dcrat | 5a41a105b733d97acc93315066ac39f50c2d2923df02d86c5b0b143fc3e82ff6

General

Target

000c25f85640678f636a31909dbf94e7.exe
Size

1.7MB
MD5

000c25f85640678f636a31909dbf94e7
SHA1

55b1fca413b176d243caf796af4358a510ad931a
SHA256

5a41a105b733d97acc93315066ac39f50c2d2923df02d86c5b0b143fc3e82ff6
SHA512

93ea97e0334d94269ca888b347c24bc8215ac5b579be9816b5328c8439287048484b08bd9a41c4465aaeebbc9e2d8b9bd953c52d74f987206e8ceff1a5adf5d5
SSDEEP

12288:y+CW3EFxVkNFuwoUDInV/kg0d0lx743tIm2atsbWvL50R0cf9AQyIpHnMuDaP41:yg3BNloUDi4LFueIyR+w7V33Vd

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3480	3660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	3660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	3660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	3660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3828	3660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	3660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	3660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3544	3660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3376	3660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3688	3660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	3660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	3660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	3660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	3660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	3660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3740	3660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3076	3660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	3660	schtasks.exe	87

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3844-4-0x0000000000400000-0x0000000000456000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	000c25f85640678f636a31909dbf94e7.exe

Executes dropped EXE 4 IoCs

pid	Process
2492	RuntimeBroker.exe
4136	RuntimeBroker.exe
1816	RuntimeBroker.exe
4656	RuntimeBroker.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1508 set thread context of 3844	1508	000c25f85640678f636a31909dbf94e7.exe	82
PID 2492 set thread context of 4656	2492	RuntimeBroker.exe	114

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\OfficeClickToRun.exe	000c25f85640678f636a31909dbf94e7.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe	000c25f85640678f636a31909dbf94e7.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\5b884080fd4f94	000c25f85640678f636a31909dbf94e7.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\lsass.exe	000c25f85640678f636a31909dbf94e7.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\6203df4a6bafc7	000c25f85640678f636a31909dbf94e7.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe	000c25f85640678f636a31909dbf94e7.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\smss.exe	000c25f85640678f636a31909dbf94e7.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\69ddcba757bf72	000c25f85640678f636a31909dbf94e7.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\e6c9b481da804f	000c25f85640678f636a31909dbf94e7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4840	schtasks.exe
1532	schtasks.exe
1384	schtasks.exe
3076	schtasks.exe
3480	schtasks.exe
4752	schtasks.exe
2920	schtasks.exe
3688	schtasks.exe
2436	schtasks.exe
5068	schtasks.exe
2360	schtasks.exe
3828	schtasks.exe
3376	schtasks.exe
4016	schtasks.exe
4804	schtasks.exe
3544	schtasks.exe
4988	schtasks.exe
3740	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3844	000c25f85640678f636a31909dbf94e7.exe
3844	000c25f85640678f636a31909dbf94e7.exe
3844	000c25f85640678f636a31909dbf94e7.exe
3844	000c25f85640678f636a31909dbf94e7.exe
3844	000c25f85640678f636a31909dbf94e7.exe
3844	000c25f85640678f636a31909dbf94e7.exe
3844	000c25f85640678f636a31909dbf94e7.exe
3844	000c25f85640678f636a31909dbf94e7.exe
3844	000c25f85640678f636a31909dbf94e7.exe
2492	RuntimeBroker.exe
2492	RuntimeBroker.exe
2492	RuntimeBroker.exe
2492	RuntimeBroker.exe
4656	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3844	000c25f85640678f636a31909dbf94e7.exe
Token: SeDebugPrivilege	2492	RuntimeBroker.exe
Token: SeDebugPrivilege	4656	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 3844	1508	000c25f85640678f636a31909dbf94e7.exe	82
PID 1508 wrote to memory of 3844	1508	000c25f85640678f636a31909dbf94e7.exe	82
PID 1508 wrote to memory of 3844	1508	000c25f85640678f636a31909dbf94e7.exe	82
PID 1508 wrote to memory of 3844	1508	000c25f85640678f636a31909dbf94e7.exe	82
PID 1508 wrote to memory of 3844	1508	000c25f85640678f636a31909dbf94e7.exe	82
PID 1508 wrote to memory of 3844	1508	000c25f85640678f636a31909dbf94e7.exe	82
PID 1508 wrote to memory of 3844	1508	000c25f85640678f636a31909dbf94e7.exe	82
PID 1508 wrote to memory of 3844	1508	000c25f85640678f636a31909dbf94e7.exe	82
PID 3844 wrote to memory of 2492	3844	000c25f85640678f636a31909dbf94e7.exe	109
PID 3844 wrote to memory of 2492	3844	000c25f85640678f636a31909dbf94e7.exe	109
PID 3844 wrote to memory of 2492	3844	000c25f85640678f636a31909dbf94e7.exe	109
PID 2492 wrote to memory of 4136	2492	RuntimeBroker.exe	110
PID 2492 wrote to memory of 4136	2492	RuntimeBroker.exe	110
PID 2492 wrote to memory of 4136	2492	RuntimeBroker.exe	110
PID 2492 wrote to memory of 1816	2492	RuntimeBroker.exe	112
PID 2492 wrote to memory of 1816	2492	RuntimeBroker.exe	112
PID 2492 wrote to memory of 1816	2492	RuntimeBroker.exe	112
PID 2492 wrote to memory of 4656	2492	RuntimeBroker.exe	114
PID 2492 wrote to memory of 4656	2492	RuntimeBroker.exe	114
PID 2492 wrote to memory of 4656	2492	RuntimeBroker.exe	114
PID 2492 wrote to memory of 4656	2492	RuntimeBroker.exe	114
PID 2492 wrote to memory of 4656	2492	RuntimeBroker.exe	114
PID 2492 wrote to memory of 4656	2492	RuntimeBroker.exe	114
PID 2492 wrote to memory of 4656	2492	RuntimeBroker.exe	114
PID 2492 wrote to memory of 4656	2492	RuntimeBroker.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\000c25f85640678f636a31909dbf94e7.exe
"C:\Users\Admin\AppData\Local\Temp\000c25f85640678f636a31909dbf94e7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Users\Admin\AppData\Local\Temp\000c25f85640678f636a31909dbf94e7.exe
  "C:\Users\Admin\AppData\Local\Temp\000c25f85640678f636a31909dbf94e7.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\odt\RuntimeBroker.exe
    "C:\odt\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\odt\RuntimeBroker.exe
      "C:\odt\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      PID:4136
  - - C:\odt\RuntimeBroker.exe
      "C:\odt\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      PID:1816
  - - C:\odt\RuntimeBroker.exe
      "C:\odt\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\OfficeClickToRun.exe

Filesize
1.7MB

MD5
000c25f85640678f636a31909dbf94e7

SHA1
55b1fca413b176d243caf796af4358a510ad931a

SHA256
5a41a105b733d97acc93315066ac39f50c2d2923df02d86c5b0b143fc3e82ff6

SHA512
93ea97e0334d94269ca888b347c24bc8215ac5b579be9816b5328c8439287048484b08bd9a41c4465aaeebbc9e2d8b9bd953c52d74f987206e8ceff1a5adf5d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\000c25f85640678f636a31909dbf94e7.exe.log

Filesize
321B

MD5
baf5d1398fdb79e947b60fe51e45397f

SHA1
49e7b8389f47b93509d621b8030b75e96bb577af

SHA256
10c8c7b5fa58f8c6b69f44e92a4e2af111b59fcf4f21a07e04b19e14876ccdf8

SHA512
b2c9ef5581d5eae7c17ae260fe9f52344ed737fa851cb44d1cea58a32359d0ac5d0ca3099c970209bd30a0d4af6e504101f21b7054cf5eca91c0831cf12fb413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RuntimeBroker.exe.log

Filesize
321B

MD5
baf5d1398fdb79e947b60fe51e45397f

SHA1
49e7b8389f47b93509d621b8030b75e96bb577af

SHA256
10c8c7b5fa58f8c6b69f44e92a4e2af111b59fcf4f21a07e04b19e14876ccdf8

SHA512
b2c9ef5581d5eae7c17ae260fe9f52344ed737fa851cb44d1cea58a32359d0ac5d0ca3099c970209bd30a0d4af6e504101f21b7054cf5eca91c0831cf12fb413

Download Submit
C:\odt\RuntimeBroker.exe

Filesize
1.7MB

MD5
000c25f85640678f636a31909dbf94e7

SHA1
55b1fca413b176d243caf796af4358a510ad931a

SHA256
5a41a105b733d97acc93315066ac39f50c2d2923df02d86c5b0b143fc3e82ff6

SHA512
93ea97e0334d94269ca888b347c24bc8215ac5b579be9816b5328c8439287048484b08bd9a41c4465aaeebbc9e2d8b9bd953c52d74f987206e8ceff1a5adf5d5

Download Submit
C:\odt\RuntimeBroker.exe

Filesize
1.7MB

MD5
000c25f85640678f636a31909dbf94e7

SHA1
55b1fca413b176d243caf796af4358a510ad931a

SHA256
5a41a105b733d97acc93315066ac39f50c2d2923df02d86c5b0b143fc3e82ff6

SHA512
93ea97e0334d94269ca888b347c24bc8215ac5b579be9816b5328c8439287048484b08bd9a41c4465aaeebbc9e2d8b9bd953c52d74f987206e8ceff1a5adf5d5

Download Submit
C:\odt\RuntimeBroker.exe

Filesize
1.7MB

MD5
000c25f85640678f636a31909dbf94e7

SHA1
55b1fca413b176d243caf796af4358a510ad931a

SHA256
5a41a105b733d97acc93315066ac39f50c2d2923df02d86c5b0b143fc3e82ff6

SHA512
93ea97e0334d94269ca888b347c24bc8215ac5b579be9816b5328c8439287048484b08bd9a41c4465aaeebbc9e2d8b9bd953c52d74f987206e8ceff1a5adf5d5

Download Submit
C:\odt\RuntimeBroker.exe

Filesize
1.7MB

MD5
000c25f85640678f636a31909dbf94e7

SHA1
55b1fca413b176d243caf796af4358a510ad931a

SHA256
5a41a105b733d97acc93315066ac39f50c2d2923df02d86c5b0b143fc3e82ff6

SHA512
93ea97e0334d94269ca888b347c24bc8215ac5b579be9816b5328c8439287048484b08bd9a41c4465aaeebbc9e2d8b9bd953c52d74f987206e8ceff1a5adf5d5

Download Submit
C:\odt\RuntimeBroker.exe

Filesize
1.7MB

MD5
000c25f85640678f636a31909dbf94e7

SHA1
55b1fca413b176d243caf796af4358a510ad931a

SHA256
5a41a105b733d97acc93315066ac39f50c2d2923df02d86c5b0b143fc3e82ff6

SHA512
93ea97e0334d94269ca888b347c24bc8215ac5b579be9816b5328c8439287048484b08bd9a41c4465aaeebbc9e2d8b9bd953c52d74f987206e8ceff1a5adf5d5

Download Submit
memory/1508-1-0x00000000003D0000-0x0000000000582000-memory.dmp

Filesize
1.7MB

Download
memory/1508-3-0x0000000002930000-0x000000000293A000-memory.dmp

Filesize
40KB

Download
memory/1508-0-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/1508-2-0x0000000005540000-0x0000000005AE4000-memory.dmp

Filesize
5.6MB

Download
memory/1508-8-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/2492-34-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/2492-41-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/3844-9-0x0000000005720000-0x0000000005730000-memory.dmp

Filesize
64KB

Download
memory/3844-7-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/3844-33-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/3844-4-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3844-12-0x0000000005D80000-0x0000000005DE6000-memory.dmp

Filesize
408KB

Download
memory/4656-42-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/4656-43-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/4656-44-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads