Analysis
- max time kernel: 1s
- max time network: 39s
- platform: windows10-ltsc 2021_x64
- resource: win10ltsc2021-20241211-en
- resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
- submitted: 04/01/2025, 12:57
Behavioral task
- behavioral1
  - Sample: Hackus.exe
  - Resource: win10ltsc2021-20241211-en
General
- Target: Hackus.exe
- Size: 3.0MB
- MD5: 9c663208365a83ec2b477cccb6467b48
- SHA1: e7b1ade7745edb3728819e91e63cbc8150bef850
- SHA256: 28d86a07879646a56eb6540184ba97968909b23bcfd85e902ae868521c311e81
- SHA512: a61c99646df0b701d1674534e7258e4714f7930f6220f93bdb15ea0c8351b8ea288c033cf388932d18986a0a5005c694933a94abb4f591b76a90867600302379
- SSDEEP: 24576:Fl66l+Tg33ypYcJ52Ymx35h0s5zQ+6fe05bdgBJrGrdqDwEHK2oJ8BoZecPKeNlb:FLlP3G5KT6W0/KJQdqsF5JcJ+l2VbbU
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot7044437613:AAEXeS1SKGTrEjQ8F-7vSegWo8OLABeJY5k/sendMessage?chat_id=6052812018
AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
Signatures
- Asyncrat family
- StormKitty
  StormKitty is an open source info stealer written in C#.
- StormKitty payload (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x0005000000045858-4.dat | family_stormkitty
  behavioral1/memory/2912-15-0x0000000000260000-0x0000000000292000-memory.dmp | family_stormkitty
- Stormkitty family
- Async RAT payload (1 IoC)
  resource | yara_rule
  behavioral1/files/0x0005000000045858-4.dat | family_asyncrat
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000\Control Panel\International\Geo\Nation | Hackus.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000\Control Panel\International\Geo\Nation | HACKUS.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000\Control Panel\International\Geo\Nation | HACKUS.EXE
- Executes dropped EXE (3 IoCs)
  pid | Process
  2912 | LET.EXE
  3784 | LET.EXE
  1884 | LET.EXE
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HACKUS.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LET.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HACKUS.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LET.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HACKUS.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LET.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hackus.exe
- System Network Configuration Discovery: Wi-Fi Discovery (1 TTP, 8 IoCs)
  Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
  pid | Process
  4772 | cmd.exe
  5292 | netsh.exe
  2012 | netsh.exe
  5364 | cmd.exe
  5016 | cmd.exe
  5604 | netsh.exe
  4884 | netsh.exe
  5784 | cmd.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | Process | procid_target
  PID 2116 wrote to memory of 4756 | 2116 | Hackus.exe | 81
  PID 2116 wrote to memory of 4756 | 2116 | Hackus.exe | 81
  PID 2116 wrote to memory of 4756 | 2116 | Hackus.exe | 81
  PID 2116 wrote to memory of 2912 | 2116 | Hackus.exe | 82
  PID 2116 wrote to memory of 2912 | 2116 | Hackus.exe | 82
  PID 2116 wrote to memory of 2912 | 2116 | Hackus.exe | 82
  PID 4756 wrote to memory of 2108 | 4756 | HACKUS.EXE | 83
  PID 4756 wrote to memory of 2108 | 4756 | HACKUS.EXE | 83
  PID 4756 wrote to memory of 2108 | 4756 | HACKUS.EXE | 83
  PID 4756 wrote to memory of 3784 | 4756 | HACKUS.EXE | 84
  PID 4756 wrote to memory of 3784 | 4756 | HACKUS.EXE | 84
  PID 4756 wrote to memory of 3784 | 4756 | HACKUS.EXE | 84
  PID 2108 wrote to memory of 2004 | 2108 | HACKUS.EXE | 85
  PID 2108 wrote to memory of 2004 | 2108 | HACKUS.EXE | 85
  PID 2108 wrote to memory of 2004 | 2108 | HACKUS.EXE | 85
  PID 2108 wrote to memory of 1884 | 2108 | HACKUS.EXE | 86
  PID 2108 wrote to memory of 1884 | 2108 | HACKUS.EXE | 86
  PID 2108 wrote to memory of 1884 | 2108 | HACKUS.EXE | 86
Processes
Each entry gives the nesting depth in the process tree in brackets (a child is one level deeper than its parent), the image path, the command line and the PID; signatures triggered by that process are listed beneath it.

[1] C:\Users\Admin\AppData\Local\Temp\Hackus.exe  "C:\Users\Admin\AppData\Local\Temp\Hackus.exe"  PID:2116
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
[2] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:4756
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
[3] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:2108
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
[4] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:2004
    - System Location Discovery: System Language Discovery
[5] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:3652
[6] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:1548
[7] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:4056
[8] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:2252
[9] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:2908
[10] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:3656
[11] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:5068
[12] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:60
[13] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:4912
[14] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:2012
[15] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:116
[16] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:4612
[17] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:3448
[18] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:760
[19] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:1872
[20] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:1244
[21] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:5068
[22] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:4712
[23] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:5032
[24] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:1056
[25] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:2328
[26] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:4584
[27] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:5308
[28] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:5428
[29] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:5152
[30] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:6120
[31] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:6060
[32] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:1308
[33] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:5636
[34] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:5776
[35] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:5392
[36] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:5148
[37] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:3992
[38] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:2676
[39] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:4780
[40] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:1416
[41] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:5752
[42] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:5988
[43] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:4476
[44] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:6028
[45] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:5888
[46] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:5780
[47] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:6296
[48] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:6500
[49] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:6788
[50] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:7076
[51] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:6188
[52] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:5256
[53] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:4408
[54] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:6580
[55] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:6792
[56] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:6384
[57] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:5620
[58] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:6292
[59] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:5152
[60] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:5620
[61] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:1072
[62] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:5328
[63] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:7200
[64] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:7428
[65] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:7712
[66] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:7860
[67] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:8036
[68] C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE  "C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"  PID:5344
[68] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:5100
[67] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:8044
[66] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:7876
[65] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:7728
[64] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:7472
[63] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:7248
[62] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:5496
[61] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:4028
[60] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:5732
[59] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:3008
[58] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:4008
[57] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:1232
[56] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:6216
[55] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:6068
[54] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:6480
[53] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:5624
[52] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:6404
[51] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:5220
[50] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:7084
[49] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:6828
[48] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:6516
[47] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:6332
[46] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:6148
[45] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:5568
[44] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:1308
[43] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:3512
[42] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:2804
[41] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:5516
[40] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:5768
[39] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:5584
[38] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:3920
[37] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:6136
[36] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:4688
[35] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:5816
[34] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:5332
[33] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:812
[32] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:5216
[31] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:6088
[32] C:\Windows\SysWOW64\cmd.exe  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All  PID:5016
    - System Network Configuration Discovery: Wi-Fi Discovery
[33] C:\Windows\SysWOW64\chcp.com  chcp 65001  PID:1428
[33] C:\Windows\SysWOW64\netsh.exe  netsh wlan show profile  PID:4884
    - System Network Configuration Discovery: Wi-Fi Discovery
[33] C:\Windows\SysWOW64\findstr.exe  findstr All  PID:5468
[32] C:\Windows\SysWOW64\cmd.exe  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid  PID:7816
[33] C:\Windows\SysWOW64\chcp.com  chcp 65001  PID:8180
[30] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:5972
[29] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:5188
[30] C:\Windows\SysWOW64\cmd.exe  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All  PID:5364
    - System Network Configuration Discovery: Wi-Fi Discovery
[31] C:\Windows\SysWOW64\chcp.com  chcp 65001  PID:7048
[31] C:\Windows\SysWOW64\netsh.exe  netsh wlan show profile  PID:5604
    - System Network Configuration Discovery: Wi-Fi Discovery
[31] C:\Windows\SysWOW64\findstr.exe  findstr All  PID:6580
[30] C:\Windows\SysWOW64\cmd.exe  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid  PID:7572
[31] C:\Windows\SysWOW64\chcp.com  chcp 65001  PID:7952
[28] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:5436
[27] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:5336
[26] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:1784
[25] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:864
[24] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:2020
[23] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:760
[22] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:1400
[21] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:2684
[20] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:2252
[19] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:2740
[18] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:1440
[17] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:2680
[16] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:1528
[15] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:4404
[14] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:4312
[13] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:560
[12] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:3028
[11] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:4872
[10] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:2228
[9] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:1120
[8] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:4868
[7] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:232
[6] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:1792
[7] C:\Windows\SysWOW64\cmd.exe  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All  PID:5784
    - System Network Configuration Discovery: Wi-Fi Discovery
[8] C:\Windows\SysWOW64\chcp.com  chcp 65001  PID:5424
[8] C:\Windows\SysWOW64\netsh.exe  netsh wlan show profile  PID:5292
    - System Network Configuration Discovery: Wi-Fi Discovery
[8] C:\Windows\SysWOW64\findstr.exe  findstr All  PID:1020
[7] C:\Windows\SysWOW64\cmd.exe  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid  PID:3992
[8] C:\Windows\SysWOW64\chcp.com  chcp 65001  PID:5224
[8] C:\Windows\SysWOW64\netsh.exe  netsh wlan show networks mode=bssid  PID:5328
[5] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:3768
[6] C:\Windows\SysWOW64\cmd.exe  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All  PID:4772
    - System Network Configuration Discovery: Wi-Fi Discovery
[7] C:\Windows\SysWOW64\chcp.com  chcp 65001  PID:5296
[7] C:\Windows\SysWOW64\netsh.exe  netsh wlan show profile  PID:2012
    - System Network Configuration Discovery: Wi-Fi Discovery
[7] C:\Windows\SysWOW64\findstr.exe  findstr All  PID:6104
[6] C:\Windows\SysWOW64\cmd.exe  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid  PID:5860
[7] C:\Windows\SysWOW64\chcp.com  chcp 65001  PID:5716
[7] C:\Windows\SysWOW64\netsh.exe  netsh wlan show networks mode=bssid  PID:6616
[4] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:1884
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
[3] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:3784
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
[2] C:\Users\Admin\AppData\Local\Temp\LET.EXE  "C:\Users\Admin\AppData\Local\Temp\LET.EXE"  PID:2912
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
MITRE ATT&CK Enterprise v15
Downloads