dcrat | bceca4720a9dfb62bf4f5130f9443e6fe40f24fb440df17a51b29340575805c0

General

Target

00009e23a8bcbb7323c15448165dc6cc.exe
Size

2.3MB
MD5

00009e23a8bcbb7323c15448165dc6cc
SHA1

2b5050619a50c63d487ed07651be88d1a8ab92d6
SHA256

bceca4720a9dfb62bf4f5130f9443e6fe40f24fb440df17a51b29340575805c0
SHA512

e5f88177c022f80bef16a225679211484f8b12a6f7fdf41c9b94a7a6604578ab413d8a9020231bb55f54a4233c912a7d10837207fce69ce157f4da8717878a41
SSDEEP

49152:oEAW6oV1uWgMzCAKcNqGAonnXvjGt8YxKIh3i2L:LADWgmNqGAKKBli

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	1224	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	1224	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	1224	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	1224	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	1224	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	1224	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	1224	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	1224	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	1224	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	1224	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	1224	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	1224	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	1224	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	1224	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	1224	schtasks.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/704-54-0x0000000000FC0000-0x0000000001214000-memory.dmp	dcrat

Drops file in Program Files directory 10 IoCs

Processes:

00009e23a8bcbb7323c15448165dc6cc.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\RCX814C.tmp	00009e23a8bcbb7323c15448165dc6cc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\6203df4a6bafc7	00009e23a8bcbb7323c15448165dc6cc.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\RCX71DF.tmp	00009e23a8bcbb7323c15448165dc6cc.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\Idle.exe	00009e23a8bcbb7323c15448165dc6cc.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\RCX7559.tmp	00009e23a8bcbb7323c15448165dc6cc.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\RCX7DD2.tmp	00009e23a8bcbb7323c15448165dc6cc.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\lsass.exe	00009e23a8bcbb7323c15448165dc6cc.exe
File created	C:\Program Files\Mozilla Firefox\fonts\Idle.exe	00009e23a8bcbb7323c15448165dc6cc.exe
File created	C:\Program Files\Mozilla Firefox\fonts\6ccacd8608530f	00009e23a8bcbb7323c15448165dc6cc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\lsass.exe	00009e23a8bcbb7323c15448165dc6cc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
968	schtasks.exe
1040	schtasks.exe
1960	schtasks.exe
1104	schtasks.exe
832	schtasks.exe
1640	schtasks.exe
1752	schtasks.exe
1496	schtasks.exe
1352	schtasks.exe
1776	schtasks.exe
552	schtasks.exe
1480	schtasks.exe
1924	schtasks.exe
1692	schtasks.exe
1764	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

00009e23a8bcbb7323c15448165dc6cc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
704	00009e23a8bcbb7323c15448165dc6cc.exe
704	00009e23a8bcbb7323c15448165dc6cc.exe
704	00009e23a8bcbb7323c15448165dc6cc.exe
704	00009e23a8bcbb7323c15448165dc6cc.exe
704	00009e23a8bcbb7323c15448165dc6cc.exe
896	powershell.exe
1624	powershell.exe
1876	powershell.exe
1132	powershell.exe
1788	powershell.exe
1152	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

00009e23a8bcbb7323c15448165dc6cc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	704	00009e23a8bcbb7323c15448165dc6cc.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

00009e23a8bcbb7323c15448165dc6cc.exe

description	pid	process	target process
PID 704 wrote to memory of 1132	704	00009e23a8bcbb7323c15448165dc6cc.exe	powershell.exe
PID 704 wrote to memory of 1132	704	00009e23a8bcbb7323c15448165dc6cc.exe	powershell.exe
PID 704 wrote to memory of 1132	704	00009e23a8bcbb7323c15448165dc6cc.exe	powershell.exe
PID 704 wrote to memory of 1152	704	00009e23a8bcbb7323c15448165dc6cc.exe	powershell.exe
PID 704 wrote to memory of 1152	704	00009e23a8bcbb7323c15448165dc6cc.exe	powershell.exe
PID 704 wrote to memory of 1152	704	00009e23a8bcbb7323c15448165dc6cc.exe	powershell.exe
PID 704 wrote to memory of 896	704	00009e23a8bcbb7323c15448165dc6cc.exe	powershell.exe
PID 704 wrote to memory of 896	704	00009e23a8bcbb7323c15448165dc6cc.exe	powershell.exe
PID 704 wrote to memory of 896	704	00009e23a8bcbb7323c15448165dc6cc.exe	powershell.exe
PID 704 wrote to memory of 1876	704	00009e23a8bcbb7323c15448165dc6cc.exe	powershell.exe
PID 704 wrote to memory of 1876	704	00009e23a8bcbb7323c15448165dc6cc.exe	powershell.exe
PID 704 wrote to memory of 1876	704	00009e23a8bcbb7323c15448165dc6cc.exe	powershell.exe
PID 704 wrote to memory of 1788	704	00009e23a8bcbb7323c15448165dc6cc.exe	powershell.exe
PID 704 wrote to memory of 1788	704	00009e23a8bcbb7323c15448165dc6cc.exe	powershell.exe
PID 704 wrote to memory of 1788	704	00009e23a8bcbb7323c15448165dc6cc.exe	powershell.exe
PID 704 wrote to memory of 1624	704	00009e23a8bcbb7323c15448165dc6cc.exe	powershell.exe
PID 704 wrote to memory of 1624	704	00009e23a8bcbb7323c15448165dc6cc.exe	powershell.exe
PID 704 wrote to memory of 1624	704	00009e23a8bcbb7323c15448165dc6cc.exe	powershell.exe
PID 704 wrote to memory of 1480	704	00009e23a8bcbb7323c15448165dc6cc.exe	cmd.exe
PID 704 wrote to memory of 1480	704	00009e23a8bcbb7323c15448165dc6cc.exe	cmd.exe
PID 704 wrote to memory of 1480	704	00009e23a8bcbb7323c15448165dc6cc.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\00009e23a8bcbb7323c15448165dc6cc.exe
"C:\Users\Admin\AppData\Local\Temp\00009e23a8bcbb7323c15448165dc6cc.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\00009e23a8bcbb7323c15448165dc6cc.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\services.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\fonts\Idle.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\en-US\lsass.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j2LbMAw3De.bat"
2⤵
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\fonts\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\fonts\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
aadbcd4682e4e568a2b891e5a9d57808

SHA1
432ce9a93dc149f1e4b67df2e6af06aa0646f038

SHA256
846be7b95d4dbfd0292ea3e0116356638d3279f54fc6914a12ef39a256025ea2

SHA512
e4abfc07934db9a0e4453fbc471790ebe84777aee33a210c1297f4c8f69ef3a3bba141e30dcfce98a0259c5fc366b085f0fcb0936273002910b3776b545aae80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
aadbcd4682e4e568a2b891e5a9d57808

SHA1
432ce9a93dc149f1e4b67df2e6af06aa0646f038

SHA256
846be7b95d4dbfd0292ea3e0116356638d3279f54fc6914a12ef39a256025ea2

SHA512
e4abfc07934db9a0e4453fbc471790ebe84777aee33a210c1297f4c8f69ef3a3bba141e30dcfce98a0259c5fc366b085f0fcb0936273002910b3776b545aae80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
aadbcd4682e4e568a2b891e5a9d57808

SHA1
432ce9a93dc149f1e4b67df2e6af06aa0646f038

SHA256
846be7b95d4dbfd0292ea3e0116356638d3279f54fc6914a12ef39a256025ea2

SHA512
e4abfc07934db9a0e4453fbc471790ebe84777aee33a210c1297f4c8f69ef3a3bba141e30dcfce98a0259c5fc366b085f0fcb0936273002910b3776b545aae80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
aadbcd4682e4e568a2b891e5a9d57808

SHA1
432ce9a93dc149f1e4b67df2e6af06aa0646f038

SHA256
846be7b95d4dbfd0292ea3e0116356638d3279f54fc6914a12ef39a256025ea2

SHA512
e4abfc07934db9a0e4453fbc471790ebe84777aee33a210c1297f4c8f69ef3a3bba141e30dcfce98a0259c5fc366b085f0fcb0936273002910b3776b545aae80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
aadbcd4682e4e568a2b891e5a9d57808

SHA1
432ce9a93dc149f1e4b67df2e6af06aa0646f038

SHA256
846be7b95d4dbfd0292ea3e0116356638d3279f54fc6914a12ef39a256025ea2

SHA512
e4abfc07934db9a0e4453fbc471790ebe84777aee33a210c1297f4c8f69ef3a3bba141e30dcfce98a0259c5fc366b085f0fcb0936273002910b3776b545aae80

Download Submit
memory/704-54-0x0000000000FC0000-0x0000000001214000-memory.dmp

Filesize
2.3MB

Download
memory/704-59-0x00000000008D0000-0x00000000008D8000-memory.dmp

Filesize
32KB

Download
memory/704-61-0x00000000009C0000-0x00000000009C8000-memory.dmp

Filesize
32KB

Download
memory/704-62-0x0000000000B60000-0x0000000000B6C000-memory.dmp

Filesize
48KB

Download
memory/704-55-0x0000000000890000-0x00000000008AC000-memory.dmp

Filesize
112KB

Download
memory/704-60-0x00000000008E0000-0x00000000008EA000-memory.dmp

Filesize
40KB

Download
memory/704-56-0x00000000004E0000-0x00000000004F0000-memory.dmp

Filesize
64KB

Download
memory/704-57-0x00000000008B0000-0x00000000008C6000-memory.dmp

Filesize
88KB

Download
memory/704-58-0x0000000000970000-0x00000000009C6000-memory.dmp

Filesize
344KB

Download
memory/896-115-0x00000000024DB000-0x00000000024FA000-memory.dmp

Filesize
124KB

Download
memory/896-81-0x000007FEEB710000-0x000007FEEC133000-memory.dmp

Filesize
10.1MB

Download
memory/896-120-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download
memory/896-97-0x000007FEEABB0000-0x000007FEEB70D000-memory.dmp

Filesize
11.4MB

Download
memory/896-107-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download
memory/896-91-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download
memory/896-65-0x0000000000000000-mapping.dmp

Download
memory/896-99-0x000000001B760000-0x000000001BA5F000-memory.dmp

Filesize
3.0MB

Download
memory/896-121-0x00000000024DB000-0x00000000024FA000-memory.dmp

Filesize
124KB

Download
memory/1132-73-0x000007FEEB710000-0x000007FEEC133000-memory.dmp

Filesize
10.1MB

Download
memory/1132-93-0x0000000002424000-0x0000000002427000-memory.dmp

Filesize
12KB

Download
memory/1132-63-0x0000000000000000-mapping.dmp

Download
memory/1132-100-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/1132-110-0x0000000002424000-0x0000000002427000-memory.dmp

Filesize
12KB

Download
memory/1132-125-0x000000000242B000-0x000000000244A000-memory.dmp

Filesize
124KB

Download
memory/1132-95-0x000007FEEABB0000-0x000007FEEB70D000-memory.dmp

Filesize
11.4MB

Download
memory/1132-116-0x000000000242B000-0x000000000244A000-memory.dmp

Filesize
124KB

Download
memory/1132-124-0x0000000002424000-0x0000000002427000-memory.dmp

Filesize
12KB

Download
memory/1152-104-0x0000000002814000-0x0000000002817000-memory.dmp

Filesize
12KB

Download
memory/1152-64-0x0000000000000000-mapping.dmp

Download
memory/1152-69-0x000007FEFB591000-0x000007FEFB593000-memory.dmp

Filesize
8KB

Download
memory/1152-86-0x000007FEEB710000-0x000007FEEC133000-memory.dmp

Filesize
10.1MB

Download
memory/1152-105-0x000000000281B000-0x000000000283A000-memory.dmp

Filesize
124KB

Download
memory/1152-87-0x000007FEEABB0000-0x000007FEEB70D000-memory.dmp

Filesize
11.4MB

Download
memory/1152-89-0x0000000002814000-0x0000000002817000-memory.dmp

Filesize
12KB

Download
memory/1152-102-0x0000000002814000-0x0000000002817000-memory.dmp

Filesize
12KB

Download
memory/1480-84-0x0000000000000000-mapping.dmp

Download
memory/1624-103-0x0000000002384000-0x0000000002387000-memory.dmp

Filesize
12KB

Download
memory/1624-85-0x000007FEEB710000-0x000007FEEC133000-memory.dmp

Filesize
10.1MB

Download
memory/1624-88-0x000007FEEABB0000-0x000007FEEB70D000-memory.dmp

Filesize
11.4MB

Download
memory/1624-122-0x000000000238B000-0x00000000023AA000-memory.dmp

Filesize
124KB

Download
memory/1624-68-0x0000000000000000-mapping.dmp

Download
memory/1624-90-0x0000000002384000-0x0000000002387000-memory.dmp

Filesize
12KB

Download
memory/1624-114-0x000000000238B000-0x00000000023AA000-memory.dmp

Filesize
124KB

Download
memory/1624-123-0x0000000002384000-0x0000000002387000-memory.dmp

Filesize
12KB

Download
memory/1624-108-0x000000001B840000-0x000000001BB3F000-memory.dmp

Filesize
3.0MB

Download
memory/1788-94-0x0000000002434000-0x0000000002437000-memory.dmp

Filesize
12KB

Download
memory/1788-79-0x000007FEEB710000-0x000007FEEC133000-memory.dmp

Filesize
10.1MB

Download
memory/1788-106-0x000000001BA20000-0x000000001BD1F000-memory.dmp

Filesize
3.0MB

Download
memory/1788-67-0x0000000000000000-mapping.dmp

Download
memory/1788-111-0x0000000002434000-0x0000000002437000-memory.dmp

Filesize
12KB

Download
memory/1788-119-0x000000000243B000-0x000000000245A000-memory.dmp

Filesize
124KB

Download
memory/1788-98-0x000007FEEABB0000-0x000007FEEB70D000-memory.dmp

Filesize
11.4MB

Download
memory/1788-118-0x0000000002434000-0x0000000002437000-memory.dmp

Filesize
12KB

Download
memory/1788-117-0x000000000243B000-0x000000000245A000-memory.dmp

Filesize
124KB

Download
memory/1876-112-0x000000000272B000-0x000000000274A000-memory.dmp

Filesize
124KB

Download
memory/1876-109-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/1876-96-0x000007FEEABB0000-0x000007FEEB70D000-memory.dmp

Filesize
11.4MB

Download
memory/1876-92-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/1876-101-0x000000001B800000-0x000000001BAFF000-memory.dmp

Filesize
3.0MB

Download
memory/1876-80-0x000007FEEB710000-0x000007FEEC133000-memory.dmp

Filesize
10.1MB

Download
memory/1876-113-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/1876-66-0x0000000000000000-mapping.dmp

Download
memory/1876-126-0x000000000272B000-0x000000000274A000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads