dcrat | 6c209d47e8f22b36b7da51d0c78315673eb3f3b7da11321f399547dc44e561e0

Analysis

max time kernel
14s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-11-2024 23:40

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

6c209d47e8f22b36b7da51d0c78315673eb3f3b7da11321f399547dc44e561e0.exe
Size

2.7MB
MD5

f601b78e8cbc6c6d9e9809ffecf0f4e7
SHA1

e172fc87fe7fb7545f359b4a952e7aa73c057b7b
SHA256

6c209d47e8f22b36b7da51d0c78315673eb3f3b7da11321f399547dc44e561e0
SHA512

93dcfec4f3c2e6863a3fb4ee72db7ae8e32283be6e5c5c9f9942c44681a4abc8fc2c86e1beae511eb2bfe3d94dca2cc4039ac01a25e9521ff4fbf91434aa5383
SSDEEP

49152:q509dAf7LzZYFibGstHpR6upyGbj+/BpKnvyIxVV/XDoAfmt:q5F7R7GgHpR6lGfCpKaIxVV/r0

Score

10^/10

dcrat discovery infostealer persistence privilege_escalation rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	1872	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	1872	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	1872	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	1872	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	1872	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	1872	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	1872	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	1872	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	1872	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	1872	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	1872	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	1872	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	1872	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	1872	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	1872	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	1872	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	1872	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	1872	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	1872	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	1872	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	1872	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	1872	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	708	1872	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	1872	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	1872	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	1872	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	1872	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	1872	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	1872	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	1872	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	1872	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	1872	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	1872	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	1872	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	1872	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	1872	schtasks.exe	38

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/files/0x001700000001866f-58.dat	dcrat
behavioral1/memory/2652-59-0x0000000000400000-0x00000000004EF000-memory.dmp	dcrat
behavioral1/memory/2684-95-0x0000000000F90000-0x0000000001048000-memory.dmp	dcrat
behavioral1/memory/444-323-0x0000000001370000-0x0000000001428000-memory.dmp	dcrat

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 6 IoCs

Processes:

samp.exe2 - 7z.exesamp.exeBPV54WuDSh.exeRjiQ4ZhmYe.exedllhost.exe

pid	Process
2088	samp.exe
2724	2 - 7z.exe
2652	samp.exe
2644	BPV54WuDSh.exe
2684	RjiQ4ZhmYe.exe
444	dllhost.exe

Loads dropped DLL 20 IoCs

Processes:

6c209d47e8f22b36b7da51d0c78315673eb3f3b7da11321f399547dc44e561e0.exesamp.exe2 - 7z.exesamp.exeWerFault.exe

pid	Process
2416	6c209d47e8f22b36b7da51d0c78315673eb3f3b7da11321f399547dc44e561e0.exe
2416	6c209d47e8f22b36b7da51d0c78315673eb3f3b7da11321f399547dc44e561e0.exe
2088	samp.exe
2416	6c209d47e8f22b36b7da51d0c78315673eb3f3b7da11321f399547dc44e561e0.exe
2088	samp.exe
2088	samp.exe
2724	2 - 7z.exe
2724	2 - 7z.exe
2088	samp.exe
2652	samp.exe
2652	samp.exe
2652	samp.exe
2852	WerFault.exe
2852	WerFault.exe
2652	samp.exe
2652	samp.exe
2852	WerFault.exe
2724	2 - 7z.exe
2724	2 - 7z.exe
2724	2 - 7z.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

Processes:

samp.exe

description	pid	Process	procid_target
PID 2088 set thread context of 2652	2088	samp.exe	34

Drops file in Program Files directory 64 IoCs

Processes:

2 - 7z.exeRjiQ4ZhmYe.exe

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	2 - 7z.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\2 - 7z.exe	RjiQ4ZhmYe.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\1c1e15b250d394	RjiQ4ZhmYe.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	2 - 7z.exe
File created	C:\Program Files (x86)\Google\Temp\886983d96e3d3e	RjiQ4ZhmYe.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	2 - 7z.exe
File created	C:\Program Files\7-Zip\7-zip.dll.tmp	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll.tmp	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2 - 7z.exe
File created	C:\Program Files (x86)\Google\Temp\csrss.exe	RjiQ4ZhmYe.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	2 - 7z.exe
File created	C:\Program Files (x86)\Internet Explorer\ee201eac4591f0	RjiQ4ZhmYe.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	2 - 7z.exe
File created	C:\Program Files (x86)\Internet Explorer\WerFault.exe	RjiQ4ZhmYe.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	2 - 7z.exe
File created	C:\Program Files\7-Zip\7-zip.dll	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	2 - 7z.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	2 - 7z.exe

Drops file in Windows directory 2 IoCs

Processes:

RjiQ4ZhmYe.exe

description	ioc	Process
File created	C:\Windows\Help\Corporate\dllhost.exe	RjiQ4ZhmYe.exe
File created	C:\Windows\Help\Corporate\5940a34987c991	RjiQ4ZhmYe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2852	2088	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

samp.exe2 - 7z.exesamp.exe6c209d47e8f22b36b7da51d0c78315673eb3f3b7da11321f399547dc44e561e0.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	samp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2 - 7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	samp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c209d47e8f22b36b7da51d0c78315673eb3f3b7da11321f399547dc44e561e0.exe

Modifies registry class 20 IoCs

Processes:

2 - 7z.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	2 - 7z.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	2 - 7z.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	2 - 7z.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	2 - 7z.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	2 - 7z.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	2 - 7z.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	2 - 7z.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	2 - 7z.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	2 - 7z.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	2 - 7z.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	2 - 7z.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	2 - 7z.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	2 - 7z.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	2 - 7z.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	2 - 7z.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	2 - 7z.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	2 - 7z.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	2 - 7z.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	2 - 7z.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	2 - 7z.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
1660	schtasks.exe
2060	schtasks.exe
2604	schtasks.exe
1840	schtasks.exe
2844	schtasks.exe
2616	schtasks.exe
2924	schtasks.exe
2400	schtasks.exe
2324	schtasks.exe
2912	schtasks.exe
2740	schtasks.exe
2752	schtasks.exe
3068	schtasks.exe
2452	schtasks.exe
540	schtasks.exe
604	schtasks.exe
708	schtasks.exe
1500	schtasks.exe
2728	schtasks.exe
2812	schtasks.exe
2436	schtasks.exe
2640	schtasks.exe
2828	schtasks.exe
2988	schtasks.exe
1636	schtasks.exe
1524	schtasks.exe
2772	schtasks.exe
1604	schtasks.exe
1688	schtasks.exe
2376	schtasks.exe
2144	schtasks.exe
2908	schtasks.exe
2428	schtasks.exe
1952	schtasks.exe
2512	schtasks.exe
1964	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

RjiQ4ZhmYe.exedllhost.exe

pid	Process
2684	RjiQ4ZhmYe.exe
2684	RjiQ4ZhmYe.exe
2684	RjiQ4ZhmYe.exe
444	dllhost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RjiQ4ZhmYe.exedllhost.exe2 - 7z.exe

description	pid	Process
Token: SeDebugPrivilege	2684	RjiQ4ZhmYe.exe
Token: SeDebugPrivilege	444	dllhost.exe
Token: SeShutdownPrivilege	2724	2 - 7z.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

6c209d47e8f22b36b7da51d0c78315673eb3f3b7da11321f399547dc44e561e0.exesamp.exesamp.exeRjiQ4ZhmYe.exe

description	pid	Process	procid_target
PID 2416 wrote to memory of 2088	2416	6c209d47e8f22b36b7da51d0c78315673eb3f3b7da11321f399547dc44e561e0.exe	31
PID 2416 wrote to memory of 2088	2416	6c209d47e8f22b36b7da51d0c78315673eb3f3b7da11321f399547dc44e561e0.exe	31
PID 2416 wrote to memory of 2088	2416	6c209d47e8f22b36b7da51d0c78315673eb3f3b7da11321f399547dc44e561e0.exe	31
PID 2416 wrote to memory of 2088	2416	6c209d47e8f22b36b7da51d0c78315673eb3f3b7da11321f399547dc44e561e0.exe	31
PID 2416 wrote to memory of 2088	2416	6c209d47e8f22b36b7da51d0c78315673eb3f3b7da11321f399547dc44e561e0.exe	31
PID 2416 wrote to memory of 2088	2416	6c209d47e8f22b36b7da51d0c78315673eb3f3b7da11321f399547dc44e561e0.exe	31
PID 2416 wrote to memory of 2088	2416	6c209d47e8f22b36b7da51d0c78315673eb3f3b7da11321f399547dc44e561e0.exe	31
PID 2416 wrote to memory of 2724	2416	6c209d47e8f22b36b7da51d0c78315673eb3f3b7da11321f399547dc44e561e0.exe	33
PID 2416 wrote to memory of 2724	2416	6c209d47e8f22b36b7da51d0c78315673eb3f3b7da11321f399547dc44e561e0.exe	33
PID 2416 wrote to memory of 2724	2416	6c209d47e8f22b36b7da51d0c78315673eb3f3b7da11321f399547dc44e561e0.exe	33
PID 2416 wrote to memory of 2724	2416	6c209d47e8f22b36b7da51d0c78315673eb3f3b7da11321f399547dc44e561e0.exe	33
PID 2416 wrote to memory of 2724	2416	6c209d47e8f22b36b7da51d0c78315673eb3f3b7da11321f399547dc44e561e0.exe	33
PID 2416 wrote to memory of 2724	2416	6c209d47e8f22b36b7da51d0c78315673eb3f3b7da11321f399547dc44e561e0.exe	33
PID 2416 wrote to memory of 2724	2416	6c209d47e8f22b36b7da51d0c78315673eb3f3b7da11321f399547dc44e561e0.exe	33
PID 2088 wrote to memory of 2652	2088	samp.exe	34
PID 2088 wrote to memory of 2652	2088	samp.exe	34
PID 2088 wrote to memory of 2652	2088	samp.exe	34
PID 2088 wrote to memory of 2652	2088	samp.exe	34
PID 2088 wrote to memory of 2652	2088	samp.exe	34
PID 2088 wrote to memory of 2652	2088	samp.exe	34
PID 2088 wrote to memory of 2652	2088	samp.exe	34
PID 2088 wrote to memory of 2652	2088	samp.exe	34
PID 2088 wrote to memory of 2652	2088	samp.exe	34
PID 2088 wrote to memory of 2652	2088	samp.exe	34
PID 2088 wrote to memory of 2652	2088	samp.exe	34
PID 2088 wrote to memory of 2652	2088	samp.exe	34
PID 2088 wrote to memory of 2652	2088	samp.exe	34
PID 2088 wrote to memory of 2652	2088	samp.exe	34
PID 2088 wrote to memory of 2852	2088	samp.exe	35
PID 2088 wrote to memory of 2852	2088	samp.exe	35
PID 2088 wrote to memory of 2852	2088	samp.exe	35
PID 2088 wrote to memory of 2852	2088	samp.exe	35
PID 2088 wrote to memory of 2852	2088	samp.exe	35
PID 2088 wrote to memory of 2852	2088	samp.exe	35
PID 2088 wrote to memory of 2852	2088	samp.exe	35
PID 2652 wrote to memory of 2684	2652	samp.exe	37
PID 2652 wrote to memory of 2684	2652	samp.exe	37
PID 2652 wrote to memory of 2684	2652	samp.exe	37
PID 2652 wrote to memory of 2684	2652	samp.exe	37
PID 2684 wrote to memory of 444	2684	RjiQ4ZhmYe.exe	75
PID 2684 wrote to memory of 444	2684	RjiQ4ZhmYe.exe	75
PID 2684 wrote to memory of 444	2684	RjiQ4ZhmYe.exe	75

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6c209d47e8f22b36b7da51d0c78315673eb3f3b7da11321f399547dc44e561e0.exe
"C:\Users\Admin\AppData\Local\Temp\6c209d47e8f22b36b7da51d0c78315673eb3f3b7da11321f399547dc44e561e0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\samp.exe
  "C:\Users\Admin\AppData\Local\Temp\samp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Users\Admin\AppData\Local\Temp\samp.exe
    "C:\Users\Admin\AppData\Local\Temp\samp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Users\Admin\AppData\Roaming\BPV54WuDSh.exe
      "C:\Users\Admin\AppData\Roaming\BPV54WuDSh.exe"
      4⤵
      Executes dropped EXE
      PID:2644
  - - C:\Users\Admin\AppData\Roaming\RjiQ4ZhmYe.exe
      "C:\Users\Admin\AppData\Roaming\RjiQ4ZhmYe.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\Help\Corporate\dllhost.exe
        
        "C:\Windows\Help\Corporate\dllhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:444
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 256
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2852
- C:\Users\Admin\AppData\Local\Temp\2 - 7z.exe
  "C:\Users\Admin\AppData\Local\Temp\2 - 7z.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\NetHood\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\NetHood\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\Help\Corporate\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Help\Corporate\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Help\Corporate\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WerFaultW" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\WerFault.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WerFault" /sc ONLOGON /tr "'C:\Users\Default User\WerFault.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WerFaultW" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\WerFault.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Temp\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Temp\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WerFaultW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\WerFault.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WerFault" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\WerFault.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WerFaultW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\WerFault.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2 - 7z2" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\2 - 7z.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2 - 7z" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\2 - 7z.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2 - 7z2" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\2 - 7z.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1948

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2 - 7z.exe

Filesize
1.5MB

MD5
a6a0f7c173094f8dafef996157751ecf

SHA1
c0dcae7c4c80be25661d22400466b4ea074fc580

SHA256
b055fee85472921575071464a97a79540e489c1c3a14b9bdfbdbab60e17f36e4

SHA512
965d43f06d104bf6707513c459f18aaf8b049f4a043643d720b184ed9f1bb6c929309c51c3991d5aaff7b9d87031a7248ee3274896521abe955d0e49f901ac94

Download Submit
C:\Users\Admin\AppData\Roaming\BPV54WuDSh.exe

Filesize
18KB

MD5
f3edff85de5fd002692d54a04bcb1c09

SHA1
4c844c5b0ee7cb230c9c28290d079143e00cb216

SHA256
caf29650446db3842e1c1e8e5e1bafadaf90fc82c5c37b9e2c75a089b7476131

SHA512
531d920e2567f58e8169afc786637c1a0f7b9b5c27b27b5f0eddbfc3e00cecd7bea597e34061d836647c5f8c7757f2fe02952a9793344e21b39ddd4bf7985f9d

Download Submit
C:\Users\Admin\AppData\Roaming\RjiQ4ZhmYe.exe

Filesize
711KB

MD5
3770bc535f1d9bc82a785afc58b2264b

SHA1
59086adfb686a8ca50a6eb82c8bc32d0c3588eac

SHA256
d83a1f4c4957587fcbab0a68208b2a528b9f03c736b3b363d0a4aae435191eed

SHA512
6bfd774c5a585300bb791c0788d827254332f8c3abe5b634ed075380bb47486a8d2311f9484bbf76c4c03b7edbfa6da550e48b02948a03582c9b45cd51756846

Download Submit
\Program Files\7-Zip\7-zip.dll

Filesize
99KB

MD5
956d826f03d88c0b5482002bb7a83412

SHA1
560658185c225d1bd274b6a18372fd7de5f336af

SHA256
f9b4944d3a5536a6f8b4d5db17d903988a3518b22fbee6e3f6019aaf44189b3d

SHA512
6503064802101bca6e25b259a2bfe38e2d8b786bf2cf588ab1fb026b755f04a20857ee27e290cf50b2667425c528313b1c02e09b7b50edbcd75a3335439c3647

Download Submit
\Program Files\7-Zip\7zFM.exe

Filesize
935KB

MD5
d36deceeb4c9645aab2ded86608d090b

SHA1
912f4658c4b046fbadd084912f9126cb1ae3737b

SHA256
018d74ff917692124dee0a8a7e6302aecd219d79b049ad95f2f4eedea41b4a45

SHA512
9752a9e57dd2e6cd454ba6c2d041d884369734c2b62c53d3ec4854731c398cd6e25ac75f7a55cda9d4b4c2efb074cb2e6efcbf3080cd8cc7d9bc8c9a25f62ff2

Download Submit
\Users\Admin\AppData\Local\Temp\samp.exe

Filesize
1.2MB

MD5
92c504e1fd71890ea4d77b8cdc93b32f

SHA1
3ecb6dffcc39fbd2c759e75afd7d6e315d485bc2

SHA256
8a926ee7e23023134a69be829e0f037d0b35f034725d4fd5519d322dd29c3be6

SHA512
2931030962c384d8f341c0b1470f198687a329f01290eedbc733ca193eb887d32ac1d731f58556db7d91a6bb7a3518d0bfdb7860ae7aaf8f18f04a2eb7edf9bb

Download Submit
memory/444-323-0x0000000001370000-0x0000000001428000-memory.dmp

Filesize
736KB

Download
memory/2416-19-0x0000000000400000-0x00000000006C6000-memory.dmp

Filesize
2.8MB

Download
memory/2652-32-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2652-39-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2652-37-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2652-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2652-34-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2652-24-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2652-28-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2652-45-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2652-59-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2652-26-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2652-30-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2652-44-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2684-95-0x0000000000F90000-0x0000000001048000-memory.dmp

Filesize
736KB

Download
memory/2684-290-0x0000000000CC0000-0x0000000000CD6000-memory.dmp

Filesize
88KB

Download
memory/2684-292-0x0000000000CE0000-0x0000000000CE8000-memory.dmp

Filesize
32KB

Download
memory/2684-291-0x0000000000550000-0x000000000055E000-memory.dmp

Filesize
56KB

Download
memory/2684-289-0x0000000000BA0000-0x0000000000BBC000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads