dcrat | 0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d

General

Target

0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
Size

1.2MB
MD5

3e486391221891462495325b3bbf8b13
SHA1

c65d92a465ec8967a7fba171ac6e62f3aaae2ff0
SHA256

0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d
SHA512

066ebb9cdfe3b45f893ec031237319d49a1d323e1f928a2ffde324e718adef84bb6c397f2cc12814a069ea71106b44996abf538ac2b8bd7e456cfc3ec76138ff
SSDEEP

24576:Zrtb29jyTS6MoaS0BPXM3l9HDesNM1w3HzjM4LjvTCdPILP+4h:jb29j5jf/GB6eZLGo

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	4400	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	4400	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	4400	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	4400	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	4400	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	4400	schtasks.exe	82

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1056-1-0x00000000009F0000-0x0000000000B24000-memory.dmp	dcrat
behavioral2/files/0x0007000000023cba-17.dat	dcrat
behavioral2/files/0x000a000000023ca5-34.dat	dcrat
behavioral2/files/0x0009000000023cad-45.dat	dcrat
behavioral2/files/0x0009000000023cb0-56.dat	dcrat
behavioral2/files/0x0009000000023cb4-65.dat	dcrat
behavioral2/files/0x000a000000023cb6-100.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe

Executes dropped EXE 1 IoCs

pid	Process
3276	sysmon.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\jusched\\0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe\""	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredistUI33C5\\0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe\""	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\LanguageComponentsInstaller\\spoolsv.exe\""	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\ServiceProfiles\\dwm.exe\""	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\WMSysPr9\\sysmon.exe\""	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\WindowsRE\\sppsvc.exe\""	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\LanguageComponentsInstaller\spoolsv.exe	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
File created	C:\Windows\System32\LanguageComponentsInstaller\spoolsv.exe	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
File created	C:\Windows\System32\LanguageComponentsInstaller\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
File opened for modification	C:\Windows\System32\LanguageComponentsInstaller\RCXCC9D.tmp	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
File opened for modification	C:\Windows\System32\LanguageComponentsInstaller\RCXCD0B.tmp	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WMSysPr9\sysmon.exe	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
File created	C:\Windows\WMSysPr9\sysmon.exe	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
File opened for modification	C:\Windows\ServiceProfiles\RCXCF7E.tmp	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
File opened for modification	C:\Windows\ServiceProfiles\dwm.exe	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
File opened for modification	C:\Windows\WMSysPr9\RCXD1A3.tmp	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
File opened for modification	C:\Windows\WMSysPr9\RCXD1A2.tmp	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
File created	C:\Windows\ServiceProfiles\dwm.exe	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
File created	C:\Windows\ServiceProfiles\6cb0b6c459d5d3455a3da700e713f2e2529862ff	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
File created	C:\Windows\WMSysPr9\121e5b5079f7c0e46d90f99b3864022518bbbda9	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
File opened for modification	C:\Windows\ServiceProfiles\RCXCF10.tmp	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5000	schtasks.exe
1088	schtasks.exe
2568	schtasks.exe
900	schtasks.exe
3888	schtasks.exe
5052	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1056	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
1056	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
1056	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
3276	sysmon.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1056	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
Token: SeDebugPrivilege	3276	sysmon.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 4084	1056	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe	89
PID 1056 wrote to memory of 4084	1056	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe	89
PID 4084 wrote to memory of 3476	4084	cmd.exe	91
PID 4084 wrote to memory of 3476	4084	cmd.exe	91
PID 4084 wrote to memory of 3276	4084	cmd.exe	92
PID 4084 wrote to memory of 3276	4084	cmd.exe	92

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe
"C:\Users\Admin\AppData\Local\Temp\0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1056
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nE9G1IfIwG.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3476
- - C:\Windows\WMSysPr9\sysmon.exe
    "C:\Windows\WMSysPr9\sysmon.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:3276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\jusched\0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI33C5\0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\LanguageComponentsInstaller\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\WMSysPr9\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI33C5\0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe

Filesize
1.2MB

MD5
7725a97f043df4d824b673f636779c04

SHA1
8aa385ea80b498e5b93ed9fc84bcbe7cbcee1eeb

SHA256
6f181a700714886f826221a9450eb0afb691126e2b893fc6fd82894deb6652f3

SHA512
290c0ca137e0729fc07fa1dfef25225e945a2505bc322ca4246c5db7e33fbe738ea182ee3dfa24221a295939cbe523b0924689e783b3e6c504978f686328d5ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched\0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d.exe

Filesize
1.2MB

MD5
9b6eb8afe38f9947d0d1b74011b6b2be

SHA1
e14152ae60f5291d2a0c849f221c8d38bba0fb99

SHA256
3d3dd165eacd13dcc86ee412ee358537d1f8390915451ccb338d7e2497ae81b2

SHA512
7158fbbdebf0c0e8066a85c2a7a12e7c3530dab4c4d25d687e4648fe4849e9f5ea048d3d1196efcb841ec40aaee5654bbd5493168ff8af297574a56a4f0de07f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nE9G1IfIwG.bat

Filesize
194B

MD5
889cc0ed2d70207af8c98a2794d4b4dc

SHA1
65d0204fe87cf2854578d634cf1a95f24f7d5917

SHA256
4ac0abf3e2a5a5ced66db5045efa63960ecd8c97b03228abfd91f45e3c2456ac

SHA512
ab8d7dc71020634dce7c52b95faec106d4ee92c143904a4d811129f3d33048378056f00cd851716f2c47b772f56498d9eb131c68e6e6e3362c398ef5dd2832d7

Download Submit
C:\Windows\ServiceProfiles\dwm.exe

Filesize
1.2MB

MD5
76698d1cc503ae29a20402f7c9ab9bf2

SHA1
b82e185e23d4e63a886a7446e0d1abb6e6d5e3e4

SHA256
e610c97b8cf806f72f96d10690a061b3e43b1d6154ae59e1b8fba089dd1445d8

SHA512
c7d4dc1b3943b8ab65d7950037642d4d71f98e4b920cc64e4374534f8e752d0e575a1331dc29d23c107b70618b5965242059cb40ff6cf2de3e402c7ec2099848

Download Submit
C:\Windows\System32\LanguageComponentsInstaller\spoolsv.exe

Filesize
1.2MB

MD5
a141e62ccbc760900fd7b9d1090b9053

SHA1
e0199175dc38b276e5434d87ce2d37ae9e1d4e1e

SHA256
e631f7bc33ba00c08afa273585a707e3e9635d97e4c409749a1ff09453e0fecc

SHA512
3366bdff6d6f29b6b36a61259cc7f74d87e71a2ec638b27cc00edc5fd0cccc1c6463b27ce884c536520060d1aa3dbb7ddca92448d48c71ba7885926029fdad14

Download Submit
C:\Windows\WMSysPr9\sysmon.exe

Filesize
1.2MB

MD5
3e486391221891462495325b3bbf8b13

SHA1
c65d92a465ec8967a7fba171ac6e62f3aaae2ff0

SHA256
0ba179fecafc8c823fcd576e0d2f31fff23072e64dbeffb0a2c7d42631cacc0d

SHA512
066ebb9cdfe3b45f893ec031237319d49a1d323e1f928a2ffde324e718adef84bb6c397f2cc12814a069ea71106b44996abf538ac2b8bd7e456cfc3ec76138ff

Download Submit
C:\Windows\WMSysPr9\sysmon.exe

Filesize
1.2MB

MD5
77760d25680549a6e33d813225f15ae0

SHA1
3ba98784170c929615f2a606c1865bbcca860140

SHA256
cfe5bf369e60e17054176b8926c7336e53d0489e1a65815610a794886d1d90d2

SHA512
6e758c1402852a2ee6c669208b491160eefb086c1b5bc52b698d9292ad933e8e71a66413e367b6f6c36f1df841e145b8ee5f06035deceba678a481279ebbcbac

Download Submit
memory/1056-4-0x0000000001400000-0x000000000140C000-memory.dmp

Filesize
48KB

Download
memory/1056-8-0x0000000002CF0000-0x0000000002CFC000-memory.dmp

Filesize
48KB

Download
memory/1056-7-0x00000000013F0000-0x00000000013F8000-memory.dmp

Filesize
32KB

Download
memory/1056-6-0x00000000013E0000-0x00000000013EA000-memory.dmp

Filesize
40KB

Download
memory/1056-5-0x0000000001410000-0x000000000141C000-memory.dmp

Filesize
48KB

Download
memory/1056-0-0x00007FFC04313000-0x00007FFC04315000-memory.dmp

Filesize
8KB

Download
memory/1056-3-0x00000000013D0000-0x00000000013E0000-memory.dmp

Filesize
64KB

Download
memory/1056-2-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/1056-98-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/1056-1-0x00000000009F0000-0x0000000000B24000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads