dcrat | 8148b7d10cc4d45ac6c2d1454119161a1ee677ac0986e4dd86e2f38a15b7ac19

General

Target

8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
Size

2.1MB
MD5

f26bb4f3cc67c00580554bea3dac5e4a
SHA1

14c7857a8edc29dce1a27379f60f0d9443303627
SHA256

8148b7d10cc4d45ac6c2d1454119161a1ee677ac0986e4dd86e2f38a15b7ac19
SHA512

32c1d95bde25e1807ce7312280106259831057df7da893041c43d3c76def49de500ccb7e87b8c08af7657fdbd22117d9320dc4f9e7eebed85f54b3f2e7418010
SSDEEP

49152:tmyDQOI0/F/LopeanZ6QNo1y80nfLSx9ZEQCUn/ty374FM5YLCbtYY2Zy:kyDRZFTopJhTfe3ZtVy3x1btJv

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	1212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	1212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	1212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	1212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	1212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	1212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	1212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	1212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	1212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	1212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	1212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	472	1212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	1212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	1212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	1212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	1212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	1212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	1212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	1212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	1212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	1212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	1212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	1212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	1212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	1212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	1212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	1212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	1212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	1212	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	1212	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/980-54-0x0000000000240000-0x000000000046A000-memory.dmp	dcrat
C:\Windows\Resources\csrss.exe	dcrat
C:\Windows\Resources\csrss.exe	dcrat
behavioral1/memory/988-65-0x00000000011C0000-0x00000000013EA000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

988 csrss.exe

pid	process
988	csrss.exe

Drops file in Program Files directory 4 IoCs

Processes:

8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe

description	ioc	process
File created	C:\Program Files\Common Files\System\ja-JP\sppsvc.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Program Files\Common Files\System\ja-JP\0a1fd5f707cd16	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Program Files\Microsoft Games\Hearts\es-ES\WmiPrvSE.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Program Files\Microsoft Games\Hearts\es-ES\24dbde2999530e	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe

Drops file in Windows directory 4 IoCs

Processes:

8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe

description	ioc	process
File created	C:\Windows\Resources\csrss.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Windows\Resources\886983d96e3d3e	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Windows\Vss\Writers\Idle.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Windows\Vss\Writers\6ccacd8608530f	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1964	schtasks.exe
1712	schtasks.exe
1644	schtasks.exe
1520	schtasks.exe
868	schtasks.exe
1092	schtasks.exe
472	schtasks.exe
1672	schtasks.exe
1992	schtasks.exe
588	schtasks.exe
1240	schtasks.exe
1668	schtasks.exe
1900	schtasks.exe
1496	schtasks.exe
1208	schtasks.exe
1940	schtasks.exe
880	schtasks.exe
1008	schtasks.exe
1288	schtasks.exe
1064	schtasks.exe
1080	schtasks.exe
864	schtasks.exe
1480	schtasks.exe
1400	schtasks.exe
1824	schtasks.exe
1764	schtasks.exe
940	schtasks.exe
1616	schtasks.exe
1132	schtasks.exe
1420	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.execsrss.exe

pid process

980 8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
988 csrss.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.execsrss.exe

description pid process

Token: SeDebugPrivilege 980 8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
Token: SeDebugPrivilege 988 csrss.exe

pid	process
980	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
988	csrss.exe

description	pid	process
Token: SeDebugPrivilege	980	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
Token: SeDebugPrivilege	988	csrss.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.execmd.exe

description	pid	process	target process
PID 980 wrote to memory of 2016	980	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe	cmd.exe
PID 980 wrote to memory of 2016	980	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe	cmd.exe
PID 980 wrote to memory of 2016	980	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe	cmd.exe
PID 2016 wrote to memory of 1504	2016	cmd.exe	w32tm.exe
PID 2016 wrote to memory of 1504	2016	cmd.exe	w32tm.exe
PID 2016 wrote to memory of 1504	2016	cmd.exe	w32tm.exe
PID 2016 wrote to memory of 988	2016	cmd.exe	csrss.exe
PID 2016 wrote to memory of 988	2016	cmd.exe	csrss.exe
PID 2016 wrote to memory of 988	2016	cmd.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
"C:\Users\Admin\AppData\Local\Temp\8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sF2vndZKwy.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:1504

C:\Windows\Resources\csrss.exe
"C:\Windows\Resources\csrss.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Default\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Resources\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Resources\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Downloads\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Downloads\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Downloads\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\System\ja-JP\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\System\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\Hearts\es-ES\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Hearts\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Games\Hearts\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:940

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sF2vndZKwy.bat
Filesize
195B

MD5
75edf10e4b389fee2341172e3d22dcd0

SHA1
fd1408f172d6978fe61734374577b6aa676ccf99

SHA256
fb6e69432a8e578b817aa725a8a28e3f44d87982e4cf66b9f3d5990c6ace1d8d

SHA512
39feb5ff564d9aa1e369a8238b020600d963f3835b7e3b589c38fc9c49c828927559722fd2e2fb0ec3501195904a35bab673b5f69053ede1995b520c979de91f

Download Submit
C:\Windows\Resources\csrss.exe
Filesize
2.1MB

MD5
f26bb4f3cc67c00580554bea3dac5e4a

SHA1
14c7857a8edc29dce1a27379f60f0d9443303627

SHA256
8148b7d10cc4d45ac6c2d1454119161a1ee677ac0986e4dd86e2f38a15b7ac19

SHA512
32c1d95bde25e1807ce7312280106259831057df7da893041c43d3c76def49de500ccb7e87b8c08af7657fdbd22117d9320dc4f9e7eebed85f54b3f2e7418010

Download Submit
C:\Windows\Resources\csrss.exe
Filesize
2.1MB

MD5
f26bb4f3cc67c00580554bea3dac5e4a

SHA1
14c7857a8edc29dce1a27379f60f0d9443303627

SHA256
8148b7d10cc4d45ac6c2d1454119161a1ee677ac0986e4dd86e2f38a15b7ac19

SHA512
32c1d95bde25e1807ce7312280106259831057df7da893041c43d3c76def49de500ccb7e87b8c08af7657fdbd22117d9320dc4f9e7eebed85f54b3f2e7418010

Download Submit
memory/980-57-0x0000000000490000-0x00000000004A2000-memory.dmp

Filesize
72KB

Download
memory/980-58-0x00000000004C0000-0x00000000004CE000-memory.dmp

Filesize
56KB

Download
memory/980-54-0x0000000000240000-0x000000000046A000-memory.dmp

Filesize
2.2MB

Download
memory/980-56-0x00000000006D0000-0x0000000000726000-memory.dmp

Filesize
344KB

Download
memory/980-55-0x0000000000470000-0x000000000048C000-memory.dmp

Filesize
112KB

Download
memory/988-63-0x0000000000000000-mapping.dmp

Download
memory/988-65-0x00000000011C0000-0x00000000013EA000-memory.dmp

Filesize
2.2MB

Download
memory/988-66-0x0000000000580000-0x00000000005D6000-memory.dmp

Filesize
344KB

Download
memory/988-67-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/1504-61-0x0000000000000000-mapping.dmp

Download
memory/2016-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads