dcrat | 7e649c9e6325c46601a81fd6c0dbf36ee6c85d0ee108c333b283140f96b842f6

General

Target

7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Size

1.9MB
MD5

3b15c55bae9fefd6585e43490f6bf231
SHA1

3e1815ec0f2fcc83c1aef7173baf749e4547f967
SHA256

7e649c9e6325c46601a81fd6c0dbf36ee6c85d0ee108c333b283140f96b842f6
SHA512

43b870f7feaf9b1290acd23f17d0b22ea678ef93f52b5d89e11f85dc87c6306e3fd45e151784001f502d2261f153737a82578a31cfdf1edd93f8b31d6a86b4bc
SSDEEP

49152:Mb3eYn9rEj80t2CttDha8bCgXLQHkfX68lSurk9JWBKM:MlnmwWttPbC+R68l89r

Score

10^/10

dcrat infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat 14 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1008	schtasks.exe
1544	schtasks.exe
632	schtasks.exe
1508	schtasks.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\winlogon.exe	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\cc11b995f2a76d	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
1984	schtasks.exe
848	schtasks.exe
1104	schtasks.exe
1876	schtasks.exe
1880	schtasks.exe
868	schtasks.exe
1900	schtasks.exe
720	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\winlogon.exe\""	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\winlogon.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Esl\\taskhost.exe\""	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\winlogon.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Esl\\taskhost.exe\", \"C:\\MSOCache\\All Users\\WmiPrvSE.exe\""	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\winlogon.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Esl\\taskhost.exe\", \"C:\\MSOCache\\All Users\\WmiPrvSE.exe\", \"C:\\Recovery\\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\\WmiPrvSE.exe\""	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2024	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2024	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2024	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2024	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2024	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	2024	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2024	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2024	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	720	2024	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2024	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2024	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2024	schtasks.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1672-55-0x0000000001190000-0x0000000001698000-memory.dmp	dcrat
behavioral1/memory/1672-65-0x0000000001190000-0x0000000001698000-memory.dmp	dcrat
behavioral1/memory/1396-66-0x0000000000200000-0x0000000000708000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

WmiPrvSE.exe

pid process

1396 WmiPrvSE.exe
Loads dropped DLL 2 IoCs

Processes:

7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe

pid process

1672 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
1672 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1396	WmiPrvSE.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\\WmiPrvSE.exe\""	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\\WmiPrvSE.exe\""	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\winlogon.exe\""	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\winlogon.exe\""	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Esl\\taskhost.exe\""	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Esl\\taskhost.exe\""	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\WmiPrvSE.exe\""	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\WmiPrvSE.exe\""	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

Processes:

7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exeWmiPrvSE.exe

pid	process
1672	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
1672	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
1396	WmiPrvSE.exe
1396	WmiPrvSE.exe
1396	WmiPrvSE.exe
1396	WmiPrvSE.exe
1396	WmiPrvSE.exe
1396	WmiPrvSE.exe
1396	WmiPrvSE.exe
1396	WmiPrvSE.exe
1396	WmiPrvSE.exe

Drops file in Program Files directory 5 IoCs

Processes:

7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\winlogon.exe	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\winlogon.exe	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\cc11b995f2a76d	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\taskhost.exe	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\b75386f1303e64	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
848	schtasks.exe
632	schtasks.exe
1104	schtasks.exe
1900	schtasks.exe
720	schtasks.exe
1508	schtasks.exe
1008	schtasks.exe
868	schtasks.exe
1880	schtasks.exe
1876	schtasks.exe
1984	schtasks.exe
1544	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exeWmiPrvSE.exe

pid	process
1672	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
1396	WmiPrvSE.exe
1396	WmiPrvSE.exe
1396	WmiPrvSE.exe
1396	WmiPrvSE.exe
1396	WmiPrvSE.exe
1396	WmiPrvSE.exe
1396	WmiPrvSE.exe
1396	WmiPrvSE.exe
1396	WmiPrvSE.exe
1396	WmiPrvSE.exe
1396	WmiPrvSE.exe
1396	WmiPrvSE.exe
1396	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exeWmiPrvSE.exe

description pid process

Token: SeDebugPrivilege 1672 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Token: SeDebugPrivilege 1396 WmiPrvSE.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exeWmiPrvSE.exe

pid process

1672 7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
1396 WmiPrvSE.exe

description	pid	process
Token: SeDebugPrivilege	1672	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
Token: SeDebugPrivilege	1396	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe

description	pid	process	target process
PID 1672 wrote to memory of 1396	1672	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe	WmiPrvSE.exe
PID 1672 wrote to memory of 1396	1672	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe	WmiPrvSE.exe
PID 1672 wrote to memory of 1396	1672	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe	WmiPrvSE.exe
PID 1672 wrote to memory of 1396	1672	7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe	WmiPrvSE.exe

C:\Users\Admin\AppData\Local\Temp\7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe
"C:\Users\Admin\AppData\Local\Temp\7E649C9E6325C46601A81FD6C0DBF36EE6C85D0EE108C.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1672

C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\WmiPrvSE.exe
"C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\WmiPrvSE.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\WmiPrvSE.exe
Filesize
1.9MB

MD5
3b15c55bae9fefd6585e43490f6bf231

SHA1
3e1815ec0f2fcc83c1aef7173baf749e4547f967

SHA256
7e649c9e6325c46601a81fd6c0dbf36ee6c85d0ee108c333b283140f96b842f6

SHA512
43b870f7feaf9b1290acd23f17d0b22ea678ef93f52b5d89e11f85dc87c6306e3fd45e151784001f502d2261f153737a82578a31cfdf1edd93f8b31d6a86b4bc

Download Submit
\??\c:\recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\wmiprvse.exe
Filesize
1.9MB

MD5
3b15c55bae9fefd6585e43490f6bf231

SHA1
3e1815ec0f2fcc83c1aef7173baf749e4547f967

SHA256
7e649c9e6325c46601a81fd6c0dbf36ee6c85d0ee108c333b283140f96b842f6

SHA512
43b870f7feaf9b1290acd23f17d0b22ea678ef93f52b5d89e11f85dc87c6306e3fd45e151784001f502d2261f153737a82578a31cfdf1edd93f8b31d6a86b4bc

Download Submit
\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\WmiPrvSE.exe
Filesize
1.9MB

MD5
3b15c55bae9fefd6585e43490f6bf231

SHA1
3e1815ec0f2fcc83c1aef7173baf749e4547f967

SHA256
7e649c9e6325c46601a81fd6c0dbf36ee6c85d0ee108c333b283140f96b842f6

SHA512
43b870f7feaf9b1290acd23f17d0b22ea678ef93f52b5d89e11f85dc87c6306e3fd45e151784001f502d2261f153737a82578a31cfdf1edd93f8b31d6a86b4bc

Download Submit
\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\WmiPrvSE.exe
Filesize
1.9MB

MD5
3b15c55bae9fefd6585e43490f6bf231

SHA1
3e1815ec0f2fcc83c1aef7173baf749e4547f967

SHA256
7e649c9e6325c46601a81fd6c0dbf36ee6c85d0ee108c333b283140f96b842f6

SHA512
43b870f7feaf9b1290acd23f17d0b22ea678ef93f52b5d89e11f85dc87c6306e3fd45e151784001f502d2261f153737a82578a31cfdf1edd93f8b31d6a86b4bc

Download Submit
memory/1396-61-0x0000000000000000-mapping.dmp

Download
memory/1396-66-0x0000000000200000-0x0000000000708000-memory.dmp

Filesize
5.0MB

Download
memory/1672-54-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download
memory/1672-55-0x0000000001190000-0x0000000001698000-memory.dmp

Filesize
5.0MB

Download
memory/1672-56-0x00000000004F0000-0x000000000050C000-memory.dmp

Filesize
112KB

Download
memory/1672-57-0x0000000000560000-0x0000000000576000-memory.dmp

Filesize
88KB

Download
memory/1672-58-0x0000000000A10000-0x0000000000A66000-memory.dmp

Filesize
344KB

Download
memory/1672-65-0x0000000001190000-0x0000000001698000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads