dcrat | 0c70ff796c9a6c8e20437dcd29e1be3951ac7dae8bc0e75bbbae5b710c6be70e

General

Target

a77873bfea27896f94731478d64541a3.exe
Size

873KB
MD5

a77873bfea27896f94731478d64541a3
SHA1

9d9596b12d51e06dd1c509c3df0cb7432fb60156
SHA256

0c70ff796c9a6c8e20437dcd29e1be3951ac7dae8bc0e75bbbae5b710c6be70e
SHA512

34c94a9e432bb0d4e2154ca80d2a42bb47e4a3ff29a5ecb9d24eb4db235a3dfb7e6c532edb05bcb4a1e299c4b040e39d2c0eeeac8593e7b0babcdaf834e49a0e

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 19 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1524	schtasks.exe
		1684	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Uninstall Information\\smss.exe\""		a77873bfea27896f94731478d64541a3.exe
		876	schtasks.exe
		1076	schtasks.exe
		1084	schtasks.exe
File created	C:\Program Files\Uninstall Information\smss.exe		a77873bfea27896f94731478d64541a3.exe
		1820	schtasks.exe
		1648	schtasks.exe
		2024	schtasks.exe
		1472	schtasks.exe
		572	schtasks.exe
		1112	schtasks.exe
		1500	schtasks.exe
		1616	schtasks.exe
		972	schtasks.exe
		1700	schtasks.exe
		440	schtasks.exe
		1892	schtasks.exe

Process spawned unexpected child process 17 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	1516	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	440	1516	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	1516	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	1516	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	1516	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	1516	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	1516	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	1516	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	1516	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	1516	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	1516	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1516	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	1516	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	1516	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	1516	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	1516	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	1516	schtasks.exe	29

Executes dropped EXE 1 IoCs

pid	Process
1984	csrss.exe

Adds Run key to start application 2 TTPs 17 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\cero\\wininit.exe\""	a77873bfea27896f94731478d64541a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\Idle.exe\""	a77873bfea27896f94731478d64541a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Windows\\System32\\wbem\\powermeterprovider\\WMIADAP.exe\""	a77873bfea27896f94731478d64541a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\mssprxy\\csrss.exe\""	a77873bfea27896f94731478d64541a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\iprtrmgr\\csrss.exe\""	a77873bfea27896f94731478d64541a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\ubpm\\taskhost.exe\""	a77873bfea27896f94731478d64541a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\net1\\csrss.exe\""	a77873bfea27896f94731478d64541a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\security\\audit\\wininit.exe\""	a77873bfea27896f94731478d64541a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\KBDINORI\\winlogon.exe\""	a77873bfea27896f94731478d64541a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Uninstall Information\\smss.exe\""	a77873bfea27896f94731478d64541a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\csrss.exe\""	a77873bfea27896f94731478d64541a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\schtasks = "\"C:\\Windows\\System32\\wuaueng\\schtasks.exe\""	a77873bfea27896f94731478d64541a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\ProgramData\\Start Menu\\dwm.exe\""	a77873bfea27896f94731478d64541a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Offline Web Pages\\csrss.exe\""	a77873bfea27896f94731478d64541a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\msdfmap\\explorer.exe\""	a77873bfea27896f94731478d64541a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Windows NT\\taskhost.exe\""	a77873bfea27896f94731478d64541a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\ProgramData\\Documents\\services.exe\""	a77873bfea27896f94731478d64541a3.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File created	C:\Windows\System32\ubpm\taskhost.exe	a77873bfea27896f94731478d64541a3.exe
File created	C:\Windows\System32\mssprxy\csrss.exe	a77873bfea27896f94731478d64541a3.exe
File created	C:\Windows\System32\ubpm\b75386f1303e64	a77873bfea27896f94731478d64541a3.exe
File created	C:\Windows\System32\cero\wininit.exe	a77873bfea27896f94731478d64541a3.exe
File created	C:\Windows\System32\wbem\powermeterprovider\75a57c1bdf437c	a77873bfea27896f94731478d64541a3.exe
File created	C:\Windows\System32\mssprxy\886983d96e3d3e	a77873bfea27896f94731478d64541a3.exe
File created	C:\Windows\System32\iprtrmgr\csrss.exe	a77873bfea27896f94731478d64541a3.exe
File created	C:\Windows\System32\KBDINORI\winlogon.exe	a77873bfea27896f94731478d64541a3.exe
File created	C:\Windows\System32\cero\56085415360792	a77873bfea27896f94731478d64541a3.exe
File created	C:\Windows\System32\net1\886983d96e3d3e	a77873bfea27896f94731478d64541a3.exe
File created	C:\Windows\System32\iprtrmgr\886983d96e3d3e	a77873bfea27896f94731478d64541a3.exe
File created	C:\Windows\System32\net1\csrss.exe	a77873bfea27896f94731478d64541a3.exe
File created	C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe	a77873bfea27896f94731478d64541a3.exe
File created	C:\Windows\System32\wuaueng\schtasks.exe	a77873bfea27896f94731478d64541a3.exe
File created	C:\Windows\System32\wuaueng\3a6fe29a7ceee6	a77873bfea27896f94731478d64541a3.exe
File created	C:\Windows\System32\KBDINORI\cc11b995f2a76d	a77873bfea27896f94731478d64541a3.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\b75386f1303e64	a77873bfea27896f94731478d64541a3.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe	a77873bfea27896f94731478d64541a3.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\6ccacd8608530f	a77873bfea27896f94731478d64541a3.exe
File created	C:\Program Files\Uninstall Information\smss.exe	a77873bfea27896f94731478d64541a3.exe
File opened for modification	C:\Program Files\Uninstall Information\smss.exe	a77873bfea27896f94731478d64541a3.exe
File created	C:\Program Files\Uninstall Information\69ddcba757bf72	a77873bfea27896f94731478d64541a3.exe
File created	C:\Program Files (x86)\Windows NT\taskhost.exe	a77873bfea27896f94731478d64541a3.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\security\audit\56085415360792	a77873bfea27896f94731478d64541a3.exe
File created	C:\Windows\msdfmap\explorer.exe	a77873bfea27896f94731478d64541a3.exe
File created	C:\Windows\msdfmap\7a0fd90576e088	a77873bfea27896f94731478d64541a3.exe
File created	C:\Windows\Offline Web Pages\csrss.exe	a77873bfea27896f94731478d64541a3.exe
File opened for modification	C:\Windows\Offline Web Pages\csrss.exe	a77873bfea27896f94731478d64541a3.exe
File created	C:\Windows\Offline Web Pages\886983d96e3d3e	a77873bfea27896f94731478d64541a3.exe
File created	C:\Windows\security\audit\wininit.exe	a77873bfea27896f94731478d64541a3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
440	schtasks.exe
1892	schtasks.exe
1648	schtasks.exe
2024	schtasks.exe
1700	schtasks.exe
1524	schtasks.exe
1684	schtasks.exe
1616	schtasks.exe
972	schtasks.exe
572	schtasks.exe
1084	schtasks.exe
1472	schtasks.exe
876	schtasks.exe
1820	schtasks.exe
1076	schtasks.exe
1112	schtasks.exe
1500	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1616	a77873bfea27896f94731478d64541a3.exe
1896	a77873bfea27896f94731478d64541a3.exe
1620	a77873bfea27896f94731478d64541a3.exe
1620	a77873bfea27896f94731478d64541a3.exe
1620	a77873bfea27896f94731478d64541a3.exe
1984	csrss.exe
1984	csrss.exe
1984	csrss.exe
1984	csrss.exe
1984	csrss.exe
1984	csrss.exe
1984	csrss.exe
1984	csrss.exe
1984	csrss.exe
1984	csrss.exe
1984	csrss.exe
1984	csrss.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1616	a77873bfea27896f94731478d64541a3.exe
Token: SeDebugPrivilege	1896	a77873bfea27896f94731478d64541a3.exe
Token: SeDebugPrivilege	1620	a77873bfea27896f94731478d64541a3.exe
Token: SeDebugPrivilege	1984	csrss.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 1532	1616	a77873bfea27896f94731478d64541a3.exe	34
PID 1616 wrote to memory of 1532	1616	a77873bfea27896f94731478d64541a3.exe	34
PID 1616 wrote to memory of 1532	1616	a77873bfea27896f94731478d64541a3.exe	34
PID 1532 wrote to memory of 992	1532	cmd.exe	36
PID 1532 wrote to memory of 992	1532	cmd.exe	36
PID 1532 wrote to memory of 992	1532	cmd.exe	36
PID 1532 wrote to memory of 1896	1532	cmd.exe	37
PID 1532 wrote to memory of 1896	1532	cmd.exe	37
PID 1532 wrote to memory of 1896	1532	cmd.exe	37
PID 1896 wrote to memory of 1620	1896	a77873bfea27896f94731478d64541a3.exe	42
PID 1896 wrote to memory of 1620	1896	a77873bfea27896f94731478d64541a3.exe	42
PID 1896 wrote to memory of 1620	1896	a77873bfea27896f94731478d64541a3.exe	42
PID 1620 wrote to memory of 908	1620	a77873bfea27896f94731478d64541a3.exe	52
PID 1620 wrote to memory of 908	1620	a77873bfea27896f94731478d64541a3.exe	52
PID 1620 wrote to memory of 908	1620	a77873bfea27896f94731478d64541a3.exe	52
PID 908 wrote to memory of 1012	908	cmd.exe	54
PID 908 wrote to memory of 1012	908	cmd.exe	54
PID 908 wrote to memory of 1012	908	cmd.exe	54
PID 908 wrote to memory of 1984	908	cmd.exe	55
PID 908 wrote to memory of 1984	908	cmd.exe	55
PID 908 wrote to memory of 1984	908	cmd.exe	55

C:\Users\Admin\AppData\Local\Temp\a77873bfea27896f94731478d64541a3.exe
"C:\Users\Admin\AppData\Local\Temp\a77873bfea27896f94731478d64541a3.exe"
1⤵
- DcRat
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\26eGvL4Yp3.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:992
- - C:\Users\Admin\AppData\Local\Temp\a77873bfea27896f94731478d64541a3.exe
    "C:\Users\Admin\AppData\Local\Temp\a77873bfea27896f94731478d64541a3.exe"
    3⤵
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Users\Admin\AppData\Local\Temp\a77873bfea27896f94731478d64541a3.exe
      "C:\Users\Admin\AppData\Local\Temp\a77873bfea27896f94731478d64541a3.exe"
      4⤵
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1620
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fe3bVRSd9I.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:908
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1012
      - C:\Windows\Offline Web Pages\csrss.exe
        
        "C:\Windows\Offline Web Pages\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\ubpm\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\msdfmap\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\ProgramData\Documents\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\cero\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\net1\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\security\audit\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\System32\wbem\powermeterprovider\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\mssprxy\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Windows\System32\wuaueng\schtasks.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\iprtrmgr\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\KBDINORI\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1616-56-0x000000001AFF0000-0x000000001AFF2000-memory.dmp

Filesize
8KB

Download
memory/1616-55-0x0000000000B90000-0x0000000000C72000-memory.dmp

Filesize
904KB

Download
memory/1616-54-0x000007FEF5D03000-0x000007FEF5D04000-memory.dmp

Filesize
4KB

Download
memory/1620-61-0x000007FEF5313000-0x000007FEF5314000-memory.dmp

Filesize
4KB

Download
memory/1620-62-0x000000001AFA0000-0x000000001AFA2000-memory.dmp

Filesize
8KB

Download
memory/1896-59-0x000007FEF5313000-0x000007FEF5314000-memory.dmp

Filesize
4KB

Download
memory/1896-60-0x0000000000410000-0x0000000000412000-memory.dmp

Filesize
8KB

Download
memory/1896-58-0x0000000000D10000-0x0000000000DF2000-memory.dmp

Filesize
904KB

Download
memory/1984-66-0x00000000001A0000-0x0000000000282000-memory.dmp

Filesize
904KB

Download
memory/1984-68-0x000000001AF30000-0x000000001AF32000-memory.dmp

Filesize
8KB

Download
memory/1984-67-0x000007FEF5623000-0x000007FEF5624000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads