njrat | 787cb0fab96ebe518dea4d2ebd90528db5ebf6019cb2c0d62ad77413bcd36e2d

Analysis

max time kernel
753s
max time network
763s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2024 15:26

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

molbfgsxjpwv.exe
Size

764KB
MD5

3943e12f7f33ccff610fbad61defc66f
SHA1

b893d92e017997f411cfcda76425cc42ddd5405f
SHA256

22f66ff240dfda2244e7ce17c600985e70d3640764564ed9a5bd401502c0383b
SHA512

4d135ff5836505be56998c42edf9be83c9c7eb4d479c6123f3594b675c6f9dbcdf95ad8027f0a2dc0a11f44c9eefe36f22d1a5beb05678ac0142346c6325d5e3
SSDEEP

12288:gfQQEGPVle8phMeVUF5nqLL7fNfM3q9RNIwo:gr3+F5nqTN03qD

Score

10^/10

njrat lammer evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

8.tcp.ngrok.io:19346

Mutex

bca7344ec33c4f045ea133b6b48694e2

Attributes

reg_key
bca7344ec33c4f045ea133b6b48694e2
splitter
|'|'|

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral8/memory/4080-454-0x0000000002420000-0x000000000242A000-memory.dmp	disable_win_def

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

molbfgsxjpwv.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\Documents\\Sub\\xdwdClient.exe"	molbfgsxjpwv.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

molbfgsxjpwv.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	molbfgsxjpwv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	molbfgsxjpwv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	molbfgsxjpwv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	molbfgsxjpwv.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

molbfgsxjpwv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	molbfgsxjpwv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	molbfgsxjpwv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	molbfgsxjpwv.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2112 netsh.exe

pid	process
2112	netsh.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exemolbfgsxjpwv.exexsxm5swk.a1q.exeTrojan.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	molbfgsxjpwv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	xsxm5swk.a1q.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	Trojan.exe

Drops startup file 2 IoCs

Processes:

Trojan.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bca7344ec33c4f045ea133b6b48694e2.exe	Trojan.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bca7344ec33c4f045ea133b6b48694e2.exe	Trojan.exe

Executes dropped EXE 3 IoCs

Processes:

Trojan.exexsxm5swk.a1q.exeTrojan.exe

pid process

2768 Trojan.exe
4180 xsxm5swk.a1q.exe
1736 Trojan.exe

pid	process
2768	Trojan.exe
4180	xsxm5swk.a1q.exe
1736	Trojan.exe

Loads dropped DLL 22 IoCs

Processes:

WmiApSrv.exepowershell.exepowershell.exemsedge.exemsedge.exemsedge.exeCompPkgSrv.exeCompPkgSrv.exemsedge.exe

pid	process
2712
2236
376
2352
2296
3284	WmiApSrv.exe
3740
2884	powershell.exe
1744
4540
404
5028	powershell.exe
1020
2760
4192
1620	msedge.exe
2652	msedge.exe
2460
1156	msedge.exe
4092	CompPkgSrv.exe
4716	CompPkgSrv.exe
3208	msedge.exe

Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

molbfgsxjpwv.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" molbfgsxjpwv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	molbfgsxjpwv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

molbfgsxjpwv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SDLKFJHDLKHDkh = "C:\\Users\\Admin\\Documents\\Sub\\xdwdWatchDog.exe"	molbfgsxjpwv.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

molbfgsxjpwv.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua	molbfgsxjpwv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	molbfgsxjpwv.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

34 0.tcp.eu.ngrok.io
63 0.tcp.eu.ngrok.io
68 8.tcp.ngrok.io
150 8.tcp.ngrok.io
160 0.tcp.eu.ngrok.io
Suspicious use of SetThreadContext 1 IoCs

Processes:

molbfgsxjpwv.exe

description pid process target process

PID 4080 set thread context of 2796 4080 molbfgsxjpwv.exe RegAsm.exe
Drops file in Windows directory 1 IoCs

Processes:

molbfgsxjpwv.exe

description ioc process

File created C:\Windows\xdwd.dll molbfgsxjpwv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
34	0.tcp.eu.ngrok.io
63	0.tcp.eu.ngrok.io
68	8.tcp.ngrok.io
150	8.tcp.ngrok.io
160	0.tcp.eu.ngrok.io

description	pid	process	target process
PID 4080 set thread context of 2796	4080	molbfgsxjpwv.exe	RegAsm.exe

description	ioc	process
File created	C:\Windows\xdwd.dll	molbfgsxjpwv.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

Processes:

molbfgsxjpwv.exeWmiApSrv.exepowershell.exepowershell.exemsedge.exemsedge.exemsedge.exeCompPkgSrv.exeCompPkgSrv.exeidentity_helper.exemsedge.exe

pid	process
4080	molbfgsxjpwv.exe
4080	molbfgsxjpwv.exe
4080	molbfgsxjpwv.exe
4080	molbfgsxjpwv.exe
4080	molbfgsxjpwv.exe
4080	molbfgsxjpwv.exe
4080	molbfgsxjpwv.exe
4080	molbfgsxjpwv.exe
4080	molbfgsxjpwv.exe
4080	molbfgsxjpwv.exe
4080	molbfgsxjpwv.exe
4080	molbfgsxjpwv.exe
4080	molbfgsxjpwv.exe
4080	molbfgsxjpwv.exe
4080	molbfgsxjpwv.exe
4080	molbfgsxjpwv.exe
4080	molbfgsxjpwv.exe
4080	molbfgsxjpwv.exe
4080	molbfgsxjpwv.exe
4080	molbfgsxjpwv.exe
4080	molbfgsxjpwv.exe
4080	molbfgsxjpwv.exe
4080	molbfgsxjpwv.exe
4080	molbfgsxjpwv.exe
4080	molbfgsxjpwv.exe
4080	molbfgsxjpwv.exe
4080	molbfgsxjpwv.exe
3284	WmiApSrv.exe
3284	WmiApSrv.exe
2884	powershell.exe
2884	powershell.exe
2884	powershell.exe
2884	powershell.exe
5028	powershell.exe
5028	powershell.exe
5028	powershell.exe
5028	powershell.exe
1620	msedge.exe
1620	msedge.exe
2652	msedge.exe
2652	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
2652	msedge.exe
2652	msedge.exe
4092	CompPkgSrv.exe
4716	CompPkgSrv.exe
1208	identity_helper.exe
1208	identity_helper.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe
3208	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

2652 msedge.exe
2652 msedge.exe
2652 msedge.exe
2652 msedge.exe
2652 msedge.exe
2652 msedge.exe
2652 msedge.exe
2652 msedge.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

Processes:

molbfgsxjpwv.exepowershell.exepowershell.exeTrojan.exe

description	pid	process
Token: SeDebugPrivilege	4080	molbfgsxjpwv.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeDebugPrivilege	1736	Trojan.exe
Token: 33	1736	Trojan.exe
Token: SeIncBasePriorityPrivilege	1736	Trojan.exe
Token: 33	1736	Trojan.exe
Token: SeIncBasePriorityPrivilege	1736	Trojan.exe
Token: 33	1736	Trojan.exe
Token: SeIncBasePriorityPrivilege	1736	Trojan.exe
Token: 33	1736	Trojan.exe
Token: SeIncBasePriorityPrivilege	1736	Trojan.exe
Token: 33	1736	Trojan.exe
Token: SeIncBasePriorityPrivilege	1736	Trojan.exe
Token: 33	1736	Trojan.exe
Token: SeIncBasePriorityPrivilege	1736	Trojan.exe
Token: 33	1736	Trojan.exe
Token: SeIncBasePriorityPrivilege	1736	Trojan.exe
Token: 33	1736	Trojan.exe
Token: SeIncBasePriorityPrivilege	1736	Trojan.exe
Token: 33	1736	Trojan.exe
Token: SeIncBasePriorityPrivilege	1736	Trojan.exe
Token: 33	1736	Trojan.exe
Token: SeIncBasePriorityPrivilege	1736	Trojan.exe
Token: 33	1736	Trojan.exe
Token: SeIncBasePriorityPrivilege	1736	Trojan.exe
Token: 33	1736	Trojan.exe
Token: SeIncBasePriorityPrivilege	1736	Trojan.exe
Token: 33	1736	Trojan.exe
Token: SeIncBasePriorityPrivilege	1736	Trojan.exe
Token: 33	1736	Trojan.exe
Token: SeIncBasePriorityPrivilege	1736	Trojan.exe
Token: 33	1736	Trojan.exe
Token: SeIncBasePriorityPrivilege	1736	Trojan.exe
Token: 33	1736	Trojan.exe
Token: SeIncBasePriorityPrivilege	1736	Trojan.exe
Token: 33	1736	Trojan.exe
Token: SeIncBasePriorityPrivilege	1736	Trojan.exe
Token: 33	1736	Trojan.exe
Token: SeIncBasePriorityPrivilege	1736	Trojan.exe
Token: 33	1736	Trojan.exe
Token: SeIncBasePriorityPrivilege	1736	Trojan.exe
Token: 33	1736	Trojan.exe
Token: SeIncBasePriorityPrivilege	1736	Trojan.exe
Token: 33	1736	Trojan.exe
Token: SeIncBasePriorityPrivilege	1736	Trojan.exe
Token: 33	1736	Trojan.exe
Token: SeIncBasePriorityPrivilege	1736	Trojan.exe
Token: 33	1736	Trojan.exe
Token: SeIncBasePriorityPrivilege	1736	Trojan.exe
Token: 33	1736	Trojan.exe
Token: SeIncBasePriorityPrivilege	1736	Trojan.exe
Token: 33	1736	Trojan.exe
Token: SeIncBasePriorityPrivilege	1736	Trojan.exe
Token: 33	1736	Trojan.exe
Token: SeIncBasePriorityPrivilege	1736	Trojan.exe
Token: 33	1736	Trojan.exe
Token: SeIncBasePriorityPrivilege	1736	Trojan.exe
Token: 33	1736	Trojan.exe
Token: SeIncBasePriorityPrivilege	1736	Trojan.exe
Token: 33	1736	Trojan.exe
Token: SeIncBasePriorityPrivilege	1736	Trojan.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

molbfgsxjpwv.exeRegAsm.execmd.exepowershell.exexsxm5swk.a1q.exeTrojan.execmd.exemsedge.exe

description	pid	process	target process
PID 4080 wrote to memory of 2884	4080	molbfgsxjpwv.exe	powershell.exe
PID 4080 wrote to memory of 2884	4080	molbfgsxjpwv.exe	powershell.exe
PID 4080 wrote to memory of 2796	4080	molbfgsxjpwv.exe	RegAsm.exe
PID 4080 wrote to memory of 2796	4080	molbfgsxjpwv.exe	RegAsm.exe
PID 4080 wrote to memory of 2796	4080	molbfgsxjpwv.exe	RegAsm.exe
PID 4080 wrote to memory of 2796	4080	molbfgsxjpwv.exe	RegAsm.exe
PID 4080 wrote to memory of 2796	4080	molbfgsxjpwv.exe	RegAsm.exe
PID 4080 wrote to memory of 2796	4080	molbfgsxjpwv.exe	RegAsm.exe
PID 4080 wrote to memory of 2796	4080	molbfgsxjpwv.exe	RegAsm.exe
PID 4080 wrote to memory of 2796	4080	molbfgsxjpwv.exe	RegAsm.exe
PID 2796 wrote to memory of 2768	2796	RegAsm.exe	Trojan.exe
PID 2796 wrote to memory of 2768	2796	RegAsm.exe	Trojan.exe
PID 2796 wrote to memory of 2768	2796	RegAsm.exe	Trojan.exe
PID 4080 wrote to memory of 2152	4080	molbfgsxjpwv.exe	cmd.exe
PID 4080 wrote to memory of 2152	4080	molbfgsxjpwv.exe	cmd.exe
PID 2152 wrote to memory of 5028	2152	cmd.exe	powershell.exe
PID 2152 wrote to memory of 5028	2152	cmd.exe	powershell.exe
PID 5028 wrote to memory of 4180	5028	powershell.exe	xsxm5swk.a1q.exe
PID 5028 wrote to memory of 4180	5028	powershell.exe	xsxm5swk.a1q.exe
PID 5028 wrote to memory of 4180	5028	powershell.exe	xsxm5swk.a1q.exe
PID 4180 wrote to memory of 1736	4180	xsxm5swk.a1q.exe	Trojan.exe
PID 4180 wrote to memory of 1736	4180	xsxm5swk.a1q.exe	Trojan.exe
PID 4180 wrote to memory of 1736	4180	xsxm5swk.a1q.exe	Trojan.exe
PID 1736 wrote to memory of 2112	1736	Trojan.exe	netsh.exe
PID 1736 wrote to memory of 2112	1736	Trojan.exe	netsh.exe
PID 1736 wrote to memory of 2112	1736	Trojan.exe	netsh.exe
PID 1736 wrote to memory of 4596	1736	Trojan.exe	cmd.exe
PID 1736 wrote to memory of 4596	1736	Trojan.exe	cmd.exe
PID 1736 wrote to memory of 4596	1736	Trojan.exe	cmd.exe
PID 4596 wrote to memory of 2652	4596	cmd.exe	msedge.exe
PID 4596 wrote to memory of 2652	4596	cmd.exe	msedge.exe
PID 2652 wrote to memory of 1620	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1620	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 432	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 432	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 432	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 432	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 432	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 432	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 432	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 432	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 432	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 432	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 432	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 432	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 432	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 432	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 432	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 432	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 432	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 432	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 432	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 432	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 432	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 432	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 432	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 432	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 432	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 432	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 432	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 432	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 432	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 432	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 432	2652	msedge.exe	msedge.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

molbfgsxjpwv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	molbfgsxjpwv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	molbfgsxjpwv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	molbfgsxjpwv.exe

C:\Users\Admin\AppData\Local\Temp\molbfgsxjpwv.exe
"C:\Users\Admin\AppData\Local\Temp\molbfgsxjpwv.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Checks computer location settings
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2796

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
3⤵
- Executes dropped EXE
PID:2768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xsxm5swk.a1q.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xsxm5swk.a1q.exe"'
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5028

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xsxm5swk.a1q.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xsxm5swk.a1q.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
5⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
6⤵
- Modifies Windows Firewall
PID:2112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1F63.tmp.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:4596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.redtube.com/
7⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbf07146f8,0x7ffbf0714708,0x7ffbf0714718
8⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,6471473699619285455,9894015471229615486,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
8⤵
PID:432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,6471473699619285455,9894015471229615486,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
8⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,6471473699619285455,9894015471229615486,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
8⤵
PID:4020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6471473699619285455,9894015471229615486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
8⤵
PID:3640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6471473699619285455,9894015471229615486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
8⤵
PID:2092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6471473699619285455,9894015471229615486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
8⤵
PID:3828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6471473699619285455,9894015471229615486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
8⤵
PID:404

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,6471473699619285455,9894015471229615486,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8
8⤵
PID:3008

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,6471473699619285455,9894015471229615486,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:1208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6471473699619285455,9894015471229615486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
8⤵
PID:1860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6471473699619285455,9894015471229615486,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
8⤵
PID:4984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6471473699619285455,9894015471229615486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
8⤵
PID:1032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6471473699619285455,9894015471229615486,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
8⤵
PID:552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,6471473699619285455,9894015471229615486,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2808 /prefetch:2
8⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6471473699619285455,9894015471229615486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
8⤵
PID:4716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6471473699619285455,9894015471229615486,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
8⤵
PID:3584

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Shutdown /s /f /t 00
2⤵
PID:2200

C:\Windows\system32\shutdown.exe
Shutdown /s /f /t 00
3⤵
PID:1592

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3284

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4716

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa395a055 /state1:0x41c64e6d
1⤵
PID:2748

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
efc9c7501d0a6db520763baad1e05ce8

SHA1
60b5e190124b54ff7234bb2e36071d9c8db8545f

SHA256
7af7b56e2f0a84ae008785726f3404eb9001baa4b5531d0d618c6bdcb05a3a7a

SHA512
bda611ddba56513a30295ea5ca8bc59e552154f860d13fed97201cdb81814dd6d1bca7deca6f8f58c9ae585d91e450f4383a365f80560f4b8e59a4c8b53c327d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
480B

MD5
24d1e3f018e897986a7cdc44d2868a97

SHA1
c75331b8ea11e265cf0e1a49aca0f263bafda652

SHA256
d16b06fca1625f925e4aadef44315619d4dbb04564ec00fb36c19f3a326b5a7e

SHA512
2473c480cda33026f56b26a549a2faede7e7e4732848781b5fb58473b8f71e22297243d8410148fde00a33ae31cbeee3917954230ccbe8c190577242ef921d17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
b2148080cd307f0008ec7d5c747e80bc

SHA1
24ba9ed4cae66be90a07e1fa3d902ff38119cf78

SHA256
1f01ff4a89af71afca9d5cec62bc12b61934082e2e4a2e14ce97ff6f9bc70e70

SHA512
738f48d0f013f99a6fddfe830b92af312526776d9621cf2368f82363c0128d4a0040e98db896d6085e29a5723373ed96774e7eb5a53063332e5e3b2c9de8aa4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
af04a13b6221215502cf75d2651c0f52

SHA1
18587e0890f339d9fff7a20b28f5156235180448

SHA256
95e50a9422f37e8189d1704bd22e725bbfccee2eac1563de9966071ccfec38b6

SHA512
b2dbdbe2d4244434c6b5cc76e52684565c4bb7aeea0fcf3228070c75bc9b7eba16b83aadb75311cd12fde03492b467ff8de10e4e3820e982f00d39a95b679b94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
e68630af375bcc2042fd55cd28348b3a

SHA1
d819dd562ded99cd31740f9ffeb67b4d5e9221f1

SHA256
c069f4bedf5a669213bd068ac9d0c8b9a86d18573629e4533c8dfa2edbec6a67

SHA512
7310b1a8b5160ab7f36dd7495d715ac16083943512ca6725d22f677fc9aec12547cc023835a7951d34f5c40e0f42216d863b7540c6c3934d34a56d04facd1087

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
121510c1483c9de9fdb590c20526ec0a

SHA1
96443a812fe4d3c522cfdbc9c95155e11939f4e2

SHA256
cf5d26bc399d0200a32080741e12f77d784a3117e6d58e07106e913f257aa46c

SHA512
b367741da9ab4e9a621ad663762bd9c459676e0fb1412e60f7068834cbd5c83b050608e33d5320e1b191be1d809fef48831e0f42b3ecabd38b24ec222576fa81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
168B

MD5
802961fcf9d54b862a08bbd9742aad2e

SHA1
13353c578590827459d998b2e9bfeb24e57cdfe6

SHA256
001f5329eaae5c7ce3eb4c33dfd02f2fdc4682e359e5ef78f7dfddb1fe1648cd

SHA512
073cfd270598c96e46fdd650c808c2fdab7a65add82b529662034d69474dfd391fb4f08bef7d002d45417d43a853bcfb876db25291814363e1d5cb3cc0b31755

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe608e98.TMP
Filesize
48B

MD5
794be25530761a2f7fdde569e8194194

SHA1
93a1eaedcce2114325f27d1f0382a9fce9bdd53f

SHA256
10e948ba142adaa6eea44ac0c9aa747553ef073e4048775982085732f349c448

SHA512
83174ef222837b34054dcf19a16aa5721280037df23b5b8bbafd07fe06fca5c29b697152f822428185f16fb265c53edc30486647cc219398ea745b25b2ce235a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
8d4e51044befc759878de32e3bfddc37

SHA1
6c890ce77e1e9450db910cb54a981198268f927e

SHA256
22ef7491927800c65af82352e067895746c3283e289233045f0e27678dd8e181

SHA512
df016a2a9667e9dd0b5a9899706aefbf1320dd12c4d6bbe4a7acafaf987e3f22e95ec40622c6eca06256791ec1d7098803ad73e88ef5c731202a24960100c47f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
5ec23bfad1d5640a3b832107c8bedee2

SHA1
482d0c45041019805677417f4d374f7a4f55fdaf

SHA256
9b58f55a0426bc80232b6fef0e7f5ea4e8d960b586b0a8fcdc4771e5c81d5c80

SHA512
b0eb7393b71a0a3f89a33e4e492b935ef187abf2612220dec0e7db6d499ae92d913642155198beb9ad024a8833c0da950e415b62bad1325e8e81ad69f1cc3c65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
6234d7b99a5ad158e767b510210c6880

SHA1
397418534e40e2b1e24e6e12ff894f7b4cf903a3

SHA256
ccfeab53c84ed5d54e2471afec94f07b44911a8950e71e7ae6ce023633122504

SHA512
4af1d036e25ee55e65b41787356770c5ae05bc8b865157d42bb1d9d62cd5ba527052bc4e2b0b56feb9e2a914bee37d699661a3319006fd1c26fdf5a27cc8675d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zp2toib2.hij.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1F63.tmp.bat
Filesize
37B

MD5
f5726d253fe5d4ecc9568bd9999883ca

SHA1
8fec12574c36283782076dd020fe67bbd6c49b8b

SHA256
1ede0c20a3dc0fd37285a36f19be95d0770f162e199e3514713301ecc8d05687

SHA512
2bc5d23a1eac45030c181f585c1a44b74386779d1e6e9448e190210d4eae4f98273923b7e055985d06c17e629429098fa78fa11a365d40fc93406cf6a13c9ee6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xsxm5swk.a1q.exe
Filesize
23KB

MD5
2c16e91ad2c6bdd99a1c2d419fbb0ec3

SHA1
f9b7ff51da9f9010fe3c9ab9cdcbc0febdb137da

SHA256
5b7d0d117902bffd1821b5d5cf7b0ace5061c0913f546e7bebd3e6a62c65e6ed

SHA512
ecd2ff0e6fa203daac5e51e814fa8c46b049857c15f90edfa6e9da8903bed72d9cdd4e98bc471e104cd2ee6b79dc780f361bf85aa7a8e2351a1e5099c73974cc

Download Submit
C:\Users\Admin\Documents\Sub\xdwdClient.exe
Filesize
764KB

MD5
3943e12f7f33ccff610fbad61defc66f

SHA1
b893d92e017997f411cfcda76425cc42ddd5405f

SHA256
22f66ff240dfda2244e7ce17c600985e70d3640764564ed9a5bd401502c0383b

SHA512
4d135ff5836505be56998c42edf9be83c9c7eb4d479c6123f3594b675c6f9dbcdf95ad8027f0a2dc0a11f44c9eefe36f22d1a5beb05678ac0142346c6325d5e3

Download Submit
C:\Windows\xdwd.dll
Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
C:\Windows\xdwd.dll
Filesize
89KB

MD5
f63cff4abf2e13a0e1eee4a239d03436

SHA1
16d27b616ebeb188eff5d840c00c3278a4807ff6

SHA256
299294a6f6615f6e37c0659a5618e12bffb5f13205a32de552a555fa6c8f45c6

SHA512
9621d72574ec9241362af419eb6afae09f27e1ab65a3dc53f5221cf7c48520562a0c7c91adde2256e1e9b7f3c4905a1be96300c8bf818250fd47da0114839f93

Download Submit
\??\pipe\LOCAL\crashpad_2652_UYHQIAQTGHJEDZWD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1592-6331-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp

Filesize
2.0MB

Download
memory/1736-4056-0x00000000016C0000-0x00000000016D0000-memory.dmp

Filesize
64KB

Download
memory/1736-4055-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/1736-4053-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/1736-4171-0x00000000016C0000-0x00000000016D0000-memory.dmp

Filesize
64KB

Download
memory/1736-4233-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/1736-6334-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/1736-4257-0x00000000016C0000-0x00000000016D0000-memory.dmp

Filesize
64KB

Download
memory/1736-4370-0x00000000016C0000-0x00000000016D0000-memory.dmp

Filesize
64KB

Download
memory/2748-6332-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp

Filesize
2.0MB

Download
memory/2748-6333-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp

Filesize
2.0MB

Download
memory/2768-3579-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/2768-3587-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/2768-3578-0x0000000000DD0000-0x0000000000DE2000-memory.dmp

Filesize
72KB

Download
memory/2796-3490-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2796-3562-0x0000000074320000-0x0000000074AD0000-memory.dmp

Filesize
7.7MB

Download
memory/2796-3493-0x00000000052F0000-0x0000000005894000-memory.dmp

Filesize
5.6MB

Download
memory/2796-3491-0x0000000004CA0000-0x0000000004D3C000-memory.dmp

Filesize
624KB

Download
memory/2796-3492-0x0000000074320000-0x0000000074AD0000-memory.dmp

Filesize
7.7MB

Download
memory/2884-515-0x000001B0B5930000-0x000001B0B5952000-memory.dmp

Filesize
136KB

Download
memory/2884-500-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp

Filesize
2.0MB

Download
memory/2884-502-0x000001B0CE010000-0x000001B0CE020000-memory.dmp

Filesize
64KB

Download
memory/2884-548-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp

Filesize
2.0MB

Download
memory/2884-547-0x00007FFBE7850000-0x00007FFBE8311000-memory.dmp

Filesize
10.8MB

Download
memory/2884-543-0x000001B0CE010000-0x000001B0CE020000-memory.dmp

Filesize
64KB

Download
memory/2884-526-0x00007FFBE7850000-0x00007FFBE8311000-memory.dmp

Filesize
10.8MB

Download
memory/2884-501-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp

Filesize
2.0MB

Download
memory/2884-503-0x000001B0CE010000-0x000001B0CE020000-memory.dmp

Filesize
64KB

Download
memory/3284-101-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp

Filesize
2.0MB

Download
memory/3284-98-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp

Filesize
2.0MB

Download
memory/3284-99-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp

Filesize
2.0MB

Download
memory/3284-100-0x00007FFC05C00000-0x00007FFC05C01000-memory.dmp

Filesize
4KB

Download
memory/4080-242-0x000000001B530000-0x000000001B540000-memory.dmp

Filesize
64KB

Download
memory/4080-453-0x000000001CBD0000-0x000000001CC46000-memory.dmp

Filesize
472KB

Download
memory/4080-6362-0x00007FFBE7850000-0x00007FFBE8311000-memory.dmp

Filesize
10.8MB

Download
memory/4080-454-0x0000000002420000-0x000000000242A000-memory.dmp

Filesize
40KB

Download
memory/4080-469-0x000000001C710000-0x000000001C72E000-memory.dmp

Filesize
120KB

Download
memory/4080-0-0x00007FFBE7850000-0x00007FFBE8311000-memory.dmp

Filesize
10.8MB

Download
memory/4080-6327-0x000000001AE20000-0x000000001AE28000-memory.dmp

Filesize
32KB

Download
memory/4080-3489-0x0000000002410000-0x000000000241C000-memory.dmp

Filesize
48KB

Download
memory/4080-34-0x000000001B530000-0x000000001B540000-memory.dmp

Filesize
64KB

Download
memory/4080-2-0x00007FFBE7850000-0x00007FFBE8311000-memory.dmp

Filesize
10.8MB

Download
memory/4080-1-0x0000000000170000-0x0000000000236000-memory.dmp

Filesize
792KB

Download
memory/4092-4497-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp

Filesize
2.0MB

Download
memory/4092-4498-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp

Filesize
2.0MB

Download
memory/4092-4499-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp

Filesize
2.0MB

Download
memory/4180-3985-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/4180-4054-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/4180-3986-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/4180-3987-0x0000000001B00000-0x0000000001B10000-memory.dmp

Filesize
64KB

Download
memory/4716-4501-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp

Filesize
2.0MB

Download
memory/4716-4502-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp

Filesize
2.0MB

Download
memory/4716-4503-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp

Filesize
2.0MB

Download
memory/5028-3984-0x00007FFBE7850000-0x00007FFBE8311000-memory.dmp

Filesize
10.8MB

Download
memory/5028-3983-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp

Filesize
2.0MB

Download
memory/5028-3978-0x000002405ACE0000-0x000002405ACF0000-memory.dmp

Filesize
64KB

Download
memory/5028-3979-0x000002405ACE0000-0x000002405ACF0000-memory.dmp

Filesize
64KB

Download
memory/5028-3977-0x000002405ACE0000-0x000002405ACF0000-memory.dmp

Filesize
64KB

Download
memory/5028-3971-0x00007FFBE7850000-0x00007FFBE8311000-memory.dmp

Filesize
10.8MB

Download
memory/5028-3964-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads