dcrat | 5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48

General

Target

5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
Size

2.4MB
MD5

526153cbd86009228ad53cd262a9c6b3
SHA1

6bbe6ce1bdd69cfd516170d5abe2fe4379b6bac2
SHA256

5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48
SHA512

9b01653e6f5b80d8497d8aba00aca45b305feaecd13fd4075ff4e1c06d9cb29d96d0422b3dce43d0b96316510f6fad1e2e49b64ac6038725961de98e7ba9d665
SSDEEP

49152:TF42UxdKzPsUdtK7iOgwNwjlYrdnXJc9Qn3z4:TC2UxdYZhOIeBXJcu3

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat 24 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2612	schtasks.exe
		2328	schtasks.exe
		2284	schtasks.exe
		2540	schtasks.exe
File created	C:\Windows\Resources\7a0fd90576e088		5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
		2356	schtasks.exe
		1488	schtasks.exe
		1932	schtasks.exe
		956	schtasks.exe
		2152	schtasks.exe
		1252	schtasks.exe
		2184	schtasks.exe
		2032	schtasks.exe
		1936	schtasks.exe
		2020	schtasks.exe
		1540	schtasks.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\lsm.exe		5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
		2696	schtasks.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\101b941d020240		5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
		2516	schtasks.exe
		1664	schtasks.exe
		860	schtasks.exe
		2136	schtasks.exe
		2396	schtasks.exe

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2868	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2868	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2868	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2868	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2868	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2868	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2868	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2868	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2868	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2868	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2868	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2868	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2868	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2868	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2868	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2868	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2868	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2868	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2868	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2868	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	2868	schtasks.exe	28

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2756-1-0x0000000000FC0000-0x0000000001236000-memory.dmp	dcrat
behavioral1/files/0x0006000000016c10-27.dat	dcrat
behavioral1/memory/1772-39-0x00000000002B0000-0x0000000000526000-memory.dmp	dcrat

Detects executables packed with SmartAssembly 1 IoCs

resource	yara_rule
behavioral1/memory/2756-10-0x0000000000F70000-0x0000000000F7A000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Executes dropped EXE 1 IoCs

pid	Process
1772	Idle.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Sidebar\fr-FR\lsm.exe	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\101b941d020240	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\lsm.exe	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Resources\explorer.exe	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
File created	C:\Windows\Resources\7a0fd90576e088	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1664	schtasks.exe
2284	schtasks.exe
2540	schtasks.exe
2152	schtasks.exe
1252	schtasks.exe
1932	schtasks.exe
2020	schtasks.exe
2612	schtasks.exe
2356	schtasks.exe
2328	schtasks.exe
1488	schtasks.exe
2032	schtasks.exe
2696	schtasks.exe
1540	schtasks.exe
2396	schtasks.exe
860	schtasks.exe
2136	schtasks.exe
956	schtasks.exe
2516	schtasks.exe
2184	schtasks.exe
1936	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2756	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
1052	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
1772	Idle.exe
1772	Idle.exe
1772	Idle.exe
1772	Idle.exe
1772	Idle.exe
1772	Idle.exe
1772	Idle.exe
1772	Idle.exe
1772	Idle.exe
1772	Idle.exe
1772	Idle.exe
1772	Idle.exe
1772	Idle.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1772	Idle.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
Token: SeDebugPrivilege	1052	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
Token: SeDebugPrivilege	1772	Idle.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2188	2756	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe	38
PID 2756 wrote to memory of 2188	2756	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe	38
PID 2756 wrote to memory of 2188	2756	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe	38
PID 2188 wrote to memory of 680	2188	cmd.exe	40
PID 2188 wrote to memory of 680	2188	cmd.exe	40
PID 2188 wrote to memory of 680	2188	cmd.exe	40
PID 2188 wrote to memory of 1052	2188	cmd.exe	41
PID 2188 wrote to memory of 1052	2188	cmd.exe	41
PID 2188 wrote to memory of 1052	2188	cmd.exe	41
PID 1052 wrote to memory of 1772	1052	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe	54
PID 1052 wrote to memory of 1772	1052	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe	54
PID 1052 wrote to memory of 1772	1052	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe	54
PID 1772 wrote to memory of 2708	1772	Idle.exe	55
PID 1772 wrote to memory of 2708	1772	Idle.exe	55
PID 1772 wrote to memory of 2708	1772	Idle.exe	55
PID 1772 wrote to memory of 436	1772	Idle.exe	56
PID 1772 wrote to memory of 436	1772	Idle.exe	56
PID 1772 wrote to memory of 436	1772	Idle.exe	56

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
"C:\Users\Admin\AppData\Local\Temp\5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe"
1⤵
- DcRat
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iR4PpyYAmz.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:680
- - C:\Users\Admin\AppData\Local\Temp\5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
    "C:\Users\Admin\AppData\Local\Temp\5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1052
  - - C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\Idle.exe
      "C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\Idle.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1772
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1942ee7-a0a8-4457-a087-b51e40570a83.vbs"
        5⤵
        
        PID:2708
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2fbff078-5fe0-4283-9ea3-7ab318677d0d.vbs"
        5⤵
        
        PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\Resources\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Resources\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Downloads\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Downloads\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe

Filesize
2.4MB

MD5
526153cbd86009228ad53cd262a9c6b3

SHA1
6bbe6ce1bdd69cfd516170d5abe2fe4379b6bac2

SHA256
5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48

SHA512
9b01653e6f5b80d8497d8aba00aca45b305feaecd13fd4075ff4e1c06d9cb29d96d0422b3dce43d0b96316510f6fad1e2e49b64ac6038725961de98e7ba9d665

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fbff078-5fe0-4283-9ea3-7ab318677d0d.vbs

Filesize
509B

MD5
23b537cf8094fcbb6ff9a3fd56445d80

SHA1
d1e0b5152fb17bd873e615b9066cc5298d62b975

SHA256
d40bc4babb8fe46e83d6a0e7ca074d09c8d6f931c2985f1931c9e9d96ea7309c

SHA512
e3c056bd9918cd6ce0129c67461229e77e5de19a9939b0278407a2b16566315507ecca969cba03482887fa64dfc00982589ed98b8f640335d3dd8e8b55098b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1942ee7-a0a8-4457-a087-b51e40570a83.vbs

Filesize
733B

MD5
796fff4052ddf748fa052a12b91c4252

SHA1
ee102b8b12c6127f807e5fbea7f92885b04dcbda

SHA256
18e298dcd26ad0e9e29ac8b5a00614748e2154e86c4a6dd9e72e7920d0744063

SHA512
495d4382a8ab9e465010c23892661e502b1d6c6299b1c30a5c2bb806c7047467cfa63098a3f599e58868514f10dfaec60517a33a1c8a08aec37e5963eb5de2bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\iR4PpyYAmz.bat

Filesize
267B

MD5
396ecdcd588876860b656c39e7b43478

SHA1
aaaab3391b167b2c1b999fdd63ddb90cd535c8fa

SHA256
a3f242f8596386f8860ca95203bac5b5e3cdc7f58d7c964cfd37a18a3c5164f4

SHA512
1e94bb8c19fe994572d950d94e8da44486624dbbcfd412f14a85109bf66724ad0348791bcbe44f73b35b70d890c318ee4fd541a9da8a73cf61cec123aa26656f

Download Submit
memory/1772-40-0x0000000000750000-0x00000000007A6000-memory.dmp

Filesize
344KB

Download
memory/1772-39-0x00000000002B0000-0x0000000000526000-memory.dmp

Filesize
2.5MB

Download
memory/2756-5-0x0000000000AB0000-0x0000000000AC6000-memory.dmp

Filesize
88KB

Download
memory/2756-6-0x0000000000AD0000-0x0000000000B26000-memory.dmp

Filesize
344KB

Download
memory/2756-8-0x0000000000B20000-0x0000000000B32000-memory.dmp

Filesize
72KB

Download
memory/2756-9-0x0000000000B30000-0x0000000000B38000-memory.dmp

Filesize
32KB

Download
memory/2756-10-0x0000000000F70000-0x0000000000F7A000-memory.dmp

Filesize
40KB

Download
memory/2756-11-0x0000000000F80000-0x0000000000F8E000-memory.dmp

Filesize
56KB

Download
memory/2756-12-0x0000000000F90000-0x0000000000F9C000-memory.dmp

Filesize
48KB

Download
memory/2756-7-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2756-24-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2756-0-0x000007FEF53D3000-0x000007FEF53D4000-memory.dmp

Filesize
4KB

Download
memory/2756-4-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/2756-3-0x00000000004D0000-0x00000000004EC000-memory.dmp

Filesize
112KB

Download
memory/2756-2-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2756-1-0x0000000000FC0000-0x0000000001236000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads