dcrat | 6aedcdfc3f6fdc1ca86554a6ba351d9dbccec6c0ab5a0aec82ef583a4e690f0e

General

Target

HEUR-Trojan-Spy.MSIL.Stealer.gen-6aedcdfc3f6f.exe
Size

1.4MB
MD5

dd32729dcf73c31a478099c25da5789c
SHA1

dad05d17829936c6136d16962c38d2981e56bb21
SHA256

6aedcdfc3f6fdc1ca86554a6ba351d9dbccec6c0ab5a0aec82ef583a4e690f0e
SHA512

fcf113386c292d03c39071587907f0700936d0ac060c8b96f1ce71683b5e78b1c4b730fdc79b35bb1fe097010844e237034a4184e32fc0b4566ef2f31d382fc0
SSDEEP

24576:U2G/nvxW3Ww0tdGyavpdrgnar7l2odPdcsZHpa+AGO05d2GqXW+lWR++40:UbA30alr7tcsZHpaVwulmJ

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 9 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-6aedcdfc3f6f.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Spy.MSIL.Stealer.gen-6aedcdfc3f6f.exe
2128	schtasks.exe
1936	schtasks.exe
2420	schtasks.exe
3656	schtasks.exe
3532	schtasks.exe
1992	schtasks.exe
3808	schtasks.exe
856	schtasks.exe

Process spawned unexpected child process 8 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	4412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	4412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	4412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3808	4412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	4412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	4412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	4412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	4412	schtasks.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe	dcrat
C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe	dcrat
behavioral2/memory/3968-139-0x0000000000520000-0x0000000000642000-memory.dmp	dcrat
C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe	dcrat
C:\Windows\System32\werdiagcontroller\fontdrvhost.exe	dcrat
C:\Windows\System32\werdiagcontroller\fontdrvhost.exe	dcrat

Executes dropped EXE 3 IoCs

Processes:

winPerfdhcpCommonSvcsavesperfMonitor.exewinPerfdhcpCommonSvcsavesperfMonitor.exefontdrvhost.exe

pid process

3968 winPerfdhcpCommonSvcsavesperfMonitor.exe
3308 winPerfdhcpCommonSvcsavesperfMonitor.exe
1844 fontdrvhost.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-6aedcdfc3f6f.exeWScript.exewinPerfdhcpCommonSvcsavesperfMonitor.exewinPerfdhcpCommonSvcsavesperfMonitor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Spy.MSIL.Stealer.gen-6aedcdfc3f6f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	winPerfdhcpCommonSvcsavesperfMonitor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	winPerfdhcpCommonSvcsavesperfMonitor.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winPerfdhcpCommonSvcsavesperfMonitor.exewinPerfdhcpCommonSvcsavesperfMonitor.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\werdiagcontroller\\fontdrvhost.exe\""	winPerfdhcpCommonSvcsavesperfMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	winPerfdhcpCommonSvcsavesperfMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winPerfdhcpCommonSvcsavesperfMonitor = "\"C:\\winPerfdhcpCommonSvc\\qBt7GIlH160\\winPerfdhcpCommonSvcsavesperfMonitor.exe\""	winPerfdhcpCommonSvcsavesperfMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\resources\\SearchApp.exe\""	winPerfdhcpCommonSvcsavesperfMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\odt\\wininit.exe\""	winPerfdhcpCommonSvcsavesperfMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\PeerDistHttpTrans\\RuntimeBroker.exe\""	winPerfdhcpCommonSvcsavesperfMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\RuntimeBroker.exe\""	winPerfdhcpCommonSvcsavesperfMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\wincredui\\taskhostw.exe\""	winPerfdhcpCommonSvcsavesperfMonitor.exe

Drops file in System32 directory 6 IoCs

Processes:

winPerfdhcpCommonSvcsavesperfMonitor.exewinPerfdhcpCommonSvcsavesperfMonitor.exe

description	ioc	process
File created	C:\Windows\System32\werdiagcontroller\5b884080fd4f94e2695da25c503f9e33b9605b83	winPerfdhcpCommonSvcsavesperfMonitor.exe
File created	C:\Windows\System32\PeerDistHttpTrans\RuntimeBroker.exe	winPerfdhcpCommonSvcsavesperfMonitor.exe
File created	C:\Windows\System32\PeerDistHttpTrans\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	winPerfdhcpCommonSvcsavesperfMonitor.exe
File created	C:\Windows\System32\wincredui\taskhostw.exe	winPerfdhcpCommonSvcsavesperfMonitor.exe
File created	C:\Windows\System32\wincredui\ea9f0e6c9e2dcd4dfacdaf29ba21541fb815a988	winPerfdhcpCommonSvcsavesperfMonitor.exe
File created	C:\Windows\System32\werdiagcontroller\fontdrvhost.exe	winPerfdhcpCommonSvcsavesperfMonitor.exe

Drops file in Program Files directory 3 IoCs

Processes:

winPerfdhcpCommonSvcsavesperfMonitor.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe	winPerfdhcpCommonSvcsavesperfMonitor.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	winPerfdhcpCommonSvcsavesperfMonitor.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe	winPerfdhcpCommonSvcsavesperfMonitor.exe

Drops file in Windows directory 3 IoCs

Processes:

winPerfdhcpCommonSvcsavesperfMonitor.exe

description	ioc	process
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\resources\SearchApp.exe	winPerfdhcpCommonSvcsavesperfMonitor.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\resources\SearchApp.exe	winPerfdhcpCommonSvcsavesperfMonitor.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\resources\38384e6a620884a6b69bcc56f80d556f9200171c	winPerfdhcpCommonSvcsavesperfMonitor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1992 schtasks.exe
3808 schtasks.exe
2128 schtasks.exe
1936 schtasks.exe
2420 schtasks.exe
856 schtasks.exe
3656 schtasks.exe
3532 schtasks.exe

pid	process
1992	schtasks.exe
3808	schtasks.exe
2128	schtasks.exe
1936	schtasks.exe
2420	schtasks.exe
856	schtasks.exe
3656	schtasks.exe
3532	schtasks.exe

Modifies registry class 1 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-6aedcdfc3f6f.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	HEUR-Trojan-Spy.MSIL.Stealer.gen-6aedcdfc3f6f.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

winPerfdhcpCommonSvcsavesperfMonitor.exewinPerfdhcpCommonSvcsavesperfMonitor.exefontdrvhost.exe

pid	process
3968	winPerfdhcpCommonSvcsavesperfMonitor.exe
3308	winPerfdhcpCommonSvcsavesperfMonitor.exe
3308	winPerfdhcpCommonSvcsavesperfMonitor.exe
3308	winPerfdhcpCommonSvcsavesperfMonitor.exe
3308	winPerfdhcpCommonSvcsavesperfMonitor.exe
3308	winPerfdhcpCommonSvcsavesperfMonitor.exe
3308	winPerfdhcpCommonSvcsavesperfMonitor.exe
3308	winPerfdhcpCommonSvcsavesperfMonitor.exe
3308	winPerfdhcpCommonSvcsavesperfMonitor.exe
3308	winPerfdhcpCommonSvcsavesperfMonitor.exe
3308	winPerfdhcpCommonSvcsavesperfMonitor.exe
1844	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

winPerfdhcpCommonSvcsavesperfMonitor.exewinPerfdhcpCommonSvcsavesperfMonitor.exefontdrvhost.exe

description	pid	process
Token: SeDebugPrivilege	3968	winPerfdhcpCommonSvcsavesperfMonitor.exe
Token: SeDebugPrivilege	3308	winPerfdhcpCommonSvcsavesperfMonitor.exe
Token: SeDebugPrivilege	1844	fontdrvhost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-6aedcdfc3f6f.exeWScript.execmd.exewinPerfdhcpCommonSvcsavesperfMonitor.exewinPerfdhcpCommonSvcsavesperfMonitor.exe

description	pid	process	target process
PID 4252 wrote to memory of 2404	4252	HEUR-Trojan-Spy.MSIL.Stealer.gen-6aedcdfc3f6f.exe	WScript.exe
PID 4252 wrote to memory of 2404	4252	HEUR-Trojan-Spy.MSIL.Stealer.gen-6aedcdfc3f6f.exe	WScript.exe
PID 4252 wrote to memory of 2404	4252	HEUR-Trojan-Spy.MSIL.Stealer.gen-6aedcdfc3f6f.exe	WScript.exe
PID 2404 wrote to memory of 216	2404	WScript.exe	cmd.exe
PID 2404 wrote to memory of 216	2404	WScript.exe	cmd.exe
PID 2404 wrote to memory of 216	2404	WScript.exe	cmd.exe
PID 216 wrote to memory of 3968	216	cmd.exe	winPerfdhcpCommonSvcsavesperfMonitor.exe
PID 216 wrote to memory of 3968	216	cmd.exe	winPerfdhcpCommonSvcsavesperfMonitor.exe
PID 3968 wrote to memory of 3308	3968	winPerfdhcpCommonSvcsavesperfMonitor.exe	winPerfdhcpCommonSvcsavesperfMonitor.exe
PID 3968 wrote to memory of 3308	3968	winPerfdhcpCommonSvcsavesperfMonitor.exe	winPerfdhcpCommonSvcsavesperfMonitor.exe
PID 3308 wrote to memory of 1844	3308	winPerfdhcpCommonSvcsavesperfMonitor.exe	fontdrvhost.exe
PID 3308 wrote to memory of 1844	3308	winPerfdhcpCommonSvcsavesperfMonitor.exe	fontdrvhost.exe

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-6aedcdfc3f6f.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-6aedcdfc3f6f.exe"
1⤵
- DcRat
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4252

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\winPerfdhcpCommonSvc\nuhjZzEl1l8CltfoWi77.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\winPerfdhcpCommonSvc\qBt7GIlH160.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:216

C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe
"C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3968

C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe
"C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3308

C:\Windows\System32\werdiagcontroller\fontdrvhost.exe
"C:\Windows\System32\werdiagcontroller\fontdrvhost.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\resources\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\PeerDistHttpTrans\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\wincredui\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\werdiagcontroller\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winPerfdhcpCommonSvcsavesperfMonitor" /sc ONLOGON /tr "'C:\winPerfdhcpCommonSvc\qBt7GIlH160\winPerfdhcpCommonSvcsavesperfMonitor.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winPerfdhcpCommonSvcsavesperfMonitor.exe.log
Filesize
1KB

MD5
b7c0c43fc7804baaa7dc87152cdc9554

SHA1
1bab62bd56af745678d4e967d91e1ccfdeed4038

SHA256
46386a61f3aaf1b1c2e6efc9fc7e9e9ff16cd13ae58b8d856835771fedb6d457

SHA512
9fda3dd00a3406137e0113f13f78e77b20a76512b35820d38df696842cbbf2e2ebabfb99a3846c9637ecb54af858ec1551521187e379872973006426a253f769

Download Submit
C:\Windows\System32\werdiagcontroller\fontdrvhost.exe
Filesize
1.1MB

MD5
4f85fd9da0e6d825b520f09905b16301

SHA1
11b96ca925a09cd96569c4be2930b9b2bad9dd07

SHA256
fd9e479531a11076bfa97269d4562bda4571f3f03f00e049e3e125d82099e942

SHA512
cd7d31d8cec1f0aca5597216baffa5fbdaa7b4cf8134f8b0de7f2ed0b97c24c5964cf0508dc115360d5264e093436081970d7acfa6917e0d1a14d34a4774003e

Download Submit
C:\Windows\System32\werdiagcontroller\fontdrvhost.exe
Filesize
1.1MB

MD5
4f85fd9da0e6d825b520f09905b16301

SHA1
11b96ca925a09cd96569c4be2930b9b2bad9dd07

SHA256
fd9e479531a11076bfa97269d4562bda4571f3f03f00e049e3e125d82099e942

SHA512
cd7d31d8cec1f0aca5597216baffa5fbdaa7b4cf8134f8b0de7f2ed0b97c24c5964cf0508dc115360d5264e093436081970d7acfa6917e0d1a14d34a4774003e

Download Submit
C:\winPerfdhcpCommonSvc\nuhjZzEl1l8CltfoWi77.vbe
Filesize
205B

MD5
abd20005732c70524b80234027cf0db4

SHA1
d0cdbcfce900f87af778847ef0d3cab111d81a96

SHA256
a3f95542fdf730753c47edb849267864f0cff972bfa20cab36065c24953c45d6

SHA512
c3a71016fa58d8d1cd173c9b9ba32c157d2277535fd8f658cc87981cc4721d7c04e822b96a58d8f31d87724237b24c81635c13bb746dc12db1f2379e4867f7ba

Download Submit
C:\winPerfdhcpCommonSvc\qBt7GIlH160.bat
Filesize
66B

MD5
58afc535c3d36e78abb3677a61dc4737

SHA1
bd3914278bba89d1b88dac33ca2b1ca9c04c3aa4

SHA256
ebdb6f3c9799886ce3dd7e9ed19333446b94303c8ad00d5b49d744a0c867d4d4

SHA512
8f609700f10ce525feee7a3e7bd1799e573bd6b1e67783478cf5e1390a18de5eb37bf179bbd805532f7e05d12602205af00e7b3c214d09516bdcbd90c25aa4b3

Download Submit
C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe
Filesize
1.1MB

MD5
4f85fd9da0e6d825b520f09905b16301

SHA1
11b96ca925a09cd96569c4be2930b9b2bad9dd07

SHA256
fd9e479531a11076bfa97269d4562bda4571f3f03f00e049e3e125d82099e942

SHA512
cd7d31d8cec1f0aca5597216baffa5fbdaa7b4cf8134f8b0de7f2ed0b97c24c5964cf0508dc115360d5264e093436081970d7acfa6917e0d1a14d34a4774003e

Download Submit
C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe
Filesize
1.1MB

MD5
4f85fd9da0e6d825b520f09905b16301

SHA1
11b96ca925a09cd96569c4be2930b9b2bad9dd07

SHA256
fd9e479531a11076bfa97269d4562bda4571f3f03f00e049e3e125d82099e942

SHA512
cd7d31d8cec1f0aca5597216baffa5fbdaa7b4cf8134f8b0de7f2ed0b97c24c5964cf0508dc115360d5264e093436081970d7acfa6917e0d1a14d34a4774003e

Download Submit
C:\winPerfdhcpCommonSvc\winPerfdhcpCommonSvcsavesperfMonitor.exe
Filesize
1.1MB

MD5
4f85fd9da0e6d825b520f09905b16301

SHA1
11b96ca925a09cd96569c4be2930b9b2bad9dd07

SHA256
fd9e479531a11076bfa97269d4562bda4571f3f03f00e049e3e125d82099e942

SHA512
cd7d31d8cec1f0aca5597216baffa5fbdaa7b4cf8134f8b0de7f2ed0b97c24c5964cf0508dc115360d5264e093436081970d7acfa6917e0d1a14d34a4774003e

Download Submit
memory/216-135-0x0000000000000000-mapping.dmp

Download
memory/1844-146-0x0000000000000000-mapping.dmp

Download
memory/1844-150-0x00007FF8F91A0000-0x00007FF8F9C61000-memory.dmp

Filesize
10.8MB

Download
memory/1844-151-0x00007FF8F91A0000-0x00007FF8F9C61000-memory.dmp

Filesize
10.8MB

Download
memory/2404-132-0x0000000000000000-mapping.dmp

Download
memory/3308-141-0x0000000000000000-mapping.dmp

Download
memory/3308-145-0x00007FF8F91A0000-0x00007FF8F9C61000-memory.dmp

Filesize
10.8MB

Download
memory/3308-149-0x00007FF8F91A0000-0x00007FF8F9C61000-memory.dmp

Filesize
10.8MB

Download
memory/3968-140-0x00007FF8F91A0000-0x00007FF8F9C61000-memory.dmp

Filesize
10.8MB

Download
memory/3968-139-0x0000000000520000-0x0000000000642000-memory.dmp

Filesize
1.1MB

Download
memory/3968-144-0x00007FF8F91A0000-0x00007FF8F9C61000-memory.dmp

Filesize
10.8MB

Download
memory/3968-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads