asyncrat | bd948aeb2b607b34e8d32f22b9e5aee402057adebae4a2e0c70bd666e688f1f8

max time kernel
364s
max time network
772s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
17-01-2025 15:07

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Family

meduza

62.60.217.159

Attributes

anti_dbg
true
anti_vm
true
build_name
xss
extensions
.txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite
grabber_max_size
1.048576e+06
port
15666
self_destruct
true

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

192.168.31.99:4782

2001:4bc9:1f98:a4e::676:4782

255.255.255.0:4782

fe80::cabf:4cff:fe84:9572%17:4782

Mutex

1f65a787-81b8-4955-95e4-b7751e10cd50

Attributes

encryption_key
A0B82A50BBC49EC084E3E53A9E34DF58BD7050B9
install_name
Neverlose Loader.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Java Updater
subdirectory
SubDir

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

heo.ddns.net:5552

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Extracted

Family

metasploit

Version

windows/reverse_tcp

89.197.154.116:7810

Extracted

Family

quasar

Version

1.4.1

Botnet

kys

192.168.100.2:4444

Mutex

87964754-44e1-4ed3-a66e-f8de30cfe006

Attributes

encryption_key
6B74F0C858B7E90573D4E97997F2A082B9781250
install_name
Panel.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Panel
subdirectory
SubDir

Extracted

Family

xworm

HITROL-60505.portmap.host:60505

26.185.184.104:942

26.185.184.104:0942

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:8080

127.0.0.1:18274

6.tcp.eu.ngrok.io:6606

6.tcp.eu.ngrok.io:7707

6.tcp.eu.ngrok.io:8808

6.tcp.eu.ngrok.io:8080

6.tcp.eu.ngrok.io:18274

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

remcos

Botnet

dynu

borc.gleeze.com:2425

memoki.gleeze.com:2426

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
losts.dat
keylog_flag
false
keylog_folder
look
keylog_path
%AppData%
mouse_option
false
mutex
-8YFPV2
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

82.117.243.110:5173

Mutex

edH11NGQWIdCwvLx00

Attributes

encryption_key
aGPuRaDerdUDJPrAfXtB
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Framework
subdirectory
SubDir

Signatures

An open source browser data exporter written in golang. 1 IoCs

resource	yara_rule
behavioral1/files/0x0004000000004ed7-484.dat	family_hackbrowserdata

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Xworm Payload 13 IoCs

resource	yara_rule
behavioral1/files/0x0005000000005b4a-443.dat	family_xworm
behavioral1/memory/2060-447-0x00000000009F0000-0x0000000000A0C000-memory.dmp	family_xworm
behavioral1/memory/2868-480-0x0000000001290000-0x00000000012AC000-memory.dmp	family_xworm
behavioral1/memory/1068-502-0x00000000013E0000-0x00000000013FC000-memory.dmp	family_xworm
behavioral1/memory/2748-512-0x0000000000160000-0x000000000017C000-memory.dmp	family_xworm
behavioral1/files/0x000700000001a2fc-586.dat	family_xworm
behavioral1/memory/2212-590-0x00000000000B0000-0x00000000000C6000-memory.dmp	family_xworm
behavioral1/memory/1728-625-0x0000000000AE0000-0x0000000000AFC000-memory.dmp	family_xworm
behavioral1/memory/292-646-0x0000000000B20000-0x0000000000B3C000-memory.dmp	family_xworm
behavioral1/memory/1136-659-0x0000000000C50000-0x0000000000C6C000-memory.dmp	family_xworm
behavioral1/memory/2088-672-0x0000000000CE0000-0x0000000000CFC000-memory.dmp	family_xworm
behavioral1/memory/404-685-0x00000000002E0000-0x00000000002FC000-memory.dmp	family_xworm
behavioral1/memory/2796-698-0x0000000000B70000-0x0000000000B8C000-memory.dmp	family_xworm

HackBrowserData
An open source golang web browser extractor.
infostealer hackbrowserdata
Hackbrowserdata family
hackbrowserdata
Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00050000000121f8-269.dat	family_meduza

Meduza family
meduza
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit
Njrat family
njrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 8 IoCs

resource	yara_rule
behavioral1/files/0x0013000000015cca-276.dat	family_quasar
behavioral1/memory/2296-282-0x0000000000BA0000-0x0000000000C24000-memory.dmp	family_quasar
behavioral1/files/0x000a0000000120ea-423.dat	family_quasar
behavioral1/memory/2380-427-0x0000000000FA0000-0x00000000012C4000-memory.dmp	family_quasar
behavioral1/memory/1668-433-0x0000000000EF0000-0x0000000001214000-memory.dmp	family_quasar
behavioral1/files/0x0005000000003f26-636.dat	family_quasar
behavioral1/memory/2064-640-0x0000000000210000-0x000000000025E000-memory.dmp	family_quasar
behavioral1/files/0x00030000000054a1-774.dat	family_quasar

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000e0000000120eb-495.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1068	powershell.exe
1860	powershell.exe
2484	powershell.exe
2816	powershell.exe
2564	powershell.exe
2748	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation	jhnykawfkth.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	heo.exe

Executes dropped EXE 13 IoCs

pid	Process
2812	jhnykawfkth.exe
2296	Neverlose%20Loader.exe
2316	heo.exe
2220	Macro2.exe
3052	KeePassRDP_v2.2.2.exe
2380	Client-built.exe
1668	Panel.exe
2060	svchost.exe
2868	svchost.exe
2676	opyhjdase.exe
2900	svchost.exe
2640	aaa%20(3).exe
1068	svchost.exe

Loads dropped DLL 14 IoCs

pid	Process
2308	4363463463464363463463463.exe
2308	4363463463464363463463463.exe
2308	4363463463464363463463463.exe
1940	taskmgr.exe
2308	4363463463464363463463463.exe
2308	4363463463464363463463463.exe
2308	4363463463464363463463463.exe
1204	Process not Found
2308	4363463463464363463463463.exe
2308	4363463463464363463463463.exe
2308	4363463463464363463463463.exe
2308	4363463463464363463463463.exe
984	Process not Found
2308	4363463463464363463463463.exe

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jhnykawfkth.exe
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jhnykawfkth.exe
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jhnykawfkth.exe
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jhnykawfkth.exe
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jhnykawfkth.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
40	raw.githubusercontent.com
160	6.tcp.eu.ngrok.io
198	6.tcp.eu.ngrok.io
214	6.tcp.eu.ngrok.io
144	raw.githubusercontent.com
242	6.tcp.eu.ngrok.io
266	6.tcp.eu.ngrok.io
291	raw.githubusercontent.com
41	raw.githubusercontent.com
108	6.tcp.eu.ngrok.io
126	6.tcp.eu.ngrok.io
143	raw.githubusercontent.com
292	raw.githubusercontent.com
297	6.tcp.eu.ngrok.io

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
45	api.ipify.org
46	api.ipify.org
81	ip-api.com
154	ip-api.com
192	ip-api.com

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\SubDir\Panel.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir\Panel.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir\Panel.exe	Panel.exe
File opened for modification	C:\Windows\system32\SubDir	Panel.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	heo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Macro2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaa%20(3).exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3064	cmd.exe
2368	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1552	taskkill.exe
1452	taskkill.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4363463463464363463463463.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2368	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3048	schtasks.exe
1920	schtasks.exe
2600	schtasks.exe
1544	schtasks.exe
1068	schtasks.exe
2220	schtasks.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3036	chrome.exe
3036	chrome.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
2812	jhnykawfkth.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
3036	chrome.exe
3036	chrome.exe
2484	powershell.exe
2816	powershell.exe
2564	powershell.exe
2748	powershell.exe
2060	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1940	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2308	4363463463464363463463463.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeDebugPrivilege	1940	taskmgr.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe
Token: SeShutdownPrivilege	3036	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
3036	chrome.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe
1940	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1668	Panel.exe
2060	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2168	3036	chrome.exe	30
PID 3036 wrote to memory of 2168	3036	chrome.exe	30
PID 3036 wrote to memory of 2168	3036	chrome.exe	30
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2748	3036	chrome.exe	32
PID 3036 wrote to memory of 2412	3036	chrome.exe	33
PID 3036 wrote to memory of 2412	3036	chrome.exe	33
PID 3036 wrote to memory of 2412	3036	chrome.exe	33
PID 3036 wrote to memory of 2808	3036	chrome.exe	34
PID 3036 wrote to memory of 2808	3036	chrome.exe	34
PID 3036 wrote to memory of 2808	3036	chrome.exe	34
PID 3036 wrote to memory of 2808	3036	chrome.exe	34
PID 3036 wrote to memory of 2808	3036	chrome.exe	34
PID 3036 wrote to memory of 2808	3036	chrome.exe	34
PID 3036 wrote to memory of 2808	3036	chrome.exe	34
PID 3036 wrote to memory of 2808	3036	chrome.exe	34
PID 3036 wrote to memory of 2808	3036	chrome.exe	34
PID 3036 wrote to memory of 2808	3036	chrome.exe	34
PID 3036 wrote to memory of 2808	3036	chrome.exe	34
PID 3036 wrote to memory of 2808	3036	chrome.exe	34
PID 3036 wrote to memory of 2808	3036	chrome.exe	34
PID 3036 wrote to memory of 2808	3036	chrome.exe	34
PID 3036 wrote to memory of 2808	3036	chrome.exe	34
PID 3036 wrote to memory of 2808	3036	chrome.exe	34
PID 3036 wrote to memory of 2808	3036	chrome.exe	34
PID 3036 wrote to memory of 2808	3036	chrome.exe	34
PID 3036 wrote to memory of 2808	3036	chrome.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jhnykawfkth.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jhnykawfkth.exe

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2308
- C:\Users\Admin\AppData\Local\Temp\Files\jhnykawfkth.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\jhnykawfkth.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - outlook_office_path
  - outlook_win_path
  PID:2812
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Files\jhnykawfkth.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3064
  - - C:\Windows\system32\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2368
- C:\Users\Admin\AppData\Local\Temp\Files\Neverlose%20Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Neverlose%20Loader.exe"
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Users\Admin\AppData\Local\Temp\Files\heo.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\heo.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2316
- C:\Users\Admin\AppData\Local\Temp\Files\Macro2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Macro2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2220
- C:\Users\Admin\AppData\Local\Temp\Files\KeePassRDP_v2.2.2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\KeePassRDP_v2.2.2.exe"
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2380
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Panel" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Panel.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3048
- - C:\Windows\system32\SubDir\Panel.exe
    "C:\Windows\system32\SubDir\Panel.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:1668
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Panel" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Panel.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1920
- C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2484
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2564
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2748
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2600
- C:\Users\Admin\AppData\Local\Temp\Files\opyhjdase.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\opyhjdase.exe"
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Users\Admin\AppData\Local\Temp\Files\aaa%20(3).exe
  "C:\Users\Admin\AppData\Local\Temp\Files\aaa%20(3).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2640
- C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"
  2⤵
  PID:2212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1860
- C:\Users\Admin\AppData\Local\Temp\Files\Host.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Host.exe"
  2⤵
  PID:2776
- C:\Users\Admin\AppData\Local\Temp\Files\hbfgjhhesfd.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\hbfgjhhesfd.exe"
  2⤵
  PID:2064
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Framework" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\hbfgjhhesfd.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1544
- C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe"
  2⤵
  PID:3032
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Microsoft OneDrive" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Onedrive\Onedrive.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1068
- - C:\Users\Admin\AppData\Roaming\Onedrive\Onedrive.exe
    "C:\Users\Admin\AppData\Roaming\Onedrive\Onedrive.exe"
    3⤵
    PID:948
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Microsoft OneDrive" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Onedrive\Onedrive.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2220
- C:\Users\Admin\AppData\Local\Temp\Files\ExSync.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ExSync.exe"
  2⤵
  PID:2804
- - C:\Users\Admin\AppData\Local\Temp\ExSync.exe
    "C:\Users\Admin\AppData\Local\Temp\ExSync.exe" -l "C:\Users\Admin\AppData\Local\Temp\Files\ExSync.exe"
    3⤵
    PID:1804
- C:\Users\Admin\AppData\Local\Temp\Files\000.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\000.exe"
  2⤵
  PID:1800
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
    3⤵
    PID:3068
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Kills process with taskkill
      PID:1552
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:1452
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic useraccount where name='Admin' set FullName='UR NEXT'
      4⤵
      PID:2404
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic useraccount where name='Admin' rename 'UR NEXT'
      4⤵
      PID:1704
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown /f /r /t 0
      4⤵
      PID:1552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5549758,0x7fef5549768,0x7fef5549778
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1372,i,15734869634326432188,12989567710319006724,131072 /prefetch:2
  2⤵
  PID:2748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1372,i,15734869634326432188,12989567710319006724,131072 /prefetch:8
  2⤵
  PID:2412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1544 --field-trial-handle=1372,i,15734869634326432188,12989567710319006724,131072 /prefetch:8
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2284 --field-trial-handle=1372,i,15734869634326432188,12989567710319006724,131072 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2304 --field-trial-handle=1372,i,15734869634326432188,12989567710319006724,131072 /prefetch:1
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1680 --field-trial-handle=1372,i,15734869634326432188,12989567710319006724,131072 /prefetch:2
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1168 --field-trial-handle=1372,i,15734869634326432188,12989567710319006724,131072 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3448 --field-trial-handle=1372,i,15734869634326432188,12989567710319006724,131072 /prefetch:1
  2⤵
  PID:956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1372,i,15734869634326432188,12989567710319006724,131072 /prefetch:8
  2⤵
  PID:1664

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2780

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2136

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1940

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "563542819-20990728832122925684-201956525717265599061782283940-3684977312011396144"
1⤵
PID:3064

C:\Windows\system32\taskeng.exe
taskeng.exe {60DB1DE4-8588-4DD7-BF87-E832DCB64601} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
1⤵
PID:2104
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  PID:2748
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  PID:1728
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  PID:292
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  PID:1136
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  PID:2088
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  PID:404
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  PID:2796

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2804

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9081bbdd90f525ad5088cebe122f748a

SHA1
565a996d5d837f192233ac3a90572292a4d94d9c

SHA256
6451e286dc641d8b69c8d6519a95cbabbf23ae72e5be180496e02191bd3b1ced

SHA512
38eb20b629f32078f4fc7df11e45bc875099c465b72ff4bf45b9078b7f85b2080fd8d74c7672e5bac72781b14c230368d4cd62e830437057e96d64bc9ece2888

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f7cd4ea59f7b84bb820c97fa3c00a4b

SHA1
58a4fce1339f454772d92b160b703be0088ec5ff

SHA256
d8860ba475898c5f90189a0be075ed3cb41c17acff04cf3381d961737d1b8c56

SHA512
134a0c23863f4799641411ad268d16f0d49bf665b9d27dbbb2335c5d90cfefa989a3cf2a1152f7b34987c19ab1c0d0fcf240fd4ab2a3113621163b72b8f26766

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9df996b5890b9f1b20a6d99cae3cc26c

SHA1
d842d87cd6349d4751c621fde0891c429f37d0a9

SHA256
6763ea18622ab17be4b8838f50c0719e9ecc843ed405f0e74cd67897a2bf2f1d

SHA512
af9e59058b730ab7d8844e5cf9f5f57697208ced06d1c9406dbfdfcec1efba370d7225ad3bdc17510d07ebf66be8dea4a90a55ceac368226a61370753f4df5ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
d6c7458c76484f37b7b4ba66fa9b6e81

SHA1
2b5763ad26e3f8347fd5891919a7d3e0f78f0e5b

SHA256
f54403161d4773f7f3113b99aea188765585b3e144ed9c323431112c01bac19c

SHA512
2d30636d511a190257b527e2c47fc10163bd6db74e3a820dc2eb8a266731248183a04d3b13d743ad5da81dd47aaebc4c63bbf0ebb59429531886380bdc9bbdb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
215KB

MD5
d474ec7f8d58a66420b6daa0893a4874

SHA1
4314642571493ba983748556d0e76ec6704da211

SHA256
553a19b6f44f125d9594c02231e4217e9d74d92b7065dc996d92f1e53f6bcb69

SHA512
344062d1be40db095abb7392b047b16f33ea3043158690cf66a2fa554aa2db79c4aa68de1308f1eddf6b9140b9ac5de70aad960b4e8e8b91f105213c4aace348

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
53c66e63de54b7bc5c059f25f770f3cc

SHA1
f03aac0f3e66b1bcdb14540f6abd572e5345f46a

SHA256
ae254e5a0b8bbf0db307711df027415c08278be9ab7b807ad99bae5f31df5adc

SHA512
4059b448e12183c4ab4150cf5b73d62f8f6f389afeff580e4f978483f4ff660825e18f354bc4d6c198e823b06c78ba95cfb995e5f9a02e0b974a0a718a15a914

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
509fd6e7630d3ad2d5cfdb5e261f0af9

SHA1
ba892289704e2251318a758f21ec1167888e615d

SHA256
742dd12cd273a7c280489e4de2f966f8353d3ac4bcf8a4e11d97c36afafee8db

SHA512
fc88b1a17a9d73adc5da12d2219fe2b0c7611e9396964f37048af63a2830c450d63ea3aeb3d591bebff9f3ecc8296e89da1b448d51afa3e7cdeb800d32a558ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
768bc7b1aee8279b6c37dc0d02e09869

SHA1
896957e4298689d36a08136bd635bc184b815def

SHA256
0a1a95f365ccf1d21267fe0cdcdf6529ca60e1a8908dcec4dc4548622878776a

SHA512
6de4edb5605ba974840ed9f0d708539f116f4a1fc1c2d4452f48bfa53856bac72a1eccec2623ea0c01e29a3ee9a37cc127d6014dba462c819520147f09eabc32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
848dda704b8119bdde398b4090928737

SHA1
7d11504936cbfaae82d16a5a8334152a83293487

SHA256
4ec8c5a636dc0604bf2b344cfffe959896519aeba50a4b602e30ac380fb6be5a

SHA512
6c0a106024c61f5843e82c0e21f985d1ddf531eb0ea97f27d2d01fdf35c242754b3623e4952d31370e6fe4f317d8454a4d0e36932569ad2274059e043c54908c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
447a7060ce1693db55c0907393fc6566

SHA1
e98dad51ddfb9c58e539b214a0d3521f849e1798

SHA256
3407aa51628df74b6917a7e58cd96246436c8dc5d31ebbdc2e79865056a5fde5

SHA512
95b835f3d6fff58b840bf9596374e9b19be1a0c8b02b9eda00be366e4c2ed8a5223aa14f2a350fb972236bf70ba2eeba49dd0cf00542f1abb20562b7c8b641bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e5939fb689a9c9a07172ce87e8a2e1fe

SHA1
15bf77dfc3b0c4041e982c388871491f33c4af07

SHA256
0a216f0dd4349c9b91998e6d3bb980e373f51df860a1820eedaeea1986384e17

SHA512
23464aacc4a5b9d7de899b9e86c594e86d97dfe53df8b3e27608aaf496abe5fb2b9993a59b3671126c0eedfa679598659eb269980b85e7d72ccb7afe558d47ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
330KB

MD5
c7b6b5e8eeb60a15e1f5d322ee7f4c07

SHA1
4519c83fe04d1ca78e2d2b13116cc5021e92916d

SHA256
a046356d1aa50a0c0b7b32299d7cacc843a1d532a3044bc8e45cd0692754f7b2

SHA512
d691b240f6a40a3937e1437ecff8169ebc0b9f252f1004fa46c58474a41b825f392ab548217f8686fa4c353c080aa84cb6b58c815d55cf895e24072cba1bef89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDB53.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDB95.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\v.mp4

Filesize
81KB

MD5
d2774b188ab5dde3e2df5033a676a0b4

SHA1
6e8f668cba211f1c3303e4947676f2fc9e4a1bcc

SHA256
95374cf300097872a546d89306374e7cf2676f7a8b4c70274245d2dccfc79443

SHA512
3047a831ed9c8690b00763061807e98e15e9534ebc9499e3e5abb938199f9716c0e24a83a13291a8fd5b91a6598aeeef377d6793f6461fc0247ec4bbd901a131

Download Submit
C:\Users\Admin\AppData\Local\Temp\windl.bat

Filesize
771B

MD5
a9401e260d9856d1134692759d636e92

SHA1
4141d3c60173741e14f36dfe41588bb2716d2867

SHA256
b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7

SHA512
5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
38a261f46e2edf9e8bfd17ba16cf2c84

SHA1
60fd73212a0d292a3167c7011b5dec152504f26d

SHA256
148eabe1431cc34b41098efee3349ecfe0ebff7d5c941cb1baec004326989710

SHA512
2adf8f2f0428274a88cdf6fde09e2e3a666ea2c57cdc665d18e56907326d0b2c06d94639df9817b4485b347b319afb69ece66bc797d131b94e259eb260e22570

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\F43BVT9LVPESB42YC0WK.temp

Filesize
7KB

MD5
78e9ce7133cebcf09f7a3a720d9f99dd

SHA1
a4c9fd16367d874e115eaa5b25b04e285abd4c76

SHA256
83ba252ec90c817fe164a6fc05646786e2e8977a5f83eb28624b7d538d374158

SHA512
dc396d47f2f17dd07e4b7bf511e8a9f4fb646ecc57584e88c7a60b7106a16972965486cb43eee2e554f475fa36f4716f03037353b8628da92774c2256e8af243

Download Submit
C:\Users\Admin\AppData\Roaming\Onedrive\Onedrive.exe

Filesize
3.2MB

MD5
7056e050ebbfca6ae325797d51eb2d0a

SHA1
055cd6e4bde3449d72f7061620647ecb73d6b9cd

SHA256
c316b0b818125541a90d7110af8c0908a8d6c73d3b846a27aed647fab6b38e00

SHA512
0c54802ad35f5a00c5db1195df2d566bc18a384f486cc3ca00dc63bb86e3fc5d105192cfe5efe9ed62bdedb441877486ec7aedbd7a6bf59fcda2f772308b150e

Download Submit
C:\Users\Admin\AppData\Roaming\look\losts.dat

Filesize
102B

MD5
c7b69cb328a7f8e43de06683234b61fa

SHA1
a2ce6c0ecb4d48e3565e50130db21677d168b5fd

SHA256
971c13904b520ff552aa039d0a0874a4af920930d94fb456dcf9091c3364bf5b

SHA512
32c37eb539a76f1c4e5c062d103b471e7468e2cf6076db746d4c24c3b3b849efa9106eed8d0297cc18918225165e900588079ce73d5629c51d71a15d9a348748

Download Submit
C:\Users\Admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N1XT.txt

Filesize
396B

MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Client-built.exe

Filesize
3.1MB

MD5
3c8875bb8a38b7b3a8ae874e24461da5

SHA1
c2cbcf60e8c3639ec777fbdd614c97a5ae854117

SHA256
fdb43a2f99ffb4ac9cd2a2a0eeffa531de224b45f4b8cce0bd700a89f1f54e01

SHA512
23c8975c12f5d88bbb3845b0154f3bb3ea4e24bdc98f571a3ecb61cfbbc0aa25cbbb0176d2ab990c811c1d15ff7ba1fb92a185bad2c52114e7d0fdf721009f53

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Host.exe

Filesize
481KB

MD5
41b61fec0cf85f2c46e803003580f7c3

SHA1
ce2f606e9d6585df4ebf1627e9e206ad5809951a

SHA256
48f6e705944c626cca75bb3dd1f46befd40ab4eae243f6f8be9dd142a2106ac2

SHA512
702a338ad0254a25a197166de4868b89b6ed5f133f1052473af923918c147d6e61418b662514219b1d04f753deddb1c19be12810b398073fbc8bacd92b13f826

Download Submit
\Users\Admin\AppData\Local\Temp\Files\KeePassRDP_v2.2.2.exe

Filesize
593KB

MD5
732746a9415c27e9c017ac948875cfcb

SHA1
95d5e92135a8a530814439bd3abf4f5cc13891f4

SHA256
e2b3f3c0255e77045f606f538d314f14278b97fd5a6df02b0b152327db1d0ff6

SHA512
1bf9591a04484ed1dab7becb31cd2143c7f08b5667c9774d7249dbd92cf29a98b4cabfa5c6215d933c99dc92835012803a6011245daa14379b66a113670fbb08

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Macro2.exe

Filesize
72KB

MD5
e0dbf63fbaba9fd87d48a9a0f1147c18

SHA1
28fc4efb669a4198234b55e0cfb6bdd39b500692

SHA256
7f03382b370fbe1864dd6a4e488c0c35366aa83542916cce18fa7785b454025c

SHA512
3a4f86ac97c06b0bc420552f42537c6451fbb4137c3e6cb2589551d72733b2021ee491a041ed77c01e2dcc95ec70090732fcea6b952f26323cef85d9d157300e

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Neverlose%20Loader.exe

Filesize
502KB

MD5
f5b150d54a0ba2d902974cbfd6249c56

SHA1
92e28c3d9ff4392eed379d816dda6939113830bd

SHA256
1ba41fb95f728823e54159eb05c34a545ddb09cb2d942b8d7b6de29537204a80

SHA512
57aade72ad0b45fdf1a6fdfa99e0d72165a9d3a77efd48c0fb5976ab605f6a395ab9817ea45f1f63994c772529b6b0c6448fa446d68c9859235ce43bf22cb688

Download Submit
\Users\Admin\AppData\Local\Temp\Files\XClient.exe

Filesize
66KB

MD5
40a811802a354889f950014cf3228c2d

SHA1
d078ed020a3183b8923d5f6dfc93020ce46b71c1

SHA256
01d0ab8bbc0c166a46a3424dda8716614b7605ea04d7254d3200ecf1a2131caf

SHA512
45e9b7de2757415d7a76744103a7a39f6158da73cb73637818a9172895de3714544c603f0f955f2e83a70d2c287c8161ba6af155bbee38e1fcb3a06ca6fa125b

Download Submit
\Users\Admin\AppData\Local\Temp\Files\aaa%20(3).exe

Filesize
45KB

MD5
8123d15bb6100a19ac103b4ec3d592bf

SHA1
713d2344beb28d34864768e7b2c0463044bdc014

SHA256
68e92585378abdd8a5e6ba42c20a66558ebbcc964c08ba3ce56d020568ebf16d

SHA512
ca048fc1aa53af7b517c2b894e038ed7e413690f2a9e9838c0a5624f9530b20ec8ca22c8d99b8b7ed1e049753970880ee047de984557e2e6c28a55ba2c974351

Download Submit
\Users\Admin\AppData\Local\Temp\Files\hbfgjhhesfd.exe

Filesize
288KB

MD5
2b3a191ee1f6d3b21d03ee54aa40b604

SHA1
8ecae557c2735105cc573d86820e81fcff0139c4

SHA256
f0d45f8340cd203ee98c7765267175576d8017df5166f425f8a7483cb35a91c8

SHA512
31f621fd96bf2964529607ae64a173c4a99f3976a91283a3609edc3799d98f59de80da6266ca10c26e5c8733644f1764aab00c7ba3e4dc5456573b9b20b6a393

Download Submit
\Users\Admin\AppData\Local\Temp\Files\heo.exe

Filesize
27KB

MD5
feaca07182c6be327551ba4402a338c7

SHA1
5c699eb735def4473b9b02de282ccead84af1061

SHA256
26e9813dd9d80e2b2441d799608214697d7262e24c739bcc11563756c22d3efc

SHA512
0ada77bc81af9b5d865f06cd6f91457281bdebbf07183367b7d3d0bd598ad7d3ce081b0d1f0741efbbe6c3839620bb17b637ff9727cb3440d5b96b3eab70dda1

Download Submit
\Users\Admin\AppData\Local\Temp\Files\jhnykawfkth.exe

Filesize
2.0MB

MD5
d3435ebfc26894fe8b895267ca8712b4

SHA1
60bcea02905c09e691043d05837e4942b8c4ae25

SHA256
9bb3c3efac7be81d22c386057fe49041d7e7ef3da1974ecb987cc83eae8da103

SHA512
8e884c0dcb76ca08c9674fb430b89e1bb9a3f999ac2c0078d2cefedfe72283d3249c5b9851064449294f8e39096f95c760d4c991238ed6338bb9409394872849

Download Submit
\Users\Admin\AppData\Local\Temp\Files\opyhjdase.exe

Filesize
14.6MB

MD5
0d53256905411410fcfbbbcda13abdbb

SHA1
cdea834f452864559cf7471614948cbc575e0fcb

SHA256
d336273cee697dec1b8f9e1643005a2cd8b80305e9f8dc257ab69d2322f38927

SHA512
d6d2f8973cfda896edd0869a76773d14dc9a866be31fd1629c8cc9139ff18f1c7d84a6321cac1369d254eb64edb6bc7f7ba3d905c0622a6e5dc84faa813122f9

Download Submit
\Users\Admin\AppData\Local\Temp\Files\svchost.exe

Filesize
87KB

MD5
49e8233c88a22e4dd05dc1daa1433264

SHA1
154327c7a89a3d6277d9fb355a8040b878c7b12b

SHA256
47169c00735dc8287955be416ea9f3ba9b6d8a8586b25b789370a96531883d8d

SHA512
7679f8bb2868a840560b71fd9b1ffc6b1758870381161171d09c0db7179b13b71ff4cff8d1119e44283f1415424ffc491e959fb1216c4861ad0f0578fdf8e4d6

Download Submit
memory/292-646-0x0000000000B20000-0x0000000000B3C000-memory.dmp

Filesize
112KB

Download
memory/404-685-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/1068-502-0x00000000013E0000-0x00000000013FC000-memory.dmp

Filesize
112KB

Download
memory/1068-606-0x00000000029F0000-0x00000000029F8000-memory.dmp

Filesize
32KB

Download
memory/1068-605-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/1136-659-0x0000000000C50000-0x0000000000C6C000-memory.dmp

Filesize
112KB

Download
memory/1668-433-0x0000000000EF0000-0x0000000001214000-memory.dmp

Filesize
3.1MB

Download
memory/1728-625-0x0000000000AE0000-0x0000000000AFC000-memory.dmp

Filesize
112KB

Download
memory/1800-802-0x0000000000910000-0x000000000091A000-memory.dmp

Filesize
40KB

Download
memory/1800-1619-0x0000000000B00000-0x0000000000B0A000-memory.dmp

Filesize
40KB

Download
memory/1800-1620-0x0000000000B70000-0x0000000000B75000-memory.dmp

Filesize
20KB

Download
memory/1800-811-0x0000000000A00000-0x0000000000A0A000-memory.dmp

Filesize
40KB

Download
memory/1800-813-0x0000000000A00000-0x0000000000A0A000-memory.dmp

Filesize
40KB

Download
memory/1800-814-0x0000000000A00000-0x0000000000A0A000-memory.dmp

Filesize
40KB

Download
memory/1800-812-0x0000000000A00000-0x0000000000A0A000-memory.dmp

Filesize
40KB

Download
memory/1800-810-0x0000000000A00000-0x0000000000A0A000-memory.dmp

Filesize
40KB

Download
memory/1860-612-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

Filesize
2.9MB

Download
memory/1860-613-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/1940-204-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1940-161-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1940-203-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1940-202-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1940-324-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1940-160-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2060-447-0x00000000009F0000-0x0000000000A0C000-memory.dmp

Filesize
112KB

Download
memory/2064-640-0x0000000000210000-0x000000000025E000-memory.dmp

Filesize
312KB

Download
memory/2088-672-0x0000000000CE0000-0x0000000000CFC000-memory.dmp

Filesize
112KB

Download
memory/2212-590-0x00000000000B0000-0x00000000000C6000-memory.dmp

Filesize
88KB

Download
memory/2296-282-0x0000000000BA0000-0x0000000000C24000-memory.dmp

Filesize
528KB

Download
memory/2308-3-0x000000007446E000-0x000000007446F000-memory.dmp

Filesize
4KB

Download
memory/2308-2-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/2308-0-0x000000007446E000-0x000000007446F000-memory.dmp

Filesize
4KB

Download
memory/2308-4-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/2308-1-0x0000000000230000-0x0000000000238000-memory.dmp

Filesize
32KB

Download
memory/2380-427-0x0000000000FA0000-0x00000000012C4000-memory.dmp

Filesize
3.1MB

Download
memory/2484-453-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/2484-452-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2640-500-0x0000000000230000-0x0000000000242000-memory.dmp

Filesize
72KB

Download
memory/2748-512-0x0000000000160000-0x000000000017C000-memory.dmp

Filesize
112KB

Download
memory/2796-698-0x0000000000B70000-0x0000000000B8C000-memory.dmp

Filesize
112KB

Download
memory/2816-459-0x000000001B7B0000-0x000000001BA92000-memory.dmp

Filesize
2.9MB

Download
memory/2816-460-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/2868-480-0x0000000001290000-0x00000000012AC000-memory.dmp

Filesize
112KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads