dcrat | 1624432ef21c3f80e457d520420c001b415eb8fecff45bbd7cb8960bd6b995c9

General

Target

7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
Size

598KB
MD5

7533ed2a304c4822335ace29d3fbfd08
SHA1

870ad473904ed8466d2d53642ed42f8bad1afc76
SHA256

1624432ef21c3f80e457d520420c001b415eb8fecff45bbd7cb8960bd6b995c9
SHA512

6172d9811c054d881134911bb46d1c3c8d5b736b2a52d963c328806f65ea67bd449b3618ea6bda41e91dcb3d9de7f7946ac58756066351fb60b0f0c2570e139f
SSDEEP

12288:HP+l1iJUOtVAzoHnNIHMiViofc5lWRxDkpa1KeJa+7H1QnfO9W:voiaAKkKHMiV45lWfkpar1

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 8 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3668	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	1556	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3420	1556	schtasks.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4928-6-0x0000000000400000-0x00000000004FA000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

sysmon.exesysmon.exe

pid process

1652 sysmon.exe
892 sysmon.exe

pid	process
1652	sysmon.exe
892	sysmon.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\""	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\sysmon.exe\""	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\System32\\cdp\\backgroundTaskHost.exe\""	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule\\OfficeClickToRun.exe\""	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\DictationManager\\RuntimeBroker.exe\""	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\pcl\\RuntimeBroker.exe\""	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\wevtutil\\dwm.exe\""	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe

Drops file in System32 directory 10 IoCs

Processes:

7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\cdp\backgroundTaskHost.exe	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DictationManager\RuntimeBroker.exe	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DictationManager\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\pcl\RuntimeBroker.exe	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\cdp\eddb19405b7ce1152b3e19997f2b467f0b72b3d3	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cdp\eddb19405b7ce1152b3e19997f2b467f0b72b3d3	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\pcl\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wevtutil\dwm.exe	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wevtutil\6cb0b6c459d5d3455a3da700e713f2e2529862ff	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\cdp\backgroundTaskHost.exe	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exesysmon.exe

description	pid	process	target process
PID 3576 set thread context of 4928	3576	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
PID 1652 set thread context of 892	1652	sysmon.exe	sysmon.exe

Drops file in Program Files directory 5 IoCs

Processes:

7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\Windows Security\BrowserCore\en-US\sysmon.exe	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\sysmon.exe	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\121e5b5079f7c0e46d90f99b3864022518bbbda9	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule\OfficeClickToRun.exe	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule\e6c9b481da804f07baff8eff543b0a1441069b5d	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3012 3576 WerFault.exe 7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
3736 1652 WerFault.exe sysmon.exe

pid	pid_target	process	target process
3012	3576	WerFault.exe	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
3736	1652	WerFault.exe	sysmon.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

sysmon.exesysmon.exe7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3420 schtasks.exe
2868 schtasks.exe
4652 schtasks.exe
3032 schtasks.exe
3668 schtasks.exe
1312 schtasks.exe
4432 schtasks.exe
2032 schtasks.exe

pid	process
3420	schtasks.exe
2868	schtasks.exe
4652	schtasks.exe
3032	schtasks.exe
3668	schtasks.exe
1312	schtasks.exe
4432	schtasks.exe
2032	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exesysmon.exe

pid	process
4928	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
4928	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
4928	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
4928	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
4928	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
892	sysmon.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exesysmon.exesysmon.exe

description	pid	process
Token: SeDebugPrivilege	3576	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
Token: SeDebugPrivilege	4928	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
Token: SeDebugPrivilege	1652	sysmon.exe
Token: SeDebugPrivilege	892	sysmon.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exesysmon.exe

description	pid	process	target process
PID 3576 wrote to memory of 4928	3576	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
PID 3576 wrote to memory of 4928	3576	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
PID 3576 wrote to memory of 4928	3576	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
PID 3576 wrote to memory of 4928	3576	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
PID 3576 wrote to memory of 4928	3576	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
PID 3576 wrote to memory of 4928	3576	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
PID 3576 wrote to memory of 4928	3576	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
PID 3576 wrote to memory of 4928	3576	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
PID 3576 wrote to memory of 4928	3576	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
PID 4928 wrote to memory of 1652	4928	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe	sysmon.exe
PID 4928 wrote to memory of 1652	4928	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe	sysmon.exe
PID 4928 wrote to memory of 1652	4928	7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe	sysmon.exe
PID 1652 wrote to memory of 892	1652	sysmon.exe	sysmon.exe
PID 1652 wrote to memory of 892	1652	sysmon.exe	sysmon.exe
PID 1652 wrote to memory of 892	1652	sysmon.exe	sysmon.exe
PID 1652 wrote to memory of 892	1652	sysmon.exe	sysmon.exe
PID 1652 wrote to memory of 892	1652	sysmon.exe	sysmon.exe
PID 1652 wrote to memory of 892	1652	sysmon.exe	sysmon.exe
PID 1652 wrote to memory of 892	1652	sysmon.exe	sysmon.exe
PID 1652 wrote to memory of 892	1652	sysmon.exe	sysmon.exe
PID 1652 wrote to memory of 892	1652	sysmon.exe	sysmon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3576

C:\Users\Admin\AppData\Local\Temp\7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7533ed2a304c4822335ace29d3fbfd08_JaffaCakes118.exe"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4928

C:\Program Files\Windows Security\BrowserCore\en-US\sysmon.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\sysmon.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652

C:\Program Files\Windows Security\BrowserCore\en-US\sysmon.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\sysmon.exe"
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 916
4⤵
- Program crash
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 916
2⤵
- Program crash
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3576 -ip 3576
1⤵
PID:3484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\System32\cdp\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\DictationManager\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\pcl\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\wevtutil\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\System32\cdp\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1652 -ip 1652
1⤵
PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\pcl\RuntimeBroker.exe

Filesize
598KB

MD5
7533ed2a304c4822335ace29d3fbfd08

SHA1
870ad473904ed8466d2d53642ed42f8bad1afc76

SHA256
1624432ef21c3f80e457d520420c001b415eb8fecff45bbd7cb8960bd6b995c9

SHA512
6172d9811c054d881134911bb46d1c3c8d5b736b2a52d963c328806f65ea67bd449b3618ea6bda41e91dcb3d9de7f7946ac58756066351fb60b0f0c2570e139f

Download Submit
memory/892-46-0x0000000005890000-0x0000000005922000-memory.dmp

Filesize
584KB

Download
memory/892-45-0x0000000005410000-0x000000000541C000-memory.dmp

Filesize
48KB

Download
memory/892-44-0x00000000053C0000-0x00000000053C8000-memory.dmp

Filesize
32KB

Download
memory/3576-5-0x0000000074F00000-0x00000000756B0000-memory.dmp

Filesize
7.7MB

Download
memory/3576-4-0x0000000005F10000-0x00000000064B4000-memory.dmp

Filesize
5.6MB

Download
memory/3576-7-0x00000000016B0000-0x00000000016B8000-memory.dmp

Filesize
32KB

Download
memory/3576-11-0x0000000074F00000-0x00000000756B0000-memory.dmp

Filesize
7.7MB

Download
memory/3576-0-0x0000000074F0E000-0x0000000074F0F000-memory.dmp

Filesize
4KB

Download
memory/3576-3-0x00000000057C0000-0x000000000585C000-memory.dmp

Filesize
624KB

Download
memory/3576-2-0x0000000005620000-0x00000000056B2000-memory.dmp

Filesize
584KB

Download
memory/3576-1-0x0000000000BF0000-0x0000000000C8A000-memory.dmp

Filesize
616KB

Download
memory/4928-6-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/4928-9-0x0000000074F00000-0x00000000756B0000-memory.dmp

Filesize
7.7MB

Download
memory/4928-10-0x0000000074F00000-0x00000000756B0000-memory.dmp

Filesize
7.7MB

Download
memory/4928-14-0x0000000005A60000-0x0000000005AC6000-memory.dmp

Filesize
408KB

Download
memory/4928-40-0x0000000074F00000-0x00000000756B0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads