njrat | 515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7

General

Target

515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe
Size

15.8MB
MD5

f192b4e9cf07850041e19ea07cd984e3
SHA1

061a917e9691648e00a7f91ff82ae1c0e8da248b
SHA256

515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7
SHA512

19b9c0c214534d23e134fb29b6b1091ecb8c83f64df1e28219748a61d96bbef31141bb0e8237a5a96ac8bed6c233da6194c719f2c1470155d0a8ad3c194a2f5a
SSDEEP

393216:bZ81TpBxAxlcciQ2RRkaZECMV8ElgSgq4nZ:bpB2jk3Vvlh6

Score

10^/10

njrat vjw0rm xworm hacked evasion execution persistence rat trojan worm

Malware Config

Extracted

Family

xworm

C2

192.168.1.8:7000

Attributes

Install_directory
%AppData%
install_file
XClienamrt.exe

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

192.168.1.8:7788

Mutex

66d1b8410b347e24d21ce9ad910a4de7

Attributes

reg_key
66d1b8410b347e24d21ce9ad910a4de7
splitter
|'|'|

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\XClientamor.exe	family_xworm
behavioral1/memory/2152-14-0x0000000000280000-0x00000000002C6000-memory.dmp	family_xworm

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

876 powershell.exe
1936 powershell.exe
488 powershell.exe
2040 powershell.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1664 netsh.exe

pid	process
1664	netsh.exe

Drops startup file 6 IoCs

Processes:

WScript.exewscript.exeXClientamor.exeServer.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\myronworm.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\myronworm.vbs	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClienamrt.lnk	XClientamor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClienamrt.lnk	XClientamor.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\66d1b8410b347e24d21ce9ad910a4de7.exe	Server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\66d1b8410b347e24d21ce9ad910a4de7.exe	Server.exe

Executes dropped EXE 4 IoCs

Processes:

Outputbinded.exeXClientamor.exeXworm V5.6.exeServer.exe

pid process

1580 Outputbinded.exe
2152 XClientamor.exe
2552 Xworm V5.6.exe
2872 Server.exe

pid	process
1580	Outputbinded.exe
2152	XClientamor.exe
2552	Xworm V5.6.exe
2872	Server.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WScript.exewscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\myronworm = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\myronworm.vbs\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myronworm = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\myronworm.vbs\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\myronworm = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\myronworm.vbs\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myronworm = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\myronworm.vbs\""	wscript.exe

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

Server.exe

description	ioc	process
File opened for modification	F:\autorun.inf	Server.exe
File created	C:\autorun.inf	Server.exe
File opened for modification	C:\autorun.inf	Server.exe
File created	D:\autorun.inf	Server.exe
File created	F:\autorun.inf	Server.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeServer.exe

pid	process
876	powershell.exe
1936	powershell.exe
488	powershell.exe
2040	powershell.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe
2872	Server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Server.exe

pid process

2872 Server.exe

pid	process
2872	Server.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

XClientamor.exepowershell.exepowershell.exepowershell.exepowershell.exeServer.exe

description	pid	process
Token: SeDebugPrivilege	2152	XClientamor.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	488	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	2152	XClientamor.exe
Token: SeDebugPrivilege	2872	Server.exe
Token: 33	2872	Server.exe
Token: SeIncBasePriorityPrivilege	2872	Server.exe
Token: 33	2872	Server.exe
Token: SeIncBasePriorityPrivilege	2872	Server.exe
Token: 33	2872	Server.exe
Token: SeIncBasePriorityPrivilege	2872	Server.exe
Token: 33	2872	Server.exe
Token: SeIncBasePriorityPrivilege	2872	Server.exe
Token: 33	2872	Server.exe
Token: SeIncBasePriorityPrivilege	2872	Server.exe
Token: 33	2872	Server.exe
Token: SeIncBasePriorityPrivilege	2872	Server.exe
Token: 33	2872	Server.exe
Token: SeIncBasePriorityPrivilege	2872	Server.exe
Token: 33	2872	Server.exe
Token: SeIncBasePriorityPrivilege	2872	Server.exe
Token: 33	2872	Server.exe
Token: SeIncBasePriorityPrivilege	2872	Server.exe
Token: 33	2872	Server.exe
Token: SeIncBasePriorityPrivilege	2872	Server.exe
Token: 33	2872	Server.exe
Token: SeIncBasePriorityPrivilege	2872	Server.exe
Token: 33	2872	Server.exe
Token: SeIncBasePriorityPrivilege	2872	Server.exe
Token: 33	2872	Server.exe
Token: SeIncBasePriorityPrivilege	2872	Server.exe
Token: 33	2872	Server.exe
Token: SeIncBasePriorityPrivilege	2872	Server.exe
Token: 33	2872	Server.exe
Token: SeIncBasePriorityPrivilege	2872	Server.exe
Token: 33	2872	Server.exe
Token: SeIncBasePriorityPrivilege	2872	Server.exe
Token: 33	2872	Server.exe
Token: SeIncBasePriorityPrivilege	2872	Server.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exeOutputbinded.exeWScript.exeXClientamor.exeXworm V5.6.exeServer.exe

description	pid	process	target process
PID 2344 wrote to memory of 1580	2344	515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe	Outputbinded.exe
PID 2344 wrote to memory of 1580	2344	515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe	Outputbinded.exe
PID 2344 wrote to memory of 1580	2344	515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe	Outputbinded.exe
PID 1580 wrote to memory of 2152	1580	Outputbinded.exe	XClientamor.exe
PID 1580 wrote to memory of 2152	1580	Outputbinded.exe	XClientamor.exe
PID 1580 wrote to memory of 2152	1580	Outputbinded.exe	XClientamor.exe
PID 2344 wrote to memory of 2552	2344	515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe	Xworm V5.6.exe
PID 2344 wrote to memory of 2552	2344	515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe	Xworm V5.6.exe
PID 2344 wrote to memory of 2552	2344	515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe	Xworm V5.6.exe
PID 2344 wrote to memory of 2452	2344	515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe	WScript.exe
PID 2344 wrote to memory of 2452	2344	515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe	WScript.exe
PID 2344 wrote to memory of 2452	2344	515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe	WScript.exe
PID 2344 wrote to memory of 2872	2344	515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe	Server.exe
PID 2344 wrote to memory of 2872	2344	515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe	Server.exe
PID 2344 wrote to memory of 2872	2344	515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe	Server.exe
PID 2344 wrote to memory of 2872	2344	515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe	Server.exe
PID 2344 wrote to memory of 2612	2344	515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe	WScript.exe
PID 2344 wrote to memory of 2612	2344	515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe	WScript.exe
PID 2344 wrote to memory of 2612	2344	515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe	WScript.exe
PID 2612 wrote to memory of 2808	2612	WScript.exe	wscript.exe
PID 2612 wrote to memory of 2808	2612	WScript.exe	wscript.exe
PID 2612 wrote to memory of 2808	2612	WScript.exe	wscript.exe
PID 2152 wrote to memory of 876	2152	XClientamor.exe	powershell.exe
PID 2152 wrote to memory of 876	2152	XClientamor.exe	powershell.exe
PID 2152 wrote to memory of 876	2152	XClientamor.exe	powershell.exe
PID 2152 wrote to memory of 1936	2152	XClientamor.exe	powershell.exe
PID 2152 wrote to memory of 1936	2152	XClientamor.exe	powershell.exe
PID 2152 wrote to memory of 1936	2152	XClientamor.exe	powershell.exe
PID 2152 wrote to memory of 488	2152	XClientamor.exe	powershell.exe
PID 2152 wrote to memory of 488	2152	XClientamor.exe	powershell.exe
PID 2152 wrote to memory of 488	2152	XClientamor.exe	powershell.exe
PID 2152 wrote to memory of 2040	2152	XClientamor.exe	powershell.exe
PID 2152 wrote to memory of 2040	2152	XClientamor.exe	powershell.exe
PID 2152 wrote to memory of 2040	2152	XClientamor.exe	powershell.exe
PID 2552 wrote to memory of 2108	2552	Xworm V5.6.exe	WerFault.exe
PID 2552 wrote to memory of 2108	2552	Xworm V5.6.exe	WerFault.exe
PID 2552 wrote to memory of 2108	2552	Xworm V5.6.exe	WerFault.exe
PID 2872 wrote to memory of 1664	2872	Server.exe	netsh.exe
PID 2872 wrote to memory of 1664	2872	Server.exe	netsh.exe
PID 2872 wrote to memory of 1664	2872	Server.exe	netsh.exe
PID 2872 wrote to memory of 1664	2872	Server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe
"C:\Users\Admin\AppData\Local\Temp\515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\AppData\Roaming\Outputbinded.exe
  "C:\Users\Admin\AppData\Roaming\Outputbinded.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Users\Admin\AppData\Roaming\XClientamor.exe
    "C:\Users\Admin\AppData\Roaming\XClientamor.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClientamor.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:876
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClientamor.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1936
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClienamrt.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:488
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClienamrt.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2040
- C:\Users\Admin\AppData\Roaming\Xworm V5.6.exe
  "C:\Users\Admin\AppData\Roaming\Xworm V5.6.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2552 -s 728
    3⤵
    PID:2108
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\amr.js"
  2⤵
  PID:2452
- C:\Users\Admin\AppData\Roaming\Server.exe
  "C:\Users\Admin\AppData\Roaming\Server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops autorun.inf file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Server.exe" "Server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:1664
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\myronworm.vbs"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\myronworm.vbs"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X9EUZ07LJM15L18HIIIP.temp

Filesize
7KB

MD5
c20811784d7a8026a468afaadaff731c

SHA1
0b962583e93e8efd3f25595b16ab520f33c97606

SHA256
a3b1bcd789ab0b3bcb57cf4cb0de2e95f12948e613ee91139caf71697d75445a

SHA512
b960ca29f58f791f562d053ba844291efe599de2cef063a021463b9c156fa1929cb2f7d648437354ae2a9eb2201dbe0147c5baf2d6321c484926f7d134c2a9e3

Download Submit
C:\Users\Admin\AppData\Roaming\Outputbinded.exe

Filesize
686KB

MD5
5d692aa620cbca52d380150edcf51377

SHA1
bfaaf5ea9910324e3d9f3d95c5a8ca4d94924d86

SHA256
65302dc08b26b59a91943d82c7c5b79a017164bd7623576cbefcb9851098bf3c

SHA512
0c3e90f6e169a9876f4095774d6fec1b76bc0e23c00b254610ed58f4238bcd0547c7f8974d171587783659752c415267cb4d2499f1a6ac18ed7760f78103bc67

Download Submit
C:\Users\Admin\AppData\Roaming\Server.exe

Filesize
242KB

MD5
2355cb5fc18f1e7a0cffa302d1bfebff

SHA1
3703ec0c5299c2861d05f92b3cf16191b982d38a

SHA256
d4550f31de4c62eb2012f9bb984a00ab0e8d865098322dcd4d5db94b7107b986

SHA512
256700d2605dc4bbdac8b72470b2e24992da10572b564a478553bd7d5bea5e91f488ae46fe5d42320a558d6d9c3b43134c54998c40a4c690e29e5dd73bae3cab

Download Submit
C:\Users\Admin\AppData\Roaming\XClientamor.exe

Filesize
260KB

MD5
9b839a50e55b18129f81629c61f912f7

SHA1
71e1feea8c12bd8b2501bf065d56fef8eae0517c

SHA256
92a21332ad995d61804e80d50abd6571a6faf3932ad574ff23939e84362485ae

SHA512
abcb038106c8c771c39a66f1f79885619a0a031a567d2a84acfb848545c8cd12dc1e64baa14f1151229de2abaf68fc023f6455cb47d6b29ec90832d0f2de9971

Download Submit
C:\Users\Admin\AppData\Roaming\Xworm V5.6.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\AppData\Roaming\amr.js

Filesize
3KB

MD5
e58364ddc8daeac92739f0b2c7547f9c

SHA1
ae2aa6f9cb8f4627d83c6158571689d596294cfe

SHA256
d03047394e431fbc6d68c74d2ac5348801ff1c4d7d3e12b1e3d873474c3cdf30

SHA512
d3e710f1c70883d5576ecdfec705c8edc671c533ebd353048c02d3bc8d9499a18d62c1cee8532d9c9ce325ca4966e53b40322e428cc0b20070971b974f8a673b

Download Submit
C:\Users\Admin\AppData\Roaming\myronworm.vbs

Filesize
9KB

MD5
120aaed75e85209923d8fd9f5718d3d5

SHA1
ea7d8bdceeb399c221743089cb0484863775e31d

SHA256
30c959f6c7c85698d06513048ca92f5615260fb877bb17be0baa24b164575409

SHA512
deed7f6cc041e2df572ee921f6ee31f332ccfc248e365a9f586ac1fb5a9864e68b7917632544f5fb33b48289d1607017d95cac281d0908671f5469fe84b235a8

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/876-47-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/876-48-0x0000000002690000-0x0000000002698000-memory.dmp

Filesize
32KB

Download
memory/1580-7-0x0000000000B70000-0x0000000000C20000-memory.dmp

Filesize
704KB

Download
memory/1580-34-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/1580-36-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/1936-54-0x000000001B510000-0x000000001B7F2000-memory.dmp

Filesize
2.9MB

Download
memory/1936-55-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/2152-14-0x0000000000280000-0x00000000002C6000-memory.dmp

Filesize
280KB

Download
memory/2344-0-0x000007FEF56E3000-0x000007FEF56E4000-memory.dmp

Filesize
4KB

Download
memory/2344-1-0x00000000009E0000-0x00000000019BE000-memory.dmp

Filesize
15.9MB

Download
memory/2552-33-0x0000000000020000-0x0000000000F08000-memory.dmp

Filesize
14.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads