njrat | 787cb0fab96ebe518dea4d2ebd90528db5ebf6019cb2c0d62ad77413bcd36e2d

Analysis

max time kernel
757s
max time network
762s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2024 15:26

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

jldfefkrpayl.exe
Size

778KB
MD5

4bb30012aaf74f260f455c79615cac5d
SHA1

eeb77e509d86bdac5325c1152bf9c89d6b16bec2
SHA256

686e4b531fb9f5d3db659a5a410e5450ced562758d8a85754cb0b4f0bc3469c1
SHA512

469ec5b3f19e6e81cc6325fd53519de3884e09bd9b0bdd25ae948b6cf974aa1e7abeaf12d767cdff2d873bcaf7233dfddbf029bdfe19639ff1a3433a91e64f4d
SSDEEP

12288:71UpeAQXl+jmPVle82J+IBXEhZPNNBZuNfM3q9RNIwo:7qeVXlsXUI1EhZlNyN03qD

Score

10^/10

njrat lammer evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

8.tcp.ngrok.io:19346

Mutex

bca7344ec33c4f045ea133b6b48694e2

Attributes

reg_key
bca7344ec33c4f045ea133b6b48694e2
splitter
|'|'|

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral6/memory/4956-605-0x0000000002FB0000-0x0000000002FBA000-memory.dmp	disable_win_def

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

jldfefkrpayl.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\Documents\\Sub\\xdwdClient.exe"	jldfefkrpayl.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

jldfefkrpayl.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	jldfefkrpayl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jldfefkrpayl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jldfefkrpayl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jldfefkrpayl.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

jldfefkrpayl.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	jldfefkrpayl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	jldfefkrpayl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	jldfefkrpayl.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4984 netsh.exe

pid	process
4984	netsh.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exejldfefkrpayl.exemhtscdqz.sip.exeTrojan.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	jldfefkrpayl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	mhtscdqz.sip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	Trojan.exe

Drops startup file 2 IoCs

Processes:

Trojan.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bca7344ec33c4f045ea133b6b48694e2.exe	Trojan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bca7344ec33c4f045ea133b6b48694e2.exe	Trojan.exe

Executes dropped EXE 3 IoCs

Processes:

Trojan.exemhtscdqz.sip.exeTrojan.exe

pid process

2324 Trojan.exe
3612 mhtscdqz.sip.exe
1504 Trojan.exe

pid	process
2324	Trojan.exe
3612	mhtscdqz.sip.exe
1504	Trojan.exe

Loads dropped DLL 22 IoCs

Processes:

WmiApSrv.exepowershell.exepowershell.exemsedge.exemsedge.exemsedge.exeCompPkgSrv.exeCompPkgSrv.exemsedge.exeshutdown.exeLogonUI.exe

pid	process
1204
2568	WmiApSrv.exe
2960
4116
4424	powershell.exe
4352
4968
1268
1092	powershell.exe
1468
2952
1948
1560	msedge.exe
1572	msedge.exe
1520	msedge.exe
1472
1900	CompPkgSrv.exe
4532	CompPkgSrv.exe
3388	msedge.exe
2388
4784	shutdown.exe
3472	LogonUI.exe

Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

jldfefkrpayl.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jldfefkrpayl.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	jldfefkrpayl.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

jldfefkrpayl.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SDLKFJHDLKHDkh = "C:\\Users\\Admin\\Documents\\Sub\\xdwdWatchDog.exe"	jldfefkrpayl.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

jldfefkrpayl.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua	jldfefkrpayl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	jldfefkrpayl.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

56 0.tcp.eu.ngrok.io
82 0.tcp.eu.ngrok.io
87 8.tcp.ngrok.io
163 8.tcp.ngrok.io
171 0.tcp.eu.ngrok.io
31 0.tcp.eu.ngrok.io
Suspicious use of SetThreadContext 1 IoCs

Processes:

jldfefkrpayl.exe

description pid process target process

PID 4956 set thread context of 3476 4956 jldfefkrpayl.exe RegAsm.exe
Drops file in Windows directory 1 IoCs

Processes:

jldfefkrpayl.exe

description ioc process

File created C:\Windows\xdwd.dll jldfefkrpayl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
56	0.tcp.eu.ngrok.io
82	0.tcp.eu.ngrok.io
87	8.tcp.ngrok.io
163	8.tcp.ngrok.io
171	0.tcp.eu.ngrok.io
31	0.tcp.eu.ngrok.io

description	pid	process	target process
PID 4956 set thread context of 3476	4956	jldfefkrpayl.exe	RegAsm.exe

description	ioc	process
File created	C:\Windows\xdwd.dll	jldfefkrpayl.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 14 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "162"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

jldfefkrpayl.exeWmiApSrv.exepowershell.exepowershell.exemsedge.exemsedge.exemsedge.exeCompPkgSrv.exeCompPkgSrv.exeidentity_helper.exemsedge.exeshutdown.exeLogonUI.exe

pid	process
4956	jldfefkrpayl.exe
4956	jldfefkrpayl.exe
4956	jldfefkrpayl.exe
4956	jldfefkrpayl.exe
4956	jldfefkrpayl.exe
4956	jldfefkrpayl.exe
4956	jldfefkrpayl.exe
4956	jldfefkrpayl.exe
4956	jldfefkrpayl.exe
4956	jldfefkrpayl.exe
4956	jldfefkrpayl.exe
4956	jldfefkrpayl.exe
4956	jldfefkrpayl.exe
4956	jldfefkrpayl.exe
4956	jldfefkrpayl.exe
4956	jldfefkrpayl.exe
4956	jldfefkrpayl.exe
4956	jldfefkrpayl.exe
4956	jldfefkrpayl.exe
4956	jldfefkrpayl.exe
4956	jldfefkrpayl.exe
4956	jldfefkrpayl.exe
4956	jldfefkrpayl.exe
4956	jldfefkrpayl.exe
4956	jldfefkrpayl.exe
4956	jldfefkrpayl.exe
2568	WmiApSrv.exe
2568	WmiApSrv.exe
4424	powershell.exe
4424	powershell.exe
4424	powershell.exe
4424	powershell.exe
1092	powershell.exe
1092	powershell.exe
1092	powershell.exe
1092	powershell.exe
1560	msedge.exe
1560	msedge.exe
1572	msedge.exe
1572	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1900	CompPkgSrv.exe
1572	msedge.exe
1572	msedge.exe
4532	CompPkgSrv.exe
4796	identity_helper.exe
4796	identity_helper.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
4784	shutdown.exe
4784	shutdown.exe
3472	LogonUI.exe
3472	LogonUI.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

1572 msedge.exe
1572 msedge.exe
1572 msedge.exe
1572 msedge.exe
1572 msedge.exe
1572 msedge.exe
1572 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

jldfefkrpayl.exepowershell.exepowershell.exeTrojan.exeshutdown.exe

description	pid	process
Token: SeDebugPrivilege	4956	jldfefkrpayl.exe
Token: SeDebugPrivilege	4424	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	1504	Trojan.exe
Token: 33	1504	Trojan.exe
Token: SeIncBasePriorityPrivilege	1504	Trojan.exe
Token: 33	1504	Trojan.exe
Token: SeIncBasePriorityPrivilege	1504	Trojan.exe
Token: 33	1504	Trojan.exe
Token: SeIncBasePriorityPrivilege	1504	Trojan.exe
Token: 33	1504	Trojan.exe
Token: SeIncBasePriorityPrivilege	1504	Trojan.exe
Token: 33	1504	Trojan.exe
Token: SeIncBasePriorityPrivilege	1504	Trojan.exe
Token: 33	1504	Trojan.exe
Token: SeIncBasePriorityPrivilege	1504	Trojan.exe
Token: 33	1504	Trojan.exe
Token: SeIncBasePriorityPrivilege	1504	Trojan.exe
Token: 33	1504	Trojan.exe
Token: SeIncBasePriorityPrivilege	1504	Trojan.exe
Token: 33	1504	Trojan.exe
Token: SeIncBasePriorityPrivilege	1504	Trojan.exe
Token: 33	1504	Trojan.exe
Token: SeIncBasePriorityPrivilege	1504	Trojan.exe
Token: 33	1504	Trojan.exe
Token: SeIncBasePriorityPrivilege	1504	Trojan.exe
Token: 33	1504	Trojan.exe
Token: SeIncBasePriorityPrivilege	1504	Trojan.exe
Token: 33	1504	Trojan.exe
Token: SeIncBasePriorityPrivilege	1504	Trojan.exe
Token: 33	1504	Trojan.exe
Token: SeIncBasePriorityPrivilege	1504	Trojan.exe
Token: 33	1504	Trojan.exe
Token: SeIncBasePriorityPrivilege	1504	Trojan.exe
Token: 33	1504	Trojan.exe
Token: SeIncBasePriorityPrivilege	1504	Trojan.exe
Token: 33	1504	Trojan.exe
Token: SeIncBasePriorityPrivilege	1504	Trojan.exe
Token: 33	1504	Trojan.exe
Token: SeIncBasePriorityPrivilege	1504	Trojan.exe
Token: 33	1504	Trojan.exe
Token: SeIncBasePriorityPrivilege	1504	Trojan.exe
Token: 33	1504	Trojan.exe
Token: SeIncBasePriorityPrivilege	1504	Trojan.exe
Token: 33	1504	Trojan.exe
Token: SeIncBasePriorityPrivilege	1504	Trojan.exe
Token: 33	1504	Trojan.exe
Token: SeIncBasePriorityPrivilege	1504	Trojan.exe
Token: 33	1504	Trojan.exe
Token: SeIncBasePriorityPrivilege	1504	Trojan.exe
Token: 33	1504	Trojan.exe
Token: SeIncBasePriorityPrivilege	1504	Trojan.exe
Token: 33	1504	Trojan.exe
Token: SeIncBasePriorityPrivilege	1504	Trojan.exe
Token: 33	1504	Trojan.exe
Token: SeIncBasePriorityPrivilege	1504	Trojan.exe
Token: 33	1504	Trojan.exe
Token: SeIncBasePriorityPrivilege	1504	Trojan.exe
Token: 33	1504	Trojan.exe
Token: SeIncBasePriorityPrivilege	1504	Trojan.exe
Token: 33	1504	Trojan.exe
Token: SeIncBasePriorityPrivilege	1504	Trojan.exe
Token: SeShutdownPrivilege	4784	shutdown.exe
Token: SeRemoteShutdownPrivilege	4784	shutdown.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

jldfefkrpayl.exeRegAsm.execmd.exepowershell.exemhtscdqz.sip.exeTrojan.execmd.exemsedge.exe

description	pid	process	target process
PID 4956 wrote to memory of 4424	4956	jldfefkrpayl.exe	powershell.exe
PID 4956 wrote to memory of 4424	4956	jldfefkrpayl.exe	powershell.exe
PID 4956 wrote to memory of 3476	4956	jldfefkrpayl.exe	RegAsm.exe
PID 4956 wrote to memory of 3476	4956	jldfefkrpayl.exe	RegAsm.exe
PID 4956 wrote to memory of 3476	4956	jldfefkrpayl.exe	RegAsm.exe
PID 4956 wrote to memory of 3476	4956	jldfefkrpayl.exe	RegAsm.exe
PID 4956 wrote to memory of 3476	4956	jldfefkrpayl.exe	RegAsm.exe
PID 4956 wrote to memory of 3476	4956	jldfefkrpayl.exe	RegAsm.exe
PID 4956 wrote to memory of 3476	4956	jldfefkrpayl.exe	RegAsm.exe
PID 4956 wrote to memory of 3476	4956	jldfefkrpayl.exe	RegAsm.exe
PID 3476 wrote to memory of 2324	3476	RegAsm.exe	Trojan.exe
PID 3476 wrote to memory of 2324	3476	RegAsm.exe	Trojan.exe
PID 3476 wrote to memory of 2324	3476	RegAsm.exe	Trojan.exe
PID 4956 wrote to memory of 4656	4956	jldfefkrpayl.exe	cmd.exe
PID 4956 wrote to memory of 4656	4956	jldfefkrpayl.exe	cmd.exe
PID 4656 wrote to memory of 1092	4656	cmd.exe	powershell.exe
PID 4656 wrote to memory of 1092	4656	cmd.exe	powershell.exe
PID 1092 wrote to memory of 3612	1092	powershell.exe	mhtscdqz.sip.exe
PID 1092 wrote to memory of 3612	1092	powershell.exe	mhtscdqz.sip.exe
PID 1092 wrote to memory of 3612	1092	powershell.exe	mhtscdqz.sip.exe
PID 3612 wrote to memory of 1504	3612	mhtscdqz.sip.exe	Trojan.exe
PID 3612 wrote to memory of 1504	3612	mhtscdqz.sip.exe	Trojan.exe
PID 3612 wrote to memory of 1504	3612	mhtscdqz.sip.exe	Trojan.exe
PID 1504 wrote to memory of 4984	1504	Trojan.exe	netsh.exe
PID 1504 wrote to memory of 4984	1504	Trojan.exe	netsh.exe
PID 1504 wrote to memory of 4984	1504	Trojan.exe	netsh.exe
PID 1504 wrote to memory of 60	1504	Trojan.exe	cmd.exe
PID 1504 wrote to memory of 60	1504	Trojan.exe	cmd.exe
PID 1504 wrote to memory of 60	1504	Trojan.exe	cmd.exe
PID 60 wrote to memory of 1572	60	cmd.exe	msedge.exe
PID 60 wrote to memory of 1572	60	cmd.exe	msedge.exe
PID 1572 wrote to memory of 1560	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 1560	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 4116	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 4116	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 4116	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 4116	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 4116	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 4116	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 4116	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 4116	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 4116	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 4116	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 4116	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 4116	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 4116	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 4116	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 4116	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 4116	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 4116	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 4116	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 4116	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 4116	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 4116	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 4116	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 4116	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 4116	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 4116	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 4116	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 4116	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 4116	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 4116	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 4116	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 4116	1572	msedge.exe	msedge.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

jldfefkrpayl.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	jldfefkrpayl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	jldfefkrpayl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	jldfefkrpayl.exe

C:\Users\Admin\AppData\Local\Temp\jldfefkrpayl.exe
"C:\Users\Admin\AppData\Local\Temp\jldfefkrpayl.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Checks computer location settings
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3476

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
3⤵
- Executes dropped EXE
PID:2324

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\mhtscdqz.sip.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\mhtscdqz.sip.exe"'
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\mhtscdqz.sip.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\mhtscdqz.sip.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
5⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
6⤵
- Modifies Windows Firewall
PID:4984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC925.tmp.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:60

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.redtube.com/
7⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x98,0x130,0x7ffd434746f8,0x7ffd43474708,0x7ffd43474718
8⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,13539939297978721820,13040402900189874969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
8⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,13539939297978721820,13040402900189874969,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2000 /prefetch:2
8⤵
PID:4116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1976,13539939297978721820,13040402900189874969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
8⤵
PID:4108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13539939297978721820,13040402900189874969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
8⤵
PID:2064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13539939297978721820,13040402900189874969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
8⤵
PID:2988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13539939297978721820,13040402900189874969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
8⤵
PID:2388

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,13539939297978721820,13040402900189874969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
8⤵
PID:3032

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,13539939297978721820,13040402900189874969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:4796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13539939297978721820,13040402900189874969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
8⤵
PID:4408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13539939297978721820,13040402900189874969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
8⤵
PID:2224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13539939297978721820,13040402900189874969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
8⤵
PID:4716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13539939297978721820,13040402900189874969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
8⤵
PID:3092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,13539939297978721820,13040402900189874969,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5076 /prefetch:2
8⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13539939297978721820,13040402900189874969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1196 /prefetch:1
8⤵
PID:1108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13539939297978721820,13040402900189874969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
8⤵
PID:2764

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Shutdown /s /f /t 00
2⤵
PID:2180

C:\Windows\system32\shutdown.exe
Shutdown /s /f /t 00
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4784

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4532

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3949855 /state1:0x41c64e6d
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3472

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4d6e17218d9a99976d1a14c6f6944c96

SHA1
9e54a19d6c61d99ac8759c5f07b2f0d5faab447f

SHA256
32e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93

SHA512
3fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
432B

MD5
3f920f1c50bd11b9fe3711e472c3fd0f

SHA1
2660b26e608d9191fad6dd45f67e6f9479e991cf

SHA256
d392c49e2798901889129d94e18730c3b24b6e7f446d7cc0eb11ee118e6c785c

SHA512
ffccdc2d9431e84e5026924238bd4b3dd92568aaec6b5cffa5ad98481bf78218feec3edda14516dcef261735cffe62abbfc7e8e55dd19697f3120679df2fb3d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
81a323a9d23681db9f8641532c0feba2

SHA1
8306908109fa014683c9a7107690921efd17daac

SHA256
24564bb44f51dc22083e8321903ec2a192cb9add85ccba67efca4208bee0d191

SHA512
f72ecbefa6481b8cec3d6a2a7af08ea87dfe58e313b7376e97b771faea1731103e3d7dc531d3e10b31e2c8fd4a76f68e74643b6c9890b0a54379a9c0831104e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
79490c6a9309a6290870b6340ed17244

SHA1
0186f18d86b0cb5254127852404e684fdac7d0b4

SHA256
af8f781296894d65d1a91725f6b60ed496983ceb9d0d1a215d2e3de515be261b

SHA512
e746974304f6dfda33faa5607e525f532e620c1b508810ad8e54edb1601f17c38b64ab15cf72b32f427a60f4eb4a1ebf4b771e5208b72cf20e67e929628eefdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
c2ef1d773c3f6f230cedf469f7e34059

SHA1
e410764405adcfead3338c8d0b29371fd1a3f292

SHA256
185450d538a894e4dcf55b428f506f3d7baa86664fbbc67afd6c255b65178521

SHA512
2ef93803da4d630916bed75d678382fd1c72bff1700a1a72e2612431c6d5e11410ced4eaf522b388028aeadb08e8a77513e16594e6ab081f6d6203e4caa7d549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
168B

MD5
28ed160c59ce0c58e50a3f33df65d590

SHA1
ba9e23d22bcf3a2a1cb715f38b0b9bb5b3ac60fa

SHA256
1dfd633b95585f5a630f6c5e326780b16603a18825ddcbeaba3cd1420ac3f86a

SHA512
1ecb6d1fc637ae6da25e2d8d63e84b13ff32b534a1369cfc0e2323ae054fd2ef611e4d1d9248b7ac48540af7acc7466a95cd10078df3145e5b704836aa5c0ac2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe602752.TMP
Filesize
48B

MD5
e79c6e67a106d5fa796b75707214acd1

SHA1
f37c3db81e2a3919e80baa475ad2c59f375ffcd4

SHA256
17075356586558abbfd1723aab927f95e1c3b7e62ccae9b4715169672fba1065

SHA512
6bc7a9eb2c1dcfd68a7b0d3003bebf5699322ece45545b70e1f4431c452e81abb98a6173db00b78a9ebc8f004f9e18f9953724f1d72a0cf129a88401d344ad0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
88ce2fdf10bb52112790738aa70658e9

SHA1
fa6aef04a122139414a2af10270f5032e79fc3a2

SHA256
5f50430dd0aa0e86c64851aca370817064b696c2f11fbf129c20f9bf3ea3f701

SHA512
897eea687a30fe449d1e21add09f046c7cbc041a0541aa372db1cb2beb7f58847833208a317bb9d4124c71aa7c57ac4c1dae1d9d9dc2842543d8eaa8b36e11a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
b6202327bab07f1095719f41a2732e9d

SHA1
fb5b0136375de4a37e4eca58ce8e6d30f770fbf5

SHA256
310b64d4d4e9cc6c9da91f4f0fba8f58173727e0593264a01b0d3b310d2577e4

SHA512
168846680ca2028fa7627ef91aff16f18762942357a3282b98ff9f9319f8ad34601c347900cb944032391c3dd1f89c2b7521f31c448fbac85e62c016442fe3dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oxpdsh3r.jeq.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC925.tmp.bat
Filesize
37B

MD5
f5726d253fe5d4ecc9568bd9999883ca

SHA1
8fec12574c36283782076dd020fe67bbd6c49b8b

SHA256
1ede0c20a3dc0fd37285a36f19be95d0770f162e199e3514713301ecc8d05687

SHA512
2bc5d23a1eac45030c181f585c1a44b74386779d1e6e9448e190210d4eae4f98273923b7e055985d06c17e629429098fa78fa11a365d40fc93406cf6a13c9ee6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\mhtscdqz.sip.exe
Filesize
23KB

MD5
2c16e91ad2c6bdd99a1c2d419fbb0ec3

SHA1
f9b7ff51da9f9010fe3c9ab9cdcbc0febdb137da

SHA256
5b7d0d117902bffd1821b5d5cf7b0ace5061c0913f546e7bebd3e6a62c65e6ed

SHA512
ecd2ff0e6fa203daac5e51e814fa8c46b049857c15f90edfa6e9da8903bed72d9cdd4e98bc471e104cd2ee6b79dc780f361bf85aa7a8e2351a1e5099c73974cc

Download Submit
C:\Users\Admin\Documents\Sub\xdwdClient.exe
Filesize
778KB

MD5
4bb30012aaf74f260f455c79615cac5d

SHA1
eeb77e509d86bdac5325c1152bf9c89d6b16bec2

SHA256
686e4b531fb9f5d3db659a5a410e5450ced562758d8a85754cb0b4f0bc3469c1

SHA512
469ec5b3f19e6e81cc6325fd53519de3884e09bd9b0bdd25ae948b6cf974aa1e7abeaf12d767cdff2d873bcaf7233dfddbf029bdfe19639ff1a3433a91e64f4d

Download Submit
C:\Windows\xdwd.dll
Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
C:\Windows\xdwd.dll
Filesize
10KB

MD5
ac305f7820ac13928eead7f8f53f74e4

SHA1
e45e99748f7a64c1e5b19a69923c6bf9d9606d11

SHA256
f9fffee87f97508e09402374a4720b85245a690df81ea8b066e2731fcaa0df47

SHA512
8a76e43fb00d02366a9da05ee06d0715a6c1944fa987a0ec974761dc4295202e7079a8a43747c6d733f0c052a785d15a34e8a4144b05ef69391a662fdf5666fd

Download Submit
\??\pipe\LOCAL\crashpad_1572_MZLIDLSYZHBOHDXP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1092-4176-0x00007FFD39670000-0x00007FFD3A131000-memory.dmp

Filesize
10.8MB

Download
memory/1092-4175-0x00007FFD57670000-0x00007FFD57865000-memory.dmp

Filesize
2.0MB

Download
memory/1092-4157-0x00007FFD57670000-0x00007FFD57865000-memory.dmp

Filesize
2.0MB

Download
memory/1092-4158-0x00007FFD57660000-0x00007FFD57661000-memory.dmp

Filesize
4KB

Download
memory/1092-4168-0x00007FFD39670000-0x00007FFD3A131000-memory.dmp

Filesize
10.8MB

Download
memory/1092-4156-0x00007FFD57670000-0x00007FFD57865000-memory.dmp

Filesize
2.0MB

Download
memory/1092-4169-0x000001B82FA20000-0x000001B82FA30000-memory.dmp

Filesize
64KB

Download
memory/1092-4170-0x000001B82FA20000-0x000001B82FA30000-memory.dmp

Filesize
64KB

Download
memory/1504-4420-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download
memory/1504-4334-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download
memory/1504-4247-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download
memory/1504-4246-0x0000000074FA0000-0x0000000075551000-memory.dmp

Filesize
5.7MB

Download
memory/1504-4419-0x0000000074FA0000-0x0000000075551000-memory.dmp

Filesize
5.7MB

Download
memory/1504-4533-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download
memory/1504-6579-0x0000000074FA0000-0x0000000075551000-memory.dmp

Filesize
5.7MB

Download
memory/1900-4647-0x00007FFD57670000-0x00007FFD57865000-memory.dmp

Filesize
2.0MB

Download
memory/1900-4663-0x00007FFD57670000-0x00007FFD57865000-memory.dmp

Filesize
2.0MB

Download
memory/1900-4646-0x00007FFD57670000-0x00007FFD57865000-memory.dmp

Filesize
2.0MB

Download
memory/2324-3954-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/2324-3757-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/2324-3755-0x00000000008E0000-0x00000000008F2000-memory.dmp

Filesize
72KB

Download
memory/2568-69-0x00007FFD57670000-0x00007FFD57865000-memory.dmp

Filesize
2.0MB

Download
memory/2568-67-0x00007FFD57670000-0x00007FFD57865000-memory.dmp

Filesize
2.0MB

Download
memory/2568-68-0x00007FFD57660000-0x00007FFD57661000-memory.dmp

Filesize
4KB

Download
memory/3472-6549-0x00007FFD57670000-0x00007FFD57865000-memory.dmp

Filesize
2.0MB

Download
memory/3472-6577-0x00007FFD57670000-0x00007FFD57865000-memory.dmp

Filesize
2.0MB

Download
memory/3476-3754-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/3476-3684-0x0000000005E00000-0x00000000063A4000-memory.dmp

Filesize
5.6MB

Download
memory/3476-3682-0x0000000005790000-0x000000000582C000-memory.dmp

Filesize
624KB

Download
memory/3476-3683-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/3476-3681-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3612-4245-0x0000000074FA0000-0x0000000075551000-memory.dmp

Filesize
5.7MB

Download
memory/3612-4178-0x0000000001080000-0x0000000001090000-memory.dmp

Filesize
64KB

Download
memory/3612-4179-0x0000000074FA0000-0x0000000075551000-memory.dmp

Filesize
5.7MB

Download
memory/3612-4177-0x0000000074FA0000-0x0000000075551000-memory.dmp

Filesize
5.7MB

Download
memory/4424-682-0x00007FFD57670000-0x00007FFD57865000-memory.dmp

Filesize
2.0MB

Download
memory/4424-677-0x00007FFD39670000-0x00007FFD3A131000-memory.dmp

Filesize
10.8MB

Download
memory/4424-683-0x00007FFD39670000-0x00007FFD3A131000-memory.dmp

Filesize
10.8MB

Download
memory/4424-665-0x00007FFD57670000-0x00007FFD57865000-memory.dmp

Filesize
2.0MB

Download
memory/4424-666-0x00007FFD57670000-0x00007FFD57865000-memory.dmp

Filesize
2.0MB

Download
memory/4424-678-0x0000020FC04C0000-0x0000020FC04D0000-memory.dmp

Filesize
64KB

Download
memory/4424-679-0x0000020FC04C0000-0x0000020FC04D0000-memory.dmp

Filesize
64KB

Download
memory/4424-673-0x0000020FC04D0000-0x0000020FC04F2000-memory.dmp

Filesize
136KB

Download
memory/4532-4666-0x00007FFD57670000-0x00007FFD57865000-memory.dmp

Filesize
2.0MB

Download
memory/4532-4665-0x00007FFD57670000-0x00007FFD57865000-memory.dmp

Filesize
2.0MB

Download
memory/4532-4664-0x00007FFD57670000-0x00007FFD57865000-memory.dmp

Filesize
2.0MB

Download
memory/4784-6546-0x00007FFD57670000-0x00007FFD57865000-memory.dmp

Filesize
2.0MB

Download
memory/4784-6547-0x00007FFD57670000-0x00007FFD57865000-memory.dmp

Filesize
2.0MB

Download
memory/4956-0-0x0000000000E60000-0x0000000000F28000-memory.dmp

Filesize
800KB

Download
memory/4956-605-0x0000000002FB0000-0x0000000002FBA000-memory.dmp

Filesize
40KB

Download
memory/4956-604-0x000000001D9D0000-0x000000001DA46000-memory.dmp

Filesize
472KB

Download
memory/4956-6543-0x00000000015C0000-0x00000000015C8000-memory.dmp

Filesize
32KB

Download
memory/4956-606-0x000000001C200000-0x000000001C21E000-memory.dmp

Filesize
120KB

Download
memory/4956-3680-0x000000001C1E0000-0x000000001C1EC000-memory.dmp

Filesize
48KB

Download
memory/4956-210-0x000000001C290000-0x000000001C2A0000-memory.dmp

Filesize
64KB

Download
memory/4956-63-0x00007FFD39670000-0x00007FFD3A131000-memory.dmp

Filesize
10.8MB

Download
memory/4956-33-0x000000001C290000-0x000000001C2A0000-memory.dmp

Filesize
64KB

Download
memory/4956-1-0x00007FFD39670000-0x00007FFD3A131000-memory.dmp

Filesize
10.8MB

Download
memory/4956-6578-0x00007FFD39670000-0x00007FFD3A131000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads