parallax | fc97b364bebaf6b1b4baa16e906b4b9f9f8604034f0b9df1f7deb0418f3d229e

Analysis

max time kernel
123s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-02-2023 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dot.exe
Size

3.4MB
MD5

ac88204b208f187a908c6a1148b7aee8
SHA1

74b895683f51a69f1bce838ac174c019a796cb1a
SHA256

fc97b364bebaf6b1b4baa16e906b4b9f9f8604034f0b9df1f7deb0418f3d229e
SHA512

2f5e6fff1f98403e987dd6a6a50df757604c8abe474d88143f04c6df6c8bfb4e62652f8f29f19acd834fd865998feaec4f03e2d9a48434ecb8c2cfad5e8e5e27
SSDEEP

24576:7cqJge1JYGhCP3dbTb2XShCFVshuhBcomEl+11s3jYx9pcualicf2IZ:kyXALoh+eQEualt7Z

Score

10^/10

parallax rat

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 1 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral2/memory/5092-137-0x0000000000400000-0x0000000000778000-memory.dmp	parallax_rat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	dot.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Search64.exe.exe	DllHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Search64.exe.exe	DllHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	dot.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
5092	dot.exe
3672	AcroRd32.exe
3672	AcroRd32.exe
3672	AcroRd32.exe
3672	AcroRd32.exe
3672	AcroRd32.exe
3672	AcroRd32.exe
3672	AcroRd32.exe
3672	AcroRd32.exe
3672	AcroRd32.exe
3672	AcroRd32.exe
3672	AcroRd32.exe
3672	AcroRd32.exe
3672	AcroRd32.exe
3672	AcroRd32.exe
3672	AcroRd32.exe
3672	AcroRd32.exe
3672	AcroRd32.exe
3672	AcroRd32.exe
3672	AcroRd32.exe
3672	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2132	Explorer.EXE
Token: SeCreatePagefilePrivilege	2132	Explorer.EXE
Token: SeShutdownPrivilege	2132	Explorer.EXE
Token: SeCreatePagefilePrivilege	2132	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3672	AcroRd32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3672	AcroRd32.exe
3672	AcroRd32.exe
3672	AcroRd32.exe
3672	AcroRd32.exe
3672	AcroRd32.exe
3672	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 3672	5092	dot.exe	80
PID 5092 wrote to memory of 3672	5092	dot.exe	80
PID 5092 wrote to memory of 3672	5092	dot.exe	80
PID 5092 wrote to memory of 2132	5092	dot.exe	38
PID 3672 wrote to memory of 4952	3672	AcroRd32.exe	81
PID 3672 wrote to memory of 4952	3672	AcroRd32.exe	81
PID 3672 wrote to memory of 4952	3672	AcroRd32.exe	81
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 4272	4952	RdrCEF.exe	84
PID 4952 wrote to memory of 1520	4952	RdrCEF.exe	85
PID 4952 wrote to memory of 1520	4952	RdrCEF.exe	85
PID 4952 wrote to memory of 1520	4952	RdrCEF.exe	85
PID 4952 wrote to memory of 1520	4952	RdrCEF.exe	85
PID 4952 wrote to memory of 1520	4952	RdrCEF.exe	85
PID 4952 wrote to memory of 1520	4952	RdrCEF.exe	85
PID 4952 wrote to memory of 1520	4952	RdrCEF.exe	85
PID 4952 wrote to memory of 1520	4952	RdrCEF.exe	85
PID 4952 wrote to memory of 1520	4952	RdrCEF.exe	85
PID 4952 wrote to memory of 1520	4952	RdrCEF.exe	85
PID 4952 wrote to memory of 1520	4952	RdrCEF.exe	85
PID 4952 wrote to memory of 1520	4952	RdrCEF.exe	85
PID 4952 wrote to memory of 1520	4952	RdrCEF.exe	85
PID 4952 wrote to memory of 1520	4952	RdrCEF.exe	85
PID 4952 wrote to memory of 1520	4952	RdrCEF.exe	85
PID 4952 wrote to memory of 1520	4952	RdrCEF.exe	85

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2132
- C:\Users\Admin\AppData\Local\Temp\dot.exe
  "C:\Users\Admin\AppData\Local\Temp\dot.exe"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\XfHQb.pdf"
    3⤵
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3672
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4952
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F644D0E9EF462A7BE7EFB5FE223B20B0 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:4272
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=894981826B57EDEFD265FE243CC827BE --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=894981826B57EDEFD265FE243CC827BE --renderer-client-id=2 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:1520
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=7C41B0B9F5352A6B67464F7371352575 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=7C41B0B9F5352A6B67464F7371352575 --renderer-client-id=4 --mojo-platform-channel-handle=2164 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:220
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B05E18743DC0761BC325CCC0EF7E62C2 --mojo-platform-channel-handle=2552 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:4412
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F435865141C261A65AEC9CCC71D6E1D9 --mojo-platform-channel-handle=1796 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:1244
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=016B6C6E7BF0ED066793047B1F64AFE0 --mojo-platform-channel-handle=2196 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:548

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- Drops startup file
PID:1868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XfHQb.pdf

Filesize
33KB

MD5
30180336f09f66d50a46a31b0e67e580

SHA1
172af56223f37d7bec8ebc0ed3584bddbe167f88

SHA256
f361d01c7a799b937b182ebc961538b0609aa469651da1d7879605ec41b15c41

SHA512
d42cf1827accef0e73915d12b53c0cefeaad5a1fcf30dd9ca86187d5b234be81b6065394cc40a58d38bc6c841c21f732613db98fa1a69c1b7352932ff2fc1772

Download Submit
memory/5092-132-0x0000000000400000-0x0000000000778000-memory.dmp

Filesize
3.5MB

Download
memory/5092-137-0x0000000000400000-0x0000000000778000-memory.dmp

Filesize
3.5MB

Download
memory/5092-135-0x0000000002700000-0x00000000028A3000-memory.dmp

Filesize
1.6MB

Download
memory/5092-133-0x0000000002680000-0x00000000026FB000-memory.dmp

Filesize
492KB

Download
memory/5092-161-0x0000000002680000-0x00000000026FB000-memory.dmp

Filesize
492KB

Download