Analysis

max time kernel: 143s
max time network: 161s
platform: windows10_x64
resource: win10-en-20211208
submitted: 30-01-2022 22:11
Static task: static1
Behavioral task: behavioral1
  Sample: 900eb9fef2464a9f9d8f8e6583bcb8a1.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 900eb9fef2464a9f9d8f8e6583bcb8a1.exe
  Resource: win10-en-20211208
General

Target: 900eb9fef2464a9f9d8f8e6583bcb8a1.exe
Size: 1.4MB
MD5: 900eb9fef2464a9f9d8f8e6583bcb8a1
SHA1: 5941e80798f6aa3ea56bc4891494a27f55bb2c10
SHA256: 40fb662761491390c1e86e0e2d7cfc671b2239a5c3109ee0c76c963cf1f1fd62
SHA512: 2f3a72d450c35a96ed9ac40bd889cb558d42d15581d1df91857551dee7f7429ebaa4e6d67cfa8b1f56b590f924306d0ac35bbe880c33ff14933e28291aa2416e
Malware Config

Signatures

DcRat 10 IoCs
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

description | ioc | pid | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files\\Windows Media Player\\Media Renderer\\taskhostw.exe\"" | - | 123.exe
- | - | 1104 | schtasks.exe
- | - | 416 | schtasks.exe
- | - | 384 | schtasks.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files\\Windows Media Player\\Media Renderer\\taskhostw.exe\"" | - | 123.exe
- | - | 1792 | schtasks.exe
File created | C:\Program Files\Windows Media Player\Media Renderer\taskhostw.exe | - | 123.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Media Renderer\\taskhostw.exe\"" | - | 123.exe
- | - | 3252 | schtasks.exe
- | - | 1148 | schtasks.exe

Modifies WinLogon for persistence 2 TTPs 6 IoCs

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Media Renderer\\taskhostw.exe\"" | 123.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Media Renderer\\taskhostw.exe\", \"C:\\Windows\\System32\\expand\\fontdrvhost.exe\"" | 123.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Media Renderer\\taskhostw.exe\", \"C:\\Windows\\System32\\expand\\fontdrvhost.exe\", \"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\dllhost.exe\"" | 123.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Media Renderer\\taskhostw.exe\", \"C:\\Windows\\System32\\expand\\fontdrvhost.exe\", \"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\dllhost.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\RuntimeBroker.exe\"" | 123.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Media Renderer\\taskhostw.exe\", \"C:\\Windows\\System32\\expand\\fontdrvhost.exe\", \"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\dllhost.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Apply\\FilesInUse\\1B8BDD37-6418-48C6-B461-DA156486283D\\fontdrvhost.exe\"" | 123.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Media Renderer\\taskhostw.exe\", \"C:\\Windows\\System32\\expand\\fontdrvhost.exe\", \"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\dllhost.exe\", \"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Apply\\FilesInUse\\1B8BDD37-6418-48C6-B461-DA156486283D\\fontdrvhost.exe\", \"C:\\Windows\\System32\\Sens\\audiodg.exe\"" | 123.exe

Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1792 | 1860 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1104 | 1860 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 416 | 1860 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 384 | 1860 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3252 | 1860 | schtasks.exe | 70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1148 | 1860 | schtasks.exe | 70

suricata: ET MALWARE DCRAT Activity (GET)
Executes dropped EXE 2 IoCs

pid | Process
840 | 123.exe
1308 | dllhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 12 IoCs

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\dllhost.exe\"" | 123.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\RuntimeBroker.exe\"" | 123.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Microsoft Office\\Updates\\Apply\\FilesInUse\\1B8BDD37-6418-48C6-B461-DA156486283D\\fontdrvhost.exe\"" | 123.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Microsoft Office\\Updates\\Apply\\FilesInUse\\1B8BDD37-6418-48C6-B461-DA156486283D\\fontdrvhost.exe\"" | 123.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\System32\\Sens\\audiodg.exe\"" | 123.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files\\Windows Media Player\\Media Renderer\\taskhostw.exe\"" | 123.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\expand\\fontdrvhost.exe\"" | 123.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\expand\\fontdrvhost.exe\"" | 123.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\System32\\Sens\\audiodg.exe\"" | 123.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files\\Windows Media Player\\Media Renderer\\taskhostw.exe\"" | 123.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\dllhost.exe\"" | 123.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\RuntimeBroker.exe\"" | 123.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

flow | ioc
21 | ipinfo.io
22 | ipinfo.io
20 | ipinfo.io

Drops file in System32 directory 4 IoCs

description | ioc | Process
File created | C:\Windows\System32\Sens\audiodg.exe | 123.exe
File created | C:\Windows\System32\Sens\42af1c969fbb7b | 123.exe
File created | C:\Windows\System32\expand\fontdrvhost.exe | 123.exe
File created | C:\Windows\System32\expand\5b884080fd4f94 | 123.exe

Drops file in Program Files directory 5 IoCs

description | ioc | Process
File created | C:\Program Files\Windows Media Player\Media Renderer\ea9f0e6c9e2dcd | 123.exe
File created | C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\1B8BDD37-6418-48C6-B461-DA156486283D\fontdrvhost.exe | 123.exe
File created | C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\1B8BDD37-6418-48C6-B461-DA156486283D\5b884080fd4f94 | 123.exe
File created | C:\Program Files\Windows Media Player\Media Renderer\taskhostw.exe | 123.exe
File opened for modification | C:\Program Files\Windows Media Player\Media Renderer\taskhostw.exe | 123.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

pid | Process
3252 | schtasks.exe
1148 | schtasks.exe
1792 | schtasks.exe
1104 | schtasks.exe
416 | schtasks.exe
384 | schtasks.exe

Modifies registry class 1 IoCs

description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings | 123.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid | Process
840 | 123.exe
536 | powershell.exe
2928 | powershell.exe
64 | powershell.exe
920 | powershell.exe
1636 | powershell.exe
1508 | powershell.exe
2284 | powershell.exe
1636 | powershell.exe
1508 | powershell.exe
2928 | powershell.exe
920 | powershell.exe
64 | powershell.exe
536 | powershell.exe
2284 | powershell.exe
64 | powershell.exe
536 | powershell.exe
920 | powershell.exe
1508 | powershell.exe
2284 | powershell.exe
1636 | powershell.exe
2928 | powershell.exe
1308 | dllhost.exe
1308 | dllhost.exe
1308 | dllhost.exe
1308 | dllhost.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description | pid | Process
Token: SeDebugPrivilege | 840 | 123.exe
Token: SeDebugPrivilege | 536 | powershell.exe
Token: SeDebugPrivilege | 2928 | powershell.exe
Token: SeDebugPrivilege | 64 | powershell.exe
Token: SeDebugPrivilege | 2284 | powershell.exe
Token: SeDebugPrivilege | 920 | powershell.exe
Token: SeDebugPrivilege | 1636 | powershell.exe
Token: SeDebugPrivilege | 1508 | powershell.exe
Token: SeDebugPrivilege | 1308 | dllhost.exe

Suspicious use of WriteProcessMemory 22 IoCs

description | pid | Process | procid_target
PID 3708 wrote to memory of 840 | 3708 | 900eb9fef2464a9f9d8f8e6583bcb8a1.exe | 69
PID 3708 wrote to memory of 840 | 3708 | 900eb9fef2464a9f9d8f8e6583bcb8a1.exe | 69
PID 840 wrote to memory of 536 | 840 | 123.exe | 77
PID 840 wrote to memory of 536 | 840 | 123.exe | 77
PID 840 wrote to memory of 1636 | 840 | 123.exe | 81
PID 840 wrote to memory of 1636 | 840 | 123.exe | 81
PID 840 wrote to memory of 1508 | 840 | 123.exe | 80
PID 840 wrote to memory of 1508 | 840 | 123.exe | 80
PID 840 wrote to memory of 920 | 840 | 123.exe | 79
PID 840 wrote to memory of 920 | 840 | 123.exe | 79
PID 840 wrote to memory of 2928 | 840 | 123.exe | 82
PID 840 wrote to memory of 2928 | 840 | 123.exe | 82
PID 840 wrote to memory of 2284 | 840 | 123.exe | 88
PID 840 wrote to memory of 2284 | 840 | 123.exe | 88
PID 840 wrote to memory of 64 | 840 | 123.exe | 87
PID 840 wrote to memory of 64 | 840 | 123.exe | 87
PID 840 wrote to memory of 1960 | 840 | 123.exe | 91
PID 840 wrote to memory of 1960 | 840 | 123.exe | 91
PID 1960 wrote to memory of 1888 | 1960 | cmd.exe | 93
PID 1960 wrote to memory of 1888 | 1960 | cmd.exe | 93
PID 1960 wrote to memory of 1308 | 1960 | cmd.exe | 94
PID 1960 wrote to memory of 1308 | 1960 | cmd.exe | 94

Processes

Process tree (each child is indented under its parent; the six schtasks.exe entries at the end are top-level because their recorded parent is wmiprvse.exe):

C:\Users\Admin\AppData\Local\Temp\900eb9fef2464a9f9d8f8e6583bcb8a1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\900eb9fef2464a9f9d8f8e6583bcb8a1.exe"
  PID: 3708
  - Suspicious use of WriteProcessMemory

  C:\Users\Public\Videos\123.exe
    Command line: "C:\Users\Public\Videos\123.exe"
    PID: 840
    - DcRat
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\123.exe'
      PID: 536
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\dllhost.exe'
      PID: 920
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\expand\fontdrvhost.exe'
      PID: 1508
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Media Renderer\taskhostw.exe'
      PID: 1636
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsHolographicDevices\SpatialStore\RuntimeBroker.exe'
      PID: 2928
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Sens\audiodg.exe'
      PID: 64
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\1B8BDD37-6418-48C6-B461-DA156486283D\fontdrvhost.exe'
      PID: 2284
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kk7CMLuTQW.bat"
      PID: 1960
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\w32tm.exe
        Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        PID: 1888

      C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\dllhost.exe
        Command line: "C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\dllhost.exe"
        PID: 1308
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Media Renderer\taskhostw.exe'" /rl HIGHEST /f
  PID: 1792
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\expand\fontdrvhost.exe'" /rl HIGHEST /f
  PID: 1104
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\dllhost.exe'" /rl HIGHEST /f
  PID: 416
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\ProgramData\WindowsHolographicDevices\SpatialStore\RuntimeBroker.exe'" /rl HIGHEST /f
  PID: 384
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\1B8BDD37-6418-48C6-B461-DA156486283D\fontdrvhost.exe'" /rl HIGHEST /f
  PID: 3252
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\System32\Sens\audiodg.exe'" /rl HIGHEST /f
  PID: 1148
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)