Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-11-2024 02:44

General

  • Target

    bf36ef47d125cf899784719d4f66050e8f0f64c28d895d10b33795e5b98642fa.exe

  • Size

    8.7MB

  • MD5

    3292f4433d934714a3a5632f9b884607

  • SHA1

    0609a6f36ceb4c0bedd2b2066d35d11f02338eb2

  • SHA256

    bf36ef47d125cf899784719d4f66050e8f0f64c28d895d10b33795e5b98642fa

  • SHA512

    67f4a1049a134a77c002319c493cdd682e3395d2409bd73e8accd2528fff842e5da27a0513ff41bca12c46d64b3e7cb7c6e3d594513c9de6dc91035169b6c371

  • SSDEEP

    196608:hCbGPZmVfjsCbGPZmVfjiCbGPZmVfjsCbGPZmVfj2CbGPZmVfjsCbGPZmVfjiCbx:0GmVNGmVrGmVNGmVnGmVNGmVrGmVNGml

Malware Config

Extracted

  • Family
    njrat
  • Version
    0.7d
  • Botnet
    jjj
  • C2
    youri.mooo.com:1605
  • Mutex
    e936a10f968ac948cd351c9629dbd36d
  • Attributes
    • reg_key
      e936a10f968ac948cd351c9629dbd36d
    • splitter
      |'|'|

Signatures

  • Njrat family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • NTFS ADS 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 25 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bf36ef47d125cf899784719d4f66050e8f0f64c28d895d10b33795e5b98642fa.exe
    "C:\Users\Admin\AppData\Local\Temp\bf36ef47d125cf899784719d4f66050e8f0f64c28d895d10b33795e5b98642fa.exe"
    1⤵
    • Adds Run key to start application
    • Subvert Trust Controls: Mark-of-the-Web Bypass
    • System Location Discovery: System Language Discovery
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3516
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\PROGRA~3\BF36EF~1.TXT
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2480
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\PROGRA~3\bf36ef47d125cf899784719d4f66050e8f0f64c28d895d10b33795e5b98642fa.exe.txt
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4860
    • C:\ProgramData\winmgr107.exe
      C:\ProgramData\winmgr107.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Subvert Trust Controls: Mark-of-the-Web Bypass
      • System Location Discovery: System Language Discovery
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1640
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        0
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4676
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:1392
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2336
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:3900
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:4444
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2060
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:3648
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1200
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:4328
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:5084
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1868
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:4484
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1284
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:4120
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:4004
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2896
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:3600
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2248
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2516
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2080
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:3036
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2968
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1500
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2084
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:3976
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1000
      • C:\Windows\SysWOW64\schtasks.exe
        C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:3884

Network

All DNS traffic went to 8.8.8.8:53. The same queries appeared in both the per-lookup list and the per-connection table of the original report; they are merged below, with the repeated youri.mooo.com (C2) lookups from RegAsm.exe collapsed into one row. No HTTP or TCP connections were recorded.

  Query                         Type   Process      Sent   Received   Lookups
  13.86.106.20.in-addr.arpa     PTR    -            71 B   157 B      1
  72.32.126.40.in-addr.arpa     PTR    -            71 B   157 B      1
  95.221.229.192.in-addr.arpa   PTR    -            73 B   144 B      1
  209.205.72.20.in-addr.arpa    PTR    -            72 B   158 B      1
  212.20.149.52.in-addr.arpa    PTR    -            72 B   146 B      1
  198.187.3.20.in-addr.arpa     PTR    -            71 B   157 B      1
  100.209.201.84.in-addr.arpa   PTR    -            73 B   133 B      1
  youri.mooo.com                A      RegAsm.exe   60 B   119 B      19 (sizes per lookup)
  105.208.201.84.in-addr.arpa   PTR    -            73 B   133 B      1
  240.221.184.93.in-addr.arpa   PTR    -            73 B   144 B      1
  48.229.111.52.in-addr.arpa    PTR    -            72 B   158 B      1

MITRE ATT&CK Enterprise v15

Downloads

  • C:\PROGRA~3\bf36ef47d125cf899784719d4f66050e8f0f64c28d895d10b33795e5b98642fa.exe.txt

    Filesize

    992B

    MD5

    c8cf7247d4cfc99a7582a42d13df4c08

    SHA1

    317f5588af0b3b6374c436fb00084c522fd78a83

    SHA256

    78bd99781e971622f1573bccf2ae9cdd7a7498cf81c1875afc65913e1083b1d0

    SHA512

    5dd86b7ba388e5d2ad61b1c69589f42c36eec23a04b3cece0941133e0cf0e8a6f1f3aa2242d87af72db725b4b96032dadae72b3be98af3cfce5786ad8c08c357

  • C:\ProgramData\winmgr107.exe

    Filesize

    8.7MB

    MD5

    73444c664abf6c2dcf3f6270ca658490

    SHA1

    bbe3743c34240c403031653489922521aa2177a3

    SHA256

    321762bbb7b7e1b0df21bb3c44bfa6a54e1b764630b889cc7103b08772fc6071

    SHA512

    c7331e66da00eb577763dce5aacafe99c3c588ac211a45e426c469a4271756f5b36ef03af6e2a9f50143b3c28822e336e9b216c9e15fc7201eaaaf8ed5dbd036

  • C:\Users\Admin\AppData\Local\Temp\bf36ef47d125cf899784719d4f66050e8f0f64c28d895d10b33795e5b98642fa.exe

    Filesize

    8.7MB

    MD5

    3292f4433d934714a3a5632f9b884607

    SHA1

    0609a6f36ceb4c0bedd2b2066d35d11f02338eb2

    SHA256

    bf36ef47d125cf899784719d4f66050e8f0f64c28d895d10b33795e5b98642fa

    SHA512

    67f4a1049a134a77c002319c493cdd682e3395d2409bd73e8accd2528fff842e5da27a0513ff41bca12c46d64b3e7cb7c6e3d594513c9de6dc91035169b6c371

  • memory/4676-15-0x00000000007B0000-0x00000000007BC000-memory.dmp

    Filesize

    48KB