dcrat | 90daa21921c8ca1eabcbb3e6c957d912c80809050537e688530b202bd81bfc57

General

Target

05301399.exe
Size

828KB
MD5

ece82b00b9400f1d09a763853964e291
SHA1

b1b36fcd10ff7833f9bb430ea371df5d295498af
SHA256

90daa21921c8ca1eabcbb3e6c957d912c80809050537e688530b202bd81bfc57
SHA512

52896f2e27d37356a1c7fa1c37c058d5a4a19164645253ac57f34d4f1a0644c9e08f9e651d1ce4b9968a97a95a76c8299592e19883ae461aa7bc88e4d6f46519
SSDEEP

12288:NaKyDgt9n5S56ZJ2dUWmBXcKOLUJMgAGuhLbLwN:NyDgt9n4iJ2dUbXwRgAGuLbLwN

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	472	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	472	schtasks.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1396-54-0x0000000000FE0000-0x00000000010B6000-memory.dmp	dcrat
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe	dcrat
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\winlogon.exe	dcrat
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\winlogon.exe	dcrat
behavioral1/memory/628-84-0x0000000000140000-0x0000000000216000-memory.dmp	dcrat
behavioral1/memory/628-85-0x000000001B160000-0x000000001B1E0000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

winlogon.exe

pid process

628 winlogon.exe

pid	process
628	winlogon.exe

Drops file in Program Files directory 11 IoCs

Processes:

05301399.exe

description	ioc	process
File created	C:\Program Files\Windows Sidebar\6ccacd8608530f	05301399.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\wininit.exe	05301399.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WmiPrvSE.exe	05301399.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\24dbde2999530e	05301399.exe
File created	C:\Program Files\Microsoft Games\Solitaire\lsass.exe	05301399.exe
File created	C:\Program Files\Microsoft Games\Solitaire\6203df4a6bafc7	05301399.exe
File created	C:\Program Files\Windows Sidebar\Idle.exe	05301399.exe
File created	C:\Program Files\Windows Media Player\it-IT\wininit.exe	05301399.exe
File created	C:\Program Files\Windows Media Player\it-IT\56085415360792	05301399.exe
File created	C:\Program Files (x86)\Windows Sidebar\dwm.exe	05301399.exe
File created	C:\Program Files (x86)\Windows Sidebar\6cb0b6c459d5d3	05301399.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
316	schtasks.exe
636	schtasks.exe
524	schtasks.exe
1852	schtasks.exe
1596	schtasks.exe
320	schtasks.exe
1688	schtasks.exe
1716	schtasks.exe
1356	schtasks.exe
568	schtasks.exe
112	schtasks.exe
584	schtasks.exe
396	schtasks.exe
656	schtasks.exe
844	schtasks.exe
1724	schtasks.exe
1976	schtasks.exe
1768	schtasks.exe
920	schtasks.exe
1344	schtasks.exe
892	schtasks.exe
1576	schtasks.exe
804	schtasks.exe
1632	schtasks.exe
556	schtasks.exe
1612	schtasks.exe
1608	schtasks.exe
1552	schtasks.exe
1500	schtasks.exe
1056	schtasks.exe
1648	schtasks.exe
1640	schtasks.exe
1808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

05301399.exe

pid process

1396 05301399.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

05301399.exewinlogon.exe

description pid process

Token: SeDebugPrivilege 1396 05301399.exe
Token: SeDebugPrivilege 628 winlogon.exe

pid	process
1396	05301399.exe

description	pid	process
Token: SeDebugPrivilege	1396	05301399.exe
Token: SeDebugPrivilege	628	winlogon.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

05301399.exe

description	pid	process	target process
PID 1396 wrote to memory of 628	1396	05301399.exe	winlogon.exe
PID 1396 wrote to memory of 628	1396	05301399.exe	winlogon.exe
PID 1396 wrote to memory of 628	1396	05301399.exe	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\05301399.exe
"C:\Users\Admin\AppData\Local\Temp\05301399.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\winlogon.exe
"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\winlogon.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\it-IT\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Games\Solitaire\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Solitaire\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\Solitaire\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "053013990" /sc MINUTE /mo 12 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\05301399.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "05301399" /sc ONLOGON /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\05301399.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "053013990" /sc MINUTE /mo 11 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\05301399.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1056

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe
Filesize
828KB

MD5
ece82b00b9400f1d09a763853964e291

SHA1
b1b36fcd10ff7833f9bb430ea371df5d295498af

SHA256
90daa21921c8ca1eabcbb3e6c957d912c80809050537e688530b202bd81bfc57

SHA512
52896f2e27d37356a1c7fa1c37c058d5a4a19164645253ac57f34d4f1a0644c9e08f9e651d1ce4b9968a97a95a76c8299592e19883ae461aa7bc88e4d6f46519

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\winlogon.exe
Filesize
828KB

MD5
ece82b00b9400f1d09a763853964e291

SHA1
b1b36fcd10ff7833f9bb430ea371df5d295498af

SHA256
90daa21921c8ca1eabcbb3e6c957d912c80809050537e688530b202bd81bfc57

SHA512
52896f2e27d37356a1c7fa1c37c058d5a4a19164645253ac57f34d4f1a0644c9e08f9e651d1ce4b9968a97a95a76c8299592e19883ae461aa7bc88e4d6f46519

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\winlogon.exe
Filesize
828KB

MD5
ece82b00b9400f1d09a763853964e291

SHA1
b1b36fcd10ff7833f9bb430ea371df5d295498af

SHA256
90daa21921c8ca1eabcbb3e6c957d912c80809050537e688530b202bd81bfc57

SHA512
52896f2e27d37356a1c7fa1c37c058d5a4a19164645253ac57f34d4f1a0644c9e08f9e651d1ce4b9968a97a95a76c8299592e19883ae461aa7bc88e4d6f46519

Download Submit
memory/628-84-0x0000000000140000-0x0000000000216000-memory.dmp

Filesize
856KB

Download
memory/628-85-0x000000001B160000-0x000000001B1E0000-memory.dmp

Filesize
512KB

Download
memory/1396-54-0x0000000000FE0000-0x00000000010B6000-memory.dmp

Filesize
856KB

Download
memory/1396-55-0x000000001AC60000-0x000000001ACE0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads