njrat | 3990ab6d73f0a92606cb4c86d39e077f014da65413a264be94d03ca8478e64b8

Analysis

max time kernel
231s
max time network
268s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
21/03/2025, 20:56

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

pisun.exe
Size

54KB
MD5

45140e967970cd63521eaa76dc4db7d7
SHA1

aae8aa4c5fb8e1d5a830f1f095d7550a89b7634a
SHA256

3990ab6d73f0a92606cb4c86d39e077f014da65413a264be94d03ca8478e64b8
SHA512

d8c5274fc1c66700c3fb63527973cb20106070698eebdf90e6b3f9ace371e34a653e382f949683d9aab0cb33fdd00ab2b943e499a4d2d6f42a24822fa2142129
SSDEEP

768:U8I0g652Esltuq55JR2ET3NwJSNbxWQG35bmaePD5PvXOC2XXJdxIEpmvg:U8ZVGtZ5DTCGlWQcGD0LX3xIEpmvg

Score

10^/10

njrat bootkit defense_evasion discovery persistence trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Disables Task Manager via registry modification
defense_evasion

Executes dropped EXE 17 IoCs

pid	Process
3656	34649c947c02403bbd57c24c9bd8e452.exe
4888	3d7ef531c8a948428b995bec8bf50fc1.exe
2944	6c9d7fd908e049d5b10b59971951246a.exe
2960	b5f8e207c68e424291c1b61258664349.exe
488	097d54ccb8d647439b6bb54e1a8af4fb.exe
5272	077c70ba85fc42f58e0e8158864b973e.exe
4156	899b9a40bf0d4414a8c9b0a50624648c.exe
696	644e2cd0184d41bc9634b7dc2e2c5556.exe
2312	cbafff2707ed484ea70636e83e70c129.exe
3176	741d3d06f0b846cb9b3dcbcf0ba73b82.exe
3196	13974ab250774398bbccfbf8755793dd.exe
2092	ce3e2f7c827d4400b76568be964673fc.exe
772	20628bd4123646a194bd61cfac56d277.exe
4564	1e0f36bbc57c47fe99e54103b7b6e045.exe
4676	b94792324f6e4ba6a45774743b5d0569.exe
1096	d135fd72a7e347b4b9a8134f60cac065.exe
5624	82dff2544eaf4c0183e6bd9c53590be8.exe

Writes to the Master Boot Record (MBR) 1 TTPs 6 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	d135fd72a7e347b4b9a8134f60cac065.exe
File opened for modification	\??\PhysicalDrive0	pisun.exe
File opened for modification	\??\PhysicalDrive0	34649c947c02403bbd57c24c9bd8e452.exe
File opened for modification	\??\PhysicalDrive0	1e0f36bbc57c47fe99e54103b7b6e045.exe
File opened for modification	\??\PhysicalDrive0	b94792324f6e4ba6a45774743b5d0569.exe
File opened for modification	\??\PhysicalDrive0	82dff2544eaf4c0183e6bd9c53590be8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pisun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e0f36bbc57c47fe99e54103b7b6e045.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b94792324f6e4ba6a45774743b5d0569.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d135fd72a7e347b4b9a8134f60cac065.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	34649c947c02403bbd57c24c9bd8e452.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82dff2544eaf4c0183e6bd9c53590be8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
5096	reg.exe
4044	reg.exe
2084	reg.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
3656	34649c947c02403bbd57c24c9bd8e452.exe
3656	34649c947c02403bbd57c24c9bd8e452.exe
3656	34649c947c02403bbd57c24c9bd8e452.exe
3656	34649c947c02403bbd57c24c9bd8e452.exe
3656	34649c947c02403bbd57c24c9bd8e452.exe
3656	34649c947c02403bbd57c24c9bd8e452.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1808	pisun.exe
Token: 33	1808	pisun.exe
Token: SeIncBasePriorityPrivilege	1808	pisun.exe
Token: 33	1808	pisun.exe
Token: SeIncBasePriorityPrivilege	1808	pisun.exe
Token: 33	1808	pisun.exe
Token: SeIncBasePriorityPrivilege	1808	pisun.exe
Token: SeDebugPrivilege	3656	34649c947c02403bbd57c24c9bd8e452.exe
Token: 33	3656	34649c947c02403bbd57c24c9bd8e452.exe
Token: SeIncBasePriorityPrivilege	3656	34649c947c02403bbd57c24c9bd8e452.exe
Token: 33	1808	pisun.exe
Token: SeIncBasePriorityPrivilege	1808	pisun.exe
Token: 33	3656	34649c947c02403bbd57c24c9bd8e452.exe
Token: SeIncBasePriorityPrivilege	3656	34649c947c02403bbd57c24c9bd8e452.exe
Token: 33	5388	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5388	AUDIODG.EXE
Token: 33	1808	pisun.exe
Token: SeIncBasePriorityPrivilege	1808	pisun.exe
Token: 33	3656	34649c947c02403bbd57c24c9bd8e452.exe
Token: SeIncBasePriorityPrivilege	3656	34649c947c02403bbd57c24c9bd8e452.exe
Token: 33	1808	pisun.exe
Token: SeIncBasePriorityPrivilege	1808	pisun.exe
Token: 33	3656	34649c947c02403bbd57c24c9bd8e452.exe
Token: SeIncBasePriorityPrivilege	3656	34649c947c02403bbd57c24c9bd8e452.exe
Token: 33	1808	pisun.exe
Token: SeIncBasePriorityPrivilege	1808	pisun.exe
Token: 33	3656	34649c947c02403bbd57c24c9bd8e452.exe
Token: SeIncBasePriorityPrivilege	3656	34649c947c02403bbd57c24c9bd8e452.exe
Token: 33	1808	pisun.exe
Token: SeIncBasePriorityPrivilege	1808	pisun.exe
Token: 33	3656	34649c947c02403bbd57c24c9bd8e452.exe
Token: SeIncBasePriorityPrivilege	3656	34649c947c02403bbd57c24c9bd8e452.exe
Token: 33	1808	pisun.exe
Token: SeIncBasePriorityPrivilege	1808	pisun.exe
Token: 33	3656	34649c947c02403bbd57c24c9bd8e452.exe
Token: SeIncBasePriorityPrivilege	3656	34649c947c02403bbd57c24c9bd8e452.exe
Token: 33	1808	pisun.exe
Token: SeIncBasePriorityPrivilege	1808	pisun.exe
Token: 33	3656	34649c947c02403bbd57c24c9bd8e452.exe
Token: SeIncBasePriorityPrivilege	3656	34649c947c02403bbd57c24c9bd8e452.exe
Token: 33	1808	pisun.exe
Token: SeIncBasePriorityPrivilege	1808	pisun.exe
Token: 33	3656	34649c947c02403bbd57c24c9bd8e452.exe
Token: SeIncBasePriorityPrivilege	3656	34649c947c02403bbd57c24c9bd8e452.exe
Token: 33	1808	pisun.exe
Token: SeIncBasePriorityPrivilege	1808	pisun.exe
Token: 33	3656	34649c947c02403bbd57c24c9bd8e452.exe
Token: SeIncBasePriorityPrivilege	3656	34649c947c02403bbd57c24c9bd8e452.exe
Token: 33	1808	pisun.exe
Token: SeIncBasePriorityPrivilege	1808	pisun.exe
Token: 33	3656	34649c947c02403bbd57c24c9bd8e452.exe
Token: SeIncBasePriorityPrivilege	3656	34649c947c02403bbd57c24c9bd8e452.exe
Token: 33	1808	pisun.exe
Token: SeIncBasePriorityPrivilege	1808	pisun.exe
Token: 33	3656	34649c947c02403bbd57c24c9bd8e452.exe
Token: SeIncBasePriorityPrivilege	3656	34649c947c02403bbd57c24c9bd8e452.exe
Token: 33	1808	pisun.exe
Token: SeIncBasePriorityPrivilege	1808	pisun.exe
Token: 33	3656	34649c947c02403bbd57c24c9bd8e452.exe
Token: SeIncBasePriorityPrivilege	3656	34649c947c02403bbd57c24c9bd8e452.exe
Token: 33	1808	pisun.exe
Token: SeIncBasePriorityPrivilege	1808	pisun.exe
Token: 33	3656	34649c947c02403bbd57c24c9bd8e452.exe
Token: SeIncBasePriorityPrivilege	3656	34649c947c02403bbd57c24c9bd8e452.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
1808	pisun.exe
3656	34649c947c02403bbd57c24c9bd8e452.exe
3656	34649c947c02403bbd57c24c9bd8e452.exe
3656	34649c947c02403bbd57c24c9bd8e452.exe
1808	pisun.exe
3656	34649c947c02403bbd57c24c9bd8e452.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 3656	1808	pisun.exe	79
PID 1808 wrote to memory of 3656	1808	pisun.exe	79
PID 1808 wrote to memory of 3656	1808	pisun.exe	79
PID 1808 wrote to memory of 4888	1808	pisun.exe	81
PID 1808 wrote to memory of 4888	1808	pisun.exe	81
PID 1808 wrote to memory of 2944	1808	pisun.exe	82
PID 1808 wrote to memory of 2944	1808	pisun.exe	82
PID 1808 wrote to memory of 2960	1808	pisun.exe	83
PID 1808 wrote to memory of 2960	1808	pisun.exe	83
PID 1808 wrote to memory of 488	1808	pisun.exe	84
PID 1808 wrote to memory of 488	1808	pisun.exe	84
PID 1808 wrote to memory of 5272	1808	pisun.exe	85
PID 1808 wrote to memory of 5272	1808	pisun.exe	85
PID 1808 wrote to memory of 4156	1808	pisun.exe	86
PID 1808 wrote to memory of 4156	1808	pisun.exe	86
PID 1808 wrote to memory of 696	1808	pisun.exe	87
PID 1808 wrote to memory of 696	1808	pisun.exe	87
PID 1808 wrote to memory of 2312	1808	pisun.exe	88
PID 1808 wrote to memory of 2312	1808	pisun.exe	88
PID 1808 wrote to memory of 3176	1808	pisun.exe	89
PID 1808 wrote to memory of 3176	1808	pisun.exe	89
PID 1808 wrote to memory of 3196	1808	pisun.exe	90
PID 1808 wrote to memory of 3196	1808	pisun.exe	90
PID 1808 wrote to memory of 2092	1808	pisun.exe	91
PID 1808 wrote to memory of 2092	1808	pisun.exe	91
PID 1808 wrote to memory of 772	1808	pisun.exe	92
PID 1808 wrote to memory of 772	1808	pisun.exe	92
PID 3656 wrote to memory of 4564	3656	34649c947c02403bbd57c24c9bd8e452.exe	93
PID 3656 wrote to memory of 4564	3656	34649c947c02403bbd57c24c9bd8e452.exe	93
PID 3656 wrote to memory of 4564	3656	34649c947c02403bbd57c24c9bd8e452.exe	93
PID 3656 wrote to memory of 4676	3656	34649c947c02403bbd57c24c9bd8e452.exe	95
PID 3656 wrote to memory of 4676	3656	34649c947c02403bbd57c24c9bd8e452.exe	95
PID 3656 wrote to memory of 4676	3656	34649c947c02403bbd57c24c9bd8e452.exe	95
PID 4676 wrote to memory of 4828	4676	b94792324f6e4ba6a45774743b5d0569.exe	96
PID 4676 wrote to memory of 4828	4676	b94792324f6e4ba6a45774743b5d0569.exe	96
PID 4676 wrote to memory of 4828	4676	b94792324f6e4ba6a45774743b5d0569.exe	96
PID 4828 wrote to memory of 5096	4828	cmd.exe	98
PID 4828 wrote to memory of 5096	4828	cmd.exe	98
PID 4828 wrote to memory of 5096	4828	cmd.exe	98
PID 3656 wrote to memory of 1096	3656	34649c947c02403bbd57c24c9bd8e452.exe	99
PID 3656 wrote to memory of 1096	3656	34649c947c02403bbd57c24c9bd8e452.exe	99
PID 3656 wrote to memory of 1096	3656	34649c947c02403bbd57c24c9bd8e452.exe	99
PID 3656 wrote to memory of 5624	3656	34649c947c02403bbd57c24c9bd8e452.exe	100
PID 3656 wrote to memory of 5624	3656	34649c947c02403bbd57c24c9bd8e452.exe	100
PID 3656 wrote to memory of 5624	3656	34649c947c02403bbd57c24c9bd8e452.exe	100
PID 5624 wrote to memory of 3972	5624	82dff2544eaf4c0183e6bd9c53590be8.exe	101
PID 5624 wrote to memory of 3972	5624	82dff2544eaf4c0183e6bd9c53590be8.exe	101
PID 5624 wrote to memory of 3972	5624	82dff2544eaf4c0183e6bd9c53590be8.exe	101
PID 3972 wrote to memory of 4044	3972	cmd.exe	103
PID 3972 wrote to memory of 4044	3972	cmd.exe	103
PID 3972 wrote to memory of 4044	3972	cmd.exe	103
PID 1096 wrote to memory of 5812	1096	d135fd72a7e347b4b9a8134f60cac065.exe	104
PID 1096 wrote to memory of 5812	1096	d135fd72a7e347b4b9a8134f60cac065.exe	104
PID 1096 wrote to memory of 5812	1096	d135fd72a7e347b4b9a8134f60cac065.exe	104
PID 5812 wrote to memory of 2084	5812	cmd.exe	106
PID 5812 wrote to memory of 2084	5812	cmd.exe	106
PID 5812 wrote to memory of 2084	5812	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\pisun.exe
"C:\Users\Admin\AppData\Local\Temp\pisun.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\AppData\Local\Temp\34649c947c02403bbd57c24c9bd8e452.exe
  "C:\Users\Admin\AppData\Local\Temp\34649c947c02403bbd57c24c9bd8e452.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Users\Admin\AppData\Local\Temp\1e0f36bbc57c47fe99e54103b7b6e045.exe
    "C:\Users\Admin\AppData\Local\Temp\1e0f36bbc57c47fe99e54103b7b6e045.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    PID:4564
- - C:\Users\Admin\AppData\Local\Temp\b94792324f6e4ba6a45774743b5d0569.exe
    "C:\Users\Admin\AppData\Local\Temp\b94792324f6e4ba6a45774743b5d0569.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4676
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4828
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5096
- - C:\Users\Admin\AppData\Local\Temp\d135fd72a7e347b4b9a8134f60cac065.exe
    "C:\Users\Admin\AppData\Local\Temp\d135fd72a7e347b4b9a8134f60cac065.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1096
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5812
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2084
- - C:\Users\Admin\AppData\Local\Temp\82dff2544eaf4c0183e6bd9c53590be8.exe
    "C:\Users\Admin\AppData\Local\Temp\82dff2544eaf4c0183e6bd9c53590be8.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3972
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4044
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c start shutdown /r /f /t 0
    3⤵
    PID:2592
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown /r /f /t 0
      4⤵
      PID:1020
- C:\Users\Admin\AppData\Local\Temp\3d7ef531c8a948428b995bec8bf50fc1.exe
  "C:\Users\Admin\AppData\Local\Temp\3d7ef531c8a948428b995bec8bf50fc1.exe"
  2⤵
  - Executes dropped EXE
  PID:4888
- C:\Users\Admin\AppData\Local\Temp\6c9d7fd908e049d5b10b59971951246a.exe
  "C:\Users\Admin\AppData\Local\Temp\6c9d7fd908e049d5b10b59971951246a.exe"
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Users\Admin\AppData\Local\Temp\b5f8e207c68e424291c1b61258664349.exe
  "C:\Users\Admin\AppData\Local\Temp\b5f8e207c68e424291c1b61258664349.exe"
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Users\Admin\AppData\Local\Temp\097d54ccb8d647439b6bb54e1a8af4fb.exe
  "C:\Users\Admin\AppData\Local\Temp\097d54ccb8d647439b6bb54e1a8af4fb.exe"
  2⤵
  - Executes dropped EXE
  PID:488
- C:\Users\Admin\AppData\Local\Temp\077c70ba85fc42f58e0e8158864b973e.exe
  "C:\Users\Admin\AppData\Local\Temp\077c70ba85fc42f58e0e8158864b973e.exe"
  2⤵
  - Executes dropped EXE
  PID:5272
- C:\Users\Admin\AppData\Local\Temp\899b9a40bf0d4414a8c9b0a50624648c.exe
  "C:\Users\Admin\AppData\Local\Temp\899b9a40bf0d4414a8c9b0a50624648c.exe"
  2⤵
  - Executes dropped EXE
  PID:4156
- C:\Users\Admin\AppData\Local\Temp\644e2cd0184d41bc9634b7dc2e2c5556.exe
  "C:\Users\Admin\AppData\Local\Temp\644e2cd0184d41bc9634b7dc2e2c5556.exe"
  2⤵
  - Executes dropped EXE
  PID:696
- C:\Users\Admin\AppData\Local\Temp\cbafff2707ed484ea70636e83e70c129.exe
  "C:\Users\Admin\AppData\Local\Temp\cbafff2707ed484ea70636e83e70c129.exe"
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Users\Admin\AppData\Local\Temp\741d3d06f0b846cb9b3dcbcf0ba73b82.exe
  "C:\Users\Admin\AppData\Local\Temp\741d3d06f0b846cb9b3dcbcf0ba73b82.exe"
  2⤵
  - Executes dropped EXE
  PID:3176
- C:\Users\Admin\AppData\Local\Temp\13974ab250774398bbccfbf8755793dd.exe
  "C:\Users\Admin\AppData\Local\Temp\13974ab250774398bbccfbf8755793dd.exe"
  2⤵
  - Executes dropped EXE
  PID:3196
- C:\Users\Admin\AppData\Local\Temp\ce3e2f7c827d4400b76568be964673fc.exe
  "C:\Users\Admin\AppData\Local\Temp\ce3e2f7c827d4400b76568be964673fc.exe"
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\Users\Admin\AppData\Local\Temp\20628bd4123646a194bd61cfac56d277.exe
  "C:\Users\Admin\AppData\Local\Temp\20628bd4123646a194bd61cfac56d277.exe"
  2⤵
  - Executes dropped EXE
  PID:772

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004E8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5388

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39df055 /state1:0x41c64e6d
1⤵
PID:5968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\077c70ba85fc42f58e0e8158864b973e.exe.log

Filesize
594B

MD5
17d54af051d6e2279756e0394df4e94f

SHA1
c781de77a9d3f733c873e692288fdb28f0979d31

SHA256
940a773e48b39e5986e29d7b7ff9f8d92318495d18192ffe80a4c8e9988def15

SHA512
2fc05b403c74d1a3fbd8f45a625b6d454abfb08e317fabf210b4a8fc1e0d08376fc781819e4feec4254bb5b84ab355e3cef524f93710fc0e1625c2e8f178fb77

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e0f36bbc57c47fe99e54103b7b6e045.exe

Filesize
135KB

MD5
c971c68b4e58ccc82802b21ae8488bc7

SHA1
7305f3a0a0a0d489e0bcf664353289f61556de77

SHA256
cede0b15d88c20bc750b516858f8bf31ee472f6cbd01640840890736c4333cce

SHA512
ff199691c35f2748772410bf454e8b76dd67d892dd76fc87d20b3bbe6c145c6af1685344de636326692df792f55d0fba9a0025a7cf491d0b4e73ff45c3b039d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\34649c947c02403bbd57c24c9bd8e452.exe

Filesize
54KB

MD5
036b3d9a4d952a24395e7bb611c343fc

SHA1
c22e1bd6a08cb355af0916d071c1bca492b71948

SHA256
4f04da82187c751bef7418649b8581ae26258687eb437293bc1580339de7a414

SHA512
2a0e6508fba8adec93929db094e664b252cfa635694a7d2e72c4b7d3ba2be6d30c37e5de17559dd728fdeda27fd5f843247a197339255b1d2c178dea34c6652b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d7ef531c8a948428b995bec8bf50fc1.exe

Filesize
844KB

MD5
8cac1595b184f66d7a122af38d5dfe71

SHA1
e0bc0162472edf77a05134e77b540663ac050ab6

SHA256
00201a2fd4916193c9c7bbba7be6a77fa5876085480b67da4e1228fd8b23ae5f

SHA512
88d3753ce73bbf95ee1fdbdff21eb9331e59ca92cfa5c489f141c07dc90871e3032e331c9dd77b1fec4522add3ac25c51d5c699d7801a5343dd2ae447c60f8f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\741d3d06f0b846cb9b3dcbcf0ba73b82.exe

Filesize
961KB

MD5
4723c3c04794c09bbcb6e03f48440f15

SHA1
a5ef69c9dc9eacc2099d9c239146a0e360f1837f

SHA256
0d635f035cdb2fd3afda768cd631481ff980957b614a3cf3fca6c592c6c06470

SHA512
5b68e1cd3d6bb85b5f449014cc288423faea76ff0ecf8834047dac1ed6e84c4d858a7ed23abe3625d781391f636893736bf5c00474ad0995e75611c1557c5c4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\82dff2544eaf4c0183e6bd9c53590be8.exe

Filesize
63KB

MD5
2cf51977ed60a9a59d29a72075ce52ad

SHA1
960e40eaa8445c0049d11f97abba7f4b465ad4d5

SHA256
64735679e70b0d6e67198c28df11cf449dc114df01f6c336d61a9da39448f853

SHA512
bfcad9e99ff0dfd2cd917b8160cccab3710ed9974a6c15ea7dd1b0db965a51eec5ac588a87c4bab37af60504a3deb4f11de0a4d93a0c3648673b0dc0824646ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\899b9a40bf0d4414a8c9b0a50624648c.exe

Filesize
997KB

MD5
28aaac578be4ce06cb695e4f927b4302

SHA1
880ab0560b81e05e920f9ec1d6c0ecf5e04eaa7e

SHA256
8929d3b749ff91527b8e407eff6bde4bb0bb27739313b5c0db0434cbf700dbfc

SHA512
068698bda0543c773b36830f6760456e40e9046d9d20089ad88cb646ef5c7bd6c6716c6d59cfc7abd5bffb9129f5a7076e2f9c9b321795f224923f00b7b91374

Download Submit
C:\Users\Admin\AppData\Local\Temp\b94792324f6e4ba6a45774743b5d0569.exe

Filesize
263KB

MD5
bbb9f19a08712300e0b9afddf1aecb5d

SHA1
0e0778cb6b0396fe98a01772f8cbb3129dfd971a

SHA256
368234de5fb9ea1a242dd22857156ddd2e6f3fa068a78199a3a2606996cf2e82

SHA512
20d7bbb4c92c11be620268d259d06b0fc9a31dc6924e84fb88671cc9be6bc35ff0949a2291da5ab3d21980689545c2c6c5996b079c50e5400f0f4a454bc879b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d135fd72a7e347b4b9a8134f60cac065.exe

Filesize
283KB

MD5
2b1e9226d7e1015552a21faca891ec41

SHA1
f87fcbe10fa9312048214d4473498ad4f9f331ce

SHA256
7163fefbf2f865ef78a2d3d4480532fffb979300d6f0a77b6f3fc5c4b0d2cada

SHA512
1852f6d05c9fca962178bc190bc8c90f0ca54ea99714480690f44417e49eee6c392579091ae8a6cd053ec47ad1980dbbbc0db3e0e00520ee1bdbadbf8dc9d69e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_4631E304968F46FE9F98D2291C758A5E.dat

Filesize
940B

MD5
19f1e508eb7214da7117718da7557110

SHA1
18adc8bc4510d8de27d59297c9132820c00cbe76

SHA256
21c712fcdcb9cf64d15635b510656bb23e0a7d9b03c1fc622b38e99e111ee4de

SHA512
2bf03a513d8e851e4ca33ceb23681af2b06762aad0add07d3fde6540779d01619c90d583d3af4fe361a1be930124a26ed46c5205b0c76605cba2f0c0ae174856

Download Submit
memory/1808-4-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/1808-16-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/1808-0-0x0000000074E91000-0x0000000074E92000-memory.dmp

Filesize
4KB

Download
memory/1808-231-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/1808-5-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/1808-3-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/1808-2-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/1808-1-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/3656-15-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/3656-18-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/3656-14-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/3656-232-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/3656-17-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/3656-179-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/3656-19-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/3656-188-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/4676-200-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4888-40-0x000000001BFE0000-0x000000001C086000-memory.dmp

Filesize
664KB

Download
memory/4888-44-0x000000001CD70000-0x000000001CDBC000-memory.dmp

Filesize
304KB

Download
memory/4888-41-0x000000001C560000-0x000000001CA2E000-memory.dmp

Filesize
4.8MB

Download
memory/4888-42-0x000000001CAD0000-0x000000001CB6C000-memory.dmp

Filesize
624KB

Download
memory/4888-43-0x0000000001970000-0x0000000001978000-memory.dmp

Filesize
32KB

Download
memory/5624-222-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads