asyncrat | 8d7e0046922716f97deef518f2d9f05e7a7dc8c3b6065b8d01ed1844c05d1999

Analysis

max time kernel
582s
max time network
592s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08-07-2024 09:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New folder.zip
Size

1.2MB
MD5

622d5994b151cf2d039d32b5cdd83227
SHA1

312e0a45ffdbcf32e26f2699d3d3f7fdefbc020f
SHA256

8d7e0046922716f97deef518f2d9f05e7a7dc8c3b6065b8d01ed1844c05d1999
SHA512

5659576c8303688e320fbe4e3e4c5813a3cae7421fa6ffadc02743c22f24f0ad9c5aae65366fa5e980fa8cc099038054a4d391381deac4b41123cd9db36fe43a
SSDEEP

24576:KR5iks6CqE+i952S3R9JIIy6JknCd6n7MZlTfc+kVKbxTKQDFC:7D6JE552S3lJk86n7ATfc9VKbvC

Score

10^/10

asyncrat darkcomet default test persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

test

127.0.0.1:1604

Mutex

DCMIN_MUTEX-HWSPW2B

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
GwLxsmlWyDzE
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

127.0.0.1:8808

Mutex

QdNftpHJFSw4

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	test.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	test.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	test.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 3 IoCs

pid	Process
628	IMDCSC.exe
2348	IMDCSC.exe
2408	IMDCSC.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1428-6-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/files/0x000900000002346a-11.dat	upx
behavioral1/memory/628-18-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/1428-19-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/628-20-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/628-23-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/628-25-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/628-28-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/2348-31-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/2632-32-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/628-40-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/628-42-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/628-48-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/4896-49-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/2408-51-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/4896-52-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/628-59-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/628-62-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/628-64-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/628-65-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/628-66-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/628-67-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/628-69-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/628-73-0x0000000000400000-0x00000000004BB000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	test.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	test.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	test.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1015551233-1106003478-1645743776-1000\{49CADB0A-07E9-4FE0-AC3F-61E019237E3B}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1428	test.exe
Token: SeSecurityPrivilege	1428	test.exe
Token: SeTakeOwnershipPrivilege	1428	test.exe
Token: SeLoadDriverPrivilege	1428	test.exe
Token: SeSystemProfilePrivilege	1428	test.exe
Token: SeSystemtimePrivilege	1428	test.exe
Token: SeProfSingleProcessPrivilege	1428	test.exe
Token: SeIncBasePriorityPrivilege	1428	test.exe
Token: SeCreatePagefilePrivilege	1428	test.exe
Token: SeBackupPrivilege	1428	test.exe
Token: SeRestorePrivilege	1428	test.exe
Token: SeShutdownPrivilege	1428	test.exe
Token: SeDebugPrivilege	1428	test.exe
Token: SeSystemEnvironmentPrivilege	1428	test.exe
Token: SeChangeNotifyPrivilege	1428	test.exe
Token: SeRemoteShutdownPrivilege	1428	test.exe
Token: SeUndockPrivilege	1428	test.exe
Token: SeManageVolumePrivilege	1428	test.exe
Token: SeImpersonatePrivilege	1428	test.exe
Token: SeCreateGlobalPrivilege	1428	test.exe
Token: 33	1428	test.exe
Token: 34	1428	test.exe
Token: 35	1428	test.exe
Token: 36	1428	test.exe
Token: SeIncreaseQuotaPrivilege	628	IMDCSC.exe
Token: SeSecurityPrivilege	628	IMDCSC.exe
Token: SeTakeOwnershipPrivilege	628	IMDCSC.exe
Token: SeLoadDriverPrivilege	628	IMDCSC.exe
Token: SeSystemProfilePrivilege	628	IMDCSC.exe
Token: SeSystemtimePrivilege	628	IMDCSC.exe
Token: SeProfSingleProcessPrivilege	628	IMDCSC.exe
Token: SeIncBasePriorityPrivilege	628	IMDCSC.exe
Token: SeCreatePagefilePrivilege	628	IMDCSC.exe
Token: SeBackupPrivilege	628	IMDCSC.exe
Token: SeRestorePrivilege	628	IMDCSC.exe
Token: SeShutdownPrivilege	628	IMDCSC.exe
Token: SeDebugPrivilege	628	IMDCSC.exe
Token: SeSystemEnvironmentPrivilege	628	IMDCSC.exe
Token: SeChangeNotifyPrivilege	628	IMDCSC.exe
Token: SeRemoteShutdownPrivilege	628	IMDCSC.exe
Token: SeUndockPrivilege	628	IMDCSC.exe
Token: SeManageVolumePrivilege	628	IMDCSC.exe
Token: SeImpersonatePrivilege	628	IMDCSC.exe
Token: SeCreateGlobalPrivilege	628	IMDCSC.exe
Token: 33	628	IMDCSC.exe
Token: 34	628	IMDCSC.exe
Token: 35	628	IMDCSC.exe
Token: 36	628	IMDCSC.exe
Token: SeIncreaseQuotaPrivilege	2632	test.exe
Token: SeSecurityPrivilege	2632	test.exe
Token: SeTakeOwnershipPrivilege	2632	test.exe
Token: SeLoadDriverPrivilege	2632	test.exe
Token: SeSystemProfilePrivilege	2632	test.exe
Token: SeSystemtimePrivilege	2632	test.exe
Token: SeProfSingleProcessPrivilege	2632	test.exe
Token: SeIncBasePriorityPrivilege	2632	test.exe
Token: SeCreatePagefilePrivilege	2632	test.exe
Token: SeBackupPrivilege	2632	test.exe
Token: SeRestorePrivilege	2632	test.exe
Token: SeShutdownPrivilege	2632	test.exe
Token: SeDebugPrivilege	2632	test.exe
Token: SeSystemEnvironmentPrivilege	2632	test.exe
Token: SeChangeNotifyPrivilege	2632	test.exe
Token: SeRemoteShutdownPrivilege	2632	test.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
628	IMDCSC.exe
3440	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 628	1428	test.exe	101
PID 1428 wrote to memory of 628	1428	test.exe	101
PID 1428 wrote to memory of 628	1428	test.exe	101
PID 2632 wrote to memory of 2348	2632	test.exe	103
PID 2632 wrote to memory of 2348	2632	test.exe	103
PID 2632 wrote to memory of 2348	2632	test.exe	103
PID 4896 wrote to memory of 2408	4896	test.exe	105
PID 4896 wrote to memory of 2408	4896	test.exe	105
PID 4896 wrote to memory of 2408	4896	test.exe	105
PID 4420 wrote to memory of 1596	4420	purple.exe	109
PID 4420 wrote to memory of 1596	4420	purple.exe	109

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\New folder.zip"
1⤵
PID:4976

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2636

C:\Users\Admin\Desktop\New folder\New folder\New folder.exe
"C:\Users\Admin\Desktop\New folder\New folder\New folder.exe"
1⤵
PID:1596

C:\Users\Admin\Desktop\New folder\New folder\test.exe
"C:\Users\Admin\Desktop\New folder\New folder\test.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
  "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:628

C:\Users\Admin\Desktop\New folder\New folder\test.exe
"C:\Users\Admin\Desktop\New folder\New folder\test.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
  "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
  2⤵
  - Executes dropped EXE
  PID:2348

C:\Users\Admin\Desktop\New folder\New folder\test.exe
"C:\Users\Admin\Desktop\New folder\New folder\test.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
  "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
  2⤵
  - Executes dropped EXE
  PID:2408

C:\Users\Admin\Desktop\New folder\New folder\borat.exe
"C:\Users\Admin\Desktop\New folder\New folder\borat.exe"
1⤵
PID:3108

C:\Users\Admin\Desktop\New folder\New folder\AsyncClient.exe
"C:\Users\Admin\Desktop\New folder\New folder\AsyncClient.exe"
1⤵
PID:3912

C:\Users\Admin\Desktop\New folder\New folder\purple.exe
"C:\Users\Admin\Desktop\New folder\New folder\purple.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1596
- C:\Users\Admin\Desktop\New folder\New folder\purple.exe
  "C:\Users\Admin\Desktop\New folder\New folder\purple.exe"
  2⤵
  PID:3452

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3440

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\purple.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133649057823632201.txt

Filesize
75KB

MD5
5d97e9d907893e6e9034794c366f8411

SHA1
5e303504c9814ac45cf7d49819709be7184b02f8

SHA256
436868315167a58b88b45d49ad8c0ed2ca9074043cac513d6a142412455d12db

SHA512
b2e4f50f9d08f1337d8d8d650387730e8db31a46b2402cca5798f32f1463e7f29441709d803650af373ca4ede1407f268efd36f0597be9954f2bb3f66a868127

Download Submit
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe

Filesize
233KB

MD5
57d7353e387685191721e7853c1c7d42

SHA1
6307ddf86e023de9f3c32d3d6656279247ab1081

SHA256
aaac8b4d948186e3cc4ed5d6ca1b53b98c5e142bc31b1cd12e26d00558ff8ed4

SHA512
971e6ec9e3c6b0b47890825ccda0c2db94f77e1f68c67f3df6efafa233855fa3ddea4bac27dd12d262db42ca5efcce47e20e07ddf6cb6bfaa76d7aa463feab34

Download Submit
memory/628-65-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/628-48-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/628-23-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/628-66-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/628-28-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/628-18-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/628-67-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/628-40-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/628-42-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/628-25-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/628-20-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/628-73-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/628-69-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/628-59-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/628-64-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/628-62-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1428-19-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1428-6-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1596-83-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/2348-31-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2408-51-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2632-32-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/3108-60-0x0000000000850000-0x0000000000864000-memory.dmp

Filesize
80KB

Download
memory/3452-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3912-70-0x00000000008D0000-0x00000000008E2000-memory.dmp

Filesize
72KB

Download
memory/4284-86-0x0000022C9EC00000-0x0000022C9ED00000-memory.dmp

Filesize
1024KB

Download
memory/4284-112-0x0000022C9FFD0000-0x0000022C9FFF0000-memory.dmp

Filesize
128KB

Download
memory/4284-106-0x00000234A1100000-0x00000234A1120000-memory.dmp

Filesize
128KB

Download
memory/4284-90-0x00000234A1140000-0x00000234A1160000-memory.dmp

Filesize
128KB

Download
memory/4284-85-0x0000022C9EC00000-0x0000022C9ED00000-memory.dmp

Filesize
1024KB

Download
memory/4420-76-0x0000000000920000-0x00000000009D6000-memory.dmp

Filesize
728KB

Download
memory/4420-81-0x0000000006B70000-0x0000000006C0C000-memory.dmp

Filesize
624KB

Download
memory/4420-80-0x0000000005530000-0x000000000553A000-memory.dmp

Filesize
40KB

Download
memory/4420-79-0x0000000005570000-0x0000000005602000-memory.dmp

Filesize
584KB

Download
memory/4420-78-0x0000000005980000-0x0000000005F24000-memory.dmp

Filesize
5.6MB

Download
memory/4896-49-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4896-52-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads