dcrat | 56c6f0d228895d66b602e7c81e4e54e7bf9d42d922272dcb3e35c422d375cbd9

General

Target

a99334c099cac557b3bc62ae7654d3b4.exe
Size

1.5MB
MD5

a99334c099cac557b3bc62ae7654d3b4
SHA1

e1c5e919cd32b2ef32a04920a9992bce6f9e677d
SHA256

56c6f0d228895d66b602e7c81e4e54e7bf9d42d922272dcb3e35c422d375cbd9
SHA512

3238f9a88d0284142731d66e2c94ef88208acadfa3996086237bc076fb05491edd955670fafd47642ed77a47cb971cafd73fb0a10e293842ccfab0aa254eef66
SSDEEP

24576:VSMRshqVg7knYt0srvDhKaU80v3X3Po/ZLJVwZZ+Z5bNAsTio:0OXMTt0KbhU8GeZLLI85bNAs

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	940	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/832-54-0x0000000000FE0000-0x000000000115A000-memory.dmp	dcrat
C:\MSOCache\All Users\dwm.exe	dcrat
behavioral1/memory/1376-65-0x00000000013A0000-0x000000000151A000-memory.dmp	dcrat
C:\MSOCache\All Users\dwm.exe	dcrat

Executes dropped EXE 1 IoCs

Processes:

dwm.exe

pid process

1376 dwm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1376	dwm.exe

Drops file in Program Files directory 2 IoCs

Processes:

a99334c099cac557b3bc62ae7654d3b4.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Sidebar\ja-JP\lsm.exe	a99334c099cac557b3bc62ae7654d3b4.exe
File created	C:\Program Files (x86)\Windows Sidebar\ja-JP\101b941d020240	a99334c099cac557b3bc62ae7654d3b4.exe

Drops file in Windows directory 7 IoCs

Processes:

a99334c099cac557b3bc62ae7654d3b4.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\assembly\explorer.exe	a99334c099cac557b3bc62ae7654d3b4.exe
File created	C:\Windows\Microsoft.NET\assembly\7a0fd90576e088	a99334c099cac557b3bc62ae7654d3b4.exe
File created	C:\Windows\Setup\State\explorer.exe	a99334c099cac557b3bc62ae7654d3b4.exe
File created	C:\Windows\Setup\State\7a0fd90576e088	a99334c099cac557b3bc62ae7654d3b4.exe
File created	C:\Windows\Fonts\smss.exe	a99334c099cac557b3bc62ae7654d3b4.exe
File created	C:\Windows\Fonts\69ddcba757bf72	a99334c099cac557b3bc62ae7654d3b4.exe
File created	C:\Windows\Microsoft.NET\assembly\explorer.exe	a99334c099cac557b3bc62ae7654d3b4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1268	schtasks.exe
864	schtasks.exe
1644	schtasks.exe
928	schtasks.exe
696	schtasks.exe
1568	schtasks.exe
1804	schtasks.exe
1608	schtasks.exe
1596	schtasks.exe
1464	schtasks.exe
1400	schtasks.exe
892	schtasks.exe
1684	schtasks.exe
976	schtasks.exe
1948	schtasks.exe
316	schtasks.exe
1592	schtasks.exe
1844	schtasks.exe
1776	schtasks.exe
1452	schtasks.exe
1876	schtasks.exe
1632	schtasks.exe
388	schtasks.exe
580	schtasks.exe
1716	schtasks.exe
844	schtasks.exe
1872	schtasks.exe
2028	schtasks.exe
1700	schtasks.exe
1688	schtasks.exe
592	schtasks.exe
1452	schtasks.exe
1780	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a99334c099cac557b3bc62ae7654d3b4.exedwm.exe

pid	process
832	a99334c099cac557b3bc62ae7654d3b4.exe
832	a99334c099cac557b3bc62ae7654d3b4.exe
832	a99334c099cac557b3bc62ae7654d3b4.exe
832	a99334c099cac557b3bc62ae7654d3b4.exe
832	a99334c099cac557b3bc62ae7654d3b4.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe
1376	dwm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a99334c099cac557b3bc62ae7654d3b4.exedwm.exe

description pid process

Token: SeDebugPrivilege 832 a99334c099cac557b3bc62ae7654d3b4.exe
Token: SeDebugPrivilege 1376 dwm.exe

description	pid	process
Token: SeDebugPrivilege	832	a99334c099cac557b3bc62ae7654d3b4.exe
Token: SeDebugPrivilege	1376	dwm.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a99334c099cac557b3bc62ae7654d3b4.exe

description	pid	process	target process
PID 832 wrote to memory of 1376	832	a99334c099cac557b3bc62ae7654d3b4.exe	dwm.exe
PID 832 wrote to memory of 1376	832	a99334c099cac557b3bc62ae7654d3b4.exe	dwm.exe
PID 832 wrote to memory of 1376	832	a99334c099cac557b3bc62ae7654d3b4.exe	dwm.exe

C:\Users\Admin\AppData\Local\Temp\a99334c099cac557b3bc62ae7654d3b4.exe
"C:\Users\Admin\AppData\Local\Temp\a99334c099cac557b3bc62ae7654d3b4.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:832
- C:\MSOCache\All Users\dwm.exe
  "C:\MSOCache\All Users\dwm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\Microsoft.NET\assembly\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\Microsoft.NET\assembly\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Templates\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Templates\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Templates\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\Setup\State\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Setup\State\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\Setup\State\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Fonts\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\dwm.exe

Filesize
1.5MB

MD5
a99334c099cac557b3bc62ae7654d3b4

SHA1
e1c5e919cd32b2ef32a04920a9992bce6f9e677d

SHA256
56c6f0d228895d66b602e7c81e4e54e7bf9d42d922272dcb3e35c422d375cbd9

SHA512
3238f9a88d0284142731d66e2c94ef88208acadfa3996086237bc076fb05491edd955670fafd47642ed77a47cb971cafd73fb0a10e293842ccfab0aa254eef66

Download Submit
C:\MSOCache\All Users\dwm.exe

Filesize
1.5MB

MD5
a99334c099cac557b3bc62ae7654d3b4

SHA1
e1c5e919cd32b2ef32a04920a9992bce6f9e677d

SHA256
56c6f0d228895d66b602e7c81e4e54e7bf9d42d922272dcb3e35c422d375cbd9

SHA512
3238f9a88d0284142731d66e2c94ef88208acadfa3996086237bc076fb05491edd955670fafd47642ed77a47cb971cafd73fb0a10e293842ccfab0aa254eef66

Download Submit
memory/832-57-0x0000000000630000-0x0000000000646000-memory.dmp

Filesize
88KB

Download
memory/832-54-0x0000000000FE0000-0x000000000115A000-memory.dmp

Filesize
1.5MB

Download
memory/832-58-0x0000000000A90000-0x0000000000AA2000-memory.dmp

Filesize
72KB

Download
memory/832-59-0x0000000000AC0000-0x0000000000ACC000-memory.dmp

Filesize
48KB

Download
memory/832-60-0x0000000000AE0000-0x0000000000AEE000-memory.dmp

Filesize
56KB

Download
memory/832-61-0x0000000000AD0000-0x0000000000ADC000-memory.dmp

Filesize
48KB

Download
memory/832-56-0x0000000000490000-0x00000000004AC000-memory.dmp

Filesize
112KB

Download
memory/832-55-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1376-62-0x0000000000000000-mapping.dmp

Download
memory/1376-65-0x00000000013A0000-0x000000000151A000-memory.dmp

Filesize
1.5MB

Download
memory/1376-66-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads