amadey | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

max time kernel
95s
max time network
128s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
16-08-2024 00:04

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

8KB
MD5

69994ff2f00eeca9335ccd502198e05b
SHA1

b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512

ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP

96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
Password: )NYyffR0 1
Email To:
[email protected]

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:1604

127.0.0.1:22253

eu-central-7075.packetriot.net:6606

eu-central-7075.packetriot.net:7707

eu-central-7075.packetriot.net:8808

eu-central-7075.packetriot.net:1604

eu-central-7075.packetriot.net:22253

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Extracted

Family

redline

185.215.113.9:12617

Extracted

Family

amadey

Version

4.41

Botnet

cd33f9

http://193.176.158.185

Attributes

install_dir
fed0c9a4d3
install_file
Hkbsse.exe
strings_key
a2163aef710017f5548e7e730af53cca
url_paths
/B0kf3CbAbR/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000200000002a751-125.dat	family_xworm
behavioral2/memory/2128-132-0x00000000005A0000-0x00000000005E8000-memory.dmp	family_xworm

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000200000002aae9-355.dat	family_redline
behavioral2/memory/4084-362-0x0000000000060000-0x00000000000B2000-memory.dmp	family_redline

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 2 IoCs

resource	yara_rule
behavioral2/memory/3388-51-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral2/memory/5232-544-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000400000002a91f-140.dat	family_asyncrat

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3416	powershell.exe
4408	powershell.exe
2796	powershell.exe
3760	powershell.exe
3088	powershell.exe
3828	powershell.exe

Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe

Executes dropped EXE 16 IoCs

pid	Process
2984	robotic.exe
2196	asusns.exe
3388	asusns.exe
2128	msedge.exe
1828	stub.exe
4352	build2.exe
3956	keylogger.exe
2960	svchost.exe
3416	networks_profile.exe
2992	networks_profile.exe
5080	backdoor.exe
1920	wahost.exe
4920	regasm.exe
4084	cookie250.exe
1760	Hkbsse.exe
2788	sahost.exe

Loads dropped DLL 6 IoCs

pid	Process
2992	networks_profile.exe
2992	networks_profile.exe
2992	networks_profile.exe
2992	networks_profile.exe
2992	networks_profile.exe
2992	networks_profile.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	asusns.exe
Key opened	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	asusns.exe
Key opened	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	asusns.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
47	raw.githubusercontent.com
36	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2196 set thread context of 3388	2196	asusns.exe	106

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\Tasks\Hkbsse.job	build2.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x000600000002aada-260.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Program crash 10 IoCs

pid	pid_target	Process	procid_target
5004	4352	WerFault.exe	125
4200	4352	WerFault.exe	125
1808	4352	WerFault.exe	125
972	4352	WerFault.exe	125
2992	4352	WerFault.exe	125
3168	4352	WerFault.exe	125
1928	4352	WerFault.exe	125
1724	4352	WerFault.exe	125
1928	4352	WerFault.exe	125
4480	4352	WerFault.exe	125

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asusns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stub.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regasm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asusns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wahost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backdoor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cookie250.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sahost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbsse.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1724	netsh.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4988	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133682403899324678"	chrome.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f007200690074007900000020000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	New Text Document mod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	cookie250.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	cookie250.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1776	schtasks.exe
1892	schtasks.exe
5088	schtasks.exe
2820	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2128	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2984	robotic.exe
3388	asusns.exe
3416	powershell.exe
3416	powershell.exe
3388	asusns.exe
3340	chrome.exe
3340	chrome.exe
4408	powershell.exe
4408	powershell.exe
4408	powershell.exe
2796	powershell.exe
2796	powershell.exe
2796	powershell.exe
1828	stub.exe
1828	stub.exe
1828	stub.exe
1828	stub.exe
1828	stub.exe
1828	stub.exe
1828	stub.exe
1828	stub.exe
1828	stub.exe
1828	stub.exe
1828	stub.exe
1828	stub.exe
1828	stub.exe
1828	stub.exe
1828	stub.exe
1828	stub.exe
1828	stub.exe
1828	stub.exe
1828	stub.exe
1828	stub.exe
3760	powershell.exe
3760	powershell.exe
3760	powershell.exe
3088	powershell.exe
3088	powershell.exe
3088	powershell.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe
2128	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1328	New Text Document mod.exe
Token: SeDebugPrivilege	2984	robotic.exe
Token: SeBackupPrivilege	2984	robotic.exe
Token: SeSecurityPrivilege	2984	robotic.exe
Token: SeSecurityPrivilege	2984	robotic.exe
Token: SeSecurityPrivilege	2984	robotic.exe
Token: SeSecurityPrivilege	2984	robotic.exe
Token: SeDebugPrivilege	2624	New Text Document mod.exe
Token: SeDebugPrivilege	3388	asusns.exe
Token: SeDebugPrivilege	3416	powershell.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeDebugPrivilege	2128	msedge.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeDebugPrivilege	4408	powershell.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	1828	stub.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeDebugPrivilege	3760	powershell.exe
Token: SeDebugPrivilege	3088	powershell.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeDebugPrivilege	2128	msedge.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeDebugPrivilege	2960	svchost.exe
Token: SeDebugPrivilege	2960	svchost.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
4352	build2.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2128	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 2984	1328	New Text Document mod.exe	93
PID 1328 wrote to memory of 2984	1328	New Text Document mod.exe	93
PID 1328 wrote to memory of 2196	1328	New Text Document mod.exe	95
PID 1328 wrote to memory of 2196	1328	New Text Document mod.exe	95
PID 1328 wrote to memory of 2196	1328	New Text Document mod.exe	95
PID 2196 wrote to memory of 3416	2196	asusns.exe	102
PID 2196 wrote to memory of 3416	2196	asusns.exe	102
PID 2196 wrote to memory of 3416	2196	asusns.exe	102
PID 2196 wrote to memory of 1776	2196	asusns.exe	104
PID 2196 wrote to memory of 1776	2196	asusns.exe	104
PID 2196 wrote to memory of 1776	2196	asusns.exe	104
PID 2196 wrote to memory of 3388	2196	asusns.exe	106
PID 2196 wrote to memory of 3388	2196	asusns.exe	106
PID 2196 wrote to memory of 3388	2196	asusns.exe	106
PID 2196 wrote to memory of 3388	2196	asusns.exe	106
PID 2196 wrote to memory of 3388	2196	asusns.exe	106
PID 2196 wrote to memory of 3388	2196	asusns.exe	106
PID 2196 wrote to memory of 3388	2196	asusns.exe	106
PID 2196 wrote to memory of 3388	2196	asusns.exe	106
PID 3340 wrote to memory of 1268	3340	chrome.exe	109
PID 3340 wrote to memory of 1268	3340	chrome.exe	109
PID 3340 wrote to memory of 1648	3340	chrome.exe	110
PID 3340 wrote to memory of 1648	3340	chrome.exe	110
PID 3340 wrote to memory of 1648	3340	chrome.exe	110
PID 3340 wrote to memory of 1648	3340	chrome.exe	110
PID 3340 wrote to memory of 1648	3340	chrome.exe	110
PID 3340 wrote to memory of 1648	3340	chrome.exe	110
PID 3340 wrote to memory of 1648	3340	chrome.exe	110
PID 3340 wrote to memory of 1648	3340	chrome.exe	110
PID 3340 wrote to memory of 1648	3340	chrome.exe	110
PID 3340 wrote to memory of 1648	3340	chrome.exe	110
PID 3340 wrote to memory of 1648	3340	chrome.exe	110
PID 3340 wrote to memory of 1648	3340	chrome.exe	110
PID 3340 wrote to memory of 1648	3340	chrome.exe	110
PID 3340 wrote to memory of 1648	3340	chrome.exe	110
PID 3340 wrote to memory of 1648	3340	chrome.exe	110
PID 3340 wrote to memory of 1648	3340	chrome.exe	110
PID 3340 wrote to memory of 1648	3340	chrome.exe	110
PID 3340 wrote to memory of 1648	3340	chrome.exe	110
PID 3340 wrote to memory of 1648	3340	chrome.exe	110
PID 3340 wrote to memory of 1648	3340	chrome.exe	110
PID 3340 wrote to memory of 1648	3340	chrome.exe	110
PID 3340 wrote to memory of 1648	3340	chrome.exe	110
PID 3340 wrote to memory of 1648	3340	chrome.exe	110
PID 3340 wrote to memory of 1648	3340	chrome.exe	110
PID 3340 wrote to memory of 1648	3340	chrome.exe	110
PID 3340 wrote to memory of 1648	3340	chrome.exe	110
PID 3340 wrote to memory of 1648	3340	chrome.exe	110
PID 3340 wrote to memory of 1648	3340	chrome.exe	110
PID 3340 wrote to memory of 1648	3340	chrome.exe	110
PID 3340 wrote to memory of 1648	3340	chrome.exe	110
PID 3340 wrote to memory of 3860	3340	chrome.exe	111
PID 3340 wrote to memory of 3860	3340	chrome.exe	111
PID 3340 wrote to memory of 536	3340	chrome.exe	112
PID 3340 wrote to memory of 536	3340	chrome.exe	112
PID 3340 wrote to memory of 536	3340	chrome.exe	112
PID 3340 wrote to memory of 536	3340	chrome.exe	112
PID 3340 wrote to memory of 536	3340	chrome.exe	112
PID 3340 wrote to memory of 536	3340	chrome.exe	112
PID 3340 wrote to memory of 536	3340	chrome.exe	112
PID 3340 wrote to memory of 536	3340	chrome.exe	112
PID 3340 wrote to memory of 536	3340	chrome.exe	112
PID 3340 wrote to memory of 536	3340	chrome.exe	112
PID 3340 wrote to memory of 536	3340	chrome.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	asusns.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	asusns.exe

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Users\Admin\AppData\Local\Temp\a\robotic.exe
  "C:\Users\Admin\AppData\Local\Temp\a\robotic.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Users\Admin\AppData\Local\Temp\a\asusns.exe
  "C:\Users\Admin\AppData\Local\Temp\a\asusns.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OKmzKrla.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3416
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OKmzKrla" /XML "C:\Users\Admin\AppData\Local\Temp\tmp772F.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1776
- - C:\Users\Admin\AppData\Local\Temp\a\asusns.exe
    "C:\Users\Admin\AppData\Local\Temp\a\asusns.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:3388
- C:\Users\Admin\AppData\Local\Temp\a\msedge.exe
  "C:\Users\Admin\AppData\Local\Temp\a\msedge.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2128
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3088
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\ProgramData\msedge.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5088
- C:\Users\Admin\AppData\Local\Temp\a\stub.exe
  "C:\Users\Admin\AppData\Local\Temp\a\stub.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1828
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4828
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAC39.tmp.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4920
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:4988
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2960
- C:\Users\Admin\AppData\Local\Temp\a\build2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\build2.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:4352
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 776
    3⤵
    - Program crash
    PID:5004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 820
    3⤵
    - Program crash
    PID:4200
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 880
    3⤵
    - Program crash
    PID:1808
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 952
    3⤵
    - Program crash
    PID:972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 968
    3⤵
    - Program crash
    PID:2992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 928
    3⤵
    - Program crash
    PID:3168
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 920
    3⤵
    - Program crash
    PID:1928
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1112
    3⤵
    - Program crash
    PID:1724
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1180
    3⤵
    - Program crash
    PID:1928
- - C:\Users\Admin\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe
    "C:\Users\Admin\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1760
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 888
    3⤵
    - Program crash
    PID:4480
- C:\Users\Admin\AppData\Local\Temp\a\keylogger.exe
  "C:\Users\Admin\AppData\Local\Temp\a\keylogger.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3956
- C:\Users\Admin\AppData\Local\Temp\a\networks_profile.exe
  "C:\Users\Admin\AppData\Local\Temp\a\networks_profile.exe"
  2⤵
  - Executes dropped EXE
  PID:3416
- - C:\Users\Admin\AppData\Local\Temp\a\networks_profile.exe
    "C:\Users\Admin\AppData\Local\Temp\a\networks_profile.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:4200
  - - C:\Windows\SYSTEM32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1724
- C:\Users\Admin\AppData\Local\Temp\a\backdoor.exe
  "C:\Users\Admin\AppData\Local\Temp\a\backdoor.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5080
- C:\Users\Admin\AppData\Local\Temp\a\wahost.exe
  "C:\Users\Admin\AppData\Local\Temp\a\wahost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1920
- - C:\Users\Admin\AppData\Local\Temp\a\wahost.exe
    "C:\Users\Admin\AppData\Local\Temp\a\wahost.exe"
    3⤵
    PID:1008
- - C:\Users\Admin\AppData\Local\Temp\a\wahost.exe
    "C:\Users\Admin\AppData\Local\Temp\a\wahost.exe"
    3⤵
    PID:3068
- C:\Users\Admin\AppData\Local\Temp\a\regasm.exe
  "C:\Users\Admin\AppData\Local\Temp\a\regasm.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4920
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eVoVlc.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3828
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eVoVlc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp168C.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2820
- - C:\Users\Admin\AppData\Local\Temp\a\regasm.exe
    "C:\Users\Admin\AppData\Local\Temp\a\regasm.exe"
    3⤵
    PID:5232
- C:\Users\Admin\AppData\Local\Temp\a\cookie250.exe
  "C:\Users\Admin\AppData\Local\Temp\a\cookie250.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  PID:4084
- C:\Users\Admin\AppData\Local\Temp\a\sahost.exe
  "C:\Users\Admin\AppData\Local\Temp\a\sahost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2788

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3068

C:\Users\Admin\Desktop\New Text Document mod.exe
"C:\Users\Admin\Desktop\New Text Document mod.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2624
- C:\Users\Admin\Desktop\a\robotic.exe
  "C:\Users\Admin\Desktop\a\robotic.exe"
  2⤵
  PID:5460
- C:\Users\Admin\Desktop\a\asusns.exe
  "C:\Users\Admin\Desktop\a\asusns.exe"
  2⤵
  PID:5992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbd15dcc40,0x7ffbd15dcc4c,0x7ffbd15dcc58
  2⤵
  PID:1268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,11013657401983307184,13953933227703322585,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:1648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1440,i,11013657401983307184,13953933227703322585,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  PID:3860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,11013657401983307184,13953933227703322585,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2200 /prefetch:8
  2⤵
  PID:536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,11013657401983307184,13953933227703322585,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,11013657401983307184,13953933227703322585,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4512,i,11013657401983307184,13953933227703322585,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4480 /prefetch:1
  2⤵
  PID:3832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4752,i,11013657401983307184,13953933227703322585,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4808 /prefetch:8
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4820,i,11013657401983307184,13953933227703322585,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5148,i,11013657401983307184,13953933227703322585,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4348 /prefetch:1
  2⤵
  PID:408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3524,i,11013657401983307184,13953933227703322585,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4364,i,11013657401983307184,13953933227703322585,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4856 /prefetch:8
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3192,i,11013657401983307184,13953933227703322585,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  PID:5004

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4352 -ip 4352
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4352 -ip 4352
1⤵
PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4352 -ip 4352
1⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4352 -ip 4352
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4352 -ip 4352
1⤵
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4352 -ip 4352
1⤵
PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4352 -ip 4352
1⤵
PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4352 -ip 4352
1⤵
PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4352 -ip 4352
1⤵
PID:1760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4352 -ip 4352
1⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe
1⤵
PID:5324

C:\ProgramData\msedge.exe
C:\ProgramData\msedge.exe
1⤵
PID:5380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
5a5409fce3429dc7aae61f979db93636

SHA1
e028bc814bed4ea71f0d1abfe681f0a12b882a7d

SHA256
7e9236feb16ae9fcbfe21af321bf4a71f8cfe90873bb4ea6abb92edd63ba4ee0

SHA512
d6678622274ae51f025039110ab8513a7ce53141b21cc9b7bddb0812e5e21fcca6d6d67ce7c205c75ec1ca23ac3265a699a9c816fdc6041fcd534d867d9afcbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7bc15a8b14c8977241bee78c07538ae1

SHA1
9658a2d95ec55a602af9dab5671ab314964a2070

SHA256
5f40b4c8d9c90f972986c4158d5386dcefe8b9806c61cb1c15dd3be99d8fcd92

SHA512
df2d18635180b58dbbdec50d6755540989ad7753ba478c5146c152cd0298418603fb8bf45be976a88fe0b37115ba7c756f22770e277c7d09b18b37029b383d35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
482f025012ac099f416dc863970a3bd2

SHA1
dd2598524a1233bc99480ed5cfb0c760ab2495d2

SHA256
078f2b18d8fcbe5eff4487eb6cacbd0e401b8281c662404190878431501dba2a

SHA512
0fe25056e19cd65071dc9145e9749886c27c484ec9ba15ba85704fc6408e776313fd9a27227a5788e3d4c04ee11ecf82441f73e5d49613f81ed04ead5c3ac3d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
829b803cbf0b4afb7eff7d145571df76

SHA1
9b97322d2fb61258ed2857dbbe4379e551b244e2

SHA256
73df2d2e8e1c431434c2941ba6fc40155076d88711e5cae2421730fc72a862f5

SHA512
d019032f9f108daaff8245e09ca07a114838b6345e286828fd1bef32155ccffa92aaa7eeaf80c39b6fde7c7b726b27194973a4fccb10383d4c62362ca91e66f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0b0caf4058dfad94fc3b548e9256538c

SHA1
a5f706f51887d488acc2fb294e8665736ef3b71b

SHA256
dc00fdb364a2e20577117a4d0d62cbc37adead543b6df669e3197071c5bf977c

SHA512
c7b83b9d3356d8cb6006a0cfb36c4f87adae88ddd1afac396b8ce3f4293bf7405c0ba50344736906cd7fdd67a33a4e896fcb2493b0f6567de9a461150b89715f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
95069abf64ccf7769ddcf8591320f1dc

SHA1
a2ccbe3c593dde521fb1c3a2c85402b7dd3c02ec

SHA256
87b5af3eb4734efe9a15143c482c6f4a7e9a9053debf832c35591b78579e2d6e

SHA512
35864ac0ca557a6ff68266f7d7d2ceb5dcc48fa21093c7d153deb0e1dd3a416dd7d53d4031c5d608a2c121722d74607df4ac98fd1a8f2b64c80ebd8d89c720bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
a465ec92d47f08e7cf7aac358f96a070

SHA1
e65b2191c0dd5f3ab5b3904f09d0c2aa1b93d0de

SHA256
24dd354b98e52186e7599a13c3fd5aa475ca6be6221ee731578abf8c2bb97b73

SHA512
d1b319bb8ea6c522f2145d046cb6273b03a44afb5e2a6735b1b52dc65e224e21b43b5eaf8db7c110cdb168edd05de1c9c850e6cde2890916352c676889a6b13e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
198KB

MD5
011f83d737da9cbc670864eb479267f8

SHA1
47fc12c1d9f8240025b584aed15c3cd388134dfc

SHA256
90212a5b8d8c92445c88d1e28ee11178222fc4923e08b8ecd90708fc8f77b2ad

SHA512
63d7b5cf58577060c1bccfeabdfd5fa8de4c733548329525e4ff91c46117e7d6ab9ee6acc379bc4a606077cb39812467adf7c25f39faa8820363c7a507520a6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
100KB

MD5
354651306346bdecba739804c4a6caa9

SHA1
f76304434b9ded274c791a951e7c8730456f06b4

SHA256
310c457e6cd2ab9427478b21e1118b12b0f1332ee15db3a3e731e7c7542a1175

SHA512
3a744f6d995f47d7a7b9af2bbd4612f4e52875676f48d8329d85f68e6e5f1542174f82a2678ab26762b2ef5c02421c0a7178f345a89d517d76c34196fdb9ef84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
198KB

MD5
59f20b534a151d29b28e8827b1849420

SHA1
5a6d83bdb9df99b56b39a0215da4efdbe97f1e6e

SHA256
e6b95437b8e1b88e3fdffdc00d96f13b8d1b8e273d5456e33b34f4ff9f77e2a8

SHA512
b25c4ac85f2511339d65980ad003c82dc9141e9c5436bb7d66c524ab15cf098b800ef08a6d1b2ff9c89067acb2468de0de03a450beb79f7f55ba9d81ff0f5759

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d1e796c632a1a22c598565b1e38935c2

SHA1
1de9be5f066b3cafc6f6db3d45c33e6918139de8

SHA256
6a4242191b5035ffecebe9ee919a3adce0655b86157ccb90a26ff603427cb793

SHA512
ab3a8b47d6f196271820e0a13529fcd3a774e8029d4e9b4e46944908105826a181e230861fc102d6d93c273f496a3e89502f8b37c5db88ab1a91a2a690e89363

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6344564097353c8e7e68991fffa80d88

SHA1
2ac4d108a30ec3fbd2938b0563eb912415ea7c62

SHA256
d0af6d69f8bc0c98e9fb61dead6327bbc8b4f5292529313515382d8f883de0da

SHA512
e2b37a9001a91cb05483d72f88bd70a61ca5655939c2290fd1580710eec9d8d26a5fedbcb5223f5413b5dcc46f1d8b6b408e57be0e4ad4b37b55cbce9023a303

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ee6edeb9950921874be3d45ecc719288

SHA1
dea3709eff9447b56adf7adfd781855f1172ea18

SHA256
9d647d9792500c3c5d6d5d1d7caa8dba5f71e9a21d70d95391966f8f820d3f15

SHA512
080e170151740061507b4de85d38bc82730e94c1dbef66b64502294a3c659aceef8006e10cc548c350279a3d0a2459d801d460719483d3939e85ad148337b52d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4914eb0b2ff51bfa48484b5cc8454218

SHA1
6a7c3e36ce53b42497884d4c4a3bda438dd4374b

SHA256
7e510fc9344ef239ab1ab650dc95bb25fd44e2efba8b8246a3ac17880ee8b69e

SHA512
83ab35f622f4a5040ca5cb615a30f83bb0741449225f1fd1815b6923e225c28241d0c02d34f83f743349a5e57f84ca1c6f44016797a93d5985be41d11be79500

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpE2AA.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34162\VCRUNTIME140.dll

Filesize
94KB

MD5
18049f6811fc0f94547189a9e104f5d2

SHA1
dc127fa1ff0aab71abd76b89fc4b849ad3cf43a6

SHA256
c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db

SHA512
38fa01debdb8c5369b3be45b1384434acb09a6afe75a50a31b3f0babb7bc0550261a5376dd7e5beac74234ec1722967a33fc55335b1809c0b64db42f7e56cdf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34162\_ctypes.pyd

Filesize
124KB

MD5
7322f8245b5c8551d67c337c0dc247c9

SHA1
5f4cb918133daa86631211ae7fa65f26c23fcc98

SHA256
4fcf4c9c98b75a07a7779c52e1f7dff715ae8a2f8a34574e9dac66243fb86763

SHA512
52748b59ce5d488d2a4438548963eb0f2808447c563916e2917d08e5f4aab275e4769c02b63012b3d2606fdb5a8baa9eb5942ba5c5e11b7678f5f4187b82b0c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34162\_socket.pyd

Filesize
78KB

MD5
478abd499eefeba3e50cfc4ff50ec49d

SHA1
fe1aae16b411a9c349b0ac1e490236d4d55b95b2

SHA256
fdb14859efee35e105f21a64f7afdf50c399ffa0fa8b7fcc76dae4b345d946cb

SHA512
475b8d533599991b4b8bfd27464b379d78e51c41f497e81698b4e7e871f82b5f6b2bfec70ec2c0a1a8842611c8c2591133eaef3f7fc4bc7625e18fc4189c914e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34162\base_library.zip

Filesize
763KB

MD5
c6b38adf85add9f9a7ea0b67eea508b4

SHA1
23a398ffdae6047d9777919f7b6200dd2a132887

SHA256
77479f65578cf9710981255a3ad5495d45f8367b2f43c2f0680fce0fed0e90fb

SHA512
d6abc793a7b6cc6138b50305a8c1cad10fa1628ca01a2284d82222db9bd1569959b05bdf4581d433ff227438131e43eec98bf265e746b17e76b1c9e9e21d447d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34162\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34162\python39.dll

Filesize
4.3MB

MD5
1d5e4c20a20740f38f061bdf48aaca4f

SHA1
de1b64ab5219aa6fef95cd2b0ccead1c925fd0d0

SHA256
f8172151d11bcf934f2a7518cd0d834e3f079bd980391e9da147ce4cff72c366

SHA512
9df64c97e4e993e815fdaf7e8ecbc3ce32aa8d979f8f4f7a732b2efa636cfeb9a145fe2c2dcdf2e5e9247ee376625e1fdc62f9657e8007bb504336ac8d05a397

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34162\select.pyd

Filesize
28KB

MD5
fed3dae56f7c9ea35d2e896fede29581

SHA1
ae5b2ef114138c4d8a6479d6441967c170c5aa23

SHA256
d56542143775d02c70ad713ac36f295d473329ef3ad7a2999811d12151512931

SHA512
3128c57724b0609cfcaca430568d79b0e6abd13e5bba25295493191532dba24af062d4e0340d0ed68a885c24fbbf36b7a3d650add2f47f7c2364eab6a0b5faff

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3y3rip5n.tyx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\asusns.exe

Filesize
701KB

MD5
0e3ed8b5e5952cffc0e119b6082a6599

SHA1
b8275da931abd327fb0ad3b102a5917aa950c636

SHA256
e5797ef4bea22b1d24a9147c48726e9960ffa1b5866e04c11de117531483fe9d

SHA512
15e06c4a477984dac67d7301d8019935af32e7a5fc47c6d69533f00e7aa3992cd8e496d02f05f9c2f4c43f3a928fe070276bdcb18f86bcab43faae3709522beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\backdoor.exe

Filesize
68KB

MD5
698f5896ec35c84909344dc08b7cae67

SHA1
4c3eb447125f74f2eef63e14a5d97a823fa8d4e9

SHA256
9cc2e2d5feeb360b2ea9a650809468f08e13c0e997ebadf5baa69ae3c27a958e

SHA512
2230abef3f2ac7fff21f2af8a1df79a0ab3f7b1153ce696745ff5cef7f677bfe562dc820eb36be8e4819210ffa565d52e3b940f0cad5427d30a3aa05a4bcde2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\build2.exe

Filesize
481KB

MD5
f9a4f6684d1bf48406a42921aebc1596

SHA1
c9186ff53de4724ede20c6485136b4b2072bb6a6

SHA256
e0a051f93d4c1e81cc142181d14249e246be4c169645d667267134b664e75042

SHA512
67294a47dfef6aba404939497c403f93318841e9c5ee28b706f7506b5dff2630381e28e86f6dcbfdff2427092a515db1dc0a04e334e7f8de8b0b682269ff88fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cookie250.exe

Filesize
304KB

MD5
1b099f749669dfe00b4177988018fc40

SHA1
c007e18cbe95b286b146531a01dde05127ebd747

SHA256
f7b57a665ac90377683c434a04b8b6894c369d34fdb03273778a8c9f8fdbb262

SHA512
87dc26b28cb2c43c788d9ae9ef384b69be52b27500bc23cdc6acc8567e51705d99ef942cdc0b23fa6a7c84d4ddaaa8f05865a8e7bb4ad943ba5deabf7a4105fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\keylogger.exe

Filesize
51KB

MD5
fbbc99e0b5c7a5f4b76886520f5a4f63

SHA1
361b841c52643792c26868f90e0330ba2ab131ae

SHA256
6054e52edc7112fcecaaf39f37c6bdaa35f98bfaff45d4e01802b9a8bedd2eef

SHA512
5de0b99a9d3f7cdee1d9ed8122c62f096b59cca93c9ad4c4eb15da6bb08d5ea07c09f2864e8a841dcc4095e890e47dd595f51c535ab37713f807a151de52cb11

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\msedge.exe

Filesize
271KB

MD5
c2ec3c7d003e11d0db8aab918df1e47a

SHA1
9c1c3421a1d0207bec271b9cd38a48cb0a1fb285

SHA256
97b1441bd0a459186311604d3cf3fc2b212dff334f4640d9171189080698c940

SHA512
bb43cf35712213ec0643a48451791da6cd8e9c4f1281980dd972e8483ddba7f56b55d23cd4fc9eca91b1ca4e1bc7370769b71cdc3e250c9f1941eb72ce278170

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\networks_profile.exe

Filesize
6.6MB

MD5
7306abcf62c8ee10a1692a6a85af9297

SHA1
69900ccc2400e685b981b3654af57c062ffb44e2

SHA256
37c9a26faec0bb21171b3968d2e4254f6ae10ff7ae0d0b1493226685bc5d3b4b

SHA512
cd00a60387e06fcc6f14242adb97a54575a49cf1e9b22c74aa5d8bb7617e571fc194049691e4ee0fcff8bdd659b04de62f46d07e2f3330c18ac7035134e183d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\regasm.exe

Filesize
593KB

MD5
f74f2df998219d602185c46107329e82

SHA1
a0f8eeb2e5c712e690923fdaf3b7cefc64f3d63e

SHA256
5f569c72db9c31528daf2e907938b9bb711ea3a050efe5bf5d514dc962c5415c

SHA512
b28e1eafefaf4f71666bf6c216c8672eb615a5e369bd913b85d99b2774df76ffaa489f145722a93f80f2afcb76eef40e62dcf246793bcf867d696487e9343a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\robotic.exe

Filesize
538KB

MD5
6b1bbe4e391cdfd775780d8502ccbc41

SHA1
a910f7ac9ed8fd57f7455f04e99bcd732bc8241a

SHA256
2999b0ecf157b9f37dcfa1cb4a0ffff73092c416499a356fdb1558d66985e9a3

SHA512
9ad2ca4cc8af0b6185be87d9026da5cdac2c52ff15b0fd2ba333ff3a25016e06a294d7cf5cf32b1869a1f5e3692f071f582ba2151ac16f9be738ea7862ab57d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\sahost.exe

Filesize
499KB

MD5
29e3de6b17d0fdfb360834f038b59a39

SHA1
1e3fdca7e4dec1ebb618f69675928363657ba064

SHA256
8cf6a3d7e5694a0453d85e67a038bb5804b6eb8969287f1d021bdb7b95234e9d

SHA512
ebf889085bb105182739d7a748d8b12b26de3e47f11535260adac23beee3d5b43aa572b6043ace7ac068cee36529c3cf448986f3218aec742ab6fce4db47440a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\stub.exe

Filesize
48KB

MD5
a7ed4ba445aa61c4632dd6579c212bf5

SHA1
a81d766d12a6dd8c3cec537387a089650b34e103

SHA256
91fb355fdc173c40fa77f8a252031d6bc32fab91c5e5573da28044494691c820

SHA512
2a0e0afdecf803657f2d67433399dc3119a3b4221334a9c8d7cb3e3e741457aaa26d2edd32377a102f1c539a4ef065cb5296d4cdfe7657993223e675e3fd4bae

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\wahost.exe

Filesize
712KB

MD5
14b98daca4a9912ad416eb7c0231cc21

SHA1
58328f022b71c8b3001449e87f91fbad4ac973ea

SHA256
850752cfce58c44ce5d48735f4d53ccc1f8d12b7e1ae00d367d9c42103d9ad99

SHA512
1169760e0245b4b1f2676271e0e56b62db0157a08ada4098d7dfacbf5c1e2d6cac29275c04a2d59471d7a9d9420425c07387c63fd3bc9bc4f91a9b3d5addcb0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseD18.tmp\LangDLL.dll

Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseD18.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp467A.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp46BC.tmp

Filesize
114KB

MD5
02ab6938b515ec3ddd6522a02f389fb1

SHA1
e28c597019484e3879425053501d0f47910f3487

SHA256
27b568107aba4d0c0c7405c6e3e911871fc1fc52edda32f93578c30f86fa8d71

SHA512
4955182941788fd7d0a90ca828461a9eedaf2d05b9528e5e23a14a4956212e1e1897b8519d7cf956599136cc990deac93d02b708c49d0242dbaab64843bbaa92

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp772F.tmp

Filesize
1KB

MD5
e55a68fca6c4256f735de793fac92af5

SHA1
c03ce693fc9d3f5fa46b5a1375a5eb746ced086c

SHA256
71e52845cb296ea7e03df4a07b579ed0bf67ec798b2c08e40535e1de81a78d40

SHA512
63093181f9b7b5e6ad3fe4da45ef55a6a4e603d1536c68ceec6ddbfaec9cf78849b29d5074ce465248651959dee0655b61e9b495224b22490ab99b469903f1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAC39.tmp.bat

Filesize
151B

MD5
0a93db44e4237b755ecc4eafaea3cd79

SHA1
76f9d218e738e838dd33a0b309761f823fdcfb4d

SHA256
93270b9eaa60ece812bd96d1f6167f4858ad5f8c01e649bae63fca1e0ef6b6e4

SHA512
f2bf3526161e994955168fd2700fd876e94c5b00d18a2b8fbaf866a9705290744e7698866d3b744260ea9dd9bd80d5dd7f958653dfcb51c7ea8a5762815cd443

Download Submit
memory/1328-0-0x00007FFBD72C3000-0x00007FFBD72C5000-memory.dmp

Filesize
8KB

Download
memory/1328-4-0x00007FFBD72C0000-0x00007FFBD7D82000-memory.dmp

Filesize
10.8MB

Download
memory/1328-3-0x00007FFBD72C3000-0x00007FFBD72C5000-memory.dmp

Filesize
8KB

Download
memory/1328-2-0x00007FFBD72C0000-0x00007FFBD7D82000-memory.dmp

Filesize
10.8MB

Download
memory/1328-1-0x0000000000570000-0x0000000000578000-memory.dmp

Filesize
32KB

Download
memory/1828-147-0x0000000000070000-0x0000000000082000-memory.dmp

Filesize
72KB

Download
memory/1920-333-0x0000000000C50000-0x0000000000D04000-memory.dmp

Filesize
720KB

Download
memory/1920-334-0x00000000059A0000-0x00000000059B6000-memory.dmp

Filesize
88KB

Download
memory/1920-514-0x0000000006990000-0x0000000006A1C000-memory.dmp

Filesize
560KB

Download
memory/1920-507-0x00000000059D0000-0x00000000059DE000-memory.dmp

Filesize
56KB

Download
memory/2128-132-0x00000000005A0000-0x00000000005E8000-memory.dmp

Filesize
288KB

Download
memory/2128-133-0x0000000000F10000-0x0000000000F18000-memory.dmp

Filesize
32KB

Download
memory/2196-32-0x0000000005060000-0x000000000506A000-memory.dmp

Filesize
40KB

Download
memory/2196-29-0x0000000000450000-0x0000000000506000-memory.dmp

Filesize
728KB

Download
memory/2196-30-0x00000000056B0000-0x0000000005C56000-memory.dmp

Filesize
5.6MB

Download
memory/2196-34-0x0000000005670000-0x000000000568E000-memory.dmp

Filesize
120KB

Download
memory/2196-33-0x00000000052C0000-0x000000000535C000-memory.dmp

Filesize
624KB

Download
memory/2196-31-0x0000000004FC0000-0x0000000005052000-memory.dmp

Filesize
584KB

Download
memory/2196-44-0x000000000A290000-0x000000000A2F8000-memory.dmp

Filesize
416KB

Download
memory/2196-43-0x00000000056A0000-0x00000000056B6000-memory.dmp

Filesize
88KB

Download
memory/2984-36-0x000000001D720000-0x000000001D732000-memory.dmp

Filesize
72KB

Download
memory/2984-37-0x000000001EA30000-0x000000001EA6C000-memory.dmp

Filesize
240KB

Download
memory/2984-41-0x0000000020030000-0x0000000020558000-memory.dmp

Filesize
5.2MB

Download
memory/2984-215-0x00007FFBD72C0000-0x00007FFBD7D82000-memory.dmp

Filesize
10.8MB

Download
memory/2984-40-0x000000001F930000-0x000000001FAF2000-memory.dmp

Filesize
1.8MB

Download
memory/2984-39-0x000000001EA70000-0x000000001EA8E000-memory.dmp

Filesize
120KB

Download
memory/2984-38-0x000000001F050000-0x000000001F0C6000-memory.dmp

Filesize
472KB

Download
memory/2984-16-0x0000000000D60000-0x0000000000DEC000-memory.dmp

Filesize
560KB

Download
memory/2984-17-0x00007FFBD72C0000-0x00007FFBD7D82000-memory.dmp

Filesize
10.8MB

Download
memory/2984-42-0x00007FFBD72C0000-0x00007FFBD7D82000-memory.dmp

Filesize
10.8MB

Download
memory/2984-35-0x000000001EB40000-0x000000001EC4A000-memory.dmp

Filesize
1.0MB

Download
memory/3068-528-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3388-135-0x0000000006AB0000-0x0000000006C72000-memory.dmp

Filesize
1.8MB

Download
memory/3388-134-0x0000000006890000-0x00000000068E0000-memory.dmp

Filesize
320KB

Download
memory/3388-51-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3416-70-0x0000000070600000-0x000000007064C000-memory.dmp

Filesize
304KB

Download
memory/3416-49-0x0000000002EE0000-0x0000000002F16000-memory.dmp

Filesize
216KB

Download
memory/3416-53-0x0000000005A80000-0x00000000060AA000-memory.dmp

Filesize
6.2MB

Download
memory/3416-88-0x0000000007D90000-0x0000000007DAA000-memory.dmp

Filesize
104KB

Download
memory/3416-87-0x0000000007C90000-0x0000000007CA5000-memory.dmp

Filesize
84KB

Download
memory/3416-86-0x0000000007C80000-0x0000000007C8E000-memory.dmp

Filesize
56KB

Download
memory/3416-85-0x0000000007C50000-0x0000000007C61000-memory.dmp

Filesize
68KB

Download
memory/3416-57-0x0000000006220000-0x0000000006286000-memory.dmp

Filesize
408KB

Download
memory/3416-55-0x0000000005870000-0x0000000005892000-memory.dmp

Filesize
136KB

Download
memory/3416-84-0x0000000007CD0000-0x0000000007D66000-memory.dmp

Filesize
600KB

Download
memory/3416-89-0x0000000007D80000-0x0000000007D88000-memory.dmp

Filesize
32KB

Download
memory/3416-82-0x0000000007A40000-0x0000000007A5A000-memory.dmp

Filesize
104KB

Download
memory/3416-56-0x0000000005990000-0x00000000059F6000-memory.dmp

Filesize
408KB

Download
memory/3416-69-0x00000000076B0000-0x00000000076E4000-memory.dmp

Filesize
208KB

Download
memory/3416-66-0x0000000006290000-0x00000000065E7000-memory.dmp

Filesize
3.3MB

Download
memory/3416-67-0x00000000066F0000-0x000000000670E000-memory.dmp

Filesize
120KB

Download
memory/3416-79-0x00000000076F0000-0x000000000770E000-memory.dmp

Filesize
120KB

Download
memory/3416-80-0x0000000007710000-0x00000000077B4000-memory.dmp

Filesize
656KB

Download
memory/3416-68-0x0000000006C60000-0x0000000006CAC000-memory.dmp

Filesize
304KB

Download
memory/3416-81-0x0000000008090000-0x000000000870A000-memory.dmp

Filesize
6.5MB

Download
memory/3416-83-0x0000000007AC0000-0x0000000007ACA000-memory.dmp

Filesize
40KB

Download
memory/3828-601-0x00000000079D0000-0x00000000079E1000-memory.dmp

Filesize
68KB

Download
memory/3828-535-0x0000000005FA0000-0x00000000062F7000-memory.dmp

Filesize
3.3MB

Download
memory/3828-580-0x0000000007670000-0x0000000007714000-memory.dmp

Filesize
656KB

Download
memory/3828-571-0x000000006C260000-0x000000006C2AC000-memory.dmp

Filesize
304KB

Download
memory/3828-604-0x0000000007A10000-0x0000000007A25000-memory.dmp

Filesize
84KB

Download
memory/4084-362-0x0000000000060000-0x00000000000B2000-memory.dmp

Filesize
328KB

Download
memory/4084-379-0x0000000005D60000-0x0000000005D7E000-memory.dmp

Filesize
120KB

Download
memory/4084-377-0x00000000055A0000-0x0000000005616000-memory.dmp

Filesize
472KB

Download
memory/4084-382-0x00000000065E0000-0x0000000006BF8000-memory.dmp

Filesize
6.1MB

Download
memory/4084-383-0x0000000006130000-0x000000000623A000-memory.dmp

Filesize
1.0MB

Download
memory/4084-386-0x0000000006240000-0x000000000628C000-memory.dmp

Filesize
304KB

Download
memory/4084-385-0x00000000060D0000-0x000000000610C000-memory.dmp

Filesize
240KB

Download
memory/4084-384-0x0000000006070000-0x0000000006082000-memory.dmp

Filesize
72KB

Download
memory/4352-397-0x0000000000400000-0x0000000002860000-memory.dmp

Filesize
36.4MB

Download
memory/4408-164-0x00000245143C0000-0x00000245143E2000-memory.dmp

Filesize
136KB

Download
memory/4920-515-0x0000000005F90000-0x0000000005FF8000-memory.dmp

Filesize
416KB

Download
memory/4920-347-0x0000000004ED0000-0x0000000004EE2000-memory.dmp

Filesize
72KB

Download
memory/4920-346-0x00000000001F0000-0x000000000028A000-memory.dmp

Filesize
616KB

Download
memory/5232-544-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads