dcrat | 7bb34de9af0096fcda6707bc8fea5925c8507ae15b4a76e3d03525170ec1ecc5

General

Target

JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
Size

911KB
MD5

5122e9b0deae7300d07a5550c40eabc9
SHA1

1a8509c1adf72145cf58f7a55f9821c7cb952447
SHA256

7bb34de9af0096fcda6707bc8fea5925c8507ae15b4a76e3d03525170ec1ecc5
SHA512

e7ed78d4c5662587b949ab28878c557e07e8052e2ee59628440d379d0db9f72507049b7d523e20551e5809869f9e605838e7bd96a13e14a6d7338ff964d1f92a
SSDEEP

12288:lLpIhnEH6vXGyw/QnLSQy4bEJRG8atNkQ1WzeKWL+A4ZoIV5jCHx42ICtfqn4:FqyywIjbjZtNkQvKM+A4iIb67tf+4

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 9 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\mscms\\sppsvc.exe\""	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\mscms\\sppsvc.exe\", \"C:\\ProgramData\\Start Menu\\dwm.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\wininit.exe\""	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\mscms\\sppsvc.exe\", \"C:\\ProgramData\\Start Menu\\dwm.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\wininit.exe\", \"C:\\Windows\\System32\\wpnpinst\\smss.exe\""	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\mscms\\sppsvc.exe\", \"C:\\ProgramData\\Start Menu\\dwm.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\wininit.exe\", \"C:\\Windows\\System32\\wpnpinst\\smss.exe\", \"C:\\Windows\\System32\\rasdial\\winlogon.exe\""	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\mscms\\sppsvc.exe\", \"C:\\ProgramData\\Start Menu\\dwm.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\wininit.exe\", \"C:\\Windows\\System32\\wpnpinst\\smss.exe\", \"C:\\Windows\\System32\\rasdial\\winlogon.exe\", \"C:\\Windows\\System32\\KBDTUQ\\services.exe\""	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\mscms\\sppsvc.exe\", \"C:\\ProgramData\\Start Menu\\dwm.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\wininit.exe\", \"C:\\Windows\\System32\\wpnpinst\\smss.exe\", \"C:\\Windows\\System32\\rasdial\\winlogon.exe\", \"C:\\Windows\\System32\\KBDTUQ\\services.exe\", \"C:\\Windows\\System32\\odbc32\\lsm.exe\""	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\mscms\\sppsvc.exe\", \"C:\\ProgramData\\Start Menu\\dwm.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\wininit.exe\", \"C:\\Windows\\System32\\wpnpinst\\smss.exe\", \"C:\\Windows\\System32\\rasdial\\winlogon.exe\", \"C:\\Windows\\System32\\KBDTUQ\\services.exe\", \"C:\\Windows\\System32\\odbc32\\lsm.exe\", \"C:\\Windows\\System32\\vssadmin\\dwm.exe\""	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\mscms\\sppsvc.exe\", \"C:\\ProgramData\\Start Menu\\dwm.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\wininit.exe\", \"C:\\Windows\\System32\\wpnpinst\\smss.exe\", \"C:\\Windows\\System32\\rasdial\\winlogon.exe\", \"C:\\Windows\\System32\\KBDTUQ\\services.exe\", \"C:\\Windows\\System32\\odbc32\\lsm.exe\", \"C:\\Windows\\System32\\vssadmin\\dwm.exe\", \"C:\\Windows\\System32\\KBDCR\\taskhost.exe\""	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\mscms\\sppsvc.exe\", \"C:\\ProgramData\\Start Menu\\dwm.exe\""	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	716	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2656	schtasks.exe	30

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/3004-1-0x00000000013B0000-0x000000000149A000-memory.dmp	dcrat
behavioral1/files/0x0006000000016d36-11.dat	dcrat
behavioral1/memory/1244-29-0x0000000000290000-0x000000000037A000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
1244	wininit.exe

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\wpnpinst\\smss.exe\""	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\vssadmin\\dwm.exe\""	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\KBDCR\\taskhost.exe\""	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\KBDTUQ\\services.exe\""	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\vssadmin\\dwm.exe\""	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\mscms\\sppsvc.exe\""	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\ProgramData\\Start Menu\\dwm.exe\""	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\ProgramData\\Start Menu\\dwm.exe\""	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\wpnpinst\\smss.exe\""	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\rasdial\\winlogon.exe\""	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\rasdial\\winlogon.exe\""	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\odbc32\\lsm.exe\""	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\odbc32\\lsm.exe\""	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\KBDCR\\taskhost.exe\""	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\mscms\\sppsvc.exe\""	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Public\\Documents\\My Pictures\\wininit.exe\""	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Public\\Documents\\My Pictures\\wininit.exe\""	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\KBDTUQ\\services.exe\""	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\mscms\sppsvc.exe	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
File created	C:\Windows\System32\wpnpinst\69ddcba757bf72f7d36c464c71f42baab150b2b9	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
File created	C:\Windows\System32\rasdial\cc11b995f2a76da408ea6a601e682e64743153ad	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
File created	C:\Windows\System32\KBDTUQ\services.exe	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
File created	C:\Windows\System32\KBDCR\b75386f1303e64d8139363b71e44ac16341adf4e	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
File created	C:\Windows\System32\wpnpinst\smss.exe	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
File created	C:\Windows\System32\rasdial\winlogon.exe	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
File created	C:\Windows\System32\KBDTUQ\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
File created	C:\Windows\System32\vssadmin\dwm.exe	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
File created	C:\Windows\System32\KBDCR\taskhost.exe	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
File created	C:\Windows\System32\mscms\sppsvc.exe	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
File created	C:\Windows\System32\odbc32\lsm.exe	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
File created	C:\Windows\System32\odbc32\101b941d020240259ca4912829b53995ad543df6	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
File created	C:\Windows\System32\vssadmin\6cb0b6c459d5d3455a3da700e713f2e2529862ff	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
File created	C:\Windows\System32\mscms\0a1fd5f707cd16ea89afd3d6db52b2da58214a6c	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
716	schtasks.exe
1856	schtasks.exe
2812	schtasks.exe
2576	schtasks.exe
2768	schtasks.exe
892	schtasks.exe
2852	schtasks.exe
2636	schtasks.exe
304	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3004	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
3004	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
3004	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
1244	wininit.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
Token: SeDebugPrivilege	1244	wininit.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2828	3004	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe	40
PID 3004 wrote to memory of 2828	3004	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe	40
PID 3004 wrote to memory of 2828	3004	JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe	40
PID 2828 wrote to memory of 2384	2828	cmd.exe	42
PID 2828 wrote to memory of 2384	2828	cmd.exe	42
PID 2828 wrote to memory of 2384	2828	cmd.exe	42
PID 2828 wrote to memory of 1244	2828	cmd.exe	43
PID 2828 wrote to memory of 1244	2828	cmd.exe	43
PID 2828 wrote to memory of 1244	2828	cmd.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5122e9b0deae7300d07a5550c40eabc9.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fRmPIiclsm.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2384
- - C:\Users\Public\Documents\My Pictures\wininit.exe
    "C:\Users\Public\Documents\My Pictures\wininit.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\mscms\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\wpnpinst\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\rasdial\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\KBDTUQ\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\odbc32\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\vssadmin\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\KBDCR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fRmPIiclsm.bat

Filesize
213B

MD5
4e0a0c65d21e1843a94c547ea989c12f

SHA1
aaad8ba66c9eb1cc5d8429175b0fadcbeac6df6a

SHA256
d90100a86a731266a7055fe79c397783d329172e84c29ea83598e14dbfe4116c

SHA512
92875747e811f609e00a9030a6a7d8320f028414bd93a0187b9aaf9346ee64557a55175856dbcce8bca13579693a951bfabfe407ce2eabbbcc9382b943cb2557

Download Submit
C:\Windows\System32\rasdial\winlogon.exe

Filesize
911KB

MD5
5122e9b0deae7300d07a5550c40eabc9

SHA1
1a8509c1adf72145cf58f7a55f9821c7cb952447

SHA256
7bb34de9af0096fcda6707bc8fea5925c8507ae15b4a76e3d03525170ec1ecc5

SHA512
e7ed78d4c5662587b949ab28878c557e07e8052e2ee59628440d379d0db9f72507049b7d523e20551e5809869f9e605838e7bd96a13e14a6d7338ff964d1f92a

Download Submit
memory/1244-29-0x0000000000290000-0x000000000037A000-memory.dmp

Filesize
936KB

Download
memory/3004-0-0x000007FEF5A23000-0x000007FEF5A24000-memory.dmp

Filesize
4KB

Download
memory/3004-1-0x00000000013B0000-0x000000000149A000-memory.dmp

Filesize
936KB

Download
memory/3004-2-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/3004-25-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads