njrat | 4f04da82187c751bef7418649b8581ae26258687eb437293bc1580339de7a414

Analysis

max time kernel
616s
max time network
627s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
21/03/2025, 20:20

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Payload1234.exe
Size

54KB
MD5

036b3d9a4d952a24395e7bb611c343fc
SHA1

c22e1bd6a08cb355af0916d071c1bca492b71948
SHA256

4f04da82187c751bef7418649b8581ae26258687eb437293bc1580339de7a414
SHA512

2a0e6508fba8adec93929db094e664b252cfa635694a7d2e72c4b7d3ba2be6d30c37e5de17559dd728fdeda27fd5f843247a197339255b1d2c178dea34c6652b
SSDEEP

768:GmAQsCB2EsltNnVpladJr3N8JSNGExWQG35bmaePD5Pv42XXJdxIEpmJg:GmJtGtNnpabrmGGWWQcGD/X3xIEpmJg

Score

10^/10

njrat ramnit banker bootkit credential_access discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Njrat family
njrat
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 19 IoCs

pid	Process
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
4156	abd28a3d0ea344bba5184a3f2ec8725c.exe
3748	ae63de9a6ae14b478d8d4b16cd20d84a.exe
1508	5ee7f7834e8f41998c06f7dc51203082.exe
1940	fa928e6afe98458ba88682b0705ae05d.exe
3184	af11a4b27ebc4103b9c2a63ee0506b3a.exe
4596	a38b4a829f2445ccb50e53b43be0b202.exe
4240	95cc9600a31a4559b3ecee637383a1e4.exe
5268	8a604591af664133a040b4db76806c6f.exe
5396	fcb9f7538d764214a8f4206710204e4f.exe
5628	a99e7f5779a74b39b0d88dfc204213ce.exe
3336	420ea28c36314af395b7ef04eefe107d.exe
2584	420ea28c36314af395b7ef04eefe107dSrv.exe
1216	e9edbd1c38dd4245bb1d05dac2c354af.exe
2580	ee95c39e1d334c26be2ae75542f69092.exe
1648	ee95c39e1d334c26be2ae75542f69092Srv.exe
5468	64873ef65abc4ce7a96b41e04fcf7d4d.exe
5676	abebd79fd0bf41b296ba4d1d5d3c354a.exe
3400	7eaaefcbdcb34d5081ee8521bac39d3d.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\Run\Win32 = "C:\\Windows\\Win32.bat"	reg.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	Payload1234.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	abebd79fd0bf41b296ba4d1d5d3c354a.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2732 set thread context of 392	2732	Payload1234.exe	111

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002b2df-170.dat	upx
behavioral1/memory/3336-173-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/files/0x001900000002b2e2-177.dat	upx
behavioral1/memory/2584-178-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2584-179-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/3336-181-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/3336-182-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/392-195-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral1/memory/392-196-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral1/memory/392-202-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral1/memory/392-197-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral1/memory/3336-208-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/3336-210-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/3336-228-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/3336-246-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/3336-249-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File created	C:\Windows\Win32.bat	cmd.exe
File opened for modification	C:\Windows\Win32.bat	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1916	2584	WerFault.exe	104
888	1216	WerFault.exe	108
3620	1648	WerFault.exe	114
784	5676	WerFault.exe	118

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload1234.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abd28a3d0ea344bba5184a3f2ec8725c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae63de9a6ae14b478d8d4b16cd20d84a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	420ea28c36314af395b7ef04eefe107d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee95c39e1d334c26be2ae75542f69092.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7eaaefcbdcb34d5081ee8521bac39d3d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a99e7f5779a74b39b0d88dfc204213ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	420ea28c36314af395b7ef04eefe107dSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e9edbd1c38dd4245bb1d05dac2c354af.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee95c39e1d334c26be2ae75542f69092Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	64873ef65abc4ce7a96b41e04fcf7d4d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abebd79fd0bf41b296ba4d1d5d3c354a.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
2440	taskkill.exe
5924	taskkill.exe
4076	taskkill.exe
5348	taskkill.exe
4892	taskkill.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
540	reg.exe
6132	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe
5196	2dfdf4b673db4b5c8121a753b9133b3f.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2732	Payload1234.exe
3336	420ea28c36314af395b7ef04eefe107d.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	Payload1234.exe
Token: 33	2732	Payload1234.exe
Token: SeIncBasePriorityPrivilege	2732	Payload1234.exe
Token: 33	2732	Payload1234.exe
Token: SeIncBasePriorityPrivilege	2732	Payload1234.exe
Token: 33	2732	Payload1234.exe
Token: SeIncBasePriorityPrivilege	2732	Payload1234.exe
Token: 33	2732	Payload1234.exe
Token: SeIncBasePriorityPrivilege	2732	Payload1234.exe
Token: 33	2732	Payload1234.exe
Token: SeIncBasePriorityPrivilege	2732	Payload1234.exe
Token: 33	2732	Payload1234.exe
Token: SeIncBasePriorityPrivilege	2732	Payload1234.exe
Token: 33	2732	Payload1234.exe
Token: SeIncBasePriorityPrivilege	2732	Payload1234.exe
Token: 33	2732	Payload1234.exe
Token: SeIncBasePriorityPrivilege	2732	Payload1234.exe
Token: 33	2732	Payload1234.exe
Token: SeIncBasePriorityPrivilege	2732	Payload1234.exe
Token: 33	2732	Payload1234.exe
Token: SeIncBasePriorityPrivilege	2732	Payload1234.exe
Token: 33	2732	Payload1234.exe
Token: SeIncBasePriorityPrivilege	2732	Payload1234.exe
Token: 33	2732	Payload1234.exe
Token: SeIncBasePriorityPrivilege	2732	Payload1234.exe
Token: 33	2732	Payload1234.exe
Token: SeIncBasePriorityPrivilege	2732	Payload1234.exe
Token: 33	2732	Payload1234.exe
Token: SeIncBasePriorityPrivilege	2732	Payload1234.exe
Token: 33	2732	Payload1234.exe
Token: SeIncBasePriorityPrivilege	2732	Payload1234.exe
Token: 33	2732	Payload1234.exe
Token: SeIncBasePriorityPrivilege	2732	Payload1234.exe
Token: 33	2732	Payload1234.exe
Token: SeIncBasePriorityPrivilege	2732	Payload1234.exe
Token: 33	2732	Payload1234.exe
Token: SeIncBasePriorityPrivilege	2732	Payload1234.exe
Token: 33	2732	Payload1234.exe
Token: SeIncBasePriorityPrivilege	2732	Payload1234.exe
Token: 33	2732	Payload1234.exe
Token: SeIncBasePriorityPrivilege	2732	Payload1234.exe
Token: 33	2732	Payload1234.exe
Token: SeIncBasePriorityPrivilege	2732	Payload1234.exe
Token: 33	2732	Payload1234.exe
Token: SeIncBasePriorityPrivilege	2732	Payload1234.exe
Token: 33	2732	Payload1234.exe
Token: SeIncBasePriorityPrivilege	2732	Payload1234.exe
Token: 33	2732	Payload1234.exe
Token: SeIncBasePriorityPrivilege	2732	Payload1234.exe
Token: 33	2732	Payload1234.exe
Token: SeIncBasePriorityPrivilege	2732	Payload1234.exe
Token: 33	2732	Payload1234.exe
Token: SeIncBasePriorityPrivilege	2732	Payload1234.exe
Token: 33	2732	Payload1234.exe
Token: SeIncBasePriorityPrivilege	2732	Payload1234.exe
Token: 33	2732	Payload1234.exe
Token: SeIncBasePriorityPrivilege	2732	Payload1234.exe
Token: 33	2732	Payload1234.exe
Token: SeIncBasePriorityPrivilege	2732	Payload1234.exe
Token: 33	2732	Payload1234.exe
Token: SeIncBasePriorityPrivilege	2732	Payload1234.exe
Token: 33	2732	Payload1234.exe
Token: SeIncBasePriorityPrivilege	2732	Payload1234.exe
Token: 33	2732	Payload1234.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5468	64873ef65abc4ce7a96b41e04fcf7d4d.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5628	a99e7f5779a74b39b0d88dfc204213ce.exe
5468	64873ef65abc4ce7a96b41e04fcf7d4d.exe
5468	64873ef65abc4ce7a96b41e04fcf7d4d.exe
5468	64873ef65abc4ce7a96b41e04fcf7d4d.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 5196	2732	Payload1234.exe	89
PID 2732 wrote to memory of 5196	2732	Payload1234.exe	89
PID 2732 wrote to memory of 4156	2732	Payload1234.exe	90
PID 2732 wrote to memory of 4156	2732	Payload1234.exe	90
PID 2732 wrote to memory of 4156	2732	Payload1234.exe	90
PID 2732 wrote to memory of 3748	2732	Payload1234.exe	91
PID 2732 wrote to memory of 3748	2732	Payload1234.exe	91
PID 2732 wrote to memory of 3748	2732	Payload1234.exe	91
PID 2732 wrote to memory of 1508	2732	Payload1234.exe	92
PID 2732 wrote to memory of 1508	2732	Payload1234.exe	92
PID 2732 wrote to memory of 1940	2732	Payload1234.exe	94
PID 2732 wrote to memory of 1940	2732	Payload1234.exe	94
PID 2732 wrote to memory of 3184	2732	Payload1234.exe	95
PID 2732 wrote to memory of 3184	2732	Payload1234.exe	95
PID 2732 wrote to memory of 4596	2732	Payload1234.exe	96
PID 2732 wrote to memory of 4596	2732	Payload1234.exe	96
PID 2732 wrote to memory of 4240	2732	Payload1234.exe	97
PID 2732 wrote to memory of 4240	2732	Payload1234.exe	97
PID 2732 wrote to memory of 5268	2732	Payload1234.exe	98
PID 2732 wrote to memory of 5268	2732	Payload1234.exe	98
PID 2732 wrote to memory of 5396	2732	Payload1234.exe	99
PID 2732 wrote to memory of 5396	2732	Payload1234.exe	99
PID 2732 wrote to memory of 5628	2732	Payload1234.exe	102
PID 2732 wrote to memory of 5628	2732	Payload1234.exe	102
PID 2732 wrote to memory of 5628	2732	Payload1234.exe	102
PID 2732 wrote to memory of 3336	2732	Payload1234.exe	103
PID 2732 wrote to memory of 3336	2732	Payload1234.exe	103
PID 2732 wrote to memory of 3336	2732	Payload1234.exe	103
PID 3336 wrote to memory of 2584	3336	420ea28c36314af395b7ef04eefe107d.exe	104
PID 3336 wrote to memory of 2584	3336	420ea28c36314af395b7ef04eefe107d.exe	104
PID 3336 wrote to memory of 2584	3336	420ea28c36314af395b7ef04eefe107d.exe	104
PID 2732 wrote to memory of 1216	2732	Payload1234.exe	108
PID 2732 wrote to memory of 1216	2732	Payload1234.exe	108
PID 2732 wrote to memory of 1216	2732	Payload1234.exe	108
PID 2732 wrote to memory of 392	2732	Payload1234.exe	111
PID 2732 wrote to memory of 392	2732	Payload1234.exe	111
PID 2732 wrote to memory of 392	2732	Payload1234.exe	111
PID 2732 wrote to memory of 392	2732	Payload1234.exe	111
PID 2732 wrote to memory of 392	2732	Payload1234.exe	111
PID 2732 wrote to memory of 392	2732	Payload1234.exe	111
PID 2732 wrote to memory of 392	2732	Payload1234.exe	111
PID 2732 wrote to memory of 2580	2732	Payload1234.exe	113
PID 2732 wrote to memory of 2580	2732	Payload1234.exe	113
PID 2732 wrote to memory of 2580	2732	Payload1234.exe	113
PID 2580 wrote to memory of 1648	2580	ee95c39e1d334c26be2ae75542f69092.exe	114
PID 2580 wrote to memory of 1648	2580	ee95c39e1d334c26be2ae75542f69092.exe	114
PID 2580 wrote to memory of 1648	2580	ee95c39e1d334c26be2ae75542f69092.exe	114
PID 2732 wrote to memory of 5468	2732	Payload1234.exe	117
PID 2732 wrote to memory of 5468	2732	Payload1234.exe	117
PID 2732 wrote to memory of 5468	2732	Payload1234.exe	117
PID 2732 wrote to memory of 5676	2732	Payload1234.exe	118
PID 2732 wrote to memory of 5676	2732	Payload1234.exe	118
PID 2732 wrote to memory of 5676	2732	Payload1234.exe	118
PID 2732 wrote to memory of 3400	2732	Payload1234.exe	121
PID 2732 wrote to memory of 3400	2732	Payload1234.exe	121
PID 2732 wrote to memory of 3400	2732	Payload1234.exe	121
PID 3400 wrote to memory of 1892	3400	7eaaefcbdcb34d5081ee8521bac39d3d.exe	122
PID 3400 wrote to memory of 1892	3400	7eaaefcbdcb34d5081ee8521bac39d3d.exe	122
PID 1892 wrote to memory of 4000	1892	cmd.exe	126
PID 1892 wrote to memory of 4000	1892	cmd.exe	126
PID 1892 wrote to memory of 4076	1892	cmd.exe	127
PID 1892 wrote to memory of 4076	1892	cmd.exe	127
PID 1892 wrote to memory of 5348	1892	cmd.exe	128
PID 1892 wrote to memory of 5348	1892	cmd.exe	128

C:\Users\Admin\AppData\Local\Temp\Payload1234.exe
"C:\Users\Admin\AppData\Local\Temp\Payload1234.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Users\Admin\AppData\Local\Temp\2dfdf4b673db4b5c8121a753b9133b3f.exe
  "C:\Users\Admin\AppData\Local\Temp\2dfdf4b673db4b5c8121a753b9133b3f.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5196
- C:\Users\Admin\AppData\Local\Temp\abd28a3d0ea344bba5184a3f2ec8725c.exe
  "C:\Users\Admin\AppData\Local\Temp\abd28a3d0ea344bba5184a3f2ec8725c.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4156
- C:\Users\Admin\AppData\Local\Temp\ae63de9a6ae14b478d8d4b16cd20d84a.exe
  "C:\Users\Admin\AppData\Local\Temp\ae63de9a6ae14b478d8d4b16cd20d84a.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3748
- C:\Users\Admin\AppData\Local\Temp\5ee7f7834e8f41998c06f7dc51203082.exe
  "C:\Users\Admin\AppData\Local\Temp\5ee7f7834e8f41998c06f7dc51203082.exe"
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Users\Admin\AppData\Local\Temp\fa928e6afe98458ba88682b0705ae05d.exe
  "C:\Users\Admin\AppData\Local\Temp\fa928e6afe98458ba88682b0705ae05d.exe"
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Users\Admin\AppData\Local\Temp\af11a4b27ebc4103b9c2a63ee0506b3a.exe
  "C:\Users\Admin\AppData\Local\Temp\af11a4b27ebc4103b9c2a63ee0506b3a.exe"
  2⤵
  - Executes dropped EXE
  PID:3184
- C:\Users\Admin\AppData\Local\Temp\a38b4a829f2445ccb50e53b43be0b202.exe
  "C:\Users\Admin\AppData\Local\Temp\a38b4a829f2445ccb50e53b43be0b202.exe"
  2⤵
  - Executes dropped EXE
  PID:4596
- C:\Users\Admin\AppData\Local\Temp\95cc9600a31a4559b3ecee637383a1e4.exe
  "C:\Users\Admin\AppData\Local\Temp\95cc9600a31a4559b3ecee637383a1e4.exe"
  2⤵
  - Executes dropped EXE
  PID:4240
- C:\Users\Admin\AppData\Local\Temp\8a604591af664133a040b4db76806c6f.exe
  "C:\Users\Admin\AppData\Local\Temp\8a604591af664133a040b4db76806c6f.exe"
  2⤵
  - Executes dropped EXE
  PID:5268
- C:\Users\Admin\AppData\Local\Temp\fcb9f7538d764214a8f4206710204e4f.exe
  "C:\Users\Admin\AppData\Local\Temp\fcb9f7538d764214a8f4206710204e4f.exe"
  2⤵
  - Executes dropped EXE
  PID:5396
- C:\Users\Admin\AppData\Local\Temp\a99e7f5779a74b39b0d88dfc204213ce.exe
  "C:\Users\Admin\AppData\Local\Temp\a99e7f5779a74b39b0d88dfc204213ce.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5628
- C:\Users\Admin\AppData\Local\Temp\420ea28c36314af395b7ef04eefe107d.exe
  "C:\Users\Admin\AppData\Local\Temp\420ea28c36314af395b7ef04eefe107d.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:3336
- - C:\Users\Admin\AppData\Local\Temp\420ea28c36314af395b7ef04eefe107dSrv.exe
    C:\Users\Admin\AppData\Local\Temp\420ea28c36314af395b7ef04eefe107dSrv.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2584
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 320
      4⤵
      Program crash
      PID:1916
- C:\Users\Admin\AppData\Local\Temp\e9edbd1c38dd4245bb1d05dac2c354af.exe
  "C:\Users\Admin\AppData\Local\Temp\e9edbd1c38dd4245bb1d05dac2c354af.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1216
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 328
    3⤵
    - Program crash
    PID:888
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\2874331"
  2⤵
  PID:392
- C:\Users\Admin\AppData\Local\Temp\ee95c39e1d334c26be2ae75542f69092.exe
  "C:\Users\Admin\AppData\Local\Temp\ee95c39e1d334c26be2ae75542f69092.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Users\Admin\AppData\Local\Temp\ee95c39e1d334c26be2ae75542f69092Srv.exe
    C:\Users\Admin\AppData\Local\Temp\ee95c39e1d334c26be2ae75542f69092Srv.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1648
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 320
      4⤵
      Program crash
      PID:3620
- C:\Users\Admin\AppData\Local\Temp\64873ef65abc4ce7a96b41e04fcf7d4d.exe
  "C:\Users\Admin\AppData\Local\Temp\64873ef65abc4ce7a96b41e04fcf7d4d.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:5468
- C:\Users\Admin\AppData\Local\Temp\abebd79fd0bf41b296ba4d1d5d3c354a.exe
  "C:\Users\Admin\AppData\Local\Temp\abebd79fd0bf41b296ba4d1d5d3c354a.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  PID:5676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5676 -s 512
    3⤵
    - Program crash
    PID:784
- C:\Users\Admin\AppData\Local\Temp\7eaaefcbdcb34d5081ee8521bac39d3d.exe
  "C:\Users\Admin\AppData\Local\Temp\7eaaefcbdcb34d5081ee8521bac39d3d.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3400
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BE62.tmp\BE63.bat C:\Users\Admin\AppData\Local\Temp\7eaaefcbdcb34d5081ee8521bac39d3d.exe"
    3⤵
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1892
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f
      4⤵
      Adds Run key to start application
      PID:4000
  - - C:\Windows\system32\taskkill.exe
      taskkill /im /f chrome.exe
      4⤵
      Kills process with taskkill
      PID:4076
  - - C:\Windows\system32\taskkill.exe
      taskkill /im /f ie.exe
      4⤵
      Kills process with taskkill
      PID:5348
  - - C:\Windows\system32\taskkill.exe
      taskkill /im /f firefox.exe
      4⤵
      Kills process with taskkill
      PID:2440
  - - C:\Windows\system32\taskkill.exe
      taskkill /im /f opera.exe
      4⤵
      Kills process with taskkill
      PID:4892
  - - C:\Windows\system32\taskkill.exe
      taskkill /im /f safari.exe
      4⤵
      Kills process with taskkill
      PID:5924
  - - C:\Windows\system32\reg.exe
      Reg Delete HKLM\System\CurrentControlSet\Control\SafeBoot\*.* /q
      4⤵
      Modifies registry key
      PID:540
  - - C:\Windows\system32\reg.exe
      Reg Delete HKLM\System\CurrentControlSet\Control\SafeBoot /q
      4⤵
      Modifies registry key
      PID:6132
- C:\Users\Admin\AppData\Local\Temp\38c3d3e50fcb49b38071ca41e6300a4b.exe
  "C:\Users\Admin\AppData\Local\Temp\38c3d3e50fcb49b38071ca41e6300a4b.exe"
  2⤵
  PID:5088
- - C:\Users\Admin\AppData\Local\Temp\sys3.exe
    C:\Users\Admin\AppData\Local\Temp\\sys3.exe
    3⤵
    PID:4952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:5684

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2744

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:2380

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:3440

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004AC 0x00000000000004BC
1⤵
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2584 -ip 2584
1⤵
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1216 -ip 1216
1⤵
PID:5964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1648 -ip 1648
1⤵
PID:2740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 5676 -ip 5676
1⤵
PID:3188

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39e1055 /state1:0x41c64e6d
1⤵
PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\95cc9600a31a4559b3ecee637383a1e4.exe.log

Filesize
594B

MD5
17d54af051d6e2279756e0394df4e94f

SHA1
c781de77a9d3f733c873e692288fdb28f0979d31

SHA256
940a773e48b39e5986e29d7b7ff9f8d92318495d18192ffe80a4c8e9988def15

SHA512
2fc05b403c74d1a3fbd8f45a625b6d454abfb08e317fabf210b4a8fc1e0d08376fc781819e4feec4254bb5b84ab355e3cef524f93710fc0e1625c2e8f178fb77

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\de3bf7d5-5278-4c13-9364-1f548d4e7db5.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2874331

Filesize
96B

MD5
4f0f313d090a031e7bfffba76d78ecab

SHA1
0d577bc0155b493820fb9fd842e3dde629b90459

SHA256
a7546c5d43a26481aae0052942b9a7cdcfa3a5a8452c535fcbe0c62cd1df005e

SHA512
51824c60159f4ed3023af2a00dacb7889dad1efeae30cdd515bf16b456c610e0b83d4d326edc75b2eb925d510b36180e147b5bb54ccd2f102fe449676d223693

Download Submit
C:\Users\Admin\AppData\Local\Temp\2dfdf4b673db4b5c8121a753b9133b3f.exe

Filesize
16KB

MD5
683bcb1f86f4410931abe39a63eb7057

SHA1
d338aac5ff479fc94d3c840e862665de1dac8c8f

SHA256
c9f03a39789f7322ae43604db6ce7da86765ad4b13207091683cf47bdea8de12

SHA512
60b596947d93fdb196fcf338af92d26cdd82396283316352ead078ce1a85943bb85264901318f7061e6b0e49058ace521831a9275c025526373d9168c757cdd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\38c3d3e50fcb49b38071ca41e6300a4b.exe

Filesize
10KB

MD5
76386705862925ccbf1e3f711a6e6b56

SHA1
2335fae9eb828b09930a2b01910b1b594395004e

SHA256
a62e7ad75ab140bf45272989ac9b9f5937298c8c5ffdccd19323452c0e793b90

SHA512
893000f32223c67dce85c7a9f0edd315743ce56372557d432a1c6fcb19b728e7110adee7e23f7de7b6ad59f48fe632d27ebafcb0fab00a3ecad01a23c7e6000f

Download Submit
C:\Users\Admin\AppData\Local\Temp\420ea28c36314af395b7ef04eefe107d.exe

Filesize
76KB

MD5
6d7f5d02d25e289cb29cc23b8e90e484

SHA1
15a5d3b93a149689df3c396ce2243ba4d027f0b3

SHA256
cd5dfdde4767c1f70756f5ffb8bfcca701ed62a96bfa6a007e32e5916b5021e6

SHA512
8af7188fa6ae5d03ae60929744c852e14151d411b83c62297185229f6ab3ebff562b09426393995427d05f19bbef3b6cbee1e483255b91e0adb429d421c297fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\420ea28c36314af395b7ef04eefe107dSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ee7f7834e8f41998c06f7dc51203082.exe

Filesize
997KB

MD5
28aaac578be4ce06cb695e4f927b4302

SHA1
880ab0560b81e05e920f9ec1d6c0ecf5e04eaa7e

SHA256
8929d3b749ff91527b8e407eff6bde4bb0bb27739313b5c0db0434cbf700dbfc

SHA512
068698bda0543c773b36830f6760456e40e9046d9d20089ad88cb646ef5c7bd6c6716c6d59cfc7abd5bffb9129f5a7076e2f9c9b321795f224923f00b7b91374

Download Submit
C:\Users\Admin\AppData\Local\Temp\64873ef65abc4ce7a96b41e04fcf7d4d.exe

Filesize
500KB

MD5
07a9f858f9867f52163d7cec3bd899e3

SHA1
d7feae9f88b807606b747a27ac95ede57b2615f5

SHA256
0fde5da043382f46f04eaa04028fba0d127c20b87b88fbd7966805d5c93307ca

SHA512
e07185b51ea52aa9850beaa099a621383a06d452666e96b25e2f0a9f7152fe5f4dbcc8a75a6cb336ee80c4273f85d04abdc142e7d0f87a4f2a9b85a51036cb30

Download Submit
C:\Users\Admin\AppData\Local\Temp\7eaaefcbdcb34d5081ee8521bac39d3d.exe

Filesize
69KB

MD5
57aefeb4dc6a62340c9cd1ee49d043d1

SHA1
e769b03d88cc128982f5394c28f6ba31cac957b7

SHA256
6f396703789bb1d26f98023d79f1a634dadc1cd5c2f3c096a42119e022381edd

SHA512
db2a5c757f9d90da18a48cd6fdec120439b1e3ae9552c76d433da890c68cb9ff65f9c35da5f97a4e9bfbda1feb214895e7121fe63dd4318149a6aedf348c2e89

Download Submit
C:\Users\Admin\AppData\Local\Temp\8a604591af664133a040b4db76806c6f.exe

Filesize
583KB

MD5
320b1115164e8b5e1316d86eb29cd299

SHA1
bc046d8b14359a7a2bebdecbb819e76c47d84d1b

SHA256
d88f5b00da5f05ab7f55fd7c414bb56aaf47e9f51365aaabd71f3ace3cc77523

SHA512
fab558cf31aa79caf8e4f6e5649e4e484de3e29bae1386aa61749b70e8c791d74b01fa964501d4755c7688d0420e932f30e36699a2fe4488fae82ee23558afd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\95cc9600a31a4559b3ecee637383a1e4.exe

Filesize
345KB

MD5
8efb7339fe13cf8cea9f6445776655c0

SHA1
081afd73c757c83825cf1e8ed4a4eab259d23b97

SHA256
c1badbacd2abe44fe4e8685c8eee7e983bf8b6780cfca03ae31f8fcebc98b1fb

SHA512
2a37e74aeff17b4f435d02a30019a017a4ff4fa29fc898229f6195876f53b38154c063cf052deebcc06785650f875d67eeb0de372a76df3c4e71bd4fc0392956

Download Submit
C:\Users\Admin\AppData\Local\Temp\BE62.tmp\BE63.bat

Filesize
1KB

MD5
2854ba232e3a9bd85ebbc306b5fdbb93

SHA1
62f6c8eb5dc94e0a13ca36f880927bfbae826d8a

SHA256
995feb5aabca4e0a431003d2cf0989aafe34afaec0a42c7305d610512c9dc3b5

SHA512
ed9207b247462ef4325fed7a0f2c17263ace7117eea2b40c1ff9a966a4b2c7dcfc8f84d80e81e69e4758f9e0ff9f3f85a4085caa8633d4ad86406896e314073a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a38b4a829f2445ccb50e53b43be0b202.exe

Filesize
844KB

MD5
8cac1595b184f66d7a122af38d5dfe71

SHA1
e0bc0162472edf77a05134e77b540663ac050ab6

SHA256
00201a2fd4916193c9c7bbba7be6a77fa5876085480b67da4e1228fd8b23ae5f

SHA512
88d3753ce73bbf95ee1fdbdff21eb9331e59ca92cfa5c489f141c07dc90871e3032e331c9dd77b1fec4522add3ac25c51d5c699d7801a5343dd2ae447c60f8f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a99e7f5779a74b39b0d88dfc204213ce.exe

Filesize
28KB

MD5
62cbb85434223022a0b0e369b227a3d9

SHA1
4978b691168f16c678a1ffe53e126ba1d946bce0

SHA256
ea3087204e3ed644308a0a96bbf319590a9b2701ac850bb63f2ba3dc4955f1fd

SHA512
f76d281ce4c4401315f811dba1512757fa59a9c1ca6486c006f7861aed793a1f196fd66b772405374a751f383b5a234234e64de16f2fe9d613694e354b882f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\abd28a3d0ea344bba5184a3f2ec8725c.exe

Filesize
336KB

MD5
30ffa22d936df7a75075352a5a0ee10b

SHA1
253abf846e56b1ba34017f3fd7e3a8848e7690fe

SHA256
6cfda6dae076c43a53a258cf73abc43ab7afc64b40d10708de701cbddcbf3b8d

SHA512
9dbfc99c79270c74d7449f3bd75f49566cd17b4cc76268b179a25ac55a7c152f858592fb904913dea69a96d2fa987e5cccb10c7f22acb7ad10e532745ca87ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\abebd79fd0bf41b296ba4d1d5d3c354a.exe

Filesize
47KB

MD5
c61693e8d501dcdbcd2346853a80417a

SHA1
edf5803d2c9cc7807b571d9d081ca06387ee7cd9

SHA256
f0d5399c42971102e56abbcc9efd1d0b104ddb36da5bccd67e18850a1a21fad4

SHA512
8cc0fe94e144e754cf0fd0d4de2f4361adaf7fc83116fc3009272efa6df2eb0c60b04dc037ffde1581906471196ffae0cb51262a7ac731b515ff091a64da41d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae63de9a6ae14b478d8d4b16cd20d84a.exe

Filesize
398KB

MD5
cdc5de14efb4fb2c0bae2db79b88c054

SHA1
e5d7c97d11a2d5803c670bb06596eaa93551bd99

SHA256
9ef6728c8a51744786ab767b921f50484820c4a4a92792e57884024b1a04a4e8

SHA512
e528d0d8eae7b22daea61a1074992101b2cac172d036904fb6766c8d48d53983d59aae4dc364f40b6fbddff727209e336c8547313502f0ed180c7943b171c94e

Download Submit
C:\Users\Admin\AppData\Local\Temp\af11a4b27ebc4103b9c2a63ee0506b3a.exe

Filesize
961KB

MD5
4723c3c04794c09bbcb6e03f48440f15

SHA1
a5ef69c9dc9eacc2099d9c239146a0e360f1837f

SHA256
0d635f035cdb2fd3afda768cd631481ff980957b614a3cf3fca6c592c6c06470

SHA512
5b68e1cd3d6bb85b5f449014cc288423faea76ff0ecf8834047dac1ed6e84c4d858a7ed23abe3625d781391f636893736bf5c00474ad0995e75611c1557c5c4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee95c39e1d334c26be2ae75542f69092.exe

Filesize
172KB

MD5
7eb8c9c1701f6b347721b42ba15c0993

SHA1
13e62637aa5c402383f5665d20c7491c51bccbdc

SHA256
6d5e92ccc9d65e02d8f805e3f4e33841db34a562b3c882a137146461a56bdec2

SHA512
22572a6ebf16b5e260c5d99f30aaefabd88a143bc6b6a9a4d7b82a31ffeb7970d3701c697fcb4c692c6f450782982f3e43f74e3b01fe3ebf1957fc0ef0a4a072

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcb9f7538d764214a8f4206710204e4f.exe

Filesize
280KB

MD5
dedabad13c1c4cc92c4ed2122473eb8a

SHA1
a13385641ddcbdc371dce3607381883d52ed9822

SHA256
5dc4f19b34a738b4eef99c1229b2c7e7492040819d92ddbbf52bbde2a600c2ed

SHA512
45b66665cb3e484c82775c9972f444b1d8fe6f7ef5a55185a3c071f84e9f5dd2a039c9f9e26392e950585cbf965b987df9c789106bddcb35ee55ad0ff91b190b

Download Submit
C:\Users\Admin\AppData\Local\Temp\systm.txt

Filesize
70B

MD5
adff4faa6038ba596ad23f59428573ea

SHA1
d63c11774bd2c94ea9a3cdb17b8cdf0d781ba11e

SHA256
519437bc16fd54e5423739d47570fb7d6feee64408326fd9798a567160c49405

SHA512
c51d0a0d5cdf4ada4cee27756324633a1e6311c18f2233fa3f80683ff22c54e56eaea21c0009e626e806ee6d334a59f5529909cc8d976361419b97e50a6ca419

Download Submit
memory/392-195-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/392-196-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/392-202-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/392-197-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2580-222-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2580-229-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2584-178-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2584-179-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2732-2-0x0000000074BA0000-0x0000000075151000-memory.dmp

Filesize
5.7MB

Download
memory/2732-4-0x0000000074BA0000-0x0000000075151000-memory.dmp

Filesize
5.7MB

Download
memory/2732-15-0x0000000074BA0000-0x0000000075151000-memory.dmp

Filesize
5.7MB

Download
memory/2732-0-0x0000000074BA1000-0x0000000074BA2000-memory.dmp

Filesize
4KB

Download
memory/2732-1-0x0000000074BA0000-0x0000000075151000-memory.dmp

Filesize
5.7MB

Download
memory/2732-14-0x0000000074BA0000-0x0000000075151000-memory.dmp

Filesize
5.7MB

Download
memory/2732-3-0x0000000074BA0000-0x0000000075151000-memory.dmp

Filesize
5.7MB

Download
memory/3336-210-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3336-246-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3336-208-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3336-249-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3336-182-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3336-228-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3336-173-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3336-181-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3748-61-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4156-40-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/4156-41-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/5088-292-0x000000002AA00000-0x000000002AA05000-memory.dmp

Filesize
20KB

Download
memory/5088-298-0x000000002AA00000-0x000000002AA05000-memory.dmp

Filesize
20KB

Download
memory/5196-27-0x000000001B850000-0x000000001B8F6000-memory.dmp

Filesize
664KB

Download
memory/5196-28-0x000000001BDD0000-0x000000001C29E000-memory.dmp

Filesize
4.8MB

Download
memory/5196-29-0x000000001C340000-0x000000001C3DC000-memory.dmp

Filesize
624KB

Download
memory/5196-30-0x0000000001090000-0x0000000001098000-memory.dmp

Filesize
32KB

Download
memory/5196-31-0x000000001C570000-0x000000001C5BC000-memory.dmp

Filesize
304KB

Download
memory/5676-291-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads