dcrat | 88953240e260b3ca53b4563afa657ee6d414b887a972e8862b12ca46e0a5853d

General

Target

terminal.exe
Size

2.9MB
MD5

200451026a7f2be02adb274026dc827a
SHA1

655f5cff899d319975dfd43b1902e6318a0944f6
SHA256

88953240e260b3ca53b4563afa657ee6d414b887a972e8862b12ca46e0a5853d
SHA512

1054e3b258fab5f496cea9e156b0b17b9e5b1f4f5b049a4308df1b200d89534c88ec1ff11e6612a2b0961842984fe31d7d38b8077c14fd9bb388a03e7d0c3ac8
SSDEEP

49152:1bA3PlN3nP+YscRfII1f8CReMT1Um7GWw/N0TOu09gqpBuuDqtmAP:1buN3nrsc5fdRfTr7GWw/ayl9RIuDqtZ

Score

10^/10

dcrat discovery evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2544	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2544	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2544	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2544	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2544	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2544	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2544	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2544	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2544	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2544	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2544	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	2544	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2544	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2544	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	284	2544	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2544	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2544	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	368	2544	schtasks.exe	34

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	portdrivernet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	portdrivernet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	portdrivernet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000018b50-9.dat	dcrat
behavioral1/memory/568-13-0x00000000003A0000-0x0000000000654000-memory.dmp	dcrat
behavioral1/memory/2360-50-0x00000000011C0000-0x0000000001474000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

pid	Process
568	portdrivernet.exe
2360	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2876	cmd.exe
2876	cmd.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	portdrivernet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	portdrivernet.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\taskhost.exe	portdrivernet.exe
File created	C:\Program Files (x86)\Windows Mail\b75386f1303e64	portdrivernet.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\es-ES\spoolsv.exe	portdrivernet.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\es-ES\spoolsv.exe	portdrivernet.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\es-ES\f3b6ecef712a24	portdrivernet.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\csrss.exe	portdrivernet.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\886983d96e3d3e	portdrivernet.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\diagnostics\scheduled\Maintenance\it-IT\csrss.exe	portdrivernet.exe
File created	C:\Windows\fr-FR\audiodg.exe	portdrivernet.exe
File created	C:\Windows\fr-FR\42af1c969fbb7b	portdrivernet.exe
File created	C:\Windows\Setup\State\csrss.exe	portdrivernet.exe
File created	C:\Windows\Setup\State\886983d96e3d3e	portdrivernet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	terminal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1952	schtasks.exe
2368	schtasks.exe
1044	schtasks.exe
1856	schtasks.exe
1564	schtasks.exe
3068	schtasks.exe
2416	schtasks.exe
2448	schtasks.exe
1712	schtasks.exe
284	schtasks.exe
2380	schtasks.exe
1388	schtasks.exe
1652	schtasks.exe
2276	schtasks.exe
368	schtasks.exe
1720	schtasks.exe
1352	schtasks.exe
2080	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
568	portdrivernet.exe
2360	csrss.exe
2360	csrss.exe
2360	csrss.exe
2360	csrss.exe
2360	csrss.exe
2360	csrss.exe
2360	csrss.exe
2360	csrss.exe
2360	csrss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2360	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	568	portdrivernet.exe
Token: SeDebugPrivilege	2360	csrss.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 1288	2524	terminal.exe	30
PID 2524 wrote to memory of 1288	2524	terminal.exe	30
PID 2524 wrote to memory of 1288	2524	terminal.exe	30
PID 2524 wrote to memory of 1288	2524	terminal.exe	30
PID 1288 wrote to memory of 2876	1288	WScript.exe	31
PID 1288 wrote to memory of 2876	1288	WScript.exe	31
PID 1288 wrote to memory of 2876	1288	WScript.exe	31
PID 1288 wrote to memory of 2876	1288	WScript.exe	31
PID 2876 wrote to memory of 568	2876	cmd.exe	33
PID 2876 wrote to memory of 568	2876	cmd.exe	33
PID 2876 wrote to memory of 568	2876	cmd.exe	33
PID 2876 wrote to memory of 568	2876	cmd.exe	33
PID 568 wrote to memory of 2504	568	portdrivernet.exe	53
PID 568 wrote to memory of 2504	568	portdrivernet.exe	53
PID 568 wrote to memory of 2504	568	portdrivernet.exe	53
PID 2504 wrote to memory of 1260	2504	cmd.exe	55
PID 2504 wrote to memory of 1260	2504	cmd.exe	55
PID 2504 wrote to memory of 1260	2504	cmd.exe	55
PID 2504 wrote to memory of 2360	2504	cmd.exe	56
PID 2504 wrote to memory of 2360	2504	cmd.exe	56
PID 2504 wrote to memory of 2360	2504	cmd.exe	56

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	portdrivernet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	portdrivernet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	portdrivernet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\terminal.exe
"C:\Users\Admin\AppData\Local\Temp\terminal.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\containercomponentfontruntime\qhSOQkLJ6CCd.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\containercomponentfontruntime\XmZE9.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\containercomponentfontruntime\portdrivernet.exe
      "C:\containercomponentfontruntime\portdrivernet.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:568
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DEoeECt7ly.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2504
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1260
      - C:\Program Files (x86)\Microsoft Sync Framework\v1.0\csrss.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\csrss.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Windows\fr-FR\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\fr-FR\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Windows\fr-FR\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Setup\State\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Setup\State\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Setup\State\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEoeECt7ly.bat

Filesize
227B

MD5
048c649d4034210610cefdbd9227290a

SHA1
bb9010273db2c7e45c16a3d6ccd94435dd83967c

SHA256
6350e2c6a10d5e8b3820b2f62bcfff6e655791e3f0844e5d36e4aa0c9533151e

SHA512
628c65573b4c6dbdf83c65e05df9e16fc358a2ab1d8e8d7531dc051758177b8efe70bbdaee7f19b91e3a786639d31a26176c1979ab2a15df1f7c2b293e3368b4

Download Submit
C:\containercomponentfontruntime\XmZE9.bat

Filesize
52B

MD5
7f19dde92420e1112fb9ef25b0c56e38

SHA1
9da19ead2fccc172a39171f026eed2623229d2b7

SHA256
697ad5724417463eb1e37c6e173bc24ca4416b3c064036b06b5c05bc6c33742a

SHA512
6a184f7e5fb90e302fbdc92eff043b84cab803e741abea94a7a06e1c3f502babd60b95e75b705ae8cd27430dc0bf3873d4ff9b719ea28648f50e080ebef79268

Download Submit
C:\containercomponentfontruntime\qhSOQkLJ6CCd.vbe

Filesize
211B

MD5
8ac77355599fe3bfb19415a591c62148

SHA1
ca5b38c7525b454144d6dfb681a7d5b7c8afd807

SHA256
993cc8867a308e64cb94b89206c6632cc1e160a5de372e29686b86a7eb9b318b

SHA512
38c7bce3490a171bda26f482e1ef50cdd5cbe8f59f9ce5bafbc452fb8f3b878b9e72a3358489765e8b30ca19e8dba9cb9ffed92f24267a7ba0aab5311416b2b6

Download Submit
\containercomponentfontruntime\portdrivernet.exe

Filesize
2.7MB

MD5
718e0805d80d7e040a20b5aeda4f877d

SHA1
c83f6d2c1ec158e20af2bf54f4d7aeb465cbe58e

SHA256
cb1189a7b059346d31cca7596357609eb52e9e518ef59a7659a0e061602f7c0b

SHA512
d3854ad4a29732f802a5087c320ca8b85cf46a818f5d283ab612254e9b495e4019c58cc1c8fe7d9f369e070a025d367d6226cf92343b1cafdc8f4aab9fb38cc9

Download Submit
memory/568-22-0x0000000000780000-0x0000000000788000-memory.dmp

Filesize
32KB

Download
memory/568-23-0x00000000007F0000-0x0000000000802000-memory.dmp

Filesize
72KB

Download
memory/568-16-0x0000000000270000-0x0000000000278000-memory.dmp

Filesize
32KB

Download
memory/568-17-0x0000000000370000-0x0000000000380000-memory.dmp

Filesize
64KB

Download
memory/568-18-0x0000000000760000-0x0000000000776000-memory.dmp

Filesize
88KB

Download
memory/568-19-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/568-20-0x0000000000790000-0x000000000079A000-memory.dmp

Filesize
40KB

Download
memory/568-21-0x00000000007A0000-0x00000000007F6000-memory.dmp

Filesize
344KB

Download
memory/568-14-0x0000000000240000-0x000000000024E000-memory.dmp

Filesize
56KB

Download
memory/568-15-0x0000000000250000-0x000000000026C000-memory.dmp

Filesize
112KB

Download
memory/568-24-0x00000000008A0000-0x00000000008A8000-memory.dmp

Filesize
32KB

Download
memory/568-25-0x00000000008B0000-0x00000000008B8000-memory.dmp

Filesize
32KB

Download
memory/568-26-0x00000000008C0000-0x00000000008CC000-memory.dmp

Filesize
48KB

Download
memory/568-27-0x00000000008D0000-0x00000000008DE000-memory.dmp

Filesize
56KB

Download
memory/568-28-0x00000000008E0000-0x00000000008EC000-memory.dmp

Filesize
48KB

Download
memory/568-29-0x00000000008F0000-0x00000000008FA000-memory.dmp

Filesize
40KB

Download
memory/568-30-0x0000000000900000-0x000000000090C000-memory.dmp

Filesize
48KB

Download
memory/568-13-0x00000000003A0000-0x0000000000654000-memory.dmp

Filesize
2.7MB

Download
memory/2360-50-0x00000000011C0000-0x0000000001474000-memory.dmp

Filesize
2.7MB

Download
memory/2360-51-0x0000000000ED0000-0x0000000000EE2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads