njrat | 15b7bac15c90083ef0b56cfdcc9b565ab10c3f5590d7739839ba990ab2cdaa05

Analysis

max time kernel
128s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2023 06:46

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

joao.exe
Size

89KB
MD5

a88c703f3ec08baf49df569833dde633
SHA1

f5b47b14f247d4eb1fe0131255a43735b53bb366
SHA256

15b7bac15c90083ef0b56cfdcc9b565ab10c3f5590d7739839ba990ab2cdaa05
SHA512

391d54290d5aef71ead0d4cc5074d79c3b20dbe88bb8f617dd4029fc83d7b17064e58d95e90ecbb9c06716f1a03ff18622078a6d54d4b8d717d8daf9549fb307
SSDEEP

384:aRcqbCK0l4h7o9SVyDGvENuh46/gJkOmMSW38mRvR6JZlbw8hqIusZzZ2kgAD1vJ:ay30py6vhxaRpcnunF8u3EMyyCg

Score

10^/10

njrat joao evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

joao

0.tcp.sa.ngrok.io:11168

Mutex

e6a27426758a6eb3f469a160f094bed0

Attributes

reg_key
e6a27426758a6eb3f469a160f094bed0
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4712 netsh.exe

pid	process
4712	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

joao.exesvchost.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	joao.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e6a27426758a6eb3f469a160f094bed0.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e6a27426758a6eb3f469a160f094bed0.exe	svchost.exe

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

3780 svchost.exe

pid	process
3780	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\e6a27426758a6eb3f469a160f094bed0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e6a27426758a6eb3f469a160f094bed0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4056 taskkill.exe

pid	process
4056	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 7 IoCs

Processes:

explorer.execmd.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	explorer.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

svchost.exetaskkill.exeshutdown.exe

description	pid	process
Token: SeDebugPrivilege	3780	svchost.exe
Token: 33	3780	svchost.exe
Token: SeIncBasePriorityPrivilege	3780	svchost.exe
Token: 33	3780	svchost.exe
Token: SeIncBasePriorityPrivilege	3780	svchost.exe
Token: 33	3780	svchost.exe
Token: SeIncBasePriorityPrivilege	3780	svchost.exe
Token: 33	3780	svchost.exe
Token: SeIncBasePriorityPrivilege	3780	svchost.exe
Token: 33	3780	svchost.exe
Token: SeIncBasePriorityPrivilege	3780	svchost.exe
Token: 33	3780	svchost.exe
Token: SeIncBasePriorityPrivilege	3780	svchost.exe
Token: 33	3780	svchost.exe
Token: SeIncBasePriorityPrivilege	3780	svchost.exe
Token: 33	3780	svchost.exe
Token: SeIncBasePriorityPrivilege	3780	svchost.exe
Token: 33	3780	svchost.exe
Token: SeIncBasePriorityPrivilege	3780	svchost.exe
Token: 33	3780	svchost.exe
Token: SeIncBasePriorityPrivilege	3780	svchost.exe
Token: 33	3780	svchost.exe
Token: SeIncBasePriorityPrivilege	3780	svchost.exe
Token: 33	3780	svchost.exe
Token: SeIncBasePriorityPrivilege	3780	svchost.exe
Token: SeDebugPrivilege	4056	taskkill.exe
Token: 33	3780	svchost.exe
Token: SeIncBasePriorityPrivilege	3780	svchost.exe
Token: SeShutdownPrivilege	4720	shutdown.exe
Token: SeRemoteShutdownPrivilege	4720	shutdown.exe
Token: 33	3780	svchost.exe
Token: SeIncBasePriorityPrivilege	3780	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

explorer.exe

pid process

5084 explorer.exe
5084 explorer.exe

pid	process
5084	explorer.exe
5084	explorer.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

joao.exesvchost.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2604 wrote to memory of 3780	2604	joao.exe	svchost.exe
PID 2604 wrote to memory of 3780	2604	joao.exe	svchost.exe
PID 2604 wrote to memory of 3780	2604	joao.exe	svchost.exe
PID 3780 wrote to memory of 4712	3780	svchost.exe	netsh.exe
PID 3780 wrote to memory of 4712	3780	svchost.exe	netsh.exe
PID 3780 wrote to memory of 4712	3780	svchost.exe	netsh.exe
PID 3780 wrote to memory of 2016	3780	svchost.exe	cmd.exe
PID 3780 wrote to memory of 2016	3780	svchost.exe	cmd.exe
PID 3780 wrote to memory of 2016	3780	svchost.exe	cmd.exe
PID 3780 wrote to memory of 5108	3780	svchost.exe	cmd.exe
PID 3780 wrote to memory of 5108	3780	svchost.exe	cmd.exe
PID 3780 wrote to memory of 5108	3780	svchost.exe	cmd.exe
PID 5108 wrote to memory of 4056	5108	cmd.exe	taskkill.exe
PID 5108 wrote to memory of 4056	5108	cmd.exe	taskkill.exe
PID 5108 wrote to memory of 4056	5108	cmd.exe	taskkill.exe
PID 2016 wrote to memory of 1496	2016	cmd.exe	WScript.exe
PID 2016 wrote to memory of 1496	2016	cmd.exe	WScript.exe
PID 2016 wrote to memory of 1496	2016	cmd.exe	WScript.exe
PID 3780 wrote to memory of 772	3780	svchost.exe	cmd.exe
PID 3780 wrote to memory of 772	3780	svchost.exe	cmd.exe
PID 3780 wrote to memory of 772	3780	svchost.exe	cmd.exe
PID 3780 wrote to memory of 3240	3780	svchost.exe	cmd.exe
PID 3780 wrote to memory of 3240	3780	svchost.exe	cmd.exe
PID 3780 wrote to memory of 3240	3780	svchost.exe	cmd.exe
PID 3780 wrote to memory of 1444	3780	svchost.exe	cmd.exe
PID 3780 wrote to memory of 1444	3780	svchost.exe	cmd.exe
PID 3780 wrote to memory of 1444	3780	svchost.exe	cmd.exe
PID 3780 wrote to memory of 4104	3780	svchost.exe	cmd.exe
PID 3780 wrote to memory of 4104	3780	svchost.exe	cmd.exe
PID 3780 wrote to memory of 4104	3780	svchost.exe	cmd.exe
PID 3780 wrote to memory of 1964	3780	svchost.exe	cmd.exe
PID 3780 wrote to memory of 1964	3780	svchost.exe	cmd.exe
PID 3780 wrote to memory of 1964	3780	svchost.exe	cmd.exe
PID 3780 wrote to memory of 3712	3780	svchost.exe	cmd.exe
PID 3780 wrote to memory of 3712	3780	svchost.exe	cmd.exe
PID 3780 wrote to memory of 3712	3780	svchost.exe	cmd.exe
PID 1964 wrote to memory of 4136	1964	cmd.exe	explorer.exe
PID 1964 wrote to memory of 4136	1964	cmd.exe	explorer.exe
PID 1964 wrote to memory of 4136	1964	cmd.exe	explorer.exe
PID 3780 wrote to memory of 1424	3780	svchost.exe	cmd.exe
PID 3780 wrote to memory of 1424	3780	svchost.exe	cmd.exe
PID 3780 wrote to memory of 1424	3780	svchost.exe	cmd.exe
PID 3780 wrote to memory of 4688	3780	svchost.exe	cmd.exe
PID 3780 wrote to memory of 4688	3780	svchost.exe	cmd.exe
PID 3780 wrote to memory of 4688	3780	svchost.exe	cmd.exe
PID 3780 wrote to memory of 2648	3780	svchost.exe	cmd.exe
PID 3780 wrote to memory of 2648	3780	svchost.exe	cmd.exe
PID 3780 wrote to memory of 2648	3780	svchost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\joao.exe
"C:\Users\Admin\AppData\Local\Temp\joao.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2604

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3780

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:4712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8EED.tmp.bat" "
3⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6765.vbs"
4⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpACE6.tmp.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\SysWOW64\taskkill.exe
TASKKILL /F /IM EXPLORER.EXE
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB505.tmp.bat" "
3⤵
PID:772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB729.tmp.bat" "
3⤵
PID:3240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB9CA.tmp.bat" "
3⤵
PID:1444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD060.tmp.bat" "
3⤵
PID:4104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDE6B.tmp.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies registry class
PID:4136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE002.tmp.bat" "
3⤵
PID:3712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE13B.tmp.bat" "
3⤵
PID:1424

C:\Windows\SysWOW64\shutdown.exe
shutdown -r -t 1
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE63E.tmp.bat" "
3⤵
PID:4688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE70A.tmp.bat" "
3⤵
PID:2648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE872.tmp.bat" "
3⤵
PID:3488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE8C1.tmp.bat" "
3⤵
PID:980

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5084

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:3872

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3980855 /state1:0x41c64e6d
1⤵
PID:4904

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:2604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\20117.vbs
Filesize
15B

MD5
1571094ba67aca326126f75e3dc4891c

SHA1
5d910d777fafb73f6f32b49ccbb2d31a610e6a79

SHA256
e2998b6e6ec64c422e94a7af91f7b74916d8165ac4021f76f63f054ff65f10fa

SHA512
06191fd946c052df09bbddf1c30352469579d52bc0aa6038b18f233009961ded6c94d17fc4c874b11a3813390576a620889810b259230e143172cf38c53a3cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\6765.vbs
Filesize
15B

MD5
1571094ba67aca326126f75e3dc4891c

SHA1
5d910d777fafb73f6f32b49ccbb2d31a610e6a79

SHA256
e2998b6e6ec64c422e94a7af91f7b74916d8165ac4021f76f63f054ff65f10fa

SHA512
06191fd946c052df09bbddf1c30352469579d52bc0aa6038b18f233009961ded6c94d17fc4c874b11a3813390576a620889810b259230e143172cf38c53a3cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
89KB

MD5
a88c703f3ec08baf49df569833dde633

SHA1
f5b47b14f247d4eb1fe0131255a43735b53bb366

SHA256
15b7bac15c90083ef0b56cfdcc9b565ab10c3f5590d7739839ba990ab2cdaa05

SHA512
391d54290d5aef71ead0d4cc5074d79c3b20dbe88bb8f617dd4029fc83d7b17064e58d95e90ecbb9c06716f1a03ff18622078a6d54d4b8d717d8daf9549fb307

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
89KB

MD5
a88c703f3ec08baf49df569833dde633

SHA1
f5b47b14f247d4eb1fe0131255a43735b53bb366

SHA256
15b7bac15c90083ef0b56cfdcc9b565ab10c3f5590d7739839ba990ab2cdaa05

SHA512
391d54290d5aef71ead0d4cc5074d79c3b20dbe88bb8f617dd4029fc83d7b17064e58d95e90ecbb9c06716f1a03ff18622078a6d54d4b8d717d8daf9549fb307

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
89KB

MD5
a88c703f3ec08baf49df569833dde633

SHA1
f5b47b14f247d4eb1fe0131255a43735b53bb366

SHA256
15b7bac15c90083ef0b56cfdcc9b565ab10c3f5590d7739839ba990ab2cdaa05

SHA512
391d54290d5aef71ead0d4cc5074d79c3b20dbe88bb8f617dd4029fc83d7b17064e58d95e90ecbb9c06716f1a03ff18622078a6d54d4b8d717d8daf9549fb307

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8EED.tmp.bat
Filesize
114B

MD5
43e331b0b04228d37be65b4bc35d3eaa

SHA1
9b4c0308492f8e88b61b5ec3bfc5ab343781dbca

SHA256
e96b950444a3775b1f70929527ef85bdb6cb57dbdb13ea5b73ce1f91053238e5

SHA512
7b0239ee379b8f6848d362637b4ffaa18f8b9772f045bb882626f1a0f2dc693e0f5dca75a2bde9786666b3e41e5068e945f6ad6a47e86017d42bbe3510870569

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpACE6.tmp.bat
Filesize
55B

MD5
07b4bc97851f8703052e491426e0c7fa

SHA1
49faa15bebefef1bb4657b718dd22112ae6d69ae

SHA256
919e32e4e486eb117c0aa5f5359583e9e0e49062c959e120e126760647f7409c

SHA512
e04c6ec5e44b7d5245fd450ad57f30d16a95895c0dfca42a932fe6663197a6992e636381b3748c52eba665cf44aba1064ef58f8b45172bf9315f6ce07818a642

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB505.tmp.bat
Filesize
62B

MD5
273c2fb624cafc931245c7498e14546e

SHA1
0f0c1a86cde9c13849df8b4283ff8a79dd80ee42

SHA256
c295a1015d4bb45cb3bebe51598240444cf687f63e8aa63f647d6a8a5db54590

SHA512
7cb1908a9dd66c7bea734a657ff840087902ba070b085304cd26f0a47c396d69133cd9c5e2163f809c955f27c3f3a6b4162c6fe4441fe1804ef460f64e42ada3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB729.tmp.bat
Filesize
71B

MD5
37f01d6ccab71305cd64f0f25445e393

SHA1
42905b9b48864f01900cff140fdda47702fd57e2

SHA256
094b4643e5948328cd0d6e4200979df6f9a0c64b6734c35ae7acce4425b03bbb

SHA512
e232c4a64e6531b98ef47e8e6b6956a0251863fe49582d291ebc11646f1c62f2c0345db8f36e40c1d13e86590884ea2c68a77c5ae96ad1cee500e526aa09f389

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB9CA.tmp.bat
Filesize
39B

MD5
d0d513a2a98a16252656b4b8515bb78a

SHA1
a2dad5ff94bd33a4f7cdded0267e07b4f0153993

SHA256
3dd9157d05ff12cdff7f1838685c88aa936add945346060bb381a943c5f97ffb

SHA512
6975573460f950e1e90702af2083ba6cb7e9b1e089c48fba9432e16aae05812b43668627e2100bb2d97ab4ffc75f1c29201147e2ad0a1d34d4459fc5b4ff686d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD060.tmp.bat
Filesize
62B

MD5
1e5105c6d7b1f47fa320f57c3160a9ca

SHA1
4fe4691dda6d0788ec1c58bd5951b5fde869650b

SHA256
a1b5f7396941a2f9ce6081f13999116198c5f09397b8e94239373a4f2bf68897

SHA512
af17399276e26cd31ad993a142989014bcebf92d9607009d784f8a17237d61e3279cdf7945fed0d69f84b0c67713cec4832a39d8427cfd2bed1e1b37b4c55180

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDE6B.tmp.bat
Filesize
76B

MD5
c8577588a762597d30f33883d7127c9c

SHA1
58bcdd75c1635e674d554b1e4ad9f24e839451a1

SHA256
18f33f0b83ced85902480d3635eeb04c43f4f1fd615f951c5232d4867f9fc9d7

SHA512
d11cc940182b4a7c7c8641c0d2d9d7fa7b4ddabf2ba6682121bef3b0c72a2d4ce2ad3c6898673196ec35822c5fb1782f63ad0d7b0d4665de4cbff2e1bea1d1f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE002.tmp.bat
Filesize
185B

MD5
f0dfe96c58a7a81be2c6938f53e1f982

SHA1
fa31f1755bccdcdf14174f0eb30ba0cf8da41a81

SHA256
2b51af812899dad4305fccec8de8a17df5bc05ccc93c1ebac46acabde148889e

SHA512
91b40013604a84152ef8cf5fe10e5709828860857239a560d7e3a8222dec066716abe71323ddc47994ef41c862ff403a2d7041710af9a30e59f3e4e0201eadeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE63E.tmp.bat
Filesize
36B

MD5
9dda070f0b3c8e1265a3e83086a24330

SHA1
78816bcca6097d6bcb762ccec876cd0039bcc798

SHA256
ca267216bc5de02a35411263b65aa7eac303a24dc365351c2c476b19e50dc91b

SHA512
e617f450d8b058eb2a0f7e72fbf3fd8f288155a3e285dbc5561f5110d973b761f16f4956fc0cf638abe64df46eca9c8ed737cb8b10f34893fb759fdbe2d3f562

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE872.tmp.bat
Filesize
37B

MD5
f5726d253fe5d4ecc9568bd9999883ca

SHA1
8fec12574c36283782076dd020fe67bbd6c49b8b

SHA256
1ede0c20a3dc0fd37285a36f19be95d0770f162e199e3514713301ecc8d05687

SHA512
2bc5d23a1eac45030c181f585c1a44b74386779d1e6e9448e190210d4eae4f98273923b7e055985d06c17e629429098fa78fa11a365d40fc93406cf6a13c9ee6

Download Submit
memory/2604-133-0x0000000000FF0000-0x0000000001000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads