Analysis Overview
SHA256
50dc05f3579090555c00dc10578afbba9e4c5317c088b3dcaa908fddcddbbf81
Threat Level: Known bad
The file Payload.exe was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Njrat family
Executes dropped EXE
Resource Forking
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-26 10:18
Signatures
Njrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-26 10:18
Reported
2024-07-26 10:21
Platform
win7-20240708-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
njRAT/Bladabindi
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Processes
C:\Users\Admin\AppData\Local\Temp\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | le-pencil.gl.at.ply.gg | udp |
| US | 147.185.221.21:6703 | le-pencil.gl.at.ply.gg | tcp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-07-26 10:18
Reported
2024-07-26 10:18
Platform
android-x64-20240624-en
Max time network
6s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-07-26 10:18
Reported
2024-07-26 10:18
Platform
android-x64-arm64-20240624-en
Max time network
6s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-07-26 10:18
Reported
2024-07-26 10:21
Platform
macos-20240711.1-en
Max time kernel
98s
Max time network
150s
Command Line
Signatures
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/Payload.exe"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/Payload.exe"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/Payload.exe]
/bin/zsh
[/bin/zsh -c /Users/run/Payload.exe]
/Users/run/Payload.exe
[/Users/run/Payload.exe]
/bin/launchctl
[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]
/bin/launchctl
[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]
/usr/libexec/xpcproxy
[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 35.courier-push-apple.com.akadns.net | udp |
| US | 8.8.8.8:53 | 3.courier-push-apple.com.akadns.net | udp |
| US | 8.8.8.8:53 | cds.apple.com | udp |
| GB | 104.82.128.95:443 | cds.apple.com | tcp |
| US | 8.8.8.8:53 | help.apple.com | udp |
| GB | 2.18.109.84:443 | help.apple.com | tcp |
| GB | 2.18.109.84:443 | help.apple.com | tcp |
| US | 8.8.8.8:53 | 18-courier.push.apple.com | udp |
| US | 8.8.8.8:53 | 44.courier-push-apple.com.akadns.net | udp |
| US | 8.8.8.8:53 | 24.courier-push-apple.com.akadns.net | udp |
| US | 8.8.8.8:53 | 20-courier.push.apple.com | udp |
| US | 8.8.8.8:53 | 27.courier-push-apple.com.akadns.net | udp |
| GB | 17.57.146.13:5223 | 20-courier.push.apple.com | tcp |
| GB | 17.57.146.11:5223 | 20-courier.push.apple.com | tcp |
| GB | 17.57.146.10:5223 | 20-courier.push.apple.com | tcp |
| US | 8.8.8.8:53 | 36.courier-push-apple.com.akadns.net | udp |
| US | 8.8.8.8:53 | 21-courier.push.apple.com | udp |
| US | 8.8.8.8:53 | 23.courier-push-apple.com.akadns.net | udp |
| US | 8.8.8.8:53 | 1.courier-push-apple.com.akadns.net | udp |
| US | 8.8.8.8:53 | 6.courier-push-apple.com.akadns.net | udp |
| US | 8.8.8.8:53 | 33-courier.push.apple.com | udp |
| US | 8.8.8.8:53 | 4-courier.push.apple.com | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 37.courier-push-apple.com.akadns.net | udp |
| US | 8.8.8.8:53 | 46-courier.push.apple.com | udp |
| US | 8.8.8.8:53 | 47.courier-push-apple.com.akadns.net | udp |
| US | 8.8.8.8:53 | 10-courier.push.apple.com | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-26 10:18
Reported
2024-07-26 10:21
Platform
win11-20240709-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
njRAT/Bladabindi
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Processes
C:\Users\Admin\AppData\Local\Temp\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | le-pencil.gl.at.ply.gg | udp |
| US | 147.185.221.21:6703 | le-pencil.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 21.221.185.147.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-07-26 10:18
Reported
2024-07-26 10:18
Platform
android-33-x64-arm64-20240624-en
Max time network
7s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| GB | 216.58.201.100:443 | | udp |
| GB | 216.58.201.100:443 | | tcp |
| GB | 216.58.201.100:443 | | tcp |
| GB | 142.250.200.42:443 | | udp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.200.42:443 | | tcp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-07-26 10:18
Reported
2024-07-26 10:21
Platform
macos-20240711.1-en
Max time kernel
118s
Max time network
152s
Command Line
Signatures
Resource Forking
| Description | Indicator | Process | Target |
| N/A | "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck | N/A | N/A |
Processes
/usr/libexec/xpcproxy
[xpcproxy com.oracle.java.Java-Updater]
/usr/libexec/xpcproxy
[xpcproxy com.apple.gkreport]
/usr/libexec/gkreport
[/usr/libexec/gkreport]
/usr/libexec/xpcproxy
[xpcproxy com.apple.DiagnosticReportCleanup.plist]
/usr/libexec/xpcproxy
[xpcproxy com.apple.systemstats.daily]
/usr/libexec/xpcproxy
[xpcproxy com.apple.appleseed.seedusaged]
/usr/libexec/xpcproxy
[xpcproxy com.apple.newsyslog]
/usr/sbin/newsyslog
[/usr/sbin/newsyslog]
/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged
[/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged]
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/Payload.exe"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/Payload.exe"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/Payload.exe]
/bin/zsh
[/bin/zsh -c /Users/run/Payload.exe]
/Users/run/Payload.exe
[/Users/run/Payload.exe]
/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater
[/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater -bgcheck]
/bin/launchctl
[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]
/bin/launchctl
[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]
/usr/libexec/xpcproxy
[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 35-courier.push.apple.com | udp |
| GB | 17.250.81.67:443 | | tcp |
| US | 8.8.8.8:53 | 7-courier.push.apple.com | udp |
| US | 8.8.8.8:53 | 24-courier.push.apple.com | udp |
| GB | 17.57.146.155:5223 | 24-courier.push.apple.com | tcp |
| US | 8.8.8.8:53 | 38.courier-push-apple.com.akadns.net | udp |
| US | 8.8.8.8:53 | 11-courier.push.apple.com | udp |
| US | 8.8.8.8:53 | cds.apple.com | udp |
| GB | 104.82.128.95:443 | cds.apple.com | tcp |
| US | 8.8.8.8:53 | help.apple.com | udp |
| GB | 2.18.109.84:443 | help.apple.com | tcp |
| GB | 2.18.109.84:443 | help.apple.com | tcp |
| US | 8.8.8.8:53 | 1.courier-push-apple.com.akadns.net | udp |
| US | 8.8.8.8:53 | 0-courier.push.apple.com | udp |
| US | 8.8.8.8:53 | 43.courier-push-apple.com.akadns.net | udp |
| US | 8.8.8.8:53 | 16.courier-push-apple.com.akadns.net | udp |
| US | 8.8.8.8:53 | 26-courier.push.apple.com | udp |
| US | 8.8.8.8:53 | 7.courier-push-apple.com.akadns.net | udp |
| US | 8.8.8.8:53 | 14.courier-push-apple.com.akadns.net | udp |
| US | 8.8.8.8:53 | 49.courier-push-apple.com.akadns.net | udp |
| US | 8.8.8.8:53 | 4.courier-push-apple.com.akadns.net | udp |
| US | 8.8.8.8:53 | 21-courier.push.apple.com | udp |
| US | 8.8.8.8:53 | 34.courier-push-apple.com.akadns.net | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 14.courier-push-apple.com.akadns.net | udp |
| US | 8.8.8.8:53 | 6-courier.push.apple.com | udp |
| US | 8.8.8.8:53 | 48.courier-push-apple.com.akadns.net | udp |
| US | 8.8.8.8:53 | 44.courier-push-apple.com.akadns.net | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-07-26 10:18
Reported
2024-07-26 10:18
Platform
debian12-armhf-20240418-en
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/Payload.exe
[/tmp/Payload.exe]
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-07-26 10:18
Reported
2024-07-26 10:18
Platform
debian9-armhf-20240611-en
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/Payload.exe
[/tmp/Payload.exe]
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-26 10:18
Reported
2024-07-26 10:21
Platform
win10-20240404-en
Max time kernel
149s
Max time network
146s
Command Line
Signatures
njRAT/Bladabindi
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cd77c1bc3d9c41b5b6de0ad43f7f7b24.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2820 wrote to memory of 4244 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe |
| PID 2820 wrote to memory of 4244 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe |
| PID 2820 wrote to memory of 4244 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe |
| PID 2820 wrote to memory of 1132 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | C:\Users\Admin\AppData\Local\Temp\cd77c1bc3d9c41b5b6de0ad43f7f7b24.exe |
| PID 2820 wrote to memory of 1132 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | C:\Users\Admin\AppData\Local\Temp\cd77c1bc3d9c41b5b6de0ad43f7f7b24.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 1388
C:\Users\Admin\AppData\Local\Temp\cd77c1bc3d9c41b5b6de0ad43f7f7b24.exe
"C:\Users\Admin\AppData\Local\Temp\cd77c1bc3d9c41b5b6de0ad43f7f7b24.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3e0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | le-pencil.gl.at.ply.gg | udp |
| US | 147.185.221.21:6703 | le-pencil.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 21.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.117.19.2.in-addr.arpa | udp |
| US | 147.185.221.21:6703 | le-pencil.gl.at.ply.gg | tcp |
| US | 147.185.221.21:6703 | le-pencil.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\cd77c1bc3d9c41b5b6de0ad43f7f7b24.exe
| MD5 | 8cac1595b184f66d7a122af38d5dfe71 |
| SHA1 | e0bc0162472edf77a05134e77b540663ac050ab6 |
| SHA256 | 00201a2fd4916193c9c7bbba7be6a77fa5876085480b67da4e1228fd8b23ae5f |
| SHA512 | 88d3753ce73bbf95ee1fdbdff21eb9331e59ca92cfa5c489f141c07dc90871e3032e331c9dd77b1fec4522add3ac25c51d5c699d7801a5343dd2ae447c60f8f8 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-26 10:18
Reported
2024-07-26 10:21
Platform
win10v2004-20240709-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
njRAT/Bladabindi
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Processes
C:\Users\Admin\AppData\Local\Temp\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | le-pencil.gl.at.ply.gg | udp |
| US | 147.185.221.21:6703 | le-pencil.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 21.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 147.185.221.21:6703 | le-pencil.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 147.185.221.21:6703 | le-pencil.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-07-26 10:18
Reported
2024-07-26 10:18
Platform
android-x86-arm-20240624-en
Max time network
5s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-07-26 10:18
Reported
2024-07-26 10:18
Platform
debian12-mipsel-20240221-en
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/Payload.exe
[/tmp/Payload.exe]
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-07-26 10:18
Reported
2024-07-26 10:18
Platform
ubuntu2204-amd64-20240611-en
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/Payload.exe
[/tmp/Payload.exe]
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-07-26 10:18
Reported
2024-07-26 10:18
Platform
android-x86-arm-20240624-en
Max time network
5s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-07-26 10:18
Reported
2024-07-26 10:18
Platform
ubuntu2404-amd64-20240523-en
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/Payload.exe
[/tmp/Payload.exe]