Analysis
-
max time kernel
146s -
max time network
147s -
platform
windows11-21h2_x64 -
resource
win11-20250313-en -
resource tags
-
submitted
27/03/2025, 01:00
General
-
Target
https://github.com/ramrk23/Roblox-Stealer/releases/download/v3.0.9/Roblox-Stealer_v3.0.9.zip
Malware Config
Signatures
-
DcRat 3 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Windows directory 14 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 3 IoCs
-
NTFS ADS 4 IoCs
-
Opens file in notepad (likely ransom note) 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of FindShellTrayWindow 38 IoCs
-
Suspicious use of SendNotifyMessage 16 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/ramrk23/Roblox-Stealer/releases/download/v3.0.9/Roblox-Stealer_v3.0.9.zip1⤵
- DcRat
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x25c,0x7ffb0b1ef208,0x7ffb0b1ef214,0x7ffb0b1ef2202⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1808,i,17716641881812758919,4375791191888919164,262144 --variations-seed-version --mojo-platform-channel-handle=2128 /prefetch:112⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2100,i,17716641881812758919,4375791191888919164,262144 --variations-seed-version --mojo-platform-channel-handle=2096 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2496,i,17716641881812758919,4375791191888919164,262144 --variations-seed-version --mojo-platform-channel-handle=2508 /prefetch:132⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3432,i,17716641881812758919,4375791191888919164,262144 --variations-seed-version --mojo-platform-channel-handle=3496 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3448,i,17716641881812758919,4375791191888919164,262144 --variations-seed-version --mojo-platform-channel-handle=3500 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4088,i,17716641881812758919,4375791191888919164,262144 --variations-seed-version --mojo-platform-channel-handle=4108 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4144,i,17716641881812758919,4375791191888919164,262144 --variations-seed-version --mojo-platform-channel-handle=4184 /prefetch:92⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=4176,i,17716641881812758919,4375791191888919164,262144 --variations-seed-version --mojo-platform-channel-handle=4260 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=4232,i,17716641881812758919,4375791191888919164,262144 --variations-seed-version --mojo-platform-channel-handle=4400 /prefetch:92⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5348,i,17716641881812758919,4375791191888919164,262144 --variations-seed-version --mojo-platform-channel-handle=3624 /prefetch:142⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3644,i,17716641881812758919,4375791191888919164,262144 --variations-seed-version --mojo-platform-channel-handle=3632 /prefetch:142⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5464,i,17716641881812758919,4375791191888919164,262144 --variations-seed-version --mojo-platform-channel-handle=5332 /prefetch:142⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5480,i,17716641881812758919,4375791191888919164,262144 --variations-seed-version --mojo-platform-channel-handle=5356 /prefetch:142⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5752,i,17716641881812758919,4375791191888919164,262144 --variations-seed-version --mojo-platform-channel-handle=5800 /prefetch:142⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=5756,i,17716641881812758919,4375791191888919164,262144 --variations-seed-version --mojo-platform-channel-handle=5908 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5788,i,17716641881812758919,4375791191888919164,262144 --variations-seed-version --mojo-platform-channel-handle=6288 /prefetch:142⤵
- NTFS ADS
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6616,i,17716641881812758919,4375791191888919164,262144 --variations-seed-version --mojo-platform-channel-handle=6644 /prefetch:142⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6616,i,17716641881812758919,4375791191888919164,262144 --variations-seed-version --mojo-platform-channel-handle=6644 /prefetch:142⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6744,i,17716641881812758919,4375791191888919164,262144 --variations-seed-version --mojo-platform-channel-handle=6324 /prefetch:142⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.execookie_exporter.exe --cookie-json=11443⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6108,i,17716641881812758919,4375791191888919164,262144 --variations-seed-version --mojo-platform-channel-handle=6836 /prefetch:142⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7056,i,17716641881812758919,4375791191888919164,262144 --variations-seed-version --mojo-platform-channel-handle=7072 /prefetch:142⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7064,i,17716641881812758919,4375791191888919164,262144 --variations-seed-version --mojo-platform-channel-handle=7072 /prefetch:142⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7172,i,17716641881812758919,4375791191888919164,262144 --variations-seed-version --mojo-platform-channel-handle=7152 /prefetch:142⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7112,i,17716641881812758919,4375791191888919164,262144 --variations-seed-version --mojo-platform-channel-handle=7328 /prefetch:142⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7488,i,17716641881812758919,4375791191888919164,262144 --variations-seed-version --mojo-platform-channel-handle=7500 /prefetch:142⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7640,i,17716641881812758919,4375791191888919164,262144 --variations-seed-version --mojo-platform-channel-handle=7648 /prefetch:142⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7084,i,17716641881812758919,4375791191888919164,262144 --variations-seed-version --mojo-platform-channel-handle=7340 /prefetch:142⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4440,i,17716641881812758919,4375791191888919164,262144 --variations-seed-version --mojo-platform-channel-handle=4736 /prefetch:142⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4568,i,17716641881812758919,4375791191888919164,262144 --variations-seed-version --mojo-platform-channel-handle=4444 /prefetch:142⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4764,i,17716641881812758919,4375791191888919164,262144 --variations-seed-version --mojo-platform-channel-handle=4212 /prefetch:142⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5436,i,17716641881812758919,4375791191888919164,262144 --variations-seed-version --mojo-platform-channel-handle=5352 /prefetch:142⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6360,i,17716641881812758919,4375791191888919164,262144 --variations-seed-version --mojo-platform-channel-handle=3608 /prefetch:142⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7732,i,17716641881812758919,4375791191888919164,262144 --variations-seed-version --mojo-platform-channel-handle=5768 /prefetch:142⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5568,i,17716641881812758919,4375791191888919164,262144 --variations-seed-version --mojo-platform-channel-handle=5768 /prefetch:142⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=3660,i,17716641881812758919,4375791191888919164,262144 --variations-seed-version --mojo-platform-channel-handle=6644 /prefetch:102⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5460,i,17716641881812758919,4375791191888919164,262144 --variations-seed-version --mojo-platform-channel-handle=4188 /prefetch:142⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Application.bat" "1⤵
-
C:\Users\Admin\Downloads\luajit.exeluajit.exe env.txt2⤵
- Drops file in Windows directory
- NTFS ADS
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc daily /st 14:04 /f /tn SystemRestorePointCreation_ODE2 /tr ""C:\Users\Admin\AppData\Local\ODE2\ODE2.exe" "C:\Users\Admin\AppData\Local\ODE2\env.txt""3⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc daily /st 14:04 /f /tn Setup /tr "C:/Windows/System32/oobe/Setup.exe" /rl highest3⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Application.bat" "1⤵
-
C:\Users\Admin\Downloads\luajit.exeluajit.exe env.txt2⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Application.bat"1⤵
-
C:\Users\Admin\Downloads\luajit.exeluajit.exe env.txt2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Application.bat" "1⤵
-
C:\Users\Admin\Downloads\luajit.exeluajit.exe env.txt2⤵
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\env.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Application.bat1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Application.bat" "1⤵
-
C:\Users\Admin\Downloads\luajit.exeluajit.exe env.txt2⤵
-
-
C:\Users\Admin\Downloads\luajit.exe"C:\Users\Admin\Downloads\luajit.exe"1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Application.bat" "1⤵
-
C:\Users\Admin\Downloads\luajit.exeluajit.exe env.txt2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Application.bat" "1⤵
-
C:\Users\Admin\Downloads\luajit.exeluajit.exe env.txt2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Application.bat" "1⤵
-
C:\Users\Admin\Downloads\luajit.exeluajit.exe env.txt2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD56b766c0a8218fb2ba79c4ebcdfd77575
SHA1b1ab8f2c9fec9fa427c0d31dc01d7f20a5244704
SHA2564a96e87ab4b3f5500dc676cfd2837788998ddee42074b9a376ab514b74f13d97
SHA5129efcb70a09a63dbf9f9685963621b191c741eeb98fd07f33ad33b21a73a64ca902794dbe36d16bac9d57dc3ac7555bed1d93734c1411cacbed56d90f7869366c
-
Filesize
471B
MD516bc7d3ab02bf34e30f0a8153e606bfa
SHA14a1343a0bce1bb4d5b27598ef6f921fc01e8eb14
SHA256faa070b319fe2e45cc8544128c810ff668ab0b98a6130bf74c0f904a568225ea
SHA512a13b6c0224bc583b8950c23e33de333a278c5c006da43d954ffd535204efadcaab3165775d77eab66d43289f061abd2c10c46a56e3c88021e57ad4f2a961c6ae
-
Filesize
471B
MD597d27f3502b7d329a7901e2aa6b6dcdb
SHA13d2b42ac6b6c2f883111d384b27760a865c703e8
SHA25622e587259c009d253fee2f136e29fc4869953b952d2673a45265eae296390dc0
SHA512af8401f926ca46e73a36453e8b40904f94c4fc9deecab406f72a9399e069299531657e27fec764e0cb011b7722ce8ee7253d2a4bf3afe37480dd431e9a83e9f0
-
Filesize
410B
MD5a9cf5436509c2684c818b7bb98cab94a
SHA126f0a03a736c374072177877a14d83691356b3fc
SHA256a40b2d42f4372cb148da5d5899491c4e54fdcb240a3015862645dc9ef17e852c
SHA512eb6053162fe0cdbd628688558cde1da5beed88a307e34443bb7290f7f23f7936592e994555654a51e774528a3dcc7036ee5bfa9b11846626e225ced5f2678f89
-
Filesize
406B
MD56debf22514f385dfd9280e6acba8dfe9
SHA1f17e16712deec7cd9428808f175cfd85a9375a2d
SHA256b82080485bc1293880eb9ed79a451cf79d0b2505b351c11c2d3b9624b48523e4
SHA51251f4fce76992f90f55b4101aa0de90e27a26aa71200a0596009b90da490c735dbbb8e82681ce94587488e32955ea445cfb43e12b2531d180f4bf25f8d807a033
-
Filesize
412B
MD53c401e33a09491f75f2b0419aad56963
SHA180782f8a08b7050c80aa4423618cb6d897885fc1
SHA25634f637ad57d0c68950f6e1d5c5368256b7a8f5ed00b2ea8fcfca0180eef09b01
SHA51225e378c458ea447ec0ec518806c838af720f3733adc2201a65c2dc229a335f7ab5b32d2a39cd893cea8df557f72d3f751422094d77e6a2812918876c913e2b9d
-
Filesize
3KB
MD56bbb18bb210b0af189f5d76a65f7ad80
SHA187b804075e78af64293611a637504273fadfe718
SHA25601594d510a1bbc016897ec89402553eca423dfdc8b82bafbc5653bf0c976f57c
SHA5124788edcfa3911c3bb2be8fc447166c330e8ac389f74e8c44e13238ead2fa45c8538aee325bd0d1cc40d91ad47dea1aa94a92148a62983144fdecff2130ee120d
-
Filesize
280B
MD5046b1cdbd636e82e7711ea1fde31d7e3
SHA1f5fa4183cb259a99b4148ee957a5f76e80a77ada
SHA25640328502d95af4c1db45d98abe8c4e9214d80a8df7f0b8f19f81edd5e121f90a
SHA512460ba5792f0df64289ff4057d04615973a7844b2fd2c14df554600c141d720fcf13d9e9c8449ac57e50fa074a81887437918970881b4d48f7a7ee3521bac8eb4
-
Filesize
280B
MD5cbc9fc2d9ad2df85283109b48c8e6db0
SHA1721ea0dfafd882d6354f8b0a35560425a60a8819
SHA2567c21b286b304b2b42ab3502158aef04892b60c63007b8ed7172dad86a4bcebbe
SHA51209594b5f33704cf367960376e5abc8cbfa7baead59c3f199ffd365a9a9c2159b45f6596d597ebdd033db5436c000faac3c5b2fb39e97fc17b102d03831265609
-
Filesize
3KB
MD504878768e68ae9c455f58e2f9fa4fad1
SHA1dc42df306eba9dd60f46e86367ae3b78d3b5520b
SHA256119af69425dfe105e85b9392a3a919a093088bdd9fed31a939e683c61b670a70
SHA5123d0bd128c1fb25f68963f0a086645c3570b99996e48288c54f35e7b091689853fcfe0e16ec0a5565c73427c7fcbde89340ffbd29c469a5f72f393a8787686ac9
-
Filesize
3KB
MD5bab474e15ace37fc1e8646e4e2064ff1
SHA1b7c5755b17a4d976d5aa590163a0d917f3d13387
SHA25648ecf309c603565bda50215373e890bb6c561599e2463554c293f3b3eeb2346d
SHA51223402fa61e804568ea257a0ca3e8c50acd167ee4b8863ca31b81a5dac1837c28a95354de00b6a3fbe1082b853ffe099fdb70519fa3d69d9823a4ca556f299b47
-
Filesize
69KB
MD5164a788f50529fc93a6077e50675c617
SHA1c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48
SHA256b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17
SHA512ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4
-
Filesize
9KB
MD53d20584f7f6c8eac79e17cca4207fb79
SHA13c16dcc27ae52431c8cdd92fbaab0341524d3092
SHA2560d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643
SHA512315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59
-
Filesize
107KB
MD540e2018187b61af5be8caf035fb72882
SHA172a0b7bcb454b6b727bf90da35879b3e9a70621e
SHA256b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5
SHA512a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12
-
Filesize
2KB
MD5cc90eb858474ebe8a192da41b3f79b49
SHA11e157e32f7a1ceb37f2e76e97ccfea7fba76d266
SHA25692d77c5e7d2953c64cafc786fe791c1da10be3e5472e93bf7027f8643bc6b860
SHA512894fadd75268446100577079a74dc1545d3901e971cc8c945752d173f10d1ec3b141554adcdec03433f0913484dd5458b865134fe0b561fc590d7f4bd80198af
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
13KB
MD58f1b9ad05fe7c4c447f59bc5a40e1db3
SHA1e4596c31170f3dfc442a6643e2096038b2dcd828
SHA2565ebcfc0534c0560b77c44f009e1c1e6451a263e8f0345ad60d8561fd4a4502b7
SHA5120920f8d6adf7b982e65b1bdd293fb45a53ac673d06c50652adcfd42625ed0bbc3334856e2790815a79353d77d64f73a95ee4c196ec511e4d6911211ba7464676
-
Filesize
14KB
MD59c52e12be2d29548d3d5d9af953f56b2
SHA184c8f98f03202e04d2a0c54a37a24647066cef48
SHA256dc0ddb697499a6e569394e672d6aae58ee001b8415d5bfb51d9bc1aae72a5fcb
SHA512caf6a3fc2cbcef531ede537e9c626ca7e9a4689bd88deb13af05618d62f297cf537e0911de69b24769d0e631e67b7df1ae1c3e21b2bf87a9cf59bff99fe7aa84
-
Filesize
37KB
MD5a36056454fb9d1c036d3768dd645ca6f
SHA1d820923225ca78a6b0d4b250cf633da3299790da
SHA25629a889b223d17aab9a8569b04ce240135fce6e1cd4a398bf9664539a9d5e90ae
SHA51288c2864264579686ab483af716ce32661d87f46e312ab4310f66d5c475fcaeb6afc2120887e3023249c49b2d295bdf6174504a410720dbe78c59ea0a2aa3c538
-
Filesize
872B
MD530d235e922627ddaafabfe100bd5e5e8
SHA17bbf02779659f0a28bd0d51b124278a5e8c13711
SHA25639cc1e250827176e4d08aced91233c9e311e26d0361c49e85594b78d5780ce83
SHA5122b21c52a1e0845a010c218001da3ed5c7be5ad54ea2e11f469f1adbfb9911d256c496c09a44cf7e73c67dfc650e389d3abab62040f072ec170ca4978a75ceb78
-
Filesize
23KB
MD55cb35223dbe74dd2eb8f4a0626cf3f08
SHA13fff0b62ecdfb14f97a0991066fe351a077a3ea6
SHA256bfdf19ff032ee05b0213208d870a43f027afc9322dc70b8e1863c33b6eaecd0d
SHA5121325145d2238b9e72f4abd64e55f745dd766e3a642ce97c469e857e4899764564d70d8dddd2acfc831e0ee56bba92fcec716c5a5b30e1a61a140418cbac8f3f3
-
Filesize
465B
MD5dc990858f6c524771bf40983afd54b04
SHA1d2b1f39f9518db50d43c2ee0d5526828a3d1303e
SHA256df583cdec561770d240b54c63d3593e2103845bbed4b4c6164ec70ab385d2e41
SHA512fde7420523935bc5c28a0332760dd5a45a1fd29dc3574a68c62d073718785ac4f186635b791abcc8094c71ea744f4e789f6297c896fa57f9de2ece723de6d4a3
-
Filesize
21KB
MD597ffbea42e9a0795865f12dedaa14292
SHA182b1a9a09d849ca8e55914ceb05677991729de10
SHA25684db83a7515ea99283ea322d6ae8a7e806287e7e98771a53a5d0e3ff362ecd16
SHA512884e56e3e7419a5ce22725d8b39b6d9424c882185762fe6ebb3a5c67d65e87b846ecce8a26491019acd3ba79641f489a32e20e2c7b99576315352cca1f5a13a4
-
Filesize
3KB
MD594406cdd51b55c0f006cfea05745effb
SHA1a15dc50ca0fd54d6f54fbc6e0788f6dcfc876cc9
SHA2568480f3d58faa017896ba8239f3395e3551325d7a6466497a9a69bf182647b25e
SHA512d4e621f57454fea7049cffc9cc3adfb0d8016360912e6a580f6fe16677e7dd7aa2ee0671cb3c5092a9435708a817f497c3b2cc7aba237d32dbdaae82f10591c3
-
Filesize
39KB
MD572169f7bf15a0ef43ec041764d560ce7
SHA1db254a13bcabdff18738e9053914837f569065b3
SHA256d18597cec245384df5d5536009bc62d89b5d65f600c9382a063d8e8cd49fc13f
SHA5125fcfeea1257073e45f42fdf79cf336fd1f23b5b56f3c27ff6e01b9e1a1269081352d78568f6693a9201cba2b12b4f85885e5650377fc4cc8d616e220c2848fe9
-
Filesize
30KB
MD5de158a9c78e9ef8aa4c543f68359112f
SHA1a87d636b2a2575f8b9093ea1fd0317ad54c32b6c
SHA256a14390366c90cfb1ff34dc70bcadc1b1e1873e42e3e66138280865420b9d4f3b
SHA5129b5c21a3ecc22200ea98e12140a63eec31d8cf5cb07c780bcb668cec710f5824bb9a64f66be19d7c526c582d5c0408cf513b6f7002024846a8ba84c2c8f18fd9
-
Filesize
6KB
MD58123365a0a8851d3f53889e1c8641df6
SHA157b80cf64cbaccbd9106b8abd88874f86e803363
SHA256695f5b46eb79fa5c824e771a89443df23a4c04f58b073ada071fb62b92acf0ba
SHA5122080edddc1a3c65dde3f8715c70a14afb51e481b64144de31056002beb4d012013f71464e38d1f8157885d41b9ec753666c8121f958d50456891687b84e61c3b
-
Filesize
7KB
MD5d58e6ca64fadd8f839f8f093cc3e4fbc
SHA1b30d1e7924d0d672507fc305d56d5de66ddd72c0
SHA256742c8d432a3b3b6d55e29a17a9d1e7af29c2cff4ccbb074df57ff3c306ee38d8
SHA5126ef74351f26795c2db5cfda8a88ff087aea9cf9b9d9c502f19a0cf71359a4347a04cb5fd9083490cc847300be9c2287bf3c40e234275c9caeb29999e27ec847e
-
Filesize
288B
MD51666bd5cb1768674d456702d7c10b1ca
SHA1912f8c8182ec88e75ca0a4ca351b8c4c736ede10
SHA25686f2793420d5cb9b2d2937e774810a406fc626f13183423665987f505d88c75b
SHA5126053af897c7bb0cb237b86fbe202dc217d1d4f5ab3de27e9f8f64ebae4099543e9632d35eea17a7f0219b034c76206a96c5813735d7eb089f42e7c26300c532a
-
Filesize
1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
10KB
MD578e47dda17341bed7be45dccfd89ac87
SHA11afde30e46997452d11e4a2adbbf35cce7a1404f
SHA25667d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550
SHA5129574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5
-
Filesize
152KB
MD5dd9bf8448d3ddcfd067967f01e8bf6d7
SHA1d7829475b2bd6a3baa8fabfaf39af57c6439b35e
SHA256fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72
SHA51265347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de
-
Filesize
696B
MD5eb29fcfbc10d5777f266ab47da5f32fc
SHA1c92f198da4083b597a4b07db13436080e677c606
SHA2569df90fc1795421b03bb5ad0d975f0467045605b78ec123e495efba7f25c01f51
SHA51209aa449b5674f8db48d85126a6d593fe728140941a5dd4d4c2bc783430e9875b601157959ce150c0e33e1feb51ad2960381d3f82a36ce29c9cf547c0eb1f999f
-
Filesize
696B
MD5e9272f583ca9d4a0e7aaf0d594f491bc
SHA177474a308a2d2470bcfa03ba2e34cfe80fda9cfd
SHA25698bdfee86496046e6e8a8ca199129eaa2dceb4dea2d7ed4ef4c4145ddb1a965e
SHA51283e5858a9b1456c2d1a85c1adee0dd0de589966556cddf17a23ebd16f285a323173a820d292e515e29d2f7889444f44214e75170e972aa66e3977f5034c7df1d
-
Filesize
1.2MB
MD5a59ff3e38a9c4fd75b33fb6fc6ebea44
SHA18376ba8d8fffc3e64d3b7fee86fd131c9972f0ea
SHA25603654a057c0217fb7461ab8549920d7ef5b54b9ddbd2dd586033f27c292995a3
SHA5128e5144e5aa03082aa6f50e7409a6cf935adcf83ddb7076aa02e66792fcdaeabbb2f3c0ac089950f97e782014738abf88d3c348f974181dc00f32f005f9b6b61f
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
43B
MD5af3a9104ca46f35bb5f6123d89c25966
SHA11ffb1b0aa9f44bdbc57bdf4b98d26d3be0207ee8
SHA25681bd82ac27612a58be30a72dd8956b13f883e32ffb54a58076bd6a42b8afaeea
SHA5126a7a543fa2d1ead3574b4897d2fc714bb218c60a04a70a7e92ecfd2ea59d67028f91b6a2094313f606560087336c619093f1d38d66a3c63a1d1d235ca03d36d1
-
Filesize
160B
MD5a24a1941bbb8d90784f5ef76712002f5
SHA15c2b6323c7ed8913b5d0d65a4d21062c96df24eb
SHA2562a7fe18a087d8e8be847d9569420b6e8907917ff6ca0fa42be15d4e3653c8747
SHA512fd7dfec3d46b2af0bddb5aaeae79467507e0c29bab814007a39ea61231e76123659f18a453ed3feb25f16652a0c63c33545e2a0d419fafea89f563fca6a07ce2
-
Filesize
134B
MD558d3ca1189df439d0538a75912496bcf
SHA199af5b6a006a6929cc08744d1b54e3623fec2f36
SHA256a946db31a6a985bdb64ea9f403294b479571ca3c22215742bdc26ea1cf123437
SHA512afd7f140e89472d4827156ec1c48da488b0d06daaa737351c7bec6bc12edfc4443460c4ac169287350934ca66fb2f883347ed8084c62caf9f883a736243194a2
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB