dcrat | 9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942

General

Target

9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
Size

1.6MB
MD5

844679e76d8254bedd67c98610f7d7ac
SHA1

4222ebbb055830096b829f072783423dbe255932
SHA256

9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942
SHA512

fddb80736936d7c0d46ec3958885237681cbbd416455d7a48d075092d38a0c5e435112c25b595b8cc99b0a8ed2143ac2f28e893373a7b6e9772ee722706a3c05
SSDEEP

24576:2ztKoZmCJ4YrujnaOBDEzKt3pJqc7BnA8js2TvgAts0qB0FjbpcKSzQy8v1:O995MUzKNac7BnbbTvgCFTYQy+

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	1376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	1376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	1376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	1376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3316	1376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	1376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	1376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	1376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	1376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	1376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	1376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	1376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	1376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	1376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	1376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3520	1376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3648	1376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	1376	schtasks.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe

Drops file in Program Files directory 4 IoCs

Processes:

9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe

description	ioc	process
File created	C:\Program Files\VideoLAN\VLC\29c1c3cc0f7685	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
File created	C:\Program Files\Windows Photo Viewer\upfc.exe	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
File created	C:\Program Files\Windows Photo Viewer\ea1d8f6d871115	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
File created	C:\Program Files\VideoLAN\VLC\unsecapp.exe	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
5004	schtasks.exe
4360	schtasks.exe
4952	schtasks.exe
2772	schtasks.exe
3540	schtasks.exe
3316	schtasks.exe
4876	schtasks.exe
208	schtasks.exe
2884	schtasks.exe
3520	schtasks.exe
2736	schtasks.exe
3936	schtasks.exe
4432	schtasks.exe
2328	schtasks.exe
3028	schtasks.exe
1320	schtasks.exe
4052	schtasks.exe
3648	schtasks.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe

pid	process
5088	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
5088	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
5088	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
5088	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
5088	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
5088	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
5088	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
5088	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
5088	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
5088	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
5088	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
5088	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
5088	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
5088	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
5088	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
5088	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
5088	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
5088	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
5088	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
5088	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
5088	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
4636	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
4636	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
4636	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
4636	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
4636	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
4636	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
4636	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
4636	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
4636	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
4636	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
4636	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
4636	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
4636	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
4636	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
4636	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
4636	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
4636	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
4636	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
4636	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
4636	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe

description	pid	process
Token: SeDebugPrivilege	5088	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
Token: SeDebugPrivilege	4636	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.execmd.exe

description	pid	process	target process
PID 5088 wrote to memory of 2536	5088	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe	cmd.exe
PID 5088 wrote to memory of 2536	5088	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe	cmd.exe
PID 2536 wrote to memory of 2848	2536	cmd.exe	chcp.com
PID 2536 wrote to memory of 2848	2536	cmd.exe	chcp.com
PID 2536 wrote to memory of 60	2536	cmd.exe	w32tm.exe
PID 2536 wrote to memory of 60	2536	cmd.exe	w32tm.exe
PID 2536 wrote to memory of 4636	2536	cmd.exe	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
PID 2536 wrote to memory of 4636	2536	cmd.exe	9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
"C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r99M4pvs6D.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2848
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:60
- - C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
    "C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Templates\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Templates\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Templates\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Documents\My Videos\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Videos\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Users\Default\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\Default\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a219429" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a219429" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe.log

Filesize
1KB

MD5
4ef3ab577fdbd5c7dd815e496ecd5601

SHA1
8dd86865a8e5f1c4c77a21cc2b26cc31e8330ad8

SHA256
72a639b0e0027ca8e0bb9d3cbd12b56797c431a9171acaea9217aff387961964

SHA512
ffe35302cf9922fb22d681c989162a46220b949b5dcaf076eadb1ced347ff0b7a77421ce6ee06514faf9c5364e2094f5a2ec239a537c28c88d32e21262501c9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\r99M4pvs6D.bat

Filesize
278B

MD5
f0edce6eba6ed7d68b5319f912fcf147

SHA1
254b05605a3008d065318d8be4a89446b404b48f

SHA256
19b10ee309a78816842515f708d885c15f4081ad18c91c23271d4618d0b27043

SHA512
3cfbc28f4c1df4eb0f5bb337fd0d26379176804bf071967ce926af364125a7f5af6aa3150ebbffe8286d8f7f8e4f229225b91ee659fc05a0d7293b8d25279a89

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\winlogon.exe

Filesize
1.6MB

MD5
844679e76d8254bedd67c98610f7d7ac

SHA1
4222ebbb055830096b829f072783423dbe255932

SHA256
9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942

SHA512
fddb80736936d7c0d46ec3958885237681cbbd416455d7a48d075092d38a0c5e435112c25b595b8cc99b0a8ed2143ac2f28e893373a7b6e9772ee722706a3c05

Download Submit
memory/4636-32-0x0000000002690000-0x0000000002698000-memory.dmp

Filesize
32KB

Download
memory/5088-20-0x00007FFCFD080000-0x00007FFCFDB41000-memory.dmp

Filesize
10.8MB

Download
memory/5088-6-0x00000000024A0000-0x00000000024AE000-memory.dmp

Filesize
56KB

Download
memory/5088-7-0x00007FFCFD080000-0x00007FFCFDB41000-memory.dmp

Filesize
10.8MB

Download
memory/5088-8-0x00007FFCFD080000-0x00007FFCFDB41000-memory.dmp

Filesize
10.8MB

Download
memory/5088-0-0x00007FFCFD083000-0x00007FFCFD085000-memory.dmp

Filesize
8KB

Download
memory/5088-3-0x00007FFCFD080000-0x00007FFCFDB41000-memory.dmp

Filesize
10.8MB

Download
memory/5088-21-0x00007FFCFD080000-0x00007FFCFDB41000-memory.dmp

Filesize
10.8MB

Download
memory/5088-22-0x00007FFCFD080000-0x00007FFCFDB41000-memory.dmp

Filesize
10.8MB

Download
memory/5088-2-0x00007FFCFD080000-0x00007FFCFDB41000-memory.dmp

Filesize
10.8MB

Download
memory/5088-29-0x00007FFCFD080000-0x00007FFCFDB41000-memory.dmp

Filesize
10.8MB

Download
memory/5088-1-0x0000000000120000-0x00000000002C2000-memory.dmp

Filesize
1.6MB

Download
memory/5088-4-0x00007FFCFD080000-0x00007FFCFDB41000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads