njrat | 6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df

Analysis

max time kernel
107s
max time network
192s
platform
windows7_x64
resource
win7v20210408
submitted
30-09-2021 07:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
Size

2.3MB
MD5

751be7e898d61998e52402b813e391bf
SHA1

6b8572889dbac9938e8552f05bf57496b6ab0367
SHA256

6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df
SHA512

baa23385c716c6fc682fad2ba963b55c957101d7545143c804b5a846b4bba1fa64761e26e77f225f56961fc63cc956023173ea9cd558c08f31b31541a88ab84e

Score

10^/10

njrat suricata trojan upx

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 7 IoCs

Processes:

LastFudCy.exeLastFudCy.exeLastFudCy.exeLastFudCy.exeLastFudCy.exeLastFudCy.exeLastFudCy.exe

pid process

460 LastFudCy.exe
1788 LastFudCy.exe
1704 LastFudCy.exe
1716 LastFudCy.exe
1696 LastFudCy.exe
1684 LastFudCy.exe
1672 LastFudCy.exe

pid	process
460	LastFudCy.exe
1788	LastFudCy.exe
1704	LastFudCy.exe
1716	LastFudCy.exe
1696	LastFudCy.exe
1684	LastFudCy.exe
1672	LastFudCy.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1672-88-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/1672-94-0x0000000000400000-0x0000000000425000-memory.dmp	upx

Drops startup file 2 IoCs

Processes:

6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exeLastFudCy.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\advpack.url	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RAVBg64.url	LastFudCy.exe

Loads dropped DLL 10 IoCs

Processes:

6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exeLastFudCy.exe

pid	process
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
460	LastFudCy.exe
460	LastFudCy.exe
460	LastFudCy.exe
460	LastFudCy.exe
460	LastFudCy.exe
460	LastFudCy.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exeLastFudCy.exe

description	pid	process	target process
PID 1992 set thread context of 948	1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe	RegSvcs.exe
PID 460 set thread context of 1672	460	LastFudCy.exe	LastFudCy.exe

autoit_exe 18 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\LastFudCy.exe	autoit_exe
\Users\Admin\AppData\Local\Temp\LastFudCy.exe	autoit_exe
\Users\Admin\AppData\Local\Temp\LastFudCy.exe	autoit_exe
\Users\Admin\AppData\Local\Temp\LastFudCy.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\LastFudCy.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\LastFudCy.exe	autoit_exe
\Users\Admin\AppData\Local\Temp\LastFudCy.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\LastFudCy.exe	autoit_exe
\Users\Admin\AppData\Local\Temp\LastFudCy.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\LastFudCy.exe	autoit_exe
\Users\Admin\AppData\Local\Temp\LastFudCy.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\LastFudCy.exe	autoit_exe
\Users\Admin\AppData\Local\Temp\LastFudCy.exe	autoit_exe
\Users\Admin\AppData\Local\Temp\LastFudCy.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\LastFudCy.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\LastFudCy.exe	autoit_exe
\Users\Admin\AppData\Local\Temp\LastFudCy.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\LastFudCy.exe	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe

pid	process
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	948	RegSvcs.exe
Token: 33	948	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	948	RegSvcs.exe
Token: 33	948	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	948	RegSvcs.exe
Token: 33	948	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	948	RegSvcs.exe
Token: 33	948	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	948	RegSvcs.exe
Token: 33	948	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	948	RegSvcs.exe
Token: 33	948	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	948	RegSvcs.exe
Token: 33	948	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	948	RegSvcs.exe
Token: 33	948	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	948	RegSvcs.exe
Token: 33	948	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	948	RegSvcs.exe
Token: 33	948	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	948	RegSvcs.exe
Token: 33	948	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	948	RegSvcs.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exeLastFudCy.exe

pid	process
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
460	LastFudCy.exe
460	LastFudCy.exe
460	LastFudCy.exe

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exeLastFudCy.exe

pid	process
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
460	LastFudCy.exe
460	LastFudCy.exe
460	LastFudCy.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LastFudCy.exe

pid process

1672 LastFudCy.exe

pid	process
1672	LastFudCy.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exeLastFudCy.exe

description	pid	process	target process
PID 1992 wrote to memory of 460	1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe	LastFudCy.exe
PID 1992 wrote to memory of 460	1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe	LastFudCy.exe
PID 1992 wrote to memory of 460	1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe	LastFudCy.exe
PID 1992 wrote to memory of 460	1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe	LastFudCy.exe
PID 1992 wrote to memory of 948	1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe	RegSvcs.exe
PID 1992 wrote to memory of 948	1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe	RegSvcs.exe
PID 1992 wrote to memory of 948	1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe	RegSvcs.exe
PID 1992 wrote to memory of 948	1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe	RegSvcs.exe
PID 1992 wrote to memory of 948	1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe	RegSvcs.exe
PID 1992 wrote to memory of 948	1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe	RegSvcs.exe
PID 1992 wrote to memory of 948	1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe	RegSvcs.exe
PID 1992 wrote to memory of 948	1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe	RegSvcs.exe
PID 1992 wrote to memory of 948	1992	6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe	RegSvcs.exe
PID 460 wrote to memory of 1788	460	LastFudCy.exe	LastFudCy.exe
PID 460 wrote to memory of 1788	460	LastFudCy.exe	LastFudCy.exe
PID 460 wrote to memory of 1788	460	LastFudCy.exe	LastFudCy.exe
PID 460 wrote to memory of 1788	460	LastFudCy.exe	LastFudCy.exe
PID 460 wrote to memory of 1704	460	LastFudCy.exe	LastFudCy.exe
PID 460 wrote to memory of 1704	460	LastFudCy.exe	LastFudCy.exe
PID 460 wrote to memory of 1704	460	LastFudCy.exe	LastFudCy.exe
PID 460 wrote to memory of 1704	460	LastFudCy.exe	LastFudCy.exe
PID 460 wrote to memory of 1716	460	LastFudCy.exe	LastFudCy.exe
PID 460 wrote to memory of 1716	460	LastFudCy.exe	LastFudCy.exe
PID 460 wrote to memory of 1716	460	LastFudCy.exe	LastFudCy.exe
PID 460 wrote to memory of 1716	460	LastFudCy.exe	LastFudCy.exe
PID 460 wrote to memory of 1684	460	LastFudCy.exe	LastFudCy.exe
PID 460 wrote to memory of 1684	460	LastFudCy.exe	LastFudCy.exe
PID 460 wrote to memory of 1684	460	LastFudCy.exe	LastFudCy.exe
PID 460 wrote to memory of 1684	460	LastFudCy.exe	LastFudCy.exe
PID 460 wrote to memory of 1696	460	LastFudCy.exe	LastFudCy.exe
PID 460 wrote to memory of 1696	460	LastFudCy.exe	LastFudCy.exe
PID 460 wrote to memory of 1696	460	LastFudCy.exe	LastFudCy.exe
PID 460 wrote to memory of 1696	460	LastFudCy.exe	LastFudCy.exe
PID 460 wrote to memory of 1672	460	LastFudCy.exe	LastFudCy.exe
PID 460 wrote to memory of 1672	460	LastFudCy.exe	LastFudCy.exe
PID 460 wrote to memory of 1672	460	LastFudCy.exe	LastFudCy.exe
PID 460 wrote to memory of 1672	460	LastFudCy.exe	LastFudCy.exe
PID 460 wrote to memory of 1672	460	LastFudCy.exe	LastFudCy.exe
PID 460 wrote to memory of 1672	460	LastFudCy.exe	LastFudCy.exe

C:\Users\Admin\AppData\Local\Temp\6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe
"C:\Users\Admin\AppData\Local\Temp\6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\LastFudCy.exe
"C:\Users\Admin\AppData\Local\Temp\LastFudCy.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:460

C:\Users\Admin\AppData\Local\Temp\LastFudCy.exe
"C:\Users\Admin\AppData\Local\Temp\LastFudCy.exe"
3⤵
- Executes dropped EXE
PID:1788

C:\Users\Admin\AppData\Local\Temp\LastFudCy.exe
"C:\Users\Admin\AppData\Local\Temp\LastFudCy.exe"
3⤵
- Executes dropped EXE
PID:1704

C:\Users\Admin\AppData\Local\Temp\LastFudCy.exe
"C:\Users\Admin\AppData\Local\Temp\LastFudCy.exe"
3⤵
- Executes dropped EXE
PID:1716

C:\Users\Admin\AppData\Local\Temp\LastFudCy.exe
"C:\Users\Admin\AppData\Local\Temp\LastFudCy.exe"
3⤵
- Executes dropped EXE
PID:1684

C:\Users\Admin\AppData\Local\Temp\LastFudCy.exe
"C:\Users\Admin\AppData\Local\Temp\LastFudCy.exe"
3⤵
- Executes dropped EXE
PID:1696

C:\Users\Admin\AppData\Local\Temp\LastFudCy.exe
"C:\Users\Admin\AppData\Local\Temp\LastFudCy.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1672

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LastFudCy.exe
MD5
0a236522a4053835ac2093099e535fcb

SHA1
3f039b58ff3db3f597cff65e9dcaa80b15fee28c

SHA256
1ea5ebe3eac08648aa427c9a864e9c98407366981c6547281e134573c86074d7

SHA512
2972be7422a82030e9dde987233cd1d1db8516c28c410c8c03d38acb68d9783a5bd6aa93f182129b0830223523b95633c1f3eee9869bd779bbd7b8de2ff9472f

Download Submit
C:\Users\Admin\AppData\Local\Temp\LastFudCy.exe
MD5
0a236522a4053835ac2093099e535fcb

SHA1
3f039b58ff3db3f597cff65e9dcaa80b15fee28c

SHA256
1ea5ebe3eac08648aa427c9a864e9c98407366981c6547281e134573c86074d7

SHA512
2972be7422a82030e9dde987233cd1d1db8516c28c410c8c03d38acb68d9783a5bd6aa93f182129b0830223523b95633c1f3eee9869bd779bbd7b8de2ff9472f

Download Submit
C:\Users\Admin\AppData\Local\Temp\LastFudCy.exe
MD5
0a236522a4053835ac2093099e535fcb

SHA1
3f039b58ff3db3f597cff65e9dcaa80b15fee28c

SHA256
1ea5ebe3eac08648aa427c9a864e9c98407366981c6547281e134573c86074d7

SHA512
2972be7422a82030e9dde987233cd1d1db8516c28c410c8c03d38acb68d9783a5bd6aa93f182129b0830223523b95633c1f3eee9869bd779bbd7b8de2ff9472f

Download Submit
C:\Users\Admin\AppData\Local\Temp\LastFudCy.exe
MD5
0a236522a4053835ac2093099e535fcb

SHA1
3f039b58ff3db3f597cff65e9dcaa80b15fee28c

SHA256
1ea5ebe3eac08648aa427c9a864e9c98407366981c6547281e134573c86074d7

SHA512
2972be7422a82030e9dde987233cd1d1db8516c28c410c8c03d38acb68d9783a5bd6aa93f182129b0830223523b95633c1f3eee9869bd779bbd7b8de2ff9472f

Download Submit
C:\Users\Admin\AppData\Local\Temp\LastFudCy.exe
MD5
0a236522a4053835ac2093099e535fcb

SHA1
3f039b58ff3db3f597cff65e9dcaa80b15fee28c

SHA256
1ea5ebe3eac08648aa427c9a864e9c98407366981c6547281e134573c86074d7

SHA512
2972be7422a82030e9dde987233cd1d1db8516c28c410c8c03d38acb68d9783a5bd6aa93f182129b0830223523b95633c1f3eee9869bd779bbd7b8de2ff9472f

Download Submit
C:\Users\Admin\AppData\Local\Temp\LastFudCy.exe
MD5
0a236522a4053835ac2093099e535fcb

SHA1
3f039b58ff3db3f597cff65e9dcaa80b15fee28c

SHA256
1ea5ebe3eac08648aa427c9a864e9c98407366981c6547281e134573c86074d7

SHA512
2972be7422a82030e9dde987233cd1d1db8516c28c410c8c03d38acb68d9783a5bd6aa93f182129b0830223523b95633c1f3eee9869bd779bbd7b8de2ff9472f

Download Submit
C:\Users\Admin\AppData\Local\Temp\LastFudCy.exe
MD5
0a236522a4053835ac2093099e535fcb

SHA1
3f039b58ff3db3f597cff65e9dcaa80b15fee28c

SHA256
1ea5ebe3eac08648aa427c9a864e9c98407366981c6547281e134573c86074d7

SHA512
2972be7422a82030e9dde987233cd1d1db8516c28c410c8c03d38acb68d9783a5bd6aa93f182129b0830223523b95633c1f3eee9869bd779bbd7b8de2ff9472f

Download Submit
C:\Users\Admin\AppData\Local\Temp\LastFudCy.exe
MD5
0a236522a4053835ac2093099e535fcb

SHA1
3f039b58ff3db3f597cff65e9dcaa80b15fee28c

SHA256
1ea5ebe3eac08648aa427c9a864e9c98407366981c6547281e134573c86074d7

SHA512
2972be7422a82030e9dde987233cd1d1db8516c28c410c8c03d38acb68d9783a5bd6aa93f182129b0830223523b95633c1f3eee9869bd779bbd7b8de2ff9472f

Download Submit
\Users\Admin\AppData\Local\Temp\LastFudCy.exe
MD5
0a236522a4053835ac2093099e535fcb

SHA1
3f039b58ff3db3f597cff65e9dcaa80b15fee28c

SHA256
1ea5ebe3eac08648aa427c9a864e9c98407366981c6547281e134573c86074d7

SHA512
2972be7422a82030e9dde987233cd1d1db8516c28c410c8c03d38acb68d9783a5bd6aa93f182129b0830223523b95633c1f3eee9869bd779bbd7b8de2ff9472f

Download Submit
\Users\Admin\AppData\Local\Temp\LastFudCy.exe
MD5
0a236522a4053835ac2093099e535fcb

SHA1
3f039b58ff3db3f597cff65e9dcaa80b15fee28c

SHA256
1ea5ebe3eac08648aa427c9a864e9c98407366981c6547281e134573c86074d7

SHA512
2972be7422a82030e9dde987233cd1d1db8516c28c410c8c03d38acb68d9783a5bd6aa93f182129b0830223523b95633c1f3eee9869bd779bbd7b8de2ff9472f

Download Submit
\Users\Admin\AppData\Local\Temp\LastFudCy.exe
MD5
0a236522a4053835ac2093099e535fcb

SHA1
3f039b58ff3db3f597cff65e9dcaa80b15fee28c

SHA256
1ea5ebe3eac08648aa427c9a864e9c98407366981c6547281e134573c86074d7

SHA512
2972be7422a82030e9dde987233cd1d1db8516c28c410c8c03d38acb68d9783a5bd6aa93f182129b0830223523b95633c1f3eee9869bd779bbd7b8de2ff9472f

Download Submit
\Users\Admin\AppData\Local\Temp\LastFudCy.exe
MD5
0a236522a4053835ac2093099e535fcb

SHA1
3f039b58ff3db3f597cff65e9dcaa80b15fee28c

SHA256
1ea5ebe3eac08648aa427c9a864e9c98407366981c6547281e134573c86074d7

SHA512
2972be7422a82030e9dde987233cd1d1db8516c28c410c8c03d38acb68d9783a5bd6aa93f182129b0830223523b95633c1f3eee9869bd779bbd7b8de2ff9472f

Download Submit
\Users\Admin\AppData\Local\Temp\LastFudCy.exe
MD5
0a236522a4053835ac2093099e535fcb

SHA1
3f039b58ff3db3f597cff65e9dcaa80b15fee28c

SHA256
1ea5ebe3eac08648aa427c9a864e9c98407366981c6547281e134573c86074d7

SHA512
2972be7422a82030e9dde987233cd1d1db8516c28c410c8c03d38acb68d9783a5bd6aa93f182129b0830223523b95633c1f3eee9869bd779bbd7b8de2ff9472f

Download Submit
\Users\Admin\AppData\Local\Temp\LastFudCy.exe
MD5
0a236522a4053835ac2093099e535fcb

SHA1
3f039b58ff3db3f597cff65e9dcaa80b15fee28c

SHA256
1ea5ebe3eac08648aa427c9a864e9c98407366981c6547281e134573c86074d7

SHA512
2972be7422a82030e9dde987233cd1d1db8516c28c410c8c03d38acb68d9783a5bd6aa93f182129b0830223523b95633c1f3eee9869bd779bbd7b8de2ff9472f

Download Submit
\Users\Admin\AppData\Local\Temp\LastFudCy.exe
MD5
0a236522a4053835ac2093099e535fcb

SHA1
3f039b58ff3db3f597cff65e9dcaa80b15fee28c

SHA256
1ea5ebe3eac08648aa427c9a864e9c98407366981c6547281e134573c86074d7

SHA512
2972be7422a82030e9dde987233cd1d1db8516c28c410c8c03d38acb68d9783a5bd6aa93f182129b0830223523b95633c1f3eee9869bd779bbd7b8de2ff9472f

Download Submit
\Users\Admin\AppData\Local\Temp\LastFudCy.exe
MD5
0a236522a4053835ac2093099e535fcb

SHA1
3f039b58ff3db3f597cff65e9dcaa80b15fee28c

SHA256
1ea5ebe3eac08648aa427c9a864e9c98407366981c6547281e134573c86074d7

SHA512
2972be7422a82030e9dde987233cd1d1db8516c28c410c8c03d38acb68d9783a5bd6aa93f182129b0830223523b95633c1f3eee9869bd779bbd7b8de2ff9472f

Download Submit
\Users\Admin\AppData\Local\Temp\LastFudCy.exe
MD5
0a236522a4053835ac2093099e535fcb

SHA1
3f039b58ff3db3f597cff65e9dcaa80b15fee28c

SHA256
1ea5ebe3eac08648aa427c9a864e9c98407366981c6547281e134573c86074d7

SHA512
2972be7422a82030e9dde987233cd1d1db8516c28c410c8c03d38acb68d9783a5bd6aa93f182129b0830223523b95633c1f3eee9869bd779bbd7b8de2ff9472f

Download Submit
\Users\Admin\AppData\Local\Temp\LastFudCy.exe
MD5
0a236522a4053835ac2093099e535fcb

SHA1
3f039b58ff3db3f597cff65e9dcaa80b15fee28c

SHA256
1ea5ebe3eac08648aa427c9a864e9c98407366981c6547281e134573c86074d7

SHA512
2972be7422a82030e9dde987233cd1d1db8516c28c410c8c03d38acb68d9783a5bd6aa93f182129b0830223523b95633c1f3eee9869bd779bbd7b8de2ff9472f

Download Submit
memory/460-64-0x0000000000000000-mapping.dmp

Download
memory/948-106-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-117-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-78-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-146-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-77-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-73-0x00000000000BA08E-mapping.dmp

Download
memory/948-145-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-68-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-144-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-95-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/948-96-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-97-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-98-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-99-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-100-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-101-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-102-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-103-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-104-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-105-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-107-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-143-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-108-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-109-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-110-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-111-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-112-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-113-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-114-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-115-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-116-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-142-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-118-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-119-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-120-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-121-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-122-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-123-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-124-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-125-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-126-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-127-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-128-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-129-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-130-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-131-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-132-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-133-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-134-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-135-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-136-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-137-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-138-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-139-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-140-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/948-141-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/1672-94-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1672-90-0x0000000000423390-mapping.dmp

Download
memory/1672-88-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1992-79-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/1992-59-0x0000000075511000-0x0000000075513000-memory.dmp

Filesize
8KB

Download