asyncrat | 4ecdc9f6ebd035e8738d54d42686d571b2723c3c07b431e9cd551cfe1d09b8d1

General

Target

4661d321d22ead59aa1dcf7805b9680e.exe
Size

156KB
MD5

4661d321d22ead59aa1dcf7805b9680e
SHA1

0e87ec191765cbb62e9103e4cebc754314002e7d
SHA256

4ecdc9f6ebd035e8738d54d42686d571b2723c3c07b431e9cd551cfe1d09b8d1
SHA512

33d35b16524a010dbb08155708a9a6ed217d677ad4121e84131a1e1c59cd5fc0baa1f9dc1289bcc57e63be7dbc271d82008080a9acc8a30ba9fee10a4f511832
SSDEEP

3072:O6HomkMh4smo4GvX9m7+VBe16y71T+w/2FbM44:3+obvtIZIy7Wl

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Default

C2

xxxprofxxx.dnsdojo.com:5126

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 12 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/948-59-0x0000000000400000-0x0000000000414000-memory.dmp	asyncrat
behavioral1/memory/948-60-0x0000000000400000-0x0000000000414000-memory.dmp	asyncrat
behavioral1/memory/948-61-0x0000000000400000-0x0000000000414000-memory.dmp	asyncrat
behavioral1/memory/948-62-0x000000000040FDEE-mapping.dmp	asyncrat
behavioral1/memory/948-64-0x0000000000400000-0x0000000000414000-memory.dmp	asyncrat
behavioral1/memory/948-66-0x0000000000400000-0x0000000000414000-memory.dmp	asyncrat
behavioral1/memory/112-83-0x000000000040FDEE-mapping.dmp	asyncrat
behavioral1/memory/112-86-0x0000000000080000-0x0000000000094000-memory.dmp	asyncrat
behavioral1/memory/112-90-0x0000000000080000-0x0000000000094000-memory.dmp	asyncrat
behavioral1/memory/112-93-0x0000000000080000-0x0000000000094000-memory.dmp	asyncrat
behavioral1/memory/1020-108-0x000000000040FDEE-mapping.dmp	asyncrat
behavioral1/memory/1772-129-0x000000000040FDEE-mapping.dmp	asyncrat

Executes dropped EXE 6 IoCs

Processes:

EregData.exeEregData.exeEregData.exeEregData.exeEregData.exeEregData.exe

pid process

1772 EregData.exe
112 EregData.exe
1108 EregData.exe
1020 EregData.exe
596 EregData.exe
1772 EregData.exe

pid	process
1772	EregData.exe
112	EregData.exe
1108	EregData.exe
1020	EregData.exe
596	EregData.exe
1772	EregData.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

4661d321d22ead59aa1dcf7805b9680e.exeEregData.exeEregData.exeEregData.exe

description	pid	process	target process
PID 1640 set thread context of 948	1640	4661d321d22ead59aa1dcf7805b9680e.exe	4661d321d22ead59aa1dcf7805b9680e.exe
PID 1772 set thread context of 112	1772	EregData.exe	EregData.exe
PID 1108 set thread context of 1020	1108	EregData.exe	EregData.exe
PID 596 set thread context of 1772	596	EregData.exe	EregData.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1336 schtasks.exe
1564 schtasks.exe
1368 schtasks.exe
1624 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

4661d321d22ead59aa1dcf7805b9680e.exe

pid process

948 4661d321d22ead59aa1dcf7805b9680e.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4661d321d22ead59aa1dcf7805b9680e.exe

description pid process

Token: SeDebugPrivilege 948 4661d321d22ead59aa1dcf7805b9680e.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

4661d321d22ead59aa1dcf7805b9680e.exe

pid process

948 4661d321d22ead59aa1dcf7805b9680e.exe

pid	process
1336	schtasks.exe
1564	schtasks.exe
1368	schtasks.exe
1624	schtasks.exe

pid	process
948	4661d321d22ead59aa1dcf7805b9680e.exe

description	pid	process
Token: SeDebugPrivilege	948	4661d321d22ead59aa1dcf7805b9680e.exe

pid	process
948	4661d321d22ead59aa1dcf7805b9680e.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4661d321d22ead59aa1dcf7805b9680e.execmd.exetaskeng.exeEregData.execmd.exeEregData.exe

description	pid	process	target process
PID 1640 wrote to memory of 948	1640	4661d321d22ead59aa1dcf7805b9680e.exe	4661d321d22ead59aa1dcf7805b9680e.exe
PID 1640 wrote to memory of 948	1640	4661d321d22ead59aa1dcf7805b9680e.exe	4661d321d22ead59aa1dcf7805b9680e.exe
PID 1640 wrote to memory of 948	1640	4661d321d22ead59aa1dcf7805b9680e.exe	4661d321d22ead59aa1dcf7805b9680e.exe
PID 1640 wrote to memory of 948	1640	4661d321d22ead59aa1dcf7805b9680e.exe	4661d321d22ead59aa1dcf7805b9680e.exe
PID 1640 wrote to memory of 948	1640	4661d321d22ead59aa1dcf7805b9680e.exe	4661d321d22ead59aa1dcf7805b9680e.exe
PID 1640 wrote to memory of 948	1640	4661d321d22ead59aa1dcf7805b9680e.exe	4661d321d22ead59aa1dcf7805b9680e.exe
PID 1640 wrote to memory of 948	1640	4661d321d22ead59aa1dcf7805b9680e.exe	4661d321d22ead59aa1dcf7805b9680e.exe
PID 1640 wrote to memory of 948	1640	4661d321d22ead59aa1dcf7805b9680e.exe	4661d321d22ead59aa1dcf7805b9680e.exe
PID 1640 wrote to memory of 948	1640	4661d321d22ead59aa1dcf7805b9680e.exe	4661d321d22ead59aa1dcf7805b9680e.exe
PID 1640 wrote to memory of 556	1640	4661d321d22ead59aa1dcf7805b9680e.exe	cmd.exe
PID 1640 wrote to memory of 556	1640	4661d321d22ead59aa1dcf7805b9680e.exe	cmd.exe
PID 1640 wrote to memory of 556	1640	4661d321d22ead59aa1dcf7805b9680e.exe	cmd.exe
PID 1640 wrote to memory of 556	1640	4661d321d22ead59aa1dcf7805b9680e.exe	cmd.exe
PID 1640 wrote to memory of 1408	1640	4661d321d22ead59aa1dcf7805b9680e.exe	cmd.exe
PID 1640 wrote to memory of 1408	1640	4661d321d22ead59aa1dcf7805b9680e.exe	cmd.exe
PID 1640 wrote to memory of 1408	1640	4661d321d22ead59aa1dcf7805b9680e.exe	cmd.exe
PID 1640 wrote to memory of 1408	1640	4661d321d22ead59aa1dcf7805b9680e.exe	cmd.exe
PID 1640 wrote to memory of 600	1640	4661d321d22ead59aa1dcf7805b9680e.exe	cmd.exe
PID 1640 wrote to memory of 600	1640	4661d321d22ead59aa1dcf7805b9680e.exe	cmd.exe
PID 1640 wrote to memory of 600	1640	4661d321d22ead59aa1dcf7805b9680e.exe	cmd.exe
PID 1640 wrote to memory of 600	1640	4661d321d22ead59aa1dcf7805b9680e.exe	cmd.exe
PID 1408 wrote to memory of 1336	1408	cmd.exe	schtasks.exe
PID 1408 wrote to memory of 1336	1408	cmd.exe	schtasks.exe
PID 1408 wrote to memory of 1336	1408	cmd.exe	schtasks.exe
PID 1408 wrote to memory of 1336	1408	cmd.exe	schtasks.exe
PID 1968 wrote to memory of 1772	1968	taskeng.exe	EregData.exe
PID 1968 wrote to memory of 1772	1968	taskeng.exe	EregData.exe
PID 1968 wrote to memory of 1772	1968	taskeng.exe	EregData.exe
PID 1968 wrote to memory of 1772	1968	taskeng.exe	EregData.exe
PID 1772 wrote to memory of 112	1772	EregData.exe	EregData.exe
PID 1772 wrote to memory of 112	1772	EregData.exe	EregData.exe
PID 1772 wrote to memory of 112	1772	EregData.exe	EregData.exe
PID 1772 wrote to memory of 112	1772	EregData.exe	EregData.exe
PID 1772 wrote to memory of 112	1772	EregData.exe	EregData.exe
PID 1772 wrote to memory of 112	1772	EregData.exe	EregData.exe
PID 1772 wrote to memory of 112	1772	EregData.exe	EregData.exe
PID 1772 wrote to memory of 112	1772	EregData.exe	EregData.exe
PID 1772 wrote to memory of 112	1772	EregData.exe	EregData.exe
PID 1772 wrote to memory of 1192	1772	EregData.exe	cmd.exe
PID 1772 wrote to memory of 1192	1772	EregData.exe	cmd.exe
PID 1772 wrote to memory of 1192	1772	EregData.exe	cmd.exe
PID 1772 wrote to memory of 1192	1772	EregData.exe	cmd.exe
PID 1772 wrote to memory of 1892	1772	EregData.exe	cmd.exe
PID 1772 wrote to memory of 1892	1772	EregData.exe	cmd.exe
PID 1772 wrote to memory of 1892	1772	EregData.exe	cmd.exe
PID 1772 wrote to memory of 1892	1772	EregData.exe	cmd.exe
PID 1772 wrote to memory of 1840	1772	EregData.exe	cmd.exe
PID 1772 wrote to memory of 1840	1772	EregData.exe	cmd.exe
PID 1772 wrote to memory of 1840	1772	EregData.exe	cmd.exe
PID 1772 wrote to memory of 1840	1772	EregData.exe	cmd.exe
PID 1892 wrote to memory of 1564	1892	cmd.exe	schtasks.exe
PID 1892 wrote to memory of 1564	1892	cmd.exe	schtasks.exe
PID 1892 wrote to memory of 1564	1892	cmd.exe	schtasks.exe
PID 1892 wrote to memory of 1564	1892	cmd.exe	schtasks.exe
PID 1968 wrote to memory of 1108	1968	taskeng.exe	EregData.exe
PID 1968 wrote to memory of 1108	1968	taskeng.exe	EregData.exe
PID 1968 wrote to memory of 1108	1968	taskeng.exe	EregData.exe
PID 1968 wrote to memory of 1108	1968	taskeng.exe	EregData.exe
PID 1108 wrote to memory of 1020	1108	EregData.exe	EregData.exe
PID 1108 wrote to memory of 1020	1108	EregData.exe	EregData.exe
PID 1108 wrote to memory of 1020	1108	EregData.exe	EregData.exe
PID 1108 wrote to memory of 1020	1108	EregData.exe	EregData.exe
PID 1108 wrote to memory of 1020	1108	EregData.exe	EregData.exe
PID 1108 wrote to memory of 1020	1108	EregData.exe	EregData.exe

C:\Users\Admin\AppData\Local\Temp\4661d321d22ead59aa1dcf7805b9680e.exe
"C:\Users\Admin\AppData\Local\Temp\4661d321d22ead59aa1dcf7805b9680e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Local\Temp\4661d321d22ead59aa1dcf7805b9680e.exe
"C:\Users\Admin\AppData\Local\Temp\4661d321d22ead59aa1dcf7805b9680e.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:948

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\EregData"
2⤵
PID:556

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\EregData\EregData.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\EregData\EregData.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1336

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\4661d321d22ead59aa1dcf7805b9680e.exe" "C:\Users\Admin\AppData\Roaming\EregData\EregData.exe"
2⤵
PID:600

C:\Windows\system32\taskeng.exe
taskeng.exe {B9E6F589-E38A-4A9E-8386-661D630AF1FE} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\AppData\Roaming\EregData\EregData.exe
C:\Users\Admin\AppData\Roaming\EregData\EregData.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1772

C:\Users\Admin\AppData\Roaming\EregData\EregData.exe
"C:\Users\Admin\AppData\Roaming\EregData\EregData.exe"
3⤵
- Executes dropped EXE
PID:112

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\EregData"
3⤵
PID:1192

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\EregData\EregData.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\EregData\EregData.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1564

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\EregData\EregData.exe" "C:\Users\Admin\AppData\Roaming\EregData\EregData.exe"
3⤵
PID:1840

C:\Users\Admin\AppData\Roaming\EregData\EregData.exe
C:\Users\Admin\AppData\Roaming\EregData\EregData.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1108

C:\Users\Admin\AppData\Roaming\EregData\EregData.exe
"C:\Users\Admin\AppData\Roaming\EregData\EregData.exe"
3⤵
- Executes dropped EXE
PID:1020

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\EregData"
3⤵
PID:760

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\EregData\EregData.exe'" /f
3⤵
PID:1728

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\EregData\EregData.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1368

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\EregData\EregData.exe" "C:\Users\Admin\AppData\Roaming\EregData\EregData.exe"
3⤵
PID:1976

C:\Users\Admin\AppData\Roaming\EregData\EregData.exe
C:\Users\Admin\AppData\Roaming\EregData\EregData.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:596

C:\Users\Admin\AppData\Roaming\EregData\EregData.exe
"C:\Users\Admin\AppData\Roaming\EregData\EregData.exe"
3⤵
- Executes dropped EXE
PID:1772

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\EregData"
3⤵
PID:1724

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\EregData\EregData.exe'" /f
3⤵
PID:992

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\EregData\EregData.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1624

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\EregData\EregData.exe" "C:\Users\Admin\AppData\Roaming\EregData\EregData.exe"
3⤵
PID:1616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\EregData\EregData.exe
Filesize
156KB

MD5
4661d321d22ead59aa1dcf7805b9680e

SHA1
0e87ec191765cbb62e9103e4cebc754314002e7d

SHA256
4ecdc9f6ebd035e8738d54d42686d571b2723c3c07b431e9cd551cfe1d09b8d1

SHA512
33d35b16524a010dbb08155708a9a6ed217d677ad4121e84131a1e1c59cd5fc0baa1f9dc1289bcc57e63be7dbc271d82008080a9acc8a30ba9fee10a4f511832

Download Submit
C:\Users\Admin\AppData\Roaming\EregData\EregData.exe
Filesize
156KB

MD5
4661d321d22ead59aa1dcf7805b9680e

SHA1
0e87ec191765cbb62e9103e4cebc754314002e7d

SHA256
4ecdc9f6ebd035e8738d54d42686d571b2723c3c07b431e9cd551cfe1d09b8d1

SHA512
33d35b16524a010dbb08155708a9a6ed217d677ad4121e84131a1e1c59cd5fc0baa1f9dc1289bcc57e63be7dbc271d82008080a9acc8a30ba9fee10a4f511832

Download Submit
C:\Users\Admin\AppData\Roaming\EregData\EregData.exe
Filesize
156KB

MD5
4661d321d22ead59aa1dcf7805b9680e

SHA1
0e87ec191765cbb62e9103e4cebc754314002e7d

SHA256
4ecdc9f6ebd035e8738d54d42686d571b2723c3c07b431e9cd551cfe1d09b8d1

SHA512
33d35b16524a010dbb08155708a9a6ed217d677ad4121e84131a1e1c59cd5fc0baa1f9dc1289bcc57e63be7dbc271d82008080a9acc8a30ba9fee10a4f511832

Download Submit
C:\Users\Admin\AppData\Roaming\EregData\EregData.exe
Filesize
156KB

MD5
4661d321d22ead59aa1dcf7805b9680e

SHA1
0e87ec191765cbb62e9103e4cebc754314002e7d

SHA256
4ecdc9f6ebd035e8738d54d42686d571b2723c3c07b431e9cd551cfe1d09b8d1

SHA512
33d35b16524a010dbb08155708a9a6ed217d677ad4121e84131a1e1c59cd5fc0baa1f9dc1289bcc57e63be7dbc271d82008080a9acc8a30ba9fee10a4f511832

Download Submit
C:\Users\Admin\AppData\Roaming\EregData\EregData.exe
Filesize
156KB

MD5
4661d321d22ead59aa1dcf7805b9680e

SHA1
0e87ec191765cbb62e9103e4cebc754314002e7d

SHA256
4ecdc9f6ebd035e8738d54d42686d571b2723c3c07b431e9cd551cfe1d09b8d1

SHA512
33d35b16524a010dbb08155708a9a6ed217d677ad4121e84131a1e1c59cd5fc0baa1f9dc1289bcc57e63be7dbc271d82008080a9acc8a30ba9fee10a4f511832

Download Submit
C:\Users\Admin\AppData\Roaming\EregData\EregData.exe
Filesize
156KB

MD5
4661d321d22ead59aa1dcf7805b9680e

SHA1
0e87ec191765cbb62e9103e4cebc754314002e7d

SHA256
4ecdc9f6ebd035e8738d54d42686d571b2723c3c07b431e9cd551cfe1d09b8d1

SHA512
33d35b16524a010dbb08155708a9a6ed217d677ad4121e84131a1e1c59cd5fc0baa1f9dc1289bcc57e63be7dbc271d82008080a9acc8a30ba9fee10a4f511832

Download Submit
C:\Users\Admin\AppData\Roaming\EregData\EregData.exe
Filesize
156KB

MD5
4661d321d22ead59aa1dcf7805b9680e

SHA1
0e87ec191765cbb62e9103e4cebc754314002e7d

SHA256
4ecdc9f6ebd035e8738d54d42686d571b2723c3c07b431e9cd551cfe1d09b8d1

SHA512
33d35b16524a010dbb08155708a9a6ed217d677ad4121e84131a1e1c59cd5fc0baa1f9dc1289bcc57e63be7dbc271d82008080a9acc8a30ba9fee10a4f511832

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/112-90-0x0000000000080000-0x0000000000094000-memory.dmp

Filesize
80KB

Download
memory/112-93-0x0000000000080000-0x0000000000094000-memory.dmp

Filesize
80KB

Download
memory/112-86-0x0000000000080000-0x0000000000094000-memory.dmp

Filesize
80KB

Download
memory/112-83-0x000000000040FDEE-mapping.dmp

Download
memory/556-67-0x0000000000000000-mapping.dmp

Download
memory/596-121-0x0000000000170000-0x000000000019E000-memory.dmp

Filesize
184KB

Download
memory/596-119-0x0000000000000000-mapping.dmp

Download
memory/600-69-0x0000000000000000-mapping.dmp

Download
memory/760-109-0x0000000000000000-mapping.dmp

Download
memory/948-60-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/948-57-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/948-66-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/948-62-0x000000000040FDEE-mapping.dmp

Download
memory/948-56-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/948-64-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/948-61-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/948-59-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/992-136-0x0000000000000000-mapping.dmp

Download
memory/1020-108-0x000000000040FDEE-mapping.dmp

Download
memory/1108-99-0x0000000000000000-mapping.dmp

Download
memory/1192-94-0x0000000000000000-mapping.dmp

Download
memory/1336-70-0x0000000000000000-mapping.dmp

Download
memory/1368-117-0x0000000000000000-mapping.dmp

Download
memory/1408-68-0x0000000000000000-mapping.dmp

Download
memory/1564-97-0x0000000000000000-mapping.dmp

Download
memory/1616-138-0x0000000000000000-mapping.dmp

Download
memory/1624-137-0x0000000000000000-mapping.dmp

Download
memory/1640-55-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/1640-54-0x0000000000A00000-0x0000000000A2E000-memory.dmp

Filesize
184KB

Download
memory/1724-135-0x0000000000000000-mapping.dmp

Download
memory/1728-112-0x0000000000000000-mapping.dmp

Download
memory/1772-129-0x000000000040FDEE-mapping.dmp

Download
memory/1772-73-0x0000000000000000-mapping.dmp

Download
memory/1772-75-0x0000000001220000-0x000000000124E000-memory.dmp

Filesize
184KB

Download
memory/1840-96-0x0000000000000000-mapping.dmp

Download
memory/1892-95-0x0000000000000000-mapping.dmp

Download
memory/1976-116-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads