dcrat | f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0da

General

Target

f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
Size

2.7MB
MD5

7c935427ecd47e8deb5ce641226d8980
SHA1

963be2aa84776697aabe1e77d9b0596ba3ff0020
SHA256

f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0da
SHA512

1afb5e8f858b71fa3efdf0acfd38855d735b928388866e19396b86a874b69b45b00ebbdde233f4fddce2c04eb14acb137acf511e335d327aeb7f98f6d9ac27b2
SSDEEP

49152:5H3ow5/6oEcY2I6DxCP2vAWJ6ZsSVnJTXretG/Q1Hciyc5nIudabGm:5j/NDB9m2v9JqVJ7OG/Q18irfdabGm

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	2192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2192	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2192	schtasks.exe	30

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1268-1-0x00000000002A0000-0x0000000000552000-memory.dmp	dcrat
behavioral1/files/0x000500000001926b-27.dat	dcrat
behavioral1/files/0x0008000000017403-69.dat	dcrat
behavioral1/files/0x0006000000019627-80.dat	dcrat
behavioral1/memory/944-124-0x0000000000E70000-0x0000000001122000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
944	services.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\42af1c969fbb7b	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\en-US\services.exe	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXD341.tmp	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXD342.tmp	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\c5b4cb5e9653cc	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\en-US\RCXD0CF.tmp	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\en-US\RCXD13D.tmp	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\services.exe	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1624	schtasks.exe
2720	schtasks.exe
988	schtasks.exe
1916	schtasks.exe
2844	schtasks.exe
1652	schtasks.exe
2596	schtasks.exe
2740	schtasks.exe
3060	schtasks.exe
2356	schtasks.exe
1932	schtasks.exe
2952	schtasks.exe
2848	schtasks.exe
2860	schtasks.exe
2116	schtasks.exe
1640	schtasks.exe
1712	schtasks.exe
2804	schtasks.exe
2832	schtasks.exe
2604	schtasks.exe
1696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1268	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
1268	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
1268	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
944	services.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1268	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
Token: SeDebugPrivilege	944	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 944	1268	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe	53
PID 1268 wrote to memory of 944	1268	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe	53
PID 1268 wrote to memory of 944	1268	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe	53

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
"C:\Users\Admin\AppData\Local\Temp\f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1268
- C:\Program Files\Windows NT\Accessories\en-US\services.exe
  "C:\Program Files\Windows NT\Accessories\en-US\services.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\en-US\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\RCXCE5E.tmp

Filesize
2.7MB

MD5
1ce681229ff644abf2c792561b058666

SHA1
55140db67570849cde8ba13168c881e62eef202f

SHA256
2cda94141b8d0f06b5c4a0c1200c65aa95a5f4135c5f400a854278cba916375c

SHA512
756e546a2abae27905297ee536e6e1f76557e6033461a2326f26a383c28e66c3b7dfd5ca185a915a034ca7eb92486f4941acdbc23a517bd4e50e612c66fbbbb6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe

Filesize
2.7MB

MD5
7c935427ecd47e8deb5ce641226d8980

SHA1
963be2aa84776697aabe1e77d9b0596ba3ff0020

SHA256
f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0da

SHA512
1afb5e8f858b71fa3efdf0acfd38855d735b928388866e19396b86a874b69b45b00ebbdde233f4fddce2c04eb14acb137acf511e335d327aeb7f98f6d9ac27b2

Download Submit
C:\Program Files\Windows NT\Accessories\en-US\services.exe

Filesize
2.7MB

MD5
4f348bdf16c46ea3eb2dfc150fcc311e

SHA1
738f61e159842b59e70b6edef1cb98f692fc1cea

SHA256
e2c51b5d0818aed37c4e325561651517d91d21a8c7c8ad296ee1fd7abe41c214

SHA512
3773959aaf7d9c22b6188030b29bb6df2204c64d9b75c49992a887a16229d38d15640e8dc27256fcfc6c5df85080d943be225714ef0a22ea2634f257d251c51c

Download Submit
memory/944-126-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/944-124-0x0000000000E70000-0x0000000001122000-memory.dmp

Filesize
2.7MB

Download
memory/1268-12-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/1268-14-0x0000000002550000-0x000000000255C000-memory.dmp

Filesize
48KB

Download
memory/1268-7-0x00000000009B0000-0x00000000009C6000-memory.dmp

Filesize
88KB

Download
memory/1268-8-0x0000000002200000-0x0000000002208000-memory.dmp

Filesize
32KB

Download
memory/1268-9-0x0000000002220000-0x000000000222A000-memory.dmp

Filesize
40KB

Download
memory/1268-10-0x0000000002230000-0x0000000002286000-memory.dmp

Filesize
344KB

Download
memory/1268-11-0x0000000002210000-0x0000000002222000-memory.dmp

Filesize
72KB

Download
memory/1268-0-0x000007FEF5EF3000-0x000007FEF5EF4000-memory.dmp

Filesize
4KB

Download
memory/1268-13-0x0000000002540000-0x0000000002548000-memory.dmp

Filesize
32KB

Download
memory/1268-6-0x00000000009A0000-0x00000000009B0000-memory.dmp

Filesize
64KB

Download
memory/1268-15-0x0000000002560000-0x000000000256E000-memory.dmp

Filesize
56KB

Download
memory/1268-16-0x0000000002570000-0x000000000257C000-memory.dmp

Filesize
48KB

Download
memory/1268-17-0x0000000002580000-0x000000000258A000-memory.dmp

Filesize
40KB

Download
memory/1268-18-0x0000000002590000-0x000000000259C000-memory.dmp

Filesize
48KB

Download
memory/1268-5-0x00000000007F0000-0x00000000007F8000-memory.dmp

Filesize
32KB

Download
memory/1268-4-0x0000000000980000-0x000000000099C000-memory.dmp

Filesize
112KB

Download
memory/1268-3-0x00000000007E0000-0x00000000007EE000-memory.dmp

Filesize
56KB

Download
memory/1268-2-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp

Filesize
9.9MB

Download
memory/1268-125-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp

Filesize
9.9MB

Download
memory/1268-1-0x00000000002A0000-0x0000000000552000-memory.dmp

Filesize
2.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads