njrat | f5c542679e18756fcaaf434a1df9ecee261c8fa6788b75dc64c458e4eef15f2d

Analysis

max time kernel
482s
max time network
479s
platform
windows11-21h2_x64
resource
win11-20250207-es
resource tags

arch:x64arch:x86image:win11-20250207-eslocale:es-esos:windows11-21h2-x64systemwindows
submitted
08-02-2025 08:20

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

lmlmdos.exe
Size

23KB
MD5

5eb67cac2f9ef8a548ba327896909cda
SHA1

b8f3612f2d00c581387b02a615ad178874b51329
SHA256

f5c542679e18756fcaaf434a1df9ecee261c8fa6788b75dc64c458e4eef15f2d
SHA512

40665518a5451f7bd86ca1e3ad58cec178566c0f45fde647e76c2bb8d81611ca61fe1974cb97988065239005ca63fc9de0c449d45357ee90a8a99ccd30a5415f
SSDEEP

384:XweXCQIreJig/8Z7SS1fEBpng6tgL2IBPZVmRvR6JZlbw8hqIusZzZQy:oLq411eRpcnuI

Score

10^/10

njrat bootkit defense_evasion discovery persistence privilege_escalation trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Disables RegEdit via registry modification 2 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1387034853-841019411-4036473919-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	tmp245C.tmp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1387034853-841019411-4036473919-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	tmpFF2F.tmp.exe

Disables Task Manager via registry modification
defense_evasion

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4032	netsh.exe
4460	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\052a8691abcf06ff30b5f4c68922a91f.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\052a8691abcf06ff30b5f4c68922a91f.exe	server.exe

Executes dropped EXE 16 IoCs

pid	Process
4092	server.exe
1928	tmpFC48.tmp.exe
4888	Mlzlz.exe
1048	MMLo7.exe
2640	Commandos.exe
4352	.exe
1936	tmpFF2F.tmp.exe
2620	tmp245C.tmp.exe
2900	tmpCE97.tmp.COM
1736	server.exe
4116	MBR2.exe
4280	TROLL5.exe
2368	TROLL2.exe
2940	MatrixMBR.exe
4604	GDI.exe
892	MBR.exe

Loads dropped DLL 2 IoCs

pid	Process
4888	Mlzlz.exe
4888	Mlzlz.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1387034853-841019411-4036473919-1000\Software\Microsoft\Windows\CurrentVersion\Run\052a8691abcf06ff30b5f4c68922a91f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\052a8691abcf06ff30b5f4c68922a91f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	.exe
File opened for modification	\??\PhysicalDrive0	tmpFF2F.tmp.exe
File opened for modification	\??\PhysicalDrive0	tmp245C.tmp.exe
File opened for modification	\??\PhysicalDrive0	MBR.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\MatrixMBR.exe	MBR2.exe
File opened for modification	C:\Windows\System32\MatrixMBR.exe	MBR2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlzlz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TROLL5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MBR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wermgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MMLo7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TROLL2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lmlmdos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpFF2F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp245C.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GDI.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3376	MicrosoftEdgeUpdate.exe
1732	MicrosoftEdgeUpdate.exe
1268	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Mlzlz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Mlzlz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Mlzlz.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1387034853-841019411-4036473919-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1387034853-841019411-4036473919-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1387034853-841019411-4036473919-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1387034853-841019411-4036473919-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1387034853-841019411-4036473919-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe
1048	MMLo7.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4092	server.exe
Token: 33	4092	server.exe
Token: SeIncBasePriorityPrivilege	4092	server.exe
Token: 33	4092	server.exe
Token: SeIncBasePriorityPrivilege	4092	server.exe
Token: 33	4092	server.exe
Token: SeIncBasePriorityPrivilege	4092	server.exe
Token: 33	4092	server.exe
Token: SeIncBasePriorityPrivilege	4092	server.exe
Token: 33	4092	server.exe
Token: SeIncBasePriorityPrivilege	4092	server.exe
Token: 33	4092	server.exe
Token: SeIncBasePriorityPrivilege	4092	server.exe
Token: 33	4092	server.exe
Token: SeIncBasePriorityPrivilege	4092	server.exe
Token: 33	4092	server.exe
Token: SeIncBasePriorityPrivilege	4092	server.exe
Token: 33	4092	server.exe
Token: SeIncBasePriorityPrivilege	4092	server.exe
Token: SeDebugPrivilege	1048	MMLo7.exe
Token: SeDebugPrivilege	4352	.exe
Token: SeDebugPrivilege	4352	.exe
Token: 33	4092	server.exe
Token: SeIncBasePriorityPrivilege	4092	server.exe
Token: 33	4092	server.exe
Token: SeIncBasePriorityPrivilege	4092	server.exe
Token: 33	4092	server.exe
Token: SeIncBasePriorityPrivilege	4092	server.exe
Token: 33	4092	server.exe
Token: SeIncBasePriorityPrivilege	4092	server.exe
Token: 33	4092	server.exe
Token: SeIncBasePriorityPrivilege	4092	server.exe
Token: 33	4092	server.exe
Token: SeIncBasePriorityPrivilege	4092	server.exe
Token: 33	4092	server.exe
Token: SeIncBasePriorityPrivilege	4092	server.exe
Token: 33	4092	server.exe
Token: SeIncBasePriorityPrivilege	4092	server.exe
Token: 33	4092	server.exe
Token: SeIncBasePriorityPrivilege	4092	server.exe
Token: 33	4092	server.exe
Token: SeIncBasePriorityPrivilege	4092	server.exe
Token: 33	4092	server.exe
Token: SeIncBasePriorityPrivilege	4092	server.exe
Token: 33	4092	server.exe
Token: SeIncBasePriorityPrivilege	4092	server.exe
Token: 33	4092	server.exe
Token: SeIncBasePriorityPrivilege	4092	server.exe
Token: 33	4092	server.exe
Token: SeIncBasePriorityPrivilege	4092	server.exe
Token: 33	4092	server.exe
Token: SeIncBasePriorityPrivilege	4092	server.exe
Token: 33	4092	server.exe
Token: SeIncBasePriorityPrivilege	4092	server.exe
Token: 33	4092	server.exe
Token: SeIncBasePriorityPrivilege	4092	server.exe
Token: 33	4092	server.exe
Token: SeIncBasePriorityPrivilege	4092	server.exe
Token: 33	4092	server.exe
Token: SeIncBasePriorityPrivilege	4092	server.exe
Token: 33	4092	server.exe
Token: SeIncBasePriorityPrivilege	4092	server.exe
Token: 33	4092	server.exe
Token: SeIncBasePriorityPrivilege	4092	server.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3284	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 4092	4736	lmlmdos.exe	89
PID 4736 wrote to memory of 4092	4736	lmlmdos.exe	89
PID 4736 wrote to memory of 4092	4736	lmlmdos.exe	89
PID 4092 wrote to memory of 4460	4092	server.exe	90
PID 4092 wrote to memory of 4460	4092	server.exe	90
PID 4092 wrote to memory of 4460	4092	server.exe	90
PID 4092 wrote to memory of 1928	4092	server.exe	102
PID 4092 wrote to memory of 1928	4092	server.exe	102
PID 1928 wrote to memory of 4888	1928	tmpFC48.tmp.exe	103
PID 1928 wrote to memory of 4888	1928	tmpFC48.tmp.exe	103
PID 1928 wrote to memory of 4888	1928	tmpFC48.tmp.exe	103
PID 1928 wrote to memory of 1048	1928	tmpFC48.tmp.exe	104
PID 1928 wrote to memory of 1048	1928	tmpFC48.tmp.exe	104
PID 1928 wrote to memory of 1048	1928	tmpFC48.tmp.exe	104
PID 1928 wrote to memory of 2640	1928	tmpFC48.tmp.exe	105
PID 1928 wrote to memory of 2640	1928	tmpFC48.tmp.exe	105
PID 4888 wrote to memory of 2228	4888	Mlzlz.exe	106
PID 4888 wrote to memory of 2228	4888	Mlzlz.exe	106
PID 2640 wrote to memory of 4352	2640	Commandos.exe	112
PID 2640 wrote to memory of 4352	2640	Commandos.exe	112
PID 4352 wrote to memory of 1428	4352	.exe	113
PID 4352 wrote to memory of 1428	4352	.exe	113
PID 4092 wrote to memory of 1936	4092	server.exe	124
PID 4092 wrote to memory of 1936	4092	server.exe	124
PID 4092 wrote to memory of 1936	4092	server.exe	124
PID 4092 wrote to memory of 2620	4092	server.exe	126
PID 4092 wrote to memory of 2620	4092	server.exe	126
PID 4092 wrote to memory of 2620	4092	server.exe	126
PID 4092 wrote to memory of 2900	4092	server.exe	128
PID 4092 wrote to memory of 2900	4092	server.exe	128
PID 4092 wrote to memory of 1736	4092	server.exe	129
PID 4092 wrote to memory of 1736	4092	server.exe	129
PID 4092 wrote to memory of 1736	4092	server.exe	129
PID 2900 wrote to memory of 4116	2900	tmpCE97.tmp.COM	130
PID 2900 wrote to memory of 4116	2900	tmpCE97.tmp.COM	130
PID 2900 wrote to memory of 4280	2900	tmpCE97.tmp.COM	131
PID 2900 wrote to memory of 4280	2900	tmpCE97.tmp.COM	131
PID 2900 wrote to memory of 4280	2900	tmpCE97.tmp.COM	131
PID 2900 wrote to memory of 2368	2900	tmpCE97.tmp.COM	132
PID 2900 wrote to memory of 2368	2900	tmpCE97.tmp.COM	132
PID 2900 wrote to memory of 2368	2900	tmpCE97.tmp.COM	132
PID 1736 wrote to memory of 4032	1736	server.exe	134
PID 1736 wrote to memory of 4032	1736	server.exe	134
PID 1736 wrote to memory of 4032	1736	server.exe	134
PID 4116 wrote to memory of 2940	4116	MBR2.exe	136
PID 4116 wrote to memory of 2940	4116	MBR2.exe	136
PID 2940 wrote to memory of 4604	2940	MatrixMBR.exe	137
PID 2940 wrote to memory of 4604	2940	MatrixMBR.exe	137
PID 2940 wrote to memory of 4604	2940	MatrixMBR.exe	137
PID 2940 wrote to memory of 892	2940	MatrixMBR.exe	138
PID 2940 wrote to memory of 892	2940	MatrixMBR.exe	138
PID 2940 wrote to memory of 892	2940	MatrixMBR.exe	138

C:\Users\Admin\AppData\Local\Temp\lmlmdos.exe
"C:\Users\Admin\AppData\Local\Temp\lmlmdos.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4092
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4460
- - C:\Users\Admin\AppData\Local\Temp\tmpFC48.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpFC48.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\Mlzlz.exe
      "C:\Users\Admin\AppData\Local\Temp\Mlzlz.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Enumerates system info in registry
      Suspicious use of WriteProcessMemory
      PID:4888
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://filebin.net/8pqbq1v7s732ldmg/MMLo7.mp3
        5⤵
        
        PID:2228
  - - C:\Users\Admin\AppData\Local\Temp\MMLo7.exe
      "C:\Users\Admin\AppData\Local\Temp\MMLo7.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1048
  - - C:\Users\Admin\AppData\Local\Temp\Commandos.exe
      "C:\Users\Admin\AppData\Local\Temp\Commandos.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Users\Admin\AppData\Local\Temp\.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.exe"
        5⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4352
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k reg delete HKCR /f
        6⤵
        
        PID:1428
- - C:\Users\Admin\AppData\Local\Temp\tmpFF2F.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpFF2F.tmp.exe"
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    PID:1936
- - C:\Users\Admin\AppData\Local\Temp\tmp245C.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp245C.tmp.exe"
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    PID:2620
- - C:\Users\Admin\AppData\Local\Temp\tmpCE97.tmp.COM
    "C:\Users\Admin\AppData\Local\Temp\tmpCE97.tmp.COM"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Users\Admin\AppData\Local\Temp\MBR2.exe
      "C:\Users\Admin\AppData\Local\Temp\MBR2.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4116
    - - C:\Windows\System32\MatrixMBR.exe
        
        "C:\Windows\System32\MatrixMBR.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2940
      - C:\Users\Admin\AppData\Local\Temp\GDI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GDI.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4604
      - C:\Users\Admin\AppData\Local\Temp\MBR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MBR.exe"
        6⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:892
  - - C:\Users\Admin\AppData\Local\Temp\TROLL5.exe
      "C:\Users\Admin\AppData\Local\Temp\TROLL5.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4280
  - - C:\Users\Admin\AppData\Local\Temp\TROLL2.exe
      "C:\Users\Admin\AppData\Local\Temp\TROLL2.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2368
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1736
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:4032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=es --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=4612,i,16761705620895268742,9685554740317047389,262144 --variations-seed-version --mojo-platform-channel-handle=4832 /prefetch:14
1⤵
PID:1572

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3284

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MTVBMEJBMDktOTlBRS00RDZFLUIyNDAtRURGQTg5REVEMDEzfSIgdXNlcmlkPSJ7MUNDN0Y2NDItQkYzNi00ODg1LUIzNkMtOTlENDNFRDc0QTdEfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QjRBRDU0MDMtRDk2Ni00NTM5LUFFRUMtNTNGMTA1NzBGOTNEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRldGltZT0iMTczODk1NjY0MSIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNDI5MjY4NjIxMDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU5MzkxODU4MzUiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3376

C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "5052" "1296" "1168" "1300" "0" "0" "0" "0" "0" "0" "0" "0"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:2228

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MTVBMEJBMDktOTlBRS00RDZFLUIyNDAtRURGQTg5REVEMDEzfSIgdXNlcmlkPSJ7MUNDN0Y2NDItQkYzNi00ODg1LUIzNkMtOTlENDNFRDc0QTdEfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins5OTAyQ0MzOC1CMjc3LTRCNUMtOUFBNi01QUE4ODNERkU3NER9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSIxMzIuMC4yOTU3LjE0MCIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRldGltZT0iMTczODk1NjE2MiI-PGV2ZW50IGV2ZW50dHlwZT0iMzIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjQiIHN5c3RlbV91cHRpbWVfdGlja3M9IjYwMjc3OTk2MTAiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1732

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MTVBMEJBMDktOTlBRS00RDZFLUIyNDAtRURGQTg5REVEMDEzfSIgdXNlcmlkPSJ7MUNDN0Y2NDItQkYzNi00ODg1LUIzNkMtOTlENDNFRDc0QTdEfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins4QTRGQUVBNS00OTc4LTQ3REQtQTMyOS04QjA5OUFBNzFGNzN9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjQzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgY29ob3J0PSJycmZAMC4wOCI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIxIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9Ins2RkJBQTk1RC1FM0UzLTQwRkEtQUVCNS0wRUIwMjZENjY4QTB9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9IjAiIGNvaG9ydD0icnJmQDAuMTEiIG9vYmVfaW5zdGFsbF90aW1lPSIxODQ0Njc0NDA3MzcwOTU1MTYwNiIgdXBkYXRlX2NvdW50PSIxIiBsYXN0X2xhdW5jaF9jb3VudD0iMSIgbGFzdF9sYXVuY2hfdGltZT0iMTMzODM0MzgyNjE3MTEyODcwIj48dXBkYXRlY2hlY2svPjxwaW5nIGFjdGl2ZT0iMSIgYT0iMSIgcj0iMSIgYWQ9IjY2MTIiIHJkPSI2NjEyIiBwaW5nX2ZyZXNobmVzcz0ie0M4QkYxQzI4LUYxRTYtNEU0Ri1CMzE4LTIyRUMyMTQ4MjU0N30iLz48L2FwcD48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iMTMyLjAuMjk1Ny4xNDAiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIwIiBjb2hvcnQ9InJyZkAwLjI1IiB1cGRhdGVfY291bnQ9IjEiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iMSIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7MkIyOUY3QkItN0QwRS00MzVDLUEyQjAtQTU2NzNEQkQwRjhFfSIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=es --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=4132,i,16761705620895268742,9685554740317047389,262144 --variations-seed-version --mojo-platform-channel-handle=5504 /prefetch:14
1⤵
PID:1108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=es --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=5176,i,16761705620895268742,9685554740317047389,262144 --variations-seed-version --mojo-platform-channel-handle=4184 /prefetch:14
1⤵
PID:664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=es --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=5024,i,16761705620895268742,9685554740317047389,262144 --variations-seed-version --mojo-platform-channel-handle=3812 /prefetch:14
1⤵
PID:3468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=es --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --always-read-main-dll --field-trial-handle=4188,i,16761705620895268742,9685554740317047389,262144 --variations-seed-version --mojo-platform-channel-handle=5184 /prefetch:1
1⤵
PID:1924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=es --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --always-read-main-dll --field-trial-handle=1020,i,16761705620895268742,9685554740317047389,262144 --variations-seed-version --mojo-platform-channel-handle=5528 /prefetch:1
1⤵
PID:4668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=es --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=5788,i,16761705620895268742,9685554740317047389,262144 --variations-seed-version --mojo-platform-channel-handle=5800 /prefetch:14
1⤵
PID:2132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=es --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --string-annotations --always-read-main-dll --field-trial-handle=5904,i,16761705620895268742,9685554740317047389,262144 --variations-seed-version --mojo-platform-channel-handle=5920 /prefetch:14
1⤵
PID:4244

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=es --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=5780,i,16761705620895268742,9685554740317047389,262144 --variations-seed-version --mojo-platform-channel-handle=5812 /prefetch:14
1⤵
PID:2620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=es --service-sandbox-type=search_indexer --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=5932,i,16761705620895268742,9685554740317047389,262144 --variations-seed-version --mojo-platform-channel-handle=6108 /prefetch:14
1⤵
PID:5048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=es --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=6276,i,16761705620895268742,9685554740317047389,262144 --variations-seed-version --mojo-platform-channel-handle=6304 /prefetch:14
1⤵
PID:236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=es --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=6132,i,16761705620895268742,9685554740317047389,262144 --variations-seed-version --mojo-platform-channel-handle=4432 /prefetch:14
1⤵
PID:4728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=es --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=6320,i,16761705620895268742,9685554740317047389,262144 --variations-seed-version --mojo-platform-channel-handle=6420 /prefetch:14
1⤵
PID:488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=es --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=6476,i,16761705620895268742,9685554740317047389,262144 --variations-seed-version --mojo-platform-channel-handle=5652 /prefetch:14
1⤵
PID:2796

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004C8
1⤵
PID:1280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=es --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=6212,i,16761705620895268742,9685554740317047389,262144 --variations-seed-version --mojo-platform-channel-handle=5160 /prefetch:14
1⤵
PID:5064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=es --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=6180,i,16761705620895268742,9685554740317047389,262144 --variations-seed-version --mojo-platform-channel-handle=6412 /prefetch:14
1⤵
PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
351KB

MD5
8c389818db0e746778d6751ed65c6a69

SHA1
d8a74dd637466a7314693a2df51ddcb00bcc4526

SHA256
7126a27689d05128ff5c1664c7f1a37213beb36c69cc87fd3652486504385111

SHA512
c3fbe0f515e6ed209471dac3c68c3dbd1910d19846c206d7ea3ff9c86d0f32cd3f728634213dac213beb3c720b2da3bcbe8526f4af4880ef0fa96172c7803ee4

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
377KB

MD5
b0b2610ea005edac31dfea4933b77510

SHA1
8db1f59f67b86b3fcf94363bddb25e3e26f16e17

SHA256
7ed286bd4a77c5b7f8357573989045effb8166c55ad92bb6bb65da17c23d04f3

SHA512
8ef34886d214e9de4f57b1bf40658ffbdd06f450886cb6bc5feee33a900e7f04bcb92b0594be4b0688254237c36617d861cb4c7c3a68d9aea8321fd217573b49

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
23KB

MD5
4f8d09d8a67058f5127b35ad5faa3a23

SHA1
582da38c0e3dbde62efc2942bf5fb793637343ba

SHA256
2a8df8f2a39c51b0d8072a50b672b470e17cd201d5631a85ba2d1bb326c7fd63

SHA512
392656b9a0bcd32b8c6b958907a7fcb4f7a7f8e114cb444caa4112eabab205cd10b73370b30c37c6eba55ae10853db33f58ea2e384db1d206f5beef1f5be6a41

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
23KB

MD5
689bd49a500ea4dfc7a430d381e30151

SHA1
775401a4e0e408480cd64d3daae5b4a6963a58ae

SHA256
6508d364221b19f115ea5b93d9532cfa7013555510f02283c6923ce4e4247e6f

SHA512
fcc06a8d5c745ca40ef224b2a5f42dab54b1adfd2fe9989279a38bcd357b6fa5d4b4212062bc2e639b532015423818f027816ec3773a1eb159dd9adb1a4e2bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\.exe

Filesize
14KB

MD5
cec3e3a5a16622f1cc92a9d0cc6f25bf

SHA1
befa9d83a13d9a680ed46510c35a03da2232a14b

SHA256
070bb826b94e3660f53f35099c60f02326214a67afa68cd0c65bfee50dd1f8a2

SHA512
c53e456c5d3a00bbf746d078be9dad653d8e10c718510d13026ef57deda3f790ecf3a71bcfdae6ea2dadddda521cfd23b5f66921e736327ac677e753b1f24d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Commandos.exe

Filesize
58KB

MD5
c34f84509d0993785c85e2ee3df646f8

SHA1
46a2487df782af941740a4e0d67dfb5b6a8c649e

SHA256
95930cd1ef5ade8990cef637a618f17c6ae971d80e25791c20edbe0253cdeb03

SHA512
80744df7a596cd9f3703f3064913a37f39480a14ad3bf17eb95aed511248485bb5b44dbdce8609776e130a313f8e40ee05e6f681a453ddbfcb83b6407a66ee23

Download Submit
C:\Users\Admin\AppData\Local\Temp\GDI.exe

Filesize
11KB

MD5
c08ae6d9c6ecd7e13f827bf68767785f

SHA1
e71c2ec8d00c1e82b8b07baee0688b0a28604454

SHA256
e153def894c867923dd56a7025b7b0b7bd3ee37c801a5957201d39f999bb28bf

SHA512
c28bbe8abc66ad2433e5a3b93a4601b28225e86cb4bff077fd3224adfa63164bebfa3002a42b1cb4cb3c7ccad0208f8b143b8a17099bea04fcb964e667c7a1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dll

Filesize
1.9MB

MD5
1915011997fdb9aa95f15e567f4e6070

SHA1
40a7853f14d6d4919279965f026d57cf9a104998

SHA256
952fa59d3d6d8c8c5fad8a1144e5effdf0fa92d58db1fb2a2899faf84c6273ab

SHA512
5cca71b42ed9dc154e6d5919e7cd93046168781a55c051818157848efc918b2e4dd92f422eb1c47e0940b645ba750facf83bce240748a8170ac8ce0afc9efa90

Download Submit
C:\Users\Admin\AppData\Local\Temp\MBR.exe

Filesize
93KB

MD5
d2fc66cf781a2497fceb4041a93cc676

SHA1
480b1aa31b0b31fc0e0833afbba06533ab9a90ee

SHA256
acddde9514e3b9d5c40b3d1750af5f4187c99f8987b027d6da44fb6bcf79b3ca

SHA512
6c4cb42f786301be7614d4cb0b32601fea151351b0877e2371632435eb2c54bd4cd04d6b23bf4f49017ccaf679331162aac7329a1ed2409e3c2e02d0326e3487

Download Submit
C:\Users\Admin\AppData\Local\Temp\MBR2.exe

Filesize
205KB

MD5
3dc0e225f886bae3b655cd9d738ed32f

SHA1
abda127fd477bd9d051cd57b16ac13f44030a9ae

SHA256
c22e2419f04fe03a92255a139ca8814697962e86d191a1d4171788fd0c903f68

SHA512
c8a6c0bfa96defde6f83d847583ff2ec065a43f80f9886259a2d1fe7df306ef6ed7aeed61b7dcf0bdc111fc67419eb66cf1ca44e831711dd4ea7d25ed9aed09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMLo7.exe

Filesize
21KB

MD5
41bfa34d74d03666a9b3d71faf3ae962

SHA1
794fc090d5e08bb7e039413a00a81d4aa319b1fd

SHA256
86270344f64dbe47a8e148473167814bdf657abd64cc12d3bdc23cf2ad3a227e

SHA512
654bfb5461f911937ac45dc68e7f70a0553db2ce6270898de06a856241ee9aa6a4eca78946a2477d472a09781879c4cf6329c04ac827977bcd98f23a9c569fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mlzlz.exe

Filesize
5.0MB

MD5
bff2ce60601b7f5a6e01a8632d2c27e6

SHA1
6e6be38db34caef7baaa06f58d0cc29dd5b945a4

SHA256
77ec1962afaabb6a3bfda99f99da786c6864fdd10546a55ec208ddf2df6db773

SHA512
b0c4a1402a9551936f9045ab5f1210f058a547ec6e4acda1f9eb9db3114af2d99ec9feec8aadc0dfe335850f73ab6b9bfd19f397ddc8fdfbb85769249cebed6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TROLL2.exe

Filesize
105KB

MD5
52a2a5517deb1a06896891a35299ce20

SHA1
badcbdfef312bd71de997a7416ee20cee5d66af6

SHA256
dcdf5140bc51db27f3aec80ae9a66a57aad446a2522904d288770e8d8cde8cee

SHA512
7cb0de412c0508f5af522aeaf3731dda418f72f7cae8dd3f21b34d5cdbc08f9dea8699d59878610496c68d687227a0269739221490d70d03b8e4b84dfd29d5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TROLL5.exe

Filesize
712KB

MD5
542a4e400ff233b21a1a3c27751ac783

SHA1
000a67f00b0003531d65a6ed6f16488ae5dcd0fe

SHA256
79f00c7dab0891824136539fabd542c74e26cbed94b9add3f1aa7f793d653de6

SHA512
8335118ca0c268635d9495b331fb65800a32a0631f132cd34ce84ca3b523d0a9e23eee6d76539d0c81d86fda534da56c936914012d8bad35040b15cc8caaf645

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
23KB

MD5
5eb67cac2f9ef8a548ba327896909cda

SHA1
b8f3612f2d00c581387b02a615ad178874b51329

SHA256
f5c542679e18756fcaaf434a1df9ecee261c8fa6788b75dc64c458e4eef15f2d

SHA512
40665518a5451f7bd86ca1e3ad58cec178566c0f45fde647e76c2bb8d81611ca61fe1974cb97988065239005ca63fc9de0c449d45357ee90a8a99ccd30a5415f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2488.tmp

Filesize
92KB

MD5
c918234b22aeb6c01b260c37ae13d8a2

SHA1
9d63aa80460c51b743ddbb5ec7536ce42d945d6b

SHA256
f3c612c8dd809ac950616f33833ab016b3664e6748da56377776ee765dd34e2a

SHA512
3e04013137ac414ba4055d1b521b256be7c023a0326b55fd7f692da9a58261b24899f5e3e8c405964b8f0becc5597c43e3b9b1e22c61ab454be73fb7f449dd0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCE97.tmp.COM

Filesize
921KB

MD5
d0ae6aea701de9f127f91e7efdb50252

SHA1
cb9ef64cbcb999372fb4046e99fe89a03df9bc81

SHA256
c1aeab35f61f12db28274d82713bff400b808625854a18e49504022f92805e31

SHA512
505d11808e9923ff0ec1a51acd51509711f8c5c42da81b47a97249954b06f6f45ddda4655446daeb7f231785cd484ebc6e9ada92b857ad3a8d7ce04276536f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFC48.tmp.exe

Filesize
5.9MB

MD5
3a2748162ca6fd403aeb6ef4a368c996

SHA1
14f630c097afd82e35a83ed011e872e2e6c4d9c8

SHA256
2bed70136d10778ef824023dac8722ccf8452a4f84878f75fe2cb9fdb01109e2

SHA512
1aa7c3da5b7bcaa76e753f1b39e5457d44c9c6d301fa774364580214c8cf9276bbf2efda66f9bd29f0c77aa65affede1c25025feeae67eb51b05e65f634547b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFF2F.tmp.exe

Filesize
219KB

MD5
25c10f0ddf7f592df6b8f8b4564d340f

SHA1
d438750f1420857237546b943b63a4b39b8ccefb

SHA256
5510587a96e59199167ed1ac5d7e53f22d0f702c01958e67f332e6a6685d8138

SHA512
b4bbc94a71853f1a9c4126a15ce35797e003028c7d0dde0fff82d0a8ab09c2949b29c8bacfe8962f009c5b2ef16f9de4e532098f1eec7e0cb7e3665a7e4aafd6

Download Submit
C:\Windows\System32\MatrixMBR.exe

Filesize
250KB

MD5
24c441662c09b94e14a4096a8e59c316

SHA1
11576cad137bd8ed76efecd711c0390fe5c85292

SHA256
339fe94164952a8454e6ec5fc75e2c38baade2c14b231e47bf41989ffbb55ee4

SHA512
7f6ca1366733c5fb4925001c0846510732031a9e5f1b16291ff596187c20a88f41193389cedcb73e3928c318fc972be4f03e3cb71f1487c34642897ff9a2b590

Download Submit
memory/1048-93-0x0000000000020000-0x000000000002C000-memory.dmp

Filesize
48KB

Download
memory/1048-96-0x0000000004A20000-0x0000000004AB2000-memory.dmp

Filesize
584KB

Download
memory/1048-95-0x0000000004F30000-0x00000000054D6000-memory.dmp

Filesize
5.6MB

Download
memory/1928-56-0x0000000000910000-0x0000000000EF6000-memory.dmp

Filesize
5.9MB

Download
memory/1936-126-0x0000000000CC0000-0x0000000000CFC000-memory.dmp

Filesize
240KB

Download
memory/2368-204-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2640-92-0x0000000000550000-0x0000000000564000-memory.dmp

Filesize
80KB

Download
memory/2900-150-0x000000001B270000-0x000000001B354000-memory.dmp

Filesize
912KB

Download
memory/2900-149-0x00000000004B0000-0x000000000059C000-memory.dmp

Filesize
944KB

Download
memory/2940-203-0x00000000002B0000-0x00000000002F6000-memory.dmp

Filesize
280KB

Download
memory/4116-170-0x00000000005B0000-0x00000000005EA000-memory.dmp

Filesize
232KB

Download
memory/4280-189-0x0000000000490000-0x0000000000548000-memory.dmp

Filesize
736KB

Download
memory/4352-113-0x0000000000200000-0x000000000020A000-memory.dmp

Filesize
40KB

Download
memory/4604-225-0x0000000000E30000-0x0000000000E38000-memory.dmp

Filesize
32KB

Download
memory/4736-32-0x00000000744D0000-0x0000000074A81000-memory.dmp

Filesize
5.7MB

Download
memory/4736-0-0x00000000744D1000-0x00000000744D2000-memory.dmp

Filesize
4KB

Download
memory/4736-2-0x00000000744D0000-0x0000000074A81000-memory.dmp

Filesize
5.7MB

Download
memory/4736-1-0x00000000744D0000-0x0000000074A81000-memory.dmp

Filesize
5.7MB

Download
memory/4888-101-0x00000000061A0000-0x0000000006396000-memory.dmp

Filesize
2.0MB

Download
memory/4888-94-0x0000000000EC0000-0x00000000013C0000-memory.dmp

Filesize
5.0MB

Download
memory/4888-97-0x0000000005DD0000-0x0000000005DDA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads