asyncrat | 12fce52d084a8c7efa638c88fa2307bca7c038a49fe566ebb05533cacf17efbd

max time kernel
1s
max time network
39s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
14/04/2025, 14:47

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

764KB
MD5

85e3d4ac5a6ef32fb93764c090ef32b7
SHA1

adedb0aab26d15cf96f66fda8b4cfbbdcc15ef52
SHA256

4e5cc8cb98584335400d00f0a0803c3e0202761f3fbe50bcab3858a80df255e1
SHA512

a7a037bde41bcd425be18a712e27a793185f7fde638e139bbd9d253c371cd9622385eda39cf91ab715ead2591cff5b8c9f5b31d903f138d8af7bab6a9001ccab
SSDEEP

12288:6MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Ufbj:6nsJ39LyjbJkQFMhmC+6GD9mH

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

quasar

Version

1.4.0

Botnet

svhost

151.177.61.79:4782

Mutex

a148a6d8-1253-4e62-bc5f-c0242dd62e69

Attributes

encryption_key
5BEC1A8BC6F8F695D1337C51454E0B7F3A4FE968
install_name
svhost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svhost
subdirectory
svhost

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

microsoftsys.ddns.net:4782

Mutex

67e0653d-eedf-4888-88ab-78e97eb2df27

Attributes

encryption_key
23E5F6D22FEE1750D36544A759A48349B064BC34
install_name
PerfWatson1.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svhost
subdirectory
KDOT

Extracted

Family

quasar

Version

1.4.1

Botnet

Nigga

yzs-42879.portmap.host:42879

Mutex

57d72303-b5e9-46aa-8cc4-9690809c1a9e

Attributes

encryption_key
F1EBDB1862062F9265C0B5AC4D02C76D026534D0
install_name
RuntimeBroker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
Temp

Extracted

Family

lumma

https://crib-endanger.sbs/api

https://faintbl0w.sbs/api

https://300snails.sbs/api

https://bored-light.sbs/api

https://3xc1aimbl0w.sbs/api

https://pull-trucker.sbs/api

https://fleez-inc.sbs/api

https://thicktoys.sbs/api

https://c0al1t1onmatch.cyou/api

Extracted

Family

stealc

Botnet

default

http://185.215.113.17

Attributes

url_path
/2fb6c2cc8dce150a.php

Extracted

Family

xworm

Version

5.0

127.0.0.1:8080

Mutex

aVbGJnLt4HRONX59

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Java

dez3452-33187.portmap.host:33187

Mutex

f0e53bcd-851e-44af-8fd5-07d8ab5ed968

Attributes

encryption_key
65439CE7DEF3E0FAF01C526FEA90388C9FD487A1
install_name
java.exe
log_directory
Logs
reconnect_delay
3000
startup_key
java ©
subdirectory
Programfiles

Extracted

Family

quasar

Version

1.5.0

Botnet

BruterV3

147.185.221.17:44915

Mutex

3b364ea6-0ab3-4606-8c9e-e2b51e68c3b8

Attributes

encryption_key
E679E56ABD1A0F53D68F323812B24E67488502F6
install_name
Bruter.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows_Host_Process
subdirectory
RealtekAudio

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

1.tcp.ap.ngrok.io:21049

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
chrome.exe
install_folder
%AppData%

aes.plain

Extracted

Family

redline

38.180.72.54:42814

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000300000001e730-721.dat	family_xworm
behavioral1/memory/5656-1048-0x0000000000E10000-0x0000000000E1E000-memory.dmp	family_xworm

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 11 IoCs

resource	yara_rule
behavioral1/files/0x0007000000024121-267.dat	family_quasar
behavioral1/memory/3540-275-0x00000000009E0000-0x0000000000A64000-memory.dmp	family_quasar
behavioral1/files/0x000700000001e112-311.dat	family_quasar
behavioral1/memory/1848-331-0x0000000000140000-0x0000000000464000-memory.dmp	family_quasar
behavioral1/memory/1764-359-0x00000000005D0000-0x00000000008F4000-memory.dmp	family_quasar
behavioral1/memory/5212-1559-0x0000029AAC780000-0x0000029AAC79A000-memory.dmp	family_quasar
behavioral1/files/0x000300000001e735-1561.dat	family_quasar
behavioral1/memory/5212-1478-0x0000029AAC260000-0x0000029AAC3B4000-memory.dmp	family_quasar
behavioral1/files/0x000300000001e734-1319.dat	family_quasar
behavioral1/memory/5964-1569-0x0000000000C20000-0x0000000000F6E000-memory.dmp	family_quasar
behavioral1/files/0x000300000001e72c-402.dat	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000600000001e72f-1676.dat	family_redline
behavioral1/memory/3644-1687-0x00000000006C0000-0x0000000000712000-memory.dmp	family_redline

Redline family
redline
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000200000001e71a-353.dat	family_asyncrat

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
6044	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe

Executes dropped EXE 3 IoCs

pid	Process
2828	._cache_4363463463464363463463463.exe
2052	Synaptics.exe
4244	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	4363463463464363463463463.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
14	raw.githubusercontent.com
21	raw.githubusercontent.com
31	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
5644	1580	WerFault.exe
1648	4344	WerFault.exe	101
1468	464	WerFault.exe	141

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
60	PING.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	4363463463464363463463463.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
60	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1900	schtasks.exe
3592	schtasks.exe
5856	schtasks.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 2828	4440	4363463463464363463463463.exe	88
PID 4440 wrote to memory of 2828	4440	4363463463464363463463463.exe	88
PID 4440 wrote to memory of 2828	4440	4363463463464363463463463.exe	88
PID 4440 wrote to memory of 2052	4440	4363463463464363463463463.exe	92
PID 4440 wrote to memory of 2052	4440	4363463463464363463463463.exe	92
PID 4440 wrote to memory of 2052	4440	4363463463464363463463463.exe	92
PID 2508 wrote to memory of 4244	2508	cmd.exe	115
PID 2508 wrote to memory of 4244	2508	cmd.exe	115
PID 2508 wrote to memory of 4244	2508	cmd.exe	115

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2828
- - C:\Users\Admin\AppData\Local\Temp\Files\svhost.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\svhost.exe"
    3⤵
    PID:3540
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\svhost.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1900
  - - C:\Users\Admin\AppData\Roaming\svhost\svhost.exe
      "C:\Users\Admin\AppData\Roaming\svhost\svhost.exe"
      4⤵
      PID:1448
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\svhost\svhost.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3592
- - C:\Users\Admin\AppData\Local\Temp\Files\Update.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Update.exe"
    3⤵
    PID:4480
- - C:\Users\Admin\AppData\Local\Temp\Files\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\RuntimeBroker.exe"
    3⤵
    PID:1764
  - - C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
      4⤵
      PID:3788
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\miEYAXhrXYbH.bat" "
        5⤵
        
        PID:6080
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5764
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:60
- - C:\Users\Admin\AppData\Local\Temp\Files\RMS1.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\RMS1.exe"
    3⤵
    PID:4064
- - C:\Users\Admin\AppData\Local\Temp\Files\built.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\built.exe"
    3⤵
    PID:5504
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\built.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5856
- - C:\Users\Admin\AppData\Local\Temp\Files\legendarik.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\legendarik.exe"
    3⤵
    PID:5320
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:3884
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2052
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    PID:3560
  - - C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe"
      4⤵
      PID:956
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe" "NJRat.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:6044
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 1096
        5⤵
        
        PID:5276
  - - C:\Users\Admin\AppData\Local\Temp\Files\neon.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\neon.exe"
      4⤵
      PID:3428
  - - C:\Users\Admin\AppData\Local\Temp\Files\Krishna33.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\Krishna33.exe"
      4⤵
      PID:1832
  - - C:\Users\Admin\AppData\Local\Temp\Files\CnyvVl.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\CnyvVl.exe"
      4⤵
      PID:1580
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:4644
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 864
        5⤵
        Program crash
        
        PID:5644
  - - C:\Users\Admin\AppData\Local\Temp\Files\alex1dskfmdsf.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\alex1dskfmdsf.exe"
      4⤵
      PID:4288
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:5584
  - - C:\Users\Admin\AppData\Local\Temp\Files\stealc_default.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\stealc_default.exe"
      4⤵
      PID:5620
  - - C:\Users\Admin\AppData\Local\Temp\Files\BruterV3.1.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\BruterV3.1.exe"
      4⤵
      PID:5212
  - - C:\Users\Admin\AppData\Local\Temp\Files\svchosd.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\svchosd.exe"
      4⤵
      PID:5568
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
        5⤵
        
        PID:5496
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" "C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
        5⤵
        
        PID:5152
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
        5⤵
        
        PID:6128
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" "C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
        5⤵
        
        PID:1344
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
        5⤵
        
        PID:1432
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" "C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
        5⤵
        
        PID:1764
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
        5⤵
        
        PID:5960
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" "C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
        5⤵
        
        PID:5508
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
        5⤵
        
        PID:3632
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" "C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
        5⤵
        
        PID:3096
  - - C:\Users\Admin\AppData\Local\Temp\Files\file.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\file.exe"
      4⤵
      PID:5328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Synaptics\Synaptics.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2508
- C:\ProgramData\Synaptics\Synaptics.exe
  C:\ProgramData\Synaptics\Synaptics.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4244
- - C:\Windows\SysWOW64\._cache_Synaptics.exe
    "C:\Windows\system32\._cache_Synaptics.exe"
    3⤵
    PID:3472
  - - C:\Windows\SysWOW64\Files\5hvzv2sl.exe
      "C:\Windows\System32\Files\5hvzv2sl.exe"
      4⤵
      PID:4344
    - - C:\Windows\SysWOW64\Files\5hvzv2sl.exe
        
        "C:\Windows\SysWOW64\Files\5hvzv2sl.exe"
        5⤵
        
        PID:3272
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 268
        5⤵
        Program crash
        
        PID:1648
  - - C:\Windows\SysWOW64\Files\built.exe
      "C:\Windows\System32\Files\built.exe"
      4⤵
      PID:1848
  - - C:\Windows\SysWOW64\Files\svhost.exe
      "C:\Windows\System32\Files\svhost.exe"
      4⤵
      PID:1296
  - - C:\Windows\SysWOW64\Files\zzzz1.exe
      "C:\Windows\System32\Files\zzzz1.exe"
      4⤵
      PID:4572
  - - C:\Windows\SysWOW64\Files\XClient.exe
      "C:\Windows\System32\Files\XClient.exe"
      4⤵
      PID:5656
  - - C:\Windows\SysWOW64\Files\Java.exe
      "C:\Windows\System32\Files\Java.exe"
      4⤵
      PID:5964
  - - C:\Windows\SysWOW64\Files\ScreenConnect.ClientSetup_2.exe
      "C:\Windows\System32\Files\ScreenConnect.ClientSetup_2.exe"
      4⤵
      PID:464
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 1412
        5⤵
        Program crash
        
        PID:1468
  - - C:\Windows\SysWOW64\Files\new1.exe
      "C:\Windows\System32\Files\new1.exe"
      4⤵
      PID:3644
  - - C:\Windows\SysWOW64\Files\SemiconductorNot.exe
      "C:\Windows\System32\Files\SemiconductorNot.exe"
      4⤵
      PID:2836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:4244
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4344 -ip 4344
  2⤵
  PID:4608
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1580 -ip 1580
  2⤵
  PID:2436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 464 -ip 464
  2⤵
  PID:5180

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:6000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe" ..
1⤵
PID:5336
- C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe
  C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe ..
  2⤵
  PID:5248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe" ..
1⤵
PID:5420
- C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe
  C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe ..
  2⤵
  PID:1952

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
764KB

MD5
85e3d4ac5a6ef32fb93764c090ef32b7

SHA1
adedb0aab26d15cf96f66fda8b4cfbbdcc15ef52

SHA256
4e5cc8cb98584335400d00f0a0803c3e0202761f3fbe50bcab3858a80df255e1

SHA512
a7a037bde41bcd425be18a712e27a793185f7fde638e139bbd9d253c371cd9622385eda39cf91ab715ead2591cff5b8c9f5b31d903f138d8af7bab6a9001ccab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svhost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe

Filesize
10KB

MD5
2a94f3960c58c6e70826495f76d00b85

SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\BruterV3.1.exe

Filesize
1.3MB

MD5
db0cc4d2477eb4d4b059fb95f23241de

SHA1
71b57e79039c10a01c5aee3b11c6c9305de82b40

SHA256
2387adbe7709475fee04203bc8209488de4235b222c9683fcf7143001858648b

SHA512
0f6924b07e28264f8cc9454f62cf4a88c909e65fa6e3a2ee119cfb7a5e531e6363fd1e2ce0e61bc6b1fb6fd3eef9d79b0aeba832175105d0dc98560d6facdbd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\CnyvVl.exe

Filesize
155KB

MD5
c3555ffa261822a6b1d04314c5370151

SHA1
b497c402641ee805e0e8aeae3e6d0600dc40a91d

SHA256
a8b4fb8e5e17df94c0caa0118382f193ec0fa63703b14d0efc12317f7b80f4ce

SHA512
d1c9471d10e795390347e26de3440ac85f6d9ce82c2dbe451917d9ae3e6d9bc1273b8a2a465df1d9fe678fa586dc4a8864378d1d2dfd85b6bfdcdab5810f65a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Krishna33.exe

Filesize
97KB

MD5
1ebef0766160be26918574b1645c1848

SHA1
c30739eeecb96079bcf6d4f40c94e35abb230e34

SHA256
3e664b59ba376749eb9b596b6499bf7edcec5d34382ead80964f9fe92a4c3c83

SHA512
01c42bb22a92543a3408c6f420593443357a53915937341b5eaf8563ee775dbdeba7af38e2df9c9cf249a512a5a42c65c4c4d39d100e8a4143e58fd235b85951

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe

Filesize
31KB

MD5
29a37b6532a7acefa7580b826f23f6dd

SHA1
a0f4f3a1c5e159b6e2dadaa6615c5e4eb762479f

SHA256
7a84dd83f4f00cf0723b76a6a56587bdce6d57bd8024cc9c55565a442806cf69

SHA512
a54e2b097ffdaa51d49339bd7d15d6e8770b02603e3c864a13e5945322e28eb2eebc32680c6ddddbad1d9a3001aa02e944b6cef86d4a260db7e4b50f67ac9818

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\RMS1.exe

Filesize
1.4MB

MD5
03b1ed4c105e5f473357dad1df17cf98

SHA1
faf5046ff19eafd3a59dcf85be30496f90b5b6b1

SHA256
6be5916900ffda93154db8c2c5dd28b9150f4c3aef74dbd4fd86390bc72845ba

SHA512
3f6f8a12d000b913dc8240542be6a64f991dc0802313782d038b971219308e7d381d4d96c25d98ee1b05bca127a9bbc69e3bd54f1722d8381f8060bb506a9765

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Update.exe

Filesize
108KB

MD5
ffc2637acde7b6db1823a2b3304a6c6c

SHA1
8eac6fb5415f9338b1b131c42ed15ea70da22096

SHA256
35efc0520b78a1b413afee5dbe5d8b0674eea2acfc7d943de70a99b5b2fd92ef

SHA512
3f9f0182d69b66ea6168717f8e7239a0726066e011be1983da874f76ee308e67ef55cd08a2d8990cd9e4a663bbbbf56c3445275d72e8330255b3d0dd3b98859a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\alex1dskfmdsf.exe

Filesize
1.1MB

MD5
3928c62b67fc0d7c1fb6bcce3b6a8d46

SHA1
e843b7b7524a46a273267a86e320c98bc09e6d44

SHA256
630e00afe98ad4c1db391b74a84b7822a3abb3867a34f2ba163a8bf26d8d4397

SHA512
1884b125c89e32b6e5924e87ad9af827ae7e950ac80411e00a58c465eed88060af72142f9c512e0323e1ade46061f56a5247351e1c1d5e268f2ba35b5e447857

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\file.exe

Filesize
225KB

MD5
af2379cc4d607a45ac44d62135fb7015

SHA1
39b6d40906c7f7f080e6befa93324dddadcbd9fa

SHA256
26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

SHA512
69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\legendarik.exe

Filesize
2.1MB

MD5
2a3fbf508bbf6c77fb9138e6bdc0c114

SHA1
8de41763cb3b5011ef1bb611fc258184b24ca258

SHA256
b87944aaa06658715496841be98f0f4791165f2d0d2a85267bf5fc80ef59f74f

SHA512
ed5cc3d07923986cc2751d1e5d833fc2a83de70fb68926378b9dbb0d83506ca7af39ce3a9bc46461c96bf5c2a35c04e106d56296b0d010a64a6c128057a9c84a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\neon.exe

Filesize
3.5MB

MD5
b3fd0e1003b1cd38402b6d32829f6135

SHA1
c9cedd6322fb83457f56b64b4624b07e2786f702

SHA256
e4a36be98f730d706d2ca97a5d687329a1cc7d4848daf698b7e21b6b9b577f31

SHA512
04692e0f80a75f78b533677cefe3db6607108abf19963d88e231925cfa13f1ec054811aebe53c82d238e732a999cd8d176107d50cf2ea5694d4177cbfd3b30f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\stealc_default.exe

Filesize
187KB

MD5
e78239a5b0223499bed12a752b893cad

SHA1
a429b46db791f433180ae4993ebb656d2f9393a4

SHA256
80befdb25413d68adbadd8f236a2e8c71b261d8befc04c99749e778b07bcde89

SHA512
cee5d5d4d32e5575852a412f6b3e17f8c0cbafe97fd92c7024934234a23c240dcc1f7a0452e2e5da949dec09dcfeb006e73862c5bbc549a2ab1cfb0241eaddfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\svchosd.exe

Filesize
213KB

MD5
a284b850e82b0fdaeea4159e23763216

SHA1
bbc1771b39431e8b091a220a07e7767b53e9f49a

SHA256
ff65fa5e209c564630a51be481c4b9950465f675a72ed3d32e66b9d6edac0a33

SHA512
c2a401a2e93694a2c1b2052de0c48a07e56bca2e649fba69de02f0775af5ddc9b5f7afa167234e9af39d373ee2b1102c8ac48a8f50f60b1f11d03b222a378a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\svhost.exe

Filesize
502KB

MD5
e3cfe28100238a1001c8cca4af39c574

SHA1
9b80ea180a8f4cec6f787b6b57e51dc10e740f75

SHA256
78f9c811e589ff1f25d363080ce8d338fa68f6d2a220b1dd0360e799bbc17a12

SHA512
511e8a150d6539f555470367933e5f35b00d129d3ed3e97954da57f402d18711dfc86c93acc26f5c2b1b18bd554b8ea4af1ad541cd2564b793acc65251757324

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp9D98.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l3mivo1o.4z5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\miEYAXhrXYbH.bat

Filesize
212B

MD5
f3983c33931dc4c5373087893287e05f

SHA1
09962696efbe01b6ce16a4d1f57838173fabffe3

SHA256
d8ada4b9c2f5f84aeb9d2d717aca56591f73b2ccdd9740bf95caf9f5fea52677

SHA512
9b8324266a95e3bd5611de99d378562af2e2822c40ed099868e76786b5cb9101e515a8967acfa5f3a8e8b9ef519215fc5d897134297b369a8d107b80aab4bd60

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe

Filesize
3.1MB

MD5
f4da021b8bc9d8ef1ff9ce30b0ab3b79

SHA1
998a833c28617bf3e215fe7a8c3552972da36851

SHA256
b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545

SHA512
77e30dfa5d917e0a2467217902b4a75e485f7419e31ea8fe09f6e721d5ba138a68cb354204f79a84e5167b771e3dfb86f182eec647b43dce70ee261b6b7f829c

Download Submit
C:\Windows\SysWOW64\Files\5hvzv2sl.exe

Filesize
730KB

MD5
cc3381bd320d2a249405b46982abe611

SHA1
32a5bc854726c829da2fbaed02ff8d41ea55e432

SHA256
781e958b54a63ef673857bfe9c0a5992eb44b06f15d5499f8e35e44b1e1c868c

SHA512
73c95936748b9edf103c28d558d885bfee070efc18d318581fb1723769a15bb642976bdfb93b36a0b68d869538e0ee3c1936d613240bf29d3ff64dbb3d20e2e4

Download Submit
C:\Windows\SysWOW64\Files\Java.exe

Filesize
3.3MB

MD5
f29f701e76e3a435acdd474a41fa60ba

SHA1
10f06b6fc259131d8b6a5423972a1e55b62ce478

SHA256
9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba

SHA512
0d5088f4f685b6d29edec7cc7e8bfe7c594fa6b3fde2a6b11ee977455d6fe088e04e899203171ff519cf9d2b5a78231f3650774cc17824219f43f947d13a86e9

Download Submit
C:\Windows\SysWOW64\Files\ScreenConnect.ClientSetup_2.exe

Filesize
5.4MB

MD5
657d75be7f740e2dbbd6a6f0d7e9de58

SHA1
c2f3afc9f9eecd893526e945442895643192edbb

SHA256
e118bad38fc36b21633207e9b13a2e777cd4365c421256de69b03b9adf38c57f

SHA512
05d1f167c991eb0d616afef080e603e1b2985c75e3f1a1dcde560e3b6b4c3e22fd7ab56df9ba2041e6a21ab62c3c67072f0b7fa180cc2b9fbf82735a3dab6bd5

Download Submit
C:\Windows\SysWOW64\Files\SemiconductorNot.exe

Filesize
1.1MB

MD5
7adfc6a2e7a5daa59d291b6e434a59f3

SHA1
e21ef8be7b78912bed36121404270e5597a3fe25

SHA256
fbb957b3e36ba1dda0b65986117fd8555041d747810a100b47da4a90a1dfd693

SHA512
30f56bd75fe83e8fb60a816c1a0322bc686863d7ab17a763fff977a88f5582c356b4fcfe7c0c9e3e5925bfee7fc44e4ea8b96f82a011ed5e7cd236253187181b

Download Submit
C:\Windows\SysWOW64\Files\XClient.exe

Filesize
33KB

MD5
5e667ea0d9c2c150967220e306fb148c

SHA1
772d22ffda2f5ae055cc39f5f3b7f2ce41c9c7c5

SHA256
ec0cef1c54254ab00469ec1d4884765e886f23ebeae6d7d84929e27a47492a00

SHA512
f575199a3ba2667b3872d6a96da29fd68c7026deb12a837c24f2e419f041a4fed0ba01f531403f7191eb12dc69329c279029db31dd738b488ed271410254eebb

Download Submit
C:\Windows\SysWOW64\Files\built.exe

Filesize
3.1MB

MD5
a813f565b05ee9df7e5db8dbbcc0fa43

SHA1
f508e738705163233b29ba54f4cb5ec4583d8df1

SHA256
ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156

SHA512
adb431c372c2e1d0f6019bedefe16a2253fcf76929ba7e2b9f9cc7a253137920615121a1a64f7003a43f39e8b17ace233daca32b2933b6953aa6cf558b834e2e

Download Submit
C:\Windows\SysWOW64\Files\new1.exe

Filesize
304KB

MD5
b5e07492b13633eacab4b4f57853b439

SHA1
673f25d3b8ca435846dc04eabf6f5b412d9e7ed5

SHA256
d86a4ac9ab81a74a638e659821fd1d76d9b240d2a4e9fd1dc25c387d356d9828

SHA512
cc555116a570db59dfae1beb8587ecda1a25f520bc7aa45423a276a56ab89d21c84cb60df336dc114e388760798399451f1431a9e290b2b4a4d078164bdab999

Download Submit
C:\Windows\SysWOW64\Files\zzzz1.exe

Filesize
5.3MB

MD5
36a627b26fae167e6009b4950ff15805

SHA1
f3cb255ab3a524ee05c8bab7b4c01c202906b801

SHA256
a2389de50f83a11d6fe99639fc5c644f6d4dcea6834ecbf90a4ead3d5f36274a

SHA512
2133aba3e2a41475b2694c23a9532c238abab0cbae7771de83f9d14a8b2c0905d44b1ba0b1f7aae501052f4eba0b6c74018d66c3cbc8e8e3443158438a621094

Download Submit
memory/464-1650-0x0000000000DE0000-0x0000000000DE8000-memory.dmp

Filesize
32KB

Download
memory/464-1657-0x0000000005920000-0x0000000005EC4000-memory.dmp

Filesize
5.6MB

Download
memory/464-1656-0x0000000004E80000-0x000000000502A000-memory.dmp

Filesize
1.7MB

Download
memory/464-1655-0x0000000004D40000-0x0000000004D62000-memory.dmp

Filesize
136KB

Download
memory/464-1651-0x0000000005080000-0x0000000005370000-memory.dmp

Filesize
2.9MB

Download
memory/464-1652-0x0000000004CB0000-0x0000000004D3C000-memory.dmp

Filesize
560KB

Download
memory/1580-399-0x0000000000FD0000-0x0000000000FFE000-memory.dmp

Filesize
184KB

Download
memory/1764-359-0x00000000005D0000-0x00000000008F4000-memory.dmp

Filesize
3.1MB

Download
memory/1832-354-0x0000000000980000-0x000000000099E000-memory.dmp

Filesize
120KB

Download
memory/1848-331-0x0000000000140000-0x0000000000464000-memory.dmp

Filesize
3.1MB

Download
memory/2052-130-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2052-927-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2828-129-0x000000007301E000-0x000000007301F000-memory.dmp

Filesize
4KB

Download
memory/2828-926-0x000000007301E000-0x000000007301F000-memory.dmp

Filesize
4KB

Download
memory/2828-137-0x0000000004890000-0x000000000492C000-memory.dmp

Filesize
624KB

Download
memory/2828-134-0x0000000000040000-0x0000000000048000-memory.dmp

Filesize
32KB

Download
memory/3272-377-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3272-379-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3428-316-0x0000000000860000-0x0000000000BDC000-memory.dmp

Filesize
3.5MB

Download
memory/3428-341-0x00000000236F0000-0x000000002378E000-memory.dmp

Filesize
632KB

Download
memory/3540-275-0x00000000009E0000-0x0000000000A64000-memory.dmp

Filesize
528KB

Download
memory/3644-1687-0x00000000006C0000-0x0000000000712000-memory.dmp

Filesize
328KB

Download
memory/3644-1689-0x0000000004FE0000-0x0000000005072000-memory.dmp

Filesize
584KB

Download
memory/3644-1690-0x0000000005170000-0x000000000517A000-memory.dmp

Filesize
40KB

Download
memory/3644-1709-0x0000000005C20000-0x0000000005C96000-memory.dmp

Filesize
472KB

Download
memory/3644-1712-0x0000000006410000-0x000000000642E000-memory.dmp

Filesize
120KB

Download
memory/3788-1596-0x000000001C910000-0x000000001C9C2000-memory.dmp

Filesize
712KB

Download
memory/3788-1595-0x000000001C800000-0x000000001C850000-memory.dmp

Filesize
320KB

Download
memory/4064-391-0x00000227CD500000-0x00000227CD62A000-memory.dmp

Filesize
1.2MB

Download
memory/4064-430-0x00000227CD630000-0x00000227CD755000-memory.dmp

Filesize
1.1MB

Download
memory/4064-389-0x00000227B2DD0000-0x00000227B2F30000-memory.dmp

Filesize
1.4MB

Download
memory/4064-397-0x00000227CD630000-0x00000227CD75C000-memory.dmp

Filesize
1.2MB

Download
memory/4064-1567-0x00000227B4C00000-0x00000227B4C4C000-memory.dmp

Filesize
304KB

Download
memory/4064-1566-0x00000227CD760000-0x00000227CD804000-memory.dmp

Filesize
656KB

Download
memory/4064-466-0x00000227CD630000-0x00000227CD755000-memory.dmp

Filesize
1.1MB

Download
memory/4064-464-0x00000227CD630000-0x00000227CD755000-memory.dmp

Filesize
1.1MB

Download
memory/4064-460-0x00000227CD630000-0x00000227CD755000-memory.dmp

Filesize
1.1MB

Download
memory/4064-458-0x00000227CD630000-0x00000227CD755000-memory.dmp

Filesize
1.1MB

Download
memory/4064-457-0x00000227CD630000-0x00000227CD755000-memory.dmp

Filesize
1.1MB

Download
memory/4064-454-0x00000227CD630000-0x00000227CD755000-memory.dmp

Filesize
1.1MB

Download
memory/4064-450-0x00000227CD630000-0x00000227CD755000-memory.dmp

Filesize
1.1MB

Download
memory/4064-449-0x00000227CD630000-0x00000227CD755000-memory.dmp

Filesize
1.1MB

Download
memory/4064-446-0x00000227CD630000-0x00000227CD755000-memory.dmp

Filesize
1.1MB

Download
memory/4064-444-0x00000227CD630000-0x00000227CD755000-memory.dmp

Filesize
1.1MB

Download
memory/4064-440-0x00000227CD630000-0x00000227CD755000-memory.dmp

Filesize
1.1MB

Download
memory/4064-438-0x00000227CD630000-0x00000227CD755000-memory.dmp

Filesize
1.1MB

Download
memory/4064-435-0x00000227CD630000-0x00000227CD755000-memory.dmp

Filesize
1.1MB

Download
memory/4064-452-0x00000227CD630000-0x00000227CD755000-memory.dmp

Filesize
1.1MB

Download
memory/4064-442-0x00000227CD630000-0x00000227CD755000-memory.dmp

Filesize
1.1MB

Download
memory/4064-433-0x00000227CD630000-0x00000227CD755000-memory.dmp

Filesize
1.1MB

Download
memory/4064-431-0x00000227CD630000-0x00000227CD755000-memory.dmp

Filesize
1.1MB

Download
memory/4064-462-0x00000227CD630000-0x00000227CD755000-memory.dmp

Filesize
1.1MB

Download
memory/4064-426-0x00000227CD630000-0x00000227CD755000-memory.dmp

Filesize
1.1MB

Download
memory/4064-424-0x00000227CD630000-0x00000227CD755000-memory.dmp

Filesize
1.1MB

Download
memory/4064-421-0x00000227CD630000-0x00000227CD755000-memory.dmp

Filesize
1.1MB

Download
memory/4064-418-0x00000227CD630000-0x00000227CD755000-memory.dmp

Filesize
1.1MB

Download
memory/4064-416-0x00000227CD630000-0x00000227CD755000-memory.dmp

Filesize
1.1MB

Download
memory/4064-414-0x00000227CD630000-0x00000227CD755000-memory.dmp

Filesize
1.1MB

Download
memory/4064-410-0x00000227CD630000-0x00000227CD755000-memory.dmp

Filesize
1.1MB

Download
memory/4064-408-0x00000227CD630000-0x00000227CD755000-memory.dmp

Filesize
1.1MB

Download
memory/4064-407-0x00000227CD630000-0x00000227CD755000-memory.dmp

Filesize
1.1MB

Download
memory/4064-469-0x00000227CD630000-0x00000227CD755000-memory.dmp

Filesize
1.1MB

Download
memory/4064-422-0x00000227CD630000-0x00000227CD755000-memory.dmp

Filesize
1.1MB

Download
memory/4064-412-0x00000227CD630000-0x00000227CD755000-memory.dmp

Filesize
1.1MB

Download
memory/4244-252-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4440-0-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/4440-128-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4480-294-0x00000000007C0000-0x00000000007E2000-memory.dmp

Filesize
136KB

Download
memory/5212-1559-0x0000029AAC780000-0x0000029AAC79A000-memory.dmp

Filesize
104KB

Download
memory/5212-1478-0x0000029AAC260000-0x0000029AAC3B4000-memory.dmp

Filesize
1.3MB

Download
memory/5568-1671-0x000000001B2F0000-0x000000001B312000-memory.dmp

Filesize
136KB

Download
memory/5568-1639-0x0000000000880000-0x00000000008BA000-memory.dmp

Filesize
232KB

Download
memory/5620-1558-0x00000000008D0000-0x0000000000B13000-memory.dmp

Filesize
2.3MB

Download
memory/5620-929-0x00000000008D0000-0x0000000000B13000-memory.dmp

Filesize
2.3MB

Download
memory/5656-1048-0x0000000000E10000-0x0000000000E1E000-memory.dmp

Filesize
56KB

Download
memory/5964-1569-0x0000000000C20000-0x0000000000F6E000-memory.dmp

Filesize
3.3MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads