njrat | ccb682c585e5f867e1cf68c755a35a54dd2a8cbcb8c7caedfcb1ea9463070a97

General

Target

53d01662babe8f44ac554fc2a16eb4d0_NeikiAnalytics.exe
Size

123KB
MD5

53d01662babe8f44ac554fc2a16eb4d0
SHA1

fcae649e71a691c39ec5ffdf916ba67624e5a4fb
SHA256

ccb682c585e5f867e1cf68c755a35a54dd2a8cbcb8c7caedfcb1ea9463070a97
SHA512

22556eccd4f16e1d23ba60e50f0ce300bd8e12ea5c23bd573741a7f38b3cdff55040270475e6d784ce15b9a2d4ba00dbfe2f33c40d8d4fba4955722c330ad0ff
SSDEEP

3072:5Ps2ipjzChN8IEMj9UpD0ag74Y8aIA0R6O6p4B:3iAhGIRpUpDjlKP0R6w

Score

10^/10

njrat xworm sigma evasion execution persistence rat trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

sigma

C2

45.145.41.147:7001

Mutex

e46fd589a4d6a6ad61ec2902d937146b

Attributes

reg_key
e46fd589a4d6a6ad61ec2902d937146b
splitter
|'|'|

Extracted

Family

xworm

C2

127.0.0.1:7000

45.145.41.147:7000

Attributes

Install_directory
%AppData%
install_file
WinSec.exe

Signatures

Detect Xworm Payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\XClient.exe	family_xworm
behavioral1/memory/2704-13-0x0000000000810000-0x0000000000828000-memory.dmp	family_xworm
behavioral1/memory/1104-62-0x00000000012F0000-0x0000000001308000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

776 powershell.exe
2508 powershell.exe
2840 powershell.exe
2532 powershell.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

536 netsh.exe

pid	process
776	powershell.exe
2508	powershell.exe
2840	powershell.exe
2532	powershell.exe

pid	process
536	netsh.exe

Drops startup file 4 IoCs

Processes:

Winserver.exeXClient.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e46fd589a4d6a6ad61ec2902d937146b.exe	Winserver.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e46fd589a4d6a6ad61ec2902d937146b.exe	Winserver.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSec.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSec.lnk	XClient.exe

Executes dropped EXE 6 IoCs

Processes:

bind to xclient.exeXClient.exeWinserver.exeWinSec.exeWinSec.exeWinSec.exe

pid process

1728 bind to xclient.exe
2704 XClient.exe
1520 Winserver.exe
1104 WinSec.exe
1064 WinSec.exe
2984 WinSec.exe
Loads dropped DLL 1 IoCs

Processes:

bind to xclient.exe

pid process

1728 bind to xclient.exe

pid	process
1728	bind to xclient.exe
2704	XClient.exe
1520	Winserver.exe
1104	WinSec.exe
1064	WinSec.exe
2984	WinSec.exe

pid	process
1728	bind to xclient.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

XClient.exeWinserver.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinSec = "C:\\Users\\Admin\\AppData\\Roaming\\WinSec.exe"	XClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\e46fd589a4d6a6ad61ec2902d937146b = "\"C:\\Users\\Admin\\AppData\\Roaming\\Winserver.exe\" .."	Winserver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\e46fd589a4d6a6ad61ec2902d937146b = "\"C:\\Users\\Admin\\AppData\\Roaming\\Winserver.exe\" .."	Winserver.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com

flow	ioc
2	ip-api.com

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

Winserver.exe

description	ioc	process
File opened for modification	C:\autorun.inf	Winserver.exe
File created	D:\autorun.inf	Winserver.exe
File created	F:\autorun.inf	Winserver.exe
File opened for modification	F:\autorun.inf	Winserver.exe
File created	C:\autorun.inf	Winserver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1816 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

684 taskkill.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

XClient.exe

pid process

2704 XClient.exe

pid	process
1816	schtasks.exe

pid	process
684	taskkill.exe

pid	process
2704	XClient.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeXClient.exeWinserver.exe

pid	process
2840	powershell.exe
2532	powershell.exe
776	powershell.exe
2508	powershell.exe
2704	XClient.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe
1520	Winserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Winserver.exe

pid process

1520 Winserver.exe

pid	process
1520	Winserver.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

XClient.exepowershell.exepowershell.exepowershell.exepowershell.exeWinserver.exetaskkill.exeWinSec.exeWinSec.exeWinSec.exe

description	pid	process
Token: SeDebugPrivilege	2704	XClient.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2704	XClient.exe
Token: SeDebugPrivilege	1520	Winserver.exe
Token: SeDebugPrivilege	684	taskkill.exe
Token: 33	1520	Winserver.exe
Token: SeIncBasePriorityPrivilege	1520	Winserver.exe
Token: SeDebugPrivilege	1104	WinSec.exe
Token: 33	1520	Winserver.exe
Token: SeIncBasePriorityPrivilege	1520	Winserver.exe
Token: 33	1520	Winserver.exe
Token: SeIncBasePriorityPrivilege	1520	Winserver.exe
Token: 33	1520	Winserver.exe
Token: SeIncBasePriorityPrivilege	1520	Winserver.exe
Token: 33	1520	Winserver.exe
Token: SeIncBasePriorityPrivilege	1520	Winserver.exe
Token: 33	1520	Winserver.exe
Token: SeIncBasePriorityPrivilege	1520	Winserver.exe
Token: 33	1520	Winserver.exe
Token: SeIncBasePriorityPrivilege	1520	Winserver.exe
Token: 33	1520	Winserver.exe
Token: SeIncBasePriorityPrivilege	1520	Winserver.exe
Token: SeDebugPrivilege	1064	WinSec.exe
Token: 33	1520	Winserver.exe
Token: SeIncBasePriorityPrivilege	1520	Winserver.exe
Token: 33	1520	Winserver.exe
Token: SeIncBasePriorityPrivilege	1520	Winserver.exe
Token: 33	1520	Winserver.exe
Token: SeIncBasePriorityPrivilege	1520	Winserver.exe
Token: 33	1520	Winserver.exe
Token: SeIncBasePriorityPrivilege	1520	Winserver.exe
Token: 33	1520	Winserver.exe
Token: SeIncBasePriorityPrivilege	1520	Winserver.exe
Token: 33	1520	Winserver.exe
Token: SeIncBasePriorityPrivilege	1520	Winserver.exe
Token: 33	1520	Winserver.exe
Token: SeIncBasePriorityPrivilege	1520	Winserver.exe
Token: 33	1520	Winserver.exe
Token: SeIncBasePriorityPrivilege	1520	Winserver.exe
Token: SeDebugPrivilege	2984	WinSec.exe
Token: 33	1520	Winserver.exe
Token: SeIncBasePriorityPrivilege	1520	Winserver.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

XClient.exe

pid process

2704 XClient.exe

pid	process
2704	XClient.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

53d01662babe8f44ac554fc2a16eb4d0_NeikiAnalytics.exeXClient.exebind to xclient.exeWinserver.exetaskeng.exe

description	pid	process	target process
PID 1688 wrote to memory of 1728	1688	53d01662babe8f44ac554fc2a16eb4d0_NeikiAnalytics.exe	bind to xclient.exe
PID 1688 wrote to memory of 1728	1688	53d01662babe8f44ac554fc2a16eb4d0_NeikiAnalytics.exe	bind to xclient.exe
PID 1688 wrote to memory of 1728	1688	53d01662babe8f44ac554fc2a16eb4d0_NeikiAnalytics.exe	bind to xclient.exe
PID 1688 wrote to memory of 1728	1688	53d01662babe8f44ac554fc2a16eb4d0_NeikiAnalytics.exe	bind to xclient.exe
PID 1688 wrote to memory of 2704	1688	53d01662babe8f44ac554fc2a16eb4d0_NeikiAnalytics.exe	XClient.exe
PID 1688 wrote to memory of 2704	1688	53d01662babe8f44ac554fc2a16eb4d0_NeikiAnalytics.exe	XClient.exe
PID 1688 wrote to memory of 2704	1688	53d01662babe8f44ac554fc2a16eb4d0_NeikiAnalytics.exe	XClient.exe
PID 2704 wrote to memory of 2840	2704	XClient.exe	powershell.exe
PID 2704 wrote to memory of 2840	2704	XClient.exe	powershell.exe
PID 2704 wrote to memory of 2840	2704	XClient.exe	powershell.exe
PID 2704 wrote to memory of 2532	2704	XClient.exe	powershell.exe
PID 2704 wrote to memory of 2532	2704	XClient.exe	powershell.exe
PID 2704 wrote to memory of 2532	2704	XClient.exe	powershell.exe
PID 2704 wrote to memory of 776	2704	XClient.exe	powershell.exe
PID 2704 wrote to memory of 776	2704	XClient.exe	powershell.exe
PID 2704 wrote to memory of 776	2704	XClient.exe	powershell.exe
PID 2704 wrote to memory of 2508	2704	XClient.exe	powershell.exe
PID 2704 wrote to memory of 2508	2704	XClient.exe	powershell.exe
PID 2704 wrote to memory of 2508	2704	XClient.exe	powershell.exe
PID 1728 wrote to memory of 1520	1728	bind to xclient.exe	Winserver.exe
PID 1728 wrote to memory of 1520	1728	bind to xclient.exe	Winserver.exe
PID 1728 wrote to memory of 1520	1728	bind to xclient.exe	Winserver.exe
PID 1728 wrote to memory of 1520	1728	bind to xclient.exe	Winserver.exe
PID 2704 wrote to memory of 1816	2704	XClient.exe	schtasks.exe
PID 2704 wrote to memory of 1816	2704	XClient.exe	schtasks.exe
PID 2704 wrote to memory of 1816	2704	XClient.exe	schtasks.exe
PID 1520 wrote to memory of 536	1520	Winserver.exe	netsh.exe
PID 1520 wrote to memory of 536	1520	Winserver.exe	netsh.exe
PID 1520 wrote to memory of 536	1520	Winserver.exe	netsh.exe
PID 1520 wrote to memory of 536	1520	Winserver.exe	netsh.exe
PID 1520 wrote to memory of 684	1520	Winserver.exe	taskkill.exe
PID 1520 wrote to memory of 684	1520	Winserver.exe	taskkill.exe
PID 1520 wrote to memory of 684	1520	Winserver.exe	taskkill.exe
PID 1520 wrote to memory of 684	1520	Winserver.exe	taskkill.exe
PID 2936 wrote to memory of 1104	2936	taskeng.exe	WinSec.exe
PID 2936 wrote to memory of 1104	2936	taskeng.exe	WinSec.exe
PID 2936 wrote to memory of 1104	2936	taskeng.exe	WinSec.exe
PID 2936 wrote to memory of 1064	2936	taskeng.exe	WinSec.exe
PID 2936 wrote to memory of 1064	2936	taskeng.exe	WinSec.exe
PID 2936 wrote to memory of 1064	2936	taskeng.exe	WinSec.exe
PID 2936 wrote to memory of 2984	2936	taskeng.exe	WinSec.exe
PID 2936 wrote to memory of 2984	2936	taskeng.exe	WinSec.exe
PID 2936 wrote to memory of 2984	2936	taskeng.exe	WinSec.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\53d01662babe8f44ac554fc2a16eb4d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\53d01662babe8f44ac554fc2a16eb4d0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Local\Temp\bind to xclient.exe
  "C:\Users\Admin\AppData\Local\Temp\bind to xclient.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Users\Admin\AppData\Roaming\Winserver.exe
    "C:\Users\Admin\AppData\Roaming\Winserver.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops autorun.inf file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Winserver.exe" "Winserver.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:536
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM Winservice.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:684
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2840
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WinSec.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WinSec.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WinSec" /tr "C:\Users\Admin\AppData\Roaming\WinSec.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1816

C:\Windows\system32\taskeng.exe
taskeng.exe {7E20A353-D106-43BA-BBE5-8DF4E854D1C5} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Roaming\WinSec.exe
  C:\Users\Admin\AppData\Roaming\WinSec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1104
- C:\Users\Admin\AppData\Roaming\WinSec.exe
  C:\Users\Admin\AppData\Roaming\WinSec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1064
- C:\Users\Admin\AppData\Roaming\WinSec.exe
  C:\Users\Admin\AppData\Roaming\WinSec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
72KB

MD5
f5539cd914945970157c7600e91486e0

SHA1
e5256cf1320bd60c94d9fff2225692b30ce83d7f

SHA256
d7642e76018073789f2f7b12171f4c345d171c76c976cf3b535f6d6d19d31dea

SHA512
cc7bed8f6adf4b894c4eb06433e3a5f996f41c28dad77c0c2f13ed09d51736e80deda87094488f4aa47ded36ee9ba79a69f200ece6a7772c6c8d74f6e6358807

Download Submit
C:\Users\Admin\AppData\Local\Temp\bind to xclient.exe

Filesize
37KB

MD5
f44858e77b122e0c6e5a102070487209

SHA1
26e62f9025a78c888efc59de0147517d8e995e19

SHA256
9a85281bf4d2866ac2dab26378a183e2ef42961ae3642058c174f4821748707b

SHA512
a2d77fee1d2630dde1db9db419fe624e4e0b3a1ee813a13dfad7502a5f7a4d84d7983b772982e526137ec4f57d22d926f08985ec77baa40a4b279c318316fbff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c8862a9e51d073641027563418d11a17

SHA1
4973908625f8282db790cb0a9de46fc4b0a634e9

SHA256
9ef51361c0420474b851a4bad84d50ba5e55d1b61db5b22231c55b1b708c4e07

SHA512
47e1c6680807eaf7903ed45a502d2562978daaae9cc26443dc1e40e0a29f179bb226442a94bd4227de36cefae3e0b42853731572e7fb9ac32001549d5192289e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1104-62-0x00000000012F0000-0x0000000001308000-memory.dmp

Filesize
96KB

Download
memory/1688-1-0x0000000000AC0000-0x0000000000AE6000-memory.dmp

Filesize
152KB

Download
memory/1688-0-0x000007FEF5D53000-0x000007FEF5D54000-memory.dmp

Filesize
4KB

Download
memory/2532-26-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2532-27-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2704-14-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/2704-13-0x0000000000810000-0x0000000000828000-memory.dmp

Filesize
96KB

Download
memory/2704-63-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/2840-20-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2840-19-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads