0c7765593b0576f6aa16f676b786c4d59da82dbd9840fa2cd86972722208780b

Analysis

max time kernel
118s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a458c9dd995ecbd8c329fd9b4018a5f0N.exe
Size

6.2MB
MD5

a458c9dd995ecbd8c329fd9b4018a5f0
SHA1

08a4b9c7238f14c11f896a6b99ad5bc6eadc4345
SHA256

0c7765593b0576f6aa16f676b786c4d59da82dbd9840fa2cd86972722208780b
SHA512

9c854fff02a9b8f5e1110a748f2cf5c3b8301fdc51570ebadad36b588d1c4625d14bcb2aa795fcaf963b1c34bdaa09e2227ef8f3e87f9e6c0366e36a3a93eadb
SSDEEP

196608:6WWjrx+kYfj+uwyzYRUlh+vzWnoHavRfuOzk:6Noi+z2UlQzWoHMduOQ

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	a458c9dd995ecbd8c329fd9b4018a5f0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 64 IoCs

pid	Process
4748	Rar.exe
2156	7z.exe
2320	Rar.exe
3048	7z.exe
1052	Rar.exe
3596	7z.exe
4492	Rar.exe
1436	7z.exe
4944	Rar.exe
1232	7z.exe
3524	Rar.exe
1052	7z.exe
3596	Rar.exe
3944	7z.exe
4492	Rar.exe
4984	7z.exe
1360	Rar.exe
3952	7z.exe
3580	Rar.exe
3600	7z.exe
2996	Rar.exe
2828	7z.exe
4088	Rar.exe
2648	7z.exe
2908	Rar.exe
2432	7z.exe
2364	Rar.exe
3548	7z.exe
2068	Rar.exe
1344	7z.exe
4748	Rar.exe
5088	7z.exe
3644	Rar.exe
4464	7z.exe
3172	Rar.exe
2420	7z.exe
3264	Rar.exe
888	7z.exe
2508	Rar.exe
2008	7z.exe
4624	Rar.exe
1272	7z.exe
1624	Rar.exe
2732	7z.exe
1612	Rar.exe
404	7z.exe
4908	Rar.exe
428	7z.exe
4200	Rar.exe
3928	7z.exe
888	Rar.exe
1612	7z.exe
3548	Rar.exe
2748	7z.exe
640	Rar.exe
2272	7z.exe
1052	Rar.exe
4596	7z.exe
2452	Rar.exe
2000	7z.exe
1744	Rar.exe
3080	7z.exe
2404	Rar.exe
2060	7z.exe

Loads dropped DLL 56 IoCs

pid	Process
2156	7z.exe
3048	7z.exe
3596	7z.exe
1436	7z.exe
1232	7z.exe
1052	7z.exe
3944	7z.exe
4984	7z.exe
3952	7z.exe
3600	7z.exe
2828	7z.exe
2648	7z.exe
2432	7z.exe
3548	7z.exe
1344	7z.exe
5088	7z.exe
4464	7z.exe
2420	7z.exe
888	7z.exe
2008	7z.exe
1272	7z.exe
2732	7z.exe
404	7z.exe
428	7z.exe
3928	7z.exe
1612	7z.exe
2748	7z.exe
2272	7z.exe
4596	7z.exe
2000	7z.exe
3080	7z.exe
2060	7z.exe
5116	7z.exe
3440	7z.exe
4660	7z.exe
2624	7z.exe
2100	7z.exe
1236	7z.exe
3264	7z.exe
1124	7z.exe
4624	7z.exe
4512	7z.exe
2320	7z.exe
1700	7z.exe
3132	7z.exe
4260	7z.exe
1360	7z.exe
1228	7z.exe
888	7z.exe
3048	7z.exe
4964	7z.exe
4536	7z.exe
3988	7z.exe
3516	7z.exe
2076	7z.exe
2480	7z.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	a458c9dd995ecbd8c329fd9b4018a5f0N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 816	5032	a458c9dd995ecbd8c329fd9b4018a5f0N.exe	93
PID 5032 wrote to memory of 816	5032	a458c9dd995ecbd8c329fd9b4018a5f0N.exe	93
PID 5032 wrote to memory of 816	5032	a458c9dd995ecbd8c329fd9b4018a5f0N.exe	93
PID 816 wrote to memory of 3864	816	WScript.exe	94
PID 816 wrote to memory of 3864	816	WScript.exe	94
PID 816 wrote to memory of 3864	816	WScript.exe	94
PID 3864 wrote to memory of 4748	3864	cmd.exe	106
PID 3864 wrote to memory of 4748	3864	cmd.exe	106
PID 3864 wrote to memory of 4748	3864	cmd.exe	106
PID 3864 wrote to memory of 2156	3864	cmd.exe	107
PID 3864 wrote to memory of 2156	3864	cmd.exe	107
PID 3864 wrote to memory of 2156	3864	cmd.exe	107
PID 3864 wrote to memory of 2320	3864	cmd.exe	108
PID 3864 wrote to memory of 2320	3864	cmd.exe	108
PID 3864 wrote to memory of 2320	3864	cmd.exe	108
PID 3864 wrote to memory of 3048	3864	cmd.exe	109
PID 3864 wrote to memory of 3048	3864	cmd.exe	109
PID 3864 wrote to memory of 3048	3864	cmd.exe	109
PID 3864 wrote to memory of 1052	3864	cmd.exe	117
PID 3864 wrote to memory of 1052	3864	cmd.exe	117
PID 3864 wrote to memory of 1052	3864	cmd.exe	117
PID 3864 wrote to memory of 3596	3864	cmd.exe	118
PID 3864 wrote to memory of 3596	3864	cmd.exe	118
PID 3864 wrote to memory of 3596	3864	cmd.exe	118
PID 3864 wrote to memory of 4492	3864	cmd.exe	120
PID 3864 wrote to memory of 4492	3864	cmd.exe	120
PID 3864 wrote to memory of 4492	3864	cmd.exe	120
PID 3864 wrote to memory of 1436	3864	cmd.exe	113
PID 3864 wrote to memory of 1436	3864	cmd.exe	113
PID 3864 wrote to memory of 1436	3864	cmd.exe	113
PID 3864 wrote to memory of 4944	3864	cmd.exe	114
PID 3864 wrote to memory of 4944	3864	cmd.exe	114
PID 3864 wrote to memory of 4944	3864	cmd.exe	114
PID 3864 wrote to memory of 1232	3864	cmd.exe	115
PID 3864 wrote to memory of 1232	3864	cmd.exe	115
PID 3864 wrote to memory of 1232	3864	cmd.exe	115
PID 3864 wrote to memory of 3524	3864	cmd.exe	116
PID 3864 wrote to memory of 3524	3864	cmd.exe	116
PID 3864 wrote to memory of 3524	3864	cmd.exe	116
PID 3864 wrote to memory of 1052	3864	cmd.exe	117
PID 3864 wrote to memory of 1052	3864	cmd.exe	117
PID 3864 wrote to memory of 1052	3864	cmd.exe	117
PID 3864 wrote to memory of 3596	3864	cmd.exe	118
PID 3864 wrote to memory of 3596	3864	cmd.exe	118
PID 3864 wrote to memory of 3596	3864	cmd.exe	118
PID 3864 wrote to memory of 3944	3864	cmd.exe	119
PID 3864 wrote to memory of 3944	3864	cmd.exe	119
PID 3864 wrote to memory of 3944	3864	cmd.exe	119
PID 3864 wrote to memory of 4492	3864	cmd.exe	120
PID 3864 wrote to memory of 4492	3864	cmd.exe	120
PID 3864 wrote to memory of 4492	3864	cmd.exe	120
PID 3864 wrote to memory of 4984	3864	cmd.exe	121
PID 3864 wrote to memory of 4984	3864	cmd.exe	121
PID 3864 wrote to memory of 4984	3864	cmd.exe	121
PID 3864 wrote to memory of 1360	3864	cmd.exe	122
PID 3864 wrote to memory of 1360	3864	cmd.exe	122
PID 3864 wrote to memory of 1360	3864	cmd.exe	122
PID 3864 wrote to memory of 3952	3864	cmd.exe	123
PID 3864 wrote to memory of 3952	3864	cmd.exe	123
PID 3864 wrote to memory of 3952	3864	cmd.exe	123
PID 3864 wrote to memory of 3580	3864	cmd.exe	124
PID 3864 wrote to memory of 3580	3864	cmd.exe	124
PID 3864 wrote to memory of 3580	3864	cmd.exe	124
PID 3864 wrote to memory of 3600	3864	cmd.exe	125

C:\Users\Admin\AppData\Local\Temp\a458c9dd995ecbd8c329fd9b4018a5f0N.exe
"C:\Users\Admin\AppData\Local\Temp\a458c9dd995ecbd8c329fd9b4018a5f0N.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\installer.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3864
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "msasxpress".exe #\*
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4748
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "msasxpress".zip "msasxpress".exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2156
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "msasxpress".exe #\*
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2320
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "msasxpress".zip "msasxpress".exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3048
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMCCPHR".exe #\*
      4⤵
      Executes dropped EXE
      PID:1052
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMCCPHR".zip "IMCCPHR".exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3596
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMEAPIS".exe #\*
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4492
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMEAPIS".zip "IMEAPIS".exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1436
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "ImeBrokerps".exe #\*
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4944
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "ImeBrokerps".zip "ImeBrokerps".exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1232
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "imecfm".exe #\*
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3524
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "imecfm".zip "imecfm".exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1052
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "imecfmps".exe #\*
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3596
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "imecfmps".zip "imecfmps".exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3944
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "imecfmui".exe #\*
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4492
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "imecfmui".zip "imecfmui".exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4984
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMEDICAPICCPS".exe #\*
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1360
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMEDICAPICCPS".zip "IMEDICAPICCPS".exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3952
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMEFILES".exe #\*
      4⤵
      Executes dropped EXE
      PID:3580
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMEFILES".zip "IMEFILES".exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3600
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMELM".exe #\*
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2996
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMELM".zip "IMELM".exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2828
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMEPADSM".exe #\*
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4088
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMEPADSM".zip "IMEPADSM".exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2648
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMEPADSV".exe #\*
      4⤵
      Executes dropped EXE
      PID:2908
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMEPADSV".zip "IMEPADSV".exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2432
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMESEARCH".exe #\*
      4⤵
      Executes dropped EXE
      PID:2364
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMESEARCH".zip "IMESEARCH".exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3548
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMESEARCHDLL".exe #\*
      4⤵
      Executes dropped EXE
      PID:2068
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMESEARCHDLL".zip "IMESEARCHDLL".exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1344
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMESEARCHPS".exe #\*
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4748
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMESEARCHPS".zip "IMESEARCHPS".exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:5088
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMETIP".exe #\*
      4⤵
      Executes dropped EXE
      PID:3644
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMETIP".zip "IMETIP".exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4464
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMEWDBLD".exe #\*
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3172
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMEWDBLD".zip "IMEWDBLD".exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMJKAPI".exe #\*
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3264
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMJKAPI".zip "IMJKAPI".exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:888
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "MSCAND20".exe #\*
      4⤵
      Executes dropped EXE
      PID:2508
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "MSCAND20".zip "MSCAND20".exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2008
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMCCPHR".exe #\*
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4624
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMCCPHR".zip "IMCCPHR".exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1272
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMCCPHR".exe #\*
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1624
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMCCPHR".zip "IMCCPHR".exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2732
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMEAPIS".exe #\*
      4⤵
      Executes dropped EXE
      PID:1612
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMEAPIS".zip "IMEAPIS".exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:404
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMEAPIS".exe #\*
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4908
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMEAPIS".zip "IMEAPIS".exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:428
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "ImeBrokerps".exe #\*
      4⤵
      Executes dropped EXE
      PID:4200
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "ImeBrokerps".zip "ImeBrokerps".exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3928
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "ImeBrokerps".exe #\*
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:888
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "ImeBrokerps".zip "ImeBrokerps".exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1612
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "imecfm".exe #\*
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3548
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "imecfm".zip "imecfm".exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2748
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "imecfm".exe #\*
      4⤵
      Executes dropped EXE
      PID:640
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "imecfm".zip "imecfm".exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2272
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "imecfmps".exe #\*
      4⤵
      Executes dropped EXE
      PID:1052
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "imecfmps".zip "imecfmps".exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4596
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "imecfmps".exe #\*
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2452
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "imecfmps".zip "imecfmps".exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2000
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "imecfmui".exe #\*
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1744
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "imecfmui".zip "imecfmui".exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3080
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "imecfmui".exe #\*
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2404
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "imecfmui".zip "imecfmui".exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2060
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMEDICAPICCPS".exe #\*
      4⤵
      System Location Discovery: System Language Discovery
      PID:3944
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMEDICAPICCPS".zip "IMEDICAPICCPS".exe
      4⤵
      Loads dropped DLL
      PID:5116
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMEDICAPICCPS".exe #\*
      4⤵
      PID:5100
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMEDICAPICCPS".zip "IMEDICAPICCPS".exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3440
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMEFILES".exe #\*
      4⤵
      PID:1796
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMEFILES".zip "IMEFILES".exe
      4⤵
      Loads dropped DLL
      PID:4660
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMEFILES".exe #\*
      4⤵
      System Location Discovery: System Language Discovery
      PID:4872
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMEFILES".zip "IMEFILES".exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2624
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMELM".exe #\*
      4⤵
      PID:1176
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMELM".zip "IMELM".exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2100
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMELM".exe #\*
      4⤵
      System Location Discovery: System Language Discovery
      PID:2912
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMELM".zip "IMELM".exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1236
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMEPADSM".exe #\*
      4⤵
      System Location Discovery: System Language Discovery
      PID:2272
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMEPADSM".zip "IMEPADSM".exe
      4⤵
      Loads dropped DLL
      PID:3264
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMEPADSM".exe #\*
      4⤵
      System Location Discovery: System Language Discovery
      PID:4924
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMEPADSM".zip "IMEPADSM".exe
      4⤵
      Loads dropped DLL
      PID:1124
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMEPADSV".exe #\*
      4⤵
      System Location Discovery: System Language Discovery
      PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMEPADSV".zip "IMEPADSV".exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4624
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMEPADSV".exe #\*
      4⤵
      PID:4044
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMEPADSV".zip "IMEPADSV".exe
      4⤵
      Loads dropped DLL
      PID:4512
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMESEARCH".exe #\*
      4⤵
      PID:1060
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMESEARCH".zip "IMESEARCH".exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2320
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMESEARCH".exe #\*
      4⤵
      System Location Discovery: System Language Discovery
      PID:1804
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMESEARCH".zip "IMESEARCH".exe
      4⤵
      Loads dropped DLL
      PID:1700
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMESEARCHDLL".exe #\*
      4⤵
      PID:4028
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMESEARCHDLL".zip "IMESEARCHDLL".exe
      4⤵
      Loads dropped DLL
      PID:3132
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMESEARCHDLL".exe #\*
      4⤵
      System Location Discovery: System Language Discovery
      PID:4380
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMESEARCHDLL".zip "IMESEARCHDLL".exe
      4⤵
      Loads dropped DLL
      PID:4260
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMESEARCHPS".exe #\*
      4⤵
      System Location Discovery: System Language Discovery
      PID:2828
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMESEARCHPS".zip "IMESEARCHPS".exe
      4⤵
      Loads dropped DLL
      PID:1360
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMESEARCHPS".exe #\*
      4⤵
      PID:3404
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMESEARCHPS".zip "IMESEARCHPS".exe
      4⤵
      Loads dropped DLL
      PID:1228
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMETIP".exe #\*
      4⤵
      System Location Discovery: System Language Discovery
      PID:2524
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMETIP".zip "IMETIP".exe
      4⤵
      Loads dropped DLL
      PID:888
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMETIP".exe #\*
      4⤵
      System Location Discovery: System Language Discovery
      PID:448
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMETIP".zip "IMETIP".exe
      4⤵
      Loads dropped DLL
      PID:3048
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMEWDBLD".exe #\*
      4⤵
      System Location Discovery: System Language Discovery
      PID:1688
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMEWDBLD".zip "IMEWDBLD".exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4964
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMEWDBLD".exe #\*
      4⤵
      PID:1576
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMEWDBLD".zip "IMEWDBLD".exe
      4⤵
      Loads dropped DLL
      PID:4536
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMJKAPI".exe #\*
      4⤵
      System Location Discovery: System Language Discovery
      PID:2272
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMJKAPI".zip "IMJKAPI".exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3988
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "IMJKAPI".exe #\*
      4⤵
      System Location Discovery: System Language Discovery
      PID:740
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "IMJKAPI".zip "IMJKAPI".exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3516
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "MSCAND20".exe #\*
      4⤵
      System Location Discovery: System Language Discovery
      PID:4688
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "MSCAND20".zip "MSCAND20".exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2076
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rar.exe
      rar a -r -sfx -m5 -ep1 -zsfx.conf "MSCAND20".exe #\*
      4⤵
      PID:4028
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
      7z a -tzip -mx=0 "MSCAND20".zip "MSCAND20".exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4408,i,1330210614411927383,9239043499051775691,262144 --variations-seed-version --mojo-platform-channel-handle=4428 /prefetch:8
1⤵
PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\#\setup

Filesize
56B

MD5
1f4e3e93cbabc2c0d299ac0cb7d5ee6f

SHA1
4a9d2abc52f1ead5966fb5d2d15bf2359cb4799a

SHA256
301ad15820c7a4cce8275a500362996f363fd8cc5a4a8b584ce1eb47d0c21027

SHA512
aab863e1348661fd4ff9d244bd0b726228f6db96c1b62cfeb69dc609b79e15bcdb8fe78633284f14ae3536502fdc3838dcfa62cea9dca784f9fc3d49a1be9681

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\002.tmp

Filesize
160KB

MD5
a51d90f2f9394f5ea0a3acae3bd2b219

SHA1
20fea1314dbed552d5fedee096e2050369172ee1

SHA256
ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f

SHA512
c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\003.tmp

Filesize
893KB

MD5
04ad4b80880b32c94be8d0886482c774

SHA1
344faf61c3eb76f4a2fb6452e83ed16c9cce73e0

SHA256
a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338

SHA512
3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\005.tmp

Filesize
491KB

MD5
53a60793bf8a3f8c4335232bf98613b8

SHA1
e4b6e2848db9efa43dc844cf0e1b4a35d4356435

SHA256
936e44d41edeff6c009c53cf476c9d9f0fa4986817f912943cf47842f60ad878

SHA512
b2017ba3f2cba5d50864fdd6eb91e1c177ebea21f32a243b66d936959bc741f1b3568a277139c83146fb919ed09464aaf53ac79d0fe30eac627d13f6a0024847

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\007.tmp

Filesize
58KB

MD5
596b9dcd1bcd23d29d1a83c194591119

SHA1
b65d92538a01e235b976dd28c7f3d0824394124d

SHA256
368792a61f159179269f1497a667c93ad3ca688feb5f02e0dc4bd52ec7e9ac8f

SHA512
3ec75e08fcbd458e5e36c4ebee37a7085ad8fde71dea1b3a36faf862baac30b9b23c1e162855504495d3684ebf120466fc6e0c8f5607f7039b3bcbcdb057f618

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\010.tmp

Filesize
178KB

MD5
9470e3dd09e6635ac7b7f7ddfc93eeb4

SHA1
6b0089e07e78a61bfab54740c8fa2c383ff6e3b3

SHA256
eb8a6aab2554a946e7e0d340c2f44e9b0e75a14a93e33a0dca754c9c037436bf

SHA512
467305377a30d8fcff710474914686f61e8fd29d8245b1593d27bb4ef96256b0b57c7ab2efbfc2ea59d023e6ea1d4eeecb12bbb06a408383d2512435945843c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\013.tmp

Filesize
2.1MB

MD5
3d597678765359281e4bc1c66ac4002b

SHA1
b8d93579269a9bdf6773d227861c753dbf0904cf

SHA256
f6c23885384bf52a52ff48d718bf7a4825d1ff9708fbae35ff1a35c153aec1fc

SHA512
606ca2f6776e47082b4299a6a72b8f570fe6692effd8151d15197081a29d60fb111218d07cb4b65d89ebeac8807b1fab9ec6b655f8f95324a9e04c93c486f47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\014.tmp

Filesize
83B

MD5
ef29134d5abb8d5676b6e5ad42469fbd

SHA1
c2705afa4180a812df522602e06836f2e04d60c9

SHA256
4ba286a2580a2a2b7ee696b13b0a04b59f82b04d5441b50d715a1c5f860e5253

SHA512
073989a74f1dd1b15e4298edd8b94c1733da8096997b8055c294789e671f11de07ade856fc15b66614f526975dc7b18994e151a37b9b257002046c43baf2f206

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\016.tmp

Filesize
3.0MB

MD5
de575cee9140c865351b211827600e1f

SHA1
095252d5671444ae500b784450f8a4c5f04ba253

SHA256
b25151d12185d3a7944c379c8841ecc66820b881643a7e34848bbc998cc9be72

SHA512
134aa49b22af125cd9ff90646aa0336989c77705d92ae673d0bfa417e3ef067cced7309a59d4103350481026ca1dd4702b860d44c7608627896092a5ae0056a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Default.SFX

Filesize
207KB

MD5
b4001b514ed843ab0b52e129ffb54205

SHA1
f4e038fecce8bf46654657648a96ee5a257cfe7c

SHA256
d8ff4748434faf78ecab0b36763729afa770f2fa7347cee54438cf306c063b53

SHA512
c413b342efd91885614727a787ff670975397bf020494c074dc9008b305c65d967adaa6aa5667607343a673914439b2ceb28748229115122abfb77fd0c14f477

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\IMCCPHR.exe

Filesize
6.2MB

MD5
0a3fc6a0b06a19bf7009894054c20ac8

SHA1
baa62e0957ca07e91646cb1449dc0dde0d4544dc

SHA256
5606d83745826566b016434a7eb20ae451ca23d0c36c3cec7c55e3e6b4bdb271

SHA512
fcada51654f803fe8c1203a442cbd89ca3b868bef35bff9f7b3dfa1f08472e62b0fae1c3e78ec11dfa7a1a6e66414559fbdd82cb36a918cd37791e04de763d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\IMCCPHR.zip

Filesize
6.2MB

MD5
c86438ee428b891132dceeee74687b81

SHA1
afdd9c4723fe9bd92a45c83f53d88e126051589a

SHA256
0c7fec6ba82101004e6473ddb08101207df434ecfe20ffd83499ef2cede9ad82

SHA512
3b998191879e6d2f1962f0185386b1f2dc987408557fe8c585b4bdfcc5813e540342cddd7be5d68e5eebe5658deed4fbc1853c4e2bb788933df7a75985b0e45e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\IMEAPIS.exe

Filesize
6.2MB

MD5
49943f27ce20c346159048b0e6075606

SHA1
64b9fa122f945e8211d3d51c80a32d1c384a0ceb

SHA256
263bec4732e7ab53857d34edc7b3fec06307f37effef2cde295d03d8450079ff

SHA512
0c60069140e5347e42bb588407a9540eab74f31095ae5880c36f707b53dbf2ded6e284a8a8786d372686f89dba51c13386ee55d38dedb7fa7a3e1b7418b8b5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\IMEAPIS.zip

Filesize
6.2MB

MD5
bef42e24e4719eb8b9e133862f956b14

SHA1
af3cc3370ea5aea0c6cc1288fd56564af3bb852c

SHA256
54129cfcce89b029c33c52e460d787aafac663895446ffbd0f2039b6d36f957c

SHA512
a7d564bddb499c07687e99dea2857b5f99dd4629e70edb7e52f183c7ce80fe49e7316ef6d886f0d8f54bdc6b409430d4de99baf811fb3ea17187f0ec5e2c80cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ImeBrokerps.exe

Filesize
6.2MB

MD5
80b3e76349865ab21471ee8844d12b81

SHA1
6bf43056fdfcbd992ac004c85dfbead9f7679c01

SHA256
dd31dd3627d4cf34c0089a75ac546e6367efd9d82693f7990edb308a48c13120

SHA512
572a1ca8483e31faf603ad78f587a2a82b58a4103242e8ba03f4113c5d13f5c491d910a2e110dc0ff048b272e1982b8e9ca1ab6c41d434aee3a16062c3888985

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ImeBrokerps.zip

Filesize
6.2MB

MD5
ee3a0d9e2c498db06fcfd8eaa6229d48

SHA1
ad1ce078e9c7829e8b4f0db11c170d3e46512051

SHA256
78ac4c91e8b860fa5829461812f3b6aaa6ef8ef095c70f36ff4080f88210e622

SHA512
18e0dc42fea0a06eceef3691631e6090f6ffca30c7cec62824ce7680d264108ab7f14947b02c4bc9a5bcdbdd14855224c7a16e204e3a1400bada77f058d25646

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\installer.bat

Filesize
133B

MD5
d4ccfb17eb96faa61e610331702be48e

SHA1
6cd206ad95e1747797853790113697eaacabcd7a

SHA256
aba97f7dfc9e9b7106d70d05bb385ebb1e6fcf111b290608fb54d2d18879f450

SHA512
a2d650c0b920de3b054dae4502683d45b65e6482e79e3451b44185e144c2e027c21246245ae914d065a4bedb462efbe99a7a2a704bf13a3e6561d02a87bef310

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msasxpress.exe

Filesize
6.2MB

MD5
bd397086be5c63e152605ac72b2a55ec

SHA1
1ab73217c126014a0421fd4787b2656b4b4f5c4d

SHA256
de2dcc74bb34eb1451f70dc8829432226a6077a345b41fafed8490331e5177e1

SHA512
2141979b59ab5ebaaf4e4d2294dd11b500eb5a81865b9ac2f387eec235e7fcd94c9a46354b4ba672554f50150d7b8cb33b3da03de0bb9a991e38523d27044182

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msasxpress.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msasxpress.zip

Filesize
6.2MB

MD5
3d2c87a32b6df9d725e0612ecea65d47

SHA1
beb0d6b550eb78a30e64df3ebb93cbd49df031dd

SHA256
38965122871d32a2a5311291e87d0cb0a37865b1365b4dc5e65a2cb8aada293d

SHA512
36bf54e69f9999e02f8fab0716ac9e384e373a08517db1f9cca3c7870bc00b05b03480032b108889c16ee370b2e3d7a71bce83a6920ff1450e78e9f41dd6f0de

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs

Filesize
81B

MD5
9b0a98146b081c9359c91be85c61e6d0

SHA1
a9bbdd5f048f35f83af31ffad76dfad444039706

SHA256
6a6e408a620e9281d17967a4a5d34548d090831cbea463aabf0f66f68b623dd5

SHA512
2dd70246f91d5d8254e10200342a1460f22731e8343ccdd1d807e39a51f191629bd1b8dce9b91c22f444a533624e81876437df10632d41d2762ad8e9f9854067

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sfx.conf

Filesize
46B

MD5
707889e7678a187f86817cf34dccec0a

SHA1
7a9f57eb24d9702c54e542a25211afdf4f908ecd

SHA256
950dbb768a6230af688907c22a147f6b01ad147002a3eb75f50649f6d2c4fffc

SHA512
b702499e539e74b9b5faf1e4947ba6b797bf1fdaa27adb81041639c0ee024c2bf62adbb11ef370cc7b34baf169fdd5873d5f64bcec0f319d7067762a348b9117

Download Submit