njrat | 787cb0fab96ebe518dea4d2ebd90528db5ebf6019cb2c0d62ad77413bcd36e2d

Analysis

max time kernel
758s
max time network
762s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2024 15:26

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

bghfldfyngmg.exe
Size

771KB
MD5

8f6f752bd6c2864a77de0ed3cc029175
SHA1

e9f586a747ba7e785e919c30d763465d4f46381e
SHA256

a7d260cd80149aa4968e8417c4f33488c99d0bcb234c24517da135328cd305d8
SHA512

18d1051eb2957849b9d6bd24e238c69d60159f0f76b30426e3efe99294c7d078edbf57fc5f69099924880c0222625cb180c11950f7da38b4f67dc32775ba1c18
SSDEEP

12288:PiJVkPVle809qfff+bdlqfPNfM3q9RNIwo:Pw3qfff+bdlqfPN03qD

Score

10^/10

njrat lammer evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

8.tcp.ngrok.io:19346

Mutex

bca7344ec33c4f045ea133b6b48694e2

Attributes

reg_key
bca7344ec33c4f045ea133b6b48694e2
splitter
|'|'|

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral4/memory/1148-634-0x0000000003090000-0x000000000309A000-memory.dmp	disable_win_def

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

bghfldfyngmg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\Documents\\Sub\\xdwdClient.exe"	bghfldfyngmg.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

bghfldfyngmg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bghfldfyngmg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bghfldfyngmg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bghfldfyngmg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bghfldfyngmg.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

bghfldfyngmg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	bghfldfyngmg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	bghfldfyngmg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	bghfldfyngmg.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2900 netsh.exe

pid	process
2900	netsh.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bghfldfyngmg.exejnp5t04x.v4h.exeTrojan.exeRegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	bghfldfyngmg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	jnp5t04x.v4h.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	Trojan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Drops startup file 2 IoCs

Processes:

Trojan.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bca7344ec33c4f045ea133b6b48694e2.exe	Trojan.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bca7344ec33c4f045ea133b6b48694e2.exe	Trojan.exe

Executes dropped EXE 3 IoCs

Processes:

Trojan.exejnp5t04x.v4h.exeTrojan.exe

pid process

2572 Trojan.exe
4452 jnp5t04x.v4h.exe
4536 Trojan.exe

pid	process
2572	Trojan.exe
4452	jnp5t04x.v4h.exe
4536	Trojan.exe

Loads dropped DLL 22 IoCs

Processes:

WmiApSrv.exepowershell.exepowershell.exemsedge.exemsedge.exemsedge.exeCompPkgSrv.exeCompPkgSrv.exemsedge.exeshutdown.exeLogonUI.exe

pid	process
4044
2852	WmiApSrv.exe
3588
1088
1316	powershell.exe
4944
3648
2276
4236	powershell.exe
3576
5084
1736
424	msedge.exe
4668	msedge.exe
3112	msedge.exe
4124
3532	CompPkgSrv.exe
4620	CompPkgSrv.exe
2764	msedge.exe
4048
4896	shutdown.exe
1200	LogonUI.exe

Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

bghfldfyngmg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" bghfldfyngmg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bghfldfyngmg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

bghfldfyngmg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SDLKFJHDLKHDkh = "C:\\Users\\Admin\\Documents\\Sub\\xdwdWatchDog.exe"	bghfldfyngmg.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

bghfldfyngmg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	bghfldfyngmg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua	bghfldfyngmg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service
T1102

Processes:

flow ioc

25 0.tcp.eu.ngrok.io
66 0.tcp.eu.ngrok.io
79 0.tcp.eu.ngrok.io
83 8.tcp.ngrok.io
159 0.tcp.eu.ngrok.io
163 8.tcp.ngrok.io
169 0.tcp.eu.ngrok.io
Suspicious use of SetThreadContext 1 IoCs

Processes:

bghfldfyngmg.exe

description pid process target process

PID 1148 set thread context of 2360 1148 bghfldfyngmg.exe RegAsm.exe
Drops file in Windows directory 1 IoCs

Processes:

bghfldfyngmg.exe

description ioc process

File created C:\Windows\xdwd.dll bghfldfyngmg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
25	0.tcp.eu.ngrok.io
66	0.tcp.eu.ngrok.io
79	0.tcp.eu.ngrok.io
83	8.tcp.ngrok.io
159	0.tcp.eu.ngrok.io
163	8.tcp.ngrok.io
169	0.tcp.eu.ngrok.io

description	pid	process	target process
PID 1148 set thread context of 2360	1148	bghfldfyngmg.exe	RegAsm.exe

description	ioc	process
File created	C:\Windows\xdwd.dll	bghfldfyngmg.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

bghfldfyngmg.exeWmiApSrv.exepowershell.exepowershell.exemsedge.exemsedge.exemsedge.exeCompPkgSrv.exeCompPkgSrv.exeidentity_helper.exemsedge.exeshutdown.exeLogonUI.exe

pid	process
1148	bghfldfyngmg.exe
1148	bghfldfyngmg.exe
1148	bghfldfyngmg.exe
1148	bghfldfyngmg.exe
1148	bghfldfyngmg.exe
1148	bghfldfyngmg.exe
1148	bghfldfyngmg.exe
1148	bghfldfyngmg.exe
1148	bghfldfyngmg.exe
1148	bghfldfyngmg.exe
1148	bghfldfyngmg.exe
1148	bghfldfyngmg.exe
1148	bghfldfyngmg.exe
1148	bghfldfyngmg.exe
1148	bghfldfyngmg.exe
1148	bghfldfyngmg.exe
1148	bghfldfyngmg.exe
1148	bghfldfyngmg.exe
1148	bghfldfyngmg.exe
1148	bghfldfyngmg.exe
1148	bghfldfyngmg.exe
1148	bghfldfyngmg.exe
1148	bghfldfyngmg.exe
1148	bghfldfyngmg.exe
1148	bghfldfyngmg.exe
1148	bghfldfyngmg.exe
2852	WmiApSrv.exe
2852	WmiApSrv.exe
1316	powershell.exe
1316	powershell.exe
1316	powershell.exe
1316	powershell.exe
4236	powershell.exe
4236	powershell.exe
4236	powershell.exe
4236	powershell.exe
424	msedge.exe
424	msedge.exe
4668	msedge.exe
4668	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
4668	msedge.exe
4668	msedge.exe
3532	CompPkgSrv.exe
4620	CompPkgSrv.exe
3236	identity_helper.exe
3236	identity_helper.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
4896	shutdown.exe
4896	shutdown.exe
1200	LogonUI.exe
1200	LogonUI.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4668 msedge.exe
4668 msedge.exe
4668 msedge.exe
4668 msedge.exe
4668 msedge.exe
4668 msedge.exe
4668 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

bghfldfyngmg.exepowershell.exepowershell.exeTrojan.exeshutdown.exe

description	pid	process
Token: SeDebugPrivilege	1148	bghfldfyngmg.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	4236	powershell.exe
Token: SeDebugPrivilege	4536	Trojan.exe
Token: 33	4536	Trojan.exe
Token: SeIncBasePriorityPrivilege	4536	Trojan.exe
Token: 33	4536	Trojan.exe
Token: SeIncBasePriorityPrivilege	4536	Trojan.exe
Token: 33	4536	Trojan.exe
Token: SeIncBasePriorityPrivilege	4536	Trojan.exe
Token: 33	4536	Trojan.exe
Token: SeIncBasePriorityPrivilege	4536	Trojan.exe
Token: 33	4536	Trojan.exe
Token: SeIncBasePriorityPrivilege	4536	Trojan.exe
Token: 33	4536	Trojan.exe
Token: SeIncBasePriorityPrivilege	4536	Trojan.exe
Token: 33	4536	Trojan.exe
Token: SeIncBasePriorityPrivilege	4536	Trojan.exe
Token: 33	4536	Trojan.exe
Token: SeIncBasePriorityPrivilege	4536	Trojan.exe
Token: 33	4536	Trojan.exe
Token: SeIncBasePriorityPrivilege	4536	Trojan.exe
Token: 33	4536	Trojan.exe
Token: SeIncBasePriorityPrivilege	4536	Trojan.exe
Token: 33	4536	Trojan.exe
Token: SeIncBasePriorityPrivilege	4536	Trojan.exe
Token: 33	4536	Trojan.exe
Token: SeIncBasePriorityPrivilege	4536	Trojan.exe
Token: 33	4536	Trojan.exe
Token: SeIncBasePriorityPrivilege	4536	Trojan.exe
Token: 33	4536	Trojan.exe
Token: SeIncBasePriorityPrivilege	4536	Trojan.exe
Token: 33	4536	Trojan.exe
Token: SeIncBasePriorityPrivilege	4536	Trojan.exe
Token: 33	4536	Trojan.exe
Token: SeIncBasePriorityPrivilege	4536	Trojan.exe
Token: 33	4536	Trojan.exe
Token: SeIncBasePriorityPrivilege	4536	Trojan.exe
Token: 33	4536	Trojan.exe
Token: SeIncBasePriorityPrivilege	4536	Trojan.exe
Token: 33	4536	Trojan.exe
Token: SeIncBasePriorityPrivilege	4536	Trojan.exe
Token: 33	4536	Trojan.exe
Token: SeIncBasePriorityPrivilege	4536	Trojan.exe
Token: 33	4536	Trojan.exe
Token: SeIncBasePriorityPrivilege	4536	Trojan.exe
Token: 33	4536	Trojan.exe
Token: SeIncBasePriorityPrivilege	4536	Trojan.exe
Token: 33	4536	Trojan.exe
Token: SeIncBasePriorityPrivilege	4536	Trojan.exe
Token: 33	4536	Trojan.exe
Token: SeIncBasePriorityPrivilege	4536	Trojan.exe
Token: 33	4536	Trojan.exe
Token: SeIncBasePriorityPrivilege	4536	Trojan.exe
Token: 33	4536	Trojan.exe
Token: SeIncBasePriorityPrivilege	4536	Trojan.exe
Token: 33	4536	Trojan.exe
Token: SeIncBasePriorityPrivilege	4536	Trojan.exe
Token: 33	4536	Trojan.exe
Token: SeIncBasePriorityPrivilege	4536	Trojan.exe
Token: 33	4536	Trojan.exe
Token: SeIncBasePriorityPrivilege	4536	Trojan.exe
Token: SeShutdownPrivilege	4896	shutdown.exe
Token: SeRemoteShutdownPrivilege	4896	shutdown.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bghfldfyngmg.exeRegAsm.execmd.exepowershell.exejnp5t04x.v4h.exeTrojan.execmd.exemsedge.exe

description	pid	process	target process
PID 1148 wrote to memory of 1316	1148	bghfldfyngmg.exe	powershell.exe
PID 1148 wrote to memory of 1316	1148	bghfldfyngmg.exe	powershell.exe
PID 1148 wrote to memory of 2360	1148	bghfldfyngmg.exe	RegAsm.exe
PID 1148 wrote to memory of 2360	1148	bghfldfyngmg.exe	RegAsm.exe
PID 1148 wrote to memory of 2360	1148	bghfldfyngmg.exe	RegAsm.exe
PID 1148 wrote to memory of 2360	1148	bghfldfyngmg.exe	RegAsm.exe
PID 1148 wrote to memory of 2360	1148	bghfldfyngmg.exe	RegAsm.exe
PID 1148 wrote to memory of 2360	1148	bghfldfyngmg.exe	RegAsm.exe
PID 1148 wrote to memory of 2360	1148	bghfldfyngmg.exe	RegAsm.exe
PID 1148 wrote to memory of 2360	1148	bghfldfyngmg.exe	RegAsm.exe
PID 2360 wrote to memory of 2572	2360	RegAsm.exe	Trojan.exe
PID 2360 wrote to memory of 2572	2360	RegAsm.exe	Trojan.exe
PID 2360 wrote to memory of 2572	2360	RegAsm.exe	Trojan.exe
PID 1148 wrote to memory of 1116	1148	bghfldfyngmg.exe	cmd.exe
PID 1148 wrote to memory of 1116	1148	bghfldfyngmg.exe	cmd.exe
PID 1116 wrote to memory of 4236	1116	cmd.exe	powershell.exe
PID 1116 wrote to memory of 4236	1116	cmd.exe	powershell.exe
PID 4236 wrote to memory of 4452	4236	powershell.exe	jnp5t04x.v4h.exe
PID 4236 wrote to memory of 4452	4236	powershell.exe	jnp5t04x.v4h.exe
PID 4236 wrote to memory of 4452	4236	powershell.exe	jnp5t04x.v4h.exe
PID 4452 wrote to memory of 4536	4452	jnp5t04x.v4h.exe	Trojan.exe
PID 4452 wrote to memory of 4536	4452	jnp5t04x.v4h.exe	Trojan.exe
PID 4452 wrote to memory of 4536	4452	jnp5t04x.v4h.exe	Trojan.exe
PID 4536 wrote to memory of 2900	4536	Trojan.exe	netsh.exe
PID 4536 wrote to memory of 2900	4536	Trojan.exe	netsh.exe
PID 4536 wrote to memory of 2900	4536	Trojan.exe	netsh.exe
PID 4536 wrote to memory of 2404	4536	Trojan.exe	cmd.exe
PID 4536 wrote to memory of 2404	4536	Trojan.exe	cmd.exe
PID 4536 wrote to memory of 2404	4536	Trojan.exe	cmd.exe
PID 2404 wrote to memory of 4668	2404	cmd.exe	msedge.exe
PID 2404 wrote to memory of 4668	2404	cmd.exe	msedge.exe
PID 4668 wrote to memory of 424	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 424	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3116	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 3116	4668	msedge.exe	msedge.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

bghfldfyngmg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	bghfldfyngmg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	bghfldfyngmg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	bghfldfyngmg.exe

C:\Users\Admin\AppData\Local\Temp\bghfldfyngmg.exe
"C:\Users\Admin\AppData\Local\Temp\bghfldfyngmg.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Checks computer location settings
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2360

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
3⤵
- Executes dropped EXE
PID:2572

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\jnp5t04x.v4h.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\jnp5t04x.v4h.exe"'
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4236

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\jnp5t04x.v4h.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\jnp5t04x.v4h.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
5⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
6⤵
- Modifies Windows Firewall
PID:2900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCC61.tmp.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:2404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.redtube.com/
7⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8cbbd46f8,0x7ff8cbbd4708,0x7ff8cbbd4718
8⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,11879370519688873189,7498797396671995295,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
8⤵
PID:3116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,11879370519688873189,7498797396671995295,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
8⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2016,11879370519688873189,7498797396671995295,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
8⤵
PID:2692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,11879370519688873189,7498797396671995295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
8⤵
PID:3732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,11879370519688873189,7498797396671995295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
8⤵
PID:988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,11879370519688873189,7498797396671995295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
8⤵
PID:5072

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,11879370519688873189,7498797396671995295,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
8⤵
PID:2712

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,11879370519688873189,7498797396671995295,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:3236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,11879370519688873189,7498797396671995295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
8⤵
PID:2864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,11879370519688873189,7498797396671995295,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
8⤵
PID:180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,11879370519688873189,7498797396671995295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
8⤵
PID:4324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,11879370519688873189,7498797396671995295,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
8⤵
PID:3468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,11879370519688873189,7498797396671995295,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1296 /prefetch:2
8⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,11879370519688873189,7498797396671995295,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1116 /prefetch:1
8⤵
PID:180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,11879370519688873189,7498797396671995295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1112 /prefetch:1
8⤵
PID:3180

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Shutdown /s /f /t 00
2⤵
PID:2828

C:\Windows\system32\shutdown.exe
Shutdown /s /f /t 00
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4620

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa395f855 /state1:0x41c64e6d
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1200

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
5e77545b7e1c504b2f5ce7c5cc2ce1fe

SHA1
d81a6af13cf31fa410b85471e4509124ebeaff7e

SHA256
cbb617cd6cde793f367df016b200d35ce3c521ab901bbcb52928576bb180bc11

SHA512
cbc65c61334a8b18ece79acdb30a4af80aa9448c3edc3902b00eb48fd5038bf6013d1f3f6436c1bcb637e78c485ae8e352839ca3c9ddf7e45b3b82d23b0e6e37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
432B

MD5
2ab70171aeb91944f4d16f1e39880447

SHA1
e15f3c0e50e2f20c5f8bf0b2ffcecb4d1b42c696

SHA256
f6b5afba282bd6fee8420b0b3f003046512bc22c44117b715d8dfc96ce5de0a7

SHA512
2ed56a0dee740429f596f10308839b755b2ae3e75d86c5025a7ec24f1bcfb24b838889851f8036ef4c48d37b9f29565f39f91eabe174f5daae68a0584fc0609f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
9cb491309e918e85c9a30caf3aeda891

SHA1
03cdd22d1922335126c75de49568cbed4f867cd3

SHA256
50ce3eb86f82528f24cff8c121bec6549f545b71197d6e9c1f50f8596f1bd2f1

SHA512
78376cab5a1c03a646e5e223869ba970cdb3f756b2863628e93e3e61cac4973893defd22cb7619f24c766c2c1496ed23861257fa0e1a8a56f76c59e4f6dc3b9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
e1e2851e51584d81b360c10c988b3780

SHA1
edb7d6ee16e5ef6e66b18a90dd4890d2cec7c942

SHA256
c0e68efd185e2baca63be5f7e306fd13b85cf901f0f1e31c254081b427bf5526

SHA512
0d25e9b3edc5325568ecbdfb5ea68bebd1c186ba25c24e3ae0be6da5e03c397d7577e3a56008d29242f780b7402c6b9edf94f46a3e02d013f2cc78ce8e55abdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
2aaafe309bf40866bed4fd09ee6aed43

SHA1
882326da9de857768b9cce478c27d409d886e58b

SHA256
4ab2b1bc4dcbaa0d984a96107f88ca95c6bed93f8837fe4ae85fde8609df2d18

SHA512
bae236b1356434e0de477cbc98e69d80a5f2ea560d5cce4657a411854ddecb4531af4751a0f16409228b0dd107f908314c3bfeb92fdf13947e52d7e89f1bd090

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
6db2d2ceb22a030bd1caa72b32cfbf98

SHA1
fe50f35e60f88624a28b93b8a76be1377957618b

SHA256
7b22b0b16088ab7f7d6f938d7cfe9ae807856662ce3a63e7de6c8107186853e4

SHA512
d5a67a394003f559c98e1a1e9e31c2d473d04cc075b08bb0aab115ce42744da536895df2cec73fa54fc36f38d38e4906680cfacfbf4698ee925f1609fbb07912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
168B

MD5
ba8c9d514a0d08387463f15c2f51a365

SHA1
03a7e34f3738ca0926bb61dcd0880d4f5aaff144

SHA256
3b6f950947c4c0468da5dbfd987264f1447cbe23bf9764318646cf2ea8e08f1b

SHA512
f5952173288e626f486e9aa93eda286f62621cadf9202ac37ede7c6345306e704ef93a47bccebe68e7182323dfb6786bd6d638448b113175e0dfc81b84ce9c04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe602ea5.TMP
Filesize
48B

MD5
b5fe90ae9ce32cfc4e6b96cddd457bb9

SHA1
512d15109f66c9b2af80c5c9fc871d3f37ebf208

SHA256
3ff8e882241b40f1e37088be26099f1d578cdee303a645901b8cb7dc855aba1f

SHA512
6d4c37b82b7bb71e2907b47c75340c336ae4fee7f2ce5b3cca4f8b1d0013e3586e4af317da372911922d10eee43f5310ceccf4da02532e7909f1adfa24e257cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
6a8ac0a30b835dcf5479684666d2cde1

SHA1
36b05fa182204f85dfa02c46fd454e34dee9b0be

SHA256
5f337e8bacec533e19295cd0813cc4833608a43d69044c51cd81bdd8a23815f3

SHA512
d77d8e51f966cce778858d612cf0c6fa9c9cba916faf0ad7ecff023bd1203d871d34f5cbb076122b5e59181333eb45108f9057bbc6fc5295492540b4570a99c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
24f33ea0f6f284ef801f897e008dcffc

SHA1
2f29b352da2588ec8e6083677680ad9efb2766d6

SHA256
c0df380a5f18ad20c5d7104370551eaaba4717b91f7ef189da521dad0733f00a

SHA512
cd6736afbcc0f814955c3e295c1118b67cc9868ca9a70bf4864d4b88dac3661eb5610cd1e749f63e141ba529fe4471b2cb0175e88c9ce71aac50cbed402d7b5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aiopkf5b.1sp.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCC61.tmp.bat
Filesize
37B

MD5
f5726d253fe5d4ecc9568bd9999883ca

SHA1
8fec12574c36283782076dd020fe67bbd6c49b8b

SHA256
1ede0c20a3dc0fd37285a36f19be95d0770f162e199e3514713301ecc8d05687

SHA512
2bc5d23a1eac45030c181f585c1a44b74386779d1e6e9448e190210d4eae4f98273923b7e055985d06c17e629429098fa78fa11a365d40fc93406cf6a13c9ee6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\jnp5t04x.v4h.exe
Filesize
23KB

MD5
2c16e91ad2c6bdd99a1c2d419fbb0ec3

SHA1
f9b7ff51da9f9010fe3c9ab9cdcbc0febdb137da

SHA256
5b7d0d117902bffd1821b5d5cf7b0ace5061c0913f546e7bebd3e6a62c65e6ed

SHA512
ecd2ff0e6fa203daac5e51e814fa8c46b049857c15f90edfa6e9da8903bed72d9cdd4e98bc471e104cd2ee6b79dc780f361bf85aa7a8e2351a1e5099c73974cc

Download Submit
C:\Users\Admin\Documents\Sub\xdwdClient.exe
Filesize
771KB

MD5
8f6f752bd6c2864a77de0ed3cc029175

SHA1
e9f586a747ba7e785e919c30d763465d4f46381e

SHA256
a7d260cd80149aa4968e8417c4f33488c99d0bcb234c24517da135328cd305d8

SHA512
18d1051eb2957849b9d6bd24e238c69d60159f0f76b30426e3efe99294c7d078edbf57fc5f69099924880c0222625cb180c11950f7da38b4f67dc32775ba1c18

Download Submit
C:\Windows\xdwd.dll
Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
C:\Windows\xdwd.dll
Filesize
70KB

MD5
a5e7d8c89d644092a86cd6b1ff92e285

SHA1
592b179d389e631b18f1690d70a71c0a0aa9e9f1

SHA256
d08bffe292564f27bd054f2b3bb5aae227941c7e4ff55a7098c2728be9091a68

SHA512
1ac67e0a98c695c8fe9ce6d6950330f0cdb2ed8943ead0f106de27dc1f06ea6ef29b4fe6d23fea311f21995244fee2f8cfb1a8bce24b8bc52a12aa199b0ef711

Download Submit
\??\pipe\LOCAL\crashpad_4668_PZGJQFOEYZXYGXSE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1148-635-0x00000000031A0000-0x00000000031BE000-memory.dmp

Filesize
120KB

Download
memory/1148-3681-0x00000000030E0000-0x00000000030EC000-memory.dmp

Filesize
48KB

Download
memory/1148-33-0x000000001C2E0000-0x000000001C2F0000-memory.dmp

Filesize
64KB

Download
memory/1148-0-0x0000000000F50000-0x0000000001018000-memory.dmp

Filesize
800KB

Download
memory/1148-65-0x00007FF8C3030000-0x00007FF8C3AF1000-memory.dmp

Filesize
10.8MB

Download
memory/1148-6571-0x0000000003160000-0x0000000003168000-memory.dmp

Filesize
32KB

Download
memory/1148-6605-0x00007FF8C3030000-0x00007FF8C3AF1000-memory.dmp

Filesize
10.8MB

Download
memory/1148-634-0x0000000003090000-0x000000000309A000-memory.dmp

Filesize
40KB

Download
memory/1148-633-0x000000001D9B0000-0x000000001DA26000-memory.dmp

Filesize
472KB

Download
memory/1148-211-0x000000001C2E0000-0x000000001C2F0000-memory.dmp

Filesize
64KB

Download
memory/1148-1-0x00007FF8C3030000-0x00007FF8C3AF1000-memory.dmp

Filesize
10.8MB

Download
memory/1200-6576-0x00007FF8E0F90000-0x00007FF8E1185000-memory.dmp

Filesize
2.0MB

Download
memory/1200-6577-0x00007FF8E0F90000-0x00007FF8E1185000-memory.dmp

Filesize
2.0MB

Download
memory/1316-708-0x00007FF8C3030000-0x00007FF8C3AF1000-memory.dmp

Filesize
10.8MB

Download
memory/1316-711-0x00007FF8C3030000-0x00007FF8C3AF1000-memory.dmp

Filesize
10.8MB

Download
memory/1316-694-0x00007FF8E0F90000-0x00007FF8E1185000-memory.dmp

Filesize
2.0MB

Download
memory/1316-695-0x00007FF8E0F90000-0x00007FF8E1185000-memory.dmp

Filesize
2.0MB

Download
memory/1316-703-0x000002352DC70000-0x000002352DC92000-memory.dmp

Filesize
136KB

Download
memory/1316-697-0x00000235465A0000-0x00000235465B0000-memory.dmp

Filesize
64KB

Download
memory/1316-696-0x00000235465A0000-0x00000235465B0000-memory.dmp

Filesize
64KB

Download
memory/1316-712-0x00007FF8E0F90000-0x00007FF8E1185000-memory.dmp

Filesize
2.0MB

Download
memory/2360-3768-0x0000000074980000-0x0000000075130000-memory.dmp

Filesize
7.7MB

Download
memory/2360-3713-0x0000000005CC0000-0x0000000006264000-memory.dmp

Filesize
5.6MB

Download
memory/2360-3703-0x0000000005670000-0x000000000570C000-memory.dmp

Filesize
624KB

Download
memory/2360-3688-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2360-3704-0x0000000074980000-0x0000000075130000-memory.dmp

Filesize
7.7MB

Download
memory/2572-3787-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download
memory/2572-3775-0x0000000000A00000-0x0000000000A12000-memory.dmp

Filesize
72KB

Download
memory/2572-3776-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download
memory/2852-66-0x00007FF8E0F90000-0x00007FF8E1185000-memory.dmp

Filesize
2.0MB

Download
memory/2852-70-0x00007FF8E0F90000-0x00007FF8E1185000-memory.dmp

Filesize
2.0MB

Download
memory/2852-68-0x00007FF8E0F80000-0x00007FF8E0F81000-memory.dmp

Filesize
4KB

Download
memory/2852-67-0x00007FF8E0F90000-0x00007FF8E1185000-memory.dmp

Filesize
2.0MB

Download
memory/3532-4693-0x00007FF8E0F90000-0x00007FF8E1185000-memory.dmp

Filesize
2.0MB

Download
memory/3532-4691-0x00007FF8E0F90000-0x00007FF8E1185000-memory.dmp

Filesize
2.0MB

Download
memory/3532-4676-0x00007FF8E0F90000-0x00007FF8E1185000-memory.dmp

Filesize
2.0MB

Download
memory/4236-4172-0x00007FF8C3030000-0x00007FF8C3AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4236-4160-0x000001FEA10C0000-0x000001FEA10D0000-memory.dmp

Filesize
64KB

Download
memory/4236-4159-0x00007FF8E0F80000-0x00007FF8E0F81000-memory.dmp

Filesize
4KB

Download
memory/4236-4161-0x000001FEA10C0000-0x000001FEA10D0000-memory.dmp

Filesize
64KB

Download
memory/4236-4158-0x00007FF8E0F90000-0x00007FF8E1185000-memory.dmp

Filesize
2.0MB

Download
memory/4236-4157-0x00007FF8E0F90000-0x00007FF8E1185000-memory.dmp

Filesize
2.0MB

Download
memory/4236-4176-0x00007FF8C3030000-0x00007FF8C3AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4236-4177-0x00007FF8E0F90000-0x00007FF8E1185000-memory.dmp

Filesize
2.0MB

Download
memory/4452-4178-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download
memory/4452-4180-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download
memory/4452-4179-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/4452-4246-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download
memory/4536-4450-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/4536-4248-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/4536-4449-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download
memory/4536-4563-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/4536-4247-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download
memory/4536-4364-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/4536-4249-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download
memory/4536-6618-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download
memory/4620-4695-0x00007FF8E0F90000-0x00007FF8E1185000-memory.dmp

Filesize
2.0MB

Download
memory/4620-4694-0x00007FF8E0F90000-0x00007FF8E1185000-memory.dmp

Filesize
2.0MB

Download
memory/4896-6575-0x00007FF8E0F90000-0x00007FF8E1185000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads