dcrat | fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056

General

Target

fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Size

2.0MB
MD5

96373b1a9080aa751b5a98fc96cfb66c
SHA1

17436af89fdf67d4c60416b7bccda9f6cb3cd490
SHA256

fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056
SHA512

4cacede2b67488e46c978cbd1956ed4c0b0c1657bdd3e9b9a80203bb1175fb0b2aceadd8dbedef331332d578191620435e9561b56db420b28b767ba2dfdc9f79
SSDEEP

24576:0n2XTCHM4xT9V3XzsHhVmatCELYIXVelAtgbHHd:iaTUv0jmtEttc

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 14 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1860	schtasks.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\56085415360792		fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
		2708	schtasks.exe
		2672	schtasks.exe
		2308	schtasks.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\wininit.exe		fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
		2468	schtasks.exe
		2592	schtasks.exe
		3044	schtasks.exe
		2624	schtasks.exe
		3052	schtasks.exe
		2488	schtasks.exe
		2060	schtasks.exe
		2492	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\wininit.exe\", \"C:\\Users\\Default User\\taskhost.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\sppsvc.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\wininit.exe\", \"C:\\Users\\Default User\\taskhost.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\wininit.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\wininit.exe\", \"C:\\Users\\Default User\\taskhost.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2676	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2676	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2676	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2676	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2676	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2676	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2676	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2676	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2676	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2676	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2676	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2676	schtasks.exe	28

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2660-0-0x0000000000D70000-0x0000000000F7C000-memory.dmp	dcrat
behavioral1/files/0x0006000000014ef8-26.dat	dcrat
behavioral1/files/0x0008000000015616-48.dat	dcrat
behavioral1/memory/2364-84-0x0000000000E80000-0x000000000108C000-memory.dmp	dcrat

Detects executables containing bas64 encoded gzip files 4 IoCs

resource	yara_rule
behavioral1/memory/2660-0-0x0000000000D70000-0x0000000000F7C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral1/files/0x0006000000014ef8-26.dat	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral1/files/0x0008000000015616-48.dat	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral1/memory/2364-84-0x0000000000E80000-0x000000000108C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File

Detects executables packed with SmartAssembly 3 IoCs

resource	yara_rule
behavioral1/memory/2660-5-0x0000000000270000-0x0000000000280000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2660-10-0x00000000004C0000-0x00000000004CC000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2660-13-0x0000000000530000-0x000000000053A000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Executes dropped EXE 1 IoCs

pid	Process
2364	taskhost.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Default User\\taskhost.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Default User\\taskhost.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\sppsvc.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\sppsvc.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dwm.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\wininit.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\wininit.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\wininit.exe	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\sppsvc.exe	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\RCXEB2.tmp	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RCX1339.tmp	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\sppsvc.exe	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\wininit.exe	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\56085415360792	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\0a1fd5f707cd16	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\RCXEB3.tmp	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RCX133A.tmp	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2672	schtasks.exe
2624	schtasks.exe
2492	schtasks.exe
2708	schtasks.exe
2308	schtasks.exe
1860	schtasks.exe
3052	schtasks.exe
2060	schtasks.exe
2468	schtasks.exe
2488	schtasks.exe
2592	schtasks.exe
3044	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2660	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
2364	taskhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2660	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Token: SeDebugPrivilege	2364	taskhost.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 1868	2660	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe	41
PID 2660 wrote to memory of 1868	2660	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe	41
PID 2660 wrote to memory of 1868	2660	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe	41
PID 1868 wrote to memory of 1556	1868	cmd.exe	43
PID 1868 wrote to memory of 1556	1868	cmd.exe	43
PID 1868 wrote to memory of 1556	1868	cmd.exe	43
PID 1868 wrote to memory of 2364	1868	cmd.exe	44
PID 1868 wrote to memory of 2364	1868	cmd.exe	44
PID 1868 wrote to memory of 2364	1868	cmd.exe	44

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
"C:\Users\Admin\AppData\Local\Temp\fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ITN63wlJdh.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1556
- - C:\Users\Default User\taskhost.exe
    "C:\Users\Default User\taskhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ITN63wlJdh.bat

Filesize
199B

MD5
b6a927125b9bbc279dc58265f98941df

SHA1
7d213f88748ea9084851e74ce3ca159fdf859a18

SHA256
514f0bc67a16b4b218dcb27289927d3275b17299b40e0561d1db9723d6e7646b

SHA512
25f7b34631b76815cb28236863063f194856db66d87e582d8ea4f2ed14bd7a838494620d5a2d410e5e85c593e869b74fd320e770052fef466c2819bd76d7ca8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCXC9F.tmp

Filesize
2.0MB

MD5
96373b1a9080aa751b5a98fc96cfb66c

SHA1
17436af89fdf67d4c60416b7bccda9f6cb3cd490

SHA256
fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056

SHA512
4cacede2b67488e46c978cbd1956ed4c0b0c1657bdd3e9b9a80203bb1175fb0b2aceadd8dbedef331332d578191620435e9561b56db420b28b767ba2dfdc9f79

Download Submit
C:\Users\Default\taskhost.exe

Filesize
2.0MB

MD5
0ae07181dade340fe4ab0ac43da9ded2

SHA1
010a151b009406c00ea5ebf731bbfbadce80fbba

SHA256
cc158358cb60dd1e69e4bb1d66bc30206b91de4337bf297758e99f3fcc677fdc

SHA512
4bd2cbb4fb6491626fa1b576fbe389aa9520cd1ac1dd90f135ffd810489109c18c8e92a583b88279394c2384ab246044e3e091bed500bae517ccdabac3d66f6d

Download Submit
memory/2364-87-0x000007FEF51A0000-0x000007FEF5B8C000-memory.dmp

Filesize
9.9MB

Download
memory/2364-86-0x000000001AAA0000-0x000000001AB20000-memory.dmp

Filesize
512KB

Download
memory/2364-85-0x000007FEF51A0000-0x000007FEF5B8C000-memory.dmp

Filesize
9.9MB

Download
memory/2364-84-0x0000000000E80000-0x000000000108C000-memory.dmp

Filesize
2.0MB

Download
memory/2660-5-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/2660-7-0x00000000006D0000-0x0000000000726000-memory.dmp

Filesize
344KB

Download
memory/2660-9-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/2660-10-0x00000000004C0000-0x00000000004CC000-memory.dmp

Filesize
48KB

Download
memory/2660-11-0x00000000004D0000-0x00000000004DE000-memory.dmp

Filesize
56KB

Download
memory/2660-12-0x00000000004E0000-0x00000000004EE000-memory.dmp

Filesize
56KB

Download
memory/2660-13-0x0000000000530000-0x000000000053A000-memory.dmp

Filesize
40KB

Download
memory/2660-8-0x0000000000320000-0x000000000032C000-memory.dmp

Filesize
48KB

Download
memory/2660-6-0x0000000000300000-0x0000000000316000-memory.dmp

Filesize
88KB

Download
memory/2660-0-0x0000000000D70000-0x0000000000F7C000-memory.dmp

Filesize
2.0MB

Download
memory/2660-81-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download
memory/2660-4-0x0000000000260000-0x0000000000268000-memory.dmp

Filesize
32KB

Download
memory/2660-3-0x0000000000240000-0x000000000025C000-memory.dmp

Filesize
112KB

Download
memory/2660-2-0x000000001B420000-0x000000001B4A0000-memory.dmp

Filesize
512KB

Download
memory/2660-1-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads