asyncrat | cf99eaaa334a9c8ffc2fe0e1068ffcc02dda1dd8b2b0eab2821182c5d2c1f51d

Resubmissions

16-12-2024 05:27

241216-f5kx6awmh1 10

14-12-2024 20:23

14-12-2024 20:22

14-12-2024 20:13

14-12-2024 13:14

14-12-2024 13:12

12-12-2024 18:19

12-12-2024 18:16

Analysis

max time kernel
44s
max time network
46s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
28-11-2024 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

8KB
MD5

69994ff2f00eeca9335ccd502198e05b
SHA1

b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512

ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP

96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Score

10^/10

asyncrat mercurialgrabber njrat quasar umbral default zjeb discovery evasion execution persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

ZJEB

VIPEEK1990-25013.portmap.host:25013

Mutex

ad21b115-2c1b-40cb-adba-a50736b76c21

Attributes

encryption_key
3EBA8BC34FA983893A9B07B831E7CEB183F7492D
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Security Service
subdirectory
SubDir

Extracted

Family

asyncrat

Botnet

Default

technical-southwest.gl.at.ply.gg:58694

forums-appliances.gl.at.ply.gg:1962

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

mercurialgrabber

https://discordapp.com/api/webhooks/1308883657456619530/0_Ad9EyrLZrIMKH4vjM6XHyvCJJtKddsiohDSyvCWZ8HIxpyNxmVJgrKb_zO-jqSHSO0

Extracted

Family

umbral

https://discordapp.com/api/webhooks/1310580388070031360/HcT5cAwFckSLk1OKu346uVDw7gzPyJJvcWmU8BKJrBQSUsE3Q1GCqDtVn5MK3JlldJBn

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

3.70.228.168:555

Mutex

bslxturcmlpmyqrv

Attributes

delay
1
install
true
install_file
atat.exe
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

66.66.146.74:9511

Mutex

nwJFeGdDXcL2

Attributes

delay
3
install
true
install_file
System32.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x001c00000002abc3-67.dat	family_umbral
behavioral2/memory/244-68-0x000001DDEE460000-0x000001DDEE4A0000-memory.dmp	family_umbral

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
stealer mercurialgrabber
Mercurialgrabber family
mercurialgrabber
Njrat family
njrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/files/0x001c00000002abb6-7.dat	family_quasar
behavioral2/memory/2676-15-0x0000000000080000-0x00000000003A4000-memory.dmp	family_quasar

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Async RAT payload 5 IoCs

rat

resource	yara_rule
behavioral2/files/0x001c00000002abbd-29.dat	family_asyncrat
behavioral2/files/0x001900000002abc5-73.dat	family_asyncrat
behavioral2/files/0x001a00000002abcb-144.dat	family_asyncrat
behavioral2/files/0x001a00000002abce-158.dat	family_asyncrat
behavioral2/files/0x001900000002abd6-200.dat	family_asyncrat

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	output.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3808	powershell.exe
4520	powershell.exe
4100	powershell.exe
4672	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	saloader.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	output.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1236	netsh.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	output.exe

Executes dropped EXE 21 IoCs

pid	Process
2676	seksiak.exe
1120	dsd.exe
3296	Loader.exe
232	output.exe
244	saloader.exe
2140	aidans.dont.run.exe
5076	handeltest.exe
3420	xs.exe
3040	Tutorial.exe
2504	aa.exe
4264	nobody.exe
1820	ataturk.exe
4776	start.exe
4728	svchost.exe
1516	windows.exe
400	aspnet_regbrowsers.exe
4952	atat.exe
4024	seksiak.exe
3676	System32.exe
3124	seksiak.exe
3800	seksiak.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
7	raw.githubusercontent.com
13	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip4.seeip.org
5	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	output.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	output.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	System32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dsd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	handeltest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tutorial.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1972	PING.EXE
1984	cmd.exe
1924	PING.EXE
2124	PING.EXE
908	PING.EXE
5012	PING.EXE

Checks SCSI registry key(s) 3 TTPs 1 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	output.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	output.exe

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
3776	timeout.exe
3324	timeout.exe
1548	timeout.exe
4680	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
408	wmic.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	output.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	output.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
2124	PING.EXE
908	PING.EXE
5012	PING.EXE
1972	PING.EXE
1924	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1812	schtasks.exe
3116	schtasks.exe
3124	schtasks.exe
4716	schtasks.exe
2424	schtasks.exe
4156	schtasks.exe
2508	schtasks.exe
4372	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3808	powershell.exe
3808	powershell.exe
4520	powershell.exe
4520	powershell.exe
3040	Tutorial.exe
3040	Tutorial.exe
2140	aidans.dont.run.exe
2140	aidans.dont.run.exe
2140	aidans.dont.run.exe
2140	aidans.dont.run.exe
2140	aidans.dont.run.exe
4100	powershell.exe
2140	aidans.dont.run.exe
2140	aidans.dont.run.exe
2140	aidans.dont.run.exe
2140	aidans.dont.run.exe
2140	aidans.dont.run.exe
2140	aidans.dont.run.exe
2140	aidans.dont.run.exe
2140	aidans.dont.run.exe
2140	aidans.dont.run.exe
2140	aidans.dont.run.exe
3420	xs.exe
3420	xs.exe
3420	xs.exe
2140	aidans.dont.run.exe
2140	aidans.dont.run.exe
2140	aidans.dont.run.exe
2140	aidans.dont.run.exe
3420	xs.exe
3420	xs.exe
2504	aa.exe
2504	aa.exe
2504	aa.exe
2504	aa.exe
2504	aa.exe
2504	aa.exe
2504	aa.exe
2504	aa.exe
2504	aa.exe
2504	aa.exe
2504	aa.exe
2504	aa.exe
2504	aa.exe
4264	nobody.exe
4264	nobody.exe
3420	xs.exe
3420	xs.exe
3420	xs.exe
3420	xs.exe
3420	xs.exe
3420	xs.exe
3420	xs.exe
3420	xs.exe
3420	xs.exe
3420	xs.exe
4100	powershell.exe
3420	xs.exe
3420	xs.exe
3420	xs.exe
3420	xs.exe
2140	aidans.dont.run.exe
2140	aidans.dont.run.exe
2140	aidans.dont.run.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2940	New Text Document mod.exe
Token: SeDebugPrivilege	2676	seksiak.exe
Token: SeDebugPrivilege	232	output.exe
Token: SeDebugPrivilege	244	saloader.exe
Token: SeDebugPrivilege	3808	powershell.exe
Token: SeDebugPrivilege	3296	Loader.exe
Token: SeDebugPrivilege	4520	powershell.exe
Token: SeDebugPrivilege	3040	Tutorial.exe
Token: SeDebugPrivilege	2504	aa.exe
Token: SeDebugPrivilege	4264	nobody.exe
Token: SeDebugPrivilege	2140	aidans.dont.run.exe
Token: SeDebugPrivilege	4100	powershell.exe
Token: SeDebugPrivilege	2140	aidans.dont.run.exe
Token: SeDebugPrivilege	3420	xs.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeIncreaseQuotaPrivilege	3820	wmic.exe
Token: SeSecurityPrivilege	3820	wmic.exe
Token: SeTakeOwnershipPrivilege	3820	wmic.exe
Token: SeLoadDriverPrivilege	3820	wmic.exe
Token: SeSystemProfilePrivilege	3820	wmic.exe
Token: SeSystemtimePrivilege	3820	wmic.exe
Token: SeProfSingleProcessPrivilege	3820	wmic.exe
Token: SeIncBasePriorityPrivilege	3820	wmic.exe
Token: SeCreatePagefilePrivilege	3820	wmic.exe
Token: SeBackupPrivilege	3820	wmic.exe
Token: SeRestorePrivilege	3820	wmic.exe
Token: SeShutdownPrivilege	3820	wmic.exe
Token: SeDebugPrivilege	3820	wmic.exe
Token: SeSystemEnvironmentPrivilege	3820	wmic.exe
Token: SeRemoteShutdownPrivilege	3820	wmic.exe
Token: SeUndockPrivilege	3820	wmic.exe
Token: SeManageVolumePrivilege	3820	wmic.exe
Token: 33	3820	wmic.exe
Token: 34	3820	wmic.exe
Token: 35	3820	wmic.exe
Token: 36	3820	wmic.exe
Token: SeIncreaseQuotaPrivilege	3820	wmic.exe
Token: SeSecurityPrivilege	3820	wmic.exe
Token: SeTakeOwnershipPrivilege	3820	wmic.exe
Token: SeLoadDriverPrivilege	3820	wmic.exe
Token: SeSystemProfilePrivilege	3820	wmic.exe
Token: SeSystemtimePrivilege	3820	wmic.exe
Token: SeProfSingleProcessPrivilege	3820	wmic.exe
Token: SeIncBasePriorityPrivilege	3820	wmic.exe
Token: SeCreatePagefilePrivilege	3820	wmic.exe
Token: SeBackupPrivilege	3820	wmic.exe
Token: SeRestorePrivilege	3820	wmic.exe
Token: SeShutdownPrivilege	3820	wmic.exe
Token: SeDebugPrivilege	3820	wmic.exe
Token: SeSystemEnvironmentPrivilege	3820	wmic.exe
Token: SeRemoteShutdownPrivilege	3820	wmic.exe
Token: SeUndockPrivilege	3820	wmic.exe
Token: SeManageVolumePrivilege	3820	wmic.exe
Token: 33	3820	wmic.exe
Token: 34	3820	wmic.exe
Token: 35	3820	wmic.exe
Token: 36	3820	wmic.exe
Token: SeIncreaseQuotaPrivilege	112	wmic.exe
Token: SeSecurityPrivilege	112	wmic.exe
Token: SeTakeOwnershipPrivilege	112	wmic.exe
Token: SeLoadDriverPrivilege	112	wmic.exe
Token: SeSystemProfilePrivilege	112	wmic.exe
Token: SeSystemtimePrivilege	112	wmic.exe
Token: SeProfSingleProcessPrivilege	112	wmic.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4264	nobody.exe
4952	atat.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 2676	2940	New Text Document mod.exe	78
PID 2940 wrote to memory of 2676	2940	New Text Document mod.exe	78
PID 2940 wrote to memory of 1120	2940	New Text Document mod.exe	79
PID 2940 wrote to memory of 1120	2940	New Text Document mod.exe	79
PID 2940 wrote to memory of 1120	2940	New Text Document mod.exe	79
PID 2940 wrote to memory of 3296	2940	New Text Document mod.exe	80
PID 2940 wrote to memory of 3296	2940	New Text Document mod.exe	80
PID 2676 wrote to memory of 4372	2676	seksiak.exe	81
PID 2676 wrote to memory of 4372	2676	seksiak.exe	81
PID 2940 wrote to memory of 232	2940	New Text Document mod.exe	83
PID 2940 wrote to memory of 232	2940	New Text Document mod.exe	83
PID 2676 wrote to memory of 3580	2676	seksiak.exe	85
PID 2676 wrote to memory of 3580	2676	seksiak.exe	85
PID 3580 wrote to memory of 1468	3580	cmd.exe	87
PID 3580 wrote to memory of 1468	3580	cmd.exe	87
PID 3580 wrote to memory of 1972	3580	cmd.exe	88
PID 3580 wrote to memory of 1972	3580	cmd.exe	88
PID 2940 wrote to memory of 244	2940	New Text Document mod.exe	89
PID 2940 wrote to memory of 244	2940	New Text Document mod.exe	89
PID 244 wrote to memory of 4684	244	saloader.exe	90
PID 244 wrote to memory of 4684	244	saloader.exe	90
PID 244 wrote to memory of 3808	244	saloader.exe	92
PID 244 wrote to memory of 3808	244	saloader.exe	92
PID 2940 wrote to memory of 2140	2940	New Text Document mod.exe	94
PID 2940 wrote to memory of 2140	2940	New Text Document mod.exe	94
PID 2940 wrote to memory of 5076	2940	New Text Document mod.exe	95
PID 2940 wrote to memory of 5076	2940	New Text Document mod.exe	95
PID 2940 wrote to memory of 5076	2940	New Text Document mod.exe	95
PID 244 wrote to memory of 4520	244	saloader.exe	134
PID 244 wrote to memory of 4520	244	saloader.exe	134
PID 2940 wrote to memory of 3420	2940	New Text Document mod.exe	98
PID 2940 wrote to memory of 3420	2940	New Text Document mod.exe	98
PID 2940 wrote to memory of 3040	2940	New Text Document mod.exe	99
PID 2940 wrote to memory of 3040	2940	New Text Document mod.exe	99
PID 2940 wrote to memory of 3040	2940	New Text Document mod.exe	99
PID 2940 wrote to memory of 2504	2940	New Text Document mod.exe	100
PID 2940 wrote to memory of 2504	2940	New Text Document mod.exe	100
PID 2940 wrote to memory of 4264	2940	New Text Document mod.exe	101
PID 2940 wrote to memory of 4264	2940	New Text Document mod.exe	101
PID 2940 wrote to memory of 1820	2940	New Text Document mod.exe	102
PID 2940 wrote to memory of 1820	2940	New Text Document mod.exe	102
PID 244 wrote to memory of 4100	244	saloader.exe	103
PID 244 wrote to memory of 4100	244	saloader.exe	103
PID 3040 wrote to memory of 3144	3040	Tutorial.exe	105
PID 3040 wrote to memory of 3144	3040	Tutorial.exe	105
PID 3040 wrote to memory of 3144	3040	Tutorial.exe	105
PID 2940 wrote to memory of 4776	2940	New Text Document mod.exe	106
PID 2940 wrote to memory of 4776	2940	New Text Document mod.exe	106
PID 2940 wrote to memory of 4776	2940	New Text Document mod.exe	106
PID 244 wrote to memory of 1668	244	saloader.exe	107
PID 244 wrote to memory of 1668	244	saloader.exe	107
PID 2140 wrote to memory of 2248	2140	aidans.dont.run.exe	109
PID 2140 wrote to memory of 2248	2140	aidans.dont.run.exe	109
PID 2140 wrote to memory of 1928	2140	aidans.dont.run.exe	111
PID 2140 wrote to memory of 1928	2140	aidans.dont.run.exe	111
PID 2248 wrote to memory of 1812	2248	cmd.exe	113
PID 2248 wrote to memory of 1812	2248	cmd.exe	113
PID 3420 wrote to memory of 2356	3420	xs.exe	114
PID 3420 wrote to memory of 2356	3420	xs.exe	114
PID 1928 wrote to memory of 3776	1928	cmd.exe	115
PID 1928 wrote to memory of 3776	1928	cmd.exe	115
PID 3420 wrote to memory of 4888	3420	xs.exe	116
PID 3420 wrote to memory of 4888	3420	xs.exe	116
PID 2356 wrote to memory of 3116	2356	cmd.exe	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4684	attrib.exe

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe
  "C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\K345rAW6lkXB.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3580
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1468
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1972
  - - C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe
      "C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"
      4⤵
      Executes dropped EXE
      PID:4024
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2424
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C7hNcI51lBwg.bat" "
        5⤵
        
        PID:4372
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:912
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2124
      - C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"
        6⤵
        Executes dropped EXE
        
        PID:3124
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RvqkGuL7iUVX.bat" "
        7⤵
        
        PID:3796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1848
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"
        8⤵
        Executes dropped EXE
        
        PID:3800
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Yfa8Ukw7VO0P.bat" "
        9⤵
        
        PID:1492
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2340
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5012
- C:\Users\Admin\AppData\Local\Temp\a\dsd.exe
  "C:\Users\Admin\AppData\Local\Temp\a\dsd.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1120
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4728
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1236
- C:\Users\Admin\AppData\Local\Temp\a\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3296
- C:\Users\Admin\AppData\Local\Temp\a\output.exe
  "C:\Users\Admin\AppData\Local\Temp\a\output.exe"
  2⤵
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:232
- C:\Users\Admin\AppData\Local\Temp\a\saloader.exe
  "C:\Users\Admin\AppData\Local\Temp\a\saloader.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:244
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\a\saloader.exe"
    3⤵
    - Views/modifies file attributes
    PID:4684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\saloader.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4520
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1668
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3820
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:112
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:3128
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4520
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4672
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:408
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\a\saloader.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1984
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1924
- C:\Users\Admin\AppData\Local\Temp\a\aidans.dont.run.exe
  "C:\Users\Admin\AppData\Local\Temp\a\aidans.dont.run.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windows" /tr '"C:\Users\Admin\AppData\Roaming\windows.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "windows" /tr '"C:\Users\Admin\AppData\Roaming\windows.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC553.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:3776
  - - C:\Users\Admin\AppData\Roaming\windows.exe
      "C:\Users\Admin\AppData\Roaming\windows.exe"
      4⤵
      Executes dropped EXE
      PID:1516
- C:\Users\Admin\AppData\Local\Temp\a\handeltest.exe
  "C:\Users\Admin\AppData\Local\Temp\a\handeltest.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5076
- C:\Users\Admin\AppData\Local\Temp\a\xs.exe
  "C:\Users\Admin\AppData\Local\Temp\a\xs.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3420
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "aspnet_regbrowsers" /tr '"C:\Users\Admin\AppData\Roaming\aspnet_regbrowsers.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "aspnet_regbrowsers" /tr '"C:\Users\Admin\AppData\Roaming\aspnet_regbrowsers.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC5C1.tmp.bat""
    3⤵
    PID:4888
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:3324
  - - C:\Users\Admin\AppData\Roaming\aspnet_regbrowsers.exe
      "C:\Users\Admin\AppData\Roaming\aspnet_regbrowsers.exe"
      4⤵
      Executes dropped EXE
      PID:400
- C:\Users\Admin\AppData\Local\Temp\a\Tutorial.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Tutorial.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
    3⤵
    PID:3144
- C:\Users\Admin\AppData\Local\Temp\a\aa.exe
  "C:\Users\Admin\AppData\Local\Temp\a\aa.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2504
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "atat" /tr '"C:\Users\Admin\AppData\Roaming\atat.exe"' & exit
    3⤵
    PID:4916
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "atat" /tr '"C:\Users\Admin\AppData\Roaming\atat.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC9E7.tmp.bat""
    3⤵
    PID:2932
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1548
  - - C:\Users\Admin\AppData\Roaming\atat.exe
      "C:\Users\Admin\AppData\Roaming\atat.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4952
- C:\Users\Admin\AppData\Local\Temp\a\nobody.exe
  "C:\Users\Admin\AppData\Local\Temp\a\nobody.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4264
- C:\Users\Admin\AppData\Local\Temp\a\ataturk.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ataturk.exe"
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Users\Admin\AppData\Local\Temp\a\start.exe
  "C:\Users\Admin\AppData\Local\Temp\a\start.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4776
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3588
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD1C7.tmp.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3456
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:4680
  - - C:\Users\Admin\AppData\Roaming\System32.exe
      "C:\Users\Admin\AppData\Roaming\System32.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\seksiak.exe.log

Filesize
2KB

MD5
15eab799098760706ed95d314e75449d

SHA1
273fb07e40148d5c267ca53f958c5075d24c4444

SHA256
45030bd997f50bb52c481f7bc86fac5f375d08911bcc106b98d9d8f0c2ce9778

SHA512
50c125e2a98740db0a0122d7f4de97c50d84623e800b3d3e173049c8e28ff0fbe4add7677bc56cb2228f78ed17522f67ae8f1b85f62824012414ce38ce0b500c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
afb713845839b94cf11694f6fb6539cf

SHA1
45da779016082e2c77b445a6aab14b6d57dd5aec

SHA256
4ef8faba766d3e9f20341b56506209dddef98333741daf91e4f671269a5eb42e

SHA512
ec34ee0c2c75729467d415079d2f455bff7a9691483bf32c2d9f5efe6fc1bca061c952673c741ee6e8bf494b482a019d8e367a60d975dbdad9ed12f6d0035f9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ac871344dc49ae49f13f0f88acb4868

SHA1
5a073862375c7e79255bb0eab32c635b57a77f98

SHA256
688f15b59a784f6f4c62554f00b5d0840d1489cef989c18126c70dfee0806d37

SHA512
ace5c50303bd27998607cf34ac4322bcf5edfbd19bbb24309acf4d037b6f3f7636c7c14b6ac0b924114e036252d3a1b998951c7068f41548728fa5d92f5f9006

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
38ecc5b95c11e5a77558753102979c51

SHA1
c0759b08ef377df9979d8835d8a7e464cd8eaf6b

SHA256
2eb69abe0af5a2fb5bb313533cef641e25016876b874353f7d737c7ad672c79e

SHA512
9bf4ce3bc097bdd0242bd105c936a9c9403d5ac83ec99e6a310591a7b8d26309485f3e0cdc4cba67c322f834c325a2b63a008adb078f3a3307094c4b68a48686

Download Submit
C:\Users\Admin\AppData\Local\Temp\C7hNcI51lBwg.bat

Filesize
206B

MD5
7203a50b16d85af266ff371060e8ea0a

SHA1
3707034aba664166386f1eb662a142d84acc3ab1

SHA256
bef8ad7b9d9bfec5195f5098854fd9a25fdfae7221f588d23f030f3696573c3c

SHA512
0a8264dccf4f7492a88959cf5bde2408cb4fbe339bb9fffce751643393d4300f4b48e8f85ac86941bc3e398d4014a1eddf30fa19b14be842d5fdc849fd36d0d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\K345rAW6lkXB.bat

Filesize
206B

MD5
88f641be8a7dc14793479d4f182dbdcf

SHA1
d4adc49a4ad93f9e5b294743d43fe509e5a77a9a

SHA256
8d19d1f249ba7f3d1c81e2dfe121c9192c5c15db6998025fe9a980b3f048086c

SHA512
ee6d37d993047ffcaaf0c332f2231a5cf0e9800e7954de16ef56dbd84b9a9e505b7516d1e8eff64ca6be8efd02703059f2386dc6a529ee70e4105ec4d93e92b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RvqkGuL7iUVX.bat

Filesize
206B

MD5
0a9abee6e8bbd556e763ee5a17d7e974

SHA1
e8783d47fccfe956bbc6f2dc50b41a3e88396feb

SHA256
563bc09793f8955c3f3de7eed034da23802d854cc91fc0e9424c44b61073b071

SHA512
8f76b809d39ab35357e5a1ec63e6c0efbf7fd0802c12776d525556d5a610452aacbb861a8a0d6ad8419831ecc30a7c880a8e4c32102e6be864dafae79d085f44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yfa8Ukw7VO0P.bat

Filesize
206B

MD5
dc5db0fb5cb8412fab008c9cc07dd8fa

SHA1
a21fb47a84ba7cf24482c7236cbede9d33ca783f

SHA256
cb4367e8db4b17e063ed539d62a0e96506a766ed2f66fbdf609aa4b82b224ef3

SHA512
5394d6e8b9c4159e2837ca785a50907b5401eb4a2e7a6756adaf7051670a7d672566193723d0bb36a5a644d37ae9ab660c33e1b0930385e3dee5045e8312054c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f04tx5ox.kws.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Loader.exe

Filesize
63KB

MD5
56c640c4191b4b95ba344032afd14e77

SHA1
c93a0fd32b46718ca3bc7d1c78ae6236b88ef3c9

SHA256
ebd4b1ab90350e2f13d46f2a356d5a637d5bec704cf3af211c43a89cb11dd142

SHA512
617512f96443b7cc9cc315d2eb0322d8b359218d459e80821563336b67ac263f1da9b00c75bde73320d6540572552c47b436c683c862f19b5ed470273001e63e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Tutorial.exe

Filesize
7KB

MD5
07edde1f91911ca79eb6088a5745576d

SHA1
00bf2ae194929c4276ca367ef6eca93afba0e917

SHA256
755d0128ec5a265f8fe25fa220925c42171682801aa0160707ffc39719270936

SHA512
8ed0362290199a6e5b45dc09061a06112eae9a68bea11241a31e330be5ca83a5936f64e1139c33159c91e87320a20904891b3e48802626b809d6b37001c425e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\aa.exe

Filesize
74KB

MD5
447523b766e4c76092414a6b42080308

SHA1
f4218ea7e227bde410f5cbd6b26efd637fc35886

SHA256
3e7eb033eaf54c89f14d322597e377be7fd69f9c300f5be0e670b675d2a1a568

SHA512
98b68c743d8aab5b9cb0aad2331ab24673e425fbe68ad0ede2f3aafc1394879f8a05c7db5393b3ef3b8c2d21674a35f90c275558f43cdf983d03d995151ec2f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\aidans.dont.run.exe

Filesize
63KB

MD5
9efaf6b98fdde9df4532d1236b60619f

SHA1
5d1414d09d54de16b04cd0cd05ccfc0692588fd1

SHA256
7c8a5e6cf4e451d61157e113f431a1f3e606fba0e7147ffa9a8f429cb60e47d6

SHA512
eabc2c58a7b2d636f13b149199f2dc943c4af3296c5a4605b72293294a449a2ea8da432238748ca2fb69fb944a31ac6fae7e5310cdc57609e5955f62b71e812d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ataturk.exe

Filesize
56KB

MD5
a7b36da8acc804d5dd40f9500277fea9

SHA1
5c80776335618c4ad99d1796f72ebeb53a12a40b

SHA256
b820302d0d553406ab7b2db246c15ac87cb62a8e9c088bda2261fe5906fc3672

SHA512
ee1a8b3fdc049f90c0a4cfe166a7bde04eb6c55a261ad9f9574c995ea782b9e2398ac7028a258ea737aea81326fa3f85e609f3e1510373b9925dc03dcb0dee52

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\dsd.exe

Filesize
23KB

MD5
2697c90051b724a80526c5b8b47e5df4

SHA1
749d44fe2640504f15e9bf7b697f1017c8c2637d

SHA256
f8b23a264f58e9001e087af2bf48eed5938db31b5b1b20d973575cfa6a121355

SHA512
d0c8d76699f2f88d76eeaf211e59a780969b7692b513495a34013af8380d3fe0616caf03c6e47b8e7721d2f0a369c1dd20860b755b7d607783a99080c5f5315b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\handeltest.exe

Filesize
8KB

MD5
fc58aae64a21beb97e1f8eb000610801

SHA1
d377b4da7d8992b0c00455b88550515369b48c78

SHA256
a9da5745b96d84d4933b62dd790563ecdf59b5cf45009a192e886dc39c80c389

SHA512
601d661020e204565d21a1b7cedc5c081be2a88c226cd7152be6d3ea0ccc72161dcec68026f344028e5409e08178877639d5d6a46564d8e3d68236e484fc03d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\nobody.exe

Filesize
74KB

MD5
4b1b45bb55ccdd4b078459ade3763e6d

SHA1
049344853c902e22e70ae231c669bf0751185716

SHA256
1f06ff3d8f50e6c184beca758aaad63936ad20a056b8ae4c8138d85ccc703a46

SHA512
b95739746df825e83e59b81f11f841d6029f92bebcd46485df456b23ff1c87cbce097d1e695a9f0a2559bcd9960a4f4fc137bca95233fafe95b13ddf5fabad65

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\output.exe

Filesize
41KB

MD5
a0e598ec98a975405420be1aadaa3c2a

SHA1
d861788839cfb78b5203686334c1104165ea0937

SHA256
e6ac8a6dac77f9873024f50befb293b9cf6347aa2e093cd863b551d9c8da5f8d

SHA512
e5ee500a8dcddd72e727cfa24e51093cd2b088f7ef89089f1d24145baa41c1ac46bf6be73bfd8cb15e2549349da8c2547d4e391b6e3a456621524fe0f83f9585

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\saloader.exe

Filesize
229KB

MD5
1e10af7811808fc24065f18535cf1220

SHA1
65995bcb862aa66988e1bb0dbff75dcac9b400c7

SHA256
e07fd0ac793b06603be164c9ee73465af512cf17bed07614cbcd2a8410f04eed

SHA512
f1c623918a3701254805e7648d671b316446a0f98637d3de62d44331cf91502afb57ccb762472491bc4ac037fbf5f7b624eb9d39092b3be0b2ed84da6f3acadc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe

Filesize
3.1MB

MD5
239c5f964b458a0a935a4b42d74bcbda

SHA1
7a037d3bd8817adf6e58734b08e807a84083f0ce

SHA256
7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c

SHA512
2e9e95d5097ce751d2a641a8fc7f8bc824a525a07bc06cd8a60580405fad90543ffa3259e6b2b2e97a70a3c3ed03e73b29f7cb9ebd10e7c62eaef2078805be19

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\start.exe

Filesize
45KB

MD5
b733e729705bf66c1e5c66d97e247701

SHA1
25eec814abdf1fc6afe621e16aa89c4eb42616b9

SHA256
9081f9cf986ed111d976a07ee26fc2b1b9992301344197d6d3f83fe0d2616023

SHA512
09b59b8942c1409a03ca4e7f77c6007160af4d557386b766516dba392750869c017d0fd5d6fbbfcbb3e559a70ad42adcb498595df186be180cfc04e921d74320

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\xs.exe

Filesize
56KB

MD5
717f7ee9f178509f07ace113f47bb6d1

SHA1
6ce32babec7538b702d38483ac6031c18a209f96

SHA256
50f7eb886f7d415e9e64875867aeeeaa8ef129f49ceebd271701e53c4f5acd85

SHA512
5ad4328061c67ec4c9db57ff8c56cf048d8b1fe386e554256c720136acd4f9e1d8cb39bc8079ae8ba5eb8d80137bb571ba29ee55bfd22786797445a652d0ef95

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC553.tmp.bat

Filesize
151B

MD5
c827efd5e352b97ab33ebfbdd13dbca7

SHA1
2652921d41da6dc514f494dbe1d5b42efedd50eb

SHA256
94605e689072f41072a96762db7b351d2d00dee86adcb75226cfe609f9a99d26

SHA512
72d7f899410699b5e8dc7aa2326aedf2a47d718ef2fdafd611ce187ae81bda526eb1984c874e35d3b812b3fecfe2ad8d19e2a7b45c03c529df6c6ea0fafbbb7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC5C1.tmp.bat

Filesize
162B

MD5
07937a2102f65618f2bd5b4937f4388c

SHA1
f97766d00a99f35e01f8602ceb8035b8af15549f

SHA256
afcfaff1c3833dd61e91517fa35d9f39cff5acaffa4c25219248ed6b8f4993f3

SHA512
98205fd531aced0d2eb16f991abd192ee829cd71096a13a215a9a7f327510f609b40e1c6609018a39631f5cad8c744ce84f0180054d1a00e6994991b30a16f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC9E7.tmp.bat

Filesize
148B

MD5
bfbfb4fb8a3a5fe8fb4788e2b7822b0e

SHA1
3c63b608c63d9d39fbd189058985feda0ad12fd3

SHA256
8fe1e541f04c4f6984bf3e87c06bc4c3d5ef5a360744523c009a155fc81289f9

SHA512
9918b0bf4c4612d5d2edc77a5b279f92899ec0eb9613823a363b112881d3bba883752e6db28a3b1c33ccef8f0541b80189be51e53e4a775238bceeeedf19d664

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD1C7.tmp.bat

Filesize
152B

MD5
725b2061d6f0b144985bcb8cd79d16c1

SHA1
e1627ce45a877f9d4471482c0b9ede8170942b4b

SHA256
a7ccad9b01463a340f669e84e582d780fcd4f12f1688fb844ebc16359df5bcbc

SHA512
988b98284638e7b23ea2c2b0b9fcc73eeddc9b264526848326f7371652a60b28deb15b3fbd63183cf109f878598eebf2b44b8cf0d0e4c71fd6720191956db849

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
memory/232-52-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/244-246-0x000001DDF0C60000-0x000001DDF0C72000-memory.dmp

Filesize
72KB

Download
memory/244-178-0x000001DDF0C90000-0x000001DDF0D06000-memory.dmp

Filesize
472KB

Download
memory/244-68-0x000001DDEE460000-0x000001DDEE4A0000-memory.dmp

Filesize
256KB

Download
memory/244-245-0x000001DDF02A0000-0x000001DDF02AA000-memory.dmp

Filesize
40KB

Download
memory/244-183-0x000001DDF0D10000-0x000001DDF0D2E000-memory.dmp

Filesize
120KB

Download
memory/1820-182-0x00000000004B0000-0x00000000004C4000-memory.dmp

Filesize
80KB

Download
memory/2140-89-0x00000000006E0000-0x00000000006F6000-memory.dmp

Filesize
88KB

Download
memory/2504-151-0x0000000000DE0000-0x0000000000DF8000-memory.dmp

Filesize
96KB

Download
memory/2676-37-0x000000001B0C0000-0x000000001B110000-memory.dmp

Filesize
320KB

Download
memory/2676-22-0x00007FFEEBF70000-0x00007FFEECA32000-memory.dmp

Filesize
10.8MB

Download
memory/2676-55-0x00007FFEEBF70000-0x00007FFEECA32000-memory.dmp

Filesize
10.8MB

Download
memory/2676-38-0x000000001B8F0000-0x000000001B9A2000-memory.dmp

Filesize
712KB

Download
memory/2676-15-0x0000000000080000-0x00000000003A4000-memory.dmp

Filesize
3.1MB

Download
memory/2676-14-0x00007FFEEBF70000-0x00007FFEECA32000-memory.dmp

Filesize
10.8MB

Download
memory/2940-0-0x00007FFEEBF73000-0x00007FFEEBF75000-memory.dmp

Filesize
8KB

Download
memory/2940-250-0x00007FFEEBF70000-0x00007FFEECA32000-memory.dmp

Filesize
10.8MB

Download
memory/2940-212-0x00007FFEEBF73000-0x00007FFEEBF75000-memory.dmp

Filesize
8KB

Download
memory/2940-2-0x00007FFEEBF70000-0x00007FFEECA32000-memory.dmp

Filesize
10.8MB

Download
memory/2940-1-0x00000000006D0000-0x00000000006D8000-memory.dmp

Filesize
32KB

Download
memory/3040-139-0x0000000000A10000-0x0000000000A18000-memory.dmp

Filesize
32KB

Download
memory/3040-204-0x0000000005330000-0x000000000533A000-memory.dmp

Filesize
40KB

Download
memory/3040-205-0x0000000005E20000-0x0000000005EBC000-memory.dmp

Filesize
624KB

Download
memory/3296-36-0x00000000008F0000-0x0000000000906000-memory.dmp

Filesize
88KB

Download
memory/3420-116-0x0000000000980000-0x0000000000994000-memory.dmp

Filesize
80KB

Download
memory/3808-77-0x0000021438C20000-0x0000021438C42000-memory.dmp

Filesize
136KB

Download
memory/4264-165-0x0000000000B70000-0x0000000000B88000-memory.dmp

Filesize
96KB

Download
memory/4776-210-0x0000000000710000-0x0000000000722000-memory.dmp

Filesize
72KB

Download
memory/5076-153-0x0000000005130000-0x000000000513A000-memory.dmp

Filesize
40KB

Download
memory/5076-135-0x00000000051B0000-0x0000000005242000-memory.dmp

Filesize
584KB

Download
memory/5076-125-0x0000000005760000-0x0000000005D06000-memory.dmp

Filesize
5.6MB

Download
memory/5076-111-0x00000000007C0000-0x00000000007C8000-memory.dmp

Filesize
32KB

Download