njrat | e4a5cdf0d2253a2aa6ee40543ad9f7b3fcc90b45cfe3c4061e5d7b981a6de9c8

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2023 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aaab30336a8cb56d2e1be9284ade4f6a.exe
Size

1.2MB
MD5

aaab30336a8cb56d2e1be9284ade4f6a
SHA1

9e8579aecbd4f4c1a7c350b62700579158ff9f9d
SHA256

e4a5cdf0d2253a2aa6ee40543ad9f7b3fcc90b45cfe3c4061e5d7b981a6de9c8
SHA512

6ad7e0ca071ce595a3426779bca22bba705ce61ad7f5d414b00297b7623a218adf89973e0ab31a4b880350024a4333f8430ef19765612e9a4dcf6217ab33a84b
SSDEEP

24576:qDWHSb4N0pEoGKT+CbyGbtxtKFZ2XmaHvLkpqzKIsI:584+pE2SCbVCFDyvLkoOIsI

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

172.111.136.100:5000

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	merged211.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	merged21.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	merged2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	paylod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	aaab30336a8cb56d2e1be9284ade4f6a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	merged3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	merged2111.sfx.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	paylod.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Payload.exe

Executes dropped EXE 8 IoCs

pid	Process
5052	merged3.exe
3972	merged2111.sfx.exe
2932	merged211.exe
2008	merged21.sfx.exe
5024	merged2.exe
4672	paylod.exe
4392	merged.exe
740	Payload.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe"	paylod.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	740	Payload.exe
Token: 33	740	Payload.exe
Token: SeIncBasePriorityPrivilege	740	Payload.exe
Token: 33	740	Payload.exe
Token: SeIncBasePriorityPrivilege	740	Payload.exe
Token: 33	740	Payload.exe
Token: SeIncBasePriorityPrivilege	740	Payload.exe
Token: 33	740	Payload.exe
Token: SeIncBasePriorityPrivilege	740	Payload.exe
Token: 33	740	Payload.exe
Token: SeIncBasePriorityPrivilege	740	Payload.exe
Token: 33	740	Payload.exe
Token: SeIncBasePriorityPrivilege	740	Payload.exe
Token: 33	740	Payload.exe
Token: SeIncBasePriorityPrivilege	740	Payload.exe
Token: 33	740	Payload.exe
Token: SeIncBasePriorityPrivilege	740	Payload.exe
Token: 33	740	Payload.exe
Token: SeIncBasePriorityPrivilege	740	Payload.exe
Token: 33	740	Payload.exe
Token: SeIncBasePriorityPrivilege	740	Payload.exe
Token: 33	740	Payload.exe
Token: SeIncBasePriorityPrivilege	740	Payload.exe
Token: 33	740	Payload.exe
Token: SeIncBasePriorityPrivilege	740	Payload.exe
Token: 33	740	Payload.exe
Token: SeIncBasePriorityPrivilege	740	Payload.exe
Token: 33	740	Payload.exe
Token: SeIncBasePriorityPrivilege	740	Payload.exe
Token: 33	740	Payload.exe
Token: SeIncBasePriorityPrivilege	740	Payload.exe
Token: 33	740	Payload.exe
Token: SeIncBasePriorityPrivilege	740	Payload.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 5052	4376	aaab30336a8cb56d2e1be9284ade4f6a.exe	90
PID 4376 wrote to memory of 5052	4376	aaab30336a8cb56d2e1be9284ade4f6a.exe	90
PID 4376 wrote to memory of 5052	4376	aaab30336a8cb56d2e1be9284ade4f6a.exe	90
PID 5052 wrote to memory of 3972	5052	merged3.exe	92
PID 5052 wrote to memory of 3972	5052	merged3.exe	92
PID 5052 wrote to memory of 3972	5052	merged3.exe	92
PID 3972 wrote to memory of 2932	3972	merged2111.sfx.exe	93
PID 3972 wrote to memory of 2932	3972	merged2111.sfx.exe	93
PID 3972 wrote to memory of 2932	3972	merged2111.sfx.exe	93
PID 2932 wrote to memory of 2008	2932	merged211.exe	94
PID 2932 wrote to memory of 2008	2932	merged211.exe	94
PID 2932 wrote to memory of 2008	2932	merged211.exe	94
PID 2008 wrote to memory of 5024	2008	merged21.sfx.exe	95
PID 2008 wrote to memory of 5024	2008	merged21.sfx.exe	95
PID 2008 wrote to memory of 5024	2008	merged21.sfx.exe	95
PID 5024 wrote to memory of 4672	5024	merged2.exe	96
PID 5024 wrote to memory of 4672	5024	merged2.exe	96
PID 5024 wrote to memory of 4672	5024	merged2.exe	96
PID 5024 wrote to memory of 4392	5024	merged2.exe	97
PID 5024 wrote to memory of 4392	5024	merged2.exe	97
PID 5024 wrote to memory of 4392	5024	merged2.exe	97
PID 4672 wrote to memory of 740	4672	paylod.exe	102
PID 4672 wrote to memory of 740	4672	paylod.exe	102
PID 4672 wrote to memory of 740	4672	paylod.exe	102
PID 4672 wrote to memory of 4476	4672	paylod.exe	101
PID 4672 wrote to memory of 4476	4672	paylod.exe	101
PID 4672 wrote to memory of 4476	4672	paylod.exe	101

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4476	attrib.exe

C:\Users\Admin\AppData\Local\Temp\aaab30336a8cb56d2e1be9284ade4f6a.exe
"C:\Users\Admin\AppData\Local\Temp\aaab30336a8cb56d2e1be9284ade4f6a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\merged3.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\merged3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\merged2111.sfx.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\merged2111.sfx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3972
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\merged211.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\merged211.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2932
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\merged21.sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\merged21.sfx.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2008
      - C:\Users\Admin\AppData\Local\Temp\RarSFX0\merged2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\merged2.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\paylod.exe
        
        "C:\Users\Admin\AppData\Local\Temp\paylod.exe"
        7⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
        8⤵
        Views/modifies file attributes
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\Payload.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
        8⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\merged.exe
        
        "C:\Users\Admin\AppData\Local\Temp\merged.exe"
        7⤵
        Executes dropped EXE
        
        PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\merged2.exe

Filesize
9KB

MD5
4d5a5887921f03ba96134c9d2091b2cf

SHA1
012255e50b5be488dc918787da75166c530850df

SHA256
672639ea50ed38018de6a7414f54b45bd47f40f6143fbf844bc54e97fceb8ee3

SHA512
bd10de867a6414005db5a5fa895e15178fcfca9cfddf3ab7881dd5dd67a3689326a6150debc73c6636993d1dd6747e1f7b288addcbece37cc8bc8010c825bc29

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\merged2.exe

Filesize
12KB

MD5
14e72bb89e59c5a6b0539c532a1ce655

SHA1
3d06ed9bd0e5398e11d0d9ab85e1ead2d33f07e0

SHA256
04dcf96e15aa16cd62a0b9b76e813377d9f87e0651d9845f2a12265e676beaf5

SHA512
5f8b71e0978e5625711b5148010bdb72a1d19e54f2154b8bfe727625b69999ba6af9eede2627f436f7dec3448cde3ae84610761104f39dceb7fa77b6edef92b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\merged2.exe

Filesize
44KB

MD5
ff162f7e9daa2b2fb61f55de88fb2de9

SHA1
e978a7ac22e29d1a00b9626e00913878dad5aa4f

SHA256
fb285d7622d9127b0d2d86926734d5e7418f6da90c9ccf77d99b1d6b0174f2ef

SHA512
d1e2ae9f93a739262cb6183441fb2f2c1211e75118a462f1e8dd3693c96f764a32f17072174f40a7bf1af6202dcf20468f0353a5e6daec97c980607abd006842

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\merged21.sfx.exe

Filesize
49KB

MD5
89c3dd6b2d325ed103f9e0fdf855728f

SHA1
4b19cd527e57b362c205cc250d8a1c055dc6891c

SHA256
ddb36bfcd402d4bd8dc068243b9913caebb6568bd331136bdc95967193a7af8b

SHA512
a825d0a5bc8dec027f5b194b1a2605b1d27c2c4b4259a0537ccfcc1d84b3516b5c9f833f8b23972959f39c9d19a04ae88c76bc57480e07aeb084b21c3d5f9624

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\merged21.sfx.exe

Filesize
5KB

MD5
c785b5309cc2a927650f1e1e1c29e830

SHA1
83df34d5885916420c594194fa23f5587a983975

SHA256
9e0bab60d99621e2d2f72c711fc9189855b3c340bcc6f5321f9de917618e949f

SHA512
2b97b1758ae82653113804a1af60da8724a3b0e5362c1b31ee94c34749729d89d875817710f5df9c3d555980c42bb89844016d978225b65d622f32dfb0e266f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\merged211.exe

Filesize
121KB

MD5
664518af1355358bb0274e7d4287d9ca

SHA1
6f3f5bc6599055d1b465aa805a99985998dd4a8c

SHA256
4dbc16f39589fb4b4d4453d7c097b271c13d522dc0d831a539630aaae3ba58eb

SHA512
df6127c0b16bd3fd763c13eb1315a093567cabc4dbeeabc970109f0394fbc5de63c9d45c3fd3dfada7aa8cd539d2e1c7f39e1b8b3bb83edfaee5f6838d8de2b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\merged211.exe

Filesize
84KB

MD5
a5cacf788b91b8b7041a16e9743be8db

SHA1
0bf0ab0245fb912e96c4e056ef8d6319a2c168d3

SHA256
6455976e275ad733bcd2fd67c09d4645cd915aa1d242e72e0cbf7e56650d1002

SHA512
39cee89256bdedd1e08bd4e78323305d5f1c05629d44133423facd53a8957145ebc9d78dc5168578bb33f92191b0dc202d0b906ed80b0b4d898c87de026fd6b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\merged2111.sfx.exe

Filesize
78KB

MD5
8f48c17521e8980eac07f9bf65008baf

SHA1
a7ded5ad27d49607155aa0ff11c9edd3d72926d7

SHA256
3a57312c9f13053b36ce507d04eabf43e51727eefec7c409c05358fc1c0a0dcf

SHA512
5534742b2924a0e2ca26d8ddfa84d42154edd269be164f41c860054d9cd5eb258abb6b43b301668e38cfb891c2c06afd470b898822c6032939e569a59a7a9cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\merged2111.sfx.exe

Filesize
140KB

MD5
5b7eb60357a6622645d50542d20bafa0

SHA1
bdae324819686731ac91564ff4deea334fa9b20d

SHA256
48f2d7b2b8e2bdd30af99b7a0817385a195e0e24bff380be955ee196ba23264a

SHA512
80e19be1c9288c6399033c9abfe0435c04c1aed4217d7258bf35e28df0046b4ba29597ca7e4f7a678fb5e232ee8e76926d21f24ef6e1019825c317b0e0a79666

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\merged3.exe

Filesize
990KB

MD5
9f45055bc0720ec3905574804d1a6460

SHA1
c72da5436e5eda884d91850e1d1452555430c34c

SHA256
6b7f835748a62f165536b3995a273585feb74410e152590a1333954746d25c6a

SHA512
8a781e621d0ae69e20684de0a9dcdbd56d5f1ca70de95fd999d9e3eda2b0c9f149a5df3715710acc7994bbd847ce8b552d37df1ec3bf5716c2b49188f0b56e7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\merged3.exe

Filesize
409KB

MD5
d7af86e97276cfec8ddf489174993083

SHA1
e1db7125bac15625de9fcde2bc4a654a40d19907

SHA256
9d21d09a5e8bd9f256c04c667debedd27c2d1b4c71d28ee7977e0163c16c5a29

SHA512
6e1b153950cb8532e005887da5518df12ff447e0a69267516cd37ab97be938b05a0739d4b34360459e3152fb032f9d7c1e4c30f377818f85af1f1148c8b59269

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\merged3.exe

Filesize
246KB

MD5
fcab10b195790fdcc84a8ef5831bc3fb

SHA1
d8043827a50c574b6d3ec2a1f362b998bc4c0d27

SHA256
4db34b8e3ba50dbf47386bcf93d1d6f3ea0e847c3a53f001320d6b7adfd5d681

SHA512
510cd569857d39ee6515fe2e077619a3811d459dc0bd7c2b8bd26c6000c2500a89a1b9ae977406a46612149e70146828a9f6cfac06d0cb2257a9851d3588f195

Download Submit
C:\Users\Admin\AppData\Local\Temp\merged.exe

Filesize
103KB

MD5
f2dfc2dd7a7d3faa10ae1b31c0340e9a

SHA1
eee208af8e908397523375c94e39ff656fa879d0

SHA256
c186cfc29d5e50ad68b510833d1bf7dd421cdb5d8c31bb112b2e673d24827984

SHA512
1f51eb9849cc635114ae69f0af8591a5c37fea4f4835a898cd7cdfa8d4fc13995c917e7bd81605f81f442bbdac4f53e5f1bff615257c000fb0deb77fff78b2bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\merged.exe

Filesize
85KB

MD5
ed6b2191ce5e6dbadbd41c62f2fbe0e2

SHA1
88ce4c47d41c7d671f73b58030552cb8d401d1b1

SHA256
fdb6036b17c416850fd401b8155ce8e04a9c0b0dd6c832a367b296e960d7dc47

SHA512
0dbced82b1d2a912df336175cdd9b146c676159dc167079b8fc81d91369c1a17a2584f5c44c5be2a2954ced64d8b054c974323caa9ba5a030cefadf3f6f88fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\paylod.exe

Filesize
12KB

MD5
c0ea0a0d5f8a83ec228d6a9b8712d8c3

SHA1
4d5fbf700e29dc5a604d7bb88a183c6c202ae83b

SHA256
6939966937c1a39616a3e6718b619ae425fafa094b1b4cc3f06f9c3e9556f4f4

SHA512
c6300f2f274c791978dc140a174a6b7f42b66a15c8ed9d715b580d510c6d271c7b2bda31345766d333e8529b892376a3ce6955e910c70d43eb67da643482e943

Download Submit
C:\Users\Admin\AppData\Local\Temp\paylod.exe

Filesize
26KB

MD5
73b6437e46d5507ea1ed5aa924020333

SHA1
7cbfcf2c84ff5a5fbc5b5cb88331377d017b66a2

SHA256
ccbb451358e0cb1423460f5e017fcb0119608d2942d227cb2e25146d6d22d344

SHA512
9b06a3b7f9e00e8376521e27c04a929f45f0e8f48c2e033ce28a878c82de63cbf5abaef56a111ff4c8bc95c1749760d715a63297c0781026cedc752f7292a3e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Filesize
1KB

MD5
22cb0526d259a32938e991b4d90f8c40

SHA1
743a47e1b9f4941c4c7450bf650e2c2c62b10fd9

SHA256
454087eae3ab0ef4cbe2389aa85dfee562a0cb92e7fd3ed4f35a5c8089b9e295

SHA512
c7dd4c17565bce130750b1a44a88edaeba193a95edac1f3dc25f9e5e24643a15867b91cce549f08d41ecb6d969a6fa843b593d1f88b481b79beb64eb155be511

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

Filesize
1KB

MD5
ea09e68527bab5fd3c199172a8e34245

SHA1
28fdeb23907f350133827d84b2af791e6eb1776c

SHA256
070dd70f232d0f6af8db13d0653be8102617dd0233d8fb4d3b5bc15d78e8f751

SHA512
ab13c8807319a660bbe8efa91b413a5f7ec8b36cc7e1d18a374622f09671a2f612acc0bafa51b6df7bbd067451adaafdef0d489d2f67162606a720b04ec063cd

Download Submit
memory/740-91-0x00000000015B0000-0x00000000015C0000-memory.dmp

Filesize
64KB

Download
memory/740-98-0x00000000015B0000-0x00000000015C0000-memory.dmp

Filesize
64KB

Download
memory/740-92-0x00000000729B0000-0x0000000072F61000-memory.dmp

Filesize
5.7MB

Download
memory/740-97-0x00000000729B0000-0x0000000072F61000-memory.dmp

Filesize
5.7MB

Download
memory/740-89-0x00000000729B0000-0x0000000072F61000-memory.dmp

Filesize
5.7MB

Download
memory/4392-78-0x00000000729B0000-0x0000000072F61000-memory.dmp

Filesize
5.7MB

Download
memory/4392-79-0x00000000018E0000-0x00000000018F0000-memory.dmp

Filesize
64KB

Download
memory/4672-73-0x0000000000960000-0x0000000000970000-memory.dmp

Filesize
64KB

Download
memory/4672-75-0x00000000729B0000-0x0000000072F61000-memory.dmp

Filesize
5.7MB

Download
memory/4672-90-0x00000000729B0000-0x0000000072F61000-memory.dmp

Filesize
5.7MB

Download
memory/4672-71-0x00000000729B0000-0x0000000072F61000-memory.dmp

Filesize
5.7MB

Download
memory/5024-72-0x00000000729B0000-0x0000000072F61000-memory.dmp

Filesize
5.7MB

Download
memory/5024-48-0x00000000729B0000-0x0000000072F61000-memory.dmp

Filesize
5.7MB

Download
memory/5024-50-0x00000000729B0000-0x0000000072F61000-memory.dmp

Filesize
5.7MB

Download
memory/5024-49-0x0000000001A50000-0x0000000001A60000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads