dcrat | 58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3

General

Target

58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
Size

783KB
MD5

6803b89c021d6dc7a6cb6be7e46e6008
SHA1

f1af0021522118f4391eb0e94ccc6b312e44d824
SHA256

58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3
SHA512

af36b72347016c8a13dbac1a41775ba96a20b10116bb9bbb026cd5ee444077295a3c6f48cc13872b578254dcfdd603a1fe2c1ce78dc265398c194a04d34aa65a
SSDEEP

12288:mqnOYxdAgpoNeF91rg5iFdr0yQ9gYx+EIpakCYJRU7Q9bWoFzqK:m+OQbpbgsFdAyQvzSqaq8q

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4108	692	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	692	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	692	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	692	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	692	schtasks.exe	83

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/960-1-0x0000000000260000-0x000000000032A000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b9a-33.dat	dcrat
behavioral2/files/0x000b000000023b91-57.dat	dcrat
behavioral2/files/0x000b000000023b9f-79.dat	dcrat
behavioral2/memory/2900-81-0x0000000000090000-0x000000000015A000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe

Executes dropped EXE 1 IoCs

pid	Process
2900	dllhost.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\System32\\WindowsInternal.Shell.CompUiActivation\\backgroundTaskHost.exe\""	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\""	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\PerfLogs\\csrss.exe\""	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\PerfLogs\\explorer.exe\""	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\VhfUm\\fontdrvhost.exe\""	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\System32\WindowsInternal.Shell.CompUiActivation\backgroundTaskHost.exe	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
File opened for modification	C:\Windows\System32\WindowsInternal.Shell.CompUiActivation\backgroundTaskHost.exe	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
File created	C:\Windows\System32\WindowsInternal.Shell.CompUiActivation\eddb19405b7ce1152b3e19997f2b467f0b72b3d3	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
File created	C:\Windows\System32\VhfUm\fontdrvhost.exe	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
File created	C:\Windows\System32\VhfUm\5b884080fd4f94e2695da25c503f9e33b9605b83	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
File opened for modification	C:\Windows\System32\WindowsInternal.Shell.CompUiActivation\RCX8677.tmp	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
File opened for modification	C:\Windows\System32\VhfUm\RCX8F74.tmp	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
File opened for modification	C:\Windows\System32\VhfUm\fontdrvhost.exe	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Multimedia Platform\5940a34987c99120d96dace90a3f93f329dcad63	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCX887B.tmp	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\1102129660\RuntimeBroker.exe	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4108	schtasks.exe
4956	schtasks.exe
3936	schtasks.exe
2560	schtasks.exe
1132	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
960	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
960	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
960	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
960	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
960	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
960	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
960	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
960	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
960	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
960	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
960	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
960	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
960	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
2900	dllhost.exe
2900	dllhost.exe
2900	dllhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	960	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
Token: SeDebugPrivilege	2900	dllhost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 740	960	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe	89
PID 960 wrote to memory of 740	960	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe	89
PID 740 wrote to memory of 3344	740	cmd.exe	91
PID 740 wrote to memory of 3344	740	cmd.exe	91
PID 740 wrote to memory of 2900	740	cmd.exe	98
PID 740 wrote to memory of 2900	740	cmd.exe	98

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe
"C:\Users\Admin\AppData\Local\Temp\58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:960
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MOAVtM1gf8.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3344
- - C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe
    "C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\System32\WindowsInternal.Shell.CompUiActivation\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\PerfLogs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\PerfLogs\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\VhfUm\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\csrss.exe

Filesize
783KB

MD5
daab5fb14b8ea182c7251ff7c66a53a9

SHA1
bc23cbc04f9b6c07716be980bf79d17d26c6d991

SHA256
1cf13ec774f4e750255f46d27147259385f3c79dcaf085ada1c4430d2f4d6d78

SHA512
e414c41d8b542e7c3d508efb0bec920bccf4a2a0c9acae0e49eddaa92ca8b07d9b107ee7304764ed1387923ee03354acdfb32754a56882b3eda176382f1bb23c

Download Submit
C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe

Filesize
783KB

MD5
6191f2805af53d77fb31db663819737f

SHA1
ac8acb03a18f0b4594c0bfd6eb8828e5d5a4e674

SHA256
5bddcb7d67212bba1b1a3df0d9c2c232c48f7f7419efd183ac0720330e56cf92

SHA512
eac25c11f353f2ba28f59dee63709c4204ac56cecb49724ef215eb4655c3495f3225014d4960fbcd2de74232698fb25c264b9ee6350805619a225d3b7d1db30c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MOAVtM1gf8.bat

Filesize
226B

MD5
4d0cf8ad64a1253ed5924f0d39195a83

SHA1
ac0a5c29b7c48d8562e6ac83279547fe5190c1e5

SHA256
1ca81abaf7ecdae4dfe681671838e148d6e28a88dcf99b1efb78b641fde29959

SHA512
bfe442ef8047fa07b0c7abbb136bb3c3b537b0b86a7214fddafa2617e277aa9cabe02a5ea117e265dc80243140b0722b8a899c1236cac26c37d0ed5d6259ca29

Download Submit
C:\Windows\System32\VhfUm\fontdrvhost.exe

Filesize
783KB

MD5
6803b89c021d6dc7a6cb6be7e46e6008

SHA1
f1af0021522118f4391eb0e94ccc6b312e44d824

SHA256
58b9de28af1f31614bcf0a6f96f6e20a86295a23e411dd4f1f2b0e7a604b32f3

SHA512
af36b72347016c8a13dbac1a41775ba96a20b10116bb9bbb026cd5ee444077295a3c6f48cc13872b578254dcfdd603a1fe2c1ce78dc265398c194a04d34aa65a

Download Submit
memory/960-17-0x000000001AE50000-0x000000001AE58000-memory.dmp

Filesize
32KB

Download
memory/960-18-0x000000001AFD0000-0x000000001AFD8000-memory.dmp

Filesize
32KB

Download
memory/960-7-0x0000000000B10000-0x0000000000B1C000-memory.dmp

Filesize
48KB

Download
memory/960-6-0x0000000000B00000-0x0000000000B08000-memory.dmp

Filesize
32KB

Download
memory/960-8-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/960-10-0x0000000000E10000-0x0000000000E18000-memory.dmp

Filesize
32KB

Download
memory/960-9-0x0000000000E00000-0x0000000000E0A000-memory.dmp

Filesize
40KB

Download
memory/960-11-0x000000001AE10000-0x000000001AE18000-memory.dmp

Filesize
32KB

Download
memory/960-12-0x0000000000B40000-0x0000000000B48000-memory.dmp

Filesize
32KB

Download
memory/960-13-0x0000000000DF0000-0x0000000000DF8000-memory.dmp

Filesize
32KB

Download
memory/960-14-0x000000001AE20000-0x000000001AE28000-memory.dmp

Filesize
32KB

Download
memory/960-15-0x000000001AE30000-0x000000001AE38000-memory.dmp

Filesize
32KB

Download
memory/960-0-0x00007FF99DBC3000-0x00007FF99DBC5000-memory.dmp

Filesize
8KB

Download
memory/960-5-0x0000000000AF0000-0x0000000000B00000-memory.dmp

Filesize
64KB

Download
memory/960-22-0x000000001AE90000-0x000000001AE98000-memory.dmp

Filesize
32KB

Download
memory/960-21-0x000000001AE80000-0x000000001AE8C000-memory.dmp

Filesize
48KB

Download
memory/960-20-0x000000001AE70000-0x000000001AE78000-memory.dmp

Filesize
32KB

Download
memory/960-19-0x000000001AE60000-0x000000001AE68000-memory.dmp

Filesize
32KB

Download
memory/960-16-0x000000001AE40000-0x000000001AE48000-memory.dmp

Filesize
32KB

Download
memory/960-25-0x00007FF99DBC0000-0x00007FF99E681000-memory.dmp

Filesize
10.8MB

Download
memory/960-26-0x00007FF99DBC0000-0x00007FF99E681000-memory.dmp

Filesize
10.8MB

Download
memory/960-4-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

Filesize
32KB

Download
memory/960-38-0x00007FF99DBC0000-0x00007FF99E681000-memory.dmp

Filesize
10.8MB

Download
memory/960-3-0x0000000000AC0000-0x0000000000AC8000-memory.dmp

Filesize
32KB

Download
memory/960-2-0x00007FF99DBC0000-0x00007FF99E681000-memory.dmp

Filesize
10.8MB

Download
memory/960-77-0x00007FF99DBC0000-0x00007FF99E681000-memory.dmp

Filesize
10.8MB

Download
memory/960-1-0x0000000000260000-0x000000000032A000-memory.dmp

Filesize
808KB

Download
memory/2900-81-0x0000000000090000-0x000000000015A000-memory.dmp

Filesize
808KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads