Analysis
- max time kernel: 753s
- max time network: 763s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-02-2024 15:26
Static task: static1
Behavioral tasks (task: sample, resource):
- behavioral1: anhezkzllnds.exe, win10-20240214-en
- behavioral2: anhezkzllnds.exe, win10v2004-20231215-en
- behavioral3: bghfldfyngmg.exe, win10-20240214-en
- behavioral4: bghfldfyngmg.exe, win10v2004-20231215-en
- behavioral5: jldfefkrpayl.exe, win10-20240214-en
- behavioral6: jldfefkrpayl.exe, win10v2004-20231215-en
- behavioral7: molbfgsxjpwv.exe, win10-20240214-en
- behavioral8: molbfgsxjpwv.exe, win10v2004-20231215-en
- behavioral9: msxsbkvjyoho.exe, win10-20240214-en
- behavioral10: msxsbkvjyoho.exe, win10v2004-20231215-en
- behavioral11: oboekjkdross.exe, win10-20240214-en
- behavioral12: oboekjkdross.exe, win10v2004-20231215-en
- behavioral13: puugtqapzxao.exe, win10-20240214-en
- behavioral14: puugtqapzxao.exe, win10v2004-20231215-en
- behavioral15: pyaxlaetvdvq.exe, win10-20240214-en
- behavioral16: pyaxlaetvdvq.exe, win10v2004-20231215-en
- behavioral17: qywfpvbxbvih.exe, win10-20240214-en
- behavioral18: qywfpvbxbvih.exe, win10v2004-20231222-en
- behavioral19: ylyxcgqrxdhu.exe, win10-20240214-en
- behavioral20: ylyxcgqrxdhu.exe, win10v2004-20231215-en
Errors
General
- Target: molbfgsxjpwv.exe
- Size: 764KB
- MD5: 3943e12f7f33ccff610fbad61defc66f
- SHA1: b893d92e017997f411cfcda76425cc42ddd5405f
- SHA256: 22f66ff240dfda2244e7ce17c600985e70d3640764564ed9a5bd401502c0383b
- SHA512: 4d135ff5836505be56998c42edf9be83c9c7eb4d479c6123f3594b675c6f9dbcdf95ad8027f0a2dc0a11f44c9eefe36f22d1a5beb05678ac0142346c6325d5e3
- SSDEEP: 12288:gfQQEGPVle8phMeVUF5nqLL7fNfM3q9RNIwo:gr3+F5nqTN03qD
Malware Config
Extracted (njrat):
- 0.7d
- Lammer
- 8.tcp.ngrok.io:19346
- bca7344ec33c4f045ea133b6b48694e2
- reg_key: bca7344ec33c4f045ea133b6b48694e2
- splitter: |'|'|
Signatures

Contains code to disable Windows Defender (1 IoC)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes (resource, yara_rule):
- behavioral8/memory/4080-454-0x0000000002420000-0x000000000242A000-memory.dmp, disable_win_def
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes (description, ioc, process):
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\Documents\\Sub\\xdwdClient.exe" (molbfgsxjpwv.exe)
Modifies Windows Defender Real-time Protection settings
Processes (description, ioc, process):
- Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (molbfgsxjpwv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (molbfgsxjpwv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (molbfgsxjpwv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (molbfgsxjpwv.exe)
UAC bypass
Processes (description, ioc, process):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0" (molbfgsxjpwv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" (molbfgsxjpwv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0" (molbfgsxjpwv.exe)
Modifies AppInit DLL entries (2 TTPs)

Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes (pid, process):
- 2112 netsh.exe
Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
- Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation (RegAsm.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation (molbfgsxjpwv.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation (xsxm5swk.a1q.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation (Trojan.exe)
Drops startup file (2 IoCs)
Processes (description, ioc, process):
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bca7344ec33c4f045ea133b6b48694e2.exe (Trojan.exe)
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bca7344ec33c4f045ea133b6b48694e2.exe (Trojan.exe)

Executes dropped EXE (3 IoCs)
Processes (pid, process):
- 2768 Trojan.exe
- 4180 xsxm5swk.a1q.exe
- 1736 Trojan.exe

Loads dropped DLL (22 IoCs)
Processes (pid, process; pids without a name are not in the process tree):
- 2712
- 2236
- 376
- 2352
- 2296
- 3284 WmiApSrv.exe
- 3740
- 2884 powershell.exe
- 1744
- 4540
- 404
- 5028 powershell.exe
- 1020
- 2760
- 4192
- 1620 msedge.exe
- 2652 msedge.exe
- 2460
- 1156 msedge.exe
- 4092 CompPkgSrv.exe
- 4716 CompPkgSrv.exe
- 3208 msedge.exe
Windows security modification
Processes (description, ioc, process):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (molbfgsxjpwv.exe)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description, ioc, process):
- Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SDLKFJHDLKHDkh = "C:\\Users\\Admin\\Documents\\Sub\\xdwdWatchDog.exe" (molbfgsxjpwv.exe)
Checks whether UAC is enabled
Processes (description, ioc, process):
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua (molbfgsxjpwv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" (molbfgsxjpwv.exe)
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 5 IoCs)
Flows (flow, ioc):
- 34 0.tcp.eu.ngrok.io
- 63 0.tcp.eu.ngrok.io
- 68 8.tcp.ngrok.io
- 150 8.tcp.ngrok.io
- 160 0.tcp.eu.ngrok.io

Suspicious use of SetThreadContext (1 IoC)
Processes (description, pid, process, target process):
- PID 4080 set thread context of 2796: 4080 molbfgsxjpwv.exe -> RegAsm.exe

Drops file in Windows directory (1 IoC)
Processes (description, ioc, process):
- File created C:\Windows\xdwd.dll (molbfgsxjpwv.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description, ioc, process):
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Suspicious behavior: EnumeratesProcesses (57 IoCs)
Processes (pid, process; the report lists each pair repeatedly, repeated rows collapsed here):
- 4080 molbfgsxjpwv.exe
- 3284 WmiApSrv.exe
- 2884 powershell.exe
- 5028 powershell.exe
- 1620 msedge.exe
- 2652 msedge.exe
- 1156 msedge.exe
- 4092 CompPkgSrv.exe
- 4716 CompPkgSrv.exe
- 1208 identity_helper.exe
- 3208 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
Processes (pid, process):
- 2652 msedge.exe (8 identical rows)
Suspicious use of AdjustPrivilegeToken (62 IoCs)
Processes (token, pid, process; repeated rows collapsed):
- Token: SeDebugPrivilege, 4080 molbfgsxjpwv.exe
- Token: SeDebugPrivilege, 2884 powershell.exe
- Token: SeDebugPrivilege, 5028 powershell.exe
- Token: SeDebugPrivilege, 1736 Trojan.exe
- Token: 33, 1736 Trojan.exe (alternating with the next row for the remainder of the list)
- Token: SeIncBasePriorityPrivilege, 1736 Trojan.exe
Suspicious use of FindShellTrayWindow (25 IoCs)
Processes (pid, process):
- 2652 msedge.exe (25 identical rows)

Suspicious use of SendNotifyMessage (24 IoCs)
Processes (pid, process):
- 2652 msedge.exe (24 identical rows)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description, pid, process, target process; repeated rows collapsed):
- PID 4080 wrote to memory of 2884: molbfgsxjpwv.exe -> powershell.exe
- PID 4080 wrote to memory of 2796: molbfgsxjpwv.exe -> RegAsm.exe
- PID 2796 wrote to memory of 2768: RegAsm.exe -> Trojan.exe
- PID 4080 wrote to memory of 2152: molbfgsxjpwv.exe -> cmd.exe
- PID 2152 wrote to memory of 5028: cmd.exe -> powershell.exe
- PID 5028 wrote to memory of 4180: powershell.exe -> xsxm5swk.a1q.exe
- PID 4180 wrote to memory of 1736: xsxm5swk.a1q.exe -> Trojan.exe
- PID 1736 wrote to memory of 2112: Trojan.exe -> netsh.exe
- PID 1736 wrote to memory of 4596: Trojan.exe -> cmd.exe
- PID 4596 wrote to memory of 2652: cmd.exe -> msedge.exe
- PID 2652 wrote to memory of 1620: msedge.exe -> msedge.exe
- PID 2652 wrote to memory of 432: msedge.exe -> msedge.exe
System policy modification (1 TTP, 3 IoCs)
Processes (description, ioc, process):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0" (molbfgsxjpwv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" (molbfgsxjpwv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0" (molbfgsxjpwv.exe)
Processes (process tree; [n] is the nesting depth, each entry gives the image path, its command line and the signatures it triggered)

[1] C:\Users\Admin\AppData\Local\Temp\molbfgsxjpwv.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\molbfgsxjpwv.exe"
    - Modifies WinLogon for persistence
    - Modifies Windows Defender Real-time Protection settings
    - UAC bypass
    - Checks computer location settings
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd: "powershell" Get-MpPreference -verbose
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\Trojan.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
        - Executes dropped EXE

  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xsxm5swk.a1q.exe"' & exit
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmd: powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xsxm5swk.a1q.exe"'
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xsxm5swk.a1q.exe
          cmd: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xsxm5swk.a1q.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory

        [5] C:\Users\Admin\AppData\Local\Temp\Trojan.exe
            cmd: "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
            - Checks computer location settings
            - Drops startup file
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\netsh.exe
              cmd: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
              - Modifies Windows Firewall

          [6] C:\Windows\SysWOW64\cmd.exe
              cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1F63.tmp.bat" "
              - Suspicious use of WriteProcessMemory

            [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.redtube.com/
                - Loads dropped DLL
                - Enumerates system info in registry
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SendNotifyMessage
                - Suspicious use of WriteProcessMemory

              [8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbf07146f8,0x7ffbf0714708,0x7ffbf0714718
                  - Loads dropped DLL
                  - Suspicious behavior: EnumeratesProcesses

              [8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,6471473699619285455,9894015471229615486,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2

              [8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,6471473699619285455,9894015471229615486,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
                  - Loads dropped DLL
                  - Suspicious behavior: EnumeratesProcesses

              [8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,6471473699619285455,9894015471229615486,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8

              [8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6471473699619285455,9894015471229615486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

              [8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6471473699619285455,9894015471229615486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1

              [8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6471473699619285455,9894015471229615486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1

              [8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6471473699619285455,9894015471229615486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1

              [8] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,6471473699619285455,9894015471229615486,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8

              [8] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,6471473699619285455,9894015471229615486,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8
                  - Suspicious behavior: EnumeratesProcesses

              [8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6471473699619285455,9894015471229615486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1

              [8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6471473699619285455,9894015471229615486,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1

              [8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6471473699619285455,9894015471229615486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1

              [8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6471473699619285455,9894015471229615486,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1

              [8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,6471473699619285455,9894015471229615486,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2808 /prefetch:2
                  - Loads dropped DLL
                  - Suspicious behavior: EnumeratesProcesses

              [8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6471473699619285455,9894015471229615486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1

              [8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6471473699619285455,9894015471229615486,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1

  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c Shutdown /s /f /t 00

    [3] C:\Windows\system32\shutdown.exe
        cmd: Shutdown /s /f /t 00

[1] C:\Windows\system32\wbem\WmiApSrv.exe
    cmd: C:\Windows\system32\wbem\WmiApSrv.exe
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses

[1] C:\Windows\System32\CompPkgSrv.exe
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses

[1] C:\Windows\System32\CompPkgSrv.exe
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses

[1] C:\Windows\system32\LogonUI.exe
    cmd: "LogonUI.exe" /flags:0x4 /state0:0xa395a055 /state1:0x41c64e6d
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)

Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: efc9c7501d0a6db520763baad1e05ce8
SHA1: 60b5e190124b54ff7234bb2e36071d9c8db8545f
SHA256: 7af7b56e2f0a84ae008785726f3404eb9001baa4b5531d0d618c6bdcb05a3a7a
SHA512: bda611ddba56513a30295ea5ca8bc59e552154f860d13fed97201cdb81814dd6d1bca7deca6f8f58c9ae585d91e450f4383a365f80560f4b8e59a4c8b53c327d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 480B
MD5: 24d1e3f018e897986a7cdc44d2868a97
SHA1: c75331b8ea11e265cf0e1a49aca0f263bafda652
SHA256: d16b06fca1625f925e4aadef44315619d4dbb04564ec00fb36c19f3a326b5a7e
SHA512: 2473c480cda33026f56b26a549a2faede7e7e4732848781b5fb58473b8f71e22297243d8410148fde00a33ae31cbeee3917954230ccbe8c190577242ef921d17
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize: 1KB
MD5: b2148080cd307f0008ec7d5c747e80bc
SHA1: 24ba9ed4cae66be90a07e1fa3d902ff38119cf78
SHA256: 1f01ff4a89af71afca9d5cec62bc12b61934082e2e4a2e14ce97ff6f9bc70e70
SHA512: 738f48d0f013f99a6fddfe830b92af312526776d9621cf2368f82363c0128d4a0040e98db896d6085e29a5723373ed96774e7eb5a53063332e5e3b2c9de8aa4f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize: 111B
MD5: 285252a2f6327d41eab203dc2f402c67
SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: af04a13b6221215502cf75d2651c0f52
SHA1: 18587e0890f339d9fff7a20b28f5156235180448
SHA256: 95e50a9422f37e8189d1704bd22e725bbfccee2eac1563de9966071ccfec38b6
SHA512: b2dbdbe2d4244434c6b5cc76e52684565c4bb7aeea0fcf3228070c75bc9b7eba16b83aadb75311cd12fde03492b467ff8de10e4e3820e982f00d39a95b679b94
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 5KB
MD5: e68630af375bcc2042fd55cd28348b3a
SHA1: d819dd562ded99cd31740f9ffeb67b4d5e9221f1
SHA256: c069f4bedf5a669213bd068ac9d0c8b9a86d18573629e4533c8dfa2edbec6a67
SHA512: 7310b1a8b5160ab7f36dd7495d715ac16083943512ca6725d22f677fc9aec12547cc023835a7951d34f5c40e0f42216d863b7540c6c3934d34a56d04facd1087
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize: 24KB
MD5: 121510c1483c9de9fdb590c20526ec0a
SHA1: 96443a812fe4d3c522cfdbc9c95155e11939f4e2
SHA256: cf5d26bc399d0200a32080741e12f77d784a3117e6d58e07106e913f257aa46c
SHA512: b367741da9ab4e9a621ad663762bd9c459676e0fb1412e60f7068834cbd5c83b050608e33d5320e1b191be1d809fef48831e0f42b3ecabd38b24ec222576fa81
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize: 168B
MD5: 802961fcf9d54b862a08bbd9742aad2e
SHA1: 13353c578590827459d998b2e9bfeb24e57cdfe6
SHA256: 001f5329eaae5c7ce3eb4c33dfd02f2fdc4682e359e5ef78f7dfddb1fe1648cd
SHA512: 073cfd270598c96e46fdd650c808c2fdab7a65add82b529662034d69474dfd391fb4f08bef7d002d45417d43a853bcfb876db25291814363e1d5cb3cc0b31755
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe608e98.TMP
Filesize: 48B
MD5: 794be25530761a2f7fdde569e8194194
SHA1: 93a1eaedcce2114325f27d1f0382a9fce9bdd53f
SHA256: 10e948ba142adaa6eea44ac0c9aa747553ef073e4048775982085732f349c448
SHA512: 83174ef222837b34054dcf19a16aa5721280037df23b5b8bbafd07fe06fca5c29b697152f822428185f16fb265c53edc30486647cc219398ea745b25b2ce235a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 10KB
MD5: 8d4e51044befc759878de32e3bfddc37
SHA1: 6c890ce77e1e9450db910cb54a981198268f927e
SHA256: 22ef7491927800c65af82352e067895746c3283e289233045f0e27678dd8e181
SHA512: df016a2a9667e9dd0b5a9899706aefbf1320dd12c4d6bbe4a7acafaf987e3f22e95ec40622c6eca06256791ec1d7098803ad73e88ef5c731202a24960100c47f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 12KB
MD5: 5ec23bfad1d5640a3b832107c8bedee2
SHA1: 482d0c45041019805677417f4d374f7a4f55fdaf
SHA256: 9b58f55a0426bc80232b6fef0e7f5ea4e8d960b586b0a8fcdc4771e5c81d5c80
SHA512: b0eb7393b71a0a3f89a33e4e492b935ef187abf2612220dec0e7db6d499ae92d913642155198beb9ad024a8833c0da950e415b62bad1325e8e81ad69f1cc3c65
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 10KB
MD5: 6234d7b99a5ad158e767b510210c6880
SHA1: 397418534e40e2b1e24e6e12ff894f7b4cf903a3
SHA256: ccfeab53c84ed5d54e2471afec94f07b44911a8950e71e7ae6ce023633122504
SHA512: 4af1d036e25ee55e65b41787356770c5ae05bc8b865157d42bb1d9d62cd5ba527052bc4e2b0b56feb9e2a914bee37d699661a3319006fd1c26fdf5a27cc8675d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
MD5: 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1: c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256: 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512: 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize: 63KB
MD5: 0d5df43af2916f47d00c1573797c1a13
SHA1: 230ab5559e806574d26b4c20847c368ed55483b0
SHA256: c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
SHA512: f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zp2toib2.hij.ps1
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tmp1F63.tmp.bat
Filesize: 37B
MD5: f5726d253fe5d4ecc9568bd9999883ca
SHA1: 8fec12574c36283782076dd020fe67bbd6c49b8b
SHA256: 1ede0c20a3dc0fd37285a36f19be95d0770f162e199e3514713301ecc8d05687
SHA512: 2bc5d23a1eac45030c181f585c1a44b74386779d1e6e9448e190210d4eae4f98273923b7e055985d06c17e629429098fa78fa11a365d40fc93406cf6a13c9ee6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xsxm5swk.a1q.exe
Filesize: 23KB
MD5: 2c16e91ad2c6bdd99a1c2d419fbb0ec3
SHA1: f9b7ff51da9f9010fe3c9ab9cdcbc0febdb137da
SHA256: 5b7d0d117902bffd1821b5d5cf7b0ace5061c0913f546e7bebd3e6a62c65e6ed
SHA512: ecd2ff0e6fa203daac5e51e814fa8c46b049857c15f90edfa6e9da8903bed72d9cdd4e98bc471e104cd2ee6b79dc780f361bf85aa7a8e2351a1e5099c73974cc
-
C:\Users\Admin\Documents\Sub\xdwdClient.exe
Filesize: 764KB
MD5: 3943e12f7f33ccff610fbad61defc66f
SHA1: b893d92e017997f411cfcda76425cc42ddd5405f
SHA256: 22f66ff240dfda2244e7ce17c600985e70d3640764564ed9a5bd401502c0383b
SHA512: 4d135ff5836505be56998c42edf9be83c9c7eb4d479c6123f3594b675c6f9dbcdf95ad8027f0a2dc0a11f44c9eefe36f22d1a5beb05678ac0142346c6325d5e3
-
C:\Windows\xdwd.dll
Filesize: 136KB
MD5: 16e5a492c9c6ae34c59683be9c51fa31
SHA1: 97031b41f5c56f371c28ae0d62a2df7d585adaba
SHA256: 35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66
SHA512: 20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6
-
C:\Windows\xdwd.dll
Filesize: 89KB
MD5: f63cff4abf2e13a0e1eee4a239d03436
SHA1: 16d27b616ebeb188eff5d840c00c3278a4807ff6
SHA256: 299294a6f6615f6e37c0659a5618e12bffb5f13205a32de552a555fa6c8f45c6
SHA512: 9621d72574ec9241362af419eb6afae09f27e1ab65a3dc53f5221cf7c48520562a0c7c91adde2256e1e9b7f3c4905a1be96300c8bf818250fd47da0114839f93
-
\??\pipe\LOCAL\crashpad_2652_UYHQIAQTGHJEDZWD
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(Named pipe, no content captured: these are the digests of zero-length input and carry no indicator value.)
-
memory/1592-6331-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp
Filesize: 2.0MB
-
memory/1736-4056-0x00000000016C0000-0x00000000016D0000-memory.dmp
Filesize: 64KB
-
memory/1736-4055-0x0000000074850000-0x0000000074E01000-memory.dmp
Filesize: 5.7MB
-
memory/1736-4053-0x0000000074850000-0x0000000074E01000-memory.dmp
Filesize: 5.7MB
-
memory/1736-4171-0x00000000016C0000-0x00000000016D0000-memory.dmp
Filesize: 64KB
-
memory/1736-4233-0x0000000074850000-0x0000000074E01000-memory.dmp
Filesize: 5.7MB
-
memory/1736-6334-0x0000000074850000-0x0000000074E01000-memory.dmp
Filesize: 5.7MB
-
memory/1736-4257-0x00000000016C0000-0x00000000016D0000-memory.dmp
Filesize: 64KB
-
memory/1736-4370-0x00000000016C0000-0x00000000016D0000-memory.dmp
Filesize: 64KB
-
memory/2748-6332-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp
Filesize: 2.0MB
-
memory/2748-6333-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp
Filesize: 2.0MB
-
memory/2768-3579-0x0000000074340000-0x0000000074AF0000-memory.dmp
Filesize: 7.7MB
-
memory/2768-3587-0x0000000074340000-0x0000000074AF0000-memory.dmp
Filesize: 7.7MB
-
memory/2768-3578-0x0000000000DD0000-0x0000000000DE2000-memory.dmp
Filesize: 72KB
-
memory/2796-3490-0x0000000000400000-0x000000000040C000-memory.dmp
Filesize: 48KB
-
memory/2796-3562-0x0000000074320000-0x0000000074AD0000-memory.dmp
Filesize: 7.7MB
-
memory/2796-3493-0x00000000052F0000-0x0000000005894000-memory.dmp
Filesize: 5.6MB
-
memory/2796-3491-0x0000000004CA0000-0x0000000004D3C000-memory.dmp
Filesize: 624KB
-
memory/2796-3492-0x0000000074320000-0x0000000074AD0000-memory.dmp
Filesize: 7.7MB
-
memory/2884-515-0x000001B0B5930000-0x000001B0B5952000-memory.dmp
Filesize: 136KB
-
memory/2884-500-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp
Filesize: 2.0MB
-
memory/2884-502-0x000001B0CE010000-0x000001B0CE020000-memory.dmp
Filesize: 64KB
-
memory/2884-548-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp
Filesize: 2.0MB
-
memory/2884-547-0x00007FFBE7850000-0x00007FFBE8311000-memory.dmp
Filesize: 10.8MB
-
memory/2884-543-0x000001B0CE010000-0x000001B0CE020000-memory.dmp
Filesize: 64KB
-
memory/2884-526-0x00007FFBE7850000-0x00007FFBE8311000-memory.dmp
Filesize: 10.8MB
-
memory/2884-501-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp
Filesize: 2.0MB
-
memory/2884-503-0x000001B0CE010000-0x000001B0CE020000-memory.dmp
Filesize: 64KB
-
memory/3284-101-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp
Filesize: 2.0MB
-
memory/3284-98-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp
Filesize: 2.0MB
-
memory/3284-99-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp
Filesize: 2.0MB
-
memory/3284-100-0x00007FFC05C00000-0x00007FFC05C01000-memory.dmp
Filesize: 4KB
-
memory/4080-242-0x000000001B530000-0x000000001B540000-memory.dmp
Filesize: 64KB
-
memory/4080-453-0x000000001CBD0000-0x000000001CC46000-memory.dmp
Filesize: 472KB
-
memory/4080-6362-0x00007FFBE7850000-0x00007FFBE8311000-memory.dmp
Filesize: 10.8MB
-
memory/4080-454-0x0000000002420000-0x000000000242A000-memory.dmp
Filesize: 40KB
-
memory/4080-469-0x000000001C710000-0x000000001C72E000-memory.dmp
Filesize: 120KB
-
memory/4080-0-0x00007FFBE7850000-0x00007FFBE8311000-memory.dmp
Filesize: 10.8MB
-
memory/4080-6327-0x000000001AE20000-0x000000001AE28000-memory.dmp
Filesize: 32KB
-
memory/4080-3489-0x0000000002410000-0x000000000241C000-memory.dmp
Filesize: 48KB
-
memory/4080-34-0x000000001B530000-0x000000001B540000-memory.dmp
Filesize: 64KB
-
memory/4080-2-0x00007FFBE7850000-0x00007FFBE8311000-memory.dmp
Filesize: 10.8MB
-
memory/4080-1-0x0000000000170000-0x0000000000236000-memory.dmp
Filesize: 792KB
-
memory/4092-4497-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp
Filesize: 2.0MB
-
memory/4092-4498-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp
Filesize: 2.0MB
-
memory/4092-4499-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp
Filesize: 2.0MB
-
memory/4180-3985-0x0000000074850000-0x0000000074E01000-memory.dmp
Filesize: 5.7MB
-
memory/4180-4054-0x0000000074850000-0x0000000074E01000-memory.dmp
Filesize: 5.7MB
-
memory/4180-3986-0x0000000074850000-0x0000000074E01000-memory.dmp
Filesize: 5.7MB
-
memory/4180-3987-0x0000000001B00000-0x0000000001B10000-memory.dmp
Filesize: 64KB
-
memory/4716-4501-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp
Filesize: 2.0MB
-
memory/4716-4502-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp
Filesize: 2.0MB
-
memory/4716-4503-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp
Filesize: 2.0MB
-
memory/5028-3984-0x00007FFBE7850000-0x00007FFBE8311000-memory.dmp
Filesize: 10.8MB
-
memory/5028-3983-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp
Filesize: 2.0MB
-
memory/5028-3978-0x000002405ACE0000-0x000002405ACF0000-memory.dmp
Filesize: 64KB
-
memory/5028-3979-0x000002405ACE0000-0x000002405ACF0000-memory.dmp
Filesize: 64KB
-
memory/5028-3977-0x000002405ACE0000-0x000002405ACF0000-memory.dmp
Filesize: 64KB
-
memory/5028-3971-0x00007FFBE7850000-0x00007FFBE8311000-memory.dmp
Filesize: 10.8MB
-
memory/5028-3964-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp
Filesize: 2.0MB
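The dropped-file list above is what a responder turns into host indicators. The Python below is an added example for this page, not the sandbox's own tooling: it parses entries in the fused layout the extracted report uses (path with "Filesize" or "MD5" appended, then size, then labelled digests), builds a SHA-256 index, drops the crashpad pipe entry because its digests are those of empty content and would match every zero-byte file on a host, and sweeps a directory for matches. SAMPLE_REPORT holds two entries copied from the list above; the extra "abc" indicator, the scratch directory and its file names are constructed for the demonstration and are not from the report.

```python
"""Turn the Downloads list of an extracted sandbox report into SHA-256 indicators
and sweep a directory for matching files. Added example; not the sandbox's own tooling."""
import hashlib
import os
import re
import tempfile

# Constructed sample: two entries copied from the report above, in the fused layout the
# extraction produced ("<path>Filesize", "<size>", "MD5<hex>", "SHA1<hex>", ...). The
# crashpad pipe entry has "MD5" fused to its name and the digest on the following line.
SAMPLE_REPORT = r"""
-
C:\Users\Admin\AppData\Local\Temp\Trojan.exeFilesize
63KB
MD50d5df43af2916f47d00c1573797c1a13
SHA1230ab5559e806574d26b4c20847c368ed55483b0
SHA256c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
-
\??\pipe\LOCAL\crashpad_2652_UYHQIAQTGHJEDZWDMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()
# Digest line: optional fused label, then hex whose length identifies the algorithm.
HASH_RE = re.compile(r"^(?:MD5|SHA1|SHA256|SHA512)?"
                     r"([0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}|[0-9a-fA-F]{128})$")
SIZE_RE = re.compile(r"^\d+(?:\.\d+)?(?:B|KB|MB|GB)$")
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

def parse_downloads(text):
    """One dict per entry: path, size and whichever digests are present."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-":  # separator between entries
            if cur:
                entries.append(cur)
            cur = None
        elif not line:
            continue
        elif cur is None:  # first line of an entry: the path, minus the fused label
            cur = {"path": re.sub(r"(?:Filesize|MD5)$", "", line), "size": None}
        elif (m := HASH_RE.match(line)):
            digest = m.group(1).lower()
            cur[ALGO_BY_LEN[len(digest)]] = digest
        elif SIZE_RE.match(line):
            cur["size"] = line
    if cur:
        entries.append(cur)
    return entries

def build_ioc_index(entries):
    """Map SHA-256 -> reported path, skipping digests that cannot discriminate."""
    index = {}
    for e in entries:
        digest = e.get("sha256")
        # The crashpad pipe carries the digests of empty content; indexing it would
        # flag every zero-byte file on the host.
        if digest and digest != EMPTY_SHA256:
            index[digest] = e["path"]
    return index

def sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def sweep(root, index):
    """Walk root; return (local path, reported path) for every SHA-256 hit."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            local = os.path.join(dirpath, name)
            try:
                digest = sha256_of(local)
            except OSError:  # unreadable or vanished file: skip it, don't abort the sweep
                continue
            if digest in index:
                hits.append((local, index[digest]))
    return hits

def demo():
    """Sweep a scratch directory holding an empty file and a file whose SHA-256
    (the 'abc' test vector) is added as a hypothetical extra indicator."""
    entries = parse_downloads(SAMPLE_REPORT)
    index = build_ioc_index(entries)
    index[hashlib.sha256(b"abc").hexdigest()] = r"C:\constructed\sample.bin"  # hypothetical
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    open(os.path.join(root, "empty.tmp"), "wb").close()
    with open(os.path.join(root, "sample.bin"), "wb") as f:
        f.write(b"abc")
    return entries, index, sweep(root, index)
```

On a real host, feed `parse_downloads` the whole list and point `sweep` at the directories the report names (the user's Temp, Templates and Documents\Sub folders and C:\Windows); match on SHA-256 rather than MD5, and treat the duplicate paths with differing hashes (xdwd.dll, Local State) as separate indicators.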