njrat | db27bc172a5de048b3514746a8d78bfda52828ac10bf929fc89839b2cdc9deab

Analysis

max time kernel
382s
max time network
392s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
22-01-2025 15:34

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Lammer.exe
Size

23KB
MD5

8ef1c362e7a42893a331a657d021d665
SHA1

fdfe06f05c2a51ef8968ddc1d9a7595d694c93f8
SHA256

db27bc172a5de048b3514746a8d78bfda52828ac10bf929fc89839b2cdc9deab
SHA512

978e8ea7504b32f1d4f18a34f7822c60593ea5bda821cd63d77b7e2e9b13f4fabfc5f89ec681cbcf88669138b2936394761e4da58e223d80c3948e28148ce299
SSDEEP

384:hYmdk8XvCJrQLdRGSiEYH7Y65gPyx6BDXNRmRvR6JZlbw8hqIusZzZFP:WwWktitaeRpcnuS

Score

10^/10

njrat defense_evasion discovery persistence privilege_escalation trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Disables Task Manager via registry modification
defense_evasion

Modifies Windows Firewall 2 TTPs 3 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2448	netsh.exe
3972	netsh.exe
1332	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4069049685-955655941-4058287599-1000\Control Panel\International\Geo\Nation	Lammer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4069049685-955655941-4058287599-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4069049685-955655941-4058287599-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ded5a8703334377d83da00a864706211.exe	System.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ded5a8703334377d83da00a864706211.exe	System.exe

Executes dropped EXE 1 IoCs

pid	Process
4648	System.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4069049685-955655941-4058287599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ded5a8703334377d83da00a864706211 = "\"C:\\ProgramData\\System.exe\" .."	System.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ded5a8703334377d83da00a864706211 = "\"C:\\ProgramData\\System.exe\" .."	System.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	System.exe

Kills process with taskkill 3 IoCs

defense_evasion

pid	Process
3212	taskkill.exe
2416	taskkill.exe
4932	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4069049685-955655941-4058287599-1000_Classes\Local Settings	cmd.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4648	System.exe
Token: 33	4648	System.exe
Token: SeIncBasePriorityPrivilege	4648	System.exe
Token: 33	4648	System.exe
Token: SeIncBasePriorityPrivilege	4648	System.exe
Token: 33	1992	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1992	AUDIODG.EXE
Token: 33	4648	System.exe
Token: SeIncBasePriorityPrivilege	4648	System.exe
Token: 33	4648	System.exe
Token: SeIncBasePriorityPrivilege	4648	System.exe
Token: 33	4648	System.exe
Token: SeIncBasePriorityPrivilege	4648	System.exe
Token: 33	4648	System.exe
Token: SeIncBasePriorityPrivilege	4648	System.exe
Token: 33	4648	System.exe
Token: SeIncBasePriorityPrivilege	4648	System.exe
Token: 33	4648	System.exe
Token: SeIncBasePriorityPrivilege	4648	System.exe
Token: 33	4648	System.exe
Token: SeIncBasePriorityPrivilege	4648	System.exe
Token: 33	4648	System.exe
Token: SeIncBasePriorityPrivilege	4648	System.exe
Token: 33	4648	System.exe
Token: SeIncBasePriorityPrivilege	4648	System.exe
Token: 33	4648	System.exe
Token: SeIncBasePriorityPrivilege	4648	System.exe
Token: 33	4648	System.exe
Token: SeIncBasePriorityPrivilege	4648	System.exe
Token: 33	4648	System.exe
Token: SeIncBasePriorityPrivilege	4648	System.exe
Token: 33	4648	System.exe
Token: SeIncBasePriorityPrivilege	4648	System.exe
Token: 33	4648	System.exe
Token: SeIncBasePriorityPrivilege	4648	System.exe
Token: 33	4648	System.exe
Token: SeIncBasePriorityPrivilege	4648	System.exe
Token: 33	4648	System.exe
Token: SeIncBasePriorityPrivilege	4648	System.exe
Token: 33	4648	System.exe
Token: SeIncBasePriorityPrivilege	4648	System.exe
Token: 33	4648	System.exe
Token: SeIncBasePriorityPrivilege	4648	System.exe
Token: 33	4648	System.exe
Token: SeIncBasePriorityPrivilege	4648	System.exe
Token: 33	4648	System.exe
Token: SeIncBasePriorityPrivilege	4648	System.exe
Token: 33	4648	System.exe
Token: SeIncBasePriorityPrivilege	4648	System.exe
Token: 33	4648	System.exe
Token: SeIncBasePriorityPrivilege	4648	System.exe
Token: 33	4648	System.exe
Token: SeIncBasePriorityPrivilege	4648	System.exe
Token: 33	4648	System.exe
Token: SeIncBasePriorityPrivilege	4648	System.exe
Token: 33	4648	System.exe
Token: SeIncBasePriorityPrivilege	4648	System.exe
Token: 33	4648	System.exe
Token: SeIncBasePriorityPrivilege	4648	System.exe
Token: 33	4648	System.exe
Token: SeIncBasePriorityPrivilege	4648	System.exe
Token: 33	4648	System.exe
Token: SeIncBasePriorityPrivilege	4648	System.exe
Token: 33	4648	System.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 4648	4472	Lammer.exe	88
PID 4472 wrote to memory of 4648	4472	Lammer.exe	88
PID 4472 wrote to memory of 4648	4472	Lammer.exe	88
PID 4648 wrote to memory of 2448	4648	System.exe	91
PID 4648 wrote to memory of 2448	4648	System.exe	91
PID 4648 wrote to memory of 2448	4648	System.exe	91
PID 4648 wrote to memory of 2112	4648	System.exe	99
PID 4648 wrote to memory of 2112	4648	System.exe	99
PID 4648 wrote to memory of 2112	4648	System.exe	99
PID 2112 wrote to memory of 1108	2112	cmd.exe	101
PID 2112 wrote to memory of 1108	2112	cmd.exe	101
PID 2112 wrote to memory of 1108	2112	cmd.exe	101
PID 4648 wrote to memory of 4968	4648	System.exe	102
PID 4648 wrote to memory of 4968	4648	System.exe	102
PID 4648 wrote to memory of 4968	4648	System.exe	102
PID 4968 wrote to memory of 2356	4968	cmd.exe	104
PID 4968 wrote to memory of 2356	4968	cmd.exe	104
PID 4968 wrote to memory of 2356	4968	cmd.exe	104
PID 4648 wrote to memory of 2144	4648	System.exe	105
PID 4648 wrote to memory of 2144	4648	System.exe	105
PID 4648 wrote to memory of 2144	4648	System.exe	105
PID 2144 wrote to memory of 460	2144	cmd.exe	107
PID 2144 wrote to memory of 460	2144	cmd.exe	107
PID 2144 wrote to memory of 460	2144	cmd.exe	107
PID 4648 wrote to memory of 5032	4648	System.exe	108
PID 4648 wrote to memory of 5032	4648	System.exe	108
PID 4648 wrote to memory of 5032	4648	System.exe	108
PID 4648 wrote to memory of 2592	4648	System.exe	110
PID 4648 wrote to memory of 2592	4648	System.exe	110
PID 4648 wrote to memory of 2592	4648	System.exe	110
PID 4648 wrote to memory of 984	4648	System.exe	112
PID 4648 wrote to memory of 984	4648	System.exe	112
PID 4648 wrote to memory of 984	4648	System.exe	112
PID 4648 wrote to memory of 2992	4648	System.exe	114
PID 4648 wrote to memory of 2992	4648	System.exe	114
PID 4648 wrote to memory of 2992	4648	System.exe	114
PID 4648 wrote to memory of 4448	4648	System.exe	116
PID 4648 wrote to memory of 4448	4648	System.exe	116
PID 4648 wrote to memory of 4448	4648	System.exe	116
PID 2992 wrote to memory of 4376	2992	cmd.exe	118
PID 2992 wrote to memory of 4376	2992	cmd.exe	118
PID 2992 wrote to memory of 4376	2992	cmd.exe	118
PID 4648 wrote to memory of 3680	4648	System.exe	119
PID 4648 wrote to memory of 3680	4648	System.exe	119
PID 4648 wrote to memory of 3680	4648	System.exe	119
PID 3680 wrote to memory of 3980	3680	cmd.exe	121
PID 3680 wrote to memory of 3980	3680	cmd.exe	121
PID 3680 wrote to memory of 3980	3680	cmd.exe	121
PID 3980 wrote to memory of 728	3980	net.exe	122
PID 3980 wrote to memory of 728	3980	net.exe	122
PID 3980 wrote to memory of 728	3980	net.exe	122
PID 3680 wrote to memory of 3212	3680	cmd.exe	123
PID 3680 wrote to memory of 3212	3680	cmd.exe	123
PID 3680 wrote to memory of 3212	3680	cmd.exe	123
PID 3680 wrote to memory of 3972	3680	cmd.exe	125
PID 3680 wrote to memory of 3972	3680	cmd.exe	125
PID 3680 wrote to memory of 3972	3680	cmd.exe	125
PID 4648 wrote to memory of 3168	4648	System.exe	126
PID 4648 wrote to memory of 3168	4648	System.exe	126
PID 4648 wrote to memory of 3168	4648	System.exe	126

C:\Users\Admin\AppData\Local\Temp\Lammer.exe
"C:\Users\Admin\AppData\Local\Temp\Lammer.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4472
- C:\ProgramData\System.exe
  "C:\ProgramData\System.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\ProgramData\System.exe" "System.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp86D6.tmp.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp89D5.tmp.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4968
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8A82.tmp.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp95AE.tmp.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp988D.tmp.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9BDA.tmp.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9DC0.tmp.bat" "
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16494.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9F76.tmp.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA34F.tmp.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3680
  - - C:\Windows\SysWOW64\net.exe
      net stop MpsSvc
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3980
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MpsSvc
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:728
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /t /im FirewallControlPanel.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:3212
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall set opmode mode=disable
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:3972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA4D7.tmp.bat" "
    3⤵
    PID:3168
  - - C:\Windows\SysWOW64\net.exe
      net stop MpsSvc
      4⤵
      PID:4532
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MpsSvc
        5⤵
        
        PID:4044
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /t /im FirewallControlPanel.exe
      4⤵
      Kills process with taskkill
      PID:2416
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall set opmode mode=disable
      4⤵
      Modifies Windows Firewall
      PID:1332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA5B3.tmp.bat" "
    3⤵
    PID:1140
  - - C:\Windows\SysWOW64\taskkill.exe
      TASKKILL /F /IM EXPLORER.EXE
      4⤵
      Kills process with taskkill
      PID:4932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA73A.tmp.bat" "
    3⤵
    PID:2144
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f
      4⤵
      PID:1156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA96E.tmp.bat" "
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAA4A.tmp.bat" "
    3⤵
    PID:1148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAB16.tmp.bat" "
    3⤵
    PID:3764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAC01.tmp.bat" "
    3⤵
    PID:4168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAD1B.tmp.bat" "
    3⤵
    PID:3536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB049.tmp.bat" "
    3⤵
    PID:4560
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown -s -t 1
      4⤵
      PID:4104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB125.tmp.bat" "
    3⤵
    PID:3984
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown -s -t 1
      4⤵
      PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB1D2.tmp.bat" "
    3⤵
    PID:2496
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown -s -t 1
      4⤵
      PID:900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB29E.tmp.bat" "
    3⤵
    PID:3684
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown -s -t 1
      4⤵
      PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB406.tmp.bat" "
    3⤵
    PID:4784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB5CC.tmp.bat" "
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB7F0.tmp.bat" "
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB8BC.tmp.bat" "
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB998.tmp.bat" "
    3⤵
    PID:4300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBA45.tmp.bat" "
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBAF2.tmp.bat" "
    3⤵
    PID:3992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBC2B.tmp.bat" "
    3⤵
    PID:2756

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x384 0x48c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3954055 /state1:0x41c64e6d
1⤵
PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\System.exe

Filesize
23KB

MD5
8ef1c362e7a42893a331a657d021d665

SHA1
fdfe06f05c2a51ef8968ddc1d9a7595d694c93f8

SHA256
db27bc172a5de048b3514746a8d78bfda52828ac10bf929fc89839b2cdc9deab

SHA512
978e8ea7504b32f1d4f18a34f7822c60593ea5bda821cd63d77b7e2e9b13f4fabfc5f89ec681cbcf88669138b2936394761e4da58e223d80c3948e28148ce299

Download Submit
C:\Users\Admin\AppData\Local\Temp\11532.vbs

Filesize
15B

MD5
1571094ba67aca326126f75e3dc4891c

SHA1
5d910d777fafb73f6f32b49ccbb2d31a610e6a79

SHA256
e2998b6e6ec64c422e94a7af91f7b74916d8165ac4021f76f63f054ff65f10fa

SHA512
06191fd946c052df09bbddf1c30352469579d52bc0aa6038b18f233009961ded6c94d17fc4c874b11a3813390576a620889810b259230e143172cf38c53a3cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp86D6.tmp.bat

Filesize
136B

MD5
8f4381caf4f4466fdb23f75961e6c109

SHA1
94060d8113f25dd4872b54264cabc5ac73f95948

SHA256
e268378b2c6788f37948835806557b4d0ac887faac8a1f65989c81f4b6c6be39

SHA512
4c5968a774ae1d950e9858d9606237031c1bdc574389de1746d9d6b3861ff7954af57ba382a5555638f7f119a2e2e8ba85568cd6ee8747aad6a6bf7ce93de0d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp95AE.tmp.bat

Filesize
62B

MD5
273c2fb624cafc931245c7498e14546e

SHA1
0f0c1a86cde9c13849df8b4283ff8a79dd80ee42

SHA256
c295a1015d4bb45cb3bebe51598240444cf687f63e8aa63f647d6a8a5db54590

SHA512
7cb1908a9dd66c7bea734a657ff840087902ba070b085304cd26f0a47c396d69133cd9c5e2163f809c955f27c3f3a6b4162c6fe4441fe1804ef460f64e42ada3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp988D.tmp.bat

Filesize
71B

MD5
37f01d6ccab71305cd64f0f25445e393

SHA1
42905b9b48864f01900cff140fdda47702fd57e2

SHA256
094b4643e5948328cd0d6e4200979df6f9a0c64b6734c35ae7acce4425b03bbb

SHA512
e232c4a64e6531b98ef47e8e6b6956a0251863fe49582d291ebc11646f1c62f2c0345db8f36e40c1d13e86590884ea2c68a77c5ae96ad1cee500e526aa09f389

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9BDA.tmp.bat

Filesize
39B

MD5
d0d513a2a98a16252656b4b8515bb78a

SHA1
a2dad5ff94bd33a4f7cdded0267e07b4f0153993

SHA256
3dd9157d05ff12cdff7f1838685c88aa936add945346060bb381a943c5f97ffb

SHA512
6975573460f950e1e90702af2083ba6cb7e9b1e089c48fba9432e16aae05812b43668627e2100bb2d97ab4ffc75f1c29201147e2ad0a1d34d4459fc5b4ff686d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9DC0.tmp.bat

Filesize
114B

MD5
43e331b0b04228d37be65b4bc35d3eaa

SHA1
9b4c0308492f8e88b61b5ec3bfc5ab343781dbca

SHA256
e96b950444a3775b1f70929527ef85bdb6cb57dbdb13ea5b73ce1f91053238e5

SHA512
7b0239ee379b8f6848d362637b4ffaa18f8b9772f045bb882626f1a0f2dc693e0f5dca75a2bde9786666b3e41e5068e945f6ad6a47e86017d42bbe3510870569

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9F76.tmp.bat

Filesize
55B

MD5
97ef49efe0534021d0263f7585ae391b

SHA1
1945e01fe4f5daadaaf8582f8c9ae0999acfd041

SHA256
d2703dc20789862e79634c010c4bd348d4264a863a679e075eb018c97abd62e3

SHA512
a991da0830e78b7fa1f6902622645cbb8bee80d5f923fde3e7cf8a5ca3b9e4500aa1d8dc8e9073c0cdb155a74ba2bc78bd1db732b421101193fc90b3daf48591

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA34F.tmp.bat

Filesize
175B

MD5
4c233ae34e0e53590b756e9bc8468077

SHA1
e3d4cffdeecc863fc189b7abb14d09201241e309

SHA256
3823ed36754159b8544b630d7ad3a68415d77a6b04c2a1ed327ca3cbaeaaee79

SHA512
7a960eca6495e0a69944abacaf3e0ade18b35b1b0157414ff1f4a14932c661de26c0deea8a2066eab965a7e13513e40c2d05a279775a691223e24d3e8a8a859f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA5B3.tmp.bat

Filesize
55B

MD5
07b4bc97851f8703052e491426e0c7fa

SHA1
49faa15bebefef1bb4657b718dd22112ae6d69ae

SHA256
919e32e4e486eb117c0aa5f5359583e9e0e49062c959e120e126760647f7409c

SHA512
e04c6ec5e44b7d5245fd450ad57f30d16a95895c0dfca42a932fe6663197a6992e636381b3748c52eba665cf44aba1064ef58f8b45172bf9315f6ce07818a642

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA96E.tmp.bat

Filesize
64B

MD5
261d83fcc22e7daa1614da176d6998bb

SHA1
2bb14f7cb19e971cd0a14588df984578c230ce93

SHA256
574555774d6626789fc283ed1c7981f627429713d8a95c63fa82f52982c2fcbd

SHA512
09d1aafccfec70009545f1ea9982bfa3be15a9645b3e539a9f0b559eedd55ad5933b47a07ae26f7c4e430c981c93a4cd776d84ba4e53423c7cfde4055d94f3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB049.tmp.bat

Filesize
34B

MD5
af45a1096d1543e3b8a84eb76743e1e5

SHA1
74b3825abdc9f63ee98ce5cf02520d4fefb1e52b

SHA256
ea973f052ee5036b535a0b1593bb982861e793367980a4f4d33b6a92d0936bd4

SHA512
db55de580e493150326567ca8879b6acfb63d55ce70d5ec74cb96e21cd6d9cf6198e0afe1cea2b4d4ca49889c50e7f616034e1abb079b544a01c67abcda3b4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB406.tmp.bat

Filesize
185B

MD5
f0dfe96c58a7a81be2c6938f53e1f982

SHA1
fa31f1755bccdcdf14174f0eb30ba0cf8da41a81

SHA256
2b51af812899dad4305fccec8de8a17df5bc05ccc93c1ebac46acabde148889e

SHA512
91b40013604a84152ef8cf5fe10e5709828860857239a560d7e3a8222dec066716abe71323ddc47994ef41c862ff403a2d7041710af9a30e59f3e4e0201eadeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB7F0.tmp.bat

Filesize
76B

MD5
c8577588a762597d30f33883d7127c9c

SHA1
58bcdd75c1635e674d554b1e4ad9f24e839451a1

SHA256
18f33f0b83ced85902480d3635eeb04c43f4f1fd615f951c5232d4867f9fc9d7

SHA512
d11cc940182b4a7c7c8641c0d2d9d7fa7b4ddabf2ba6682121bef3b0c72a2d4ce2ad3c6898673196ec35822c5fb1782f63ad0d7b0d4665de4cbff2e1bea1d1f3

Download Submit
memory/4472-2-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/4472-15-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/4472-1-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/4472-0-0x00000000754C2000-0x00000000754C3000-memory.dmp

Filesize
4KB

Download
memory/4648-20-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/4648-16-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/4648-17-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/4648-18-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/4648-19-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/4648-279-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads