njrat | efa52eaf124f191c42b55e40d719ca1382d9953280741debb07a32aba87d45a6

General

Target

a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
Size

179KB
MD5

a019524e37f4d720d524b115b5d83f0c
SHA1

d6966cb69cea2c3b8eec893210a1efd80cfc3179
SHA256

efa52eaf124f191c42b55e40d719ca1382d9953280741debb07a32aba87d45a6
SHA512

375e5b58e99695b69c93b456ef0c13f7efd9e2bab79228136d0350b4fd137b6fd449469fc10265a019f75897a9f70f6c8a6509135b3cd95ff70f34b203697a33
SSDEEP

3072:IzlnaCPE9mf6TLSsEhWD9OP7vN4GHJFV6SFBE48giTzBG4LA0w6zH0vvEdvuB91z:IzFaEEAfaSsU8ODBJX6SFozBA0w6zUnZ

Score

10^/10

njrat lammer evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

C2

anonymouskillerbr1.duckdns.org:8080

Mutex

061718407ec7ca758146cb8944a62980

Attributes

reg_key
061718407ec7ca758146cb8944a62980
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

800 netsh.exe

pid	process
800	netsh.exe

Drops startup file 2 IoCs

Processes:

Teste.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\061718407ec7ca758146cb8944a62980.exe	Teste.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\061718407ec7ca758146cb8944a62980.exe	Teste.exe

Executes dropped EXE 4 IoCs

Processes:

Teste.exeTeste.exeTeste.exeTeste.exe

pid process

2728 Teste.exe
2872 Teste.exe
2000 Teste.exe
2252 Teste.exe
Loads dropped DLL 2 IoCs

Processes:

a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe

pid process

2556 a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
2556 a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe

pid	process
2728	Teste.exe
2872	Teste.exe
2000	Teste.exe
2252	Teste.exe

pid	process
2556	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
2556	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Teste.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\061718407ec7ca758146cb8944a62980 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Teste.exe\" .."	Teste.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\061718407ec7ca758146cb8944a62980 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Teste.exe\" .."	Teste.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exea019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exea019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exeTeste.exeTeste.exeTeste.exe

description	pid	process	target process
PID 2040 set thread context of 2528	2040	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 2528 set thread context of 2664	2528	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 2664 set thread context of 2556	2664	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 2728 set thread context of 2872	2728	Teste.exe	Teste.exe
PID 2872 set thread context of 2000	2872	Teste.exe	Teste.exe
PID 2000 set thread context of 2252	2000	Teste.exe	Teste.exe

Drops file in Windows directory 4 IoCs

Processes:

Teste.exea019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	Teste.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	Teste.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2356 schtasks.exe
2280 schtasks.exe

pid	process
2356	schtasks.exe
2280	schtasks.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

Teste.exe

description	pid	process
Token: SeDebugPrivilege	2252	Teste.exe
Token: 33	2252	Teste.exe
Token: SeIncBasePriorityPrivilege	2252	Teste.exe
Token: 33	2252	Teste.exe
Token: SeIncBasePriorityPrivilege	2252	Teste.exe
Token: 33	2252	Teste.exe
Token: SeIncBasePriorityPrivilege	2252	Teste.exe
Token: 33	2252	Teste.exe
Token: SeIncBasePriorityPrivilege	2252	Teste.exe
Token: 33	2252	Teste.exe
Token: SeIncBasePriorityPrivilege	2252	Teste.exe
Token: 33	2252	Teste.exe
Token: SeIncBasePriorityPrivilege	2252	Teste.exe
Token: 33	2252	Teste.exe
Token: SeIncBasePriorityPrivilege	2252	Teste.exe
Token: 33	2252	Teste.exe
Token: SeIncBasePriorityPrivilege	2252	Teste.exe
Token: 33	2252	Teste.exe
Token: SeIncBasePriorityPrivilege	2252	Teste.exe
Token: 33	2252	Teste.exe
Token: SeIncBasePriorityPrivilege	2252	Teste.exe
Token: 33	2252	Teste.exe
Token: SeIncBasePriorityPrivilege	2252	Teste.exe
Token: 33	2252	Teste.exe
Token: SeIncBasePriorityPrivilege	2252	Teste.exe
Token: 33	2252	Teste.exe
Token: SeIncBasePriorityPrivilege	2252	Teste.exe
Token: 33	2252	Teste.exe
Token: SeIncBasePriorityPrivilege	2252	Teste.exe
Token: 33	2252	Teste.exe
Token: SeIncBasePriorityPrivilege	2252	Teste.exe
Token: 33	2252	Teste.exe
Token: SeIncBasePriorityPrivilege	2252	Teste.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exea019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exea019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exea019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exeTeste.exeTeste.exeTeste.exe

description	pid	process	target process
PID 2040 wrote to memory of 2528	2040	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 2040 wrote to memory of 2528	2040	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 2040 wrote to memory of 2528	2040	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 2040 wrote to memory of 2528	2040	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 2040 wrote to memory of 2528	2040	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 2040 wrote to memory of 2528	2040	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 2040 wrote to memory of 2528	2040	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 2040 wrote to memory of 2528	2040	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 2040 wrote to memory of 2528	2040	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 2528 wrote to memory of 2664	2528	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 2528 wrote to memory of 2664	2528	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 2528 wrote to memory of 2664	2528	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 2528 wrote to memory of 2664	2528	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 2528 wrote to memory of 2664	2528	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 2528 wrote to memory of 2664	2528	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 2528 wrote to memory of 2664	2528	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 2528 wrote to memory of 2664	2528	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 2528 wrote to memory of 2664	2528	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 2664 wrote to memory of 2356	2664	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	schtasks.exe
PID 2664 wrote to memory of 2356	2664	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	schtasks.exe
PID 2664 wrote to memory of 2356	2664	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	schtasks.exe
PID 2664 wrote to memory of 2356	2664	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	schtasks.exe
PID 2664 wrote to memory of 2556	2664	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 2664 wrote to memory of 2556	2664	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 2664 wrote to memory of 2556	2664	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 2664 wrote to memory of 2556	2664	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 2664 wrote to memory of 2556	2664	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 2664 wrote to memory of 2556	2664	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 2664 wrote to memory of 2556	2664	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 2664 wrote to memory of 2556	2664	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 2664 wrote to memory of 2556	2664	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
PID 2556 wrote to memory of 2728	2556	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	Teste.exe
PID 2556 wrote to memory of 2728	2556	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	Teste.exe
PID 2556 wrote to memory of 2728	2556	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	Teste.exe
PID 2556 wrote to memory of 2728	2556	a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe	Teste.exe
PID 2728 wrote to memory of 2872	2728	Teste.exe	Teste.exe
PID 2728 wrote to memory of 2872	2728	Teste.exe	Teste.exe
PID 2728 wrote to memory of 2872	2728	Teste.exe	Teste.exe
PID 2728 wrote to memory of 2872	2728	Teste.exe	Teste.exe
PID 2728 wrote to memory of 2872	2728	Teste.exe	Teste.exe
PID 2728 wrote to memory of 2872	2728	Teste.exe	Teste.exe
PID 2728 wrote to memory of 2872	2728	Teste.exe	Teste.exe
PID 2728 wrote to memory of 2872	2728	Teste.exe	Teste.exe
PID 2728 wrote to memory of 2872	2728	Teste.exe	Teste.exe
PID 2872 wrote to memory of 2000	2872	Teste.exe	Teste.exe
PID 2872 wrote to memory of 2000	2872	Teste.exe	Teste.exe
PID 2872 wrote to memory of 2000	2872	Teste.exe	Teste.exe
PID 2872 wrote to memory of 2000	2872	Teste.exe	Teste.exe
PID 2872 wrote to memory of 2000	2872	Teste.exe	Teste.exe
PID 2872 wrote to memory of 2000	2872	Teste.exe	Teste.exe
PID 2872 wrote to memory of 2000	2872	Teste.exe	Teste.exe
PID 2872 wrote to memory of 2000	2872	Teste.exe	Teste.exe
PID 2872 wrote to memory of 2000	2872	Teste.exe	Teste.exe
PID 2000 wrote to memory of 2280	2000	Teste.exe	schtasks.exe
PID 2000 wrote to memory of 2280	2000	Teste.exe	schtasks.exe
PID 2000 wrote to memory of 2280	2000	Teste.exe	schtasks.exe
PID 2000 wrote to memory of 2280	2000	Teste.exe	schtasks.exe
PID 2000 wrote to memory of 2252	2000	Teste.exe	Teste.exe
PID 2000 wrote to memory of 2252	2000	Teste.exe	Teste.exe
PID 2000 wrote to memory of 2252	2000	Teste.exe	Teste.exe
PID 2000 wrote to memory of 2252	2000	Teste.exe	Teste.exe
PID 2000 wrote to memory of 2252	2000	Teste.exe	Teste.exe
PID 2000 wrote to memory of 2252	2000	Teste.exe	Teste.exe
PID 2000 wrote to memory of 2252	2000	Teste.exe	Teste.exe

C:\Users\Admin\AppData\Local\Temp\a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2528

C:\Users\Admin\AppData\Local\Temp\a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Update\HwgugQ" /XML "C:\Users\Admin\AppData\Local\Temp\azzzzz.xml"
4⤵
- Creates scheduled task(s)
PID:2356

C:\Users\Admin\AppData\Local\Temp\a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a019524e37f4d720d524b115b5d83f0c_JaffaCakes118.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556

C:\Users\Admin\AppData\Roaming\Teste.exe
"C:\Users\Admin\AppData\Roaming\Teste.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2728

C:\Users\Admin\AppData\Roaming\Teste.exe
"C:\Users\Admin\AppData\Roaming\Teste.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2872

C:\Users\Admin\AppData\Roaming\Teste.exe
"C:\Users\Admin\AppData\Roaming\Teste.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Update\HwgugQ" /XML "C:\Users\Admin\AppData\Local\Temp\auuuuu.xml"
8⤵
- Creates scheduled task(s)
PID:2280

C:\Users\Admin\AppData\Roaming\Teste.exe
"C:\Users\Admin\AppData\Roaming\Teste.exe"
8⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Teste.exe" "Teste.exe" ENABLE
9⤵
- Modifies Windows Firewall
PID:800

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\azzzzz.xml
Filesize
1KB

MD5
a830b6fe593c831fbe84235a4ff5cc75

SHA1
a01d2bcb4fae209158b916bdddfdbd254efc2cc0

SHA256
d27ff3650e12eb02a1152899c1a821c0ac6f87a1a6d62006c787cc015dd419a8

SHA512
d4983bbe0d052e0cc6fcc02c7ec659c64e5f9439ed21a12cf3142e3f3619292ada71fc033c1b6b50fc24589bf96f2aff66d1bf0271e0bfea39a8978ba504749e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
Filesize
390B

MD5
5c24cd0ec59097cf5cf281dc876f2b59

SHA1
7274d75bf6039b45d56e45ad7cdb2d424c5e27da

SHA256
b8578c97075b09493ce3e85f851102281b3be140088f19c2feda4948e542bc89

SHA512
a534967f6c64b22b5177a17fb813d9ddc78aa2ae11d2894490e5500cfc5e348b156b0b627bd64f5677fd3e01459da5dce2d96cfc79613fbfee8eadacd45859c8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
Filesize
820B

MD5
53b6d6a85d7cec5ee06d227f2b36ca88

SHA1
9da6f8c805051a1d6f1dc89e130a76758b80ed5e

SHA256
e532d560c57608b7f1834671bf422f8bbede0f33fbafaab75daa589c18f32e52

SHA512
6609e385c7d633195fc68ba8978abcd7406d12449dc93269ff6c54c8061b2c17e64ef623ff436b3753d8659de9ae16f5959563796bd037f8f2b00ed2f1e14d4f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
Filesize
478B

MD5
1c12dc830b1b4c8163f4587a2594e936

SHA1
65030f857c3451580e0f2bccb16ce67ce403b100

SHA256
ec9d93266039dca333940e213e6acc4616adb8c0eed47b5bd4e7e12afbbe7c49

SHA512
75cc2116ef5fcbc72ab5ca41b8873a240e1a95b7e6e66b4fe6676b7de957378faabd3cc7f82c18d2ff4cce918f905997a63896c56f2f6601b62a6ed88ee32113

Download Submit
\Users\Admin\AppData\Roaming\Teste.exe
Filesize
179KB

MD5
a019524e37f4d720d524b115b5d83f0c

SHA1
d6966cb69cea2c3b8eec893210a1efd80cfc3179

SHA256
efa52eaf124f191c42b55e40d719ca1382d9953280741debb07a32aba87d45a6

SHA512
375e5b58e99695b69c93b456ef0c13f7efd9e2bab79228136d0350b4fd137b6fd449469fc10265a019f75897a9f70f6c8a6509135b3cd95ff70f34b203697a33

Download Submit
memory/2000-146-0x0000000002160000-0x00000000021A0000-memory.dmp

Filesize
256KB

Download
memory/2000-145-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/2000-147-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/2000-165-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-2-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/2040-1-0x0000000000450000-0x0000000000490000-memory.dmp

Filesize
256KB

Download
memory/2040-28-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/2040-0-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/2252-172-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/2252-169-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/2252-173-0x00000000021C0000-0x0000000002200000-memory.dmp

Filesize
256KB

Download
memory/2252-170-0x00000000021C0000-0x0000000002200000-memory.dmp

Filesize
256KB

Download
memory/2528-17-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2528-7-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2528-30-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download
memory/2528-25-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/2528-44-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/2528-5-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2528-19-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2528-12-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2528-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2528-9-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2528-3-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2528-32-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/2556-57-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2556-59-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2556-62-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2556-65-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2556-55-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2556-71-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2556-73-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2556-74-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/2556-75-0x0000000002010000-0x0000000002050000-memory.dmp

Filesize
256KB

Download
memory/2556-76-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/2556-87-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/2664-23-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2664-45-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2664-29-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2664-33-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2664-39-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2664-36-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2664-47-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2664-52-0x0000000002050000-0x0000000002090000-memory.dmp

Filesize
256KB

Download
memory/2664-70-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/2664-53-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/2664-51-0x00000000741A0000-0x000000007474B000-memory.dmp

Filesize
5.7MB

Download
memory/2728-88-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/2728-117-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/2728-90-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/2728-89-0x00000000000E0000-0x0000000000120000-memory.dmp

Filesize
256KB

Download
memory/2872-135-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/2872-120-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/2872-118-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads