dcrat | c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af

General

Target

c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe
Size

8.4MB
MD5

23e7c44b93cb1b729d816de6e2800888
SHA1

aa0d6d3655991fcc2bee30f2e4002150c3c08c7f
SHA256

c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af
SHA512

78671a96f54348695f839199340cd4fa5f9816c0ab740c8492f877deba6bed3191407e3096f3bd107cde7e65cd12a15140222656c2f53f8d7ece6881ec456fb9
SSDEEP

24576:L+O4Gq8ijgGfy8vWYT0Z3VTaLMo6e7h4su+A3uFDIU2lklx2yDUZFyn7ftR0K1ww:6hJgGfys0DTi7hhcGWn1ZBfY4KGrM

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\WSDApi\\winlogon.exe\", \"C:\\Documents and Settings\\winlogon.exe\", \"C:\\Users\\Default User\\audiodg.exe\""	c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\WSDApi\\winlogon.exe\", \"C:\\Documents and Settings\\winlogon.exe\", \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Windows\\System32\\KBDCR\\smss.exe\""	c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\WSDApi\\winlogon.exe\", \"C:\\Documents and Settings\\winlogon.exe\", \"C:\\Users\\Default User\\audiodg.exe\", \"C:\\Windows\\System32\\KBDCR\\smss.exe\", \"C:\\Windows\\System32\\fdWCN\\winlogon.exe\""	c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\WSDApi\\winlogon.exe\""	c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\WSDApi\\winlogon.exe\", \"C:\\Documents and Settings\\winlogon.exe\""	c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2876	schtasks.exe

Executes dropped EXE 1 IoCs

Processes:

winlogon.exe

pid process

2724 winlogon.exe

pid	process
2724	winlogon.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Documents and Settings\\winlogon.exe\""	c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Documents and Settings\\winlogon.exe\""	c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\Default User\\audiodg.exe\""	c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\fdWCN\\winlogon.exe\""	c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\WSDApi\\winlogon.exe\""	c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\WSDApi\\winlogon.exe\""	c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\KBDCR\\smss.exe\""	c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\fdWCN\\winlogon.exe\""	c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\Default User\\audiodg.exe\""	c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\KBDCR\\smss.exe\""	c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe

Drops file in System32 directory 7 IoCs

Processes:

c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe

description	ioc	process
File created	C:\Windows\System32\KBDCR\smss.exe	c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe
File created	C:\Windows\System32\KBDCR\69ddcba757bf72f7d36c464c71f42baab150b2b9	c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe
File created	C:\Windows\System32\fdWCN\winlogon.exe	c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe
File created	C:\Windows\System32\fdWCN\cc11b995f2a76da408ea6a601e682e64743153ad	c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe
File created	C:\Windows\System32\WSDApi\winlogon.exe	c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe
File opened for modification	C:\Windows\System32\WSDApi\winlogon.exe	c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe
File created	C:\Windows\System32\WSDApi\cc11b995f2a76da408ea6a601e682e64743153ad	c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

winlogon.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	winlogon.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	winlogon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2252 schtasks.exe
2256 schtasks.exe
2716 schtasks.exe
2996 schtasks.exe
2580 schtasks.exe

pid	process
2252	schtasks.exe
2256	schtasks.exe
2716	schtasks.exe
2996	schtasks.exe
2580	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exewinlogon.exe

pid	process
2548	c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe
2548	c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe
2548	c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe
2724	winlogon.exe
2724	winlogon.exe
2724	winlogon.exe
2724	winlogon.exe
2724	winlogon.exe
2724	winlogon.exe
2724	winlogon.exe
2724	winlogon.exe
2724	winlogon.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exewinlogon.exe

description	pid	process
Token: SeDebugPrivilege	2548	c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe
Token: SeDebugPrivilege	2724	winlogon.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.execmd.exe

description	pid	process	target process
PID 2548 wrote to memory of 2804	2548	c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe	cmd.exe
PID 2548 wrote to memory of 2804	2548	c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe	cmd.exe
PID 2548 wrote to memory of 2804	2548	c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe	cmd.exe
PID 2804 wrote to memory of 2348	2804	cmd.exe	w32tm.exe
PID 2804 wrote to memory of 2348	2804	cmd.exe	w32tm.exe
PID 2804 wrote to memory of 2348	2804	cmd.exe	w32tm.exe
PID 2804 wrote to memory of 2724	2804	cmd.exe	winlogon.exe
PID 2804 wrote to memory of 2724	2804	cmd.exe	winlogon.exe
PID 2804 wrote to memory of 2724	2804	cmd.exe	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe
"C:\Users\Admin\AppData\Local\Temp\c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FIadAFpkN1.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2348
- - C:\Documents and Settings\winlogon.exe
    "C:\Documents and Settings\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\WSDApi\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Documents and Settings\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\KBDCR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\fdWCN\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

3

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FIadAFpkN1.bat

Filesize
202B

MD5
06b5258b0661898a63d22ca5f747820f

SHA1
62cdead0a2ac5de93898fbf4c8708403629ebd6b

SHA256
37b155a5a723638b968f9695c37485763a31f7a14546bf0c4262b9b02e0b86db

SHA512
73c18bc656f4949881316fe58180da8441972e104de11cb096a1f3fc561cb2c9b4c2e015bee0cd95ff60c64cfaffb9133b5918f9c45cd0dcf3c07ebb393b3516

Download Submit
C:\Windows\System32\fdWCN\winlogon.exe

Filesize
8.4MB

MD5
23e7c44b93cb1b729d816de6e2800888

SHA1
aa0d6d3655991fcc2bee30f2e4002150c3c08c7f

SHA256
c53519ff0006a7b1a806fb8cac04e13fb6afa8ef4555a5e3079ac2b200d112af

SHA512
78671a96f54348695f839199340cd4fa5f9816c0ab740c8492f877deba6bed3191407e3096f3bd107cde7e65cd12a15140222656c2f53f8d7ece6881ec456fb9

Download Submit
memory/2548-0-0x000007FEF56B3000-0x000007FEF56B4000-memory.dmp

Filesize
4KB

Download
memory/2548-1-0x00000000009C0000-0x0000000001234000-memory.dmp

Filesize
8.5MB

Download
memory/2548-2-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

Filesize
9.9MB

Download
memory/2548-18-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

Filesize
9.9MB

Download
memory/2724-21-0x0000000001370000-0x0000000001BE4000-memory.dmp

Filesize
8.5MB

Download
memory/2724-23-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2724-22-0x0000000000340000-0x000000000034C000-memory.dmp

Filesize
48KB

Download
memory/2724-24-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/2724-25-0x0000000000360000-0x0000000000368000-memory.dmp

Filesize
32KB

Download
memory/2724-26-0x00000000004B0000-0x00000000004BA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads