dcrat | 195b2055f09486e3708bc421dc84316e8bfc1f1c85e223a04f1fe046e15ba197

General

Target

IY8XD9Em5aR57Lxnxdzxehs8.exe
Size

1.2MB
MD5

32c8eec5e81fede3724b82fd282f1cff
SHA1

539dbe8acf63ceb62b5af8b567f4eb7c70beec1d
SHA256

195b2055f09486e3708bc421dc84316e8bfc1f1c85e223a04f1fe046e15ba197
SHA512

6eb87b91990f7a3e7e4bdd6883f98ee1ebc25509dae84c358fb72a5420bdc0dff1343192e07617981b823517dd79b41abde3a9a3c5e7a8a1bcaf1630651e4718
SSDEEP

12288:RpxNE5GIgNQAnBHRLyd51fRpOfpUi1i/jIEtk7VqMIE4/A7CrVuqTMMP1QYyXR3a:RpxNJFpHR+7OCGdpaEeueCYSnnty

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	780	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	780	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	780	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	780	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	780	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	780	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	780	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	780	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	780	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	780	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	780	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	780	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	780	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	780	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	780	schtasks.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/840-54-0x0000000001150000-0x000000000127E000-memory.dmp	dcrat
C:\Windows\Branding\Basebrd\en-US\sppsvc.exe	dcrat
behavioral1/memory/1972-88-0x00000000012C0000-0x00000000013EE000-memory.dmp	dcrat
C:\Windows\Branding\Basebrd\en-US\sppsvc.exe	dcrat
behavioral1/memory/1644-107-0x0000000002280000-0x0000000002300000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

sppsvc.exe

pid process

1972 sppsvc.exe

pid	process
1972	sppsvc.exe

Drops file in Program Files directory 5 IoCs

Processes:

IY8XD9Em5aR57Lxnxdzxehs8.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Windows Media Player\csrss.exe	IY8XD9Em5aR57Lxnxdzxehs8.exe
File created	C:\Program Files (x86)\Windows Media Player\csrss.exe	IY8XD9Em5aR57Lxnxdzxehs8.exe
File created	C:\Program Files (x86)\Windows Media Player\886983d96e3d3e	IY8XD9Em5aR57Lxnxdzxehs8.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCX213C.tmp	IY8XD9Em5aR57Lxnxdzxehs8.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCX23EB.tmp	IY8XD9Em5aR57Lxnxdzxehs8.exe

Drops file in Windows directory 5 IoCs

Processes:

IY8XD9Em5aR57Lxnxdzxehs8.exe

description	ioc	process
File opened for modification	C:\Windows\Branding\Basebrd\en-US\sppsvc.exe	IY8XD9Em5aR57Lxnxdzxehs8.exe
File created	C:\Windows\Branding\Basebrd\en-US\sppsvc.exe	IY8XD9Em5aR57Lxnxdzxehs8.exe
File created	C:\Windows\Branding\Basebrd\en-US\0a1fd5f707cd16	IY8XD9Em5aR57Lxnxdzxehs8.exe
File opened for modification	C:\Windows\Branding\Basebrd\en-US\RCX3E24.tmp	IY8XD9Em5aR57Lxnxdzxehs8.exe
File opened for modification	C:\Windows\Branding\Basebrd\en-US\RCX40D4.tmp	IY8XD9Em5aR57Lxnxdzxehs8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1748	schtasks.exe
1516	schtasks.exe
1092	schtasks.exe
1888	schtasks.exe
1992	schtasks.exe
668	schtasks.exe
1156	schtasks.exe
1988	schtasks.exe
1972	schtasks.exe
1664	schtasks.exe
1108	schtasks.exe
1952	schtasks.exe
876	schtasks.exe
768	schtasks.exe
1176	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

IY8XD9Em5aR57Lxnxdzxehs8.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

840 IY8XD9Em5aR57Lxnxdzxehs8.exe
872 powershell.exe
272 powershell.exe
1764 powershell.exe
908 powershell.exe
1644 powershell.exe
1132 powershell.exe

pid	process
840	IY8XD9Em5aR57Lxnxdzxehs8.exe
872	powershell.exe
272	powershell.exe
1764	powershell.exe
908	powershell.exe
1644	powershell.exe
1132	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

IY8XD9Em5aR57Lxnxdzxehs8.exesppsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	840	IY8XD9Em5aR57Lxnxdzxehs8.exe
Token: SeDebugPrivilege	1972	sppsvc.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	272	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	1132	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

IY8XD9Em5aR57Lxnxdzxehs8.exe

description	pid	process	target process
PID 840 wrote to memory of 908	840	IY8XD9Em5aR57Lxnxdzxehs8.exe	powershell.exe
PID 840 wrote to memory of 908	840	IY8XD9Em5aR57Lxnxdzxehs8.exe	powershell.exe
PID 840 wrote to memory of 908	840	IY8XD9Em5aR57Lxnxdzxehs8.exe	powershell.exe
PID 840 wrote to memory of 272	840	IY8XD9Em5aR57Lxnxdzxehs8.exe	powershell.exe
PID 840 wrote to memory of 272	840	IY8XD9Em5aR57Lxnxdzxehs8.exe	powershell.exe
PID 840 wrote to memory of 272	840	IY8XD9Em5aR57Lxnxdzxehs8.exe	powershell.exe
PID 840 wrote to memory of 1764	840	IY8XD9Em5aR57Lxnxdzxehs8.exe	powershell.exe
PID 840 wrote to memory of 1764	840	IY8XD9Em5aR57Lxnxdzxehs8.exe	powershell.exe
PID 840 wrote to memory of 1764	840	IY8XD9Em5aR57Lxnxdzxehs8.exe	powershell.exe
PID 840 wrote to memory of 1644	840	IY8XD9Em5aR57Lxnxdzxehs8.exe	powershell.exe
PID 840 wrote to memory of 1644	840	IY8XD9Em5aR57Lxnxdzxehs8.exe	powershell.exe
PID 840 wrote to memory of 1644	840	IY8XD9Em5aR57Lxnxdzxehs8.exe	powershell.exe
PID 840 wrote to memory of 1132	840	IY8XD9Em5aR57Lxnxdzxehs8.exe	powershell.exe
PID 840 wrote to memory of 1132	840	IY8XD9Em5aR57Lxnxdzxehs8.exe	powershell.exe
PID 840 wrote to memory of 1132	840	IY8XD9Em5aR57Lxnxdzxehs8.exe	powershell.exe
PID 840 wrote to memory of 872	840	IY8XD9Em5aR57Lxnxdzxehs8.exe	powershell.exe
PID 840 wrote to memory of 872	840	IY8XD9Em5aR57Lxnxdzxehs8.exe	powershell.exe
PID 840 wrote to memory of 872	840	IY8XD9Em5aR57Lxnxdzxehs8.exe	powershell.exe
PID 840 wrote to memory of 1972	840	IY8XD9Em5aR57Lxnxdzxehs8.exe	sppsvc.exe
PID 840 wrote to memory of 1972	840	IY8XD9Em5aR57Lxnxdzxehs8.exe	sppsvc.exe
PID 840 wrote to memory of 1972	840	IY8XD9Em5aR57Lxnxdzxehs8.exe	sppsvc.exe
PID 840 wrote to memory of 1972	840	IY8XD9Em5aR57Lxnxdzxehs8.exe	sppsvc.exe
PID 840 wrote to memory of 1972	840	IY8XD9Em5aR57Lxnxdzxehs8.exe	sppsvc.exe

C:\Users\Admin\AppData\Local\Temp\IY8XD9Em5aR57Lxnxdzxehs8.exe
"C:\Users\Admin\AppData\Local\Temp\IY8XD9Em5aR57Lxnxdzxehs8.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\IY8XD9Em5aR57Lxnxdzxehs8.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\System.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\csrss.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\dwm.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\Basebrd\en-US\sppsvc.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\Branding\Basebrd\en-US\sppsvc.exe
"C:\Windows\Branding\Basebrd\en-US\sppsvc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\Branding\Basebrd\en-US\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\Branding\Basebrd\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1176

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
7312e46f724bde30d93070c00e55ac98

SHA1
fea858484d955404c455db5611e1a7fdfbeddee5

SHA256
3cae1c51a7df62a8e0fa8cd3557d74c13a7e599a217b5892b45a6f061f967467

SHA512
56df86dfa166dba3f1560d1567aa35538d090678acd1e71ab5008701a5c46bab35a03b99ab050b2952210aa241b38d62095b7e0771accef55c58be35be965d50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
7312e46f724bde30d93070c00e55ac98

SHA1
fea858484d955404c455db5611e1a7fdfbeddee5

SHA256
3cae1c51a7df62a8e0fa8cd3557d74c13a7e599a217b5892b45a6f061f967467

SHA512
56df86dfa166dba3f1560d1567aa35538d090678acd1e71ab5008701a5c46bab35a03b99ab050b2952210aa241b38d62095b7e0771accef55c58be35be965d50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
7312e46f724bde30d93070c00e55ac98

SHA1
fea858484d955404c455db5611e1a7fdfbeddee5

SHA256
3cae1c51a7df62a8e0fa8cd3557d74c13a7e599a217b5892b45a6f061f967467

SHA512
56df86dfa166dba3f1560d1567aa35538d090678acd1e71ab5008701a5c46bab35a03b99ab050b2952210aa241b38d62095b7e0771accef55c58be35be965d50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
7312e46f724bde30d93070c00e55ac98

SHA1
fea858484d955404c455db5611e1a7fdfbeddee5

SHA256
3cae1c51a7df62a8e0fa8cd3557d74c13a7e599a217b5892b45a6f061f967467

SHA512
56df86dfa166dba3f1560d1567aa35538d090678acd1e71ab5008701a5c46bab35a03b99ab050b2952210aa241b38d62095b7e0771accef55c58be35be965d50

Download Submit
C:\Windows\Branding\Basebrd\en-US\sppsvc.exe
Filesize
1.2MB

MD5
9396a88b392b307fe08e2b863bee691f

SHA1
46bf2c744b81346f61339ad0d466536fb9d65ee7

SHA256
93394b92599be3ce1ad177bfe037b3e1a225decc4debfa6912c945a7aef8ab3b

SHA512
388f31b3a198be7e5fdd70bcefec8626c303650752e9cccd3ca71be3fc73869c5e64b8562907cac869032e92ada17124f7caf7313f4ccf1e9009010554a1b8eb

Download Submit
C:\Windows\Branding\Basebrd\en-US\sppsvc.exe
Filesize
1.2MB

MD5
9396a88b392b307fe08e2b863bee691f

SHA1
46bf2c744b81346f61339ad0d466536fb9d65ee7

SHA256
93394b92599be3ce1ad177bfe037b3e1a225decc4debfa6912c945a7aef8ab3b

SHA512
388f31b3a198be7e5fdd70bcefec8626c303650752e9cccd3ca71be3fc73869c5e64b8562907cac869032e92ada17124f7caf7313f4ccf1e9009010554a1b8eb

Download Submit
memory/272-79-0x000007FEEB6E0000-0x000007FEEC103000-memory.dmp

Filesize
10.1MB

Download
memory/272-121-0x00000000027D4000-0x00000000027D7000-memory.dmp

Filesize
12KB

Download
memory/272-96-0x00000000027D4000-0x00000000027D7000-memory.dmp

Filesize
12KB

Download
memory/272-106-0x000000001B8B0000-0x000000001BBAF000-memory.dmp

Filesize
3.0MB

Download
memory/272-110-0x00000000027D4000-0x00000000027D7000-memory.dmp

Filesize
12KB

Download
memory/272-72-0x000007FEFC4B1000-0x000007FEFC4B3000-memory.dmp

Filesize
8KB

Download
memory/272-103-0x000007FEEDE00000-0x000007FEEE95D000-memory.dmp

Filesize
11.4MB

Download
memory/272-67-0x0000000000000000-mapping.dmp

Download
memory/272-124-0x00000000027DB000-0x00000000027FA000-memory.dmp

Filesize
124KB

Download
memory/840-58-0x0000000000160000-0x0000000000170000-memory.dmp

Filesize
64KB

Download
memory/840-56-0x0000000000140000-0x0000000000150000-memory.dmp

Filesize
64KB

Download
memory/840-62-0x00000000009A0000-0x00000000009AE000-memory.dmp

Filesize
56KB

Download
memory/840-65-0x00000000009D0000-0x00000000009DC000-memory.dmp

Filesize
48KB

Download
memory/840-60-0x00000000005C0000-0x00000000005CC000-memory.dmp

Filesize
48KB

Download
memory/840-59-0x0000000000530000-0x0000000000542000-memory.dmp

Filesize
72KB

Download
memory/840-63-0x00000000009B0000-0x00000000009BC000-memory.dmp

Filesize
48KB

Download
memory/840-57-0x0000000000510000-0x0000000000526000-memory.dmp

Filesize
88KB

Download
memory/840-64-0x00000000009C0000-0x00000000009CA000-memory.dmp

Filesize
40KB

Download
memory/840-61-0x0000000000990000-0x000000000099A000-memory.dmp

Filesize
40KB

Download
memory/840-54-0x0000000001150000-0x000000000127E000-memory.dmp

Filesize
1.2MB

Download
memory/840-55-0x0000000000370000-0x000000000038C000-memory.dmp

Filesize
112KB

Download
memory/872-90-0x000007FEEB6E0000-0x000007FEEC103000-memory.dmp

Filesize
10.1MB

Download
memory/872-116-0x00000000027F4000-0x00000000027F7000-memory.dmp

Filesize
12KB

Download
memory/872-117-0x00000000027FB000-0x000000000281A000-memory.dmp

Filesize
124KB

Download
memory/872-99-0x000007FEEDE00000-0x000007FEEE95D000-memory.dmp

Filesize
11.4MB

Download
memory/872-105-0x000000001B760000-0x000000001BA5F000-memory.dmp

Filesize
3.0MB

Download
memory/872-108-0x00000000027F4000-0x00000000027F7000-memory.dmp

Filesize
12KB

Download
memory/872-94-0x00000000027F4000-0x00000000027F7000-memory.dmp

Filesize
12KB

Download
memory/872-71-0x0000000000000000-mapping.dmp

Download
memory/908-119-0x000000000279B000-0x00000000027BA000-memory.dmp

Filesize
124KB

Download
memory/908-112-0x0000000002794000-0x0000000002797000-memory.dmp

Filesize
12KB

Download
memory/908-82-0x000007FEEB6E0000-0x000007FEEC103000-memory.dmp

Filesize
10.1MB

Download
memory/908-98-0x0000000002794000-0x0000000002797000-memory.dmp

Filesize
12KB

Download
memory/908-101-0x000007FEEDE00000-0x000007FEEE95D000-memory.dmp

Filesize
11.4MB

Download
memory/908-104-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/908-118-0x0000000002794000-0x0000000002797000-memory.dmp

Filesize
12KB

Download
memory/908-66-0x0000000000000000-mapping.dmp

Download
memory/1132-109-0x0000000002374000-0x0000000002377000-memory.dmp

Filesize
12KB

Download
memory/1132-95-0x0000000002374000-0x0000000002377000-memory.dmp

Filesize
12KB

Download
memory/1132-114-0x000000001B710000-0x000000001BA0F000-memory.dmp

Filesize
3.0MB

Download
memory/1132-102-0x000007FEEDE00000-0x000007FEEE95D000-memory.dmp

Filesize
11.4MB

Download
memory/1132-125-0x000000000237B000-0x000000000239A000-memory.dmp

Filesize
124KB

Download
memory/1132-123-0x0000000002374000-0x0000000002377000-memory.dmp

Filesize
12KB

Download
memory/1132-70-0x0000000000000000-mapping.dmp

Download
memory/1132-89-0x000007FEEB6E0000-0x000007FEEC103000-memory.dmp

Filesize
10.1MB

Download
memory/1644-93-0x0000000002280000-0x0000000002300000-memory.dmp

Filesize
512KB

Download
memory/1644-92-0x000007FEEDE00000-0x000007FEEE95D000-memory.dmp

Filesize
11.4MB

Download
memory/1644-69-0x0000000000000000-mapping.dmp

Download
memory/1644-91-0x000007FEEB6E0000-0x000007FEEC103000-memory.dmp

Filesize
10.1MB

Download
memory/1644-107-0x0000000002280000-0x0000000002300000-memory.dmp

Filesize
512KB

Download
memory/1644-115-0x000000001B820000-0x000000001BB1F000-memory.dmp

Filesize
3.0MB

Download
memory/1764-111-0x0000000001F84000-0x0000000001F87000-memory.dmp

Filesize
12KB

Download
memory/1764-81-0x000007FEEB6E0000-0x000007FEEC103000-memory.dmp

Filesize
10.1MB

Download
memory/1764-113-0x000000001B770000-0x000000001BA6F000-memory.dmp

Filesize
3.0MB

Download
memory/1764-120-0x0000000001F84000-0x0000000001F87000-memory.dmp

Filesize
12KB

Download
memory/1764-97-0x0000000001F84000-0x0000000001F87000-memory.dmp

Filesize
12KB

Download
memory/1764-122-0x0000000001F8B000-0x0000000001FAA000-memory.dmp

Filesize
124KB

Download
memory/1764-100-0x000007FEEDE00000-0x000007FEEE95D000-memory.dmp

Filesize
11.4MB

Download
memory/1764-68-0x0000000000000000-mapping.dmp

Download
memory/1972-88-0x00000000012C0000-0x00000000013EE000-memory.dmp

Filesize
1.2MB

Download
memory/1972-85-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads