dcrat | 54b542bd706838bc61c23ef8189935fc74e0099b14e509d33649b43ff108d85f

Analysis

max time kernel
0s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2024 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Redline-crack-by-rzt/Panel/RedLine_20_2/Panel/panel.exe
Size

16.4MB
MD5

1246b7d115005ce9fcc96848c5595d72
SHA1

fa3777c7fe670cea2a4e8267945c3137091c64b5
SHA256

f01393937f06be201400703d1dbfb35397c4a5162f16278ba9d9bb63ddcbcc78
SHA512

5bf90904cf74a8c3775498578d856dd9f4837077928cd7ce24e4a6ccec00827bcfb28c2079498ba682a4f53204d7ad2bb8de2489005c429dc968e75e26d29101
SSDEEP

393216:gyOsihmjY/uAKJkDk4x/aQsY3K/jRsBp:FOLhmjY/utek4x/aQsyKLuBp

Score

10^/10

dcrat redline discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3352	1804	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	1804	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	1804	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	1804	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	1804	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	1804	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	1804	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	1804	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	1804	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	1804	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	1804	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3096	1804	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	1804	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	1804	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4180	1804	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	1804	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	1804	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	1804	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	1804	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3644	1804	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	1804	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5564	1804	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	1804	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	1804	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5208	1804	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3808	1804	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6056	1804	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6140	1804	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	1804	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3684	1804	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	1804	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5976	1804	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5672	1804	schtasks.exe	90

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral24/memory/3932-3968-0x000000001F030000-0x000000001F04A000-memory.dmp	family_redline

Redline family
redline

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral24/memory/2252-74-0x00000000003F0000-0x000000000082C000-memory.dmp	dcrat
behavioral24/memory/2252-2089-0x00000000003F0000-0x000000000082C000-memory.dmp	dcrat
behavioral24/memory/4368-2117-0x00000000003F0000-0x000000000082C000-memory.dmp	dcrat
behavioral24/memory/4368-4057-0x00000000003F0000-0x000000000082C000-memory.dmp	dcrat
behavioral24/memory/4596-4085-0x00000000001B0000-0x00000000005EC000-memory.dmp	dcrat
behavioral24/memory/4596-4084-0x00000000001B0000-0x00000000005EC000-memory.dmp	dcrat
behavioral24/memory/4596-4092-0x00000000001B0000-0x00000000005EC000-memory.dmp	dcrat

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	panel.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4516	schtasks.exe
5208	schtasks.exe
1368	schtasks.exe
4744	schtasks.exe
5672	schtasks.exe
3384	schtasks.exe
6140	schtasks.exe
3968	schtasks.exe
4612	schtasks.exe
5032	schtasks.exe
5564	schtasks.exe
2192	schtasks.exe
2856	schtasks.exe
3644	schtasks.exe
4180	schtasks.exe
4532	schtasks.exe
2096	schtasks.exe
1660	schtasks.exe
3684	schtasks.exe
3352	schtasks.exe
4528	schtasks.exe
652	schtasks.exe
3344	schtasks.exe
3808	schtasks.exe
2260	schtasks.exe
3096	schtasks.exe
880	schtasks.exe
860	schtasks.exe
5976	schtasks.exe
3344	schtasks.exe
3188	schtasks.exe
2884	schtasks.exe
6056	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe
"C:\Users\Admin\AppData\Local\Temp\Redline-crack-by-rzt\Panel\RedLine_20_2\Panel\panel.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4632
- C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe
  "C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe"
  2⤵
  PID:2252
- - C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe
    "C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe"
    3⤵
    PID:4368
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aTBQS3RKhw.bat"
      4⤵
      PID:224
    - - C:\Windows\SysWOW64\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:2624
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2280
    - - C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        5⤵
        
        PID:4596
- C:\Users\Admin\AppData\Local\Temp\Panel.exe
  "C:\Users\Admin\AppData\Local\Temp\Panel.exe"
  2⤵
  PID:2692
- - C:\Users\Admin\AppData\Local\Temp\Panel.exe
    "C:\Users\Admin\AppData\Local\Temp\Panel.exe" "--monitor"
    3⤵
    PID:3932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\DESIGNER\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\DESIGNER\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PanelP" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Panel.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Panel" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Panel.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PanelP" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Panel.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Contacts\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Contacts\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Admin\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Temp\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Temp\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mssurrogateProvider_protected.exe.log

Filesize
1KB

MD5
d56746574a07d336d54eecc2a75626b7

SHA1
69f9eb5d18fec3bdff15fe2230783e405efffafb

SHA256
90ae7d9d7baf1855a980d2ce2ec58754c1664d9626cfa76ecc8eb0701d737e81

SHA512
001086afbe6aebb17cfd272a7fe6e3c737eb2946f385f14046d1a6f2a01dce3365de30072ba6b5029ec47a4bc850d42df293efb41c4a513e861253a4d863f12e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Panel.exe

Filesize
5.1MB

MD5
af34a9e45043794951e8dceb8997c9e2

SHA1
5ee570646f97017c253d3e584a87156d8de3b659

SHA256
f331d61c5691b595536f2f8423386f3c39a941c59a6dec1958af2347591b97c3

SHA512
56a5726f9f0250fec6b1461da6379d0cef6c615140cae0f043e68636fb801bc0955c92740bbc1abe4a386b1e1eaaede134b36e6d5d48a97e379ec702674b3061

Download Submit
C:\Users\Admin\AppData\Local\Temp\Panel.exe

Filesize
6.3MB

MD5
58bfeeccf3874ab0e9d1240b9e18e2d3

SHA1
6a74d03fa6219f4ff081b2d6e084584abb2bb988

SHA256
ee2ad11d9f2ed8a39e8c0c8c920a543605d6826d1731727bda840d3ff7a0ff01

SHA512
0810c04a1bcb493afefbb00837f6329a46e0d479d349557812449cba5a6b062be64a2b2495a4a4405cee366f9c42eeeff496cd2ea7f75523fd0490d758d41b00

Download Submit
C:\Users\Admin\AppData\Local\Temp\Panel.exe

Filesize
6.1MB

MD5
3b8ad194d208bcc4d8d42ce96ac8303e

SHA1
f18c3666b70271d81b5bb119990a3565a008770b

SHA256
43bbaea14908a1297a514b83e109c1bf03875623d4578cd5d3ee53a25ff5e54f

SHA512
738ed1bb54de3b8e8e236b0b13c202470e5e79fd95341b375c2d5526fbe87f116623edacc420523f74205380dab995f61d385c0e11503660734896bd5d69976e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Panel.exe

Filesize
5.9MB

MD5
aa5f20ad31fa94637212c517a4f9625a

SHA1
99b29b4a60f76cb30592220f82d933e2a235d20f

SHA256
22ec7a301db4dffe582585f41d52501593b6c46b483d1f9040f2fdd62b57b71a

SHA512
53056cc28481328273ccff218ced9704cacb496e1925a5fc6d251a4232b2e67fc4504118fd391a04f5166b19bd560b30b82d9b0adec84ce29f426325d2891d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aTBQS3RKhw.bat

Filesize
204B

MD5
279f32346c3306abd72f217f0f8745bd

SHA1
9f990b274f593f59d2e8ad9df2c07b6bffddb95d

SHA256
a4155463266968b42ce096f21f9e7813d92ada20635cf60bb670dfe1f652f1e7

SHA512
f64fdd7a31d3df8b655e70216c6be9ea1769304200f7923d36bd0a60d1fae7163be864ff649ca7ac6ba01cc38f7a4515507e29dcf75fea40fee82134b95eeee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mssurrogateProvider_protected.exe

Filesize
1.5MB

MD5
fcbf03d90d4e9ce80f575452266e71d1

SHA1
1b067d0e057db189c71b2f7ac4ee2483ebaf0fa7

SHA256
2ec28f57e64fee2b2f1a40c78c079672f0dddb84da2a84fe3291bd68a4771a73

SHA512
9ce9962f645ab542f135d8560a7095259fe6628afcf598a58dfcf8e96b0d1dfa73e59ce13af3ff97e6c03046634dbd46a278c6535f99f99b3a6051b7bbfcf380

Download Submit
memory/2252-150-0x00000000063F0000-0x0000000006456000-memory.dmp

Filesize
408KB

Download
memory/2252-74-0x00000000003F0000-0x000000000082C000-memory.dmp

Filesize
4.2MB

Download
memory/2252-2089-0x00000000003F0000-0x000000000082C000-memory.dmp

Filesize
4.2MB

Download
memory/2252-97-0x0000000006790000-0x0000000006D34000-memory.dmp

Filesize
5.6MB

Download
memory/2252-68-0x00000000003F0000-0x000000000082C000-memory.dmp

Filesize
4.2MB

Download
memory/2692-111-0x000000001DF60000-0x000000001E0A2000-memory.dmp

Filesize
1.3MB

Download
memory/2692-77-0x000000001AD40000-0x000000001AEE0000-memory.dmp

Filesize
1.6MB

Download
memory/2692-99-0x000000001DE10000-0x000000001DF52000-memory.dmp

Filesize
1.3MB

Download
memory/2692-98-0x000000001DE10000-0x000000001DF52000-memory.dmp

Filesize
1.3MB

Download
memory/2692-138-0x000000001DF30000-0x000000001DF3A000-memory.dmp

Filesize
40KB

Download
memory/2692-130-0x000000001DF20000-0x000000001DF2A000-memory.dmp

Filesize
40KB

Download
memory/2692-128-0x000000001DF20000-0x000000001DF2A000-memory.dmp

Filesize
40KB

Download
memory/2692-126-0x000000001DF20000-0x000000001DF2A000-memory.dmp

Filesize
40KB

Download
memory/2692-125-0x000000001DF20000-0x000000001DF2A000-memory.dmp

Filesize
40KB

Download
memory/2692-87-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/2692-73-0x00007FFBAC580000-0x00007FFBAD041000-memory.dmp

Filesize
10.8MB

Download
memory/2692-167-0x000000001E920000-0x000000001E93C000-memory.dmp

Filesize
112KB

Download
memory/2692-86-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/2692-76-0x000000001AD40000-0x000000001AEE0000-memory.dmp

Filesize
1.6MB

Download
memory/2692-89-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/2692-91-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/2692-93-0x0000000180000000-0x0000000180005000-memory.dmp

Filesize
20KB

Download
memory/2692-103-0x000000001DE10000-0x000000001DF52000-memory.dmp

Filesize
1.3MB

Download
memory/2692-75-0x000000001AD40000-0x000000001AEE0000-memory.dmp

Filesize
1.6MB

Download
memory/3932-3996-0x000000001F2E0000-0x000000001F31A000-memory.dmp

Filesize
232KB

Download
memory/3932-3982-0x000000001F080000-0x000000001F092000-memory.dmp

Filesize
72KB

Download
memory/3932-3968-0x000000001F030000-0x000000001F04A000-memory.dmp

Filesize
104KB

Download
memory/3932-4047-0x000000001F5F0000-0x000000001F664000-memory.dmp

Filesize
464KB

Download
memory/3932-4073-0x0000000020830000-0x0000000020880000-memory.dmp

Filesize
320KB

Download
memory/3932-4072-0x0000000020880000-0x00000000208CA000-memory.dmp

Filesize
296KB

Download
memory/3932-4013-0x000000001F3D0000-0x000000001F480000-memory.dmp

Filesize
704KB

Download
memory/4368-2087-0x00000000003F0000-0x000000000082C000-memory.dmp

Filesize
4.2MB

Download
memory/4368-4057-0x00000000003F0000-0x000000000082C000-memory.dmp

Filesize
4.2MB

Download
memory/4368-2117-0x00000000003F0000-0x000000000082C000-memory.dmp

Filesize
4.2MB

Download
memory/4596-4083-0x00000000001B0000-0x00000000005EC000-memory.dmp

Filesize
4.2MB

Download
memory/4596-4085-0x00000000001B0000-0x00000000005EC000-memory.dmp

Filesize
4.2MB

Download
memory/4596-4084-0x00000000001B0000-0x00000000005EC000-memory.dmp

Filesize
4.2MB

Download
memory/4596-4092-0x00000000001B0000-0x00000000005EC000-memory.dmp

Filesize
4.2MB

Download
memory/4632-0-0x0000000000400000-0x0000000001470000-memory.dmp

Filesize
16.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads