asyncrat | b434527e3f55425dc624118395ee28b4725e81464863dfd15d175dd74fbd9a6a

Resubmissions

02-09-2024 02:19

240902-crxs1syfmm 10

07-07-2024 21:02

240707-zvllgsyaqp 10

01-07-2024 21:37

240701-1gjemsverk 10

Analysis

max time kernel
297s
max time network
308s
platform
windows11-21h2_x64
resource
win11-20240704-en
resource tags

arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
submitted
07-07-2024 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

8KB
MD5

69994ff2f00eeca9335ccd502198e05b
SHA1

b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512

ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP

96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Score

10^/10

asyncrat meduza redline stormkitty venom clients collection discovery infostealer rat spyware stealer upx

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

94.232.249.204:6660

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\PACKAGE_DEMO.exe	family_meduza

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\build.exe	family_redline

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\Server.exe	family_stormkitty

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\Server.exe	family_asyncrat
C:\Users\Admin\AppData\Local\Temp\a\aaa.exe	family_asyncrat

Downloads MZ/PE file

Executes dropped EXE 13 IoCs

Processes:

PACKAGE_DEMO.exek.exek.exelumma0607.exewin.exewin.exelolMiner.exemy.exemy.exewindows_update.exewindows_update.exe1.exe1.exe

pid	process
4932	PACKAGE_DEMO.exe
3044	k.exe
968	k.exe
2876	lumma0607.exe
3544	win.exe
2832	win.exe
3496	lolMiner.exe
2080	my.exe
3064	my.exe
2572	windows_update.exe
2540	windows_update.exe
1452	1.exe
1216	1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\k.exe	upx
behavioral8/memory/3044-27-0x00000000008C0000-0x00000000018E6000-memory.dmp	upx
behavioral8/memory/968-31-0x00000000008C0000-0x00000000018E6000-memory.dmp	upx
behavioral8/memory/3044-30-0x00000000008C0000-0x00000000018E6000-memory.dmp	upx
behavioral8/memory/968-32-0x00000000008C0000-0x00000000018E6000-memory.dmp	upx
behavioral8/memory/968-34-0x00000000008C0000-0x00000000018E6000-memory.dmp	upx
behavioral8/memory/968-36-0x00000000008C0000-0x00000000018E6000-memory.dmp	upx
behavioral8/memory/968-37-0x00000000008C0000-0x00000000018E6000-memory.dmp	upx
behavioral8/memory/968-38-0x00000000008C0000-0x00000000018E6000-memory.dmp	upx
behavioral8/memory/968-49-0x00000000008C0000-0x00000000018E6000-memory.dmp	upx
behavioral8/memory/968-50-0x00000000008C0000-0x00000000018E6000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\a\win.exe	upx
behavioral8/memory/3544-59-0x0000000000220000-0x0000000001246000-memory.dmp	upx
behavioral8/memory/2832-63-0x0000000000220000-0x0000000001246000-memory.dmp	upx
behavioral8/memory/3544-64-0x0000000000220000-0x0000000001246000-memory.dmp	upx
behavioral8/memory/968-65-0x00000000008C0000-0x00000000018E6000-memory.dmp	upx
behavioral8/memory/968-66-0x00000000008C0000-0x00000000018E6000-memory.dmp	upx
behavioral8/memory/2832-67-0x0000000000220000-0x0000000001246000-memory.dmp	upx
behavioral8/memory/2832-69-0x0000000000220000-0x0000000001246000-memory.dmp	upx
behavioral8/memory/968-68-0x00000000008C0000-0x00000000018E6000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\a\lolMiner.exe	upx
behavioral8/memory/3496-78-0x00007FF626700000-0x00007FF62AE5F000-memory.dmp	upx
behavioral8/memory/968-79-0x00000000008C0000-0x00000000018E6000-memory.dmp	upx
behavioral8/memory/2832-80-0x0000000000220000-0x0000000001246000-memory.dmp	upx
behavioral8/memory/968-81-0x00000000008C0000-0x00000000018E6000-memory.dmp	upx
behavioral8/memory/2832-82-0x0000000000220000-0x0000000001246000-memory.dmp	upx
behavioral8/memory/968-83-0x00000000008C0000-0x00000000018E6000-memory.dmp	upx
behavioral8/memory/2832-84-0x0000000000220000-0x0000000001246000-memory.dmp	upx
behavioral8/memory/2832-86-0x0000000000220000-0x0000000001246000-memory.dmp	upx
behavioral8/memory/968-87-0x00000000008C0000-0x00000000018E6000-memory.dmp	upx
behavioral8/memory/2832-88-0x0000000000220000-0x0000000001246000-memory.dmp	upx
behavioral8/memory/968-89-0x00000000008C0000-0x00000000018E6000-memory.dmp	upx
behavioral8/memory/2832-90-0x0000000000220000-0x0000000001246000-memory.dmp	upx
behavioral8/memory/968-91-0x00000000008C0000-0x00000000018E6000-memory.dmp	upx
behavioral8/memory/968-100-0x00000000008C0000-0x00000000018E6000-memory.dmp	upx
behavioral8/memory/2832-102-0x0000000000220000-0x0000000001246000-memory.dmp	upx
behavioral8/memory/2832-103-0x0000000000220000-0x0000000001246000-memory.dmp	upx
behavioral8/memory/968-104-0x00000000008C0000-0x00000000018E6000-memory.dmp	upx
behavioral8/memory/968-105-0x00000000008C0000-0x00000000018E6000-memory.dmp	upx
behavioral8/memory/2832-106-0x0000000000220000-0x0000000001246000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\a\windows_update.exe	upx
behavioral8/memory/2572-116-0x0000000000540000-0x0000000001565000-memory.dmp	upx
behavioral8/memory/2832-117-0x0000000000220000-0x0000000001246000-memory.dmp	upx
behavioral8/memory/968-118-0x00000000008C0000-0x00000000018E6000-memory.dmp	upx
behavioral8/memory/2540-119-0x0000000000540000-0x0000000001565000-memory.dmp	upx
behavioral8/memory/2832-120-0x0000000000220000-0x0000000001246000-memory.dmp	upx
behavioral8/memory/968-121-0x00000000008C0000-0x00000000018E6000-memory.dmp	upx
behavioral8/memory/2540-122-0x0000000000540000-0x0000000001565000-memory.dmp	upx
behavioral8/memory/2832-123-0x0000000000220000-0x0000000001246000-memory.dmp	upx
behavioral8/memory/968-124-0x00000000008C0000-0x00000000018E6000-memory.dmp	upx
behavioral8/memory/2540-125-0x0000000000540000-0x0000000001565000-memory.dmp	upx
behavioral8/memory/2832-126-0x0000000000220000-0x0000000001246000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\a\1.exe	upx
behavioral8/memory/968-136-0x00000000008C0000-0x00000000018E6000-memory.dmp	upx
behavioral8/memory/1452-138-0x0000000000760000-0x0000000000F4D000-memory.dmp	upx
behavioral8/memory/2540-139-0x0000000000540000-0x0000000001565000-memory.dmp	upx
behavioral8/memory/2832-141-0x0000000000220000-0x0000000001246000-memory.dmp	upx
behavioral8/memory/968-140-0x00000000008C0000-0x00000000018E6000-memory.dmp	upx
behavioral8/memory/2540-142-0x0000000000540000-0x0000000001565000-memory.dmp	upx
behavioral8/memory/1216-143-0x0000000000760000-0x0000000000F4D000-memory.dmp	upx
behavioral8/memory/968-144-0x00000000008C0000-0x00000000018E6000-memory.dmp	upx
behavioral8/memory/2832-145-0x0000000000220000-0x0000000001246000-memory.dmp	upx
behavioral8/memory/1216-146-0x0000000000760000-0x0000000000F4D000-memory.dmp	upx
behavioral8/memory/2540-148-0x0000000000540000-0x0000000001565000-memory.dmp	upx

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

Processes:

PACKAGE_DEMO.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PACKAGE_DEMO.exe
Key opened	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PACKAGE_DEMO.exe
Key opened	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PACKAGE_DEMO.exe
Key opened	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PACKAGE_DEMO.exe
Key opened	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PACKAGE_DEMO.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.ipify.org
8 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

lumma0607.exe

description pid process target process

PID 2876 set thread context of 1452 2876 lumma0607.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
5	api.ipify.org
8	api.ipify.org

description	pid	process	target process
PID 2876 set thread context of 1452	2876	lumma0607.exe	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

PACKAGE_DEMO.exek.exek.exeRegAsm.exewin.exewin.exemy.exemy.exewindows_update.exewindows_update.exe1.exe1.exe

pid	process
4932	PACKAGE_DEMO.exe
4932	PACKAGE_DEMO.exe
3044	k.exe
968	k.exe
1452	RegAsm.exe
1452	RegAsm.exe
1452	RegAsm.exe
1452	RegAsm.exe
3544	win.exe
2832	win.exe
2080	my.exe
3064	my.exe
2572	windows_update.exe
2540	windows_update.exe
1452	1.exe
1216	1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

New Text Document mod.exewhoami.exewhoami.exewhoami.exe

description	pid	process
Token: SeDebugPrivilege	4884	New Text Document mod.exe
Token: SeDebugPrivilege	1512	whoami.exe
Token: SeDebugPrivilege	1812	whoami.exe
Token: SeDebugPrivilege	1632	whoami.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

New Text Document mod.exek.exelumma0607.exewin.exewin.exemy.exewindows_update.exewindows_update.exe1.exe1.exe

description	pid	process	target process
PID 4884 wrote to memory of 4932	4884	New Text Document mod.exe	PACKAGE_DEMO.exe
PID 4884 wrote to memory of 4932	4884	New Text Document mod.exe	PACKAGE_DEMO.exe
PID 4884 wrote to memory of 3044	4884	New Text Document mod.exe	k.exe
PID 4884 wrote to memory of 3044	4884	New Text Document mod.exe	k.exe
PID 3044 wrote to memory of 968	3044	k.exe	k.exe
PID 3044 wrote to memory of 968	3044	k.exe	k.exe
PID 4884 wrote to memory of 2876	4884	New Text Document mod.exe	lumma0607.exe
PID 4884 wrote to memory of 2876	4884	New Text Document mod.exe	lumma0607.exe
PID 4884 wrote to memory of 2876	4884	New Text Document mod.exe	lumma0607.exe
PID 2876 wrote to memory of 1452	2876	lumma0607.exe	RegAsm.exe
PID 2876 wrote to memory of 1452	2876	lumma0607.exe	RegAsm.exe
PID 2876 wrote to memory of 1452	2876	lumma0607.exe	RegAsm.exe
PID 2876 wrote to memory of 1452	2876	lumma0607.exe	RegAsm.exe
PID 2876 wrote to memory of 1452	2876	lumma0607.exe	RegAsm.exe
PID 2876 wrote to memory of 1452	2876	lumma0607.exe	RegAsm.exe
PID 2876 wrote to memory of 1452	2876	lumma0607.exe	RegAsm.exe
PID 2876 wrote to memory of 1452	2876	lumma0607.exe	RegAsm.exe
PID 2876 wrote to memory of 1452	2876	lumma0607.exe	RegAsm.exe
PID 4884 wrote to memory of 3544	4884	New Text Document mod.exe	win.exe
PID 4884 wrote to memory of 3544	4884	New Text Document mod.exe	win.exe
PID 3544 wrote to memory of 2832	3544	win.exe	win.exe
PID 3544 wrote to memory of 2832	3544	win.exe	win.exe
PID 2832 wrote to memory of 1512	2832	win.exe	whoami.exe
PID 2832 wrote to memory of 1512	2832	win.exe	whoami.exe
PID 4884 wrote to memory of 3496	4884	New Text Document mod.exe	lolMiner.exe
PID 4884 wrote to memory of 3496	4884	New Text Document mod.exe	lolMiner.exe
PID 4884 wrote to memory of 2080	4884	New Text Document mod.exe	my.exe
PID 4884 wrote to memory of 2080	4884	New Text Document mod.exe	my.exe
PID 2080 wrote to memory of 3064	2080	my.exe	my.exe
PID 2080 wrote to memory of 3064	2080	my.exe	my.exe
PID 4884 wrote to memory of 2572	4884	New Text Document mod.exe	windows_update.exe
PID 4884 wrote to memory of 2572	4884	New Text Document mod.exe	windows_update.exe
PID 2572 wrote to memory of 2540	2572	windows_update.exe	windows_update.exe
PID 2572 wrote to memory of 2540	2572	windows_update.exe	windows_update.exe
PID 2540 wrote to memory of 1812	2540	windows_update.exe	whoami.exe
PID 2540 wrote to memory of 1812	2540	windows_update.exe	whoami.exe
PID 4884 wrote to memory of 1452	4884	New Text Document mod.exe	1.exe
PID 4884 wrote to memory of 1452	4884	New Text Document mod.exe	1.exe
PID 4884 wrote to memory of 1452	4884	New Text Document mod.exe	1.exe
PID 1452 wrote to memory of 1216	1452	1.exe	1.exe
PID 1452 wrote to memory of 1216	1452	1.exe	1.exe
PID 1452 wrote to memory of 1216	1452	1.exe	1.exe
PID 1216 wrote to memory of 1632	1216	1.exe	whoami.exe
PID 1216 wrote to memory of 1632	1216	1.exe	whoami.exe
PID 1216 wrote to memory of 1632	1216	1.exe	whoami.exe

outlook_office_path 1 IoCs

Processes:

PACKAGE_DEMO.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PACKAGE_DEMO.exe

outlook_win_path 1 IoCs

Processes:

PACKAGE_DEMO.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PACKAGE_DEMO.exe

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Users\Admin\AppData\Local\Temp\a\PACKAGE_DEMO.exe
  "C:\Users\Admin\AppData\Local\Temp\a\PACKAGE_DEMO.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - outlook_office_path
  - outlook_win_path
  PID:4932
- C:\Users\Admin\AppData\Local\Temp\a\k.exe
  "C:\Users\Admin\AppData\Local\Temp\a\k.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Users\Admin\AppData\Local\Temp\a\k.exe
    C:\Users\Admin\AppData\Local\Temp\a\k.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:968
- C:\Users\Admin\AppData\Local\Temp\a\lumma0607.exe
  "C:\Users\Admin\AppData\Local\Temp\a\lumma0607.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1452
- C:\Users\Admin\AppData\Local\Temp\a\win.exe
  "C:\Users\Admin\AppData\Local\Temp\a\win.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3544
- - C:\Users\Admin\AppData\Local\Temp\a\win.exe
    C:\Users\Admin\AppData\Local\Temp\a\win.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\system32\whoami.exe
      whoami
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1512
- C:\Users\Admin\AppData\Local\Temp\a\lolMiner.exe
  "C:\Users\Admin\AppData\Local\Temp\a\lolMiner.exe"
  2⤵
  - Executes dropped EXE
  PID:3496
- C:\Users\Admin\AppData\Local\Temp\a\my.exe
  "C:\Users\Admin\AppData\Local\Temp\a\my.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Users\Admin\AppData\Local\Temp\a\my.exe
    C:\Users\Admin\AppData\Local\Temp\a\my.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3064
- C:\Users\Admin\AppData\Local\Temp\a\windows_update.exe
  "C:\Users\Admin\AppData\Local\Temp\a\windows_update.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Users\Admin\AppData\Local\Temp\a\windows_update.exe
    C:\Users\Admin\AppData\Local\Temp\a\windows_update.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\system32\whoami.exe
      whoami
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1812
- C:\Users\Admin\AppData\Local\Temp\a\1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Users\Admin\AppData\Local\Temp\a\1.exe
    C:\Users\Admin\AppData\Local\Temp\a\1.exe --foreground
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1216
  - - C:\Windows\SysWOW64\whoami.exe
      whoami
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1632
- C:\Users\Admin\AppData\Local\Temp\a\igccu.exe
  "C:\Users\Admin\AppData\Local\Temp\a\igccu.exe"
  2⤵
  PID:1480
- - C:\Program Files (x86)\Google\Temp\GUM51E0.tmp\GoogleUpdate.exe
    "C:\Program Files (x86)\Google\Temp\GUM51E0.tmp\GoogleUpdate.exe" /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={4611E087-CB70-244B-9202-F605357A02F4}&lang=en&browser=5&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&brand=CHBF&installdataindex=empty"
    3⤵
    PID:4868
- C:\Users\Admin\AppData\Local\Temp\a\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Server.exe"
  2⤵
  PID:4832
- C:\Users\Admin\AppData\Local\Temp\a\aaa.exe
  "C:\Users\Admin\AppData\Local\Temp\a\aaa.exe"
  2⤵
  PID:1888
- C:\Users\Admin\AppData\Local\Temp\a\build.exe
  "C:\Users\Admin\AppData\Local\Temp\a\build.exe"
  2⤵
  PID:4412
- C:\Users\Admin\AppData\Local\Temp\a\update.exe
  "C:\Users\Admin\AppData\Local\Temp\a\update.exe"
  2⤵
  PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Temp\GUM51E0.tmp\GoogleUpdate.exe

Filesize
152KB

MD5
e4bf1e4d8477fbf8411e274f95a0d528

SHA1
a3ff668cbc56d22fb3b258fabff26bac74a27e21

SHA256
62f622b022d4d8a52baf02bcf0c163f6fd046265cc4553d2a8b267f8eded4b76

SHA512
429d99fc7578d07c02b69e6daf7d020cff9baa0098fbd15f05539cb3b78c3ac4a368dee500c4d14b804d383767a7d5e8154e61d4ab002d610abed4d647e14c70

Download Submit
C:\Program Files (x86)\Google\Temp\GUM51E0.tmp\goopdate.dll

Filesize
1.8MB

MD5
25482ea33f9816821fa298c0f13dd23c

SHA1
5568ed10ffef3d0fac0638e81a0634407f4f3523

SHA256
ec6f7ef351bd716fef2c3f4701c262bc1a64e9653bc6b61e49a133650bf608ae

SHA512
636847352c037f4bf119abc26827caa31e6c1fcd19306176030165d448d80d29f519ece82eacab39edce9681564dec5e350c622124889263f0404837e2acad77

Download Submit
C:\Program Files (x86)\Google\Temp\GUM51E0.tmp\goopdate.dll

Filesize
1.9MB

MD5
b235a510d74783594b5a50f60d6a841a

SHA1
101395a59c156139786554153e29a72e445776f7

SHA256
6a478176c0e2257485b517c5b549d6a4b9b93264b8ae67f134c8e87571db50ba

SHA512
78adc152a2b11a750e398f19fc611e27b6a53c6dd0aec959f49d3ac0bc6121901c58a32fca065cc9bbe41fbbc034d4807c8d26d7c9719dcb133073a05687d292

Download Submit
C:\Program Files (x86)\Google\Temp\GUM51E0.tmp\goopdateres_en.dll

Filesize
47KB

MD5
b6fea8f291da55bb35d408040f354250

SHA1
19ed99a4f169467055474454f2b35204f2cd6568

SHA256
6dcbd0c88d81ffa42a926787cbdecf8042685cc44f0484ef87307f89ec220bcc

SHA512
1b47352ddc03bb1b6a171e7cf58bfd1e1214a4f9cc04cf8ad58326e17a33b4c639cf23b4f7372b1010021ce3816129ca270d06a2c55ba3a3b001e1587c5ab75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\1.exe

Filesize
2.9MB

MD5
ed44c98c40576ef50f6abcf6e40c71d7

SHA1
3fa4d2232ebaef519eb388cae03a329123410113

SHA256
05d385e9faa8175db3c963f7fad2b3ecee0bb45deacfbf8824bdea9a181e63b1

SHA512
c66dd4cbf1b4743e455a70f65ffa4fba0a95926767c1a1c03fe9bfba52cc364c2f609bf5b65c786213718a139dd5b2ff40f7cf8a60d8e2663347c0168c9a72ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\PACKAGE_DEMO.exe

Filesize
914KB

MD5
e450ca946d4bf6173ebe3f00c3d08d81

SHA1
3653f8f0231dfad94100f3f3ae3fbae0c3b0d208

SHA256
44e715e3d9b5434c099452cc2cd991b1f02d4aba25114341a37dc142efd089ff

SHA512
9c884eb29f2d084973a7cc760d3c4e41f3601ef9b22081e083e371301d5b6b22d8e52cacaf6e4a2fd7466d5819876a69921326fa59a24ff75ed85297cda88fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Server.exe

Filesize
175KB

MD5
68fad5f5f8de1c290df5d3754b4af358

SHA1
0028395243f38a03b13726915144b9848e8da39a

SHA256
dbacc134902ee72d1464d3b61a3518402b7ab54807bb7b7541fc2916c8119e9e

SHA512
ce44611d5c47fdcb979c715352f5050c816d4e5a814b102836856ede279f774e4709ca48fb95639ca66476ca547176370da7afc5185af066832732da2c80ee01

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\aaa.exe

Filesize
63KB

MD5
e52ba92d25281e90aa7f27bd3719951f

SHA1
f67b856dbac5bdd315dce1df2738a1b4f88f4f39

SHA256
8215ed905544d217f656b5b226f71798970698eefa4f24cb48532778d8409baa

SHA512
96a3e30a0fbe049f69b07155cfe3e1a431ff63e8dabc4baa13eada61668ebc4d4171fdaf70fb7fac4d92fc7e8383fa400dcf11eeaee98e47511857e30a23f53d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\build.exe

Filesize
300KB

MD5
7081e613321921500b70899fddb56a4d

SHA1
fbb9ef6899fb0ea1999404ccff08ee61ca8de11f

SHA256
7c03173d3bd7a27e446d8fe70829b963942f746d933a9eab4d198d524b45cb68

SHA512
679431a866a9806e967515eb97905d458798d8d9832a6fd57e519b12f5a8a5e8331297331a84c95a43bfca5953987ae9248638bc084fda92471540919a76a72c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\igccu.exe

Filesize
1.3MB

MD5
ebf39794ba6132055e6114d47bc18941

SHA1
214dead1bd716c58709c39a8180551b737048785

SHA256
8af777d0f92cef2d9040a634527c3753669235589c23129f09855ad0ebe10c6f

SHA512
01e7521af569050acc473fd13c8dd9a781370bd7cefcbc7e953e66ab930f407e9791c9fdb2ab4f368579f16bebb7368bebd2a475351a42d9e2092da0835bffbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\k.exe

Filesize
5.7MB

MD5
4af91af5e4cdc7c3ffcb265d1d4ba84e

SHA1
0822bc3f0daa2af8cf7ce3ea2d170eddda1f8474

SHA256
d410edc3f58ae5fc315e6a991ec7f695ecec65695234fca528be1c7d87c8323b

SHA512
2edf7dfe8f9db0d541e726eb0414a845bfd333e092e7f93b81bf1399f254bc1a15d2cd501cbd14b7b5ffb9d725760b67b8b202fbf3741a27179a6346bc212a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\lolMiner.exe

Filesize
7.7MB

MD5
03ab160d92dd13e549a778a844d008b4

SHA1
e1a147adc6b19ef1b61d171dc724e6073318c369

SHA256
8846c90b130f131059261045607983827e68aa26e699c591fb7e4a9235389e4e

SHA512
c865df80f6a97cd9e04b0e963d2b10dd71811271d47c554d410561bb4e69b08d276116c071c256f79b504975d2f6e2002b598a181d3c7c1959aae082d394ed51

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\lumma0607.exe

Filesize
512KB

MD5
383dc98d03038d2374701a5bfa5d8c0a

SHA1
e7fb6995ef4ea1b28f9527c96321452ac59686e1

SHA256
48a4712ae782ae16698b8a85c74dcb790e610c5a31c746319fb1d30e0e3c6096

SHA512
b846e728ec92a77af8b2a822c970646170951254dbd9ec5332191dc7d4b1fd15708e4850912049a772e4af1992fe2658ae3af49a377fb2172eb588fe8c6baff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\my.exe

Filesize
10.9MB

MD5
6470b936622d9502880cae6452d1bb48

SHA1
46f9dcbaec8def83dd90a5b56b480c70c0d8dd28

SHA256
8dff8555a5960f7dd9b5915c7046d006eafabe9181627d0ee7f56aeddfc727af

SHA512
6c9fcaa7c896f1dd26b0f69ee4c049702424e4a4227918dab5679602c1b1382143fcc01b833dd2e989100ed6bac9f71883f6db9340c62ca33ee0d479f6e898ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\update.exe

Filesize
320KB

MD5
ad6244bc20ec765fbda081b442bc591a

SHA1
2af32e47c041f960ce511af0073fbd94687481be

SHA256
e1866bf7e18ed3bc7a5df96695f4cdcc79dd522c5829e1ba14aae5fb300726c7

SHA512
0768f4451bd3d034303a7062e1fb46a7f13e9cbe11835fd6c4ab26e173f192f646fb7cda8dc58d0be6bb602f56e9375ac198dcba3c908a8cdf9895dd55cbb466

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\update.exe

Filesize
220KB

MD5
77bc9a5be6fc3a8b35bc4fb77b8422df

SHA1
a5b826f09c18f0d12eaf7a61a268faee7bdf6adb

SHA256
48bc4f4199ebb23a87bfb79e15ebfa873851de5fa83ff8b23da90339f1ef7c1e

SHA512
f11f5e605560dd14baa62f85569e4bbaf4edfdca53c60e4088f3d361b9581ac1c5844b490fef3c1bbe8a58b27174562e102bb21ce59a7492fa2bafbe78a6fe5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\update.exe

Filesize
256KB

MD5
14983117357f064d404cab571012b4cf

SHA1
d721546e9ed7421e46585aea27dd0ba48982c72a

SHA256
574700226613004d160de42869f9dc19f736a4f903251abaf270295f0cee99cc

SHA512
0d9c8873f51d8a6ffa7bd4a2441b1a48a3674421a551238e97345959fb5bf26f98d8b7306623bbfdb53540e78350fec3309056ded20c25fa34689cbba50b8a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\win.exe

Filesize
5.7MB

MD5
36dcf115331160b2f88e83e5b8d07036

SHA1
70a1eacbb83628c336792a5d5a1961a81b8d3a48

SHA256
6730f3ff0586fe95fd3c8514df7dc362eb4efe30a3a43f072797681bb196ad2c

SHA512
c63046a6decdddd1fccd4854bb76a38dc796677497b1cfdde03f1c8c72f60e3292bfcb335651220b89e8de70b5772a47ec73cb0e796045aeff0145c2af3552c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\windows_update.exe

Filesize
5.7MB

MD5
14129aa32bbd6bf03d3cde8837119e2a

SHA1
ad34a9a1b7bba694acdcc89da603f13424e9c138

SHA256
a14cf7fe50d04752115b10db3af584676082152adae4295b44c1aefd2074fbf4

SHA512
a4bb9b1cef0031746df7bcf5605c812e6805d8e3686541593d1e71d0ab698f2d25c09c94f79fa9b150a2b3cf4e8b7bae0ec7e86ef6b00a75dd74558a1cf065b2

Download Submit
memory/968-105-0x00000000008C0000-0x00000000018E6000-memory.dmp

Filesize
16.1MB

Download
memory/968-91-0x00000000008C0000-0x00000000018E6000-memory.dmp

Filesize
16.1MB

Download
memory/968-136-0x00000000008C0000-0x00000000018E6000-memory.dmp

Filesize
16.1MB

Download
memory/968-49-0x00000000008C0000-0x00000000018E6000-memory.dmp

Filesize
16.1MB

Download
memory/968-31-0x00000000008C0000-0x00000000018E6000-memory.dmp

Filesize
16.1MB

Download
memory/968-65-0x00000000008C0000-0x00000000018E6000-memory.dmp

Filesize
16.1MB

Download
memory/968-66-0x00000000008C0000-0x00000000018E6000-memory.dmp

Filesize
16.1MB

Download
memory/968-124-0x00000000008C0000-0x00000000018E6000-memory.dmp

Filesize
16.1MB

Download
memory/968-38-0x00000000008C0000-0x00000000018E6000-memory.dmp

Filesize
16.1MB

Download
memory/968-68-0x00000000008C0000-0x00000000018E6000-memory.dmp

Filesize
16.1MB

Download
memory/968-37-0x00000000008C0000-0x00000000018E6000-memory.dmp

Filesize
16.1MB

Download
memory/968-36-0x00000000008C0000-0x00000000018E6000-memory.dmp

Filesize
16.1MB

Download
memory/968-79-0x00000000008C0000-0x00000000018E6000-memory.dmp

Filesize
16.1MB

Download
memory/968-140-0x00000000008C0000-0x00000000018E6000-memory.dmp

Filesize
16.1MB

Download
memory/968-81-0x00000000008C0000-0x00000000018E6000-memory.dmp

Filesize
16.1MB

Download
memory/968-121-0x00000000008C0000-0x00000000018E6000-memory.dmp

Filesize
16.1MB

Download
memory/968-83-0x00000000008C0000-0x00000000018E6000-memory.dmp

Filesize
16.1MB

Download
memory/968-154-0x00000000008C0000-0x00000000018E6000-memory.dmp

Filesize
16.1MB

Download
memory/968-118-0x00000000008C0000-0x00000000018E6000-memory.dmp

Filesize
16.1MB

Download
memory/968-87-0x00000000008C0000-0x00000000018E6000-memory.dmp

Filesize
16.1MB

Download
memory/968-32-0x00000000008C0000-0x00000000018E6000-memory.dmp

Filesize
16.1MB

Download
memory/968-89-0x00000000008C0000-0x00000000018E6000-memory.dmp

Filesize
16.1MB

Download
memory/968-150-0x00000000008C0000-0x00000000018E6000-memory.dmp

Filesize
16.1MB

Download
memory/968-50-0x00000000008C0000-0x00000000018E6000-memory.dmp

Filesize
16.1MB

Download
memory/968-34-0x00000000008C0000-0x00000000018E6000-memory.dmp

Filesize
16.1MB

Download
memory/968-100-0x00000000008C0000-0x00000000018E6000-memory.dmp

Filesize
16.1MB

Download
memory/968-144-0x00000000008C0000-0x00000000018E6000-memory.dmp

Filesize
16.1MB

Download
memory/968-104-0x00000000008C0000-0x00000000018E6000-memory.dmp

Filesize
16.1MB

Download
memory/1216-146-0x0000000000760000-0x0000000000F4D000-memory.dmp

Filesize
7.9MB

Download
memory/1216-143-0x0000000000760000-0x0000000000F4D000-memory.dmp

Filesize
7.9MB

Download
memory/1216-152-0x0000000000760000-0x0000000000F4D000-memory.dmp

Filesize
7.9MB

Download
memory/1216-156-0x0000000000760000-0x0000000000F4D000-memory.dmp

Filesize
7.9MB

Download
memory/1452-138-0x0000000000760000-0x0000000000F4D000-memory.dmp

Filesize
7.9MB

Download
memory/1452-48-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1452-47-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1888-271-0x0000000000B90000-0x0000000000BA6000-memory.dmp

Filesize
88KB

Download
memory/2540-142-0x0000000000540000-0x0000000001565000-memory.dmp

Filesize
16.1MB

Download
memory/2540-155-0x0000000000540000-0x0000000001565000-memory.dmp

Filesize
16.1MB

Download
memory/2540-122-0x0000000000540000-0x0000000001565000-memory.dmp

Filesize
16.1MB

Download
memory/2540-119-0x0000000000540000-0x0000000001565000-memory.dmp

Filesize
16.1MB

Download
memory/2540-125-0x0000000000540000-0x0000000001565000-memory.dmp

Filesize
16.1MB

Download
memory/2540-139-0x0000000000540000-0x0000000001565000-memory.dmp

Filesize
16.1MB

Download
memory/2540-151-0x0000000000540000-0x0000000001565000-memory.dmp

Filesize
16.1MB

Download
memory/2540-148-0x0000000000540000-0x0000000001565000-memory.dmp

Filesize
16.1MB

Download
memory/2572-116-0x0000000000540000-0x0000000001565000-memory.dmp

Filesize
16.1MB

Download
memory/2832-63-0x0000000000220000-0x0000000001246000-memory.dmp

Filesize
16.1MB

Download
memory/2832-84-0x0000000000220000-0x0000000001246000-memory.dmp

Filesize
16.1MB

Download
memory/2832-141-0x0000000000220000-0x0000000001246000-memory.dmp

Filesize
16.1MB

Download
memory/2832-123-0x0000000000220000-0x0000000001246000-memory.dmp

Filesize
16.1MB

Download
memory/2832-120-0x0000000000220000-0x0000000001246000-memory.dmp

Filesize
16.1MB

Download
memory/2832-117-0x0000000000220000-0x0000000001246000-memory.dmp

Filesize
16.1MB

Download
memory/2832-106-0x0000000000220000-0x0000000001246000-memory.dmp

Filesize
16.1MB

Download
memory/2832-145-0x0000000000220000-0x0000000001246000-memory.dmp

Filesize
16.1MB

Download
memory/2832-103-0x0000000000220000-0x0000000001246000-memory.dmp

Filesize
16.1MB

Download
memory/2832-102-0x0000000000220000-0x0000000001246000-memory.dmp

Filesize
16.1MB

Download
memory/2832-149-0x0000000000220000-0x0000000001246000-memory.dmp

Filesize
16.1MB

Download
memory/2832-90-0x0000000000220000-0x0000000001246000-memory.dmp

Filesize
16.1MB

Download
memory/2832-88-0x0000000000220000-0x0000000001246000-memory.dmp

Filesize
16.1MB

Download
memory/2832-86-0x0000000000220000-0x0000000001246000-memory.dmp

Filesize
16.1MB

Download
memory/2832-153-0x0000000000220000-0x0000000001246000-memory.dmp

Filesize
16.1MB

Download
memory/2832-126-0x0000000000220000-0x0000000001246000-memory.dmp

Filesize
16.1MB

Download
memory/2832-82-0x0000000000220000-0x0000000001246000-memory.dmp

Filesize
16.1MB

Download
memory/2832-80-0x0000000000220000-0x0000000001246000-memory.dmp

Filesize
16.1MB

Download
memory/2832-67-0x0000000000220000-0x0000000001246000-memory.dmp

Filesize
16.1MB

Download
memory/2832-69-0x0000000000220000-0x0000000001246000-memory.dmp

Filesize
16.1MB

Download
memory/3044-30-0x00000000008C0000-0x00000000018E6000-memory.dmp

Filesize
16.1MB

Download
memory/3044-27-0x00000000008C0000-0x00000000018E6000-memory.dmp

Filesize
16.1MB

Download
memory/3496-78-0x00007FF626700000-0x00007FF62AE5F000-memory.dmp

Filesize
71.4MB

Download
memory/3544-64-0x0000000000220000-0x0000000001246000-memory.dmp

Filesize
16.1MB

Download
memory/3544-59-0x0000000000220000-0x0000000001246000-memory.dmp

Filesize
16.1MB

Download
memory/4884-0-0x00007FFD30813000-0x00007FFD30815000-memory.dmp

Filesize
8KB

Download
memory/4884-35-0x00007FFD30810000-0x00007FFD312D2000-memory.dmp

Filesize
10.8MB

Download
memory/4884-33-0x00007FFD30813000-0x00007FFD30815000-memory.dmp

Filesize
8KB

Download
memory/4884-2-0x00007FFD30810000-0x00007FFD312D2000-memory.dmp

Filesize
10.8MB

Download
memory/4884-1-0x00000000006D0000-0x00000000006D8000-memory.dmp

Filesize
32KB

Download