dcrat | ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc

General

Target

ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
Size

2.7MB
MD5

8a988516d37df432161e208d0d8c42bd
SHA1

58598135c7dced1b5266814edc5e44afc5dda59f
SHA256

ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc
SHA512

f546d5ab0de84baa5a580a576df5ed19e90b220501b0f251932fec9755391b8cb7b6080f523fe79322ea25fbca44eaf2bd6f600d94d7e090b624d3f86852e6a3
SSDEEP

49152:iH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:iHfE5Ad8Xd295UmGc

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ja\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\taskhost.exe\", \"C:\\Users\\Default\\lsm.exe\", \"C:\\Windows\\Resources\\Ease of Access Themes\\smss.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\skins\\lsass.exe\""	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ja\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\taskhost.exe\", \"C:\\Users\\Default\\lsm.exe\", \"C:\\Windows\\Resources\\Ease of Access Themes\\smss.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\skins\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\""	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ja\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\taskhost.exe\", \"C:\\Users\\Default\\lsm.exe\", \"C:\\Windows\\Resources\\Ease of Access Themes\\smss.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\skins\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\", \"C:\\Users\\All Users\\Package Cache\\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\\explorer.exe\""	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ja\\csrss.exe\""	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ja\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\taskhost.exe\""	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ja\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\taskhost.exe\", \"C:\\Users\\Default\\lsm.exe\""	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ja\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\taskhost.exe\", \"C:\\Users\\Default\\lsm.exe\", \"C:\\Windows\\Resources\\Ease of Access Themes\\smss.exe\""	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	2900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2900	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

csrss.exece8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1548-1-0x00000000013B0000-0x0000000001670000-memory.dmp	dcrat
C:\Program Files\VideoLAN\VLC\skins\lsass.exe	dcrat
behavioral1/memory/1208-103-0x0000000000C50000-0x0000000000F10000-memory.dmp	dcrat

Detects executables packed with SmartAssembly 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1548-6-0x0000000000290000-0x00000000002A0000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/1548-11-0x0000000000CA0000-0x0000000000CAA000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/1548-12-0x000000001AE20000-0x000000001AE76000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/1548-15-0x0000000000CD0000-0x0000000000CDC000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/1548-18-0x0000000000D80000-0x0000000000D8C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/1548-21-0x0000000000DF0000-0x0000000000DFC000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/1548-22-0x0000000000E00000-0x0000000000E0C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/1548-24-0x00000000012A0000-0x00000000012AA000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2776 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

1208 csrss.exe

pid	process
2776	powershell.exe

pid	process
1208	csrss.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Windows Portable Devices\\taskhost.exe\""	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\Resources\\Ease of Access Themes\\smss.exe\""	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\Resources\\Ease of Access Themes\\smss.exe\""	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\""	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\All Users\\Package Cache\\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\\explorer.exe\""	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\VideoLAN\\VLC\\skins\\lsass.exe\""	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\csrss.exe\""	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ja\\csrss.exe\""	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Windows Portable Devices\\taskhost.exe\""	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Default\\lsm.exe\""	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\All Users\\Package Cache\\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\\explorer.exe\""	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ja\\csrss.exe\""	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Default\\lsm.exe\""	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\VideoLAN\\VLC\\skins\\lsass.exe\""	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

csrss.exece8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe

Drops file in Program Files directory 12 IoCs

Processes:

ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe

description	ioc	process
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\csrss.exe	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\886983d96e3d3e	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\b75386f1303e64	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
File created	C:\Program Files\VideoLAN\VLC\skins\6203df4a6bafc7	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\RCX3AFF.tmp	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\taskhost.exe	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\lsass.exe	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\csrss.exe	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\taskhost.exe	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
File created	C:\Program Files\VideoLAN\VLC\skins\lsass.exe	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX3D02.tmp	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\RCX437B.tmp	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe

Drops file in Windows directory 4 IoCs

Processes:

ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe

description	ioc	process
File created	C:\Windows\Resources\Ease of Access Themes\smss.exe	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
File created	C:\Windows\Resources\Ease of Access Themes\69ddcba757bf72	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\RCX410A.tmp	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\smss.exe	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2572	schtasks.exe
308	schtasks.exe
1296	schtasks.exe
2020	schtasks.exe
3032	schtasks.exe
2676	schtasks.exe
1876	schtasks.exe
1860	schtasks.exe
2228	schtasks.exe
1684	schtasks.exe
2016	schtasks.exe
2632	schtasks.exe
2780	schtasks.exe
344	schtasks.exe
1644	schtasks.exe
2696	schtasks.exe
2516	schtasks.exe
2612	schtasks.exe
2416	schtasks.exe
2544	schtasks.exe
2196	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

csrss.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	csrss.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exepowershell.execsrss.exe

pid	process
1548	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
1548	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
1548	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
1548	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
1548	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
1548	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
1548	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
1548	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
1548	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
1548	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
1548	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
1548	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
1548	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
1548	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
1548	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
1548	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
1548	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
1548	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
1548	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
1548	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
1548	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
2776	powershell.exe
1208	csrss.exe
1208	csrss.exe
1208	csrss.exe
1208	csrss.exe
1208	csrss.exe
1208	csrss.exe
1208	csrss.exe
1208	csrss.exe
1208	csrss.exe
1208	csrss.exe
1208	csrss.exe
1208	csrss.exe
1208	csrss.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exepowershell.execsrss.exe

description	pid	process
Token: SeDebugPrivilege	1548	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	1208	csrss.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe

description	pid	process	target process
PID 1548 wrote to memory of 2776	1548	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe	powershell.exe
PID 1548 wrote to memory of 2776	1548	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe	powershell.exe
PID 1548 wrote to memory of 2776	1548	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe	powershell.exe
PID 1548 wrote to memory of 1208	1548	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe	csrss.exe
PID 1548 wrote to memory of 1208	1548	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe	csrss.exe
PID 1548 wrote to memory of 1208	1548	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe	csrss.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.execsrss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe
"C:\Users\Admin\AppData\Local\Temp\ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe
"C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe"
2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Default\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Default\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Ease of Access Themes\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\Ease of Access Themes\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\skins\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\skins\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

Scheduled Task/Job

Defense Evasion

Modify Registry

5

T1112

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

1

T1562.001

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\VideoLAN\VLC\skins\lsass.exe
Filesize
2.7MB

MD5
8a988516d37df432161e208d0d8c42bd

SHA1
58598135c7dced1b5266814edc5e44afc5dda59f

SHA256
ce8abab7abf2a2ed224d8c9a3fe10114547c743518e905765b8d8ef76500cabc

SHA512
f546d5ab0de84baa5a580a576df5ed19e90b220501b0f251932fec9755391b8cb7b6080f523fe79322ea25fbca44eaf2bd6f600d94d7e090b624d3f86852e6a3

Download Submit
memory/1208-103-0x0000000000C50000-0x0000000000F10000-memory.dmp

Filesize
2.8MB

Download
memory/1548-16-0x0000000000D60000-0x0000000000D68000-memory.dmp

Filesize
32KB

Download
memory/1548-4-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/1548-17-0x0000000000D70000-0x0000000000D7C000-memory.dmp

Filesize
48KB

Download
memory/1548-6-0x0000000000290000-0x00000000002A0000-memory.dmp

Filesize
64KB

Download
memory/1548-5-0x0000000000280000-0x0000000000288000-memory.dmp

Filesize
32KB

Download
memory/1548-8-0x00000000004C0000-0x00000000004C8000-memory.dmp

Filesize
32KB

Download
memory/1548-7-0x00000000004A0000-0x00000000004B6000-memory.dmp

Filesize
88KB

Download
memory/1548-9-0x0000000000650000-0x0000000000658000-memory.dmp

Filesize
32KB

Download
memory/1548-10-0x0000000000660000-0x0000000000670000-memory.dmp

Filesize
64KB

Download
memory/1548-11-0x0000000000CA0000-0x0000000000CAA000-memory.dmp

Filesize
40KB

Download
memory/1548-12-0x000000001AE20000-0x000000001AE76000-memory.dmp

Filesize
344KB

Download
memory/1548-13-0x0000000000CB0000-0x0000000000CB8000-memory.dmp

Filesize
32KB

Download
memory/1548-14-0x0000000000CC0000-0x0000000000CC8000-memory.dmp

Filesize
32KB

Download
memory/1548-15-0x0000000000CD0000-0x0000000000CDC000-memory.dmp

Filesize
48KB

Download
memory/1548-0-0x000007FEF56B3000-0x000007FEF56B4000-memory.dmp

Filesize
4KB

Download
memory/1548-3-0x0000000000250000-0x0000000000258000-memory.dmp

Filesize
32KB

Download
memory/1548-18-0x0000000000D80000-0x0000000000D8C000-memory.dmp

Filesize
48KB

Download
memory/1548-19-0x0000000000D90000-0x0000000000D98000-memory.dmp

Filesize
32KB

Download
memory/1548-20-0x0000000000DE0000-0x0000000000DE8000-memory.dmp

Filesize
32KB

Download
memory/1548-21-0x0000000000DF0000-0x0000000000DFC000-memory.dmp

Filesize
48KB

Download
memory/1548-22-0x0000000000E00000-0x0000000000E0C000-memory.dmp

Filesize
48KB

Download
memory/1548-23-0x0000000001290000-0x0000000001298000-memory.dmp

Filesize
32KB

Download
memory/1548-24-0x00000000012A0000-0x00000000012AA000-memory.dmp

Filesize
40KB

Download
memory/1548-25-0x000000001AE70000-0x000000001AE7C000-memory.dmp

Filesize
48KB

Download
memory/1548-28-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

Filesize
9.9MB

Download
memory/1548-2-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

Filesize
9.9MB

Download
memory/1548-1-0x00000000013B0000-0x0000000001670000-memory.dmp

Filesize
2.8MB

Download
memory/1548-104-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

Filesize
9.9MB

Download
memory/2776-105-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download
memory/2776-102-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads