asyncrat | 672ad2d52af206cc63cebe2c801181d3b406aae5891cc57bdaafd5eea3d61fe6

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
16/01/2025, 14:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

761KB
MD5

c6040234ee8eaedbe618632818c3b1b3
SHA1

68115f8c3394c782aa6ba663ac78695d2b80bf75
SHA256

bb459869e5ef6d6dd6f0329080d7cb12542c4b37163ae2cd782620adcd7d55a0
SHA512

a3d8c8c6a990797a99887e0e07a01b1e2fe0a4e53df7294fed18a1e856d56a7762e0ab4a8e4689de411acb4fd29b8d7e247fbc696d855a9976a760d33ab60bcf
SSDEEP

12288:mMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9mWej:mnsJ39LyjbJkQFMhmC+6GD9I

Score

10^/10

asyncrat metasploit quasar xred xworm default office04 school backdoor discovery execution macro persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

quasar

Version

1.3.0.0

Botnet

School

gamwtonxristo.ddns.net:1717

Mutex

QSR_MUTEX_M3Vba1npfJg3Ale25C

Attributes

encryption_key
VtojWKM7f1XyCVdB41wL
install_name
comctl32.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender Startup Scan
subdirectory
Windows Defender

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

0.tcp.in.ngrok.io:14296

193.161.193.99:20466

Mutex

cc827307-beb6-456e-b5dd-e28a204ebd45

Attributes

encryption_key
93486CAE624EBAD6626412E4A7DC6221B139DAA8
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

xworm

Version

5.0

137.184.74.73:5000

Mutex

XukSoXxFQFDQJQvq

Attributes

Install_directory
%ProgramData%
install_file
System.exe

aes.plain

Extracted

Family

metasploit

Version

windows/reverse_tcp

89.197.154.116:7810

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

2.tcp.eu.ngrok.io:19695

Mutex

gonq3XlXWgiz

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x00050000000193c4-348.dat	family_xworm
behavioral1/memory/2620-350-0x0000000001130000-0x0000000001140000-memory.dmp	family_xworm
behavioral1/memory/2576-552-0x0000000000D20000-0x0000000000D30000-memory.dmp	family_xworm

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Quasar RAT 4 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New Text Document mod.exe
	25	ip-api.com	Process not Found
	92	ip-api.com	Process not Found
	158	ip-api.com	Process not Found

Quasar family
quasar

Quasar payload 12 IoCs

resource	yara_rule
behavioral1/files/0x001300000001749c-166.dat	family_quasar
behavioral1/memory/1856-177-0x0000000001130000-0x00000000011B6000-memory.dmp	family_quasar
behavioral1/files/0x000800000001755b-243.dat	family_quasar
behavioral1/memory/1240-245-0x0000000000980000-0x0000000000CA4000-memory.dmp	family_quasar
behavioral1/memory/1420-253-0x0000000000970000-0x00000000009F6000-memory.dmp	family_quasar
behavioral1/files/0x0005000000019297-319.dat	family_quasar
behavioral1/memory/1944-321-0x0000000000D40000-0x0000000001064000-memory.dmp	family_quasar
behavioral1/memory/1996-323-0x0000000000D90000-0x0000000000E16000-memory.dmp	family_quasar
behavioral1/memory/1656-341-0x00000000010C0000-0x00000000013E4000-memory.dmp	family_quasar
behavioral1/memory/1728-529-0x00000000010E0000-0x0000000001166000-memory.dmp	family_quasar
behavioral1/memory/1336-554-0x00000000013C0000-0x0000000001446000-memory.dmp	family_quasar
behavioral1/memory/2708-658-0x00000000013E0000-0x0000000001466000-memory.dmp	family_quasar

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0005000000019509-500.dat	family_asyncrat

Downloads MZ/PE file

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x0005000000019269-307.dat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	Loader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	Loader.exe

Executes dropped EXE 29 IoCs

pid	Process
1796	._cache_New Text Document mod.exe
780	Synaptics.exe
2848	._cache_Synaptics.exe
1856	ogpayload.exe
1240	Client-base.exe
1420	comctl32.exe
1944	Servers.exe
1996	comctl32.exe
896	FXServer.exe
1656	Windows Defender SmartScreen (32 bit).exe
1692	mac.exe
2620	Loader.exe
1672	win.exe
2120	ciscotest.exe
868	Discord.exe
2476	comctl32.exe
1728	comctl32.exe
2156	comctl32.exe
2576	System.exe
1336	comctl32.exe
2436	comctl32.exe
1548	comctl32.exe
2708	comctl32.exe
1416	comctl32.exe
1708	comctl32.exe
320	System.exe
2704	comctl32.exe
2708	comctl32.exe
2008	comctl32.exe

Loads dropped DLL 64 IoCs

pid	Process
1956	New Text Document mod.exe
1956	New Text Document mod.exe
1956	New Text Document mod.exe
780	Synaptics.exe
780	Synaptics.exe
1856	ogpayload.exe
964	WerFault.exe
964	WerFault.exe
964	WerFault.exe
964	WerFault.exe
964	WerFault.exe
1796	._cache_New Text Document mod.exe
1796	._cache_New Text Document mod.exe
448	WerFault.exe
448	WerFault.exe
448	WerFault.exe
448	WerFault.exe
448	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2428	WerFault.exe
2428	WerFault.exe
2428	WerFault.exe
2428	WerFault.exe
2428	WerFault.exe
1480	WerFault.exe
1480	WerFault.exe
1480	WerFault.exe
1480	WerFault.exe
1480	WerFault.exe
2304	WerFault.exe
2304	WerFault.exe
2304	WerFault.exe
2304	WerFault.exe
2304	WerFault.exe
1420	WerFault.exe
1420	WerFault.exe
1420	WerFault.exe
1420	WerFault.exe
1420	WerFault.exe
880	WerFault.exe
880	WerFault.exe
880	WerFault.exe
880	WerFault.exe
880	WerFault.exe
2336	WerFault.exe
2336	WerFault.exe
2336	WerFault.exe
2336	WerFault.exe
2336	WerFault.exe
2004	WerFault.exe
2004	WerFault.exe
2004	WerFault.exe
2004	WerFault.exe
2004	WerFault.exe
1092	WerFault.exe
1092	WerFault.exe
1092	WerFault.exe
1092	WerFault.exe
1092	WerFault.exe
2336	WerFault.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	New Text Document mod.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
23	raw.githubusercontent.com
24	raw.githubusercontent.com
29	0.tcp.in.ngrok.io
54	2.tcp.eu.ngrok.io
90	0.tcp.in.ngrok.io
118	2.tcp.eu.ngrok.io
151	0.tcp.in.ngrok.io

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	ip-api.com
92	ip-api.com
158	ip-api.com

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1516	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

pid	pid_target	Process	procid_target
964	1420	WerFault.exe	41
448	1996	WerFault.exe	53
2144	1672	WerFault.exe	72
2428	2476	WerFault.exe	81
1480	1728	WerFault.exe	89
2304	2156	WerFault.exe	97
1420	1336	WerFault.exe	107
880	2436	WerFault.exe	115
2336	1548	WerFault.exe	123
2004	2708	WerFault.exe	131
1092	1416	WerFault.exe	139
2336	1708	WerFault.exe	147
2392	2704	WerFault.exe	156
2796	2708	WerFault.exe	164
2744	2008	WerFault.exe	172

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New Text Document mod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ciscotest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2868	PING.EXE
1548	PING.EXE
1856	PING.EXE
2128	PING.EXE
1480	PING.EXE
2072	PING.EXE
2080	PING.EXE
448	PING.EXE
764	PING.EXE
2504	PING.EXE
2500	PING.EXE
2564	PING.EXE
2084	PING.EXE
1396	PING.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	._cache_New Text Document mod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	._cache_New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	._cache_New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	win.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	._cache_New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	._cache_New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	._cache_New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	._cache_New Text Document mod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	win.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	win.exe

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
764	PING.EXE
2868	PING.EXE
1548	PING.EXE
1856	PING.EXE
2128	PING.EXE
2500	PING.EXE
2564	PING.EXE
448	PING.EXE
1396	PING.EXE
2504	PING.EXE
1480	PING.EXE
2072	PING.EXE
2084	PING.EXE
2080	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 19 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2768	schtasks.exe
2932	schtasks.exe
1952	schtasks.exe
1064	schtasks.exe
960	schtasks.exe
2932	schtasks.exe
1620	schtasks.exe
1292	schtasks.exe
3036	schtasks.exe
2368	schtasks.exe
1280	schtasks.exe
2096	schtasks.exe
1684	schtasks.exe
2796	schtasks.exe
2016	schtasks.exe
2240	schtasks.exe
2464	schtasks.exe
1752	schtasks.exe
2220	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1552	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1516	powershell.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	._cache_Synaptics.exe
Token: SeDebugPrivilege	1796	._cache_New Text Document mod.exe
Token: SeDebugPrivilege	1856	ogpayload.exe
Token: SeDebugPrivilege	1240	Client-base.exe
Token: SeDebugPrivilege	1420	comctl32.exe
Token: SeDebugPrivilege	1944	Servers.exe
Token: SeDebugPrivilege	1656	Windows Defender SmartScreen (32 bit).exe
Token: SeDebugPrivilege	2620	Loader.exe
Token: SeDebugPrivilege	1996	comctl32.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	1672	win.exe
Token: SeDebugPrivilege	2620	Loader.exe
Token: SeDebugPrivilege	2476	comctl32.exe
Token: SeDebugPrivilege	1728	comctl32.exe
Token: SeDebugPrivilege	2156	comctl32.exe
Token: SeDebugPrivilege	2576	System.exe
Token: SeDebugPrivilege	1336	comctl32.exe
Token: SeDebugPrivilege	2436	comctl32.exe
Token: SeDebugPrivilege	1548	comctl32.exe
Token: SeDebugPrivilege	2708	comctl32.exe
Token: SeDebugPrivilege	1416	comctl32.exe
Token: SeDebugPrivilege	320	System.exe
Token: SeDebugPrivilege	1708	comctl32.exe
Token: SeDebugPrivilege	2704	comctl32.exe
Token: SeDebugPrivilege	2708	comctl32.exe
Token: SeDebugPrivilege	2008	comctl32.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
1240	Client-base.exe
1420	comctl32.exe
1552	EXCEL.EXE
1996	comctl32.exe
1656	Windows Defender SmartScreen (32 bit).exe
2476	comctl32.exe
1728	comctl32.exe
2156	comctl32.exe
1336	comctl32.exe
2436	comctl32.exe
1548	comctl32.exe
2708	comctl32.exe
1416	comctl32.exe
1708	comctl32.exe
2704	comctl32.exe
2708	comctl32.exe
2008	comctl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1796	1956	New Text Document mod.exe	30
PID 1956 wrote to memory of 1796	1956	New Text Document mod.exe	30
PID 1956 wrote to memory of 1796	1956	New Text Document mod.exe	30
PID 1956 wrote to memory of 1796	1956	New Text Document mod.exe	30
PID 1956 wrote to memory of 780	1956	New Text Document mod.exe	32
PID 1956 wrote to memory of 780	1956	New Text Document mod.exe	32
PID 1956 wrote to memory of 780	1956	New Text Document mod.exe	32
PID 1956 wrote to memory of 780	1956	New Text Document mod.exe	32
PID 780 wrote to memory of 2848	780	Synaptics.exe	33
PID 780 wrote to memory of 2848	780	Synaptics.exe	33
PID 780 wrote to memory of 2848	780	Synaptics.exe	33
PID 780 wrote to memory of 2848	780	Synaptics.exe	33
PID 2848 wrote to memory of 1856	2848	._cache_Synaptics.exe	36
PID 2848 wrote to memory of 1856	2848	._cache_Synaptics.exe	36
PID 2848 wrote to memory of 1856	2848	._cache_Synaptics.exe	36
PID 2848 wrote to memory of 1856	2848	._cache_Synaptics.exe	36
PID 1796 wrote to memory of 1240	1796	._cache_New Text Document mod.exe	38
PID 1796 wrote to memory of 1240	1796	._cache_New Text Document mod.exe	38
PID 1796 wrote to memory of 1240	1796	._cache_New Text Document mod.exe	38
PID 1856 wrote to memory of 2368	1856	ogpayload.exe	39
PID 1856 wrote to memory of 2368	1856	ogpayload.exe	39
PID 1856 wrote to memory of 2368	1856	ogpayload.exe	39
PID 1856 wrote to memory of 2368	1856	ogpayload.exe	39
PID 1856 wrote to memory of 1420	1856	ogpayload.exe	41
PID 1856 wrote to memory of 1420	1856	ogpayload.exe	41
PID 1856 wrote to memory of 1420	1856	ogpayload.exe	41
PID 1856 wrote to memory of 1420	1856	ogpayload.exe	41
PID 1240 wrote to memory of 2796	1240	Client-base.exe	42
PID 1240 wrote to memory of 2796	1240	Client-base.exe	42
PID 1240 wrote to memory of 2796	1240	Client-base.exe	42
PID 1420 wrote to memory of 1280	1420	comctl32.exe	44
PID 1420 wrote to memory of 1280	1420	comctl32.exe	44
PID 1420 wrote to memory of 1280	1420	comctl32.exe	44
PID 1420 wrote to memory of 1280	1420	comctl32.exe	44
PID 1420 wrote to memory of 2780	1420	comctl32.exe	46
PID 1420 wrote to memory of 2780	1420	comctl32.exe	46
PID 1420 wrote to memory of 2780	1420	comctl32.exe	46
PID 1420 wrote to memory of 2780	1420	comctl32.exe	46
PID 1420 wrote to memory of 964	1420	comctl32.exe	48
PID 1420 wrote to memory of 964	1420	comctl32.exe	48
PID 1420 wrote to memory of 964	1420	comctl32.exe	48
PID 1420 wrote to memory of 964	1420	comctl32.exe	48
PID 2780 wrote to memory of 840	2780	cmd.exe	49
PID 2780 wrote to memory of 840	2780	cmd.exe	49
PID 2780 wrote to memory of 840	2780	cmd.exe	49
PID 2780 wrote to memory of 840	2780	cmd.exe	49
PID 2780 wrote to memory of 2868	2780	cmd.exe	50
PID 2780 wrote to memory of 2868	2780	cmd.exe	50
PID 2780 wrote to memory of 2868	2780	cmd.exe	50
PID 2780 wrote to memory of 2868	2780	cmd.exe	50
PID 1796 wrote to memory of 1944	1796	._cache_New Text Document mod.exe	52
PID 1796 wrote to memory of 1944	1796	._cache_New Text Document mod.exe	52
PID 1796 wrote to memory of 1944	1796	._cache_New Text Document mod.exe	52
PID 2780 wrote to memory of 1996	2780	cmd.exe	53
PID 2780 wrote to memory of 1996	2780	cmd.exe	53
PID 2780 wrote to memory of 1996	2780	cmd.exe	53
PID 2780 wrote to memory of 1996	2780	cmd.exe	53
PID 1944 wrote to memory of 2464	1944	Servers.exe	54
PID 1944 wrote to memory of 2464	1944	Servers.exe	54
PID 1944 wrote to memory of 2464	1944	Servers.exe	54
PID 1796 wrote to memory of 896	1796	._cache_New Text Document mod.exe	57
PID 1796 wrote to memory of 896	1796	._cache_New Text Document mod.exe	57
PID 1796 wrote to memory of 896	1796	._cache_New Text Document mod.exe	57
PID 1944 wrote to memory of 1656	1944	Servers.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
1⤵
- Quasar RAT
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Users\Admin\AppData\Local\Temp\a\Client-base.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Client-base.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1240
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2796
- - C:\Users\Admin\AppData\Local\Temp\a\Servers.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Servers.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Server Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsLockerZAP\Windows Defender SmartScreen (32 bit).exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2464
  - - C:\Users\Admin\AppData\Roaming\WindowsLockerZAP\Windows Defender SmartScreen (32 bit).exe
      "C:\Users\Admin\AppData\Roaming\WindowsLockerZAP\Windows Defender SmartScreen (32 bit).exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1656
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Server Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsLockerZAP\Windows Defender SmartScreen (32 bit).exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2096
- - C:\Users\Admin\AppData\Local\Temp\a\FXServer.exe
    "C:\Users\Admin\AppData\Local\Temp\a\FXServer.exe"
    3⤵
    - Executes dropped EXE
    PID:896
- - C:\Users\Admin\AppData\Local\Temp\a\mac.exe
    "C:\Users\Admin\AppData\Local\Temp\a\mac.exe"
    3⤵
    - Executes dropped EXE
    PID:1692
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1692 -s 532
      4⤵
      PID:1736
- - C:\Users\Admin\AppData\Local\Temp\a\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Loader.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2620
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\ProgramData\System.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2932
- - C:\Users\Admin\AppData\Local\Temp\a\win.exe
    "C:\Users\Admin\AppData\Local\Temp\a\win.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    PID:1672
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\run.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1516
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 1400
      4⤵
      Loads dropped DLL
      Program crash
      PID:2144
- - C:\Users\Admin\AppData\Local\Temp\a\ciscotest.exe
    "C:\Users\Admin\AppData\Local\Temp\a\ciscotest.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2120
- - C:\Users\Admin\AppData\Local\Temp\a\Discord.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Discord.exe"
    3⤵
    - Executes dropped EXE
    PID:868
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Users\Admin\AppData\Local\Temp\a\ogpayload.exe
      "C:\Users\Admin\AppData\Local\Temp\a\ogpayload.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1856
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\a\ogpayload.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2368
    - - C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1420
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1280
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\sm3PcMPvaYxR.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2868
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1996
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JFwpv32QzhY7.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2564
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2476
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        10⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\8Huhdy4RGYES.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2072
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1728
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wnjlZfUOqR1s.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2084
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2156
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        14⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ai11HUcsHrr0.bat" "
        14⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1548
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1336
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        16⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pSz207zF2Q1j.bat" "
        16⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2080
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2436
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        18⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1A9Kw0BIIBVY.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:448
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1548
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        20⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FNSRd6zQEurI.bat" "
        20⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1396
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2708
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        22⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\9QE38kBl1ZEX.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1856
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1416
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        24⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\2S0edPN6oEcl.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:764
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1708
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        26⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XJS18smLv1Jb.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2504
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2704
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        28⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oXZscilnOYMF.bat" "
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2500
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2708
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        30⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oh88QArpPvrR.bat" "
        30⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2128
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2008
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        32⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\9U9JZOn6yITZ.bat" "
        32⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        33⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 1416
        32⤵
        Program crash
        
        PID:2744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 1424
        30⤵
        Program crash
        
        PID:2796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 1384
        28⤵
        Program crash
        
        PID:2392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1452
        26⤵
        Loads dropped DLL
        Program crash
        
        PID:2336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 1436
        24⤵
        Loads dropped DLL
        Program crash
        
        PID:1092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 1456
        22⤵
        Loads dropped DLL
        Program crash
        
        PID:2004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 1460
        20⤵
        Loads dropped DLL
        Program crash
        
        PID:2336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 1352
        18⤵
        Loads dropped DLL
        Program crash
        
        PID:880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 1440
        16⤵
        Loads dropped DLL
        Program crash
        
        PID:1420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1408
        14⤵
        Loads dropped DLL
        Program crash
        
        PID:2304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 1436
        12⤵
        Loads dropped DLL
        Program crash
        
        PID:1480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 1452
        10⤵
        Loads dropped DLL
        Program crash
        
        PID:2428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 1436
        8⤵
        Loads dropped DLL
        Program crash
        
        PID:448
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 1452
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:964

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1552

C:\Windows\system32\taskeng.exe
taskeng.exe {8E23BBB2-19B0-4328-93E4-3976BAE52AD6} S-1-5-21-1163522206-1469769407-485553996-1000:PJCSDMRP\Admin:Interactive:[1]
1⤵
PID:2176
- C:\ProgramData\System.exe
  C:\ProgramData\System.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2576
- C:\ProgramData\System.exe
  C:\ProgramData\System.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
761KB

MD5
c6040234ee8eaedbe618632818c3b1b3

SHA1
68115f8c3394c782aa6ba663ac78695d2b80bf75

SHA256
bb459869e5ef6d6dd6f0329080d7cb12542c4b37163ae2cd782620adcd7d55a0

SHA512
a3d8c8c6a990797a99887e0e07a01b1e2fe0a4e53df7294fed18a1e856d56a7762e0ab4a8e4689de411acb4fd29b8d7e247fbc696d855a9976a760d33ab60bcf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
867B

MD5
c5dfb849ca051355ee2dba1ac33eb028

SHA1
d69b561148f01c77c54578c10926df5b856976ad

SHA256
cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b

SHA512
88289cdd2c2dd1f5f4c13ab2cf9bc601fc634b5945309bedf9fc5b96bf21697b4cd6da2f383497825e02272816befbac4f44955282ffbbd4dd0ddc52281082da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11f07d9c900c29a8157a5902d246eb85

SHA1
8abaf60405488cf7a0ea8f64ca0f7bdc5ea85030

SHA256
5222448450092c4709af7242e1b1ef106e6324069ce7f9a1a76f74e74da1e8f6

SHA512
2bff055b11f9bb7cfa64a159bd6117f799504b8df09367bca27f5ce6e8f6dc61d218d4fde0c85980551482381934476e0b15ce7eecd11e98b03433ecdf23c56f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5cc31d954d5bb5f155f035b606d61e01

SHA1
08336cb814f4ffc30ee66c605a22ed424444b741

SHA256
5314991c180b19d902dccea98d2639cb1cc79df391e49e564f6a46e6dda3a37e

SHA512
f44d1beed6c46301131a6ac442f266fd20661977644780cb8ba793fb699ec5ff36afc7c1f14f232fa563363da78b1b104c603b07db2f50cd0df0e38715af75f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7f65d5338837c46181e9111255f93dd

SHA1
1eced8a86bef57579fc9d69d29701a0cdba077e6

SHA256
57f615b2d16403940fc382c05f6d45f41a2a21a82868b93bfbfff43673c1d2e7

SHA512
0ecf7d7f2ee2a0131f5c79d0bdf928090abeebfcd8c6a6916e48475630210f63b4eda3038f081f8c3b618956f988d0ce5564918cdf0ea40cd0b48eaefa346ad2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8927810a609a252152bb91dd0b20504d

SHA1
b5a69733f95fbe75b460e402ec97c037ec40b262

SHA256
9a5014fbf725248ee1dcc5990f1c372f3a335dedd816c8b37f86e6dcc851e1a9

SHA512
1bc098cfe85cdd9ead09303c21ab102a29435f2721f091cf2e6475ddbac6a9d148cdd11e5cbbc5b75bb3ab3ff47e318952334b0510319e8b9bb7924766bc5a0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
284ce3f0a8903e18619259bcae69006f

SHA1
c458cd8901103e403e187790d286c1302e039af3

SHA256
33f0dff40b2bf454882587fbbf0723e61850b0415551da318be90995587d51ef

SHA512
462ec4b1196478736ca0bda41a623a1a6a2adac7f971e679f707ef8d826ba0ec8abb70265b77408d1316a45e6b95e8166a4f68637fef3f3adbf073744058d216

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
ae38f8586e9f396835b8642b00c4ecbd

SHA1
aa2a3eb25ce5fa1d14a3803f7bd5bd40473372ba

SHA256
825f7ba73bba99f852365b2c8252b783c9fb46fe161bb71b33322a087c9814d1

SHA512
d65261574d408549e41f7e1f85ee3d3b8a0c7aa1b2a303bd0600618dbfa96c9261afe2d7b41149e495c62e6bc6aefbe1f7f5da08abdaccbba0d6ad690203e2be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
242B

MD5
a79dadc7efe6b1b701d1fefbcecef3e1

SHA1
e28e009d41c10e7bf6750dbc0f65d98878fa3a6a

SHA256
2ed0b9851d335f90752be08f030e1cacb334a5a29895a830dfc8e0e8d39f076f

SHA512
38e441bc5b581bc336f76efe4477e3e0ce9491fd9e6d70b95fd197ab58ad333eb8878663cf1fefb467ab9aa0560d5e694f4bb1bc51a919c2180c2cd656f48794

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A9Kw0BIIBVY.bat

Filesize
219B

MD5
0911efd109ccba666825fafa3a9fbde1

SHA1
213913708e608807ac5ab8f5bef817475a4ba8cb

SHA256
4e110fab6f5cb78300dc22d9841f1dc32dfecc0127f03c6202f650a3ca0581af

SHA512
2d0bf4a4ec1aec6f78b292389a12701c2e94625444ee6ce206d27c422df83bd96bcbc5fe0b5b78f7c43f55a6c6dd4bb0ffa2b7ec422f5220fcbcd86492d5d6c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2S0edPN6oEcl.bat

Filesize
219B

MD5
a68f815d7b66e16a88e729892146239f

SHA1
c84826071b4ceb72c7f92326894703b906262a9f

SHA256
a38508d92cfb30edc923a6c58dceb98b9795896d3219d33174fbdb78685c89a4

SHA512
407d83a1a8dc6b390cfbc087685b82eb535e553d05a029e69d51801dfe4cfa675cd6fb17ced0b98eb2a5e6262e702af01cca84e6c30e7b3293deed81fb32d743

Download Submit
C:\Users\Admin\AppData\Local\Temp\8Huhdy4RGYES.bat

Filesize
219B

MD5
f4432e4b99188fdceb438774da5f61fc

SHA1
4baeb1853bb827a622dc849e7a96cdaaf5651cf4

SHA256
e108a43a524578380dbce5d7e7bf80ecdc7d432b26ae7817ead169297899bb3b

SHA512
ec097c35d9358adeebf28d553860b05a8a7f4974db1a2f61f690812980558dd7b73eaa9efc842348930797a3e523102b03e129a3f415de8896c4c0cfa7158337

Download Submit
C:\Users\Admin\AppData\Local\Temp\9QE38kBl1ZEX.bat

Filesize
219B

MD5
2ecf41ffb56428fdf17dff39742ea1e3

SHA1
5670f29f5541b05ff7c2f88d46c777c3c8d481c3

SHA256
b9aa508cebd8653f0a3bf5331bdb7b95e79c6a114b74d0d89a632fc102111e33

SHA512
3a41080cde09e1ce1e84360b51e70fd76e7575e7d41cc86711524c69f0e2e455ed0765ebb0ff36d0954476b7ec216d175e5b8616347e96e4cf4f4940df6bfc43

Download Submit
C:\Users\Admin\AppData\Local\Temp\9U9JZOn6yITZ.bat

Filesize
219B

MD5
5edc1820a1141e333bebbea77e1bcd27

SHA1
9100c4a4cb0e29a99cae1221dca1a7200e26bf6e

SHA256
760b7c6ce8a347a080850e5bbf8612f07ae50c8200cd0a40181a13441db19c95

SHA512
204f26a16cfbe30094bf7b9c2680f32dda74925b65d1a51580d3a3ce3bbdb2c68b919d9134525b273ed92a06c7a9c50285c973c8a7658f6ea0dafd10578173a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC9E5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNSRd6zQEurI.bat

Filesize
219B

MD5
f1f9dd32bd73605e96234211cb520fc8

SHA1
a5c3f711a1d19aca4c9435002f1d798fd9a317ee

SHA256
37eca430973060ebcaacc516be37dbe61a03e2018b143ab64d42e6a15e8b05e4

SHA512
1a0ff6d893399ec9839e5945c630523240714fc81065c324985cbb796f492e12977847d4f89ec5478894b1c75cd74666ab046704f4fa7655b19c788f462299c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\JFwpv32QzhY7.bat

Filesize
219B

MD5
816ea1ca7763fc5dc36bbd7651455bea

SHA1
483011175365496f6e82dd3c8f2ba5944a0e2349

SHA256
ab0db5428b974fe1b6ab40fc8d8e3facd90ab3cd4e615d4da369f8b000e56d38

SHA512
4d2e9a76ac3aabfe506e569c31ba395974e8486d4533daa5e15ca44e8c10582bcc4950bde6c8554c3f3cda34293466857b650af18841dfc6a88e89929621ca0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCAA2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XJS18smLv1Jb.bat

Filesize
219B

MD5
c5388e845df3d581c21e82a3ec3eeaca

SHA1
8821def018fff4dbc0449b978a7ac85d1fd01a7a

SHA256
c32dbdee164c80b85ad25987114e1326255168c8ff294b3b5b961db6b4b9d432

SHA512
dca6c33983f57c57624058d009e193b303121a00f4ae3493528bb935ccef09d89bc99d339c91d22a8f58276087ddf8715289fd332a84ec620f020eec56e6fb9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Client-base.exe

Filesize
3.1MB

MD5
21ce4cd2ce246c86222b57b93cdc92bd

SHA1
9dc24ad846b2d9db64e5bbea1977e23bb185d224

SHA256
273c917fc8fddcb94de25686720df1ea12f948dfbebffa56314b6565123ae678

SHA512
ff43fe890e30d6766f51922cfd1e9c36d312fd305620954fae8c61829f58d7361ae442bf9145339904eb6a88c2629c1e83f5b8a1d78ab0d13554cf6053d194f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Discord.exe

Filesize
45KB

MD5
9dcd35fe3cafec7a25aa3cdd08ded1f4

SHA1
13f199bfd3f8b2925536144a1b42424675d7c8e4

SHA256
ce4f85d935fe68a1c92469367b945f26c40c71feb656ef844c30a5483dc5c0be

SHA512
9a4293b2f2d0f1b86f116c5560a238ea5910454d5235aedb60695254d7cc2c3b1cd9dd1b890b9f94249ee0ca25a9fb457a66ca52398907a6d5775b0d2e2b70d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Loader.exe

Filesize
35KB

MD5
c95261eab6c76d4e65624919ccb13cd7

SHA1
9daad5cc07c35f96061ffec077454c99508f2532

SHA256
6a8a6457a46f87a5d42d578b4807bee42305920cbf1bfb0402d8f3ae0c91ae30

SHA512
92acd72ccee4ed8d7f66abb2e1b0520f76310d13634578aa46ce28229316ecbd6603bc6b9febe0fa91852c589f043fc3870229a921ac27020feb79f6b0dc4417

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Servers.exe

Filesize
3.1MB

MD5
ff8c68c60f122eb7f8473106d4bcf26c

SHA1
0efa03e7412e7e15868c93604372d2b2e6b80662

SHA256
5ff2becf2c56500cb71898f661c863e647a96af33db38d84d7921dc7dbf4f642

SHA512
ab92ef844a015c3fcbfba313872b922bff54184b25623ed34f4829bd66a95af081cdeefd35425a4d3b9d9085ccf8c25045cf6093d74a5c8c35012c1b7546688e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ciscotest.exe

Filesize
72KB

MD5
0076324b407d0783137badc7600327a1

SHA1
29e6cb1f18a43b8e293539d50272898a8befa341

SHA256
55c727a9806966ec83f22702c1101c855a004c5658cf60e3c3499f895b994583

SHA512
96b08dd1a7abccefabe3568637c17f6ae2c04349488db8dc05b9dcaaaef6a041c36fa4a1f1841096d6622b9775099c7c7eb1497c57581cb444afeb481563cae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\mac.exe

Filesize
28KB

MD5
2d3c280f66396febc80ee3024da80f8e

SHA1
70bda33b1a7521800a2c620cda4cf4b27487fa28

SHA256
a7e4b2fd9cdb85f383f78ffe973776d40262d53727d0c58ea92c200ec1a7bd6d

SHA512
26b38d618238336e36fd79f1e63b7c59490ca3e5616306da3ae3e0907415a1746aac638930e01f93529b16f3fe7968d48f5557d6bf32385f82a7bf1f944cf4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ogpayload.exe

Filesize
507KB

MD5
4e7b96fe3160ff171e8e334c66c3205c

SHA1
ad9dbdfb52d3c2ee9a57fe837605ec233db43a7f

SHA256
e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c

SHA512
2e8968ce87a1670ff6b49f92beaee8c7d1b2fd94bc216507e255bb2a54d4073fbbd20b39e188fd40eb049da59bf27f9aed729c390525232e4a904e71e10f9b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\win.exe

Filesize
6KB

MD5
f391621b64e5287aa53ba37dfc327138

SHA1
5b82777d9cba4567dc1a111fd93e3ef7639ac7af

SHA256
7f7488259f1de363018c36626ad42f8d2f9671f91542cb21eb5f1d7fbf5c20f6

SHA512
b26f78c81db0ae7f7e294b56416ff136d747b76d1009df928401b0e4eebc6774acc4cb5ff8dd55c52edd8370ab154ce60fa9bb0bac2752cc769f47c83b4eb254

Download Submit
C:\Users\Admin\AppData\Local\Temp\ai11HUcsHrr0.bat

Filesize
219B

MD5
2a8da92915cc2c82fb43612d6ae15449

SHA1
ab0351a6628c238c22a41b94169d9a047440b2c9

SHA256
76ccd7bae8098b54e67a99a433e7a0c247662be9bcc2a678c119d88ea0a27e81

SHA512
7fc32a07e09568652c236a219acf8f79a3b68681def3925470c3a783720ce7608aeec1df6a006c87637d7b9e83ca04d7df8916edc014c0fba3e222a74b0149b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmk7YgST.xlsm

Filesize
24KB

MD5
77b33946d33231061ac492eeb8b94c20

SHA1
f5a92a380669bde76ccd24365db808f704671203

SHA256
404a39b4d2393a2fa58ac82c5e6781ee144894a17388ede8b4d948f7b5e06a55

SHA512
375ecc115d2a7aba04597d155a901bf5b5e4db34278ea668ab80b14fe0a1166172d918641350bf98359bb7eadc12a0933cb99183cc40f3da2a9ac4f4f34e8bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmk7YgST.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\oXZscilnOYMF.bat

Filesize
219B

MD5
665b9b040903858476dba4ab44e8b29c

SHA1
0a635bf15b931c10fe6fee0a90a9ca5e07acb1a6

SHA256
5f29b029a9066abd0735a27c22baae5bbe9bbe1a4b11006e36739bb9571047d1

SHA512
1cd0848feb382fbea77d53699d4b2d652d8898d0489c437d6fa4f6a1dd814eca7b0e4900b73e314491bd99f10abec45867df29a082e0a6751cdba6839cb31df2

Download Submit
C:\Users\Admin\AppData\Local\Temp\oh88QArpPvrR.bat

Filesize
219B

MD5
ea3b55b89f402f2abfafdbfe76475853

SHA1
c513dabce05b8be914f14335720d48d893e8dae1

SHA256
27596b9c30f88fc7b2cd5eca4ad4a51d29f90a939cd183b22f69ba165bd66d50

SHA512
97e1732773382f271854444a090db456bdcb4366a2e80485bf870b4e82d4508ebbcadeae97fbb3833fd33328c89583249cfd8baa4fadb78d41fb895457c91697

Download Submit
C:\Users\Admin\AppData\Local\Temp\pSz207zF2Q1j.bat

Filesize
219B

MD5
e399629b6fb3d5a2e03b56e4fc18605f

SHA1
2dcb7bd50388a7ccd75bd6ad924bea7f4daa1eb9

SHA256
c25d40fccf15ca6f1116b060bb5bdfbc2a66e82ff1a2fec68e4e873229e45c90

SHA512
f194ac94ca9716a8d13fba028402400b8f83d84fe691a091d5f9ff867340646a6516670853bb4cdb390a69edc5c22674ba4726f96ad80e0cd1ac1f9a7e528012

Download Submit
C:\Users\Admin\AppData\Local\Temp\run.ps1

Filesize
165B

MD5
288c58f3580883f4312443d845fd0323

SHA1
00932e3b83213e92770f07020df5c849728a3f1a

SHA256
c942c6f38a8b4fe90b563918279596c5c0c0ae86f2283720bccb650c87dd7420

SHA512
5096c123a16ce023354561da280c44f3e53f6b702679223ec20fd6fb4586db152e85ce581d7dcc54535e2ce6c9e3e3edc6c17d61585b8431583cd099bd7fc6e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\sm3PcMPvaYxR.bat

Filesize
219B

MD5
f69124bcd7b65078ad4b71147585085d

SHA1
0670d8eefb10670c034f755c5df5ed4f6d50286f

SHA256
2931bfc7fe032f9f05bcb2295835b8f1e5d3adf79bd4cbad33666ecc93b41352

SHA512
9dd5411063311bbaf92f8d26108bb78d9ae388e2d24104bdec6731649a603bd454ec86157b559374a18368afd306bccb07ad8d60fbd12c8f3cdca652774b43aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\wnjlZfUOqR1s.bat

Filesize
219B

MD5
81003d00b56c9426e72496630bc03717

SHA1
c247a15c545d70a990683fa2092c69ede5fcbf05

SHA256
f4a59858da471d34c2202c3c7324b8edc5b8212ca701bd5ffcd658cecb028ce3

SHA512
3f6bdb476a130c8b6c3f6a66cbcbb2a98b664279d0c7b23e9c92ec452faaf79c8b2dcafe22c748d93e1c76f1e0bae25b5540a159a24b9d0e2d5767e3cfe481da

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
01d372c47429b5f3033452d6d1d663a7

SHA1
8ab8f57c860dea1a495f4e0dd4b56609b0c077bd

SHA256
9633d3945a2b555e3e1dc5a7d04d784687e7df8b74db8f80f86ffa9a7b013af9

SHA512
bffd0dba72a2bb49274ae84c9c61a84064aa93d6c16289d9c2cb0182fea83866663a58409b836405334fb249ea47aa467293254a1994f4f6bfa331d1957e6929

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\01-16-2025

Filesize
224B

MD5
0c1020ac9379305f5819da2c2cd361fe

SHA1
c108554662bc9b671c9565681612910e86783e9c

SHA256
43fd768f37a51f3890cea53bbf05dfe739d888ad079c18927dc868c3ecd4bf9a

SHA512
1495462feae0860d496d99273707719317c0726bac130280be625c9ced3ee5d8849356794332b73a9e8d5447d1a6d2618ac2da6d4593aa15dc94d4e1cb0e60f3

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe

Filesize
8KB

MD5
69994ff2f00eeca9335ccd502198e05b

SHA1
b13a15a5bea65b711b835ce8eccd2a699a99cead

SHA256
2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2

SHA512
ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3

Download Submit
\Users\Admin\AppData\Local\Temp\a\FXServer.exe

Filesize
264KB

MD5
4ed8aa9db458acc0d65765ec16bb1346

SHA1
bc3434dee8225a7b1e18ffa4654a3de098dfc11c

SHA256
c80871c2c51b513894b20774fc1da5c7c0b46fb57d5085ef08eb2ebd02c11dea

SHA512
4918ab97ef2ac6573ae5e30705c5d4b411953e71c04109f57b61ca2fdbaec180578e03f940f16cd42be2d305cad20d3a5f8451ea0940cde8288b638502ab4cfb

Download Submit
memory/780-516-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/780-491-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/780-271-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/780-606-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/868-503-0x0000000001220000-0x0000000001232000-memory.dmp

Filesize
72KB

Download
memory/896-333-0x000000013FF50000-0x000000013FF9C000-memory.dmp

Filesize
304KB

Download
memory/1240-245-0x0000000000980000-0x0000000000CA4000-memory.dmp

Filesize
3.1MB

Download
memory/1336-554-0x00000000013C0000-0x0000000001446000-memory.dmp

Filesize
536KB

Download
memory/1420-253-0x0000000000970000-0x00000000009F6000-memory.dmp

Filesize
536KB

Download
memory/1552-272-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1656-341-0x00000000010C0000-0x00000000013E4000-memory.dmp

Filesize
3.1MB

Download
memory/1672-485-0x00000000012A0000-0x00000000012A8000-memory.dmp

Filesize
32KB

Download
memory/1692-344-0x0000000001240000-0x000000000124E000-memory.dmp

Filesize
56KB

Download
memory/1728-529-0x00000000010E0000-0x0000000001166000-memory.dmp

Filesize
536KB

Download
memory/1796-28-0x0000000000FD0000-0x0000000000FD8000-memory.dmp

Filesize
32KB

Download
memory/1856-177-0x0000000001130000-0x00000000011B6000-memory.dmp

Filesize
536KB

Download
memory/1944-321-0x0000000000D40000-0x0000000001064000-memory.dmp

Filesize
3.1MB

Download
memory/1956-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1956-25-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1996-323-0x0000000000D90000-0x0000000000E16000-memory.dmp

Filesize
536KB

Download
memory/2576-552-0x0000000000D20000-0x0000000000D30000-memory.dmp

Filesize
64KB

Download
memory/2620-528-0x0000000000C90000-0x0000000000C9E000-memory.dmp

Filesize
56KB

Download
memory/2620-527-0x000000001D0C0000-0x000000001D410000-memory.dmp

Filesize
3.3MB

Download
memory/2620-350-0x0000000001130000-0x0000000001140000-memory.dmp

Filesize
64KB

Download
memory/2708-658-0x00000000013E0000-0x0000000001466000-memory.dmp

Filesize
536KB

Download
memory/2848-36-0x0000000000320000-0x0000000000328000-memory.dmp

Filesize
32KB

Download