dcrat | cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2

General

Target

cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
Size

1.2MB
MD5

77760d25680549a6e33d813225f15ae0
SHA1

3ba98784170c929615f2a606c1865bbcca860140
SHA256

cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2
SHA512

6e758c1402852a2ee6c669208b491160eefb086c1b5bc52b698d9292ad933e8e71a66413e367b6f6c36f1df841e145b8ee5f06035deceba678a481279ebbcbac
SSDEEP

24576:Zrtb29jyTS6MoaS0BPXM3l9HDesNM1w3HzjM4LjvTCdPILP+4:jb29j5jf/GB6eZLG

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	1840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	1840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3296	1840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	1840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	1840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	1840	schtasks.exe	82

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1272-1-0x0000000000BD0000-0x0000000000D04000-memory.dmp	dcrat
behavioral2/files/0x0007000000023cc3-17.dat	dcrat
behavioral2/files/0x000f000000023cac-80.dat	dcrat
behavioral2/memory/224-105-0x0000000000F40000-0x0000000001074000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe

Executes dropped EXE 1 IoCs

pid	Process
224	sysmon.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\SchCache\\winlogon.exe\""	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\L2Schemas\\csrss.exe\""	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\WpcRefreshTask\\fontdrvhost.exe\""	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\System32\\gptext\\sihost.exe\""	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\twain_32\\sysmon.exe\""	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\notepad\\sysmon.exe\""	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\System32\gptext\66fc9ff0ee96c2b21f0cfded48750ae9e3032bf3	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
File opened for modification	C:\Windows\System32\WpcRefreshTask\RCX9AFD.tmp	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
File opened for modification	C:\Windows\System32\WpcRefreshTask\fontdrvhost.exe	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
File opened for modification	C:\Windows\System32\gptext\RCX9D7E.tmp	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
File opened for modification	C:\Windows\System32\gptext\sihost.exe	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
File created	C:\Windows\System32\gptext\sihost.exe	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
File created	C:\Windows\System32\WpcRefreshTask\5b884080fd4f94e2695da25c503f9e33b9605b83	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
File opened for modification	C:\Windows\System32\WpcRefreshTask\RCX9AFC.tmp	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
File opened for modification	C:\Windows\System32\gptext\RCX9D7F.tmp	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
File created	C:\Windows\System32\WpcRefreshTask\fontdrvhost.exe	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SchCache\RCXA41D.tmp	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
File opened for modification	C:\Windows\SchCache\winlogon.exe	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
File created	C:\Windows\notepad\sysmon.exe	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
File opened for modification	C:\Windows\twain_32\RCX9F85.tmp	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
File created	C:\Windows\SchCache\winlogon.exe	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
File created	C:\Windows\SchCache\cc11b995f2a76da408ea6a601e682e64743153ad	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
File opened for modification	C:\Windows\L2Schemas\RCX9879.tmp	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
File opened for modification	C:\Windows\L2Schemas\RCX987A.tmp	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
File opened for modification	C:\Windows\twain_32\sysmon.exe	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
File created	C:\Windows\L2Schemas\csrss.exe	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
File created	C:\Windows\L2Schemas\886983d96e3d3e31032c679b2d4ea91b6c05afef	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
File created	C:\Windows\notepad\121e5b5079f7c0e46d90f99b3864022518bbbda9	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
File opened for modification	C:\Windows\twain_32\RCX9F84.tmp	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
File opened for modification	C:\Windows\notepad\RCXA18A.tmp	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
File opened for modification	C:\Windows\notepad\RCXA1F8.tmp	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
File opened for modification	C:\Windows\notepad\sysmon.exe	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
File created	C:\Windows\twain_32\sysmon.exe	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
File created	C:\Windows\twain_32\121e5b5079f7c0e46d90f99b3864022518bbbda9	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
File opened for modification	C:\Windows\L2Schemas\csrss.exe	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
File opened for modification	C:\Windows\SchCache\RCXA41C.tmp	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2556	schtasks.exe
4728	schtasks.exe
3296	schtasks.exe
1576	schtasks.exe
4568	schtasks.exe
2196	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1272	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
1272	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
1272	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
1272	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
1272	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
1272	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
1272	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
1272	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
1272	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
1272	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
1272	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
224	sysmon.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1272	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
Token: SeDebugPrivilege	224	sysmon.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 4312	1272	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe	89
PID 1272 wrote to memory of 4312	1272	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe	89
PID 4312 wrote to memory of 4644	4312	cmd.exe	91
PID 4312 wrote to memory of 4644	4312	cmd.exe	91
PID 4312 wrote to memory of 224	4312	cmd.exe	92
PID 4312 wrote to memory of 224	4312	cmd.exe	92

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe
"C:\Users\Admin\AppData\Local\Temp\cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2N.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1272
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\paWlWqEOOw.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4644
- - C:\Windows\notepad\sysmon.exe
    "C:\Windows\notepad\sysmon.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\WpcRefreshTask\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\gptext\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\twain_32\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\notepad\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\SchCache\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\paWlWqEOOw.bat

Filesize
193B

MD5
b69e49ff5d11fe6698068257642a49e2

SHA1
b391a7c8f5065c497b9036a19c935bcba81a1d9d

SHA256
910ea5273e2f3705424e0f020be449fce0ac15e1ed939520aaf076450ccf00b8

SHA512
441a001f02d2f36230bea6e5fdcb1eec53844d880844ecdd18c508ed36874ecba398bd3dd7ae8e3a64dbb14aa6b24f305e9089860e40524b34130b129e5e5cc7

Download Submit
C:\Windows\notepad\sysmon.exe

Filesize
1.2MB

MD5
77760d25680549a6e33d813225f15ae0

SHA1
3ba98784170c929615f2a606c1865bbcca860140

SHA256
cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2

SHA512
6e758c1402852a2ee6c669208b491160eefb086c1b5bc52b698d9292ad933e8e71a66413e367b6f6c36f1df841e145b8ee5f06035deceba678a481279ebbcbac

Download Submit
C:\Windows\notepad\sysmon.exe

Filesize
1.2MB

MD5
27e94e42d7e229f5bbe4bee9ef991bd6

SHA1
4ff1cd1b578525ec078413c4e108e8188203306e

SHA256
f19e3b3a8b90e92d417b7ff025f24e4d4c81740d0fbf302c22bd18eff7f0f9d9

SHA512
5ae946bbeac6b0cdd9084dde8644918e7203398faf7e3e2eee925d9f417030600998ec2a1fd14d11bf7fe9c5c6b8962534597511d1c89b724b11c00030c2a4de

Download Submit
memory/224-105-0x0000000000F40000-0x0000000001074000-memory.dmp

Filesize
1.2MB

Download
memory/1272-3-0x00000000015C0000-0x00000000015D0000-memory.dmp

Filesize
64KB

Download
memory/1272-5-0x0000000001600000-0x000000000160C000-memory.dmp

Filesize
48KB

Download
memory/1272-6-0x00000000015D0000-0x00000000015DA000-memory.dmp

Filesize
40KB

Download
memory/1272-7-0x00000000015E0000-0x00000000015E8000-memory.dmp

Filesize
32KB

Download
memory/1272-8-0x0000000001620000-0x000000000162C000-memory.dmp

Filesize
48KB

Download
memory/1272-4-0x00000000015F0000-0x00000000015FC000-memory.dmp

Filesize
48KB

Download
memory/1272-0-0x00007FF974D63000-0x00007FF974D65000-memory.dmp

Filesize
8KB

Download
memory/1272-2-0x00007FF974D60000-0x00007FF975821000-memory.dmp

Filesize
10.8MB

Download
memory/1272-101-0x00007FF974D60000-0x00007FF975821000-memory.dmp

Filesize
10.8MB

Download
memory/1272-1-0x0000000000BD0000-0x0000000000D04000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads