njrat | 6b01e64b3574a313f2f8e1e42ce93b5444a3e99d66138aebddf7c3e3b81c601d

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Size

463KB
MD5

194961e6ef4f3310336d23d78cb7357c
SHA1

2f016cd2b88b716fad0b1352abda350aa567004f
SHA256

6b01e64b3574a313f2f8e1e42ce93b5444a3e99d66138aebddf7c3e3b81c601d
SHA512

517218b0fc5b530a32974f3eb34f78c533b86cade7965739084d2ddec001b0d3dd8e40d23397f471664e43677ac772befc490df10adfb91a231dd3e893f026d5
SSDEEP

6144:AnSbvnbjUwnkx1kcw3llt8ix50Ki1asiBKFABnyYwRXiO73knJxH4:A8DEkL8obnmi0kJ54

Score

10^/10

njrat zgrat agilenet persistence rat trojan

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/4424-4-0x0000000005150000-0x0000000005170000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/memory/4424-4-0x0000000005150000-0x0000000005170000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleChrome.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe\" .."	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GoogleChrome.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe\" .."	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4424 set thread context of 3596	4424	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	88
PID 2056 set thread context of 1976	2056	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	111
PID 4492 set thread context of 1820	4492	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	132

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3556	schtasks.exe
4236	schtasks.exe
1864	schtasks.exe
2088	schtasks.exe
3696	schtasks.exe
5044	schtasks.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	4424	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeDebugPrivilege	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeDebugPrivilege	2056	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeDebugPrivilege	4492	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: 33	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 3596	4424	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	88
PID 4424 wrote to memory of 3596	4424	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	88
PID 4424 wrote to memory of 3596	4424	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	88
PID 4424 wrote to memory of 3596	4424	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	88
PID 4424 wrote to memory of 3596	4424	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	88
PID 4424 wrote to memory of 3596	4424	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	88
PID 4424 wrote to memory of 3596	4424	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	88
PID 4424 wrote to memory of 3596	4424	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	88
PID 4424 wrote to memory of 3596	4424	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	88
PID 3596 wrote to memory of 8	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	90
PID 3596 wrote to memory of 8	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	90
PID 3596 wrote to memory of 8	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	90
PID 3596 wrote to memory of 4236	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	92
PID 3596 wrote to memory of 4236	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	92
PID 3596 wrote to memory of 4236	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	92
PID 3596 wrote to memory of 2472	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	94
PID 3596 wrote to memory of 2472	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	94
PID 3596 wrote to memory of 2472	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	94
PID 3596 wrote to memory of 1864	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	97
PID 3596 wrote to memory of 1864	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	97
PID 3596 wrote to memory of 1864	3596	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	97
PID 2056 wrote to memory of 1976	2056	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	111
PID 2056 wrote to memory of 1976	2056	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	111
PID 2056 wrote to memory of 1976	2056	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	111
PID 2056 wrote to memory of 1976	2056	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	111
PID 2056 wrote to memory of 1976	2056	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	111
PID 2056 wrote to memory of 1976	2056	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	111
PID 2056 wrote to memory of 1976	2056	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	111
PID 2056 wrote to memory of 1976	2056	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	111
PID 2056 wrote to memory of 1976	2056	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	111
PID 1976 wrote to memory of 1520	1976	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	117
PID 1976 wrote to memory of 1520	1976	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	117
PID 1976 wrote to memory of 1520	1976	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	117
PID 1976 wrote to memory of 2088	1976	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	119
PID 1976 wrote to memory of 2088	1976	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	119
PID 1976 wrote to memory of 2088	1976	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	119
PID 1976 wrote to memory of 3180	1976	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	121
PID 1976 wrote to memory of 3180	1976	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	121
PID 1976 wrote to memory of 3180	1976	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	121
PID 1976 wrote to memory of 3696	1976	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	123
PID 1976 wrote to memory of 3696	1976	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	123
PID 1976 wrote to memory of 3696	1976	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	123
PID 4492 wrote to memory of 1820	4492	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	132
PID 4492 wrote to memory of 1820	4492	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	132
PID 4492 wrote to memory of 1820	4492	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	132
PID 4492 wrote to memory of 1820	4492	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	132
PID 4492 wrote to memory of 1820	4492	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	132
PID 4492 wrote to memory of 1820	4492	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	132
PID 4492 wrote to memory of 1820	4492	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	132
PID 4492 wrote to memory of 1820	4492	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	132
PID 4492 wrote to memory of 1820	4492	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	132
PID 1820 wrote to memory of 512	1820	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	133
PID 1820 wrote to memory of 512	1820	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	133
PID 1820 wrote to memory of 512	1820	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	133
PID 1820 wrote to memory of 5044	1820	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	135
PID 1820 wrote to memory of 5044	1820	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	135
PID 1820 wrote to memory of 5044	1820	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	135
PID 1820 wrote to memory of 664	1820	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	137
PID 1820 wrote to memory of 664	1820	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	137
PID 1820 wrote to memory of 664	1820	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	137
PID 1820 wrote to memory of 3556	1820	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	139
PID 1820 wrote to memory of 3556	1820	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	139
PID 1820 wrote to memory of 3556	1820	194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe	139

C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Delete /tn NYANP /F
    3⤵
    PID:8
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe" /sc minute /mo 5
    3⤵
    - Creates scheduled task(s)
    PID:4236
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Delete /tn NYAN /F
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe" /sc minute /mo 1
    3⤵
    - Creates scheduled task(s)
    PID:1864

C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Delete /tn NYANP /F
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe" /sc minute /mo 5
    3⤵
    - Creates scheduled task(s)
    PID:2088
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Delete /tn NYAN /F
    3⤵
    PID:3180
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe" /sc minute /mo 1
    3⤵
    - Creates scheduled task(s)
    PID:3696

C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Delete /tn NYANP /F
    3⤵
    PID:512
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe" /sc minute /mo 5
    3⤵
    - Creates scheduled task(s)
    PID:5044
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Delete /tn NYAN /F
    3⤵
    PID:664
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe" /sc minute /mo 1
    3⤵
    - Creates scheduled task(s)
    PID:3556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\194961e6ef4f3310336d23d78cb7357c_JaffaCakes118.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
memory/3596-60-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-34-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-295-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/3596-62-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-293-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/3596-16-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-18-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-22-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-24-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-10-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-26-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-13-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/3596-28-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-46-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-48-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-76-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-74-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-72-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-70-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-68-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-66-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-64-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-294-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/3596-20-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-52-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-56-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-54-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-58-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-50-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-44-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-42-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-40-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-38-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-30-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-32-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4424-2-0x0000000005700000-0x0000000005CA4000-memory.dmp

Filesize
5.6MB

Download
memory/4424-14-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/4424-1-0x0000000000720000-0x0000000000798000-memory.dmp

Filesize
480KB

Download
memory/4424-9-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/4424-8-0x000000007523E000-0x000000007523F000-memory.dmp

Filesize
4KB

Download
memory/4424-0-0x000000007523E000-0x000000007523F000-memory.dmp

Filesize
4KB

Download
memory/4424-7-0x0000000006350000-0x00000000063EC000-memory.dmp

Filesize
624KB

Download
memory/4424-6-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/4424-5-0x00000000051E0000-0x00000000051EA000-memory.dmp

Filesize
40KB

Download
memory/4424-4-0x0000000005150000-0x0000000005170000-memory.dmp

Filesize
128KB

Download
memory/4424-3-0x00000000051F0000-0x0000000005282000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads