njrat | ff8addf2b89de210fa350138a30eaa67a5772f59dcd0480ffc9d339e7cdd266f

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
08-11-2024 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff8addf2b89de210fa350138a30eaa67a5772f59dcd0480ffc9d339e7cdd266f.exe
Size

2.9MB
MD5

01fc40917e3e56267e23bbcc3225d6d0
SHA1

68a8782da431eddcf7ad88699580a7f034fffbe7
SHA256

ff8addf2b89de210fa350138a30eaa67a5772f59dcd0480ffc9d339e7cdd266f
SHA512

33d394bc795b96f815d47df8a382d720bfbb8b2d5e9288c868d83ff25712cd32737f1bf868f9ba238e72112b0cc425af538d3bc226267b38213fb364998b344c
SSDEEP

49152:cu3XPRmBGiOoYcCeQE7Wq58ctIgktXub5PnyzMezAvKjGM76bfvgAz3:NXPR5JCyq5ptktgdn2RAvKjV767vgAz

Score

10^/10

njrat redline sectoprat 544363603 hacked discovery evasion execution infostealer persistence privilege_escalation rat themida trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

91.193.4.201:58287

Mutex

344a7b760874a7de0ff245bf58f8fa0d

Attributes

reg_key
344a7b760874a7de0ff245bf58f8fa0d
splitter
|'|'|

Extracted

Family

redline

Botnet

544363603

91.142.79.35:13400

Signatures

Njrat family
njrat
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/memory/1824-53-0x0000000002BB0000-0x0000000002C02000-memory.dmp	family_redline
behavioral1/memory/1824-58-0x0000000002C50000-0x0000000002CA0000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/1824-53-0x0000000002BB0000-0x0000000002C02000-memory.dmp	family_sectoprat
behavioral1/memory/1824-58-0x0000000002C50000-0x0000000002CA0000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	BittyHack.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1780	powershell.exe
2636	powershell.exe
1616	powershell.exe
2956	powershell.exe
320	powershell.exe
2148	powershell.exe
2540	powershell.exe
2564	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1076	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BittyHack.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BittyHack.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\344a7b760874a7de0ff245bf58f8fa0d.exe	sys32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\344a7b760874a7de0ff245bf58f8fa0d.exe	sys32.exe

Executes dropped EXE 14 IoCs

pid	Process
1824	BittyHack.exe
2364	WindowsHost.exe
2824	WinUpdates.exe
2868	Explorer.exe
2780	WindowsCrashHandler.exe
2732	Win10.exe
1928	sys32.exe
564	svchost32.exe
1720	services64.exe
1384	services32.exe
2808	sihost64.exe
1300	svchost32.exe
1480	sihost32.exe
2492	services64.exe

Loads dropped DLL 14 IoCs

pid	Process
2528	ff8addf2b89de210fa350138a30eaa67a5772f59dcd0480ffc9d339e7cdd266f.exe
2528	ff8addf2b89de210fa350138a30eaa67a5772f59dcd0480ffc9d339e7cdd266f.exe
2364	WindowsHost.exe
2364	WindowsHost.exe
2868	Explorer.exe
2868	Explorer.exe
2732	Win10.exe
3024	cmd.exe
2824	WinUpdates.exe
564	svchost32.exe
1720	services64.exe
2044	cmd.exe
1300	svchost32.exe
2808	sihost64.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000c000000012263-5.dat	themida
behavioral1/memory/1824-17-0x0000000000400000-0x0000000000B07000-memory.dmp	themida
behavioral1/memory/1824-37-0x0000000000400000-0x0000000000B07000-memory.dmp	themida
behavioral1/memory/1824-36-0x0000000000400000-0x0000000000B07000-memory.dmp	themida
behavioral1/memory/1824-35-0x0000000000400000-0x0000000000B07000-memory.dmp	themida
behavioral1/memory/1824-86-0x0000000000400000-0x0000000000B07000-memory.dmp	themida
behavioral1/memory/1824-317-0x0000000000400000-0x0000000000B07000-memory.dmp	themida
behavioral1/memory/1824-318-0x0000000000400000-0x0000000000B07000-memory.dmp	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\344a7b760874a7de0ff245bf58f8fa0d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sys32.exe\" .."	sys32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\344a7b760874a7de0ff245bf58f8fa0d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sys32.exe\" .."	sys32.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BittyHack.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
17	raw.githubusercontent.com
19	raw.githubusercontent.com
30	raw.githubusercontent.com

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	F:\autorun.inf	sys32.exe
File opened for modification	F:\autorun.inf	sys32.exe
File created	C:\autorun.inf	sys32.exe
File opened for modification	C:\autorun.inf	sys32.exe
File created	D:\autorun.inf	sys32.exe

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\services64.exe	WinUpdates.exe
File opened for modification	C:\Windows\system32\services32.exe	svchost32.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.exe	svchost32.exe
File opened for modification	C:\Windows\system32\services64.exe	sihost64.exe
File created	C:\Windows\system32\services64.exe	WinUpdates.exe
File created	C:\Windows\system32\services32.exe	svchost32.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\Microsoft\Libs\sihost64.exe	services64.exe
File created	C:\Windows\system32\Microsoft\Libs\WR64.sys	services64.exe
File opened for modification	C:\Windows\system32\Microsoft\Libs\WR64.sys	services64.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1824	BittyHack.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BittyHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Win10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff8addf2b89de210fa350138a30eaa67a5772f59dcd0480ffc9d339e7cdd266f.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	svchost32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	svchost32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	services64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	services64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	services64.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2544	schtasks.exe
1564	schtasks.exe
2556	schtasks.exe
2672	schtasks.exe
2096	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1616	powershell.exe
2956	powershell.exe
320	powershell.exe
2148	powershell.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
2824	WinUpdates.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
564	svchost32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe
1928	sys32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1928	sys32.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	1824	BittyHack.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	1928	sys32.exe
Token: SeDebugPrivilege	2824	WinUpdates.exe
Token: SeDebugPrivilege	564	svchost32.exe
Token: 33	1928	sys32.exe
Token: SeIncBasePriorityPrivilege	1928	sys32.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: 33	1928	sys32.exe
Token: SeIncBasePriorityPrivilege	1928	sys32.exe
Token: SeDebugPrivilege	1720	services64.exe
Token: SeDebugPrivilege	1300	svchost32.exe
Token: 33	1928	sys32.exe
Token: SeIncBasePriorityPrivilege	1928	sys32.exe
Token: 33	1928	sys32.exe
Token: SeIncBasePriorityPrivilege	1928	sys32.exe
Token: 33	1928	sys32.exe
Token: SeIncBasePriorityPrivilege	1928	sys32.exe
Token: 33	1928	sys32.exe
Token: SeIncBasePriorityPrivilege	1928	sys32.exe
Token: 33	1928	sys32.exe
Token: SeIncBasePriorityPrivilege	1928	sys32.exe
Token: 33	1928	sys32.exe
Token: SeIncBasePriorityPrivilege	1928	sys32.exe
Token: 33	1928	sys32.exe
Token: SeIncBasePriorityPrivilege	1928	sys32.exe
Token: 33	1928	sys32.exe
Token: SeIncBasePriorityPrivilege	1928	sys32.exe
Token: 33	1928	sys32.exe
Token: SeIncBasePriorityPrivilege	1928	sys32.exe
Token: 33	1928	sys32.exe
Token: SeIncBasePriorityPrivilege	1928	sys32.exe
Token: SeDebugPrivilege	2492	services64.exe
Token: 33	1928	sys32.exe
Token: SeIncBasePriorityPrivilege	1928	sys32.exe
Token: 33	1928	sys32.exe
Token: SeIncBasePriorityPrivilege	1928	sys32.exe
Token: 33	1928	sys32.exe
Token: SeIncBasePriorityPrivilege	1928	sys32.exe
Token: 33	1928	sys32.exe
Token: SeIncBasePriorityPrivilege	1928	sys32.exe
Token: 33	1928	sys32.exe
Token: SeIncBasePriorityPrivilege	1928	sys32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 1824	2528	ff8addf2b89de210fa350138a30eaa67a5772f59dcd0480ffc9d339e7cdd266f.exe	31
PID 2528 wrote to memory of 1824	2528	ff8addf2b89de210fa350138a30eaa67a5772f59dcd0480ffc9d339e7cdd266f.exe	31
PID 2528 wrote to memory of 1824	2528	ff8addf2b89de210fa350138a30eaa67a5772f59dcd0480ffc9d339e7cdd266f.exe	31
PID 2528 wrote to memory of 1824	2528	ff8addf2b89de210fa350138a30eaa67a5772f59dcd0480ffc9d339e7cdd266f.exe	31
PID 2528 wrote to memory of 2364	2528	ff8addf2b89de210fa350138a30eaa67a5772f59dcd0480ffc9d339e7cdd266f.exe	32
PID 2528 wrote to memory of 2364	2528	ff8addf2b89de210fa350138a30eaa67a5772f59dcd0480ffc9d339e7cdd266f.exe	32
PID 2528 wrote to memory of 2364	2528	ff8addf2b89de210fa350138a30eaa67a5772f59dcd0480ffc9d339e7cdd266f.exe	32
PID 2528 wrote to memory of 2364	2528	ff8addf2b89de210fa350138a30eaa67a5772f59dcd0480ffc9d339e7cdd266f.exe	32
PID 2364 wrote to memory of 2824	2364	WindowsHost.exe	34
PID 2364 wrote to memory of 2824	2364	WindowsHost.exe	34
PID 2364 wrote to memory of 2824	2364	WindowsHost.exe	34
PID 2364 wrote to memory of 2824	2364	WindowsHost.exe	34
PID 2364 wrote to memory of 2868	2364	WindowsHost.exe	35
PID 2364 wrote to memory of 2868	2364	WindowsHost.exe	35
PID 2364 wrote to memory of 2868	2364	WindowsHost.exe	35
PID 2364 wrote to memory of 2868	2364	WindowsHost.exe	35
PID 2868 wrote to memory of 2780	2868	Explorer.exe	36
PID 2868 wrote to memory of 2780	2868	Explorer.exe	36
PID 2868 wrote to memory of 2780	2868	Explorer.exe	36
PID 2868 wrote to memory of 2780	2868	Explorer.exe	36
PID 2868 wrote to memory of 2732	2868	Explorer.exe	37
PID 2868 wrote to memory of 2732	2868	Explorer.exe	37
PID 2868 wrote to memory of 2732	2868	Explorer.exe	37
PID 2868 wrote to memory of 2732	2868	Explorer.exe	37
PID 2780 wrote to memory of 1608	2780	WindowsCrashHandler.exe	38
PID 2780 wrote to memory of 1608	2780	WindowsCrashHandler.exe	38
PID 2780 wrote to memory of 1608	2780	WindowsCrashHandler.exe	38
PID 1608 wrote to memory of 1616	1608	cmd.exe	40
PID 1608 wrote to memory of 1616	1608	cmd.exe	40
PID 1608 wrote to memory of 1616	1608	cmd.exe	40
PID 1608 wrote to memory of 2956	1608	cmd.exe	41
PID 1608 wrote to memory of 2956	1608	cmd.exe	41
PID 1608 wrote to memory of 2956	1608	cmd.exe	41
PID 1608 wrote to memory of 320	1608	cmd.exe	42
PID 1608 wrote to memory of 320	1608	cmd.exe	42
PID 1608 wrote to memory of 320	1608	cmd.exe	42
PID 1608 wrote to memory of 2148	1608	cmd.exe	43
PID 1608 wrote to memory of 2148	1608	cmd.exe	43
PID 1608 wrote to memory of 2148	1608	cmd.exe	43
PID 2732 wrote to memory of 1928	2732	Win10.exe	44
PID 2732 wrote to memory of 1928	2732	Win10.exe	44
PID 2732 wrote to memory of 1928	2732	Win10.exe	44
PID 2732 wrote to memory of 1928	2732	Win10.exe	44
PID 1928 wrote to memory of 1076	1928	sys32.exe	45
PID 1928 wrote to memory of 1076	1928	sys32.exe	45
PID 1928 wrote to memory of 1076	1928	sys32.exe	45
PID 1928 wrote to memory of 1076	1928	sys32.exe	45
PID 2824 wrote to memory of 1748	2824	WinUpdates.exe	47
PID 2824 wrote to memory of 1748	2824	WinUpdates.exe	47
PID 2824 wrote to memory of 1748	2824	WinUpdates.exe	47
PID 1748 wrote to memory of 1564	1748	cmd.exe	49
PID 1748 wrote to memory of 1564	1748	cmd.exe	49
PID 1748 wrote to memory of 1564	1748	cmd.exe	49
PID 2780 wrote to memory of 3024	2780	WindowsCrashHandler.exe	50
PID 2780 wrote to memory of 3024	2780	WindowsCrashHandler.exe	50
PID 2780 wrote to memory of 3024	2780	WindowsCrashHandler.exe	50
PID 3024 wrote to memory of 564	3024	cmd.exe	52
PID 3024 wrote to memory of 564	3024	cmd.exe	52
PID 3024 wrote to memory of 564	3024	cmd.exe	52
PID 564 wrote to memory of 680	564	svchost32.exe	53
PID 564 wrote to memory of 680	564	svchost32.exe	53
PID 564 wrote to memory of 680	564	svchost32.exe	53
PID 680 wrote to memory of 2556	680	cmd.exe	55
PID 680 wrote to memory of 2556	680	cmd.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ff8addf2b89de210fa350138a30eaa67a5772f59dcd0480ffc9d339e7cdd266f.exe
"C:\Users\Admin\AppData\Local\Temp\ff8addf2b89de210fa350138a30eaa67a5772f59dcd0480ffc9d339e7cdd266f.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Roaming\BittyHack.exe
  "C:\Users\Admin\AppData\Roaming\BittyHack.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1824
- C:\Users\Admin\AppData\Roaming\WindowsHost.exe
  "C:\Users\Admin\AppData\Roaming\WindowsHost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Users\Admin\AppData\Roaming\WinUpdates.exe
    "C:\Users\Admin\AppData\Roaming\WinUpdates.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1748
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1564
  - - C:\Windows\system32\services64.exe
      "C:\Windows\system32\services64.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:1720
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
        5⤵
        
        PID:2344
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2672
    - - C:\Windows\system32\Microsoft\Libs\sihost64.exe
        
        "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2808
      - C:\Windows\system32\services64.exe
        
        "C:\Windows\system32\services64.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
        7⤵
        
        PID:744
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2544
- - C:\Users\Admin\AppData\Roaming\Explorer.exe
    "C:\Users\Admin\AppData\Roaming\Explorer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Users\Admin\AppData\Roaming\WindowsCrashHandler.exe
      "C:\Users\Admin\AppData\Roaming\WindowsCrashHandler.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Windows\system32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1608
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Roaming\WindowsCrashHandler.exe"
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3024
      - C:\Users\Admin\AppData\Local\Temp\svchost32.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Roaming\WindowsCrashHandler.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2556
        
        C:\Windows\system32\services32.exe
        
        "C:\Windows\system32\services32.exe"
        7⤵
        Executes dropped EXE
        
        PID:1384
        
        C:\Windows\system32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        8⤵
        
        PID:1500
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
        8⤵
        Loads dropped DLL
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\svchost32.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:1300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
        10⤵
        
        PID:2164
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2096
        
        C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
        
        "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
        10⤵
        Executes dropped EXE
        
        PID:1480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
        10⤵
        
        PID:2740
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        11⤵
        
        PID:2452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
        7⤵
        
        PID:884
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        8⤵
        
        PID:2324
  - - C:\Users\Admin\AppData\Roaming\Win10.exe
      "C:\Users\Admin\AppData\Roaming\Win10.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Users\Admin\AppData\Local\Temp\sys32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sys32.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops autorun.inf file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\sys32.exe" "sys32.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aeee3d162376f1e66481f7cbd5f5ecc3

SHA1
94ed87de460e07cf7b2f35fcb75b64fe8d9691a5

SHA256
7d9dcfb5b894a138dfacea3d41813e409f8f7781d825a122dbdb090d45e0ace8

SHA512
f447bc26017f13f15a7509550dfbc84b16011f8dd0b298c414952c4c1c30212bda04ea2acd4066a68d9f8aac077273a855d88fe96bed11ac3d97fd9ded869846

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
009127d85c63a9fd042d3f87ec95e3cf

SHA1
ef3ff46c918d213a32c8f4977dd43ab70a1069b8

SHA256
6d713bd7e4d573bdb56093ee16b929767137032dfbc0da9b6ef3d448563896d7

SHA512
25f2974d5e7dc90681e97f7f0d4a7a8e1642b764147256fa5d09fad7c07278dc889a74f41e6ce70d8e81ea4376c7725b799e1de9082bdaa7e0a1a7cbcdb1d54c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef395377b68e3b11dc1e764d78710a92

SHA1
904e803a2fabf7ab9f7b0cc7ca16745dabbd5c92

SHA256
e93ae82d9bf7568eca2561d8e67e30c9ec65f4a1b59a265de9e160993d802aaf

SHA512
27f9d9f2dc801f957a26602e84136d1295d30dff07ecb271defc9f4138132e32a79d8742a7416db6344da4cf67e5e345cbbabe99ed47f4313cd09c50d15995dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7C63.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7C85.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Explorer.exe

Filesize
66KB

MD5
52404bfacf116c18911d577b06b4caae

SHA1
baa105e8d868d345a10d8824c2ce0b74c0dd6547

SHA256
e3fd5c1710b4cbfe3954a2e6b68b3060ebcdb38eca23dfaec2d183b917336445

SHA512
b3bcfada74ef97def3b6298d5ba85505bd01792d6a3f277a59883aa23fcafd13f286f5919616ab0da43bbc8cbe88916fe5425b00bd0c4c349ad422a8b38be4be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a64008e2cb3df2e626f27dbd24826ce4

SHA1
6dbfd538e76176cb6d6f6eae8751bfab7b5b5037

SHA256
57441425f9344ba96c9f695189b3fa455228e910560ca0065168c40ff1692427

SHA512
b5cda2394f9808fa3bae3c7a9503f664f7137a0ba9abea8e59371291e5ca9bb5069f8e5bdcccd643688413dde942acb26d6c27d12dcf4346cb4467cacb7abbe9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
07e33d4b358ffbf3da909bdf2405b78d

SHA1
2a713e59c50ec350aedaefa65bf9020248d0b3bd

SHA256
93b546ee39f9bd2d4b71cdead78b68dc66239425085eb55bf8c1716b3311a7e2

SHA512
8a3a82e78969e0d8d5192f16c94f27256c54ac4ed70caf5780078a79a1d6b91c0a2887a0c7dcc6a58a29b4477f34b5aa50a318153d274b140afaba01a4bb1db4

Download Submit
C:\Users\Admin\AppData\Roaming\Win10.exe

Filesize
37KB

MD5
929bf03d3683885aa9563f1409c1a952

SHA1
38a241f8146a00bf9643599689cff8d4d1500c0b

SHA256
5750d2673d5761d8a9682c326520ef2d4a5a18099dfd28a66b3a0ee5c0103a39

SHA512
9f0afc7fbda30fd82cd45aefdfbb3174c68047b2814c94c4191f2a12944e164dbd4d6b6f293cb2e94933df152ece30ee24a31cd67c90a781e8a7d248e3757023

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsCrashHandler.exe

Filesize
32KB

MD5
c4a9e3f79e55227fa8544d08e502f1a8

SHA1
fb8090265164991e1e3a98e09a4d4f8795516dae

SHA256
c7421524f43f2c3292f68ffde94e3b78284493a3e43d66a5062f2c0826eff120

SHA512
057abcbc6f84bba7d3425866dd8606387322f7351b396dd0dc48c513dab77d7662681aed8ab7bfe65074771507c72cc9b78f5b00a875dd7880495826f3264a5b

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsHost.exe

Filesize
168KB

MD5
58cd65979ea6a99f2e0ea173c8337731

SHA1
5b4a2d5a36697aa214717786eb04b3cd494d5c54

SHA256
7e92ea343aaecf6a5e62dee72ec3dc93c48158781e55538d2e346ae5f30489d4

SHA512
d63982207cdd9d094c66db9ff9a1d08285f9f04e7053cb2f33675b12ab2bc97f1291564e84852aed1067a097322213323a601497addb3fd0d7602f57d3916e84

Download Submit
C:\Windows\system32\Microsoft\Libs\WR64.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
\Users\Admin\AppData\Local\Temp\svchost32.exe

Filesize
25KB

MD5
0c0a17b9ae220d337693c257a74031d4

SHA1
970f54dd9c02a3fd5e242f62d98a00779ebc1aee

SHA256
50acbb9a157e979f08fe1bfd920a2c6d0385bd3f0aee4c4865ecad555c06defa

SHA512
ac0076f94bffd774a9c8d30e5e1ee74b0b46cec12ee3fd4b5e1a0fc8e638eb3cb1349ac30e4a0fce2281bba7421fc50ff2bc5d6987a50116716e96e0c19f9c49

Download Submit
\Users\Admin\AppData\Roaming\BittyHack.exe

Filesize
2.7MB

MD5
b11d0aa406489018391c281d5bc7f64d

SHA1
1959bb5279bdf14998d40e69e370d3dc4bd10fcc

SHA256
9789f312707fa3ab30aea641abbca424b27abb8043221c335247c958c52fc449

SHA512
d9787391662b5643382a9d10ffe01d74a28f49580586bedec4f67dd7eb1fd8a2d74e1e1735bcb0e91c2bfc9babd6de968d07c9a203746d5d5e51db7547f95f68

Download Submit
\Users\Admin\AppData\Roaming\WinUpdates.exe

Filesize
43KB

MD5
92028f98bfbb9b4db77a212f74ba6d54

SHA1
a282dbcf99a67e11d83a215f8d36793fc9bca979

SHA256
f55537eae7103d810796940652bc773cde36f28de6430fc9e3913404bfc319d2

SHA512
e37efd800e7fc6b3fbad1b604c177bcc69925d294ad79eda3951a0e5a3c819609a8e268a09db613cde3b2f9d59d0845ba9a8829298a776737b35ffb96f120d42

Download Submit
\Windows\System32\Microsoft\Libs\sihost64.exe

Filesize
7KB

MD5
4d4f293bfa7b5943bb487ce57875c67d

SHA1
52a0cf3d23291d4bc7a9ff13ff59333b024d7ea7

SHA256
a27ff2a2e0ecf8cbb77a3fedf293ee7b552696dba33fba01402758dec3a544c1

SHA512
c3f7360e97bd060b713fdede7977ad60f0dd32e4180a954b0a576223719ee24bb2896429949990263cade7f1d47ab6434668cff816b46fad0a13db34d74037e2

Download Submit
\Windows\System32\Microsoft\Telemetry\sihost32.exe

Filesize
8KB

MD5
1cd58eb4ab60df57796ca644b7a7236b

SHA1
e1cac63b2ef39bee0a24b73c16d723897a1c4355

SHA256
224c48cf2b88a912a4166c340508acf2f7a59066bf0ec80b5ccc0ca720ba0885

SHA512
17f0c49768f5cae80f4f08f9f57e922026c0b64c7bf2568574dc0e35e7ca9db9f8cbd0da4537dbc313f80d006733333a7b1caaf7c938fbc1acaf2018068bbbc9

Download Submit
memory/564-104-0x000000013F780000-0x000000013F78A000-memory.dmp

Filesize
40KB

Download
memory/1300-158-0x000000013FB70000-0x000000013FB7A000-memory.dmp

Filesize
40KB

Download
memory/1384-117-0x000000013FCB0000-0x000000013FCBC000-memory.dmp

Filesize
48KB

Download
memory/1480-165-0x000000013FC10000-0x000000013FC16000-memory.dmp

Filesize
24KB

Download
memory/1616-59-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/1616-60-0x0000000002880000-0x0000000002888000-memory.dmp

Filesize
32KB

Download
memory/1720-111-0x000000013FF50000-0x000000013FF60000-memory.dmp

Filesize
64KB

Download
memory/1824-86-0x0000000000400000-0x0000000000B07000-memory.dmp

Filesize
7.0MB

Download
memory/1824-17-0x0000000000400000-0x0000000000B07000-memory.dmp

Filesize
7.0MB

Download
memory/1824-318-0x0000000000400000-0x0000000000B07000-memory.dmp

Filesize
7.0MB

Download
memory/1824-317-0x0000000000400000-0x0000000000B07000-memory.dmp

Filesize
7.0MB

Download
memory/1824-37-0x0000000000400000-0x0000000000B07000-memory.dmp

Filesize
7.0MB

Download
memory/1824-58-0x0000000002C50000-0x0000000002CA0000-memory.dmp

Filesize
320KB

Download
memory/1824-53-0x0000000002BB0000-0x0000000002C02000-memory.dmp

Filesize
328KB

Download
memory/1824-36-0x0000000000400000-0x0000000000B07000-memory.dmp

Filesize
7.0MB

Download
memory/1824-35-0x0000000000400000-0x0000000000B07000-memory.dmp

Filesize
7.0MB

Download
memory/2364-41-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/2364-18-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/2492-327-0x000000013F990000-0x000000013F9A0000-memory.dmp

Filesize
64KB

Download
memory/2528-13-0x0000000005A00000-0x0000000006107000-memory.dmp

Filesize
7.0MB

Download
memory/2528-0-0x0000000074161000-0x0000000074162000-memory.dmp

Filesize
4KB

Download
memory/2528-28-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/2528-1-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/2528-2-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/2540-124-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2540-123-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2564-132-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2564-131-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2780-47-0x000000013F630000-0x000000013F63C000-memory.dmp

Filesize
48KB

Download
memory/2808-152-0x000000013FF20000-0x000000013FF26000-memory.dmp

Filesize
24KB

Download
memory/2824-97-0x0000000000560000-0x000000000056E000-memory.dmp

Filesize
56KB

Download
memory/2824-33-0x000000013FBC0000-0x000000013FBD0000-memory.dmp

Filesize
64KB

Download
memory/2956-67-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/2956-66-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download