njrat | 6d58a49e876e1a2b53c0314e17306eff78819064b44618ae23029ffe0a5ba79f

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

matrix loder.exe
Size

55KB
MD5

9a282dfc7b4208af4e6404a9f3286afb
SHA1

2bc2dc49c846a80f92024e3f999a7d3e576fa03b
SHA256

6d58a49e876e1a2b53c0314e17306eff78819064b44618ae23029ffe0a5ba79f
SHA512

4a40417a223f79b250347c4afd1c578f6bc42ce7bdee70d5494a20a09ff40c96237eb0a376c9c49c4d48cb5484b2eca8a7c26b732460ff0c9a94d7dfcabdf7be
SSDEEP

1536:MRksDnHNwZ8Cam8LDdwsNMD2XExI3pmJm:DsDn6SKiDdwsNMD2XExI3pm

Score

10^/10

njrat discovery persistence trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 38 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\virus19.bat	matrix loder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\virus32.bat	matrix loder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\virus33.bat	matrix loder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\virus35.bat	matrix loder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\virus5.bat	matrix loder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\virus7.bat	matrix loder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\virus15.bat	matrix loder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\virus20.bat	matrix loder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\virus24.bat	matrix loder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\virus2.bat	matrix loder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\virus17.bat	matrix loder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\virus30.bat	matrix loder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\celex.exe	matrix loder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\virus1.bat	matrix loder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\virus9.bat	matrix loder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\virus13.bat	matrix loder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\virus29.bat	matrix loder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\virus6.bat	matrix loder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\virus10.bat	matrix loder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\virus11.bat	matrix loder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\virus12.bat	matrix loder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\virus27.bat	matrix loder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\virus18.bat	matrix loder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\virus22.bat	matrix loder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\virus23.bat	matrix loder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\virus16.bat	matrix loder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\virus25.bat	matrix loder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\virus26.bat	matrix loder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba504e39d49d09ba3f0b71067d651692.exe	matrix loder.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba504e39d49d09ba3f0b71067d651692.exe	matrix loder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\virus4.bat	matrix loder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\virus8.bat	matrix loder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\virus14.bat	matrix loder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\virus28.bat	matrix loder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\virus31.bat	matrix loder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\virus34.bat	matrix loder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\virus3.bat	matrix loder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\virus21.bat	matrix loder.exe

Executes dropped EXE 57 IoCs

pid	Process
2932	b91d97dc936848ed8ed9efe815030ce9.exe
2900	62a399c80cac4f80802718645911f19f.exe
2464	99f1489ac22844dc911c4bce80c4eee1.exe
1948	10b89e1cc6c84fc9818dbc64538ac789.exe
2936	a7b8df5b50bd4b729439ed5a94de014b.exe
1044	28a5b57c148047489e1315306524abc9.exe
2288	b0e5f78a17e740a3ad09eb787bc642e7.exe
1032	b75a4a4506ad46c0a7354ed4967b58e9.exe
2624	13d440fa371e42a3a1397881bdf8cede.exe
2592	d8f2b0b949c44886ab06ef8ddddb4d6b.exe
1116	57bee71234fc4fcf81d1e68f17d7fdb2.exe
2420	05aafd40abb7474cbb2750f1d739fe74.exe
2372	aa8812dfac0a4327a1304c811d9d80da.exe
2832	a526190d30a94f319bd770f57729bd5b.exe
2244	ff046f7682e5432291fae0dfcb3225e6.exe
1380	b5a06912e4694781b68967632dfdb29e.exe
1848	6948f634c810450cbe676b8edc2539f5.exe
2468	2d6ca15c83f74df2b9dc059ace16d062.exe
2300	e71c6b37c5b6478085088e01d4a34a3a.exe
2936	70bd0f7d8c644669ada98b5414ab881a.exe
2612	b9ad99fe4fa0477b9ca906c103875028.exe
2288	e52c450518d542bba2a1813003ed1f93.exe
1620	20042a5468ef4fec86248f9e8e6c2828.exe
2620	d055e392319d4624bb6d9e1bcb3b8695.exe
1204	aa5aabb3e12a4ce0a3f44c675e565e9e.exe
2992	8214ddecf0d54f3c8ccb74f8e4a1661d.exe
2108	5081444e103b44349de44fe8f11a6b1e.exe
2432	a29e511034ad41289de506e39cdc6fb9.exe
2196	abebcf77ad214f1093251a30a58e7c40.exe
2564	8be5f3c8bee3435fae948631fef6e47c.exe
1780	116477b6288947c4b4ad665d623f25b7.exe
2768	fe5b014220c74cdf9e736e2f8438654b.exe
1632	bb2f2b1c8a6d45aa8342e554f6646558.exe
1588	e759d1fba27c454dbc22ac0178e28ae2.exe
2556	8b739d6289234ef4ac4b82f973608596.exe
1764	ad254b6ff7904fbbb164cf9602e19879.exe
2980	8b775ac9bf334a72b81771d9bd50959a.exe
1268	4df6cac860514f998be3af7bf45ade73.exe
1820	4c945345f3f54ab6abe1a422da6e22fe.exe
988	ce86c8a847a34a749ba48865f41a07b6.exe
1532	e208fdae97784d0fb68c48925de3339c.exe
2148	e1ecb5aeb42a4e1ea9688ebd26ccee43.exe
2480	0113708fb816401abdb309becc7e87f3.exe
448	0ac14e222a304e7ab8aa5868a0088f34.exe
2144	7734e15b81fe43259b7dc3632e4eb961.exe
860	7727b8fc7ff24822801d3229f14d0ac0.exe
1840	c5e14558677b4a8fb1c37e63f4333bf4.exe
1324	aeebf92c0c154207beeb6347220e6aaa.exe
2544	6bd533fd44fe411698aef4c390c6677c.exe
2452	e81dd560e04b45db8785387898e275f6.exe
1896	76b20a033d524c30beeb39ae271d4c78.exe
320	82173e2138f241538ebbb3cf0a8eabef.exe
2956	3927456dbac34f10b0a6f3e13e891ae1.exe
1760	76673742408e4182a3af1a31d9348936.exe
1608	4b0ad6faf84048d19f20d570ed6d7516.exe
2380	9ee71542da4d4f00aaea60193953a144.exe
776	cb8c72e158764f6aa9cf901f744ef798.exe

Loads dropped DLL 57 IoCs

pid	Process
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ba504e39d49d09ba3f0b71067d651692 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\matrix loder.exe\" .."	matrix loder.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ba504e39d49d09ba3f0b71067d651692 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\matrix loder.exe\" .."	matrix loder.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	matrix loder.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe
2648	matrix loder.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2648	matrix loder.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	matrix loder.exe
Token: 33	2648	matrix loder.exe
Token: SeIncBasePriorityPrivilege	2648	matrix loder.exe
Token: 33	2648	matrix loder.exe
Token: SeIncBasePriorityPrivilege	2648	matrix loder.exe
Token: 33	2648	matrix loder.exe
Token: SeIncBasePriorityPrivilege	2648	matrix loder.exe
Token: 33	2648	matrix loder.exe
Token: SeIncBasePriorityPrivilege	2648	matrix loder.exe
Token: 33	2648	matrix loder.exe
Token: SeIncBasePriorityPrivilege	2648	matrix loder.exe
Token: 33	2648	matrix loder.exe
Token: SeIncBasePriorityPrivilege	2648	matrix loder.exe
Token: SeDebugPrivilege	2932	b91d97dc936848ed8ed9efe815030ce9.exe
Token: 33	2648	matrix loder.exe
Token: SeIncBasePriorityPrivilege	2648	matrix loder.exe
Token: 33	2648	matrix loder.exe
Token: SeIncBasePriorityPrivilege	2648	matrix loder.exe
Token: 33	2648	matrix loder.exe
Token: SeIncBasePriorityPrivilege	2648	matrix loder.exe
Token: 33	2648	matrix loder.exe
Token: SeIncBasePriorityPrivilege	2648	matrix loder.exe
Token: 33	2648	matrix loder.exe
Token: SeIncBasePriorityPrivilege	2648	matrix loder.exe
Token: 33	2648	matrix loder.exe
Token: SeIncBasePriorityPrivilege	2648	matrix loder.exe
Token: 33	2648	matrix loder.exe
Token: SeIncBasePriorityPrivilege	2648	matrix loder.exe
Token: 33	2648	matrix loder.exe
Token: SeIncBasePriorityPrivilege	2648	matrix loder.exe
Token: 33	2648	matrix loder.exe
Token: SeIncBasePriorityPrivilege	2648	matrix loder.exe
Token: 33	2648	matrix loder.exe
Token: SeIncBasePriorityPrivilege	2648	matrix loder.exe
Token: 33	2648	matrix loder.exe
Token: SeIncBasePriorityPrivilege	2648	matrix loder.exe
Token: 33	2648	matrix loder.exe
Token: SeIncBasePriorityPrivilege	2648	matrix loder.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2648	matrix loder.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2932	2648	matrix loder.exe	32
PID 2648 wrote to memory of 2932	2648	matrix loder.exe	32
PID 2648 wrote to memory of 2932	2648	matrix loder.exe	32
PID 2648 wrote to memory of 2932	2648	matrix loder.exe	32
PID 2648 wrote to memory of 2900	2648	matrix loder.exe	33
PID 2648 wrote to memory of 2900	2648	matrix loder.exe	33
PID 2648 wrote to memory of 2900	2648	matrix loder.exe	33
PID 2648 wrote to memory of 2900	2648	matrix loder.exe	33
PID 2648 wrote to memory of 2464	2648	matrix loder.exe	34
PID 2648 wrote to memory of 2464	2648	matrix loder.exe	34
PID 2648 wrote to memory of 2464	2648	matrix loder.exe	34
PID 2648 wrote to memory of 2464	2648	matrix loder.exe	34
PID 2648 wrote to memory of 1948	2648	matrix loder.exe	35
PID 2648 wrote to memory of 1948	2648	matrix loder.exe	35
PID 2648 wrote to memory of 1948	2648	matrix loder.exe	35
PID 2648 wrote to memory of 1948	2648	matrix loder.exe	35
PID 2648 wrote to memory of 2936	2648	matrix loder.exe	36
PID 2648 wrote to memory of 2936	2648	matrix loder.exe	36
PID 2648 wrote to memory of 2936	2648	matrix loder.exe	36
PID 2648 wrote to memory of 2936	2648	matrix loder.exe	36
PID 2648 wrote to memory of 1044	2648	matrix loder.exe	37
PID 2648 wrote to memory of 1044	2648	matrix loder.exe	37
PID 2648 wrote to memory of 1044	2648	matrix loder.exe	37
PID 2648 wrote to memory of 1044	2648	matrix loder.exe	37
PID 2648 wrote to memory of 2288	2648	matrix loder.exe	38
PID 2648 wrote to memory of 2288	2648	matrix loder.exe	38
PID 2648 wrote to memory of 2288	2648	matrix loder.exe	38
PID 2648 wrote to memory of 2288	2648	matrix loder.exe	38
PID 2648 wrote to memory of 1032	2648	matrix loder.exe	39
PID 2648 wrote to memory of 1032	2648	matrix loder.exe	39
PID 2648 wrote to memory of 1032	2648	matrix loder.exe	39
PID 2648 wrote to memory of 1032	2648	matrix loder.exe	39
PID 2648 wrote to memory of 2624	2648	matrix loder.exe	40
PID 2648 wrote to memory of 2624	2648	matrix loder.exe	40
PID 2648 wrote to memory of 2624	2648	matrix loder.exe	40
PID 2648 wrote to memory of 2624	2648	matrix loder.exe	40
PID 2648 wrote to memory of 2592	2648	matrix loder.exe	41
PID 2648 wrote to memory of 2592	2648	matrix loder.exe	41
PID 2648 wrote to memory of 2592	2648	matrix loder.exe	41
PID 2648 wrote to memory of 2592	2648	matrix loder.exe	41
PID 2648 wrote to memory of 1116	2648	matrix loder.exe	42
PID 2648 wrote to memory of 1116	2648	matrix loder.exe	42
PID 2648 wrote to memory of 1116	2648	matrix loder.exe	42
PID 2648 wrote to memory of 1116	2648	matrix loder.exe	42
PID 2648 wrote to memory of 2420	2648	matrix loder.exe	43
PID 2648 wrote to memory of 2420	2648	matrix loder.exe	43
PID 2648 wrote to memory of 2420	2648	matrix loder.exe	43
PID 2648 wrote to memory of 2420	2648	matrix loder.exe	43
PID 2648 wrote to memory of 2372	2648	matrix loder.exe	44
PID 2648 wrote to memory of 2372	2648	matrix loder.exe	44
PID 2648 wrote to memory of 2372	2648	matrix loder.exe	44
PID 2648 wrote to memory of 2372	2648	matrix loder.exe	44
PID 2648 wrote to memory of 2832	2648	matrix loder.exe	45
PID 2648 wrote to memory of 2832	2648	matrix loder.exe	45
PID 2648 wrote to memory of 2832	2648	matrix loder.exe	45
PID 2648 wrote to memory of 2832	2648	matrix loder.exe	45
PID 2648 wrote to memory of 2244	2648	matrix loder.exe	46
PID 2648 wrote to memory of 2244	2648	matrix loder.exe	46
PID 2648 wrote to memory of 2244	2648	matrix loder.exe	46
PID 2648 wrote to memory of 2244	2648	matrix loder.exe	46
PID 2648 wrote to memory of 1380	2648	matrix loder.exe	47
PID 2648 wrote to memory of 1380	2648	matrix loder.exe	47
PID 2648 wrote to memory of 1380	2648	matrix loder.exe	47
PID 2648 wrote to memory of 1380	2648	matrix loder.exe	47

C:\Users\Admin\AppData\Local\Temp\matrix loder.exe
"C:\Users\Admin\AppData\Local\Temp\matrix loder.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\b91d97dc936848ed8ed9efe815030ce9.exe
  "C:\Users\Admin\AppData\Local\Temp\b91d97dc936848ed8ed9efe815030ce9.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Users\Admin\AppData\Local\Temp\62a399c80cac4f80802718645911f19f.exe
  "C:\Users\Admin\AppData\Local\Temp\62a399c80cac4f80802718645911f19f.exe"
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Users\Admin\AppData\Local\Temp\99f1489ac22844dc911c4bce80c4eee1.exe
  "C:\Users\Admin\AppData\Local\Temp\99f1489ac22844dc911c4bce80c4eee1.exe"
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Users\Admin\AppData\Local\Temp\10b89e1cc6c84fc9818dbc64538ac789.exe
  "C:\Users\Admin\AppData\Local\Temp\10b89e1cc6c84fc9818dbc64538ac789.exe"
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Users\Admin\AppData\Local\Temp\a7b8df5b50bd4b729439ed5a94de014b.exe
  "C:\Users\Admin\AppData\Local\Temp\a7b8df5b50bd4b729439ed5a94de014b.exe"
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Users\Admin\AppData\Local\Temp\28a5b57c148047489e1315306524abc9.exe
  "C:\Users\Admin\AppData\Local\Temp\28a5b57c148047489e1315306524abc9.exe"
  2⤵
  - Executes dropped EXE
  PID:1044
- C:\Users\Admin\AppData\Local\Temp\b0e5f78a17e740a3ad09eb787bc642e7.exe
  "C:\Users\Admin\AppData\Local\Temp\b0e5f78a17e740a3ad09eb787bc642e7.exe"
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Users\Admin\AppData\Local\Temp\b75a4a4506ad46c0a7354ed4967b58e9.exe
  "C:\Users\Admin\AppData\Local\Temp\b75a4a4506ad46c0a7354ed4967b58e9.exe"
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Users\Admin\AppData\Local\Temp\13d440fa371e42a3a1397881bdf8cede.exe
  "C:\Users\Admin\AppData\Local\Temp\13d440fa371e42a3a1397881bdf8cede.exe"
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Users\Admin\AppData\Local\Temp\d8f2b0b949c44886ab06ef8ddddb4d6b.exe
  "C:\Users\Admin\AppData\Local\Temp\d8f2b0b949c44886ab06ef8ddddb4d6b.exe"
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Users\Admin\AppData\Local\Temp\57bee71234fc4fcf81d1e68f17d7fdb2.exe
  "C:\Users\Admin\AppData\Local\Temp\57bee71234fc4fcf81d1e68f17d7fdb2.exe"
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Users\Admin\AppData\Local\Temp\05aafd40abb7474cbb2750f1d739fe74.exe
  "C:\Users\Admin\AppData\Local\Temp\05aafd40abb7474cbb2750f1d739fe74.exe"
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Users\Admin\AppData\Local\Temp\aa8812dfac0a4327a1304c811d9d80da.exe
  "C:\Users\Admin\AppData\Local\Temp\aa8812dfac0a4327a1304c811d9d80da.exe"
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Users\Admin\AppData\Local\Temp\a526190d30a94f319bd770f57729bd5b.exe
  "C:\Users\Admin\AppData\Local\Temp\a526190d30a94f319bd770f57729bd5b.exe"
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Users\Admin\AppData\Local\Temp\ff046f7682e5432291fae0dfcb3225e6.exe
  "C:\Users\Admin\AppData\Local\Temp\ff046f7682e5432291fae0dfcb3225e6.exe"
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Users\Admin\AppData\Local\Temp\b5a06912e4694781b68967632dfdb29e.exe
  "C:\Users\Admin\AppData\Local\Temp\b5a06912e4694781b68967632dfdb29e.exe"
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Users\Admin\AppData\Local\Temp\6948f634c810450cbe676b8edc2539f5.exe
  "C:\Users\Admin\AppData\Local\Temp\6948f634c810450cbe676b8edc2539f5.exe"
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Users\Admin\AppData\Local\Temp\2d6ca15c83f74df2b9dc059ace16d062.exe
  "C:\Users\Admin\AppData\Local\Temp\2d6ca15c83f74df2b9dc059ace16d062.exe"
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Users\Admin\AppData\Local\Temp\e71c6b37c5b6478085088e01d4a34a3a.exe
  "C:\Users\Admin\AppData\Local\Temp\e71c6b37c5b6478085088e01d4a34a3a.exe"
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Users\Admin\AppData\Local\Temp\70bd0f7d8c644669ada98b5414ab881a.exe
  "C:\Users\Admin\AppData\Local\Temp\70bd0f7d8c644669ada98b5414ab881a.exe"
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Users\Admin\AppData\Local\Temp\b9ad99fe4fa0477b9ca906c103875028.exe
  "C:\Users\Admin\AppData\Local\Temp\b9ad99fe4fa0477b9ca906c103875028.exe"
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Users\Admin\AppData\Local\Temp\e52c450518d542bba2a1813003ed1f93.exe
  "C:\Users\Admin\AppData\Local\Temp\e52c450518d542bba2a1813003ed1f93.exe"
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Users\Admin\AppData\Local\Temp\20042a5468ef4fec86248f9e8e6c2828.exe
  "C:\Users\Admin\AppData\Local\Temp\20042a5468ef4fec86248f9e8e6c2828.exe"
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Users\Admin\AppData\Local\Temp\d055e392319d4624bb6d9e1bcb3b8695.exe
  "C:\Users\Admin\AppData\Local\Temp\d055e392319d4624bb6d9e1bcb3b8695.exe"
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Users\Admin\AppData\Local\Temp\aa5aabb3e12a4ce0a3f44c675e565e9e.exe
  "C:\Users\Admin\AppData\Local\Temp\aa5aabb3e12a4ce0a3f44c675e565e9e.exe"
  2⤵
  - Executes dropped EXE
  PID:1204
- C:\Users\Admin\AppData\Local\Temp\8214ddecf0d54f3c8ccb74f8e4a1661d.exe
  "C:\Users\Admin\AppData\Local\Temp\8214ddecf0d54f3c8ccb74f8e4a1661d.exe"
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Users\Admin\AppData\Local\Temp\5081444e103b44349de44fe8f11a6b1e.exe
  "C:\Users\Admin\AppData\Local\Temp\5081444e103b44349de44fe8f11a6b1e.exe"
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Users\Admin\AppData\Local\Temp\a29e511034ad41289de506e39cdc6fb9.exe
  "C:\Users\Admin\AppData\Local\Temp\a29e511034ad41289de506e39cdc6fb9.exe"
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Users\Admin\AppData\Local\Temp\abebcf77ad214f1093251a30a58e7c40.exe
  "C:\Users\Admin\AppData\Local\Temp\abebcf77ad214f1093251a30a58e7c40.exe"
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Users\Admin\AppData\Local\Temp\8be5f3c8bee3435fae948631fef6e47c.exe
  "C:\Users\Admin\AppData\Local\Temp\8be5f3c8bee3435fae948631fef6e47c.exe"
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Users\Admin\AppData\Local\Temp\116477b6288947c4b4ad665d623f25b7.exe
  "C:\Users\Admin\AppData\Local\Temp\116477b6288947c4b4ad665d623f25b7.exe"
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Users\Admin\AppData\Local\Temp\fe5b014220c74cdf9e736e2f8438654b.exe
  "C:\Users\Admin\AppData\Local\Temp\fe5b014220c74cdf9e736e2f8438654b.exe"
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Users\Admin\AppData\Local\Temp\bb2f2b1c8a6d45aa8342e554f6646558.exe
  "C:\Users\Admin\AppData\Local\Temp\bb2f2b1c8a6d45aa8342e554f6646558.exe"
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Users\Admin\AppData\Local\Temp\e759d1fba27c454dbc22ac0178e28ae2.exe
  "C:\Users\Admin\AppData\Local\Temp\e759d1fba27c454dbc22ac0178e28ae2.exe"
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Users\Admin\AppData\Local\Temp\8b739d6289234ef4ac4b82f973608596.exe
  "C:\Users\Admin\AppData\Local\Temp\8b739d6289234ef4ac4b82f973608596.exe"
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Users\Admin\AppData\Local\Temp\ad254b6ff7904fbbb164cf9602e19879.exe
  "C:\Users\Admin\AppData\Local\Temp\ad254b6ff7904fbbb164cf9602e19879.exe"
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Users\Admin\AppData\Local\Temp\8b775ac9bf334a72b81771d9bd50959a.exe
  "C:\Users\Admin\AppData\Local\Temp\8b775ac9bf334a72b81771d9bd50959a.exe"
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Users\Admin\AppData\Local\Temp\4df6cac860514f998be3af7bf45ade73.exe
  "C:\Users\Admin\AppData\Local\Temp\4df6cac860514f998be3af7bf45ade73.exe"
  2⤵
  - Executes dropped EXE
  PID:1268
- C:\Users\Admin\AppData\Local\Temp\4c945345f3f54ab6abe1a422da6e22fe.exe
  "C:\Users\Admin\AppData\Local\Temp\4c945345f3f54ab6abe1a422da6e22fe.exe"
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Users\Admin\AppData\Local\Temp\ce86c8a847a34a749ba48865f41a07b6.exe
  "C:\Users\Admin\AppData\Local\Temp\ce86c8a847a34a749ba48865f41a07b6.exe"
  2⤵
  - Executes dropped EXE
  PID:988
- C:\Users\Admin\AppData\Local\Temp\e208fdae97784d0fb68c48925de3339c.exe
  "C:\Users\Admin\AppData\Local\Temp\e208fdae97784d0fb68c48925de3339c.exe"
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Users\Admin\AppData\Local\Temp\e1ecb5aeb42a4e1ea9688ebd26ccee43.exe
  "C:\Users\Admin\AppData\Local\Temp\e1ecb5aeb42a4e1ea9688ebd26ccee43.exe"
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\Users\Admin\AppData\Local\Temp\0113708fb816401abdb309becc7e87f3.exe
  "C:\Users\Admin\AppData\Local\Temp\0113708fb816401abdb309becc7e87f3.exe"
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Users\Admin\AppData\Local\Temp\0ac14e222a304e7ab8aa5868a0088f34.exe
  "C:\Users\Admin\AppData\Local\Temp\0ac14e222a304e7ab8aa5868a0088f34.exe"
  2⤵
  - Executes dropped EXE
  PID:448
- C:\Users\Admin\AppData\Local\Temp\7734e15b81fe43259b7dc3632e4eb961.exe
  "C:\Users\Admin\AppData\Local\Temp\7734e15b81fe43259b7dc3632e4eb961.exe"
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Users\Admin\AppData\Local\Temp\7727b8fc7ff24822801d3229f14d0ac0.exe
  "C:\Users\Admin\AppData\Local\Temp\7727b8fc7ff24822801d3229f14d0ac0.exe"
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Users\Admin\AppData\Local\Temp\c5e14558677b4a8fb1c37e63f4333bf4.exe
  "C:\Users\Admin\AppData\Local\Temp\c5e14558677b4a8fb1c37e63f4333bf4.exe"
  2⤵
  - Executes dropped EXE
  PID:1840
- C:\Users\Admin\AppData\Local\Temp\aeebf92c0c154207beeb6347220e6aaa.exe
  "C:\Users\Admin\AppData\Local\Temp\aeebf92c0c154207beeb6347220e6aaa.exe"
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Users\Admin\AppData\Local\Temp\6bd533fd44fe411698aef4c390c6677c.exe
  "C:\Users\Admin\AppData\Local\Temp\6bd533fd44fe411698aef4c390c6677c.exe"
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Users\Admin\AppData\Local\Temp\e81dd560e04b45db8785387898e275f6.exe
  "C:\Users\Admin\AppData\Local\Temp\e81dd560e04b45db8785387898e275f6.exe"
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Users\Admin\AppData\Local\Temp\76b20a033d524c30beeb39ae271d4c78.exe
  "C:\Users\Admin\AppData\Local\Temp\76b20a033d524c30beeb39ae271d4c78.exe"
  2⤵
  - Executes dropped EXE
  PID:1896
- C:\Users\Admin\AppData\Local\Temp\82173e2138f241538ebbb3cf0a8eabef.exe
  "C:\Users\Admin\AppData\Local\Temp\82173e2138f241538ebbb3cf0a8eabef.exe"
  2⤵
  - Executes dropped EXE
  PID:320
- C:\Users\Admin\AppData\Local\Temp\3927456dbac34f10b0a6f3e13e891ae1.exe
  "C:\Users\Admin\AppData\Local\Temp\3927456dbac34f10b0a6f3e13e891ae1.exe"
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Users\Admin\AppData\Local\Temp\76673742408e4182a3af1a31d9348936.exe
  "C:\Users\Admin\AppData\Local\Temp\76673742408e4182a3af1a31d9348936.exe"
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Users\Admin\AppData\Local\Temp\4b0ad6faf84048d19f20d570ed6d7516.exe
  "C:\Users\Admin\AppData\Local\Temp\4b0ad6faf84048d19f20d570ed6d7516.exe"
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Users\Admin\AppData\Local\Temp\9ee71542da4d4f00aaea60193953a144.exe
  "C:\Users\Admin\AppData\Local\Temp\9ee71542da4d4f00aaea60193953a144.exe"
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Users\Admin\AppData\Local\Temp\cb8c72e158764f6aa9cf901f744ef798.exe
  "C:\Users\Admin\AppData\Local\Temp\cb8c72e158764f6aa9cf901f744ef798.exe"
  2⤵
  - Executes dropped EXE
  PID:776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\62a399c80cac4f80802718645911f19f.exe

Filesize
961KB

MD5
4723c3c04794c09bbcb6e03f48440f15

SHA1
a5ef69c9dc9eacc2099d9c239146a0e360f1837f

SHA256
0d635f035cdb2fd3afda768cd631481ff980957b614a3cf3fca6c592c6c06470

SHA512
5b68e1cd3d6bb85b5f449014cc288423faea76ff0ecf8834047dac1ed6e84c4d858a7ed23abe3625d781391f636893736bf5c00474ad0995e75611c1557c5c4a

Download Submit
\Users\Admin\AppData\Local\Temp\a526190d30a94f319bd770f57729bd5b.exe

Filesize
997KB

MD5
28aaac578be4ce06cb695e4f927b4302

SHA1
880ab0560b81e05e920f9ec1d6c0ecf5e04eaa7e

SHA256
8929d3b749ff91527b8e407eff6bde4bb0bb27739313b5c0db0434cbf700dbfc

SHA512
068698bda0543c773b36830f6760456e40e9046d9d20089ad88cb646ef5c7bd6c6716c6d59cfc7abd5bffb9129f5a7076e2f9c9b321795f224923f00b7b91374

Download Submit
\Users\Admin\AppData\Local\Temp\b0e5f78a17e740a3ad09eb787bc642e7.exe

Filesize
844KB

MD5
8cac1595b184f66d7a122af38d5dfe71

SHA1
e0bc0162472edf77a05134e77b540663ac050ab6

SHA256
00201a2fd4916193c9c7bbba7be6a77fa5876085480b67da4e1228fd8b23ae5f

SHA512
88d3753ce73bbf95ee1fdbdff21eb9331e59ca92cfa5c489f141c07dc90871e3032e331c9dd77b1fec4522add3ac25c51d5c699d7801a5343dd2ae447c60f8f8

Download Submit
\Users\Admin\AppData\Local\Temp\b91d97dc936848ed8ed9efe815030ce9.exe

Filesize
16KB

MD5
683bcb1f86f4410931abe39a63eb7057

SHA1
d338aac5ff479fc94d3c840e862665de1dac8c8f

SHA256
c9f03a39789f7322ae43604db6ce7da86765ad4b13207091683cf47bdea8de12

SHA512
60b596947d93fdb196fcf338af92d26cdd82396283316352ead078ce1a85943bb85264901318f7061e6b0e49058ace521831a9275c025526373d9168c757cdd2

Download Submit
\Users\Admin\AppData\Local\Temp\e71c6b37c5b6478085088e01d4a34a3a.exe

Filesize
583KB

MD5
320b1115164e8b5e1316d86eb29cd299

SHA1
bc046d8b14359a7a2bebdecbb819e76c47d84d1b

SHA256
d88f5b00da5f05ab7f55fd7c414bb56aaf47e9f51365aaabd71f3ace3cc77523

SHA512
fab558cf31aa79caf8e4f6e5649e4e484de3e29bae1386aa61749b70e8c791d74b01fa964501d4755c7688d0420e932f30e36699a2fe4488fae82ee23558afd0

Download Submit
memory/2648-1-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2648-2-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2648-4-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2648-5-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2648-6-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2648-7-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2648-0-0x00000000742E1000-0x00000000742E2000-memory.dmp

Filesize
4KB

Download
memory/2932-36-0x000007FEF4E60000-0x000007FEF57FD000-memory.dmp

Filesize
9.6MB

Download
memory/2932-50-0x000007FEF511E000-0x000007FEF511F000-memory.dmp

Filesize
4KB

Download
memory/2932-51-0x000007FEF4E60000-0x000007FEF57FD000-memory.dmp

Filesize
9.6MB

Download
memory/2932-64-0x000007FEF4E60000-0x000007FEF57FD000-memory.dmp

Filesize
9.6MB

Download
memory/2932-65-0x000007FEF4E60000-0x000007FEF57FD000-memory.dmp

Filesize
9.6MB

Download
memory/2932-37-0x000007FEF4E60000-0x000007FEF57FD000-memory.dmp

Filesize
9.6MB

Download
memory/2932-35-0x000007FEF4E60000-0x000007FEF57FD000-memory.dmp

Filesize
9.6MB

Download
memory/2932-34-0x000007FEF511E000-0x000007FEF511F000-memory.dmp

Filesize
4KB

Download