC.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\chainContainersavesSessiondhcp\file.vbs"
2⤵
- System Location Discovery: System Language Discovery
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qzzvgsdaUB.bat
Filesize
248B

MD5
dd98d2ca8b613a117b333408ef549faf

SHA1
99a2fcb163c0e86549e5e97145e544e35dba853b

SHA256
b5cc38d163f58049d02b5ec88ba37857eaf5e19bd2eea161c31586f7b021823d

SHA512
03fd6956cdfaf411d5808465064b4d818e0f407b502e30c9148abeab674019eeaec37df299e2acb43832c8294c5640a6f5b7256d58e919cf5e2cc8c24ee1e525

Download Submit
C:\chainContainersavesSessiondhcp\EeHn5JjD.bat
Filesize
53B

MD5
63241e29fa7bdf71862d1d91cc65c14e

SHA1
682453813e14e493ce0e2d0091bff5dd44f3f058

SHA256
c9637ae1ccddaff2f9507633191d455f5f5dba8b65f6ff9e81a7e0f01783c9ca

SHA512
ef9272a8b3fd9206a4cc8fc33741da02a7a802c5a920b908833deea7d194fb2716bf174cb4815fa846feef681949a355a7a07cf673b93844ffac7d11e818b9e1

Download Submit
C:\chainContainersavesSessiondhcp\JemHIHhpiZI0N8EhV7.vbe
Filesize
216B

MD5
623cd030254716a674418adf14747e9d

SHA1
fc3bba95a099cb2e286c6b77e7e375b07c3b447b

SHA256
9ef90d9d5849910473dd8f0610d5385eda91e64075b1a1756d301770183710eb

SHA512
090719e54a3b7b24bd1562c8267b9e66e80baaf4e06262c3d6320d41791a2bbc673d71540ce0e519336160fc8402cdf907724087735855dcddb36d58376fac49

Download Submit
C:\chainContainersavesSessiondhcp\file.vbs
Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
\chainContainersavesSessiondhcp\blockprovider.exe
Filesize
2.3MB

MD5
d61a906f69d0929d8acc146b02e6feb0

SHA1
2bf0d2b40cc80db69335bf62bc9ce48e476d2e60

SHA256
316b85089ab4ece8d024f3957200f0d1d49738be3bc7588691871a1e5d0fd110

SHA512
4e301ced2d3f2cc1a2b572cc71c361192d2f4316297c46b8a9d6b64f5f40ea1d4af6577e3f3d0e9b90f05376237ce8f26d80ab984ad6def3457df345a1b7ea6d

Download Submit
memory/1832-42-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/1832-41-0x0000000000B50000-0x0000000000DA2000-memory.dmp

Filesize
2.3MB

Download
memory/2848-20-0x0000000000270000-0x0000000000286000-memory.dmp

Filesize
88KB

Download
memory/2848-22-0x0000000000160000-0x0000000000172000-memory.dmp

Filesize
72KB

Download
memory/2848-23-0x0000000000340000-0x000000000034E000-memory.dmp

Filesize
56KB

Download
memory/2848-24-0x00000000005D0000-0x00000000005D8000-memory.dmp

Filesize
32KB

Download
memory/2848-25-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download
memory/2848-21-0x0000000000A60000-0x0000000000AB6000-memory.dmp

Filesize
344KB

Download
memory/2848-19-0x0000000000140000-0x000000000015C000-memory.dmp

Filesize
112KB

Download
memory/2848-18-0x0000000000B00000-0x0000000000D52000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads