babylonrat | hxxps://mega[.]nz/file/L81XQTSQ#nWJScUjhSm_6pyxuQZJlXf3L3x6TmBB3bE3HTqTO8Zw

Analysis

max time kernel
70s
max time network
71s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/L81XQTSQ#nWJScUjhSm_6pyxuQZJlXf3L3x6TmBB3bE3HTqTO8Zw

Score

10^/10

babylonrat defense_evasion discovery evasion persistence trojan upx

Malware Config

Extracted

Family

babylonrat

killer114.ddns.net

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat
Babylonrat family
babylonrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Windows\\SysWOW64\\Windows Command Processer\\cmd.exe\""	cmd.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cmd.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "nqij.exe"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe\Debugger = "nqij.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe\Debugger = "nqij.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDWinSec.exe\Debugger = "nqij.exe"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "nqij.exe"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe\Debugger = "nqij.exe"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe\Debugger = "nqij.exe"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blindman.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDFiles.exe\Debugger = "nqij.exe"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\Debugger = "nqij.exe"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\Debugger = "nqij.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe\Debugger = "nqij.exe"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDMain.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\DisableExceptionChainValidation	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbampt.exe\Debugger = "nqij.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "nqij.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe\Debugger = "nqij.exe"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe\Debugger = "nqij.exe"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe\Debugger = "nqij.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = "nqij.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = "nqij.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\Debugger = "nqij.exe"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\Debugger = "nqij.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe\Debugger = "nqij.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe\Debugger = "nqij.exe"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe\Debugger = "nqij.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe\Debugger = "nqij.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe\Debugger = "nqij.exe"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe\Debugger = "nqij.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe\Debugger = "nqij.exe"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDMain.exe\Debugger = "nqij.exe"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe\Debugger = "nqij.exe"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe\Debugger = "nqij.exe"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe\Debugger = "nqij.exe"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbampt.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe\Debugger = "nqij.exe"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	bleutemp.exe

Executes dropped EXE 15 IoCs

pid	Process
5808	bleu.exe
5904	client.exe
5956	client.exe
6008	bleutemp.exe
6100	cmd.exe
5168	bleutemp.exe
3904	bleutemp.exe
5400	bleu.exe
5420	client.exe
5524	bleu.exe
4884	client.exe
4488	bleu.exe
2212	client.exe
2360	bleu.exe
5552	client.exe

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\intel = "C:\\ProgramData\\intel\\client.exe"	client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\intel = "C:\\ProgramData\\intel\\client.exe"	client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\intel = "C:\\ProgramData\\intel\\client.exe"	client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\intel = "C:\\ProgramData\\intel\\client.exe"	client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\intel = "C:\\ProgramData\\intel\\client.exe"	bleu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\intel = "C:\\ProgramData\\intel\\client.exe"	client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\intel = "C:\\ProgramData\\intel\\client.exe"	bleu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\intel = "C:\\ProgramData\\intel\\client.exe"	bleu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\intel = "C:\\ProgramData\\intel\\client.exe"	client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\intel = "C:\\ProgramData\\intel\\client.exe"	bleu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\intel = "C:\\ProgramData\\intel\\client.exe"	bleu.exe

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

remove IFEO.

defense_evasion

Clear Persistence

T1070.009

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\DisableExceptionChainValidation	cmd.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Windows Command Processer\	bleutemp.exe
File created	C:\Windows\SysWOW64\Windows Command Processer\cmd.exe	bleutemp.exe
File opened for modification	C:\Windows\SysWOW64\Windows Command Processer\cmd.exe	bleutemp.exe
File opened for modification	C:\Windows\SysWOW64\Windows Command Processer\cmd.exe	bleutemp.exe
File opened for modification	C:\Windows\SysWOW64\Windows Command Processer\cmd.exe	bleutemp.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000023cc8-216.dat	upx
behavioral1/memory/5808-217-0x0000000000210000-0x00000000002D9000-memory.dmp	upx
behavioral1/memory/5904-223-0x0000000000B80000-0x0000000000C49000-memory.dmp	upx
behavioral1/memory/5808-226-0x0000000000210000-0x00000000002D9000-memory.dmp	upx
behavioral1/memory/5904-246-0x0000000000B80000-0x0000000000C49000-memory.dmp	upx
behavioral1/memory/5956-248-0x0000000000B80000-0x0000000000C49000-memory.dmp	upx
behavioral1/memory/5400-260-0x0000000000210000-0x00000000002D9000-memory.dmp	upx
behavioral1/memory/5420-262-0x0000000000B80000-0x0000000000C49000-memory.dmp	upx
behavioral1/memory/4884-268-0x0000000000B80000-0x0000000000C49000-memory.dmp	upx
behavioral1/memory/5524-266-0x0000000000210000-0x00000000002D9000-memory.dmp	upx
behavioral1/memory/4488-272-0x0000000000210000-0x00000000002D9000-memory.dmp	upx
behavioral1/memory/2212-274-0x0000000000B80000-0x0000000000C49000-memory.dmp	upx
behavioral1/memory/2360-277-0x0000000000210000-0x00000000002D9000-memory.dmp	upx
behavioral1/memory/5552-279-0x0000000000B80000-0x0000000000C49000-memory.dmp	upx
behavioral1/memory/5904-280-0x0000000000B80000-0x0000000000C49000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bleutemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bleu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bleutemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bleutemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bleu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bleu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bleu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bleu.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3924	msedge.exe
3924	msedge.exe
4504	msedge.exe
4504	msedge.exe
4076	identity_helper.exe
4076	identity_helper.exe
3864	msedge.exe
3864	msedge.exe
6008	bleutemp.exe
6008	bleutemp.exe
6100	cmd.exe
6100	cmd.exe
5168	bleutemp.exe
5168	bleutemp.exe
3904	bleutemp.exe
3904	bleutemp.exe
6100	cmd.exe
6100	cmd.exe
6100	cmd.exe
6100	cmd.exe
6100	cmd.exe
6100	cmd.exe
6100	cmd.exe
6100	cmd.exe
6100	cmd.exe
6100	cmd.exe
6100	cmd.exe
6100	cmd.exe
6100	cmd.exe
6100	cmd.exe
6100	cmd.exe
6100	cmd.exe
6100	cmd.exe
6100	cmd.exe
6100	cmd.exe
6100	cmd.exe
6100	cmd.exe
6100	cmd.exe
6100	cmd.exe
6100	cmd.exe
6100	cmd.exe
6100	cmd.exe
6100	cmd.exe
6100	cmd.exe
6100	cmd.exe
6100	cmd.exe
6100	cmd.exe
6100	cmd.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: 33	4604	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4604	AUDIODG.EXE
Token: SeRestorePrivilege	5652	7zG.exe
Token: 35	5652	7zG.exe
Token: SeSecurityPrivilege	5652	7zG.exe
Token: SeSecurityPrivilege	5652	7zG.exe
Token: SeShutdownPrivilege	5808	bleu.exe
Token: SeDebugPrivilege	5808	bleu.exe
Token: SeTcbPrivilege	5808	bleu.exe
Token: SeShutdownPrivilege	5904	client.exe
Token: SeDebugPrivilege	5904	client.exe
Token: SeTcbPrivilege	5904	client.exe
Token: SeShutdownPrivilege	5956	client.exe
Token: SeDebugPrivilege	5956	client.exe
Token: SeTcbPrivilege	5956	client.exe
Token: SeDebugPrivilege	6008	bleutemp.exe
Token: SeDebugPrivilege	6100	cmd.exe
Token: SeDebugPrivilege	5168	bleutemp.exe
Token: SeDebugPrivilege	3904	bleutemp.exe
Token: SeShutdownPrivilege	5400	bleu.exe
Token: SeDebugPrivilege	5400	bleu.exe
Token: SeTcbPrivilege	5400	bleu.exe
Token: SeShutdownPrivilege	5420	client.exe
Token: SeDebugPrivilege	5420	client.exe
Token: SeTcbPrivilege	5420	client.exe
Token: SeShutdownPrivilege	5524	bleu.exe
Token: SeDebugPrivilege	5524	bleu.exe
Token: SeTcbPrivilege	5524	bleu.exe
Token: SeShutdownPrivilege	4884	client.exe
Token: SeDebugPrivilege	4884	client.exe
Token: SeTcbPrivilege	4884	client.exe
Token: SeShutdownPrivilege	4488	bleu.exe
Token: SeDebugPrivilege	4488	bleu.exe
Token: SeTcbPrivilege	4488	bleu.exe
Token: SeShutdownPrivilege	2212	client.exe
Token: SeDebugPrivilege	2212	client.exe
Token: SeTcbPrivilege	2212	client.exe
Token: SeShutdownPrivilege	2360	bleu.exe
Token: SeDebugPrivilege	2360	bleu.exe
Token: SeTcbPrivilege	2360	bleu.exe
Token: SeShutdownPrivilege	5552	client.exe
Token: SeDebugPrivilege	5552	client.exe
Token: SeTcbPrivilege	5552	client.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
5652	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5904	client.exe
6100	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 372	4504	msedge.exe	82
PID 4504 wrote to memory of 372	4504	msedge.exe	82
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 5004	4504	msedge.exe	83
PID 4504 wrote to memory of 3924	4504	msedge.exe	84
PID 4504 wrote to memory of 3924	4504	msedge.exe	84
PID 4504 wrote to memory of 3264	4504	msedge.exe	85
PID 4504 wrote to memory of 3264	4504	msedge.exe	85
PID 4504 wrote to memory of 3264	4504	msedge.exe	85
PID 4504 wrote to memory of 3264	4504	msedge.exe	85
PID 4504 wrote to memory of 3264	4504	msedge.exe	85
PID 4504 wrote to memory of 3264	4504	msedge.exe	85
PID 4504 wrote to memory of 3264	4504	msedge.exe	85
PID 4504 wrote to memory of 3264	4504	msedge.exe	85
PID 4504 wrote to memory of 3264	4504	msedge.exe	85
PID 4504 wrote to memory of 3264	4504	msedge.exe	85
PID 4504 wrote to memory of 3264	4504	msedge.exe	85
PID 4504 wrote to memory of 3264	4504	msedge.exe	85
PID 4504 wrote to memory of 3264	4504	msedge.exe	85
PID 4504 wrote to memory of 3264	4504	msedge.exe	85
PID 4504 wrote to memory of 3264	4504	msedge.exe	85
PID 4504 wrote to memory of 3264	4504	msedge.exe	85
PID 4504 wrote to memory of 3264	4504	msedge.exe	85
PID 4504 wrote to memory of 3264	4504	msedge.exe	85
PID 4504 wrote to memory of 3264	4504	msedge.exe	85
PID 4504 wrote to memory of 3264	4504	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/L81XQTSQ#nWJScUjhSm_6pyxuQZJlXf3L3x6TmBB3bE3HTqTO8Zw
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd0c6c46f8,0x7ffd0c6c4708,0x7ffd0c6c4718
  2⤵
  PID:372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,13729263599697175618,6626948641821581230,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1984,13729263599697175618,6626948641821581230,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2444 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1984,13729263599697175618,6626948641821581230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
  2⤵
  PID:3264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,13729263599697175618,6626948641821581230,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,13729263599697175618,6626948641821581230,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,13729263599697175618,6626948641821581230,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,13729263599697175618,6626948641821581230,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,13729263599697175618,6626948641821581230,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:8
  2⤵
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,13729263599697175618,6626948641821581230,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,13729263599697175618,6626948641821581230,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,13729263599697175618,6626948641821581230,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,13729263599697175618,6626948641821581230,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1984,13729263599697175618,6626948641821581230,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2296 /prefetch:8
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1984,13729263599697175618,6626948641821581230,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,13729263599697175618,6626948641821581230,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1984,13729263599697175618,6626948641821581230,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3392 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4188

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1504

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x518 0x4f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4604

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5356

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\bleu\" -spe -an -ai#7zMap2703:70:7zEvent25913
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5652

C:\Users\Admin\Downloads\bleu\blue\bleu.exe
"C:\Users\Admin\Downloads\bleu\blue\bleu.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5808
- C:\ProgramData\intel\client.exe
  "C:\ProgramData\intel\client.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5904
- - C:\ProgramData\intel\client.exe
    "C:\ProgramData\intel\client.exe" 5904
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5956

C:\Users\Admin\Downloads\bleu\blue\bleutemp.exe
"C:\Users\Admin\Downloads\bleu\blue\bleutemp.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6008
- C:\Windows\SysWOW64\Windows Command Processer\cmd.exe
  "C:\Windows\system32\Windows Command Processer\cmd.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Indicator Removal: Clear Persistence
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:6100

C:\Users\Admin\Downloads\bleu\blue\bleutemp.exe
"C:\Users\Admin\Downloads\bleu\blue\bleutemp.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5168

C:\Users\Admin\Downloads\bleu\blue\bleutemp.exe
"C:\Users\Admin\Downloads\bleu\blue\bleutemp.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Users\Admin\Downloads\bleu\blue\bleu.exe
"C:\Users\Admin\Downloads\bleu\blue\bleu.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5400
- C:\ProgramData\intel\client.exe
  "C:\ProgramData\intel\client.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5420

C:\Users\Admin\Downloads\bleu\blue\bleu.exe
"C:\Users\Admin\Downloads\bleu\blue\bleu.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5524
- C:\ProgramData\intel\client.exe
  "C:\ProgramData\intel\client.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4884

C:\Users\Admin\Downloads\bleu\blue\bleu.exe
"C:\Users\Admin\Downloads\bleu\blue\bleu.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4488
- C:\ProgramData\intel\client.exe
  "C:\ProgramData\intel\client.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2212

C:\Users\Admin\Downloads\bleu\blue\bleu.exe
"C:\Users\Admin\Downloads\bleu\blue\bleu.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2360
- C:\ProgramData\intel\client.exe
  "C:\ProgramData\intel\client.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

Clear Persistence

T1070.009

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\bleutemp.exe.log

Filesize
408B

MD5
e023945d55e0a46cd90b84585bb51995

SHA1
f4f7f259282b2cbfd4027db1b4e8dc1cdcd12dd9

SHA256
a33171f000df57153e343c77e31af96e23ac8b935105cf574d625efb999cb7b0

SHA512
671f9130e357dccd4f01816439fe4c8cfacfbd550ae8dbe38b09234d9193d9b43fd2f795253d984efa302a473673321da8af180e112bbc6444c8d4176c8f5c85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
1e5a4cfc9aedfacb8d43919fff3295f1

SHA1
7068379a4e75941bd9a843e255b76cee5a77390d

SHA256
1a27958b535ccfaad573e5d39c5c1b6187d03b8ee685583a607ad50cf31243c6

SHA512
98868818a1ecacf545db47e039c729dad346ae333207251b985ff3a8f9d88bcc8f7465c830963f0e40cc61286294bde17a4f12a23928d0aca68b8cf1bdd78c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e0656ba61446729587f4884efe0b3c97

SHA1
a9ffc07402e2750d835bef0b7cd26a019669f4e9

SHA256
b5c792e9d46a849d37e26fed48718a04587d3aa88b46f9b02a4a4007a557a4cf

SHA512
709f816d2409c14fdadea8fa59ed97820f055f924ee55c820a8a9c40b66a7ddbd4575bda691bbc52188abdbc3589392fc247037ba3da31d9931fafb294cd2e5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
78607375dfd3cf534c3fad32fc70bd4d

SHA1
c4ff672d4ff8f6b4862b024e8958718862f0e2ac

SHA256
ef861544ce0d1ad69480aee504a5b550f0dbbd020eb556a65969165f15323632

SHA512
eb0dcdce253150dcfdc99eafb8b4876e859cbc222b74e5e56099c96c5831ef5984fabb54f38385d39a5cef9b42ad48eaf958287db7d40312bbc6663ee4a643cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d5effddb2d05660de1d8ae8bf0db65b7

SHA1
db8fb3af74754dae8fbba453fb120bc9ef62d775

SHA256
7b5b1fed26bae573ef9f6b4709e9748730bf52072d8a6247f699fa8b9c3fa13e

SHA512
f288e7ea88f5c0ff43651c82e623bc3e64859042213b18ebe7cd033941ec5b04e82adc6fec904a9ea475c8145fc7b81b92d6eecbffc7cf77567ee56e76d8945e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
71cb2054743a1c306fdbec80283910f9

SHA1
e9bc11ea1aca73e4638d3ef4e1de971522dd1b24

SHA256
dc0e1f814581f814cf01829f024bdd9a3390266d161a1330a88e6e509c65a999

SHA512
c4d38210a956de80deda5335389f0c0b24b2c8db4f46eba4225f5c5ae917f4310a24345cdc0f7e61e45e8901081791a112fb285f9c832551afdaad4be35d5f97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57efaf.TMP

Filesize
48B

MD5
afaa4a21b1d59eceebb8c7b2b59ea56a

SHA1
e5ad3caec831668380ebcdc8ad55850f6e15f302

SHA256
546cb255efc77eebc5fcc7d07d4575df9d370602c8bee788cb2f4a88762d1554

SHA512
9349b27654d384f7c6ef330a26fc91fa1be9de0dea07987edbf90074c4a24bad9c517375b8bfb666db95e892c48c1d1f4d1f68d950346440dc8ea7bc55444bea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3d24b93a070f21dc83824a527a5a4e0f

SHA1
7e3e4b014450c5f9f2607922f34a2197462f43da

SHA256
193903d05b5b5964a91774157c8ad8e7fa56a72ee3db6b165b096eb16c4c861b

SHA512
1f1bac1206fff8818ebea38f1751056d4f44cea897567def0944414e323a2aadc2f7eef3305ee9059b57fb29c623287484e4badc434a173529218d32d734a47c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4d76a27b2aae42fe4f36eff9a0d96e26

SHA1
91f84fcbe3d81bca4d5667aa6a621a882bf0d27d

SHA256
5fbd1c56fb05f8c2eb4c80d0ea7811e08b8b71b84efbb1c507149cb3b84a58d8

SHA512
bdd8067901536cf9c820c10d98fcf8292fb75e6717f6a70408d647302ae8a4a43e4f4fc61fb7b57a8d4f410653c0e415adcd9fc82d81e7d6696db88c9a8d748a

Download Submit
C:\Users\Admin\Downloads\bleu.rar

Filesize
399KB

MD5
75794617f119bb98f6e9d10496e65b23

SHA1
7494401ccc4c2ff2acae7f5f423fb0589ae7a9bd

SHA256
a583647a5cd11fd5879f44090611cd0b1d1e64e6cf10940e3b7efd296ba2c5b2

SHA512
9efdea1e7cd7ff7f5e3e76d4fb6c11889020aa9e9f9807743ac540d532b81cd02149aa1dfa55d5b23ed58aacbde6307f7ec5d5d8c4f51ecb1c01b4c094782a44

Download Submit
C:\Users\Admin\Downloads\bleu\blue\bleu.exe

Filesize
355KB

MD5
16b803a3b9020c44b15623d8a03f872f

SHA1
39174b0e71af1f4979a95fab323d04594bb47a81

SHA256
50943e171480dc161bbc6fd338bbee4eafab4ffad9030894444631ab643c3faf

SHA512
bbab3ef89ba693819453d9be5c8ecf701b8c8918c9ecac8c12d4848ee05b03f1290ef840b51774eec8e21192ea8545e4a7c007d28c0bccaa7bd9f4e611878e57

Download Submit
C:\Users\Admin\Downloads\bleu\blue\bleutemp.exe

Filesize
118KB

MD5
67e043ff0c76a11f20607c8ef40088f8

SHA1
9dc0366b99597eb7bb71d897ae93c71ad7bcfd5b

SHA256
e25cc6dcc78c23c30744d42bb43b2585474016d1791c34f9597892b510fd8e65

SHA512
9b7315449d530b9ddeda7afa79b8da233f02bdb759091001823483f6f1f9fc3cb772f81a6c2cdf97f67200ae57acd3fd38485fe4eadd1be4e6c69b6edf2c57d8

Download Submit
memory/2212-274-0x0000000000B80000-0x0000000000C49000-memory.dmp

Filesize
804KB

Download
memory/2360-277-0x0000000000210000-0x00000000002D9000-memory.dmp

Filesize
804KB

Download
memory/4488-272-0x0000000000210000-0x00000000002D9000-memory.dmp

Filesize
804KB

Download
memory/4884-268-0x0000000000B80000-0x0000000000C49000-memory.dmp

Filesize
804KB

Download
memory/5400-260-0x0000000000210000-0x00000000002D9000-memory.dmp

Filesize
804KB

Download
memory/5420-262-0x0000000000B80000-0x0000000000C49000-memory.dmp

Filesize
804KB

Download
memory/5524-266-0x0000000000210000-0x00000000002D9000-memory.dmp

Filesize
804KB

Download
memory/5552-279-0x0000000000B80000-0x0000000000C49000-memory.dmp

Filesize
804KB

Download
memory/5808-226-0x0000000000210000-0x00000000002D9000-memory.dmp

Filesize
804KB

Download
memory/5808-217-0x0000000000210000-0x00000000002D9000-memory.dmp

Filesize
804KB

Download
memory/5904-246-0x0000000000B80000-0x0000000000C49000-memory.dmp

Filesize
804KB

Download
memory/5904-223-0x0000000000B80000-0x0000000000C49000-memory.dmp

Filesize
804KB

Download
memory/5904-280-0x0000000000B80000-0x0000000000C49000-memory.dmp

Filesize
804KB

Download
memory/5956-248-0x0000000000B80000-0x0000000000C49000-memory.dmp

Filesize
804KB

Download