azorult | 394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a

Analysis

max time kernel
149s
max time network
140s
platform
windows7_x64
resource
win7-en-20210920
submitted
03-10-2021 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
Size

3.6MB
MD5

1c14f817504c54653c779387de0a058a
SHA1

87e8826484135a91d14a610176f7ed6347ebdc5d
SHA256

394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a
SHA512

10e8886d68c8e0db77037d926a613301b915afd79320d53a25f8174a63530facf68f76eb4d24a19d138049662f627520211fa80f3ab51a77037ecb8c6952bf8b

Score

10^/10

azorult oski raccoon e16d9c3413a8d3bc552d87560e5a14148908608d discovery infostealer spyware stealer trojan

Malware Config

Extracted

Family

raccoon

Botnet

e16d9c3413a8d3bc552d87560e5a14148908608d

Attributes

url4cnc
https://t.me/brikitiki

rc4.plain

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

oski

maurizio.ug

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

Syrtlbqrhgojcisaconsoleapp18.exeSyrtlbqrhgojcisaconsoleapp18.exeQtscbzjoconsoleapp5.exeQtscbzjoconsoleapp5.exe

pid process

2032 Syrtlbqrhgojcisaconsoleapp18.exe
872 Syrtlbqrhgojcisaconsoleapp18.exe
576 Qtscbzjoconsoleapp5.exe
1580 Qtscbzjoconsoleapp5.exe

pid	process
2032	Syrtlbqrhgojcisaconsoleapp18.exe
872	Syrtlbqrhgojcisaconsoleapp18.exe
576	Qtscbzjoconsoleapp5.exe
1580	Qtscbzjoconsoleapp5.exe

Loads dropped DLL 9 IoCs

Processes:

WScript.exeSyrtlbqrhgojcisaconsoleapp18.exeWScript.exeQtscbzjoconsoleapp5.exeQtscbzjoconsoleapp5.exe

pid	process
552	WScript.exe
2032	Syrtlbqrhgojcisaconsoleapp18.exe
1556	WScript.exe
576	Qtscbzjoconsoleapp5.exe
1580	Qtscbzjoconsoleapp5.exe
1580	Qtscbzjoconsoleapp5.exe
1580	Qtscbzjoconsoleapp5.exe
1580	Qtscbzjoconsoleapp5.exe
1580	Qtscbzjoconsoleapp5.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

Processes:

394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exeSyrtlbqrhgojcisaconsoleapp18.exeQtscbzjoconsoleapp5.exe

description	pid	process	target process
PID 1500 set thread context of 2000	1500	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
PID 2032 set thread context of 872	2032	Syrtlbqrhgojcisaconsoleapp18.exe	Syrtlbqrhgojcisaconsoleapp18.exe
PID 576 set thread context of 1580	576	Qtscbzjoconsoleapp5.exe	Qtscbzjoconsoleapp5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Checks processor information in registry 2 TTPs 1 IoCs
Processor information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Qtscbzjoconsoleapp5.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Qtscbzjoconsoleapp5.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1628 taskkill.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Qtscbzjoconsoleapp5.exe

pid	process
1628	taskkill.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

powershell.exepowershell.exe394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exepowershell.exepowershell.exeSyrtlbqrhgojcisaconsoleapp18.exepowershell.exepowershell.exeQtscbzjoconsoleapp5.exe

pid	process
1688	powershell.exe
736	powershell.exe
1500	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
1500	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
1500	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
1500	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
1500	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
1500	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
1500	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
1440	powershell.exe
1724	powershell.exe
2032	Syrtlbqrhgojcisaconsoleapp18.exe
2032	Syrtlbqrhgojcisaconsoleapp18.exe
2032	Syrtlbqrhgojcisaconsoleapp18.exe
840	powershell.exe
976	powershell.exe
576	Qtscbzjoconsoleapp5.exe
576	Qtscbzjoconsoleapp5.exe
576	Qtscbzjoconsoleapp5.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exepowershell.exepowershell.exeSyrtlbqrhgojcisaconsoleapp18.exepowershell.exepowershell.exeQtscbzjoconsoleapp5.exepowershell.exepowershell.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1500	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	736	powershell.exe
Token: SeDebugPrivilege	2032	Syrtlbqrhgojcisaconsoleapp18.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	576	Qtscbzjoconsoleapp5.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	1628	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exeWScript.exeSyrtlbqrhgojcisaconsoleapp18.exeWScript.exeQtscbzjoconsoleapp5.exe

description	pid	process	target process
PID 1500 wrote to memory of 1688	1500	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	powershell.exe
PID 1500 wrote to memory of 1688	1500	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	powershell.exe
PID 1500 wrote to memory of 1688	1500	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	powershell.exe
PID 1500 wrote to memory of 1688	1500	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	powershell.exe
PID 1500 wrote to memory of 736	1500	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	powershell.exe
PID 1500 wrote to memory of 736	1500	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	powershell.exe
PID 1500 wrote to memory of 736	1500	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	powershell.exe
PID 1500 wrote to memory of 736	1500	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	powershell.exe
PID 1500 wrote to memory of 552	1500	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	WScript.exe
PID 1500 wrote to memory of 552	1500	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	WScript.exe
PID 1500 wrote to memory of 552	1500	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	WScript.exe
PID 1500 wrote to memory of 552	1500	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	WScript.exe
PID 1500 wrote to memory of 364	1500	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
PID 1500 wrote to memory of 364	1500	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
PID 1500 wrote to memory of 364	1500	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
PID 1500 wrote to memory of 364	1500	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
PID 552 wrote to memory of 2032	552	WScript.exe	Syrtlbqrhgojcisaconsoleapp18.exe
PID 552 wrote to memory of 2032	552	WScript.exe	Syrtlbqrhgojcisaconsoleapp18.exe
PID 552 wrote to memory of 2032	552	WScript.exe	Syrtlbqrhgojcisaconsoleapp18.exe
PID 552 wrote to memory of 2032	552	WScript.exe	Syrtlbqrhgojcisaconsoleapp18.exe
PID 1500 wrote to memory of 2000	1500	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
PID 1500 wrote to memory of 2000	1500	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
PID 1500 wrote to memory of 2000	1500	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
PID 1500 wrote to memory of 2000	1500	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
PID 1500 wrote to memory of 2000	1500	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
PID 1500 wrote to memory of 2000	1500	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
PID 1500 wrote to memory of 2000	1500	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
PID 1500 wrote to memory of 2000	1500	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
PID 1500 wrote to memory of 2000	1500	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
PID 1500 wrote to memory of 2000	1500	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe	394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
PID 2032 wrote to memory of 1440	2032	Syrtlbqrhgojcisaconsoleapp18.exe	powershell.exe
PID 2032 wrote to memory of 1440	2032	Syrtlbqrhgojcisaconsoleapp18.exe	powershell.exe
PID 2032 wrote to memory of 1440	2032	Syrtlbqrhgojcisaconsoleapp18.exe	powershell.exe
PID 2032 wrote to memory of 1440	2032	Syrtlbqrhgojcisaconsoleapp18.exe	powershell.exe
PID 2032 wrote to memory of 1724	2032	Syrtlbqrhgojcisaconsoleapp18.exe	powershell.exe
PID 2032 wrote to memory of 1724	2032	Syrtlbqrhgojcisaconsoleapp18.exe	powershell.exe
PID 2032 wrote to memory of 1724	2032	Syrtlbqrhgojcisaconsoleapp18.exe	powershell.exe
PID 2032 wrote to memory of 1724	2032	Syrtlbqrhgojcisaconsoleapp18.exe	powershell.exe
PID 2032 wrote to memory of 1556	2032	Syrtlbqrhgojcisaconsoleapp18.exe	WScript.exe
PID 2032 wrote to memory of 1556	2032	Syrtlbqrhgojcisaconsoleapp18.exe	WScript.exe
PID 2032 wrote to memory of 1556	2032	Syrtlbqrhgojcisaconsoleapp18.exe	WScript.exe
PID 2032 wrote to memory of 1556	2032	Syrtlbqrhgojcisaconsoleapp18.exe	WScript.exe
PID 2032 wrote to memory of 872	2032	Syrtlbqrhgojcisaconsoleapp18.exe	Syrtlbqrhgojcisaconsoleapp18.exe
PID 2032 wrote to memory of 872	2032	Syrtlbqrhgojcisaconsoleapp18.exe	Syrtlbqrhgojcisaconsoleapp18.exe
PID 2032 wrote to memory of 872	2032	Syrtlbqrhgojcisaconsoleapp18.exe	Syrtlbqrhgojcisaconsoleapp18.exe
PID 2032 wrote to memory of 872	2032	Syrtlbqrhgojcisaconsoleapp18.exe	Syrtlbqrhgojcisaconsoleapp18.exe
PID 2032 wrote to memory of 872	2032	Syrtlbqrhgojcisaconsoleapp18.exe	Syrtlbqrhgojcisaconsoleapp18.exe
PID 2032 wrote to memory of 872	2032	Syrtlbqrhgojcisaconsoleapp18.exe	Syrtlbqrhgojcisaconsoleapp18.exe
PID 2032 wrote to memory of 872	2032	Syrtlbqrhgojcisaconsoleapp18.exe	Syrtlbqrhgojcisaconsoleapp18.exe
PID 2032 wrote to memory of 872	2032	Syrtlbqrhgojcisaconsoleapp18.exe	Syrtlbqrhgojcisaconsoleapp18.exe
PID 2032 wrote to memory of 872	2032	Syrtlbqrhgojcisaconsoleapp18.exe	Syrtlbqrhgojcisaconsoleapp18.exe
PID 2032 wrote to memory of 872	2032	Syrtlbqrhgojcisaconsoleapp18.exe	Syrtlbqrhgojcisaconsoleapp18.exe
PID 1556 wrote to memory of 576	1556	WScript.exe	Qtscbzjoconsoleapp5.exe
PID 1556 wrote to memory of 576	1556	WScript.exe	Qtscbzjoconsoleapp5.exe
PID 1556 wrote to memory of 576	1556	WScript.exe	Qtscbzjoconsoleapp5.exe
PID 1556 wrote to memory of 576	1556	WScript.exe	Qtscbzjoconsoleapp5.exe
PID 576 wrote to memory of 840	576	Qtscbzjoconsoleapp5.exe	powershell.exe
PID 576 wrote to memory of 840	576	Qtscbzjoconsoleapp5.exe	powershell.exe
PID 576 wrote to memory of 840	576	Qtscbzjoconsoleapp5.exe	powershell.exe
PID 576 wrote to memory of 840	576	Qtscbzjoconsoleapp5.exe	powershell.exe
PID 576 wrote to memory of 976	576	Qtscbzjoconsoleapp5.exe	powershell.exe
PID 576 wrote to memory of 976	576	Qtscbzjoconsoleapp5.exe	powershell.exe
PID 576 wrote to memory of 976	576	Qtscbzjoconsoleapp5.exe	powershell.exe
PID 576 wrote to memory of 976	576	Qtscbzjoconsoleapp5.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
"C:\Users\Admin\AppData\Local\Temp\394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute youtube.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute youtube.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:736

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Sinshwgbbjkobohqpsxmxghl.vbs"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:552

C:\Users\Admin\AppData\Local\Temp\Syrtlbqrhgojcisaconsoleapp18.exe
"C:\Users\Admin\AppData\Local\Temp\Syrtlbqrhgojcisaconsoleapp18.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute youtube.com
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute youtube.com
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Aataxxmllamhvbgmkenndscw.vbs"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1556

C:\Users\Admin\AppData\Local\Temp\Qtscbzjoconsoleapp5.exe
"C:\Users\Admin\AppData\Local\Temp\Qtscbzjoconsoleapp5.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute youtube.com
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute youtube.com
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Users\Admin\AppData\Local\Temp\Qtscbzjoconsoleapp5.exe
C:\Users\Admin\AppData\Local\Temp\Qtscbzjoconsoleapp5.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:1580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 1580 & erase C:\Users\Admin\AppData\Local\Temp\Qtscbzjoconsoleapp5.exe & RD /S /Q C:\\ProgramData\\231942346254985\\* & exit
7⤵
PID:1188

C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 1580
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Users\Admin\AppData\Local\Temp\Syrtlbqrhgojcisaconsoleapp18.exe
C:\Users\Admin\AppData\Local\Temp\Syrtlbqrhgojcisaconsoleapp18.exe
4⤵
- Executes dropped EXE
PID:872

C:\Users\Admin\AppData\Local\Temp\394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
C:\Users\Admin\AppData\Local\Temp\394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
2⤵
PID:364

C:\Users\Admin\AppData\Local\Temp\394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
C:\Users\Admin\AppData\Local\Temp\394c61c695af669dcfe4d3dcf73de5099ed8e7fea036dd25f45ff6d234f9547a.exe
2⤵
PID:2000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Aataxxmllamhvbgmkenndscw.vbs
MD5
6e09876f674d62cf569f34c2b9900164

SHA1
40db5acc8ec91e01178f02d9c82f5a7fa5cf5b70

SHA256
b40103ef93c0b87328623bcd4d80b978558282ba08769c618edb8d45a2ab9a8a

SHA512
25d6d4f7878e69d56c050da2b694fc854d52765826abdb387dd3f512d5e66c931c746d769ade210c10b094724e7fc48a7b8a8ef78a019949415367d96590f3cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qtscbzjoconsoleapp5.exe
MD5
536b06e106b9f179a16635a5d3c5034b

SHA1
e8f5c1cd4bb27ac6cedfa8beb05918db4b568501

SHA256
1253dff2e1b7d465478b535867516e54be57ebde1aaa71d6365978bedbf8a9f5

SHA512
d65fa96ce3f8360af1e70018ec9143705a9fda585ab1315aa908ee6e08bea3c184eebbe84108ae3494e585836fa0fd1dc468873d64579875a17f18e663c9647f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qtscbzjoconsoleapp5.exe
MD5
536b06e106b9f179a16635a5d3c5034b

SHA1
e8f5c1cd4bb27ac6cedfa8beb05918db4b568501

SHA256
1253dff2e1b7d465478b535867516e54be57ebde1aaa71d6365978bedbf8a9f5

SHA512
d65fa96ce3f8360af1e70018ec9143705a9fda585ab1315aa908ee6e08bea3c184eebbe84108ae3494e585836fa0fd1dc468873d64579875a17f18e663c9647f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qtscbzjoconsoleapp5.exe
MD5
536b06e106b9f179a16635a5d3c5034b

SHA1
e8f5c1cd4bb27ac6cedfa8beb05918db4b568501

SHA256
1253dff2e1b7d465478b535867516e54be57ebde1aaa71d6365978bedbf8a9f5

SHA512
d65fa96ce3f8360af1e70018ec9143705a9fda585ab1315aa908ee6e08bea3c184eebbe84108ae3494e585836fa0fd1dc468873d64579875a17f18e663c9647f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sinshwgbbjkobohqpsxmxghl.vbs
MD5
573670414b0087f053b79f50f9a3f06b

SHA1
61222881cb0235e0f87eeb6ce3e5e6c1ffc6a075

SHA256
3a85350adde1bec707dcab1c1fe4389e8751c2880e754089573a3d0cdcd84024

SHA512
04b6438fccae5d608216869a9aabe32e9ca6efd3de80202042f37f905b423af4e7bd8974c4525a0539233a5006114d58af1af5d628a753bd891560eebd68f468

Download Submit
C:\Users\Admin\AppData\Local\Temp\Syrtlbqrhgojcisaconsoleapp18.exe
MD5
542d9c144a1a6f94ec70822c8d8b757c

SHA1
1bab2c68f4ac848b0627a13927c6d71c5a094bd0

SHA256
e31587908889029f73855cd422d13232ae6653b59c2d1c4fb36c19118ab0cbf5

SHA512
f80c3acec61051a2971c02ee08ff3858826951ec1e94c60a9959ce4291d8bce6607781388ebcf1a651f64d7ee7f33354e0aa89bf600f208c63010718b6b073a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Syrtlbqrhgojcisaconsoleapp18.exe
MD5
542d9c144a1a6f94ec70822c8d8b757c

SHA1
1bab2c68f4ac848b0627a13927c6d71c5a094bd0

SHA256
e31587908889029f73855cd422d13232ae6653b59c2d1c4fb36c19118ab0cbf5

SHA512
f80c3acec61051a2971c02ee08ff3858826951ec1e94c60a9959ce4291d8bce6607781388ebcf1a651f64d7ee7f33354e0aa89bf600f208c63010718b6b073a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Syrtlbqrhgojcisaconsoleapp18.exe
MD5
542d9c144a1a6f94ec70822c8d8b757c

SHA1
1bab2c68f4ac848b0627a13927c6d71c5a094bd0

SHA256
e31587908889029f73855cd422d13232ae6653b59c2d1c4fb36c19118ab0cbf5

SHA512
f80c3acec61051a2971c02ee08ff3858826951ec1e94c60a9959ce4291d8bce6607781388ebcf1a651f64d7ee7f33354e0aa89bf600f208c63010718b6b073a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
6dda23dd565309768895c14718279760

SHA1
c457665b7120d8f71c102331e2723927d4a2935a

SHA256
6ac199a50d26add1509c7f62fd6386985808125747d1f08ad37347d29be03919

SHA512
93453bb0376f6115d5f125f7bbdcfd0ce7756bc591b08d6f01991575f84c20097365c033a907ad9c30f0aefe23ba7b080c80a81e55f3ef1f1143f4fb8c90294d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
6dda23dd565309768895c14718279760

SHA1
c457665b7120d8f71c102331e2723927d4a2935a

SHA256
6ac199a50d26add1509c7f62fd6386985808125747d1f08ad37347d29be03919

SHA512
93453bb0376f6115d5f125f7bbdcfd0ce7756bc591b08d6f01991575f84c20097365c033a907ad9c30f0aefe23ba7b080c80a81e55f3ef1f1143f4fb8c90294d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
6dda23dd565309768895c14718279760

SHA1
c457665b7120d8f71c102331e2723927d4a2935a

SHA256
6ac199a50d26add1509c7f62fd6386985808125747d1f08ad37347d29be03919

SHA512
93453bb0376f6115d5f125f7bbdcfd0ce7756bc591b08d6f01991575f84c20097365c033a907ad9c30f0aefe23ba7b080c80a81e55f3ef1f1143f4fb8c90294d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
6dda23dd565309768895c14718279760

SHA1
c457665b7120d8f71c102331e2723927d4a2935a

SHA256
6ac199a50d26add1509c7f62fd6386985808125747d1f08ad37347d29be03919

SHA512
93453bb0376f6115d5f125f7bbdcfd0ce7756bc591b08d6f01991575f84c20097365c033a907ad9c30f0aefe23ba7b080c80a81e55f3ef1f1143f4fb8c90294d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
6dda23dd565309768895c14718279760

SHA1
c457665b7120d8f71c102331e2723927d4a2935a

SHA256
6ac199a50d26add1509c7f62fd6386985808125747d1f08ad37347d29be03919

SHA512
93453bb0376f6115d5f125f7bbdcfd0ce7756bc591b08d6f01991575f84c20097365c033a907ad9c30f0aefe23ba7b080c80a81e55f3ef1f1143f4fb8c90294d

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\ProgramData\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\Local\Temp\Qtscbzjoconsoleapp5.exe
MD5
536b06e106b9f179a16635a5d3c5034b

SHA1
e8f5c1cd4bb27ac6cedfa8beb05918db4b568501

SHA256
1253dff2e1b7d465478b535867516e54be57ebde1aaa71d6365978bedbf8a9f5

SHA512
d65fa96ce3f8360af1e70018ec9143705a9fda585ab1315aa908ee6e08bea3c184eebbe84108ae3494e585836fa0fd1dc468873d64579875a17f18e663c9647f

Download Submit
\Users\Admin\AppData\Local\Temp\Qtscbzjoconsoleapp5.exe
MD5
536b06e106b9f179a16635a5d3c5034b

SHA1
e8f5c1cd4bb27ac6cedfa8beb05918db4b568501

SHA256
1253dff2e1b7d465478b535867516e54be57ebde1aaa71d6365978bedbf8a9f5

SHA512
d65fa96ce3f8360af1e70018ec9143705a9fda585ab1315aa908ee6e08bea3c184eebbe84108ae3494e585836fa0fd1dc468873d64579875a17f18e663c9647f

Download Submit
\Users\Admin\AppData\Local\Temp\Syrtlbqrhgojcisaconsoleapp18.exe
MD5
542d9c144a1a6f94ec70822c8d8b757c

SHA1
1bab2c68f4ac848b0627a13927c6d71c5a094bd0

SHA256
e31587908889029f73855cd422d13232ae6653b59c2d1c4fb36c19118ab0cbf5

SHA512
f80c3acec61051a2971c02ee08ff3858826951ec1e94c60a9959ce4291d8bce6607781388ebcf1a651f64d7ee7f33354e0aa89bf600f208c63010718b6b073a4

Download Submit
\Users\Admin\AppData\Local\Temp\Syrtlbqrhgojcisaconsoleapp18.exe
MD5
542d9c144a1a6f94ec70822c8d8b757c

SHA1
1bab2c68f4ac848b0627a13927c6d71c5a094bd0

SHA256
e31587908889029f73855cd422d13232ae6653b59c2d1c4fb36c19118ab0cbf5

SHA512
f80c3acec61051a2971c02ee08ff3858826951ec1e94c60a9959ce4291d8bce6607781388ebcf1a651f64d7ee7f33354e0aa89bf600f208c63010718b6b073a4

Download Submit
memory/552-69-0x0000000000000000-mapping.dmp

Download
memory/576-116-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/576-108-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/576-104-0x0000000000000000-mapping.dmp

Download
memory/576-119-0x0000000004E10000-0x0000000004ECD000-memory.dmp

Filesize
756KB

Download
memory/576-120-0x0000000002060000-0x0000000002083000-memory.dmp

Filesize
140KB

Download
memory/736-67-0x00000000024E0000-0x000000000312A000-memory.dmp

Filesize
12.3MB

Download
memory/736-62-0x0000000000000000-mapping.dmp

Download
memory/736-66-0x00000000024E0000-0x000000000312A000-memory.dmp

Filesize
12.3MB

Download
memory/736-65-0x00000000024E0000-0x000000000312A000-memory.dmp

Filesize
12.3MB

Download
memory/840-117-0x00000000024C0000-0x000000000310A000-memory.dmp

Filesize
12.3MB

Download
memory/840-111-0x0000000000000000-mapping.dmp

Download
memory/872-107-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/872-100-0x000000000041A684-mapping.dmp

Download
memory/872-99-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/976-114-0x0000000000000000-mapping.dmp

Download
memory/1188-133-0x0000000000000000-mapping.dmp

Download
memory/1440-83-0x0000000000000000-mapping.dmp

Download
memory/1440-91-0x00000000023C0000-0x000000000300A000-memory.dmp

Filesize
12.3MB

Download
memory/1500-72-0x00000000003B0000-0x0000000000407000-memory.dmp

Filesize
348KB

Download
memory/1500-68-0x0000000006E50000-0x00000000070CD000-memory.dmp

Filesize
2.5MB

Download
memory/1500-58-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/1500-55-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/1500-53-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/1556-94-0x0000000000000000-mapping.dmp

Download
memory/1580-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1580-122-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1580-123-0x0000000000417A8B-mapping.dmp

Download
memory/1628-134-0x0000000000000000-mapping.dmp

Download
memory/1688-56-0x0000000000000000-mapping.dmp

Download
memory/1688-61-0x00000000024C2000-0x00000000024C4000-memory.dmp

Filesize
8KB

Download
memory/1688-59-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/1688-60-0x00000000024C1000-0x00000000024C2000-memory.dmp

Filesize
4KB

Download
memory/1724-89-0x0000000000000000-mapping.dmp

Download
memory/2000-78-0x00000000004407D8-mapping.dmp

Download
memory/2000-77-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2000-84-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2032-85-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/2032-75-0x0000000000000000-mapping.dmp

Download
memory/2032-80-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/2032-93-0x0000000005410000-0x0000000005584000-memory.dmp

Filesize
1.5MB

Download
memory/2032-96-0x0000000000B40000-0x0000000000B5B000-memory.dmp

Filesize
108KB

Download