dcrat | 7061c7e12d504439149ec1e7cdb81a90bb54b6f067b14e62372bfd9398df3795

Analysis

max time kernel
141s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
09-01-2023 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04bc55e59d87e74f4c0ec46372abd189.exe
Size

1.2MB
MD5

04bc55e59d87e74f4c0ec46372abd189
SHA1

b56a220ce878cc0aced7b9245e9ecc91d34595df
SHA256

7061c7e12d504439149ec1e7cdb81a90bb54b6f067b14e62372bfd9398df3795
SHA512

0fc1c2a801331149a296e060347eb6ded5eafc22b8fd5b4435f76c04b3d1a2177150319c6c6e52d992d6f7aeb2083496dfded4ddbb993f3cc363833f87e57e6d
SSDEEP

24576:AWFIGSbrjVGH+PZmriNz9GNTq6w1ZdTM0QfbSQk4j46oHO:PIxmxvlaO

Score

10^/10

dcrat agilenet infostealer persistence rat

Malware Config

Signatures

DcRat 6 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2212 schtasks.exe
2232 schtasks.exe
2264 schtasks.exe
632 schtasks.exe
728 schtasks.exe
940 schtasks.exe

pid	process
2212	schtasks.exe
2232	schtasks.exe
2264	schtasks.exe
632	schtasks.exe
728	schtasks.exe
940	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

04bc55e59d87e74f4c0ec46372abd189.exe04bc55e59d87e74f4c0ec46372abd189.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\csrss.exe\""	04bc55e59d87e74f4c0ec46372abd189.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\conhost.exe\""	04bc55e59d87e74f4c0ec46372abd189.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	728	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	1740	schtasks.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2020-54-0x0000000000CD0000-0x0000000000E12000-memory.dmp	dcrat
behavioral1/memory/2124-107-0x00000000010B0000-0x00000000011F2000-memory.dmp	dcrat
C:\Users\Admin\AppData\Local\conhost.exe	dcrat
C:\Users\Admin\AppData\Local\conhost.exe	dcrat
behavioral1/memory/2328-222-0x0000000000D60000-0x0000000000EA2000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

conhost.exe

pid process

2328 conhost.exe

pid	process
2328	conhost.exe

Obfuscated with Agile.Net obfuscator 5 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/2020-54-0x0000000000CD0000-0x0000000000E12000-memory.dmp	agile_net
behavioral1/memory/2124-107-0x00000000010B0000-0x00000000011F2000-memory.dmp	agile_net
C:\Users\Admin\AppData\Local\conhost.exe	agile_net
C:\Users\Admin\AppData\Local\conhost.exe	agile_net
behavioral1/memory/2328-222-0x0000000000D60000-0x0000000000EA2000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

04bc55e59d87e74f4c0ec46372abd189.exe04bc55e59d87e74f4c0ec46372abd189.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:/Users/Admin/AppData/Local/\\csrss.exe\""	04bc55e59d87e74f4c0ec46372abd189.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:/Users/Admin/AppData/Local/\\csrss.exe\""	04bc55e59d87e74f4c0ec46372abd189.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:/Users/Admin/AppData/Local/\\conhost.exe\""	04bc55e59d87e74f4c0ec46372abd189.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:/Users/Admin/AppData/Local/\\conhost.exe\""	04bc55e59d87e74f4c0ec46372abd189.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

632 schtasks.exe
728 schtasks.exe
2212 schtasks.exe
2232 schtasks.exe
2264 schtasks.exe
940 schtasks.exe

pid	process
632	schtasks.exe
728	schtasks.exe
2212	schtasks.exe
2232	schtasks.exe
2264	schtasks.exe
940	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

04bc55e59d87e74f4c0ec46372abd189.exe04bc55e59d87e74f4c0ec46372abd189.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2020	04bc55e59d87e74f4c0ec46372abd189.exe
2124	04bc55e59d87e74f4c0ec46372abd189.exe
2392	powershell.exe
2320	powershell.exe
1276	powershell.exe
2344	powershell.exe
608	powershell.exe
1744	powershell.exe
860	powershell.exe
1280	powershell.exe
1308	powershell.exe
1584	powershell.exe
924	powershell.exe
1420	powershell.exe
2044	powershell.exe
1928	powershell.exe
2368	powershell.exe
2300	powershell.exe
1604	powershell.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2020	04bc55e59d87e74f4c0ec46372abd189.exe
Token: SeDebugPrivilege	2124	04bc55e59d87e74f4c0ec46372abd189.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	1276	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	608	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	924	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

04bc55e59d87e74f4c0ec46372abd189.execmd.exe04bc55e59d87e74f4c0ec46372abd189.exe

description	pid	process	target process
PID 2020 wrote to memory of 1276	2020	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2020 wrote to memory of 1276	2020	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2020 wrote to memory of 1276	2020	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2020 wrote to memory of 1280	2020	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2020 wrote to memory of 1280	2020	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2020 wrote to memory of 1280	2020	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2020 wrote to memory of 924	2020	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2020 wrote to memory of 924	2020	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2020 wrote to memory of 924	2020	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2020 wrote to memory of 608	2020	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2020 wrote to memory of 608	2020	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2020 wrote to memory of 608	2020	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2020 wrote to memory of 2044	2020	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2020 wrote to memory of 2044	2020	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2020 wrote to memory of 2044	2020	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2020 wrote to memory of 1584	2020	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2020 wrote to memory of 1584	2020	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2020 wrote to memory of 1584	2020	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2020 wrote to memory of 1928	2020	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2020 wrote to memory of 1928	2020	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2020 wrote to memory of 1928	2020	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2020 wrote to memory of 1420	2020	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2020 wrote to memory of 1420	2020	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2020 wrote to memory of 1420	2020	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2020 wrote to memory of 1744	2020	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2020 wrote to memory of 1744	2020	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2020 wrote to memory of 1744	2020	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2020 wrote to memory of 1308	2020	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2020 wrote to memory of 1308	2020	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2020 wrote to memory of 1308	2020	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2020 wrote to memory of 860	2020	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2020 wrote to memory of 860	2020	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2020 wrote to memory of 860	2020	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2020 wrote to memory of 1604	2020	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2020 wrote to memory of 1604	2020	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2020 wrote to memory of 1604	2020	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2020 wrote to memory of 1620	2020	04bc55e59d87e74f4c0ec46372abd189.exe	cmd.exe
PID 2020 wrote to memory of 1620	2020	04bc55e59d87e74f4c0ec46372abd189.exe	cmd.exe
PID 2020 wrote to memory of 1620	2020	04bc55e59d87e74f4c0ec46372abd189.exe	cmd.exe
PID 1620 wrote to memory of 2100	1620	cmd.exe	w32tm.exe
PID 1620 wrote to memory of 2100	1620	cmd.exe	w32tm.exe
PID 1620 wrote to memory of 2100	1620	cmd.exe	w32tm.exe
PID 1620 wrote to memory of 2124	1620	cmd.exe	04bc55e59d87e74f4c0ec46372abd189.exe
PID 1620 wrote to memory of 2124	1620	cmd.exe	04bc55e59d87e74f4c0ec46372abd189.exe
PID 1620 wrote to memory of 2124	1620	cmd.exe	04bc55e59d87e74f4c0ec46372abd189.exe
PID 2124 wrote to memory of 2284	2124	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2124 wrote to memory of 2284	2124	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2124 wrote to memory of 2284	2124	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2124 wrote to memory of 2300	2124	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2124 wrote to memory of 2300	2124	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2124 wrote to memory of 2300	2124	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2124 wrote to memory of 2320	2124	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2124 wrote to memory of 2320	2124	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2124 wrote to memory of 2320	2124	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2124 wrote to memory of 2344	2124	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2124 wrote to memory of 2344	2124	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2124 wrote to memory of 2344	2124	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2124 wrote to memory of 2368	2124	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2124 wrote to memory of 2368	2124	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2124 wrote to memory of 2368	2124	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2124 wrote to memory of 2392	2124	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2124 wrote to memory of 2392	2124	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2124 wrote to memory of 2392	2124	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe
PID 2124 wrote to memory of 2424	2124	04bc55e59d87e74f4c0ec46372abd189.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\04bc55e59d87e74f4c0ec46372abd189.exe
"C:\Users\Admin\AppData\Local\Temp\04bc55e59d87e74f4c0ec46372abd189.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N9Q7SmhqYe.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\04bc55e59d87e74f4c0ec46372abd189.exe
"C:\Users\Admin\AppData\Local\Temp\04bc55e59d87e74f4c0ec46372abd189.exe"
3⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
4⤵
PID:2284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
4⤵
PID:2424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
4⤵
PID:1716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
4⤵
PID:656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
4⤵
PID:1440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
4⤵
PID:1392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
4⤵
PID:2076

C:\Users\Admin\AppData\Local\conhost.exe
"C:\Users\Admin\AppData\Local\conhost.exe"
4⤵
- Executes dropped EXE
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:/Users/Admin/AppData/Local/\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:/Users/Admin/AppData/Local/\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:/Users/Admin/AppData/Local/\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:/Users/Admin/AppData/Local/\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2264

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\N9Q7SmhqYe.bat
Filesize
235B

MD5
e1c0d44b422a3faca6c0e2fd870c8ee4

SHA1
9c11e35c21c9e09e9a140f7a87b73ce8d512c00f

SHA256
c7167944956336fabea0296ce7a2686413c047dbc4c3d61bfa095433be9e2af0

SHA512
2929e402d9a2695c6dac950a1651565d6e02ddf65bc3dc3a72b72c205ba228f819c8fcfb6641ae2449ce96e3d0e07de46e6fa78859617089b0e48d157af57ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9C8A7.tmp
Filesize
256B

MD5
ea1663a684781a8e2655ea76f417fff9

SHA1
e5386b1d896b0e4734e0aaae277ea36c02964c11

SHA256
83a3ece3797f3d11f2ee34939c5ca214b3c72080a1e03c2fa9e75181abd0c997

SHA512
f419623a0855707bc117dc05e2baabfbfdf205e8edb3e9710b8c33c16539dcefa1391decc0bbcf5f6502d77d8975ceadea7166050965153b42ac2b8b4ee778c7

Download Submit
C:\Users\Admin\AppData\Local\conhost.exe
Filesize
1.2MB

MD5
04bc55e59d87e74f4c0ec46372abd189

SHA1
b56a220ce878cc0aced7b9245e9ecc91d34595df

SHA256
7061c7e12d504439149ec1e7cdb81a90bb54b6f067b14e62372bfd9398df3795

SHA512
0fc1c2a801331149a296e060347eb6ded5eafc22b8fd5b4435f76c04b3d1a2177150319c6c6e52d992d6f7aeb2083496dfded4ddbb993f3cc363833f87e57e6d

Download Submit
C:\Users\Admin\AppData\Local\conhost.exe
Filesize
1.2MB

MD5
04bc55e59d87e74f4c0ec46372abd189

SHA1
b56a220ce878cc0aced7b9245e9ecc91d34595df

SHA256
7061c7e12d504439149ec1e7cdb81a90bb54b6f067b14e62372bfd9398df3795

SHA512
0fc1c2a801331149a296e060347eb6ded5eafc22b8fd5b4435f76c04b3d1a2177150319c6c6e52d992d6f7aeb2083496dfded4ddbb993f3cc363833f87e57e6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
63855ed35bd65d52cee9f8739866b1af

SHA1
f18b329a4d3727b1c233da36bed4490a4b6b9fd8

SHA256
34a3c0e15cc0e09e42ba4804f6a05315ee64402f8d8c81fd4f4dc8f6a91b9646

SHA512
9bfcbeb733e26ed1e88cac5ca36575d22b4bdddd6927d28a565b10c05ffa55f3b1a2e476b4a7d8db9a5b77dcc20cd33b2dbe1b11c6396ec7bf3c0008632f74e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
63855ed35bd65d52cee9f8739866b1af

SHA1
f18b329a4d3727b1c233da36bed4490a4b6b9fd8

SHA256
34a3c0e15cc0e09e42ba4804f6a05315ee64402f8d8c81fd4f4dc8f6a91b9646

SHA512
9bfcbeb733e26ed1e88cac5ca36575d22b4bdddd6927d28a565b10c05ffa55f3b1a2e476b4a7d8db9a5b77dcc20cd33b2dbe1b11c6396ec7bf3c0008632f74e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
63855ed35bd65d52cee9f8739866b1af

SHA1
f18b329a4d3727b1c233da36bed4490a4b6b9fd8

SHA256
34a3c0e15cc0e09e42ba4804f6a05315ee64402f8d8c81fd4f4dc8f6a91b9646

SHA512
9bfcbeb733e26ed1e88cac5ca36575d22b4bdddd6927d28a565b10c05ffa55f3b1a2e476b4a7d8db9a5b77dcc20cd33b2dbe1b11c6396ec7bf3c0008632f74e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
63855ed35bd65d52cee9f8739866b1af

SHA1
f18b329a4d3727b1c233da36bed4490a4b6b9fd8

SHA256
34a3c0e15cc0e09e42ba4804f6a05315ee64402f8d8c81fd4f4dc8f6a91b9646

SHA512
9bfcbeb733e26ed1e88cac5ca36575d22b4bdddd6927d28a565b10c05ffa55f3b1a2e476b4a7d8db9a5b77dcc20cd33b2dbe1b11c6396ec7bf3c0008632f74e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
63855ed35bd65d52cee9f8739866b1af

SHA1
f18b329a4d3727b1c233da36bed4490a4b6b9fd8

SHA256
34a3c0e15cc0e09e42ba4804f6a05315ee64402f8d8c81fd4f4dc8f6a91b9646

SHA512
9bfcbeb733e26ed1e88cac5ca36575d22b4bdddd6927d28a565b10c05ffa55f3b1a2e476b4a7d8db9a5b77dcc20cd33b2dbe1b11c6396ec7bf3c0008632f74e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
63855ed35bd65d52cee9f8739866b1af

SHA1
f18b329a4d3727b1c233da36bed4490a4b6b9fd8

SHA256
34a3c0e15cc0e09e42ba4804f6a05315ee64402f8d8c81fd4f4dc8f6a91b9646

SHA512
9bfcbeb733e26ed1e88cac5ca36575d22b4bdddd6927d28a565b10c05ffa55f3b1a2e476b4a7d8db9a5b77dcc20cd33b2dbe1b11c6396ec7bf3c0008632f74e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
63855ed35bd65d52cee9f8739866b1af

SHA1
f18b329a4d3727b1c233da36bed4490a4b6b9fd8

SHA256
34a3c0e15cc0e09e42ba4804f6a05315ee64402f8d8c81fd4f4dc8f6a91b9646

SHA512
9bfcbeb733e26ed1e88cac5ca36575d22b4bdddd6927d28a565b10c05ffa55f3b1a2e476b4a7d8db9a5b77dcc20cd33b2dbe1b11c6396ec7bf3c0008632f74e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
63855ed35bd65d52cee9f8739866b1af

SHA1
f18b329a4d3727b1c233da36bed4490a4b6b9fd8

SHA256
34a3c0e15cc0e09e42ba4804f6a05315ee64402f8d8c81fd4f4dc8f6a91b9646

SHA512
9bfcbeb733e26ed1e88cac5ca36575d22b4bdddd6927d28a565b10c05ffa55f3b1a2e476b4a7d8db9a5b77dcc20cd33b2dbe1b11c6396ec7bf3c0008632f74e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
63855ed35bd65d52cee9f8739866b1af

SHA1
f18b329a4d3727b1c233da36bed4490a4b6b9fd8

SHA256
34a3c0e15cc0e09e42ba4804f6a05315ee64402f8d8c81fd4f4dc8f6a91b9646

SHA512
9bfcbeb733e26ed1e88cac5ca36575d22b4bdddd6927d28a565b10c05ffa55f3b1a2e476b4a7d8db9a5b77dcc20cd33b2dbe1b11c6396ec7bf3c0008632f74e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
63855ed35bd65d52cee9f8739866b1af

SHA1
f18b329a4d3727b1c233da36bed4490a4b6b9fd8

SHA256
34a3c0e15cc0e09e42ba4804f6a05315ee64402f8d8c81fd4f4dc8f6a91b9646

SHA512
9bfcbeb733e26ed1e88cac5ca36575d22b4bdddd6927d28a565b10c05ffa55f3b1a2e476b4a7d8db9a5b77dcc20cd33b2dbe1b11c6396ec7bf3c0008632f74e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
63855ed35bd65d52cee9f8739866b1af

SHA1
f18b329a4d3727b1c233da36bed4490a4b6b9fd8

SHA256
34a3c0e15cc0e09e42ba4804f6a05315ee64402f8d8c81fd4f4dc8f6a91b9646

SHA512
9bfcbeb733e26ed1e88cac5ca36575d22b4bdddd6927d28a565b10c05ffa55f3b1a2e476b4a7d8db9a5b77dcc20cd33b2dbe1b11c6396ec7bf3c0008632f74e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
63855ed35bd65d52cee9f8739866b1af

SHA1
f18b329a4d3727b1c233da36bed4490a4b6b9fd8

SHA256
34a3c0e15cc0e09e42ba4804f6a05315ee64402f8d8c81fd4f4dc8f6a91b9646

SHA512
9bfcbeb733e26ed1e88cac5ca36575d22b4bdddd6927d28a565b10c05ffa55f3b1a2e476b4a7d8db9a5b77dcc20cd33b2dbe1b11c6396ec7bf3c0008632f74e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
63855ed35bd65d52cee9f8739866b1af

SHA1
f18b329a4d3727b1c233da36bed4490a4b6b9fd8

SHA256
34a3c0e15cc0e09e42ba4804f6a05315ee64402f8d8c81fd4f4dc8f6a91b9646

SHA512
9bfcbeb733e26ed1e88cac5ca36575d22b4bdddd6927d28a565b10c05ffa55f3b1a2e476b4a7d8db9a5b77dcc20cd33b2dbe1b11c6396ec7bf3c0008632f74e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
63855ed35bd65d52cee9f8739866b1af

SHA1
f18b329a4d3727b1c233da36bed4490a4b6b9fd8

SHA256
34a3c0e15cc0e09e42ba4804f6a05315ee64402f8d8c81fd4f4dc8f6a91b9646

SHA512
9bfcbeb733e26ed1e88cac5ca36575d22b4bdddd6927d28a565b10c05ffa55f3b1a2e476b4a7d8db9a5b77dcc20cd33b2dbe1b11c6396ec7bf3c0008632f74e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
63855ed35bd65d52cee9f8739866b1af

SHA1
f18b329a4d3727b1c233da36bed4490a4b6b9fd8

SHA256
34a3c0e15cc0e09e42ba4804f6a05315ee64402f8d8c81fd4f4dc8f6a91b9646

SHA512
9bfcbeb733e26ed1e88cac5ca36575d22b4bdddd6927d28a565b10c05ffa55f3b1a2e476b4a7d8db9a5b77dcc20cd33b2dbe1b11c6396ec7bf3c0008632f74e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
63855ed35bd65d52cee9f8739866b1af

SHA1
f18b329a4d3727b1c233da36bed4490a4b6b9fd8

SHA256
34a3c0e15cc0e09e42ba4804f6a05315ee64402f8d8c81fd4f4dc8f6a91b9646

SHA512
9bfcbeb733e26ed1e88cac5ca36575d22b4bdddd6927d28a565b10c05ffa55f3b1a2e476b4a7d8db9a5b77dcc20cd33b2dbe1b11c6396ec7bf3c0008632f74e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
63855ed35bd65d52cee9f8739866b1af

SHA1
f18b329a4d3727b1c233da36bed4490a4b6b9fd8

SHA256
34a3c0e15cc0e09e42ba4804f6a05315ee64402f8d8c81fd4f4dc8f6a91b9646

SHA512
9bfcbeb733e26ed1e88cac5ca36575d22b4bdddd6927d28a565b10c05ffa55f3b1a2e476b4a7d8db9a5b77dcc20cd33b2dbe1b11c6396ec7bf3c0008632f74e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
63855ed35bd65d52cee9f8739866b1af

SHA1
f18b329a4d3727b1c233da36bed4490a4b6b9fd8

SHA256
34a3c0e15cc0e09e42ba4804f6a05315ee64402f8d8c81fd4f4dc8f6a91b9646

SHA512
9bfcbeb733e26ed1e88cac5ca36575d22b4bdddd6927d28a565b10c05ffa55f3b1a2e476b4a7d8db9a5b77dcc20cd33b2dbe1b11c6396ec7bf3c0008632f74e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
63855ed35bd65d52cee9f8739866b1af

SHA1
f18b329a4d3727b1c233da36bed4490a4b6b9fd8

SHA256
34a3c0e15cc0e09e42ba4804f6a05315ee64402f8d8c81fd4f4dc8f6a91b9646

SHA512
9bfcbeb733e26ed1e88cac5ca36575d22b4bdddd6927d28a565b10c05ffa55f3b1a2e476b4a7d8db9a5b77dcc20cd33b2dbe1b11c6396ec7bf3c0008632f74e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
63855ed35bd65d52cee9f8739866b1af

SHA1
f18b329a4d3727b1c233da36bed4490a4b6b9fd8

SHA256
34a3c0e15cc0e09e42ba4804f6a05315ee64402f8d8c81fd4f4dc8f6a91b9646

SHA512
9bfcbeb733e26ed1e88cac5ca36575d22b4bdddd6927d28a565b10c05ffa55f3b1a2e476b4a7d8db9a5b77dcc20cd33b2dbe1b11c6396ec7bf3c0008632f74e2

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/608-69-0x0000000000000000-mapping.dmp

Download
memory/608-178-0x000000001B840000-0x000000001BB3F000-memory.dmp

Filesize
3.0MB

Download
memory/608-249-0x000000000297B000-0x000000000299A000-memory.dmp

Filesize
124KB

Download
memory/608-131-0x000007FEEB1B0000-0x000007FEEBBD3000-memory.dmp

Filesize
10.1MB

Download
memory/608-165-0x000007FEED850000-0x000007FEEE3AD000-memory.dmp

Filesize
11.4MB

Download
memory/608-150-0x0000000002974000-0x0000000002977000-memory.dmp

Filesize
12KB

Download
memory/656-192-0x0000000000000000-mapping.dmp

Download
memory/656-248-0x0000000002334000-0x0000000002337000-memory.dmp

Filesize
12KB

Download
memory/860-251-0x0000000002974000-0x0000000002977000-memory.dmp

Filesize
12KB

Download
memory/860-253-0x000000000297B000-0x000000000299A000-memory.dmp

Filesize
124KB

Download
memory/860-163-0x000007FEED850000-0x000007FEEE3AD000-memory.dmp

Filesize
11.4MB

Download
memory/860-86-0x0000000000000000-mapping.dmp

Download
memory/860-179-0x000000001B910000-0x000000001BC0F000-memory.dmp

Filesize
3.0MB

Download
memory/860-243-0x000000000297B000-0x000000000299A000-memory.dmp

Filesize
124KB

Download
memory/860-144-0x0000000002974000-0x0000000002977000-memory.dmp

Filesize
12KB

Download
memory/860-112-0x000007FEEB1B0000-0x000007FEEBBD3000-memory.dmp

Filesize
10.1MB

Download
memory/924-207-0x00000000028FB000-0x000000000291A000-memory.dmp

Filesize
124KB

Download
memory/924-201-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/924-92-0x000007FEEB1B0000-0x000007FEEBBD3000-memory.dmp

Filesize
10.1MB

Download
memory/924-148-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/924-68-0x0000000000000000-mapping.dmp

Download
memory/924-160-0x000007FEED850000-0x000007FEEE3AD000-memory.dmp

Filesize
11.4MB

Download
memory/1276-105-0x000007FEEB1B0000-0x000007FEEBBD3000-memory.dmp

Filesize
10.1MB

Download
memory/1276-177-0x000000001B6F0000-0x000000001B9EF000-memory.dmp

Filesize
3.0MB

Download
memory/1276-136-0x000007FEED850000-0x000007FEEE3AD000-memory.dmp

Filesize
11.4MB

Download
memory/1276-66-0x0000000000000000-mapping.dmp

Download
memory/1276-137-0x0000000002454000-0x0000000002457000-memory.dmp

Filesize
12KB

Download
memory/1280-252-0x00000000028AB000-0x00000000028CA000-memory.dmp

Filesize
124KB

Download
memory/1280-149-0x00000000028A4000-0x00000000028A7000-memory.dmp

Filesize
12KB

Download
memory/1280-72-0x000007FEFB531000-0x000007FEFB533000-memory.dmp

Filesize
8KB

Download
memory/1280-182-0x000000001B780000-0x000000001BA7F000-memory.dmp

Filesize
3.0MB

Download
memory/1280-141-0x000007FEED850000-0x000007FEEE3AD000-memory.dmp

Filesize
11.4MB

Download
memory/1280-77-0x000007FEEB1B0000-0x000007FEEBBD3000-memory.dmp

Filesize
10.1MB

Download
memory/1280-67-0x0000000000000000-mapping.dmp

Download
memory/1308-166-0x000007FEED850000-0x000007FEEE3AD000-memory.dmp

Filesize
11.4MB

Download
memory/1308-241-0x0000000001FAB000-0x0000000001FCA000-memory.dmp

Filesize
124KB

Download
memory/1308-80-0x0000000000000000-mapping.dmp

Download
memory/1308-151-0x0000000001FA4000-0x0000000001FA7000-memory.dmp

Filesize
12KB

Download
memory/1308-218-0x0000000001FAB000-0x0000000001FCA000-memory.dmp

Filesize
124KB

Download
memory/1308-126-0x000007FEEB1B0000-0x000007FEEBBD3000-memory.dmp

Filesize
10.1MB

Download
memory/1308-239-0x0000000001FA4000-0x0000000001FA7000-memory.dmp

Filesize
12KB

Download
memory/1308-176-0x000000001B760000-0x000000001BA5F000-memory.dmp

Filesize
3.0MB

Download
memory/1392-250-0x00000000026A4000-0x00000000026A7000-memory.dmp

Filesize
12KB

Download
memory/1392-195-0x0000000000000000-mapping.dmp

Download
memory/1420-76-0x0000000000000000-mapping.dmp

Download
memory/1420-110-0x000007FEEB1B0000-0x000007FEEBBD3000-memory.dmp

Filesize
10.1MB

Download
memory/1420-186-0x000000001B8F0000-0x000000001BBEF000-memory.dmp

Filesize
3.0MB

Download
memory/1420-205-0x000000000259B000-0x00000000025BA000-memory.dmp

Filesize
124KB

Download
memory/1420-198-0x0000000002594000-0x0000000002597000-memory.dmp

Filesize
12KB

Download
memory/1420-153-0x0000000002594000-0x0000000002597000-memory.dmp

Filesize
12KB

Download
memory/1420-169-0x000007FEED850000-0x000007FEEE3AD000-memory.dmp

Filesize
11.4MB

Download
memory/1440-254-0x00000000028E4000-0x00000000028E7000-memory.dmp

Filesize
12KB

Download
memory/1440-193-0x0000000000000000-mapping.dmp

Download
memory/1584-71-0x0000000000000000-mapping.dmp

Download
memory/1584-167-0x000007FEED850000-0x000007FEEE3AD000-memory.dmp

Filesize
11.4MB

Download
memory/1584-111-0x000007FEEB1B0000-0x000007FEEBBD3000-memory.dmp

Filesize
10.1MB

Download
memory/1584-210-0x0000000002424000-0x0000000002427000-memory.dmp

Filesize
12KB

Download
memory/1584-145-0x0000000002424000-0x0000000002427000-memory.dmp

Filesize
12KB

Download
memory/1584-211-0x000000000242B000-0x000000000244A000-memory.dmp

Filesize
124KB

Download
memory/1604-183-0x000000001B950000-0x000000001BC4F000-memory.dmp

Filesize
3.0MB

Download
memory/1604-154-0x00000000023A4000-0x00000000023A7000-memory.dmp

Filesize
12KB

Download
memory/1604-174-0x000007FEED850000-0x000007FEEE3AD000-memory.dmp

Filesize
11.4MB

Download
memory/1604-226-0x00000000023AB000-0x00000000023CA000-memory.dmp

Filesize
124KB

Download
memory/1604-87-0x0000000000000000-mapping.dmp

Download
memory/1604-135-0x000007FEEB1B0000-0x000007FEEBBD3000-memory.dmp

Filesize
10.1MB

Download
memory/1604-240-0x00000000023A4000-0x00000000023A7000-memory.dmp

Filesize
12KB

Download
memory/1604-242-0x00000000023AB000-0x00000000023CA000-memory.dmp

Filesize
124KB

Download
memory/1620-101-0x0000000000000000-mapping.dmp

Download
memory/1716-191-0x0000000000000000-mapping.dmp

Download
memory/1744-78-0x0000000000000000-mapping.dmp

Download
memory/1744-152-0x00000000025F4000-0x00000000025F7000-memory.dmp

Filesize
12KB

Download
memory/1744-225-0x00000000025F4000-0x00000000025F7000-memory.dmp

Filesize
12KB

Download
memory/1744-228-0x00000000025FB000-0x000000000261A000-memory.dmp

Filesize
124KB

Download
memory/1744-120-0x000007FEEB1B0000-0x000007FEEBBD3000-memory.dmp

Filesize
10.1MB

Download
memory/1744-164-0x000007FEED850000-0x000007FEEE3AD000-memory.dmp

Filesize
11.4MB

Download
memory/1928-244-0x00000000028BB000-0x00000000028DA000-memory.dmp

Filesize
124KB

Download
memory/1928-73-0x0000000000000000-mapping.dmp

Download
memory/1928-171-0x000007FEED850000-0x000007FEEE3AD000-memory.dmp

Filesize
11.4MB

Download
memory/1928-109-0x000007FEEB1B0000-0x000007FEEBBD3000-memory.dmp

Filesize
10.1MB

Download
memory/1928-146-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/1928-180-0x000000001B850000-0x000000001BB4F000-memory.dmp

Filesize
3.0MB

Download
memory/2020-58-0x0000000000520000-0x000000000052C000-memory.dmp

Filesize
48KB

Download
memory/2020-64-0x0000000000790000-0x000000000079A000-memory.dmp

Filesize
40KB

Download
memory/2020-65-0x00000000007A0000-0x00000000007AC000-memory.dmp

Filesize
48KB

Download
memory/2020-57-0x00000000003F0000-0x0000000000406000-memory.dmp

Filesize
88KB

Download
memory/2020-63-0x0000000000780000-0x0000000000788000-memory.dmp

Filesize
32KB

Download
memory/2020-62-0x0000000000770000-0x000000000077E000-memory.dmp

Filesize
56KB

Download
memory/2020-59-0x0000000000530000-0x0000000000538000-memory.dmp

Filesize
32KB

Download
memory/2020-56-0x00000000003E0000-0x00000000003E8000-memory.dmp

Filesize
32KB

Download
memory/2020-55-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/2020-54-0x0000000000CD0000-0x0000000000E12000-memory.dmp

Filesize
1.3MB

Download
memory/2020-61-0x0000000000760000-0x000000000076E000-memory.dmp

Filesize
56KB

Download
memory/2020-60-0x0000000000540000-0x000000000054A000-memory.dmp

Filesize
40KB

Download
memory/2044-147-0x0000000002434000-0x0000000002437000-memory.dmp

Filesize
12KB

Download
memory/2044-184-0x000000001B830000-0x000000001BB2F000-memory.dmp

Filesize
3.0MB

Download
memory/2044-238-0x000000000243B000-0x000000000245A000-memory.dmp

Filesize
124KB

Download
memory/2044-70-0x0000000000000000-mapping.dmp

Download
memory/2044-237-0x0000000002434000-0x0000000002437000-memory.dmp

Filesize
12KB

Download
memory/2044-170-0x000007FEED850000-0x000007FEEE3AD000-memory.dmp

Filesize
11.4MB

Download
memory/2044-108-0x000007FEEB1B0000-0x000007FEEBBD3000-memory.dmp

Filesize
10.1MB

Download
memory/2044-230-0x000000000243B000-0x000000000245A000-memory.dmp

Filesize
124KB

Download
memory/2076-199-0x0000000000000000-mapping.dmp

Download
memory/2100-104-0x0000000000000000-mapping.dmp

Download
memory/2124-107-0x00000000010B0000-0x00000000011F2000-memory.dmp

Filesize
1.3MB

Download
memory/2124-106-0x0000000000000000-mapping.dmp

Download
memory/2284-114-0x0000000000000000-mapping.dmp

Download
memory/2300-140-0x000007FEEB1B0000-0x000007FEEBBD3000-memory.dmp

Filesize
10.1MB

Download
memory/2300-115-0x0000000000000000-mapping.dmp

Download
memory/2300-156-0x00000000028A4000-0x00000000028A7000-memory.dmp

Filesize
12KB

Download
memory/2300-173-0x000007FEED850000-0x000007FEEE3AD000-memory.dmp

Filesize
11.4MB

Download
memory/2320-116-0x0000000000000000-mapping.dmp

Download
memory/2320-143-0x000007FEEB1B0000-0x000007FEEBBD3000-memory.dmp

Filesize
10.1MB

Download
memory/2320-246-0x000000000271B000-0x000000000273A000-memory.dmp

Filesize
124KB

Download
memory/2320-158-0x0000000002714000-0x0000000002717000-memory.dmp

Filesize
12KB

Download
memory/2320-161-0x000007FEED850000-0x000007FEEE3AD000-memory.dmp

Filesize
11.4MB

Download
memory/2328-206-0x0000000000000000-mapping.dmp

Download
memory/2328-222-0x0000000000D60000-0x0000000000EA2000-memory.dmp

Filesize
1.3MB

Download
memory/2344-200-0x000000000293B000-0x000000000295A000-memory.dmp

Filesize
124KB

Download
memory/2344-162-0x000007FEED850000-0x000007FEEE3AD000-memory.dmp

Filesize
11.4MB

Download
memory/2344-159-0x0000000002934000-0x0000000002937000-memory.dmp

Filesize
12KB

Download
memory/2344-196-0x0000000002934000-0x0000000002937000-memory.dmp

Filesize
12KB

Download
memory/2344-181-0x000000001B800000-0x000000001BAFF000-memory.dmp

Filesize
3.0MB

Download
memory/2344-117-0x0000000000000000-mapping.dmp

Download
memory/2344-138-0x000007FEEB1B0000-0x000007FEEBBD3000-memory.dmp

Filesize
10.1MB

Download
memory/2368-172-0x000007FEED850000-0x000007FEEE3AD000-memory.dmp

Filesize
11.4MB

Download
memory/2368-118-0x0000000000000000-mapping.dmp

Download
memory/2368-155-0x0000000002904000-0x0000000002907000-memory.dmp

Filesize
12KB

Download
memory/2368-139-0x000007FEEB1B0000-0x000007FEEBBD3000-memory.dmp

Filesize
10.1MB

Download
memory/2368-247-0x000000000290B000-0x000000000292A000-memory.dmp

Filesize
124KB

Download
memory/2392-157-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/2392-168-0x000007FEED850000-0x000007FEEE3AD000-memory.dmp

Filesize
11.4MB

Download
memory/2392-119-0x0000000000000000-mapping.dmp

Download
memory/2392-142-0x000007FEEB1B0000-0x000007FEEBBD3000-memory.dmp

Filesize
10.1MB

Download
memory/2392-175-0x000000001B860000-0x000000001BB5F000-memory.dmp

Filesize
3.0MB

Download
memory/2392-194-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/2392-197-0x000000000272B000-0x000000000274A000-memory.dmp

Filesize
124KB

Download
memory/2424-245-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/2424-122-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads