njrat | a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47

General

Target

a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
Size

5.2MB
MD5

cf4a7182c8b3dcdd1f2e8db2e011c700
SHA1

b518086df01053f00e73159ad4b4d6159e608a14
SHA256

a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47
SHA512

1cbc47bfe21a07246880893b8024813ad368b5f573a351c637d97759dc6dcfe2a495f3b595db6e9d31846ccc5d6b2b71a73be39730e54980fd507c9cbb63a8b7
SSDEEP

98304:bnsmtk2aW3KI5OVU8/GsW+exVVxHjkxuiCllBHr8wBo:DLQQ+Urt+eHVxHjqui+r8Ao

Score

10^/10

njrat xred hacked backdoor discovery persistence trojan

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

njrat

Version

v4.0

Botnet

HacKed

C2

ecutuning.ddns.net:11560

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

Njrat family
njrat
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

paylod.exea8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exeSynaptics.exe._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	paylod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe

Drops startup file 4 IoCs

Processes:

paylod.exesvchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	paylod.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	svchost.exe

Executes dropped EXE 6 IoCs

Processes:

._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exeSynaptics.exe._cache_Synaptics.exepaylod.exeKeygen (2).exesvchost.exe

pid	process
4996	._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
4736	Synaptics.exe
4132	._cache_Synaptics.exe
1796	paylod.exe
528	Keygen (2).exe
4536	svchost.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exepaylod.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Windows\\svchost.exe"	paylod.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe._cache_Synaptics.exe

pid process

4996 ._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
4132 ._cache_Synaptics.exe
Drops file in Windows directory 2 IoCs

Processes:

paylod.exeattrib.exe

description ioc process

File created C:\Windows\svchost.exe paylod.exe
File opened for modification C:\Windows\svchost.exe attrib.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\svchost.exe	paylod.exe
File opened for modification	C:\Windows\svchost.exe	attrib.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Synaptics.exe._cache_Synaptics.exepaylod.exeKeygen (2).exesvchost.exeattrib.exea8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	paylod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keygen (2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe

Modifies registry class 2 IoCs

Processes:

a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exeSynaptics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe._cache_Synaptics.exe

pid	process
4996	._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
4996	._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
4132	._cache_Synaptics.exe
4132	._cache_Synaptics.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeDebugPrivilege	4536	svchost.exe
Token: 33	4536	svchost.exe
Token: SeIncBasePriorityPrivilege	4536	svchost.exe
Token: 33	4536	svchost.exe
Token: SeIncBasePriorityPrivilege	4536	svchost.exe
Token: 33	4536	svchost.exe
Token: SeIncBasePriorityPrivilege	4536	svchost.exe
Token: 33	4536	svchost.exe
Token: SeIncBasePriorityPrivilege	4536	svchost.exe
Token: 33	4536	svchost.exe
Token: SeIncBasePriorityPrivilege	4536	svchost.exe
Token: 33	4536	svchost.exe
Token: SeIncBasePriorityPrivilege	4536	svchost.exe
Token: 33	4536	svchost.exe
Token: SeIncBasePriorityPrivilege	4536	svchost.exe
Token: 33	4536	svchost.exe
Token: SeIncBasePriorityPrivilege	4536	svchost.exe
Token: 33	4536	svchost.exe
Token: SeIncBasePriorityPrivilege	4536	svchost.exe
Token: 33	4536	svchost.exe
Token: SeIncBasePriorityPrivilege	4536	svchost.exe
Token: 33	4536	svchost.exe
Token: SeIncBasePriorityPrivilege	4536	svchost.exe
Token: 33	4536	svchost.exe
Token: SeIncBasePriorityPrivilege	4536	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe._cache_Synaptics.exeKeygen (2).exe

pid	process
4996	._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
4132	._cache_Synaptics.exe
528	Keygen (2).exe
528	Keygen (2).exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exeSynaptics.exe._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exepaylod.exe

description	pid	process	target process
PID 572 wrote to memory of 4996	572	a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe	._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
PID 572 wrote to memory of 4996	572	a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe	._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
PID 572 wrote to memory of 4996	572	a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe	._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
PID 572 wrote to memory of 4736	572	a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe	Synaptics.exe
PID 572 wrote to memory of 4736	572	a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe	Synaptics.exe
PID 572 wrote to memory of 4736	572	a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe	Synaptics.exe
PID 4736 wrote to memory of 4132	4736	Synaptics.exe	._cache_Synaptics.exe
PID 4736 wrote to memory of 4132	4736	Synaptics.exe	._cache_Synaptics.exe
PID 4736 wrote to memory of 4132	4736	Synaptics.exe	._cache_Synaptics.exe
PID 4996 wrote to memory of 1796	4996	._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe	paylod.exe
PID 4996 wrote to memory of 1796	4996	._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe	paylod.exe
PID 4996 wrote to memory of 1796	4996	._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe	paylod.exe
PID 4996 wrote to memory of 528	4996	._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe	Keygen (2).exe
PID 4996 wrote to memory of 528	4996	._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe	Keygen (2).exe
PID 4996 wrote to memory of 528	4996	._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe	Keygen (2).exe
PID 1796 wrote to memory of 4536	1796	paylod.exe	svchost.exe
PID 1796 wrote to memory of 4536	1796	paylod.exe	svchost.exe
PID 1796 wrote to memory of 4536	1796	paylod.exe	svchost.exe
PID 1796 wrote to memory of 3260	1796	paylod.exe	attrib.exe
PID 1796 wrote to memory of 3260	1796	paylod.exe	attrib.exe
PID 1796 wrote to memory of 3260	1796	paylod.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

3260 attrib.exe

pid	process
3260	attrib.exe

C:\Users\Admin\AppData\Local\Temp\a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
"C:\Users\Admin\AppData\Local\Temp\a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:572
- C:\Users\Admin\AppData\Local\Temp\._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Users\Admin\AppData\Local\Temp\paylod.exe
    "C:\Users\Admin\AppData\Local\Temp\paylod.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Windows\svchost.exe
      "C:\Windows\svchost.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4536
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +r +s "C:\Windows\svchost.exe"
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3260
- - C:\Users\Admin\AppData\Local\Temp\Keygen (2).exe
    "C:\Users\Admin\AppData\Local\Temp\Keygen (2).exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:528
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
5.2MB

MD5
cf4a7182c8b3dcdd1f2e8db2e011c700

SHA1
b518086df01053f00e73159ad4b4d6159e608a14

SHA256
a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47

SHA512
1cbc47bfe21a07246880893b8024813ad368b5f573a351c637d97759dc6dcfe2a495f3b595db6e9d31846ccc5d6b2b71a73be39730e54980fd507c9cbb63a8b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe

Filesize
4.5MB

MD5
a26afc4b230cde67dec5e341aef0e90f

SHA1
f5a7a08bbd039184c3e89f4ea4ef5eeb392b5fa1

SHA256
567c4101aa7ad812b7bd42d87a5ba7d9c4f82dd7096daa7b079cfa70649dec2e

SHA512
06e71d53d1e0e0436be193f05c05c8896e9184bfc7db1842195452d34a8c9a59f26b38129a4216eb301c96e367babb8db7b1e50b2a258acc5f0d6c981db4621a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Keygen (2).exe

Filesize
1.7MB

MD5
91b154d347d471b16c0662f071828792

SHA1
22ed21e428006595cf0b144492edab06203a7b67

SHA256
83f395011aadf443178dc7fdfb4857a61872ab46f7d2eac68905632965706042

SHA512
73d20d1b0fbb33136570b80c5a8a850bc278682129e8f59d27f4c166796aa8b82c84df7b7b74c8fb22c9fb2e362d766e88cba0b7e4b452eb269ae60e17d3a921

Download Submit
C:\Users\Admin\AppData\Local\Temp\paylod.exe

Filesize
26KB

MD5
e6149ed0cdf7e22aaa3c79dfc7150900

SHA1
d9e1b9e3feff75897030366ba28d2c460374afa2

SHA256
b107529ccc4a4ad32ab1bd60ef6ae6b1cebc5e5252c0a6cd53a0cf6028e346d2

SHA512
f086c90a52981143e79066482b73c5e673c0e72332f204fa8f33b2ff180dbe52f1ee93bb44a1852d513569c3091ce81ba1185e511e00abdbbe1f2182a853f67e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Filesize
1KB

MD5
933490161b0b59c49a01b612b65e7911

SHA1
b14f486248cef2a24f2b97a17eb0e41a5eef1b19

SHA256
e762e2c786953a74b5bc9d033dd7079d461878ce5daab7553ef3e9a167c4a616

SHA512
18f70920bac4f24d2a28e3698066e6dd43af8095a56a572426eaf9f3a5d9ec191417ec65ff608fc4e882629a5bc78eb0a25f818d5a7e193e9b304c8ad93ee74d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

Filesize
1KB

MD5
965e6302945bcceb865364e8b236e877

SHA1
93fa7c16c468a8c51abd8fee2aac5cbd86b4762f

SHA256
f7f347cf948f21b405726e3773883de988de72b41e954943cc9b4c8af53e45b5

SHA512
beddca6ae7c5d09f03de7fa716529d0a349d7b377b2e0a3d8689c07fe2b30335814f7e8d631c61823aec23b4b71be2f73e1589e7fde82818dcb454fe6c845cf6

Download Submit
memory/528-192-0x0000000000400000-0x00000000005B5000-memory.dmp

Filesize
1.7MB

Download
memory/572-0-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/572-103-0x0000000000400000-0x000000000093C000-memory.dmp

Filesize
5.2MB

Download
memory/1796-186-0x0000000005860000-0x00000000058FC000-memory.dmp

Filesize
624KB

Download
memory/1796-185-0x0000000000F50000-0x0000000000F5C000-memory.dmp

Filesize
48KB

Download
memory/1796-191-0x0000000006610000-0x0000000006BB4000-memory.dmp

Filesize
5.6MB

Download
memory/4132-188-0x0000000000E80000-0x00000000017BA000-memory.dmp

Filesize
9.2MB

Download
memory/4132-164-0x0000000000E80000-0x00000000017BA000-memory.dmp

Filesize
9.2MB

Download
memory/4536-209-0x0000000006610000-0x00000000066A2000-memory.dmp

Filesize
584KB

Download
memory/4536-210-0x00000000065E0000-0x00000000065EA000-memory.dmp

Filesize
40KB

Download
memory/4736-193-0x0000000000400000-0x000000000093C000-memory.dmp

Filesize
5.2MB

Download
memory/4736-207-0x0000000000400000-0x000000000093C000-memory.dmp

Filesize
5.2MB

Download
memory/4736-211-0x0000000000400000-0x000000000093C000-memory.dmp

Filesize
5.2MB

Download
memory/4736-234-0x0000000000400000-0x000000000093C000-memory.dmp

Filesize
5.2MB

Download
memory/4996-71-0x000000007F4E0000-0x000000007F8B1000-memory.dmp

Filesize
3.8MB

Download
memory/4996-70-0x0000000000640000-0x0000000000F7A000-memory.dmp

Filesize
9.2MB

Download
memory/4996-183-0x0000000000640000-0x0000000000F7A000-memory.dmp

Filesize
9.2MB

Download
memory/4996-184-0x000000007F4E0000-0x000000007F8B1000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads