dcrat | 40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7d

General

Target

40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7dN.exe
Size

2.7MB
MD5

8e6d3e4cdb00a133fd3f33cfde6e37c0
SHA1

91233309e54797dac7c00a9576c38456bc14acba
SHA256

40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7d
SHA512

a1604b3da2eb2dfec99ed830eaa8077e0ba2b2f66c377bf8c1bdea8e8668f2bee7fa90411fdd62f358f1be87ae58dd5e1de71a58f46428550c64262664c671a6
SSDEEP

49152:sqyJUSQelMhlk1w19BlUobhENGZXxRWi0UAuqYqqnc:pyJlQgGk1wPko1oO30UA7Yqq

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	2044	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	2044	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	2044	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	2044	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	2044	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2044	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	2044	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	2044	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2044	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	2044	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2044	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2044	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2044	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2044	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	2044	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2044	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2044	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3716	2044	schtasks.exe	82

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7dN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7dN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7dN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3636-1-0x0000000000750000-0x0000000000A04000-memory.dmp	dcrat
behavioral2/files/0x000b000000023b9a-30.dat	dcrat
behavioral2/files/0x000a000000023bc1-47.dat	dcrat
behavioral2/files/0x0008000000023bc4-58.dat	dcrat
behavioral2/files/0x000c000000023b8f-80.dat	dcrat
behavioral2/files/0x000c000000023b94-91.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7dN.exe

Executes dropped EXE 1 IoCs

pid	Process
3736	sppsvc.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7dN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7dN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ImmersiveControlPanel\pris\RCXAFC2.tmp	40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7dN.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\pris\RCXB040.tmp	40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7dN.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\pris\fontdrvhost.exe	40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7dN.exe
File created	C:\Windows\ImmersiveControlPanel\pris\fontdrvhost.exe	40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7dN.exe
File created	C:\Windows\ImmersiveControlPanel\pris\5b884080fd4f94	40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7dN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7dN.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1264	schtasks.exe
1872	schtasks.exe
3716	schtasks.exe
4664	schtasks.exe
4352	schtasks.exe
4460	schtasks.exe
2868	schtasks.exe
1252	schtasks.exe
5116	schtasks.exe
2760	schtasks.exe
2004	schtasks.exe
736	schtasks.exe
4564	schtasks.exe
3176	schtasks.exe
3996	schtasks.exe
2592	schtasks.exe
4884	schtasks.exe
2672	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3636	40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7dN.exe
3636	40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7dN.exe
3636	40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7dN.exe
3636	40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7dN.exe
3636	40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7dN.exe
3636	40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7dN.exe
3636	40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7dN.exe
3636	40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7dN.exe
3636	40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7dN.exe
3636	40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7dN.exe
3636	40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7dN.exe
3636	40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7dN.exe
3636	40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7dN.exe
3736	sppsvc.exe
3736	sppsvc.exe
3736	sppsvc.exe
3736	sppsvc.exe
3736	sppsvc.exe
3736	sppsvc.exe
3736	sppsvc.exe
3736	sppsvc.exe
3736	sppsvc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3736	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3636	40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7dN.exe
Token: SeDebugPrivilege	3736	sppsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 2956	3636	40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7dN.exe	101
PID 3636 wrote to memory of 2956	3636	40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7dN.exe	101
PID 2956 wrote to memory of 4280	2956	cmd.exe	103
PID 2956 wrote to memory of 4280	2956	cmd.exe	103
PID 2956 wrote to memory of 3736	2956	cmd.exe	104
PID 2956 wrote to memory of 3736	2956	cmd.exe	104

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7dN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7dN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7dN.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7dN.exe
"C:\Users\Admin\AppData\Local\Temp\40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7dN.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3636
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ea0WjfTxms.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4280
- - C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\sppsvc.exe
    "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\sppsvc.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Public\Pictures\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Favorites\Links\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\Links\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Favorites\Links\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\ImmersiveControlPanel\pris\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\ImmersiveControlPanel\pris\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\ImmersiveControlPanel\pris\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\services.exe

Filesize
2.7MB

MD5
d5544b7e031eb6796158cb5c7c2b19d5

SHA1
db3ecf70450f336c6e53f18a21a19b7af5411411

SHA256
0dbfa8d7878a36d497f0c23481106f206200f4f3b1935f3f83b9cd54146cfb16

SHA512
0ccdacbb0bfbb53dfa453993fe429195798a6553119bef6eb9e096a053ef9a3db90294763a8ad1fb5c3e7e80f59753ade248f2a3fa2387136ca3caad7542c744

Download Submit
C:\Recovery\WindowsRE\sysmon.exe

Filesize
2.7MB

MD5
797039a45a0b72ddf9582a812d4da87d

SHA1
d61e56a216d9b56b0703a11edde436a9477e9cb2

SHA256
7249a6ae6fa205299c80464b415d181390050f97fbf22c9b48101e1898d9be59

SHA512
30e15e794bdd4b9c36cbd3cabab71f14033ece0db6014159114d242c52db4fd3909602aa9031314394f1c36b14ec35d083bac49e387c0b1892958365ba5cece6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ea0WjfTxms.bat

Filesize
245B

MD5
6d3f270b7c55db460f7d95d90cab797b

SHA1
6d32b1f39a046647c90a63ad1526de8f49bffb0c

SHA256
2b5958889c282db31e47c2d819a466799c30c791e8f8ce4e3a2d5841953a4cd7

SHA512
72b4b72d5bb6c5ef046bb21da72c75b2b2840d7b70e4abb7a0a6be6b11b936d8dba5db66586afdacfb5afa6938e9640dece8eef35d433f58fa1094e20a5962b6

Download Submit
C:\Users\Public\Pictures\upfc.exe

Filesize
2.7MB

MD5
2a35f6b174d2b46cda13ad105d0c3f15

SHA1
503f3e9d6d4e1e4d12778f522e7df846b9ebf5a5

SHA256
b10c446fd12c881a62eec03c6fe434f40eea6810282c4cc606d1dfdd6499736b

SHA512
eb66c610f175fcabef3c5419260bd597d2a542846aa45765f28e48d58520e4393a6224c171c3ec65a3ad5ae9710b38646933b4be39a6c666d133349030245350

Download Submit
C:\Windows\ImmersiveControlPanel\pris\fontdrvhost.exe

Filesize
2.7MB

MD5
8e6d3e4cdb00a133fd3f33cfde6e37c0

SHA1
91233309e54797dac7c00a9576c38456bc14acba

SHA256
40a25f4406c2c119fdbee6a530b4dbd78dfad9e98eb0ac785290997976d75d7d

SHA512
a1604b3da2eb2dfec99ed830eaa8077e0ba2b2f66c377bf8c1bdea8e8668f2bee7fa90411fdd62f358f1be87ae58dd5e1de71a58f46428550c64262664c671a6

Download Submit
C:\Windows\ImmersiveControlPanel\pris\fontdrvhost.exe

Filesize
2.7MB

MD5
8bffe1ce57dc2eceb6a4fb7876402f5f

SHA1
f34335364fae6153c3a12443d4a81ca05c1fe8f8

SHA256
3b5e2e86ab844cba552b0d898b6526218bd8a4946789b1bd1714963dd7c9ba34

SHA512
96e8d75f9f29d5ed98a883e9ad84a7ec846f2fc2468e2b5a8a903561eb39812f97ad6656952fba400a04f8b2520f722dc3d1c479a0284597da4c616299f83481

Download Submit
memory/3636-14-0x000000001C2B0000-0x000000001C7D8000-memory.dmp

Filesize
5.2MB

Download
memory/3636-19-0x000000001BDC0000-0x000000001BDCC000-memory.dmp

Filesize
48KB

Download
memory/3636-8-0x000000001B760000-0x000000001B776000-memory.dmp

Filesize
88KB

Download
memory/3636-7-0x000000001B630000-0x000000001B640000-memory.dmp

Filesize
64KB

Download
memory/3636-10-0x000000001B7A0000-0x000000001B7AA000-memory.dmp

Filesize
40KB

Download
memory/3636-11-0x000000001BD10000-0x000000001BD66000-memory.dmp

Filesize
344KB

Download
memory/3636-12-0x000000001B780000-0x000000001B788000-memory.dmp

Filesize
32KB

Download
memory/3636-13-0x000000001B790000-0x000000001B7A2000-memory.dmp

Filesize
72KB

Download
memory/3636-0-0x00007FF9024F3000-0x00007FF9024F5000-memory.dmp

Filesize
8KB

Download
memory/3636-15-0x000000001BD80000-0x000000001BD88000-memory.dmp

Filesize
32KB

Download
memory/3636-17-0x000000001BDA0000-0x000000001BDAC000-memory.dmp

Filesize
48KB

Download
memory/3636-9-0x000000001B640000-0x000000001B648000-memory.dmp

Filesize
32KB

Download
memory/3636-18-0x000000001BDB0000-0x000000001BDBE000-memory.dmp

Filesize
56KB

Download
memory/3636-16-0x000000001BD90000-0x000000001BD98000-memory.dmp

Filesize
32KB

Download
memory/3636-21-0x000000001BDE0000-0x000000001BDEC000-memory.dmp

Filesize
48KB

Download
memory/3636-20-0x000000001BDD0000-0x000000001BDDA000-memory.dmp

Filesize
40KB

Download
memory/3636-6-0x000000001B620000-0x000000001B628000-memory.dmp

Filesize
32KB

Download
memory/3636-5-0x000000001B7B0000-0x000000001B800000-memory.dmp

Filesize
320KB

Download
memory/3636-4-0x000000001B600000-0x000000001B61C000-memory.dmp

Filesize
112KB

Download
memory/3636-3-0x000000001B5F0000-0x000000001B5FE000-memory.dmp

Filesize
56KB

Download
memory/3636-2-0x00007FF9024F0000-0x00007FF902FB1000-memory.dmp

Filesize
10.8MB

Download
memory/3636-1-0x0000000000750000-0x0000000000A04000-memory.dmp

Filesize
2.7MB

Download
memory/3636-113-0x00007FF9024F0000-0x00007FF902FB1000-memory.dmp

Filesize
10.8MB

Download
memory/3736-117-0x000000001BA70000-0x000000001BA82000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads