netwire | c6116c1f7d5326b65000c44e2c690967672a658d6123f8ecb1634277748bebbc

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

841e9227af67d61b8db0d61e56a2674c_JaffaCakes118.exe
Size

543KB
MD5

841e9227af67d61b8db0d61e56a2674c
SHA1

53570172745634ae234cc5781c4537bfec5931b2
SHA256

c6116c1f7d5326b65000c44e2c690967672a658d6123f8ecb1634277748bebbc
SHA512

c12c17aafbd7d9ce65f7bb067f90ae7a9d1d4b494e2e60ec099b2afbe2d190b8840689217c58bd724fb1706489a063da49e1aa973df10cd6c004fa5af80b8c06
SSDEEP

12288:cQawNsW7lerECtu4aLgbqu6khVc0qI7oe3gP5WecUa/0TBPf0:cQa+HperrOUj6k7ZqC30tbBPf0

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

79.172.242.87:3305

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
Summer
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
mutex
HsOoVGHW
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/4156-18-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/4156-25-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WARLYLeiLefdXcZF.lnk	RQKLOiEWbKfOiLhDWVGTf.cmd

Executes dropped EXE 25 IoCs

pid	Process
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
4224	Host.exe
2608	Host.exe
3404	Host.exe
2088	Host.exe
1540	Host.exe
3120	Host.exe
3220	Host.exe
1836	Host.exe
2572	Host.exe
4632	Host.exe
3164	Host.exe
4928	Host.exe
4968	Host.exe
4272	Host.exe
224	Host.exe
4796	Host.exe
4808	Host.exe
3968	Host.exe
4780	Host.exe
2516	Host.exe
5024	Host.exe
3788	Host.exe
3180	Host.exe
4388	Host.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	841e9227af67d61b8db0d61e56a2674c_JaffaCakes118.exe

Suspicious use of SetThreadContext 25 IoCs

description	pid	Process	procid_target
PID 3408 set thread context of 4156	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	93
PID 3408 set thread context of 220	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	95
PID 3408 set thread context of 4320	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	97
PID 3408 set thread context of 4336	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	101
PID 3408 set thread context of 2948	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	105
PID 3408 set thread context of 4520	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	111
PID 3408 set thread context of 3704	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	113
PID 3408 set thread context of 2636	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	115
PID 3408 set thread context of 4620	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	118
PID 3408 set thread context of 1808	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	120
PID 3408 set thread context of 5096	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	122
PID 3408 set thread context of 1508	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	124
PID 3408 set thread context of 4380	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	126
PID 3408 set thread context of 3764	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	128
PID 3408 set thread context of 1460	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	132
PID 3408 set thread context of 2000	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	137
PID 3408 set thread context of 1892	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	139
PID 3408 set thread context of 824	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	141
PID 3408 set thread context of 5020	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	144
PID 3408 set thread context of 4044	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	146
PID 3408 set thread context of 1156	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	150
PID 3408 set thread context of 4968	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	152
PID 3408 set thread context of 5116	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	154
PID 3408 set thread context of 4904	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	157
PID 3408 set thread context of 736	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	159

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd
3408	RQKLOiEWbKfOiLhDWVGTf.cmd

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 792 wrote to memory of 3408	792	841e9227af67d61b8db0d61e56a2674c_JaffaCakes118.exe	90
PID 792 wrote to memory of 3408	792	841e9227af67d61b8db0d61e56a2674c_JaffaCakes118.exe	90
PID 792 wrote to memory of 3408	792	841e9227af67d61b8db0d61e56a2674c_JaffaCakes118.exe	90
PID 3408 wrote to memory of 2228	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	91
PID 3408 wrote to memory of 2228	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	91
PID 3408 wrote to memory of 2228	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	91
PID 3408 wrote to memory of 4480	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	92
PID 3408 wrote to memory of 4480	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	92
PID 3408 wrote to memory of 4480	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	92
PID 3408 wrote to memory of 4156	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	93
PID 3408 wrote to memory of 4156	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	93
PID 3408 wrote to memory of 4156	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	93
PID 3408 wrote to memory of 4156	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	93
PID 3408 wrote to memory of 4156	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	93
PID 4156 wrote to memory of 4224	4156	wscript.exe	94
PID 4156 wrote to memory of 4224	4156	wscript.exe	94
PID 4156 wrote to memory of 4224	4156	wscript.exe	94
PID 3408 wrote to memory of 220	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	95
PID 3408 wrote to memory of 220	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	95
PID 3408 wrote to memory of 220	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	95
PID 3408 wrote to memory of 220	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	95
PID 3408 wrote to memory of 220	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	95
PID 220 wrote to memory of 2608	220	wscript.exe	96
PID 220 wrote to memory of 2608	220	wscript.exe	96
PID 220 wrote to memory of 2608	220	wscript.exe	96
PID 3408 wrote to memory of 4320	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	97
PID 3408 wrote to memory of 4320	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	97
PID 3408 wrote to memory of 4320	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	97
PID 3408 wrote to memory of 4320	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	97
PID 3408 wrote to memory of 4320	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	97
PID 4320 wrote to memory of 3404	4320	wscript.exe	100
PID 4320 wrote to memory of 3404	4320	wscript.exe	100
PID 4320 wrote to memory of 3404	4320	wscript.exe	100
PID 3408 wrote to memory of 4336	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	101
PID 3408 wrote to memory of 4336	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	101
PID 3408 wrote to memory of 4336	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	101
PID 3408 wrote to memory of 4336	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	101
PID 3408 wrote to memory of 4336	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	101
PID 4336 wrote to memory of 2088	4336	wscript.exe	104
PID 4336 wrote to memory of 2088	4336	wscript.exe	104
PID 4336 wrote to memory of 2088	4336	wscript.exe	104
PID 3408 wrote to memory of 2948	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	105
PID 3408 wrote to memory of 2948	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	105
PID 3408 wrote to memory of 2948	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	105
PID 3408 wrote to memory of 2948	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	105
PID 3408 wrote to memory of 2948	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	105
PID 2948 wrote to memory of 1540	2948	wscript.exe	110
PID 2948 wrote to memory of 1540	2948	wscript.exe	110
PID 2948 wrote to memory of 1540	2948	wscript.exe	110
PID 3408 wrote to memory of 4520	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	111
PID 3408 wrote to memory of 4520	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	111
PID 3408 wrote to memory of 4520	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	111
PID 3408 wrote to memory of 4520	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	111
PID 3408 wrote to memory of 4520	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	111
PID 4520 wrote to memory of 3120	4520	wscript.exe	112
PID 4520 wrote to memory of 3120	4520	wscript.exe	112
PID 4520 wrote to memory of 3120	4520	wscript.exe	112
PID 3408 wrote to memory of 3704	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	113
PID 3408 wrote to memory of 3704	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	113
PID 3408 wrote to memory of 3704	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	113
PID 3408 wrote to memory of 3704	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	113
PID 3408 wrote to memory of 3704	3408	RQKLOiEWbKfOiLhDWVGTf.cmd	113
PID 3704 wrote to memory of 3220	3704	wscript.exe	114
PID 3704 wrote to memory of 3220	3704	wscript.exe	114

C:\Users\Admin\AppData\Local\Temp\841e9227af67d61b8db0d61e56a2674c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\841e9227af67d61b8db0d61e56a2674c_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:792
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RQKLOiEWbKfOiLhDWVGTf.cmd
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RQKLOiEWbKfOiLhDWVGTf.cmd RQKLOiEWbKfOiLhDWVG
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3408
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    PID:4480
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4156
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:4224
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:2608
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4320
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:3404
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4336
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:2088
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:1540
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4520
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:3120
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3704
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:3220
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    PID:2636
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:1836
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    PID:4620
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:2572
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    PID:1808
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:4632
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    PID:5096
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:3164
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    PID:1508
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:4928
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    PID:4380
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:4968
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    PID:3764
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:4272
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    PID:4964
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    PID:1460
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:224
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    PID:3572
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    PID:2796
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    PID:2000
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:4796
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    PID:1892
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:4808
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    PID:824
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:3968
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    PID:5020
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:4780
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    PID:4044
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:2516
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    PID:3224
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    PID:1432
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    PID:1156
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:5024
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    PID:4968
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:3788
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    PID:5116
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:3180
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    PID:1368
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    PID:4904
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:4388
- - C:\Windows\SysWOW64\wscript.exe
    - vbc
    3⤵
    PID:736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4008 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RQKLOiEWbKfOiLhDWVG

Filesize
47KB

MD5
18f33384d94dcb1b64c41ce700f09133

SHA1
ce3dc15e620224dfd617b325c6506ae64c5044c7

SHA256
03820afb4df4b6117811c1c537426e7bb3ac8d533a231f4981e228ddb6fbd7ab

SHA512
a0169c2c0eb667f6cc322efe42ebaabcd09dce68cd467ba0b62fe6b5b17c22a66dfaae79fa56cc736c34f1ba1a409a59bfcfdb626c14e3faab58dd1054f21ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RQKLOiEWbKfOiLhDWVGTf.cmd

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WARLYLeiLefd

Filesize
84KB

MD5
547c89d00251c1f8e7b09e9e6dd44c33

SHA1
87f6452217915ba0f9232d80c8c53dfeab60e2e1

SHA256
97eca6ef0ffe505508e2176372283435ce1bd9cd6be41b66677071d7853211d4

SHA512
8622ce054473eaa8b5b7cc520249b71b22f42f701769f9cbe0db4ddc0e0ffb1bf9c3f280b880c947abaf3cb998661d971c744b94d5f3816b607c18e6d85b9b5b

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
144KB

MD5
ff00e0480075b095948000bdc66e81f0

SHA1
c2326cc50a739d3bc512bb65a24d42f1cde745c9

SHA256
8c767077bb410f95b1db237b31f4f6e1512c78c1f0120de3f215b501f6d1c7ea

SHA512
3a38e62dcb925411bc037335e46dfdd895c12a52ac43c47ef38db42d41d8358dfc2b1081a361367911d60ec5a3350ca734cf70ad57b21d39b23cfdec35b0aced

Download Submit
memory/3408-17-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/3408-67-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/3408-77-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/4156-18-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4156-25-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download