njrat | 787cb0fab96ebe518dea4d2ebd90528db5ebf6019cb2c0d62ad77413bcd36e2d

Analysis

max time kernel
756s
max time network
762s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2024 15:26

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

qywfpvbxbvih.exe
Size

763KB
MD5

7487d47ee73f83579acea7333014b9eb
SHA1

d5826d492bf720306fbdab1d83047d3c8ee2c7cf
SHA256

4d33372e2991bc62a668eb682bb840fd6b02b95213ea849195e3fc688208379d
SHA512

5c45641e9e4c56653212bd6325163202c842c031c9a2d7843fffd7e6283c8b095843469a83a1ddef488df0c8aead269a4e64e7190be9874a884a33728555d08c
SSDEEP

12288:9yYV6aHOa4biYPVle8G3dNi4wixQQsGeOCxNfM3q9RNIwo:9FDunbil3dNi47QjN03qD

Score

10^/10

njrat lammer evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

8.tcp.ngrok.io:19346

Mutex

bca7344ec33c4f045ea133b6b48694e2

Attributes

reg_key
bca7344ec33c4f045ea133b6b48694e2
splitter
|'|'|

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral18/memory/3472-607-0x00000000016C0000-0x00000000016CA000-memory.dmp	disable_win_def

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

qywfpvbxbvih.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\Documents\\Sub\\xdwdClient.exe"	qywfpvbxbvih.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

qywfpvbxbvih.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	qywfpvbxbvih.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	qywfpvbxbvih.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	qywfpvbxbvih.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	qywfpvbxbvih.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

qywfpvbxbvih.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	qywfpvbxbvih.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	qywfpvbxbvih.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	qywfpvbxbvih.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

952 netsh.exe

pid	process
952	netsh.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0q3bbokd.5i5.exeTrojan.exeRegAsm.exeqywfpvbxbvih.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	0q3bbokd.5i5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Trojan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	qywfpvbxbvih.exe

Drops startup file 2 IoCs

Processes:

Trojan.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bca7344ec33c4f045ea133b6b48694e2.exe	Trojan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bca7344ec33c4f045ea133b6b48694e2.exe	Trojan.exe

Executes dropped EXE 3 IoCs

Processes:

Trojan.exe0q3bbokd.5i5.exeTrojan.exe

pid process

3076 Trojan.exe
2396 0q3bbokd.5i5.exe
3664 Trojan.exe

pid	process
3076	Trojan.exe
2396	0q3bbokd.5i5.exe
3664	Trojan.exe

Loads dropped DLL 21 IoCs

Processes:

WmiApSrv.exepowershell.exepowershell.exemsedge.exemsedge.exemsedge.exeCompPkgSrv.exeCompPkgSrv.exemsedge.exe

pid	process
4180
4684
664
3572	WmiApSrv.exe
2208
4864
3564	powershell.exe
1664
1720
640
3500	powershell.exe
2288
3668
2320
3548	msedge.exe
2580	msedge.exe
1288	msedge.exe
2812
4656	CompPkgSrv.exe
4088	CompPkgSrv.exe
3408	msedge.exe

Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

qywfpvbxbvih.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" qywfpvbxbvih.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	qywfpvbxbvih.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

qywfpvbxbvih.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SDLKFJHDLKHDkh = "C:\\Users\\Admin\\Documents\\Sub\\xdwdWatchDog.exe"	qywfpvbxbvih.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

qywfpvbxbvih.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua	qywfpvbxbvih.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	qywfpvbxbvih.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

65 8.tcp.ngrok.io
145 8.tcp.ngrok.io
153 0.tcp.eu.ngrok.io
20 0.tcp.eu.ngrok.io
47 0.tcp.eu.ngrok.io
61 0.tcp.eu.ngrok.io
Suspicious use of SetThreadContext 1 IoCs

Processes:

qywfpvbxbvih.exe

description pid process target process

PID 3472 set thread context of 5060 3472 qywfpvbxbvih.exe RegAsm.exe
Drops file in Windows directory 1 IoCs

Processes:

qywfpvbxbvih.exe

description ioc process

File created C:\Windows\xdwd.dll qywfpvbxbvih.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
65	8.tcp.ngrok.io
145	8.tcp.ngrok.io
153	0.tcp.eu.ngrok.io
20	0.tcp.eu.ngrok.io
47	0.tcp.eu.ngrok.io
61	0.tcp.eu.ngrok.io

description	pid	process	target process
PID 3472 set thread context of 5060	3472	qywfpvbxbvih.exe	RegAsm.exe

description	ioc	process
File created	C:\Windows\xdwd.dll	qywfpvbxbvih.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

Processes:

qywfpvbxbvih.exeWmiApSrv.exepowershell.exepowershell.exemsedge.exemsedge.exemsedge.exeCompPkgSrv.exeCompPkgSrv.exeidentity_helper.exemsedge.exe

pid	process
3472	qywfpvbxbvih.exe
3472	qywfpvbxbvih.exe
3472	qywfpvbxbvih.exe
3472	qywfpvbxbvih.exe
3472	qywfpvbxbvih.exe
3472	qywfpvbxbvih.exe
3472	qywfpvbxbvih.exe
3472	qywfpvbxbvih.exe
3472	qywfpvbxbvih.exe
3472	qywfpvbxbvih.exe
3472	qywfpvbxbvih.exe
3472	qywfpvbxbvih.exe
3472	qywfpvbxbvih.exe
3472	qywfpvbxbvih.exe
3472	qywfpvbxbvih.exe
3472	qywfpvbxbvih.exe
3472	qywfpvbxbvih.exe
3472	qywfpvbxbvih.exe
3472	qywfpvbxbvih.exe
3472	qywfpvbxbvih.exe
3472	qywfpvbxbvih.exe
3472	qywfpvbxbvih.exe
3472	qywfpvbxbvih.exe
3472	qywfpvbxbvih.exe
3472	qywfpvbxbvih.exe
3472	qywfpvbxbvih.exe
3472	qywfpvbxbvih.exe
3572	WmiApSrv.exe
3572	WmiApSrv.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
3500	powershell.exe
3500	powershell.exe
3500	powershell.exe
3500	powershell.exe
3548	msedge.exe
3548	msedge.exe
2580	msedge.exe
2580	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
4656	CompPkgSrv.exe
2580	msedge.exe
2580	msedge.exe
4088	CompPkgSrv.exe
4056	identity_helper.exe
4056	identity_helper.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

2580 msedge.exe
2580 msedge.exe
2580 msedge.exe
2580 msedge.exe
2580 msedge.exe
2580 msedge.exe
2580 msedge.exe
2580 msedge.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

Processes:

qywfpvbxbvih.exepowershell.exepowershell.exeTrojan.exe

description	pid	process
Token: SeDebugPrivilege	3472	qywfpvbxbvih.exe
Token: SeDebugPrivilege	3564	powershell.exe
Token: SeDebugPrivilege	3500	powershell.exe
Token: SeDebugPrivilege	3664	Trojan.exe
Token: 33	3664	Trojan.exe
Token: SeIncBasePriorityPrivilege	3664	Trojan.exe
Token: 33	3664	Trojan.exe
Token: SeIncBasePriorityPrivilege	3664	Trojan.exe
Token: 33	3664	Trojan.exe
Token: SeIncBasePriorityPrivilege	3664	Trojan.exe
Token: 33	3664	Trojan.exe
Token: SeIncBasePriorityPrivilege	3664	Trojan.exe
Token: 33	3664	Trojan.exe
Token: SeIncBasePriorityPrivilege	3664	Trojan.exe
Token: 33	3664	Trojan.exe
Token: SeIncBasePriorityPrivilege	3664	Trojan.exe
Token: 33	3664	Trojan.exe
Token: SeIncBasePriorityPrivilege	3664	Trojan.exe
Token: 33	3664	Trojan.exe
Token: SeIncBasePriorityPrivilege	3664	Trojan.exe
Token: 33	3664	Trojan.exe
Token: SeIncBasePriorityPrivilege	3664	Trojan.exe
Token: 33	3664	Trojan.exe
Token: SeIncBasePriorityPrivilege	3664	Trojan.exe
Token: 33	3664	Trojan.exe
Token: SeIncBasePriorityPrivilege	3664	Trojan.exe
Token: 33	3664	Trojan.exe
Token: SeIncBasePriorityPrivilege	3664	Trojan.exe
Token: 33	3664	Trojan.exe
Token: SeIncBasePriorityPrivilege	3664	Trojan.exe
Token: 33	3664	Trojan.exe
Token: SeIncBasePriorityPrivilege	3664	Trojan.exe
Token: 33	3664	Trojan.exe
Token: SeIncBasePriorityPrivilege	3664	Trojan.exe
Token: 33	3664	Trojan.exe
Token: SeIncBasePriorityPrivilege	3664	Trojan.exe
Token: 33	3664	Trojan.exe
Token: SeIncBasePriorityPrivilege	3664	Trojan.exe
Token: 33	3664	Trojan.exe
Token: SeIncBasePriorityPrivilege	3664	Trojan.exe
Token: 33	3664	Trojan.exe
Token: SeIncBasePriorityPrivilege	3664	Trojan.exe
Token: 33	3664	Trojan.exe
Token: SeIncBasePriorityPrivilege	3664	Trojan.exe
Token: 33	3664	Trojan.exe
Token: SeIncBasePriorityPrivilege	3664	Trojan.exe
Token: 33	3664	Trojan.exe
Token: SeIncBasePriorityPrivilege	3664	Trojan.exe
Token: 33	3664	Trojan.exe
Token: SeIncBasePriorityPrivilege	3664	Trojan.exe
Token: 33	3664	Trojan.exe
Token: SeIncBasePriorityPrivilege	3664	Trojan.exe
Token: 33	3664	Trojan.exe
Token: SeIncBasePriorityPrivilege	3664	Trojan.exe
Token: 33	3664	Trojan.exe
Token: SeIncBasePriorityPrivilege	3664	Trojan.exe
Token: 33	3664	Trojan.exe
Token: SeIncBasePriorityPrivilege	3664	Trojan.exe
Token: 33	3664	Trojan.exe
Token: SeIncBasePriorityPrivilege	3664	Trojan.exe
Token: 33	3664	Trojan.exe
Token: SeIncBasePriorityPrivilege	3664	Trojan.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

qywfpvbxbvih.exeRegAsm.execmd.exepowershell.exe0q3bbokd.5i5.exeTrojan.execmd.exemsedge.exe

description	pid	process	target process
PID 3472 wrote to memory of 3564	3472	qywfpvbxbvih.exe	powershell.exe
PID 3472 wrote to memory of 3564	3472	qywfpvbxbvih.exe	powershell.exe
PID 3472 wrote to memory of 5060	3472	qywfpvbxbvih.exe	RegAsm.exe
PID 3472 wrote to memory of 5060	3472	qywfpvbxbvih.exe	RegAsm.exe
PID 3472 wrote to memory of 5060	3472	qywfpvbxbvih.exe	RegAsm.exe
PID 3472 wrote to memory of 5060	3472	qywfpvbxbvih.exe	RegAsm.exe
PID 3472 wrote to memory of 5060	3472	qywfpvbxbvih.exe	RegAsm.exe
PID 3472 wrote to memory of 5060	3472	qywfpvbxbvih.exe	RegAsm.exe
PID 3472 wrote to memory of 5060	3472	qywfpvbxbvih.exe	RegAsm.exe
PID 3472 wrote to memory of 5060	3472	qywfpvbxbvih.exe	RegAsm.exe
PID 5060 wrote to memory of 3076	5060	RegAsm.exe	Trojan.exe
PID 5060 wrote to memory of 3076	5060	RegAsm.exe	Trojan.exe
PID 5060 wrote to memory of 3076	5060	RegAsm.exe	Trojan.exe
PID 3472 wrote to memory of 4736	3472	qywfpvbxbvih.exe	cmd.exe
PID 3472 wrote to memory of 4736	3472	qywfpvbxbvih.exe	cmd.exe
PID 4736 wrote to memory of 3500	4736	cmd.exe	powershell.exe
PID 4736 wrote to memory of 3500	4736	cmd.exe	powershell.exe
PID 3500 wrote to memory of 2396	3500	powershell.exe	0q3bbokd.5i5.exe
PID 3500 wrote to memory of 2396	3500	powershell.exe	0q3bbokd.5i5.exe
PID 3500 wrote to memory of 2396	3500	powershell.exe	0q3bbokd.5i5.exe
PID 2396 wrote to memory of 3664	2396	0q3bbokd.5i5.exe	Trojan.exe
PID 2396 wrote to memory of 3664	2396	0q3bbokd.5i5.exe	Trojan.exe
PID 2396 wrote to memory of 3664	2396	0q3bbokd.5i5.exe	Trojan.exe
PID 3664 wrote to memory of 952	3664	Trojan.exe	netsh.exe
PID 3664 wrote to memory of 952	3664	Trojan.exe	netsh.exe
PID 3664 wrote to memory of 952	3664	Trojan.exe	netsh.exe
PID 3664 wrote to memory of 668	3664	Trojan.exe	cmd.exe
PID 3664 wrote to memory of 668	3664	Trojan.exe	cmd.exe
PID 3664 wrote to memory of 668	3664	Trojan.exe	cmd.exe
PID 668 wrote to memory of 2580	668	cmd.exe	msedge.exe
PID 668 wrote to memory of 2580	668	cmd.exe	msedge.exe
PID 2580 wrote to memory of 3548	2580	msedge.exe	msedge.exe
PID 2580 wrote to memory of 3548	2580	msedge.exe	msedge.exe
PID 2580 wrote to memory of 1948	2580	msedge.exe	msedge.exe
PID 2580 wrote to memory of 1948	2580	msedge.exe	msedge.exe
PID 2580 wrote to memory of 1948	2580	msedge.exe	msedge.exe
PID 2580 wrote to memory of 1948	2580	msedge.exe	msedge.exe
PID 2580 wrote to memory of 1948	2580	msedge.exe	msedge.exe
PID 2580 wrote to memory of 1948	2580	msedge.exe	msedge.exe
PID 2580 wrote to memory of 1948	2580	msedge.exe	msedge.exe
PID 2580 wrote to memory of 1948	2580	msedge.exe	msedge.exe
PID 2580 wrote to memory of 1948	2580	msedge.exe	msedge.exe
PID 2580 wrote to memory of 1948	2580	msedge.exe	msedge.exe
PID 2580 wrote to memory of 1948	2580	msedge.exe	msedge.exe
PID 2580 wrote to memory of 1948	2580	msedge.exe	msedge.exe
PID 2580 wrote to memory of 1948	2580	msedge.exe	msedge.exe
PID 2580 wrote to memory of 1948	2580	msedge.exe	msedge.exe
PID 2580 wrote to memory of 1948	2580	msedge.exe	msedge.exe
PID 2580 wrote to memory of 1948	2580	msedge.exe	msedge.exe
PID 2580 wrote to memory of 1948	2580	msedge.exe	msedge.exe
PID 2580 wrote to memory of 1948	2580	msedge.exe	msedge.exe
PID 2580 wrote to memory of 1948	2580	msedge.exe	msedge.exe
PID 2580 wrote to memory of 1948	2580	msedge.exe	msedge.exe
PID 2580 wrote to memory of 1948	2580	msedge.exe	msedge.exe
PID 2580 wrote to memory of 1948	2580	msedge.exe	msedge.exe
PID 2580 wrote to memory of 1948	2580	msedge.exe	msedge.exe
PID 2580 wrote to memory of 1948	2580	msedge.exe	msedge.exe
PID 2580 wrote to memory of 1948	2580	msedge.exe	msedge.exe
PID 2580 wrote to memory of 1948	2580	msedge.exe	msedge.exe
PID 2580 wrote to memory of 1948	2580	msedge.exe	msedge.exe
PID 2580 wrote to memory of 1948	2580	msedge.exe	msedge.exe
PID 2580 wrote to memory of 1948	2580	msedge.exe	msedge.exe
PID 2580 wrote to memory of 1948	2580	msedge.exe	msedge.exe
PID 2580 wrote to memory of 1948	2580	msedge.exe	msedge.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

qywfpvbxbvih.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	qywfpvbxbvih.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	qywfpvbxbvih.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	qywfpvbxbvih.exe

C:\Users\Admin\AppData\Local\Temp\qywfpvbxbvih.exe
"C:\Users\Admin\AppData\Local\Temp\qywfpvbxbvih.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Checks computer location settings
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5060

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
3⤵
- Executes dropped EXE
PID:3076

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\0q3bbokd.5i5.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\0q3bbokd.5i5.exe"'
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3500

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\0q3bbokd.5i5.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\0q3bbokd.5i5.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
5⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3664

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
6⤵
- Modifies Windows Firewall
PID:952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC405.tmp.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.redtube.com/
7⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,7896315559704307141,10735194922672906513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
8⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,7896315559704307141,10735194922672906513,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:8
8⤵
PID:856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,7896315559704307141,10735194922672906513,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
8⤵
PID:1948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7896315559704307141,10735194922672906513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
8⤵
PID:3576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7896315559704307141,10735194922672906513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
8⤵
PID:2128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7896315559704307141,10735194922672906513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
8⤵
PID:4000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7896315559704307141,10735194922672906513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1
8⤵
PID:3064

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,7896315559704307141,10735194922672906513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:4056

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,7896315559704307141,10735194922672906513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
8⤵
PID:3264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7896315559704307141,10735194922672906513,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
8⤵
PID:1724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7896315559704307141,10735194922672906513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
8⤵
PID:516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7896315559704307141,10735194922672906513,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
8⤵
PID:1936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7896315559704307141,10735194922672906513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
8⤵
PID:2980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,7896315559704307141,10735194922672906513,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1292 /prefetch:2
8⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7896315559704307141,10735194922672906513,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
8⤵
PID:2548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7896315559704307141,10735194922672906513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
8⤵
PID:3560

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Shutdown /s /f /t 00
2⤵
PID:2396

C:\Windows\system32\shutdown.exe
Shutdown /s /f /t 00
3⤵
PID:4280

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0x11c,0x12c,0x7ff8393546f8,0x7ff839354708,0x7ff839354718
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3548

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4656

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa396c855 /state1:0x41c64e6d
1⤵
PID:4816

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
3e71d66ce903fcba6050e4b99b624fa7

SHA1
139d274762405b422eab698da8cc85f405922de5

SHA256
53b34e24e3fbb6a7f473192fc4dec2ae668974494f5636f0359b6ca27d7c65e3

SHA512
17e2f1400000dd6c54c8dc067b31bcb0a3111e44a9d2c5c779f484a51ada92d88f5b6e6847270faae8ff881117b7ceaaf8dfe9df427cbb8d9449ceacd0480388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
77d662d25e06e3b6b1bd50d6ac973144

SHA1
6b26e8a4b2d0d07349e0d15aca676503bfebcc4e

SHA256
c4a0c70cd153183e7e0a33e043e30d3cc24cc5b862c5aaef5ae3dbb1e5484917

SHA512
22a27940ad4cc59e3b6c52f3ad5cc7b1fbb9ec7474e32c81f7298a3790782b53355689a7182a6a515a7b8ab0c8efcd2660ed7c0223774feb007f88169ab79da9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
fe243e85c24ae3ba6d2ecb12d8160107

SHA1
f1173e4dc7678a64dc7b1510ae9009e6c54774e5

SHA256
3f0654cd7143e8d9bad3a75f2845b8382de07210c957c96cc640d3c59c4c38e7

SHA512
a9f0083644d869fd4c7071f00e130f1a7de7b359cbb90a1ada6fe1b2de7839712e9db458da1b52f00b97441247e4dd9aeedbbe390951a14ea7054983293479cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
5883cd5e092248dcf24195f766d2cfd2

SHA1
bc2fecb311b18c6350b38c3bf13ed9dea019ca67

SHA256
7b33b839c24c50930039d670d991397203121c84137d9faa947357fecbe127a5

SHA512
ef372da63e35d98d41a740680e211e87c46c27e2ff02d5e05e1b096bfeabfc7cd413dc75128d50d91da8d80980184eadb95f4b522a4e184b8e9e6c2f885b6363

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
1b1b142e24215f033793d1311e24f6e6

SHA1
74e23cffbf03f3f0c430e6f4481e740c55a48587

SHA256
3dca3ec65d1f4109c6b66a1a47b2477afaf8d15306a523f297283da0eccbe8b1

SHA512
a569385710e3a0dc0d6366476c457927a847a2b2298c839e423c485f7dcce2468a58d20133f6dc81913056fb579957e67f63cf1e20b910d61816210447cd1f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
168B

MD5
7bddda99db80f482c60e22406c758476

SHA1
d2adfcc49af6316f5812b89c5235ce7ebc96bfa4

SHA256
3d43b0ba9a1de896e03df63f9b6d9aab9c0a7f1c7c663d22cd2b730683009937

SHA512
fd9cc647cc404101426461a0bbbd719f025041c1842de05aa22079b25f262404b29066a6e42f398a1d43e44df82eaeb09644432802c3da44b4d219f7b3c90839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe6027c0.TMP
Filesize
48B

MD5
f314d44f4d66b1b8ffbf81f2a82c8e4f

SHA1
ebc43cb7a0ce3a161bada72f43ce36f5b7a541d9

SHA256
0195e0abe9b533d7c14c6531b97110196782736136fe92e5fd956376b8a19a81

SHA512
288bdd0ee39867a4fb2c536ddb602d48181a36e7bf1293b6ad72e65538fb9bf94ec591e563e5ef3981ccf72b7ecb2b5e15dcea038d25e8ebb1f6d36828d2484f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
1KB

MD5
4bd9232bd8d2da78f0c43fe57a720d4b

SHA1
66e4f661c5171965d86af7f4541d14f5471f86e2

SHA256
bd76a8fb5337bf3e9b2ff641e88bd53577c9b8710ea198dd7371ac4bc682ac6b

SHA512
61904c1e94f63a7f7ffbfef4175324ce02c09629698861f77605a7349f6a435fe23a2dc6f15e12767057b00d74b8582a84d3ad6befbbca4482b49ecc29d13256

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tr1umiba.fyu.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC405.tmp.bat
Filesize
37B

MD5
f5726d253fe5d4ecc9568bd9999883ca

SHA1
8fec12574c36283782076dd020fe67bbd6c49b8b

SHA256
1ede0c20a3dc0fd37285a36f19be95d0770f162e199e3514713301ecc8d05687

SHA512
2bc5d23a1eac45030c181f585c1a44b74386779d1e6e9448e190210d4eae4f98273923b7e055985d06c17e629429098fa78fa11a365d40fc93406cf6a13c9ee6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\0q3bbokd.5i5.exe
Filesize
23KB

MD5
2c16e91ad2c6bdd99a1c2d419fbb0ec3

SHA1
f9b7ff51da9f9010fe3c9ab9cdcbc0febdb137da

SHA256
5b7d0d117902bffd1821b5d5cf7b0ace5061c0913f546e7bebd3e6a62c65e6ed

SHA512
ecd2ff0e6fa203daac5e51e814fa8c46b049857c15f90edfa6e9da8903bed72d9cdd4e98bc471e104cd2ee6b79dc780f361bf85aa7a8e2351a1e5099c73974cc

Download Submit
C:\Users\Admin\Documents\Sub\xdwdClient.exe
Filesize
763KB

MD5
7487d47ee73f83579acea7333014b9eb

SHA1
d5826d492bf720306fbdab1d83047d3c8ee2c7cf

SHA256
4d33372e2991bc62a668eb682bb840fd6b02b95213ea849195e3fc688208379d

SHA512
5c45641e9e4c56653212bd6325163202c842c031c9a2d7843fffd7e6283c8b095843469a83a1ddef488df0c8aead269a4e64e7190be9874a884a33728555d08c

Download Submit
C:\Windows\xdwd.dll
Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
C:\Windows\xdwd.dll
Filesize
108KB

MD5
e2834e76bdd3e3a4072a6a36fcd32694

SHA1
7dfcba13be2278a48df1bff8c1dce5862a5c1d1d

SHA256
186ee797450d2162b0a9b54cfb377b65e8f53c533b558852b28707b42e9f318a

SHA512
0fe664e3d4da9544a8df547c0f8d869cc4c26e40155c0585012ae783ac340467c56496bc200681a929d97b605f86f969cb28a5751b2160c9f064f24a94f93b08

Download Submit
C:\Windows\xdwd.dll
Filesize
133KB

MD5
0ce0e2b4b89d92e4f7041002bedbd42d

SHA1
21842cca58d4052933bf6762a041642b87f05cb5

SHA256
460499c94176001c29c1378fb12fa54d1e223cb3a765501b8342d34032d6f4db

SHA512
8b1b94e121d690b3d4ac4119aa685663fe2eedc6c0e6552bf9e0fa7e481c1d49658c2b1346a43c949b47a31d6dcea4835b91465d159c97c784822337530b7518

Download Submit
C:\Windows\xdwd.dll
Filesize
116KB

MD5
8cdd0cbc0cad03b4a1ceecdf6b3e14f0

SHA1
ca5081b53b46ea7a3d7ae22b219a662feaeb4d4f

SHA256
18c2df450a2f5fda6e1e5df9be12d013e69417d7d7a3407985e1310b5a2cfcd0

SHA512
2a6a7ec649e1a86844b5163b6cfed4850440c8c712faa08dc39bd43fbe3313499897b91f0f44cd6bccbdcdfebf8b0100d626b2dfab93820e20cc1d99d7bf39f9

Download Submit
\??\pipe\LOCAL\crashpad_2580_FRJJIWZCOBFZSMOM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2396-4207-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download
memory/2396-4205-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download
memory/2396-4273-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download
memory/2396-4206-0x0000000001650000-0x0000000001660000-memory.dmp

Filesize
64KB

Download
memory/3076-3758-0x0000000075450000-0x0000000075C00000-memory.dmp

Filesize
7.7MB

Download
memory/3076-3757-0x0000000000560000-0x0000000000572000-memory.dmp

Filesize
72KB

Download
memory/3076-3760-0x0000000075450000-0x0000000075C00000-memory.dmp

Filesize
7.7MB

Download
memory/3472-6570-0x00007FF82D2C0000-0x00007FF82DD81000-memory.dmp

Filesize
10.8MB

Download
memory/3472-67-0x00007FF82D2C0000-0x00007FF82DD81000-memory.dmp

Filesize
10.8MB

Download
memory/3472-608-0x000000001C120000-0x000000001C13E000-memory.dmp

Filesize
120KB

Download
memory/3472-33-0x000000001C140000-0x000000001C150000-memory.dmp

Filesize
64KB

Download
memory/3472-3682-0x00000000015B0000-0x00000000015BC000-memory.dmp

Filesize
48KB

Download
memory/3472-6535-0x0000000001690000-0x0000000001698000-memory.dmp

Filesize
32KB

Download
memory/3472-212-0x000000001C140000-0x000000001C150000-memory.dmp

Filesize
64KB

Download
memory/3472-1-0x00007FF82D2C0000-0x00007FF82DD81000-memory.dmp

Filesize
10.8MB

Download
memory/3472-0-0x0000000000D30000-0x0000000000DF6000-memory.dmp

Filesize
792KB

Download
memory/3472-606-0x000000001D850000-0x000000001D8C6000-memory.dmp

Filesize
472KB

Download
memory/3472-607-0x00000000016C0000-0x00000000016CA000-memory.dmp

Filesize
40KB

Download
memory/3500-4189-0x00000177EE5F0000-0x00000177EE600000-memory.dmp

Filesize
64KB

Download
memory/3500-4186-0x00007FF84B7F0000-0x00007FF84B9E5000-memory.dmp

Filesize
2.0MB

Download
memory/3500-4188-0x00007FF82D2C0000-0x00007FF82DD81000-memory.dmp

Filesize
10.8MB

Download
memory/3500-4187-0x00007FF84B7F0000-0x00007FF84B9E5000-memory.dmp

Filesize
2.0MB

Download
memory/3500-4204-0x00007FF82D2C0000-0x00007FF82DD81000-memory.dmp

Filesize
10.8MB

Download
memory/3500-4203-0x00007FF84B7F0000-0x00007FF84B9E5000-memory.dmp

Filesize
2.0MB

Download
memory/3564-680-0x0000019F34A60000-0x0000019F34A70000-memory.dmp

Filesize
64KB

Download
memory/3564-667-0x00007FF84B7F0000-0x00007FF84B9E5000-memory.dmp

Filesize
2.0MB

Download
memory/3564-668-0x00007FF84B7F0000-0x00007FF84B9E5000-memory.dmp

Filesize
2.0MB

Download
memory/3564-681-0x0000019F34A60000-0x0000019F34A70000-memory.dmp

Filesize
64KB

Download
memory/3564-684-0x00007FF84B7F0000-0x00007FF84B9E5000-memory.dmp

Filesize
2.0MB

Download
memory/3564-679-0x00007FF82D2C0000-0x00007FF82DD81000-memory.dmp

Filesize
10.8MB

Download
memory/3564-685-0x00007FF82D2C0000-0x00007FF82DD81000-memory.dmp

Filesize
10.8MB

Download
memory/3564-678-0x0000019F4D0A0000-0x0000019F4D0C2000-memory.dmp

Filesize
136KB

Download
memory/3572-70-0x00007FF84B7E0000-0x00007FF84B7E1000-memory.dmp

Filesize
4KB

Download
memory/3572-71-0x00007FF84B7F0000-0x00007FF84B9E5000-memory.dmp

Filesize
2.0MB

Download
memory/3572-69-0x00007FF84B7F0000-0x00007FF84B9E5000-memory.dmp

Filesize
2.0MB

Download
memory/3664-4559-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download
memory/3664-4446-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download
memory/3664-6569-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download
memory/3664-4274-0x00000000755A0000-0x0000000075B51000-memory.dmp

Filesize
5.7MB

Download
memory/3664-4361-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download
memory/4088-4663-0x00007FF84B7F0000-0x00007FF84B9E5000-memory.dmp

Filesize
2.0MB

Download
memory/4088-4662-0x00007FF84B7F0000-0x00007FF84B9E5000-memory.dmp

Filesize
2.0MB

Download
memory/4088-4664-0x00007FF84B7F0000-0x00007FF84B9E5000-memory.dmp

Filesize
2.0MB

Download
memory/4280-6539-0x00007FF84B7F0000-0x00007FF84B9E5000-memory.dmp

Filesize
2.0MB

Download
memory/4656-4645-0x00007FF84B7F0000-0x00007FF84B9E5000-memory.dmp

Filesize
2.0MB

Download
memory/4656-4644-0x00007FF84B7F0000-0x00007FF84B9E5000-memory.dmp

Filesize
2.0MB

Download
memory/4656-4661-0x00007FF84B7F0000-0x00007FF84B9E5000-memory.dmp

Filesize
2.0MB

Download
memory/4816-6541-0x00007FF84B7F0000-0x00007FF84B9E5000-memory.dmp

Filesize
2.0MB

Download
memory/4816-6540-0x00007FF84B7F0000-0x00007FF84B9E5000-memory.dmp

Filesize
2.0MB

Download
memory/5060-3686-0x00000000058D0000-0x0000000005E74000-memory.dmp

Filesize
5.6MB

Download
memory/5060-3755-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/5060-3684-0x0000000005280000-0x000000000531C000-memory.dmp

Filesize
624KB

Download
memory/5060-3685-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/5060-3683-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads