dcrat | 225e120cff3c4735693f6297f074cc50a7eb21709668ac7b283514a497296478

General

Target

DCRatBuild.exe
Size

1.4MB
MD5

890b09aea29e89eaf80df95deefb73c3
SHA1

3c6b2b2e635542eaaf4aefd3e0af6a285aefab50
SHA256

225e120cff3c4735693f6297f074cc50a7eb21709668ac7b283514a497296478
SHA512

2a8388fda1533b06d377ed46457cf2f68919ac62cd0ef6ff79a88383a60c1ca0b27a7dc6b1fdcde09f5a7f5b5b7389f27a2f4e79c7c5d2f01f0c602f3cec5421
SSDEEP

24576:9TbBv5rUCB0nQ1c9yzgS5o/mNHJK7CXiUgRRAJtndHr5k+jp9TO7:XBOQ1Iy0MYRIfj+

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	476	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2864	schtasks.exe	34

.NET Reactor proctector 3 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x0008000000016d30-11.dat	net_reactor
behavioral1/memory/1276-13-0x0000000000BD0000-0x0000000000CD8000-memory.dmp	net_reactor
behavioral1/memory/2316-34-0x00000000001C0000-0x00000000002C8000-memory.dmp	net_reactor

Executes dropped EXE 2 IoCs

pid	Process
1276	BlockFontdhcp.exe
2316	spoolsv.exe

Loads dropped DLL 2 IoCs

pid	Process
644	cmd.exe
644	cmd.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ipinfo.io
7	ipinfo.io

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\winlogon.exe	BlockFontdhcp.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\winlogon.exe	BlockFontdhcp.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\cc11b995f2a76d	BlockFontdhcp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	spoolsv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	spoolsv.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2796	schtasks.exe
824	schtasks.exe
2352	schtasks.exe
1148	schtasks.exe
2060	schtasks.exe
2512	schtasks.exe
2984	schtasks.exe
2440	schtasks.exe
476	schtasks.exe
2144	schtasks.exe
2160	schtasks.exe
2244	schtasks.exe
2884	schtasks.exe
1108	schtasks.exe
332	schtasks.exe
2220	schtasks.exe
2400	schtasks.exe
1836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1276	BlockFontdhcp.exe
2316	spoolsv.exe
2316	spoolsv.exe
2316	spoolsv.exe
2316	spoolsv.exe
2316	spoolsv.exe
2316	spoolsv.exe
2316	spoolsv.exe
2316	spoolsv.exe
2316	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1276	BlockFontdhcp.exe
Token: SeDebugPrivilege	2316	spoolsv.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2556	2816	DCRatBuild.exe	30
PID 2816 wrote to memory of 2556	2816	DCRatBuild.exe	30
PID 2816 wrote to memory of 2556	2816	DCRatBuild.exe	30
PID 2816 wrote to memory of 2556	2816	DCRatBuild.exe	30
PID 2556 wrote to memory of 644	2556	WScript.exe	31
PID 2556 wrote to memory of 644	2556	WScript.exe	31
PID 2556 wrote to memory of 644	2556	WScript.exe	31
PID 2556 wrote to memory of 644	2556	WScript.exe	31
PID 644 wrote to memory of 1276	644	cmd.exe	33
PID 644 wrote to memory of 1276	644	cmd.exe	33
PID 644 wrote to memory of 1276	644	cmd.exe	33
PID 644 wrote to memory of 1276	644	cmd.exe	33
PID 1276 wrote to memory of 1300	1276	BlockFontdhcp.exe	53
PID 1276 wrote to memory of 1300	1276	BlockFontdhcp.exe	53
PID 1276 wrote to memory of 1300	1276	BlockFontdhcp.exe	53
PID 1300 wrote to memory of 1620	1300	cmd.exe	55
PID 1300 wrote to memory of 1620	1300	cmd.exe	55
PID 1300 wrote to memory of 1620	1300	cmd.exe	55
PID 1300 wrote to memory of 2316	1300	cmd.exe	56
PID 1300 wrote to memory of 2316	1300	cmd.exe	56
PID 1300 wrote to memory of 2316	1300	cmd.exe	56

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\reviewsavesperfCrtSvc\tzMZVm1abJD3pde4yd.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\reviewsavesperfCrtSvc\aYwgBEDNgkB8QtolbNtXXxbWyY.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:644
  - - C:\reviewsavesperfCrtSvc\BlockFontdhcp.exe
      "C:\reviewsavesperfCrtSvc\BlockFontdhcp.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1276
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CJzVRWpvS5.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1300
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1620
      - C:\Users\Default\PrintHood\spoolsv.exe
        
        "C:\Users\Default\PrintHood\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BlockFontdhcpB" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\BlockFontdhcp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BlockFontdhcp" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\BlockFontdhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BlockFontdhcpB" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\BlockFontdhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\PrintHood\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Default\PrintHood\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\reviewsavesperfCrtSvc\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\reviewsavesperfCrtSvc\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\reviewsavesperfCrtSvc\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CJzVRWpvS5.bat

Filesize
203B

MD5
0b3bc3d3cfafb14c1af0c2d34ea5aac6

SHA1
ad44eab76dc8a8cc0daf01be731bd66b9d15fa4d

SHA256
f64e16a848393be0ddad6ae3b5cb943b06291200b07337666e88a58cb1c22117

SHA512
4035da7cd7a5d0019c5d66990db76105eaa0990038405142f853b83e6dccebe69b7763f0305de087871fd9e72488f81176463a479f982e3e8fc26ad734da2f96

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9385A.tmp

Filesize
700B

MD5
0405fd1cf4358e25a78cd17a532ffa70

SHA1
025823053a69b6ec1bcb9811b0f05ebdb38db3c3

SHA256
d386184c5476febe2351866272c264915fa3af1c3f44c7fbb174615258038288

SHA512
6dad0cde941d16b362efac77eb3251380351d15765a717f27d41c0794e47ab0fadb95c10d3279db3ea8b7c05847bdffcc2f9afb7b3c3924c4c741916120069ab

Download Submit
C:\reviewsavesperfCrtSvc\aYwgBEDNgkB8QtolbNtXXxbWyY.bat

Filesize
44B

MD5
db8867c0cc3be41674b6be7526a43ed0

SHA1
7633be3ae90e93f7f2db61814ba49604341bdfe3

SHA256
093e64e9e0ca0087984f60b67c531086646966361c6f3255fef2bb5c55d6dd8a

SHA512
bffb69ceab7517f863bf20849f51d967854da8863573869dc282d99f34680f411183977b56db4ac2351c0816fb535cbb628e0dad60fc4970ec3987b00c7493a7

Download Submit
C:\reviewsavesperfCrtSvc\tzMZVm1abJD3pde4yd.vbe

Filesize
225B

MD5
531f115a8a6adab2a86a1af79fb53765

SHA1
084f53afdd7317f85a148610d68c2931cc9c0465

SHA256
73b48abb75373b9f1bb726491723a345fa63bcbdf65d7ae416dbf3301671409a

SHA512
1a82abf9d3cb84192a4f3f0880a09e0ba3eeed6c2a798476eb78fa9c43bfb6ea5f3f401784f31091707c1be18579d0ac76e3a5402ee92e9eda8c3dec524a3d60

Download Submit
\reviewsavesperfCrtSvc\BlockFontdhcp.exe

Filesize
1.0MB

MD5
3f658d28250f84d99535f21b813ec7cb

SHA1
a9b2cc33893de0489eacee3387d0ce8e925852ac

SHA256
8c46f055a6dacf41bea4eaca78b4a3eab9e95ec322a1224592f2d49ba0d0ab52

SHA512
5e7031c27a6025fee74d63b4590432a662885c8f237d4446f487c851b9c1be03fc43311fd09af028762c64da488bff41d13386cfaf5db0ec741be2e3537ee866

Download Submit
memory/1276-13-0x0000000000BD0000-0x0000000000CD8000-memory.dmp

Filesize
1.0MB

Download
memory/2316-34-0x00000000001C0000-0x00000000002C8000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads