049eaf34a048a80c4bdac29dbe453169f2b0927caec3e397c1b9eff016b9b415

Analysis

max time kernel
268s
max time network
299s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09/09/2024, 05:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

049eaf34a048a80c4bdac29dbe453169f2b0927caec3e397c1b9eff016b9b415.exe
Size

1.7MB
MD5

bdefc54e5fe6f091f968a28aa63783ba
SHA1

812e7c68f9d31ad7d8e931d5a20529ef920a736c
SHA256

049eaf34a048a80c4bdac29dbe453169f2b0927caec3e397c1b9eff016b9b415
SHA512

43e3597df8118c956e08af657b5a39b323a0188cd0791016dab5a3e2dddda20a5c8cccd8d70555da77a3d6b3f1da999c5c46cb40e3ca0e77461f2669fdd18c24
SSDEEP

49152:owy+Hniztba+Me18lyHU5GqiFtXWza2DxZl01:HywiztEA05GLHXj6m1

Score

10^/10

collection discovery execution spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 3276 created 3436	3276	Hunting.pif	55
PID 3276 created 3436	3276	Hunting.pif	55

Deletes itself 1 IoCs

pid	Process
3276	Hunting.pif

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ScanMaster.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ScanMaster.url	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
3276	Hunting.pif
1604	RegAsm.exe
2420	ScanMaster.scr

Loads dropped DLL 1 IoCs

pid	Process
1012	aspnet_compiler.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	aspnet_compiler.exe
Key queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	aspnet_compiler.exe
Key queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook	aspnet_compiler.exe
Key queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	aspnet_compiler.exe
Key queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook	aspnet_compiler.exe
Key queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook	aspnet_compiler.exe
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	aspnet_compiler.exe
Key queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	aspnet_compiler.exe
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook	aspnet_compiler.exe
Key queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook	aspnet_compiler.exe
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook	aspnet_compiler.exe
Key queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook	aspnet_compiler.exe
Key queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1132	tasklist.exe
3612	tasklist.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1604 set thread context of 1012	1604	RegAsm.exe	93

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\KneeConflict	049eaf34a048a80c4bdac29dbe453169f2b0927caec3e397c1b9eff016b9b415.exe
File opened for modification	C:\Windows\FillBones	049eaf34a048a80c4bdac29dbe453169f2b0927caec3e397c1b9eff016b9b415.exe
File opened for modification	C:\Windows\SuseOfficials	049eaf34a048a80c4bdac29dbe453169f2b0927caec3e397c1b9eff016b9b415.exe
File opened for modification	C:\Windows\ExecutedExplanation	049eaf34a048a80c4bdac29dbe453169f2b0927caec3e397c1b9eff016b9b415.exe
File opened for modification	C:\Windows\EeVar	049eaf34a048a80c4bdac29dbe453169f2b0927caec3e397c1b9eff016b9b415.exe
File opened for modification	C:\Windows\PrescriptionSatin	049eaf34a048a80c4bdac29dbe453169f2b0927caec3e397c1b9eff016b9b415.exe
File opened for modification	C:\Windows\GoatPe	049eaf34a048a80c4bdac29dbe453169f2b0927caec3e397c1b9eff016b9b415.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScanMaster.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	049eaf34a048a80c4bdac29dbe453169f2b0927caec3e397c1b9eff016b9b415.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hunting.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
1012	aspnet_compiler.exe
1012	aspnet_compiler.exe
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
2420	ScanMaster.scr
2420	ScanMaster.scr
2420	ScanMaster.scr
2420	ScanMaster.scr
2420	ScanMaster.scr
2420	ScanMaster.scr
2420	ScanMaster.scr
2420	ScanMaster.scr

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1132	tasklist.exe
Token: SeDebugPrivilege	3612	tasklist.exe
Token: SeDebugPrivilege	1604	RegAsm.exe
Token: SeDebugPrivilege	1012	aspnet_compiler.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
2420	ScanMaster.scr
2420	ScanMaster.scr
2420	ScanMaster.scr

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
3276	Hunting.pif
3276	Hunting.pif
3276	Hunting.pif
2420	ScanMaster.scr
2420	ScanMaster.scr
2420	ScanMaster.scr

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 1452	2516	049eaf34a048a80c4bdac29dbe453169f2b0927caec3e397c1b9eff016b9b415.exe	75
PID 2516 wrote to memory of 1452	2516	049eaf34a048a80c4bdac29dbe453169f2b0927caec3e397c1b9eff016b9b415.exe	75
PID 2516 wrote to memory of 1452	2516	049eaf34a048a80c4bdac29dbe453169f2b0927caec3e397c1b9eff016b9b415.exe	75
PID 1452 wrote to memory of 1132	1452	cmd.exe	77
PID 1452 wrote to memory of 1132	1452	cmd.exe	77
PID 1452 wrote to memory of 1132	1452	cmd.exe	77
PID 1452 wrote to memory of 5048	1452	cmd.exe	78
PID 1452 wrote to memory of 5048	1452	cmd.exe	78
PID 1452 wrote to memory of 5048	1452	cmd.exe	78
PID 1452 wrote to memory of 3612	1452	cmd.exe	80
PID 1452 wrote to memory of 3612	1452	cmd.exe	80
PID 1452 wrote to memory of 3612	1452	cmd.exe	80
PID 1452 wrote to memory of 5004	1452	cmd.exe	81
PID 1452 wrote to memory of 5004	1452	cmd.exe	81
PID 1452 wrote to memory of 5004	1452	cmd.exe	81
PID 1452 wrote to memory of 396	1452	cmd.exe	82
PID 1452 wrote to memory of 396	1452	cmd.exe	82
PID 1452 wrote to memory of 396	1452	cmd.exe	82
PID 1452 wrote to memory of 4168	1452	cmd.exe	83
PID 1452 wrote to memory of 4168	1452	cmd.exe	83
PID 1452 wrote to memory of 4168	1452	cmd.exe	83
PID 1452 wrote to memory of 4644	1452	cmd.exe	84
PID 1452 wrote to memory of 4644	1452	cmd.exe	84
PID 1452 wrote to memory of 4644	1452	cmd.exe	84
PID 1452 wrote to memory of 3276	1452	cmd.exe	85
PID 1452 wrote to memory of 3276	1452	cmd.exe	85
PID 1452 wrote to memory of 3276	1452	cmd.exe	85
PID 1452 wrote to memory of 1240	1452	cmd.exe	86
PID 1452 wrote to memory of 1240	1452	cmd.exe	86
PID 1452 wrote to memory of 1240	1452	cmd.exe	86
PID 3276 wrote to memory of 4696	3276	Hunting.pif	87
PID 3276 wrote to memory of 4696	3276	Hunting.pif	87
PID 3276 wrote to memory of 4696	3276	Hunting.pif	87
PID 3276 wrote to memory of 420	3276	Hunting.pif	88
PID 3276 wrote to memory of 420	3276	Hunting.pif	88
PID 3276 wrote to memory of 420	3276	Hunting.pif	88
PID 4696 wrote to memory of 808	4696	cmd.exe	91
PID 4696 wrote to memory of 808	4696	cmd.exe	91
PID 4696 wrote to memory of 808	4696	cmd.exe	91
PID 3276 wrote to memory of 1604	3276	Hunting.pif	92
PID 3276 wrote to memory of 1604	3276	Hunting.pif	92
PID 3276 wrote to memory of 1604	3276	Hunting.pif	92
PID 3276 wrote to memory of 1604	3276	Hunting.pif	92
PID 3276 wrote to memory of 1604	3276	Hunting.pif	92
PID 1604 wrote to memory of 1012	1604	RegAsm.exe	93
PID 1604 wrote to memory of 1012	1604	RegAsm.exe	93
PID 1604 wrote to memory of 1012	1604	RegAsm.exe	93
PID 1604 wrote to memory of 1012	1604	RegAsm.exe	93
PID 1604 wrote to memory of 1012	1604	RegAsm.exe	93
PID 1604 wrote to memory of 1012	1604	RegAsm.exe	93
PID 1604 wrote to memory of 1012	1604	RegAsm.exe	93
PID 1604 wrote to memory of 1012	1604	RegAsm.exe	93
PID 4116 wrote to memory of 2420	4116	wscript.EXE	95
PID 4116 wrote to memory of 2420	4116	wscript.EXE	95
PID 4116 wrote to memory of 2420	4116	wscript.EXE	95

outlook_office_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3436
- C:\Users\Admin\AppData\Local\Temp\049eaf34a048a80c4bdac29dbe453169f2b0927caec3e397c1b9eff016b9b415.exe
  "C:\Users\Admin\AppData\Local\Temp\049eaf34a048a80c4bdac29dbe453169f2b0927caec3e397c1b9eff016b9b415.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Visitor Visitor.bat & Visitor.bat & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1452
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1132
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa opssvc"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5048
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3612
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5004
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 698582
      4⤵
      System Location Discovery: System Language Discovery
      PID:396
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "NicknameAffiliateDominantJohns" Bright
      4⤵
      System Location Discovery: System Language Discovery
      PID:4168
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Pork + ..\Fifty + ..\Danger + ..\Faqs + ..\Buy + ..\Ibm + ..\Hd + ..\Vessel + ..\Adaptive + ..\Founder + ..\Radius + ..\Reaction + ..\Specialist r
      4⤵
      System Location Discovery: System Language Discovery
      PID:4644
  - - C:\Users\Admin\AppData\Local\Temp\698582\Hunting.pif
      Hunting.pif r
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Deletes itself
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3276
    - - C:\Users\Admin\AppData\Local\Temp\698582\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\698582\RegAsm.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1604
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        6⤵
        Loads dropped DLL
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:1012
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:1240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Compaq" /tr "wscript //B 'C:\Users\Admin\AppData\Local\ScanTech Innovations\ScanMaster.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Compaq" /tr "wscript //B 'C:\Users\Admin\AppData\Local\ScanTech Innovations\ScanMaster.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:808
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ScanMaster.url" & echo URL="C:\Users\Admin\AppData\Local\ScanTech Innovations\ScanMaster.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ScanMaster.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:420

\??\c:\windows\system32\wscript.EXE
c:\windows\system32\wscript.EXE //B "C:\Users\Admin\AppData\Local\ScanTech Innovations\ScanMaster.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Users\Admin\AppData\Local\ScanTech Innovations\ScanMaster.scr
  "C:\Users\Admin\AppData\Local\ScanTech Innovations\ScanMaster.scr" "C:\Users\Admin\AppData\Local\ScanTech Innovations\N"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ScanTech Innovations\ScanMaster.js

Filesize
179B

MD5
3a4df260b7c62360668eb8efd55bd36f

SHA1
519dce9962f0f82a6c76b5df81a7e9491c7f135a

SHA256
b138453718270c22ac0a6ad3d52d5cf76c95a44a7e44ee9226319e6bed454a8e

SHA512
8a503855b186889c7e1b4390ec00fb989c59685dfeb312a91953116c06dc078f1ff6df49242c10e594b3d91e5956eb19a9081a28dda8a0e9c498054cc042dfed

Download Submit
C:\Users\Admin\AppData\Local\Temp\698582\Hunting.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
C:\Users\Admin\AppData\Local\Temp\698582\RegAsm.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\698582\r

Filesize
969KB

MD5
33d1528ab8d32e500c6619e47ecf1c64

SHA1
d8c8e6ec3a7c8f974d9bf227516042e3c2bbd52c

SHA256
c5f9588aac72593c2acbe82649c2ba76406a28011f3514248f0a138be11b037a

SHA512
350a9c339e7706ae3f10764f9ffb0ee69bda54d07c318a9954f171cfabbead6fb253d3948b9a92f2af1779089491b48a42445ad7e24944a6332c28feb6bb2bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Abilities

Filesize
869KB

MD5
c3799d95cc466b23ddf868f68c25dd09

SHA1
b7b8168b46946c2428634f3e5ef0a0b749115ea4

SHA256
540e8d118d39b075ed5b60ffe6c9e0f43262f10d403aa410fa55a7ffdfc3bfb0

SHA512
71a2ac8f5fcf96d7cb6aa124549718f4acddc8aa04bd4649d2d6225023fa5b380e6617d9cee80f9df959d773d9925672af6e1ac5103cbed2bfcf5c73c89c23ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adaptive

Filesize
84KB

MD5
3592e9d59a805615e334e1ee7dcd8318

SHA1
51198657957dc0ee8cac181c39181d38b0316b89

SHA256
3a082fb8b5a8b571e8c8ada97c3fe9d539e819009015c24dd52bf20e603eee75

SHA512
41652617f3d56ad747041536f9d71e24258213a7b1ee7b3403e5f551bd5646897350e5dd50e76268fcabbc89d07e6837e7d5cd514c0ed9fdf7b025dc31eb3df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bright

Filesize
2KB

MD5
e9c4d30bbbc4b911f2c9551f2cd4351c

SHA1
8eaebefaa06cbaded5bde843d55355109212f853

SHA256
cf528bb7a42888704ce7a576be8dd0f1f63bdef031c18c56a95d98817f886509

SHA512
aca8e04e2c5a243cdd3ccf252d98d776c32a8396ec177a601f005cbce869d1d2726d24efb12657a2df26bc3e0e7c46a5411da4000955bac572a50d42bceaae0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Buy

Filesize
80KB

MD5
f16333f8b6f39c31251b245e453dfe2a

SHA1
6739d11669955373aeed278cfeaf5047a62bf59c

SHA256
0d041323dc5c41e015598630f55c3492dcd9013d9edfb7b2b85e08134f5b12ff

SHA512
3c42ea220db0befdf0708fe0aeb81e655f413b8d1502cfc8cd923bfa5ef30bc02ef8762608c762948ff5c6b3a1a61e0b7a062f21b6adc30287da75a5ffb95886

Download Submit
C:\Users\Admin\AppData\Local\Temp\Danger

Filesize
64KB

MD5
955b8c9bd81a7f6e92f75073e6e3bf99

SHA1
5dc9a16e6951698a7694833a468d8e4d9fb8bf5e

SHA256
1e447363f7feee53001883432eeacba5494d00e891e1bc2a831b23444db7afc9

SHA512
e11038429ab4c6afc008648b97b709c1ba27569be7171d5c6e8f0987f2ffb562b51bef4eb022443f385c386ebbfd40ec29f64764ca3658df218d67b5b7c4bd79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Faqs

Filesize
59KB

MD5
3692325bfbaa1f8c5c8d1241ec1b16d0

SHA1
f6013e852b24137baa26df9ab23c24467acc070b

SHA256
0414d75bdbf05b2114d9deb7c919a4f243fdb69448ceee375312fbcf8bd15868

SHA512
16f3ed74595415a987412f3aedce7988c14f949e6f33c732db38779a398d2013200f6a272685b4cc521961d13f79afb49e3ea184efd5b5adc6f79c85aa45cf38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fifty

Filesize
74KB

MD5
02e2ffb5bcdc7b0246c0c244ac6667dc

SHA1
ccb490092bf07cfa6de3809d228f7593abc1f2e2

SHA256
f6bc0658e637321fb15bb2af325a5e872d61e61afe06c8aca20d2af4c84669c4

SHA512
cdfc827df8a4b9e00b6a1f0b74e9aa6308401dca9e17392a157ef2e658d752d0b580101c60e846e698e28b587516f171e00939a6037658a4f0a8c8f7eb814920

Download Submit
C:\Users\Admin\AppData\Local\Temp\Founder

Filesize
72KB

MD5
0f25cd94e6df8c018e555df15d6ef3e4

SHA1
1f9437034d9452ceea9ad47f6bfc4bb40fb52cd3

SHA256
c30f0f05f82d71da40d81080421ef62b4c3e67bac247c1e5d09720a9dc3baa70

SHA512
650f136af2af34d00d9e0f63be3a5b00ca58a20aea1d02fde8a28fff09db374aadff680bbaaa83862f2f930c1b21c639364e77a178fdb585dd42f1735356b40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hd

Filesize
92KB

MD5
135877d154531f6b9dba951855e271c2

SHA1
68f3e0e45aedfb38a0813a77cc10260b675cb1f8

SHA256
ccbb3578ae7e6b9d27a7561947d475bb731ee68e71668d4f375e4623e3322c92

SHA512
7ec4be1fa449348ad03282d44365beaa73364a543750095c6007b7944f42ba691c12defd6258d004c78c5c9322c753b5dae48c164a8960c4e0aba25807167ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ibm

Filesize
95KB

MD5
fb14533c6a7501f71f9bfc406e18363c

SHA1
ccce674b3dd7f823587ab2a84e06afd096eb3caa

SHA256
43f4756bc4f13640ea5ffc4cb17a0023c7b46c2e43a6655fd8dd858626bdc90a

SHA512
ad19a9228753444fbf48dca6471671cab902a0f22b1d9709324edadba22a14526203d03f38ac93d5ee0d7789bec1e1f138e6b3b0f3a1d308f6f9819aca38f9c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jqixntf.tmp

Filesize
92KB

MD5
cae9079afcb4c379869afa5d34181d8a

SHA1
188e2435c533dd9633f5fcc09f245ddc1a78db2c

SHA256
2be0a96da90da69fbc34b8e7747e89ce57dfc4fb58ed6c79e0fc21cb7c6791b7

SHA512
ff7d863ebd1090219f07eaf2ac493f20b6ed11606e7f2c19536d764e730a8bb426fff26dc3890f0503c12329ea4a6c5d8812a0d1b69c19a29fbb8cb8366bd4fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pork

Filesize
74KB

MD5
67e2d5345eff82da92a1de7ccc81f31b

SHA1
d80150bc86a1f9837edc9a965a889bf6271f4172

SHA256
f5a27ecf0ac8045948f101c0594474d5449f7557058847121502b0adb7411914

SHA512
d51708a52a2cc0e47a74241ebce36ff81074962b495ec7df00465d22d9a6131fe1dca669cec2b29407b08e0467860f98d955fc6a7af5cdde010e6434bfa0c81f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pqqnoytql.tmp

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Radius

Filesize
67KB

MD5
ac1f6b2f372c9a5f423326f2863cbfc7

SHA1
fe541ed0d3b0937def97ed342e4a5640801aea4f

SHA256
4186d27c3c983e3359867e5784bac03a1941842b8a3965db2a6fd1c854345bb1

SHA512
320bb205d73f0ed5b8b3eb2d9b155c3cad14fd343e811d9b5c65722cc4cb16f2b6d31e5647599866a83947dc94fc755109dbad32f273624818e474bff9108282

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reaction

Filesize
85KB

MD5
492e361cd60a7ac2105fd465662a6347

SHA1
03be61e20864ceed34aec6c1f2a6dad6e6f1fc23

SHA256
000c0b0014747951943983478265dee1b9504635bbee1fca23335db577a57c88

SHA512
e79688ae29c450b9888c75cc127815fbd50212d90f3b9c0793edd3e851a7cb98750af5324dc00ee2e2134fc8acb2f0cc10856903119372ed42568a21ad4ba1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Specialist

Filesize
51KB

MD5
090e3920f8cfa9f5a7d5cd3583f53ef7

SHA1
88c6263dd2b27d9d12fb6d7ce1bf5da0b64ad323

SHA256
79dbcb252341e7cb550e8422d34680b99088c793a42031b7514855fb2459d45a

SHA512
cafce09b180ca06303707d792ae09dbc73731bdfce029fb71a2d6f8c90f5ae9a2be38d3ae6e70ea6ef2bd76ec1717247eaf88ebfd48674f5c05d9f49eb228f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vessel

Filesize
72KB

MD5
b6ae190cea9f3a9e29f4960403a7f7ca

SHA1
e19fe24efd7654e80ef30a596c740c3ee36e291c

SHA256
a9cffeb1c1e01b94b58e231b999a999cd11ff4c94b291729e834f4bb1ef634f5

SHA512
71316b44b1677d9425940695d703c4b445a5f58f326f80b8e3c25e9f21921f6cc5a68bb6c3e03fc2783c56ae560bccad1db85c1f5f6df5e9d220f31a67a497cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Visitor

Filesize
12KB

MD5
d408e0ef8dd484a8f9a112b893fbffdb

SHA1
d68f7ffa349d0b890700500b03f509a7174e7cab

SHA256
9c9c019eac63490fc3a41b75c2a0d338612f50294d7f280bede6d1b3218be40f

SHA512
38a6ed207c7f05810b80cce69e3de071bcd451a56c9997f40a71586eab866093d74162e01155729c3fd0f089a17c4958b1a2752e58fabc840e01dc99365b095b

Download Submit
\Users\Admin\AppData\Local\Temp\Costura\AF7011DB9BA75DE3E4434379E8037F31\32\sqlite.interop.dll

Filesize
1.3MB

MD5
e962a1987ddf83d7050ad3752bb56cb6

SHA1
378cd57c7afeeb030f7a93cec7af50526123886e

SHA256
77b3eadbc24d7bafdb5ffbea389fad9722db7b563e849388510002cb759e2c00

SHA512
cf58268c3cdeb4ad98892e46a8615c690b2c66d15c13cd815c8c1f98386eceecc120769936e87ace212fd0fc0716dc497691f4b7c123890823473ff328bfd68e

Download Submit
memory/1012-96-0x0000000004EB0000-0x0000000004F8B000-memory.dmp

Filesize
876KB

Download
memory/1012-66-0x0000000004EB0000-0x0000000004F8B000-memory.dmp

Filesize
876KB

Download
memory/1012-68-0x0000000004EB0000-0x0000000004F8B000-memory.dmp

Filesize
876KB

Download
memory/1012-72-0x0000000004EB0000-0x0000000004F8B000-memory.dmp

Filesize
876KB

Download
memory/1012-118-0x0000000004EB0000-0x0000000004F8B000-memory.dmp

Filesize
876KB

Download
memory/1012-116-0x0000000004EB0000-0x0000000004F8B000-memory.dmp

Filesize
876KB

Download
memory/1012-112-0x0000000004EB0000-0x0000000004F8B000-memory.dmp

Filesize
876KB

Download
memory/1012-110-0x0000000004EB0000-0x0000000004F8B000-memory.dmp

Filesize
876KB

Download
memory/1012-108-0x0000000004EB0000-0x0000000004F8B000-memory.dmp

Filesize
876KB

Download
memory/1012-106-0x0000000004EB0000-0x0000000004F8B000-memory.dmp

Filesize
876KB

Download
memory/1012-104-0x0000000004EB0000-0x0000000004F8B000-memory.dmp

Filesize
876KB

Download
memory/1012-102-0x0000000004EB0000-0x0000000004F8B000-memory.dmp

Filesize
876KB

Download
memory/1012-100-0x0000000004EB0000-0x0000000004F8B000-memory.dmp

Filesize
876KB

Download
memory/1012-55-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1012-94-0x0000000004EB0000-0x0000000004F8B000-memory.dmp

Filesize
876KB

Download
memory/1012-92-0x0000000004EB0000-0x0000000004F8B000-memory.dmp

Filesize
876KB

Download
memory/1012-90-0x0000000004EB0000-0x0000000004F8B000-memory.dmp

Filesize
876KB

Download
memory/1012-88-0x0000000004EB0000-0x0000000004F8B000-memory.dmp

Filesize
876KB

Download
memory/1012-86-0x0000000004EB0000-0x0000000004F8B000-memory.dmp

Filesize
876KB

Download
memory/1012-82-0x0000000004EB0000-0x0000000004F8B000-memory.dmp

Filesize
876KB

Download
memory/1012-80-0x0000000004EB0000-0x0000000004F8B000-memory.dmp

Filesize
876KB

Download
memory/1012-78-0x0000000004EB0000-0x0000000004F8B000-memory.dmp

Filesize
876KB

Download
memory/1012-76-0x0000000004EB0000-0x0000000004F8B000-memory.dmp

Filesize
876KB

Download
memory/1012-74-0x0000000004EB0000-0x0000000004F8B000-memory.dmp

Filesize
876KB

Download
memory/1012-70-0x0000000004EB0000-0x0000000004F8B000-memory.dmp

Filesize
876KB

Download
memory/1012-56-0x0000000004EB0000-0x0000000004F92000-memory.dmp

Filesize
904KB

Download
memory/1012-64-0x0000000004EB0000-0x0000000004F8B000-memory.dmp

Filesize
876KB

Download
memory/1012-62-0x0000000004EB0000-0x0000000004F8B000-memory.dmp

Filesize
876KB

Download
memory/1012-60-0x0000000004EB0000-0x0000000004F8B000-memory.dmp

Filesize
876KB

Download
memory/1012-114-0x0000000004EB0000-0x0000000004F8B000-memory.dmp

Filesize
876KB

Download
memory/1012-99-0x0000000004EB0000-0x0000000004F8B000-memory.dmp

Filesize
876KB

Download
memory/1012-84-0x0000000004EB0000-0x0000000004F8B000-memory.dmp

Filesize
876KB

Download
memory/1012-58-0x0000000004EB0000-0x0000000004F8B000-memory.dmp

Filesize
876KB

Download
memory/1012-57-0x0000000004EB0000-0x0000000004F8B000-memory.dmp

Filesize
876KB

Download
memory/1012-2913-0x0000000005100000-0x0000000005172000-memory.dmp

Filesize
456KB

Download
memory/1012-2914-0x0000000005170000-0x00000000051BC000-memory.dmp

Filesize
304KB

Download
memory/1012-2915-0x00000000064C0000-0x000000000671E000-memory.dmp

Filesize
2.4MB

Download
memory/1012-2916-0x0000000006720000-0x0000000006A4C000-memory.dmp

Filesize
3.2MB

Download
memory/1012-2930-0x0000000008580000-0x00000000085A0000-memory.dmp

Filesize
128KB

Download
memory/1012-2921-0x0000000007430000-0x000000000792E000-memory.dmp

Filesize
5.0MB

Download
memory/1012-2922-0x0000000007010000-0x00000000070A2000-memory.dmp

Filesize
584KB

Download
memory/1012-2923-0x00000000071B0000-0x000000000722A000-memory.dmp

Filesize
488KB

Download
memory/1012-2924-0x00000000073A0000-0x0000000007404000-memory.dmp

Filesize
400KB

Download
memory/1012-2925-0x0000000007AD0000-0x0000000007E20000-memory.dmp

Filesize
3.3MB

Download
memory/1012-2926-0x0000000007A30000-0x0000000007A7B000-memory.dmp

Filesize
300KB

Download
memory/1012-2928-0x00000000085D0000-0x0000000008620000-memory.dmp

Filesize
320KB

Download
memory/1012-2929-0x0000000009210000-0x000000000924C000-memory.dmp

Filesize
240KB

Download
memory/1604-54-0x00000000063D0000-0x00000000064BE000-memory.dmp

Filesize
952KB

Download
memory/1604-51-0x00000000052F0000-0x0000000005356000-memory.dmp

Filesize
408KB

Download
memory/1604-50-0x0000000005170000-0x000000000522A000-memory.dmp

Filesize
744KB

Download
memory/1604-47-0x0000000000D70000-0x0000000000DCC000-memory.dmp

Filesize
368KB

Download