dcrat | e603588520d43b42f47d9af8f74eaa70efba4fe006bd29f74ba9c28b0699128f

General

Target

bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
Size

1.1MB
MD5

bb2016d496611fe8cae1421d73f1756a
SHA1

691fd0a996e5a8d7f725f65cc3d847f00f452140
SHA256

e603588520d43b42f47d9af8f74eaa70efba4fe006bd29f74ba9c28b0699128f
SHA512

e6e153865af8954ad91d8d30e70aaad5a2ac4eb9c1976427a2414dca5a6a30ac2f59bba5d56a1e109805b4a0b6e17024f016c6577d247bf131b95b0a1ce9290a
SSDEEP

12288:p9F7wFaFs+9bwsvIi4XqWtgir99ELM9dqugUbSbv8yNRTHHh+XLRSecvv+Kzj11Z:pn7w8X9bweZS9KCg0Gz9NloMHFzj/1

Score

10^/10

dcrat infostealer persistence rat vmprotect

Malware Config

Signatures

DcRat 15 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1600	schtasks.exe
		3532	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\sppsvc.exe\""		bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
		4476	schtasks.exe
		2876	schtasks.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost\StartMenuExperienceHost.exe		bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
		1716	schtasks.exe
		4048	schtasks.exe
		1056	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default\\NetHood\\RuntimeBroker.exe\""		bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Documents and Settings\\backgroundTaskHost.exe\""		bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
		4856	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost\\StartMenuExperienceHost.exe\""		bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
		4148	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\RemoveDeviceContextHandler\\dllhost.exe\""		bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe

Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	3112	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	3112	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	3112	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	3112	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	3112	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	3112	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	3112	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4048	3112	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4148	3112	schtasks.exe	83

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2340	TextInputHost.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/4980-1-0x0000000000DC0000-0x0000000000FA4000-memory.dmp	vmprotect
behavioral2/files/0x0007000000023c9e-15.dat	vmprotect

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\sppsvc.exe\""	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ja\\winlogon.exe\""	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\wlidsvc\\dllhost.exe\""	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default\\NetHood\\RuntimeBroker.exe\""	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\RemoveDeviceContextHandler\\dllhost.exe\""	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Documents and Settings\\backgroundTaskHost.exe\""	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\usocoreworker\\spoolsv.exe\""	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\SuggestionUI\\TextInputHost.exe\""	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost\\StartMenuExperienceHost.exe\""	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\System32\wlidsvc\dllhost.exe	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
File created	C:\Windows\System32\wlidsvc\5940a34987c99120d96dace90a3f93f329dcad63	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
File created	C:\Windows\System32\RemoveDeviceContextHandler\dllhost.exe	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
File created	C:\Windows\System32\RemoveDeviceContextHandler\5940a34987c99120d96dace90a3f93f329dcad63	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
File created	C:\Windows\System32\usocoreworker\spoolsv.exe	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\usocoreworker\spoolsv.exe	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
File created	C:\Windows\System32\usocoreworker\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\sppsvc.exe	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\0a1fd5f707cd16ea89afd3d6db52b2da58214a6c	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\winlogon.exe	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\cc11b995f2a76da408ea6a601e682e64743153ad	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost\StartMenuExperienceHost.exe	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost\StartMenuExperienceHost.exe	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost\55b276f4edf653fe07efe8f1ecc32d3d195abd16	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\22eafd247d37c30fed3795ee41d259ec72bb351c	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4856	schtasks.exe
4048	schtasks.exe
4148	schtasks.exe
4476	schtasks.exe
2876	schtasks.exe
1716	schtasks.exe
1056	schtasks.exe
1600	schtasks.exe
3532	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4980	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
5040	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
5040	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
5040	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
5040	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
5040	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
2340	TextInputHost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4980	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
Token: SeDebugPrivilege	5040	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
Token: SeDebugPrivilege	2340	TextInputHost.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 528	4980	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe	89
PID 4980 wrote to memory of 528	4980	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe	89
PID 528 wrote to memory of 3364	528	cmd.exe	91
PID 528 wrote to memory of 3364	528	cmd.exe	91
PID 528 wrote to memory of 1360	528	cmd.exe	92
PID 528 wrote to memory of 1360	528	cmd.exe	92
PID 528 wrote to memory of 5040	528	cmd.exe	94
PID 528 wrote to memory of 5040	528	cmd.exe	94
PID 5040 wrote to memory of 2340	5040	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe	100
PID 5040 wrote to memory of 2340	5040	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe"
1⤵
- DcRat
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sCgqolWoVH.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:528
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3364
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1360
- - C:\Users\Admin\AppData\Local\Temp\bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe"
    3⤵
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5040
  - - C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe
      "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\RemoveDeviceContextHandler\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\NetHood\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Documents and Settings\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\usocoreworker\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\wlidsvc\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Media Player\Media Renderer\sppsvc.exe

Filesize
1.1MB

MD5
bb2016d496611fe8cae1421d73f1756a

SHA1
691fd0a996e5a8d7f725f65cc3d847f00f452140

SHA256
e603588520d43b42f47d9af8f74eaa70efba4fe006bd29f74ba9c28b0699128f

SHA512
e6e153865af8954ad91d8d30e70aaad5a2ac4eb9c1976427a2414dca5a6a30ac2f59bba5d56a1e109805b4a0b6e17024f016c6577d247bf131b95b0a1ce9290a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe.log

Filesize
2KB

MD5
f88ca59ed326d0c694e63960cf01775e

SHA1
55880f601bcd9bbe68ddbeaeb1cc32549b711fd0

SHA256
897121c0ed0231dd1ac79e61cc9d63ad6d17a9d326b62a87cccf548a5469f8ff

SHA512
29bae90036782015cac998e9fb70da7fa1d68068a89422a55b3dfa0af00386a5c59ccc86ddced4e66fa2ece5152d2ff0ea4cd8e6412d401d49e997ed0f7f8c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\sCgqolWoVH.bat

Filesize
260B

MD5
97b0e09327531d0cd5a3b050ae6eeea8

SHA1
7f03eb7c74bf2bd6a72f6a30a0c60c8b491fd1db

SHA256
bab6cded2c9325d542482146d1c93c992cceccb3d11ed91fc70b5cc1ee2fa2ec

SHA512
e75ef9387305b7a9f8bb832bbcd407b9a426ebc1e303421aef4a6f955b314535ac45da9e331696a4476fdb1886a108cc1495e5732498f6402e85ede2793ba469

Download Submit
memory/2340-48-0x00000000013A0000-0x00000000013AA000-memory.dmp

Filesize
40KB

Download
memory/2340-46-0x0000000001370000-0x0000000001378000-memory.dmp

Filesize
32KB

Download
memory/2340-47-0x0000000001390000-0x0000000001398000-memory.dmp

Filesize
32KB

Download
memory/2340-45-0x0000000001380000-0x0000000001388000-memory.dmp

Filesize
32KB

Download
memory/2340-44-0x0000000001350000-0x000000000135E000-memory.dmp

Filesize
56KB

Download
memory/2340-43-0x00000000012F0000-0x00000000012FC000-memory.dmp

Filesize
48KB

Download
memory/4980-4-0x00007FFA102C0000-0x00007FFA10D81000-memory.dmp

Filesize
10.8MB

Download
memory/4980-23-0x00007FFA102C0000-0x00007FFA10D81000-memory.dmp

Filesize
10.8MB

Download
memory/4980-6-0x00007FFA102C0000-0x00007FFA10D81000-memory.dmp

Filesize
10.8MB

Download
memory/4980-5-0x00007FFA102C0000-0x00007FFA10D81000-memory.dmp

Filesize
10.8MB

Download
memory/4980-0-0x00007FFA102C3000-0x00007FFA102C5000-memory.dmp

Filesize
8KB

Download
memory/4980-3-0x00000000030C0000-0x0000000003110000-memory.dmp

Filesize
320KB

Download
memory/4980-2-0x000000001BC70000-0x000000001BD1A000-memory.dmp

Filesize
680KB

Download
memory/4980-1-0x0000000000DC0000-0x0000000000FA4000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads