njrat | 63d4943fbc9e572db52df96729327f29c0342f7b7f192d823dc7a322116f033d

General

Target

ad24b1319a3a895d8b83a0deae7eac57.exe
Size

78KB
MD5

ad24b1319a3a895d8b83a0deae7eac57
SHA1

81f2908cbb43a41fac8208a9805c06521331f512
SHA256

63d4943fbc9e572db52df96729327f29c0342f7b7f192d823dc7a322116f033d
SHA512

b061a04845024ed69a1da828f2c85f9f47ff8a5214db47231645db4eef639d18b7c1e6d97e0751ee977e84eca4e4561a8963f1d8468ac424f55a2844e4719231

Score

10^/10

njrat lime suricata trojan

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

Lime

C2

daudas.ddns.net:7075

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
12345

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
suricata: ET MALWARE njRAT/Bladabindi Variant (Lime) CnC Checkin
suricata: ET MALWARE njRAT/Bladabindi Variant (Lime) CnC Checkin
suricata
Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

680 Client.exe

pid	process
680	Client.exe

Drops startup file 2 IoCs

Processes:

Client.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1004 schtasks.exe
1868 schtasks.exe
4008 schtasks.exe
668 schtasks.exe

pid	process
1004	schtasks.exe
1868	schtasks.exe
4008	schtasks.exe
668	schtasks.exe

Kills process with taskkill 10 IoCs

evasion

Processes:

TASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exe

pid	process
1284	TASKKILL.exe
2320	TASKKILL.exe
2316	TASKKILL.exe
1188	TASKKILL.exe
504	TASKKILL.exe
2560	TASKKILL.exe
1308	TASKKILL.exe
1028	TASKKILL.exe
1192	TASKKILL.exe
2400	TASKKILL.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ad24b1319a3a895d8b83a0deae7eac57.exeClient.exead24b1319a3a895d8b83a0deae7eac57.exead24b1319a3a895d8b83a0deae7eac57.exe

pid	process
3716	ad24b1319a3a895d8b83a0deae7eac57.exe
3716	ad24b1319a3a895d8b83a0deae7eac57.exe
3716	ad24b1319a3a895d8b83a0deae7eac57.exe
3716	ad24b1319a3a895d8b83a0deae7eac57.exe
3716	ad24b1319a3a895d8b83a0deae7eac57.exe
3716	ad24b1319a3a895d8b83a0deae7eac57.exe
3716	ad24b1319a3a895d8b83a0deae7eac57.exe
3716	ad24b1319a3a895d8b83a0deae7eac57.exe
3716	ad24b1319a3a895d8b83a0deae7eac57.exe
3716	ad24b1319a3a895d8b83a0deae7eac57.exe
3716	ad24b1319a3a895d8b83a0deae7eac57.exe
3716	ad24b1319a3a895d8b83a0deae7eac57.exe
3716	ad24b1319a3a895d8b83a0deae7eac57.exe
3716	ad24b1319a3a895d8b83a0deae7eac57.exe
3716	ad24b1319a3a895d8b83a0deae7eac57.exe
680	Client.exe
1204	ad24b1319a3a895d8b83a0deae7eac57.exe
680	Client.exe
680	Client.exe
1204	ad24b1319a3a895d8b83a0deae7eac57.exe
1204	ad24b1319a3a895d8b83a0deae7eac57.exe
680	Client.exe
680	Client.exe
680	Client.exe
680	Client.exe
1204	ad24b1319a3a895d8b83a0deae7eac57.exe
1204	ad24b1319a3a895d8b83a0deae7eac57.exe
680	Client.exe
680	Client.exe
1204	ad24b1319a3a895d8b83a0deae7eac57.exe
1204	ad24b1319a3a895d8b83a0deae7eac57.exe
1204	ad24b1319a3a895d8b83a0deae7eac57.exe
1204	ad24b1319a3a895d8b83a0deae7eac57.exe
1204	ad24b1319a3a895d8b83a0deae7eac57.exe
1204	ad24b1319a3a895d8b83a0deae7eac57.exe
680	Client.exe
680	Client.exe
680	Client.exe
680	Client.exe
680	Client.exe
680	Client.exe
1204	ad24b1319a3a895d8b83a0deae7eac57.exe
1204	ad24b1319a3a895d8b83a0deae7eac57.exe
1204	ad24b1319a3a895d8b83a0deae7eac57.exe
1204	ad24b1319a3a895d8b83a0deae7eac57.exe
1204	ad24b1319a3a895d8b83a0deae7eac57.exe
1204	ad24b1319a3a895d8b83a0deae7eac57.exe
400	ad24b1319a3a895d8b83a0deae7eac57.exe
400	ad24b1319a3a895d8b83a0deae7eac57.exe
400	ad24b1319a3a895d8b83a0deae7eac57.exe
400	ad24b1319a3a895d8b83a0deae7eac57.exe
400	ad24b1319a3a895d8b83a0deae7eac57.exe
400	ad24b1319a3a895d8b83a0deae7eac57.exe
400	ad24b1319a3a895d8b83a0deae7eac57.exe
400	ad24b1319a3a895d8b83a0deae7eac57.exe
400	ad24b1319a3a895d8b83a0deae7eac57.exe
400	ad24b1319a3a895d8b83a0deae7eac57.exe
400	ad24b1319a3a895d8b83a0deae7eac57.exe
400	ad24b1319a3a895d8b83a0deae7eac57.exe
400	ad24b1319a3a895d8b83a0deae7eac57.exe
400	ad24b1319a3a895d8b83a0deae7eac57.exe
400	ad24b1319a3a895d8b83a0deae7eac57.exe
400	ad24b1319a3a895d8b83a0deae7eac57.exe
400	ad24b1319a3a895d8b83a0deae7eac57.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

ad24b1319a3a895d8b83a0deae7eac57.exeTASKKILL.exeTASKKILL.exeClient.exeTASKKILL.exeTASKKILL.exead24b1319a3a895d8b83a0deae7eac57.exeTASKKILL.exeTASKKILL.exead24b1319a3a895d8b83a0deae7eac57.exeTASKKILL.exeTASKKILL.exead24b1319a3a895d8b83a0deae7eac57.exeTASKKILL.exeTASKKILL.exe

description	pid	process
Token: SeDebugPrivilege	3716	ad24b1319a3a895d8b83a0deae7eac57.exe
Token: SeDebugPrivilege	504	TASKKILL.exe
Token: SeDebugPrivilege	1284	TASKKILL.exe
Token: SeDebugPrivilege	680	Client.exe
Token: SeDebugPrivilege	2560	TASKKILL.exe
Token: SeDebugPrivilege	1308	TASKKILL.exe
Token: SeDebugPrivilege	1204	ad24b1319a3a895d8b83a0deae7eac57.exe
Token: SeDebugPrivilege	2320	TASKKILL.exe
Token: SeDebugPrivilege	2316	TASKKILL.exe
Token: 33	680	Client.exe
Token: SeIncBasePriorityPrivilege	680	Client.exe
Token: 33	680	Client.exe
Token: SeIncBasePriorityPrivilege	680	Client.exe
Token: 33	680	Client.exe
Token: SeIncBasePriorityPrivilege	680	Client.exe
Token: 33	680	Client.exe
Token: SeIncBasePriorityPrivilege	680	Client.exe
Token: 33	680	Client.exe
Token: SeIncBasePriorityPrivilege	680	Client.exe
Token: 33	680	Client.exe
Token: SeIncBasePriorityPrivilege	680	Client.exe
Token: SeDebugPrivilege	400	ad24b1319a3a895d8b83a0deae7eac57.exe
Token: SeDebugPrivilege	1188	TASKKILL.exe
Token: SeDebugPrivilege	1028	TASKKILL.exe
Token: 33	680	Client.exe
Token: SeIncBasePriorityPrivilege	680	Client.exe
Token: 33	680	Client.exe
Token: SeIncBasePriorityPrivilege	680	Client.exe
Token: 33	680	Client.exe
Token: SeIncBasePriorityPrivilege	680	Client.exe
Token: 33	680	Client.exe
Token: SeIncBasePriorityPrivilege	680	Client.exe
Token: 33	680	Client.exe
Token: SeIncBasePriorityPrivilege	680	Client.exe
Token: 33	680	Client.exe
Token: SeIncBasePriorityPrivilege	680	Client.exe
Token: 33	680	Client.exe
Token: SeIncBasePriorityPrivilege	680	Client.exe
Token: SeDebugPrivilege	1248	ad24b1319a3a895d8b83a0deae7eac57.exe
Token: SeDebugPrivilege	2400	TASKKILL.exe
Token: SeDebugPrivilege	1192	TASKKILL.exe
Token: 33	680	Client.exe
Token: SeIncBasePriorityPrivilege	680	Client.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

ad24b1319a3a895d8b83a0deae7eac57.exeClient.exead24b1319a3a895d8b83a0deae7eac57.exead24b1319a3a895d8b83a0deae7eac57.exead24b1319a3a895d8b83a0deae7eac57.exe

description	pid	process	target process
PID 3716 wrote to memory of 504	3716	ad24b1319a3a895d8b83a0deae7eac57.exe	TASKKILL.exe
PID 3716 wrote to memory of 504	3716	ad24b1319a3a895d8b83a0deae7eac57.exe	TASKKILL.exe
PID 3716 wrote to memory of 504	3716	ad24b1319a3a895d8b83a0deae7eac57.exe	TASKKILL.exe
PID 3716 wrote to memory of 1284	3716	ad24b1319a3a895d8b83a0deae7eac57.exe	TASKKILL.exe
PID 3716 wrote to memory of 1284	3716	ad24b1319a3a895d8b83a0deae7eac57.exe	TASKKILL.exe
PID 3716 wrote to memory of 1284	3716	ad24b1319a3a895d8b83a0deae7eac57.exe	TASKKILL.exe
PID 3716 wrote to memory of 1368	3716	ad24b1319a3a895d8b83a0deae7eac57.exe	schtasks.exe
PID 3716 wrote to memory of 1368	3716	ad24b1319a3a895d8b83a0deae7eac57.exe	schtasks.exe
PID 3716 wrote to memory of 1368	3716	ad24b1319a3a895d8b83a0deae7eac57.exe	schtasks.exe
PID 3716 wrote to memory of 1004	3716	ad24b1319a3a895d8b83a0deae7eac57.exe	schtasks.exe
PID 3716 wrote to memory of 1004	3716	ad24b1319a3a895d8b83a0deae7eac57.exe	schtasks.exe
PID 3716 wrote to memory of 1004	3716	ad24b1319a3a895d8b83a0deae7eac57.exe	schtasks.exe
PID 3716 wrote to memory of 680	3716	ad24b1319a3a895d8b83a0deae7eac57.exe	Client.exe
PID 3716 wrote to memory of 680	3716	ad24b1319a3a895d8b83a0deae7eac57.exe	Client.exe
PID 3716 wrote to memory of 680	3716	ad24b1319a3a895d8b83a0deae7eac57.exe	Client.exe
PID 680 wrote to memory of 2560	680	Client.exe	TASKKILL.exe
PID 680 wrote to memory of 2560	680	Client.exe	TASKKILL.exe
PID 680 wrote to memory of 2560	680	Client.exe	TASKKILL.exe
PID 680 wrote to memory of 1308	680	Client.exe	TASKKILL.exe
PID 680 wrote to memory of 1308	680	Client.exe	TASKKILL.exe
PID 680 wrote to memory of 1308	680	Client.exe	TASKKILL.exe
PID 1204 wrote to memory of 2320	1204	ad24b1319a3a895d8b83a0deae7eac57.exe	TASKKILL.exe
PID 1204 wrote to memory of 2320	1204	ad24b1319a3a895d8b83a0deae7eac57.exe	TASKKILL.exe
PID 1204 wrote to memory of 2320	1204	ad24b1319a3a895d8b83a0deae7eac57.exe	TASKKILL.exe
PID 1204 wrote to memory of 2316	1204	ad24b1319a3a895d8b83a0deae7eac57.exe	TASKKILL.exe
PID 1204 wrote to memory of 2316	1204	ad24b1319a3a895d8b83a0deae7eac57.exe	TASKKILL.exe
PID 1204 wrote to memory of 2316	1204	ad24b1319a3a895d8b83a0deae7eac57.exe	TASKKILL.exe
PID 680 wrote to memory of 3500	680	Client.exe	schtasks.exe
PID 680 wrote to memory of 3500	680	Client.exe	schtasks.exe
PID 680 wrote to memory of 3500	680	Client.exe	schtasks.exe
PID 680 wrote to memory of 1868	680	Client.exe	schtasks.exe
PID 680 wrote to memory of 1868	680	Client.exe	schtasks.exe
PID 680 wrote to memory of 1868	680	Client.exe	schtasks.exe
PID 1204 wrote to memory of 2472	1204	ad24b1319a3a895d8b83a0deae7eac57.exe	schtasks.exe
PID 1204 wrote to memory of 2472	1204	ad24b1319a3a895d8b83a0deae7eac57.exe	schtasks.exe
PID 1204 wrote to memory of 2472	1204	ad24b1319a3a895d8b83a0deae7eac57.exe	schtasks.exe
PID 1204 wrote to memory of 4008	1204	ad24b1319a3a895d8b83a0deae7eac57.exe	schtasks.exe
PID 1204 wrote to memory of 4008	1204	ad24b1319a3a895d8b83a0deae7eac57.exe	schtasks.exe
PID 1204 wrote to memory of 4008	1204	ad24b1319a3a895d8b83a0deae7eac57.exe	schtasks.exe
PID 400 wrote to memory of 1028	400	ad24b1319a3a895d8b83a0deae7eac57.exe	TASKKILL.exe
PID 400 wrote to memory of 1028	400	ad24b1319a3a895d8b83a0deae7eac57.exe	TASKKILL.exe
PID 400 wrote to memory of 1028	400	ad24b1319a3a895d8b83a0deae7eac57.exe	TASKKILL.exe
PID 400 wrote to memory of 1188	400	ad24b1319a3a895d8b83a0deae7eac57.exe	TASKKILL.exe
PID 400 wrote to memory of 1188	400	ad24b1319a3a895d8b83a0deae7eac57.exe	TASKKILL.exe
PID 400 wrote to memory of 1188	400	ad24b1319a3a895d8b83a0deae7eac57.exe	TASKKILL.exe
PID 400 wrote to memory of 1724	400	ad24b1319a3a895d8b83a0deae7eac57.exe	schtasks.exe
PID 400 wrote to memory of 1724	400	ad24b1319a3a895d8b83a0deae7eac57.exe	schtasks.exe
PID 400 wrote to memory of 1724	400	ad24b1319a3a895d8b83a0deae7eac57.exe	schtasks.exe
PID 400 wrote to memory of 668	400	ad24b1319a3a895d8b83a0deae7eac57.exe	schtasks.exe
PID 400 wrote to memory of 668	400	ad24b1319a3a895d8b83a0deae7eac57.exe	schtasks.exe
PID 400 wrote to memory of 668	400	ad24b1319a3a895d8b83a0deae7eac57.exe	schtasks.exe
PID 1248 wrote to memory of 1192	1248	ad24b1319a3a895d8b83a0deae7eac57.exe	TASKKILL.exe
PID 1248 wrote to memory of 1192	1248	ad24b1319a3a895d8b83a0deae7eac57.exe	TASKKILL.exe
PID 1248 wrote to memory of 1192	1248	ad24b1319a3a895d8b83a0deae7eac57.exe	TASKKILL.exe
PID 1248 wrote to memory of 2400	1248	ad24b1319a3a895d8b83a0deae7eac57.exe	TASKKILL.exe
PID 1248 wrote to memory of 2400	1248	ad24b1319a3a895d8b83a0deae7eac57.exe	TASKKILL.exe
PID 1248 wrote to memory of 2400	1248	ad24b1319a3a895d8b83a0deae7eac57.exe	TASKKILL.exe

C:\Users\Admin\AppData\Local\Temp\ad24b1319a3a895d8b83a0deae7eac57.exe
"C:\Users\Admin\AppData\Local\Temp\ad24b1319a3a895d8b83a0deae7eac57.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3716

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM wscript.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:504

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM cmd.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1284

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
2⤵
PID:1368

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\ad24b1319a3a895d8b83a0deae7eac57.exe" /sc minute /mo 1
2⤵
- Creates scheduled task(s)
PID:1004

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM wscript.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM cmd.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
3⤵
PID:3500

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\Client.exe" /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:1868

C:\Users\Admin\AppData\Local\Temp\ad24b1319a3a895d8b83a0deae7eac57.exe
C:\Users\Admin\AppData\Local\Temp\ad24b1319a3a895d8b83a0deae7eac57.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM wscript.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM cmd.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
2⤵
PID:2472

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\ad24b1319a3a895d8b83a0deae7eac57.exe" /sc minute /mo 1
2⤵
- Creates scheduled task(s)
PID:4008

C:\Users\Admin\AppData\Local\Temp\ad24b1319a3a895d8b83a0deae7eac57.exe
C:\Users\Admin\AppData\Local\Temp\ad24b1319a3a895d8b83a0deae7eac57.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM wscript.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM cmd.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1188

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
2⤵
PID:1724

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\ad24b1319a3a895d8b83a0deae7eac57.exe" /sc minute /mo 1
2⤵
- Creates scheduled task(s)
PID:668

C:\Users\Admin\AppData\Local\Temp\ad24b1319a3a895d8b83a0deae7eac57.exe
C:\Users\Admin\AppData\Local\Temp\ad24b1319a3a895d8b83a0deae7eac57.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM wscript.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM cmd.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\ad24b1319a3a895d8b83a0deae7eac57.exe.log

MD5
6b062b48db9a8e149e10fefd80ab54ef

SHA1
1e72855f88c33b6ddce512b079bbe2e4aa2b6b57

SHA256
026518c621aa1e908fd3617fe1d684a6225393659345ad4f9c085fc4f6b3cf43

SHA512
b36007e2b0b71247979cdac1b17520cc37065c001464b4c70d642c8a059510d28ed8b57b7e4df59a43d99d69c588c1bab7b3c95c6a75c0ab98317246b56f7832

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

MD5
ad24b1319a3a895d8b83a0deae7eac57

SHA1
81f2908cbb43a41fac8208a9805c06521331f512

SHA256
63d4943fbc9e572db52df96729327f29c0342f7b7f192d823dc7a322116f033d

SHA512
b061a04845024ed69a1da828f2c85f9f47ff8a5214db47231645db4eef639d18b7c1e6d97e0751ee977e84eca4e4561a8963f1d8468ac424f55a2844e4719231

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

MD5
ad24b1319a3a895d8b83a0deae7eac57

SHA1
81f2908cbb43a41fac8208a9805c06521331f512

SHA256
63d4943fbc9e572db52df96729327f29c0342f7b7f192d823dc7a322116f033d

SHA512
b061a04845024ed69a1da828f2c85f9f47ff8a5214db47231645db4eef639d18b7c1e6d97e0751ee977e84eca4e4561a8963f1d8468ac424f55a2844e4719231

Download Submit
memory/400-138-0x00000000010F0000-0x00000000010F1000-memory.dmp

Filesize
4KB

Download
memory/504-117-0x0000000000000000-mapping.dmp

Download
memory/668-140-0x0000000000000000-mapping.dmp

Download
memory/680-122-0x0000000000000000-mapping.dmp

Download
memory/680-127-0x0000000002F10000-0x0000000002F11000-memory.dmp

Filesize
4KB

Download
memory/1004-121-0x0000000000000000-mapping.dmp

Download
memory/1028-136-0x0000000000000000-mapping.dmp

Download
memory/1188-137-0x0000000000000000-mapping.dmp

Download
memory/1192-141-0x0000000000000000-mapping.dmp

Download
memory/1204-131-0x0000000000650000-0x00000000006FE000-memory.dmp

Filesize
696KB

Download
memory/1248-143-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/1284-118-0x0000000000000000-mapping.dmp

Download
memory/1308-126-0x0000000000000000-mapping.dmp

Download
memory/1368-120-0x0000000000000000-mapping.dmp

Download
memory/1724-139-0x0000000000000000-mapping.dmp

Download
memory/1868-133-0x0000000000000000-mapping.dmp

Download
memory/2316-130-0x0000000000000000-mapping.dmp

Download
memory/2320-129-0x0000000000000000-mapping.dmp

Download
memory/2400-142-0x0000000000000000-mapping.dmp

Download
memory/2472-134-0x0000000000000000-mapping.dmp

Download
memory/2560-125-0x0000000000000000-mapping.dmp

Download
memory/3500-132-0x0000000000000000-mapping.dmp

Download
memory/3716-119-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/4008-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads