asyncrat | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

max time kernel
148s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26/02/2025, 23:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

asyncrat gcleaner njrat quasar remcos bot crypt default dock.exe bootkit defense_evasion discovery loader persistence privilege_escalation rat spyware trojan

Malware Config

Extracted

Family

remcos

Botnet

Crypt

185.225.73.67:1050

Attributes

audio_folder
576ruythg6534trewf
audio_path
%WinDir%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
76y5trfed675ytg.exe
copy_folder
kjhgfdc
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
654ytrf654trf654ytgref.dat
keylog_flag
false
keylog_folder
67yrtg564tr6754yter
mouse_option
false
mutex
89765y4tergfw6587ryute-80UMP1
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
67y4htergf65trgewfd654tyrfg
screenshot_path
%Temp%
screenshot_time
10
startup_value
6754ytr756ytr7654yretg8765uyt
take_screenshot_option
true
take_screenshot_time
5
take_screenshot_title
bank

Extracted

Family

njrat

Version

im523

Botnet

dock.exe

pool-tournaments.gl.at.ply.gg:7445

Mutex

ec1d783eda90ea4f1a73218af4fd58aa

Attributes

reg_key
ec1d783eda90ea4f1a73218af4fd58aa
splitter
|'|'|

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

18.ip.gl.ply.gg:6606

18.ip.gl.ply.gg:7707

18.ip.gl.ply.gg:8808

18.ip.gl.ply.gg:9028

Mutex

lmk8StbxTzvz

Attributes

delay
3
install
true
install_file
Discord.exe
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

bot

wexos47815-61484.portmap.host:61484

Mutex

06e2bb33-968c-4ca7-97dc-f23fbd5c3092

Attributes

encryption_key
8924CB3C9515DA437A37F5AE598376261E5528FC
install_name
msinfo32.exe
log_directory
Update
reconnect_delay
3000
startup_key
Discordupdate
subdirectory
dll32

Extracted

Family

gcleaner

80.66.75.114

45.91.200.135

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
Njrat family
njrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 4 IoCs

resource	yara_rule
behavioral1/files/0x00050000000195b1-273.dat	family_quasar
behavioral1/memory/2840-277-0x0000000000FF0000-0x0000000001314000-memory.dmp	family_quasar
behavioral1/memory/2960-298-0x0000000000330000-0x0000000000654000-memory.dmp	family_quasar
behavioral1/memory/1772-316-0x0000000001220000-0x0000000001544000-memory.dmp	family_quasar

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

UAC bypass 3 TTPs 3 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x00060000000195af-263.dat	family_asyncrat

Disables Task Manager via registry modification
defense_evasion

Downloads MZ/PE file 7 IoCs

flow	pid	Process
12	2368	4363463463464363463463463.exe
12	2368	4363463463464363463463463.exe
16	2368	4363463463464363463463463.exe
16	2368	4363463463464363463463463.exe
16	2368	4363463463464363463463463.exe
16	2368	4363463463464363463463463.exe
35	2368	4363463463464363463463463.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2452	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ec1d783eda90ea4f1a73218af4fd58aa.exe	dlscord.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ec1d783eda90ea4f1a73218af4fd58aa.exe	dlscord.exe

Executes dropped EXE 19 IoCs

pid	Process
2728	random.exe
896	NOTallowedtocrypt.exe
1584	cnct.exe
1736	76y5trfed675ytg.exe
2448	dlscord.exe
2948	alex12344.exe
2408	Discord.exe
2840	discordupdate.exe
1152	VOLATUS0.5.exe
2960	msinfo32.exe
2072	Discord.exe
1772	msinfo32.exe
2804	Yellow%20Pages%20Scraper.exe
2932	univ.exe
2812	msinfo32.exe
2196	msinfo32.exe
1984	msinfo32.exe
1924	msinfo32.exe
1920	msinfo32.exe

Loads dropped DLL 21 IoCs

pid	Process
2368	4363463463464363463463463.exe
2368	4363463463464363463463463.exe
2368	4363463463464363463463463.exe
2368	4363463463464363463463463.exe
2368	4363463463464363463463463.exe
896	NOTallowedtocrypt.exe
896	NOTallowedtocrypt.exe
1584	cnct.exe
2368	4363463463464363463463463.exe
2368	4363463463464363463463463.exe
2368	4363463463464363463463463.exe
2368	4363463463464363463463463.exe
2368	4363463463464363463463463.exe
1148	cmd.exe
2368	4363463463464363463463463.exe
2368	4363463463464363463463463.exe
2368	4363463463464363463463463.exe
2992	WerFault.exe
2992	WerFault.exe
2992	WerFault.exe
2992	WerFault.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\6754ytr756ytr7654yretg8765uyt = "\"C:\\Users\\Admin\\AppData\\Roaming\\kjhgfdc\\76y5trfed675ytg.exe\""	NOTallowedtocrypt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\6754ytr756ytr7654yretg8765uyt = "\"C:\\Users\\Admin\\AppData\\Roaming\\kjhgfdc\\76y5trfed675ytg.exe\""	76y5trfed675ytg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\6754ytr756ytr7654yretg8765uyt = "\"C:\\Users\\Admin\\AppData\\Roaming\\kjhgfdc\\76y5trfed675ytg.exe\""	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ec1d783eda90ea4f1a73218af4fd58aa = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dlscord.exe\" .."	dlscord.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\6754ytr756ytr7654yretg8765uyt = "\"C:\\Users\\Admin\\AppData\\Roaming\\kjhgfdc\\76y5trfed675ytg.exe\""	NOTallowedtocrypt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\6754ytr756ytr7654yretg8765uyt = "\"C:\\Users\\Admin\\AppData\\Roaming\\kjhgfdc\\76y5trfed675ytg.exe\""	76y5trfed675ytg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\6754ytr756ytr7654yretg8765uyt = "\"C:\\Users\\Admin\\AppData\\Roaming\\kjhgfdc\\76y5trfed675ytg.exe\""	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ec1d783eda90ea4f1a73218af4fd58aa = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dlscord.exe\" .."	dlscord.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
16	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	VOLATUS0.5.exe

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	F:\autorun.inf	dlscord.exe
File opened for modification	F:\autorun.inf	dlscord.exe
File created	C:\autorun.inf	dlscord.exe
File opened for modification	C:\autorun.inf	dlscord.exe
File created	D:\autorun.inf	dlscord.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File created	C:\Windows\system32\dll32\msinfo32.exe	discordupdate.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	discordupdate.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	discordupdate.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1736 set thread context of 1688	1736	76y5trfed675ytg.exe	40
PID 1688 set thread context of 276	1688	iexplore.exe	46

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2992	1152	WerFault.exe	54

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yellow%20Pages%20Scraper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VOLATUS0.5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	univ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTallowedtocrypt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cnct.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlscord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76y5trfed675ytg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1256	PING.EXE
2056	PING.EXE
2576	PING.EXE
2828	PING.EXE
684	PING.EXE
2016	PING.EXE
2892	PING.EXE

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3004	timeout.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1248	reg.exe
1788	reg.exe
864	reg.exe
1520	reg.exe

Modifies system certificate store 2 TTPs 3 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4363463463464363463463463.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
2056	PING.EXE
2576	PING.EXE
2828	PING.EXE
684	PING.EXE
2016	PING.EXE
2892	PING.EXE
1256	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1996	schtasks.exe
2880	schtasks.exe
2992	schtasks.exe
1980	schtasks.exe
2672	schtasks.exe
2284	schtasks.exe
2252	schtasks.exe
1536	schtasks.exe
2988	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1736	76y5trfed675ytg.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe
2448	dlscord.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2448	dlscord.exe
1688	iexplore.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1736	76y5trfed675ytg.exe
1688	iexplore.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	2368	4363463463464363463463463.exe
Token: SeDebugPrivilege	2448	dlscord.exe
Token: 33	2448	dlscord.exe
Token: SeIncBasePriorityPrivilege	2448	dlscord.exe
Token: 33	2448	dlscord.exe
Token: SeIncBasePriorityPrivilege	2448	dlscord.exe
Token: 33	2448	dlscord.exe
Token: SeIncBasePriorityPrivilege	2448	dlscord.exe
Token: 33	2448	dlscord.exe
Token: SeIncBasePriorityPrivilege	2448	dlscord.exe
Token: SeDebugPrivilege	2840	discordupdate.exe
Token: SeDebugPrivilege	2408	Discord.exe
Token: SeDebugPrivilege	2960	msinfo32.exe
Token: 33	2448	dlscord.exe
Token: SeIncBasePriorityPrivilege	2448	dlscord.exe
Token: SeDebugPrivilege	2072	Discord.exe
Token: SeDebugPrivilege	2728	random.exe
Token: 33	2448	dlscord.exe
Token: SeIncBasePriorityPrivilege	2448	dlscord.exe
Token: SeDebugPrivilege	1772	msinfo32.exe
Token: 33	2448	dlscord.exe
Token: SeIncBasePriorityPrivilege	2448	dlscord.exe
Token: SeDebugPrivilege	2812	msinfo32.exe
Token: 33	2448	dlscord.exe
Token: SeIncBasePriorityPrivilege	2448	dlscord.exe
Token: SeDebugPrivilege	2196	msinfo32.exe
Token: 33	2448	dlscord.exe
Token: SeIncBasePriorityPrivilege	2448	dlscord.exe
Token: 33	2448	dlscord.exe
Token: SeIncBasePriorityPrivilege	2448	dlscord.exe
Token: SeDebugPrivilege	1984	msinfo32.exe
Token: 33	2448	dlscord.exe
Token: SeIncBasePriorityPrivilege	2448	dlscord.exe
Token: SeDebugPrivilege	1924	msinfo32.exe
Token: 33	2448	dlscord.exe
Token: SeIncBasePriorityPrivilege	2448	dlscord.exe
Token: 33	2448	dlscord.exe
Token: SeIncBasePriorityPrivilege	2448	dlscord.exe
Token: SeDebugPrivilege	1920	msinfo32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1688	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2728	2368	4363463463464363463463463.exe	32
PID 2368 wrote to memory of 2728	2368	4363463463464363463463463.exe	32
PID 2368 wrote to memory of 2728	2368	4363463463464363463463463.exe	32
PID 2368 wrote to memory of 2728	2368	4363463463464363463463463.exe	32
PID 2368 wrote to memory of 896	2368	4363463463464363463463463.exe	33
PID 2368 wrote to memory of 896	2368	4363463463464363463463463.exe	33
PID 2368 wrote to memory of 896	2368	4363463463464363463463463.exe	33
PID 2368 wrote to memory of 896	2368	4363463463464363463463463.exe	33
PID 896 wrote to memory of 3016	896	NOTallowedtocrypt.exe	34
PID 896 wrote to memory of 3016	896	NOTallowedtocrypt.exe	34
PID 896 wrote to memory of 3016	896	NOTallowedtocrypt.exe	34
PID 896 wrote to memory of 3016	896	NOTallowedtocrypt.exe	34
PID 3016 wrote to memory of 1788	3016	cmd.exe	36
PID 3016 wrote to memory of 1788	3016	cmd.exe	36
PID 3016 wrote to memory of 1788	3016	cmd.exe	36
PID 3016 wrote to memory of 1788	3016	cmd.exe	36
PID 2368 wrote to memory of 1584	2368	4363463463464363463463463.exe	37
PID 2368 wrote to memory of 1584	2368	4363463463464363463463463.exe	37
PID 2368 wrote to memory of 1584	2368	4363463463464363463463463.exe	37
PID 2368 wrote to memory of 1584	2368	4363463463464363463463463.exe	37
PID 896 wrote to memory of 1736	896	NOTallowedtocrypt.exe	38
PID 896 wrote to memory of 1736	896	NOTallowedtocrypt.exe	38
PID 896 wrote to memory of 1736	896	NOTallowedtocrypt.exe	38
PID 896 wrote to memory of 1736	896	NOTallowedtocrypt.exe	38
PID 1736 wrote to memory of 580	1736	76y5trfed675ytg.exe	39
PID 1736 wrote to memory of 580	1736	76y5trfed675ytg.exe	39
PID 1736 wrote to memory of 580	1736	76y5trfed675ytg.exe	39
PID 1736 wrote to memory of 580	1736	76y5trfed675ytg.exe	39
PID 1736 wrote to memory of 1688	1736	76y5trfed675ytg.exe	40
PID 1736 wrote to memory of 1688	1736	76y5trfed675ytg.exe	40
PID 1736 wrote to memory of 1688	1736	76y5trfed675ytg.exe	40
PID 1736 wrote to memory of 1688	1736	76y5trfed675ytg.exe	40
PID 1736 wrote to memory of 1688	1736	76y5trfed675ytg.exe	40
PID 1688 wrote to memory of 1504	1688	iexplore.exe	42
PID 1688 wrote to memory of 1504	1688	iexplore.exe	42
PID 1688 wrote to memory of 1504	1688	iexplore.exe	42
PID 1688 wrote to memory of 1504	1688	iexplore.exe	42
PID 580 wrote to memory of 1520	580	cmd.exe	43
PID 580 wrote to memory of 1520	580	cmd.exe	43
PID 580 wrote to memory of 1520	580	cmd.exe	43
PID 580 wrote to memory of 1520	580	cmd.exe	43
PID 1504 wrote to memory of 864	1504	cmd.exe	45
PID 1504 wrote to memory of 864	1504	cmd.exe	45
PID 1504 wrote to memory of 864	1504	cmd.exe	45
PID 1504 wrote to memory of 864	1504	cmd.exe	45
PID 1688 wrote to memory of 276	1688	iexplore.exe	46
PID 1688 wrote to memory of 276	1688	iexplore.exe	46
PID 1688 wrote to memory of 276	1688	iexplore.exe	46
PID 1688 wrote to memory of 276	1688	iexplore.exe	46
PID 1688 wrote to memory of 276	1688	iexplore.exe	46
PID 1584 wrote to memory of 2448	1584	cnct.exe	47
PID 1584 wrote to memory of 2448	1584	cnct.exe	47
PID 1584 wrote to memory of 2448	1584	cnct.exe	47
PID 1584 wrote to memory of 2448	1584	cnct.exe	47
PID 2448 wrote to memory of 2452	2448	dlscord.exe	48
PID 2448 wrote to memory of 2452	2448	dlscord.exe	48
PID 2448 wrote to memory of 2452	2448	dlscord.exe	48
PID 2448 wrote to memory of 2452	2448	dlscord.exe	48
PID 2368 wrote to memory of 2948	2368	4363463463464363463463463.exe	50
PID 2368 wrote to memory of 2948	2368	4363463463464363463463463.exe	50
PID 2368 wrote to memory of 2948	2368	4363463463464363463463463.exe	50
PID 2368 wrote to memory of 2948	2368	4363463463464363463463463.exe	50
PID 2368 wrote to memory of 2408	2368	4363463463464363463463463.exe	52
PID 2368 wrote to memory of 2408	2368	4363463463464363463463463.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Downloads MZ/PE file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\Files\random.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\random.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2372
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1036
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2720
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1140
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:796
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2540
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1964
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2752
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1944
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1716
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2772
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2032
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2412
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2012
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2868
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1608
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2112
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1996
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2516
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1040
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:3052
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:924
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2964
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1196
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2000
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1264
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2996
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2872
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1028
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2420
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2432
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2284
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:3004
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1148
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1952
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:3040
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1816
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2748
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:852
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1072
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:3020
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2384
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:3028
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1748
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1864
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2180
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2184
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2960
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1392
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1744
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:3012
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1888
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:964
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1736
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2548
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:436
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2236
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1248
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2240
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1500
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1124
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1680
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2484
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1004
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1872
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:3008
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2088
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1372
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2276
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1660
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1732
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1576
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2464
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2836
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1800
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1672
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:272
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1568
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1572
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1772
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2028
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1564
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2440
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2520
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1236
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2756
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:944
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2916
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2760
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2604
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2904
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2788
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2076
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2972
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2700
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2620
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:1356
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2800
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2212
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"
    3⤵
    PID:2744
- C:\Users\Admin\AppData\Local\Temp\Files\NOTallowedtocrypt.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\NOTallowedtocrypt.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1788
- - C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
    "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1736
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:580
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1520
  - - \??\c:\program files (x86)\internet explorer\iexplore.exe
      "c:\program files (x86)\internet explorer\iexplore.exe"
      4⤵
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1688
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1504
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:864
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        
        PID:276
- C:\Users\Admin\AppData\Local\Temp\Files\cnct.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cnct.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Users\Admin\AppData\Local\Temp\dlscord.exe
    "C:\Users\Admin\AppData\Local\Temp\dlscord.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops autorun.inf file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\dlscord.exe" "dlscord.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2452
- C:\Users\Admin\AppData\Local\Temp\Files\alex12344.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\alex12344.exe"
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Users\Admin\AppData\Local\Temp\Files\Discord.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Discord.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2408
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\Admin\AppData\Roaming\Discord.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:660
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\Admin\AppData\Roaming\Discord.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF4DA.tmp.bat""
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1148
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:3004
  - - C:\Users\Admin\AppData\Roaming\Discord.exe
      "C:\Users\Admin\AppData\Roaming\Discord.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2072
- C:\Users\Admin\AppData\Local\Temp\Files\discordupdate.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\discordupdate.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1996
- - C:\Windows\system32\dll32\msinfo32.exe
    "C:\Windows\system32\dll32\msinfo32.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2960
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2284
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\Yovk0IAzMYcd.bat" "
      4⤵
      PID:2088
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1788
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:684
    - - C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
      - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2252
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CiS2TE9PQJks.bat" "
        6⤵
        
        PID:2480
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2508
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2016
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1536
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Lag2mApo00Ak.bat" "
        8⤵
        
        PID:1804
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1984
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2892
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2992
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bodAuK3y59me.bat" "
        10⤵
        
        PID:2024
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1256
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1980
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\K5kXW8x7eAhx.bat" "
        12⤵
        
        PID:1796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1256
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2056
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2988
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\4q34xggYclor.bat" "
        14⤵
        
        PID:3064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2716
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2576
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2672
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\4aLiG0k3tg1J.bat" "
        16⤵
        
        PID:2832
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1796
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2828
- C:\Users\Admin\AppData\Local\Temp\Files\VOLATUS0.5.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\VOLATUS0.5.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c bcdedit /delete {current}
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1144
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1248
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 220
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2992
- C:\Users\Admin\AppData\Local\Temp\Files\Yellow%20Pages%20Scraper.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Yellow%20Pages%20Scraper.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2804
- C:\Users\Admin\AppData\Local\Temp\Files\univ.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\univ.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eefaa15dcdb527cfd5d9ecdfa18d4532

SHA1
777b4e4fe22156c7b14ca027f38839ed70aa5703

SHA256
dd6b9beba46a4692177c858c9dad3a50766e4b2698692de510d6b92e7c378f4f

SHA512
1c270caca7a0b8fea50d06111807da5f255253d95b729919de1bc42f12850cef9b8ef4262b3a260505c3afc23380605a2e193df49855c9f16353e64eccfd8114

Download Submit
C:\Users\Admin\AppData\Local\Temp\4aLiG0k3tg1J.bat

Filesize
197B

MD5
6fcd95bdc48ed49f4477634160e4cb28

SHA1
b9e5e6ea460bec771a608a37a98cc6edef4478d1

SHA256
221727ae4fd5180404479f2a3d0acbf4e4c6d9987bd62aa03df02f47b9fb6f65

SHA512
e43d4a4eaa58003baa45b73461c5ba89b222a343bf9b2f6f2100dc6e8f4d9461d7408a937ba4397d2e54a01ff0c926270970b2d210d5938dd1a87ee56792ce01

Download Submit
C:\Users\Admin\AppData\Local\Temp\4q34xggYclor.bat

Filesize
197B

MD5
c866b19193c43e105e893c94e8faca4f

SHA1
6006740fc7e943be42cf13f2f418e75999c83687

SHA256
4e9433f4b1f602c7febf47450ef9e4725ae04ffa2d1345921519f8342fa086f7

SHA512
8d270a2a0ebf4d051746200fbc12d10767bf0e35bc2dd0e8127982cefee8db9ac5fe56de724fb9e37f2284e6328b86fa8624e5dbbeb4b2623d01ee2232f7e2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CiS2TE9PQJks.bat

Filesize
197B

MD5
36fa3f08c7ef3ecb50a8e7f89666122c

SHA1
b519296d8b81144e27f3ca91797ffec7965930fb

SHA256
1f0373eeff65735acd0b16ec38631bb3f2afd1aebf3d39ecbd168ef7423e2ff5

SHA512
19d7681297e3782bf395a5d856f2b2accfeeaa89de0fd5fa0d516111932e6ea2d21d8800fc66970de3c22bbf90a175480e577054a5c04eef4c664adcce111499

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\NOTallowedtocrypt.exe

Filesize
475KB

MD5
2b8f487213f3da1f42779e22d7b02d1a

SHA1
77c96429d6facbd1900290c9cbfed378103b8e01

SHA256
a4da37e92ca54c8851ad144fba875b61e2018f69bbe43b11926d8f8d831b56f0

SHA512
2db88a30fdfc1e859edb7229b2073449b5d57640e484e21d78047fd674fc194c2c790995621b4d0ed7927ec06e8325c7333a1893227e50d38b2559fc267cc6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\random.exe

Filesize
734KB

MD5
98e538d63ec5a23a3acc374236ae20b6

SHA1
f3fec38f80199e346cac912bf8b65249988a2a7e

SHA256
4d8fbc7578dca954407746a1d73e3232cd8db79dccd57acbeef80da369069a91

SHA512
951a750998448cd3653153bdf24705101136305ff4744ee2092952d773121817fa36347cb797586c58d0f3efc9cfa40ae6d9ce6ea5d2e8ec41acf8d9a03b0827

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\univ.exe

Filesize
320KB

MD5
2245fb9cf8f7d806e0ba7a89da969ec2

SHA1
c3ab3a50e4082b0f20f6ba0ce27b4d155847570b

SHA256
f15fdff76520846b2c01e246d8de9fc24cba9b0162cc0de15e2cf1c24172ee30

SHA512
cc1474cfbd9ffc7a4f92773b2f251b9f1ec9813f73a9be9d0241b502dda516b306d463cc7f8003935e74bc44c3964f6af79a7e4bcf12816ac903b88a77a5a111

Download Submit
C:\Users\Admin\AppData\Local\Temp\K5kXW8x7eAhx.bat

Filesize
197B

MD5
9f8591c727a0b938bcfdf6d811a8f452

SHA1
9a70a4fbfb5d11301f61c1667435452925838dc9

SHA256
6240a1d5b537ee775ddfc0fb7afc1b41188805c23bac228f3453b0db17eeec8c

SHA512
e5fabbf7791eccf8bbf4fedfc011a3b0ce02af29ff355611f9b49c9a4459759cf60735f200818776b7141322b98a189f5ea4f6c998ed7b5b7fa38fd54e617803

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lag2mApo00Ak.bat

Filesize
197B

MD5
e412059d4a043249ae6d6d720cf3ca45

SHA1
d09c3b2f567e57cd30a234d10d94a6a76c93c57d

SHA256
8323527a45a2bf0d5c203ece2076152f4c2876d27771b3e87a4231138bea50bd

SHA512
633ef793ba6ae9b46ca34768ba89db5707dd4ed8369c1304c57638673c99057e18a2c0c06de74bba9aaf09d252b749943c03f3dc0e999bbba4512157bc8eb49d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD698.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yovk0IAzMYcd.bat

Filesize
197B

MD5
74f562dd9755b7467357e7d122b8b7c0

SHA1
132e4df5321c3405881600aa7eed655315ea1232

SHA256
6471a14a6609762f4f0e342b9d9cab074665e5960d6a9c84a669cd7214ebc51f

SHA512
157464a55d235bbf705709b343742686a6c405f7530ea733447bb8b45d0c242cc48b612cc505e86a2d0e38cf0f68ac7b1a719d1b2e5bf1bfeeeeb4b6e1062599

Download Submit
C:\Users\Admin\AppData\Local\Temp\bodAuK3y59me.bat

Filesize
197B

MD5
90d6d1974418354bcb9f4ec9333fe7dd

SHA1
787aff70b3bb65909f58b66969192d47911097c2

SHA256
144348d197ad36ff3d04a50883debf459f88c1a3a30d982a2f042b5340c8eda8

SHA512
6807ff73c4d847d704bbb4f0426942f8f92b5dc7143b110f9b4966d1e2ff1ea598622539955bd054f65cd0764a8699411f94d8c41992cc068a93cef49bbee894

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF4DA.tmp.bat

Filesize
151B

MD5
3ec615206e1160c8dfc2bbc554120bb0

SHA1
fbc9d06b3824df9fbd7f336bbe3bcfe3af033c1e

SHA256
37f5912abf7c39612da5bd88db342be0e7ebbf916584b75cb6716fd3a932b6d7

SHA512
9f93659c91660323378c71aa0ceac9dbf9f8f332a0fc2b74242db8355eb9d4d5270c377564d3cc77e83f94924dd02b73a2cc7f05220b1b214a8b4aca3d3c4b1a

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Discord.exe

Filesize
45KB

MD5
05b54deb0e3e6a3fb9155a14642b50ba

SHA1
77bf6744502a5946861baf104c1cf4babc171b9c

SHA256
c759cde09cf057c2430ceb74bd7f15427d2ad27f0b77dcc8630c8a148486cf27

SHA512
3668e77850acfb0c42f1d15de08fcd737f0c6d7087f25f6404b1f378aea94ca34ab0d85f2bea1c8a9d11692a039d0fa42aeec4876bb802ae2c192608e5bc5a9b

Download Submit
\Users\Admin\AppData\Local\Temp\Files\VOLATUS0.5.exe

Filesize
303KB

MD5
5f8971a358caf5571e82e62e86d430a8

SHA1
bbac59536ed78a0ea26aa6c4a4cf9b25ed6ead62

SHA256
b2ebfb991c6803798482f08850d4b4dd81ceb787b3445bf71bec0bf0c8dc5e5b

SHA512
a898614fb569123ea69e715e36561804dbb8b20ebbe480bee3ee166ec2132172c270a177d6eab10a83768b61b0adf205189609e0efc5433ffdb1c2d614e53876

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Yellow%20Pages%20Scraper.exe

Filesize
684KB

MD5
60ee968291e60900894fc9d914a48a80

SHA1
2c26edf35ac813a2f83148f62676e30b45f171a9

SHA256
52d5d347126a7a686f2da37c2e8868f4bcec2e5affabd850ad45f2b81b21b664

SHA512
9ea212bb0eb25f5309a8717218693306b18fb092d0910015fe4ef569f35377a73647507cb5629266f55550cc2fcc8d73a30d4f4e3c2d2ddd7ba22b575106cfd0

Download Submit
\Users\Admin\AppData\Local\Temp\Files\alex12344.exe

Filesize
809KB

MD5
9821fa45714f3b4538cc017320f6f7e5

SHA1
5bf0752889cefd64dab0317067d5e593ba32e507

SHA256
fd9343a395c034e519aea60471c518edbd8cf1b8a236ec924acf06348e6d3a72

SHA512
90afec395115d932ea272b11daa3245769bdcc9421ecd418722830259a64df19ed7eacca38000f6a846db9f4363817f13232032ab30f2ab1aa7e88097361d898

Download Submit
\Users\Admin\AppData\Local\Temp\Files\cnct.exe

Filesize
37KB

MD5
cbc4f2b569739e02f228eb0b3552e6d4

SHA1
16311eee886788bf935b1cc262677c911720dd67

SHA256
d4b85844f374cf0fc56326afea865c2b9c773c60bfffe0870795a7a4e8b0201f

SHA512
abb9bb78ded6dd5f2583466628b4c64515ff1941d6f39f232a380bb207358fcb99c50e019614bd8d95ca152442fcd8796605d1aa5db365e168645804c1e58ab7

Download Submit
\Users\Admin\AppData\Local\Temp\Files\discordupdate.exe

Filesize
3.1MB

MD5
25befffc195ce47401f74afbe942f3ff

SHA1
287aacd0350f05308e08c6b4b8b88baf56f56160

SHA256
b67121c19394013d4e3fec0fcb138471e5ee51ebfafb296cc597afc0d256799f

SHA512
a28796538d64edaf7d4ba4d19e705211c779230a58b462793dab86ed5f51408feab998cf78ffe808819b4dc27cbaa981cd107887e0d5c7b0fb0f2bbca630973e

Download Submit
memory/276-226-0x0000000000170000-0x00000000001F0000-memory.dmp

Filesize
512KB

Download
memory/276-227-0x0000000000170000-0x00000000001F0000-memory.dmp

Filesize
512KB

Download
memory/276-225-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1152-314-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1688-221-0x00000000000C0000-0x0000000000140000-memory.dmp

Filesize
512KB

Download
memory/1688-250-0x00000000000C0000-0x0000000000140000-memory.dmp

Filesize
512KB

Download
memory/1688-230-0x00000000000C0000-0x0000000000140000-memory.dmp

Filesize
512KB

Download
memory/1688-260-0x00000000000C0000-0x0000000000140000-memory.dmp

Filesize
512KB

Download
memory/1688-403-0x00000000000C0000-0x0000000000140000-memory.dmp

Filesize
512KB

Download
memory/1688-402-0x00000000000C0000-0x0000000000140000-memory.dmp

Filesize
512KB

Download
memory/1688-269-0x00000000000C0000-0x0000000000140000-memory.dmp

Filesize
512KB

Download
memory/1688-270-0x00000000000C0000-0x0000000000140000-memory.dmp

Filesize
512KB

Download
memory/1688-372-0x00000000000C0000-0x0000000000140000-memory.dmp

Filesize
512KB

Download
memory/1688-220-0x00000000000C0000-0x0000000000140000-memory.dmp

Filesize
512KB

Download
memory/1688-370-0x00000000000C0000-0x0000000000140000-memory.dmp

Filesize
512KB

Download
memory/1688-224-0x00000000000C0000-0x0000000000140000-memory.dmp

Filesize
512KB

Download
memory/1688-328-0x00000000000C0000-0x0000000000140000-memory.dmp

Filesize
512KB

Download
memory/1688-327-0x00000000000C0000-0x0000000000140000-memory.dmp

Filesize
512KB

Download
memory/1688-215-0x00000000000C0000-0x0000000000140000-memory.dmp

Filesize
512KB

Download
memory/1688-212-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1688-214-0x00000000000C0000-0x0000000000140000-memory.dmp

Filesize
512KB

Download
memory/1688-213-0x00000000000C0000-0x0000000000140000-memory.dmp

Filesize
512KB

Download
memory/1772-316-0x0000000001220000-0x0000000001544000-memory.dmp

Filesize
3.1MB

Download
memory/2072-302-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/2368-0-0x00000000749FE000-0x00000000749FF000-memory.dmp

Filesize
4KB

Download
memory/2368-63-0x00000000749F0000-0x00000000750DE000-memory.dmp

Filesize
6.9MB

Download
memory/2368-1-0x0000000000C00000-0x0000000000C08000-memory.dmp

Filesize
32KB

Download
memory/2368-2-0x00000000749F0000-0x00000000750DE000-memory.dmp

Filesize
6.9MB

Download
memory/2368-62-0x00000000749FE000-0x00000000749FF000-memory.dmp

Filesize
4KB

Download
memory/2408-268-0x0000000000180000-0x0000000000192000-memory.dmp

Filesize
72KB

Download
memory/2728-103-0x000007FEF5653000-0x000007FEF5654000-memory.dmp

Filesize
4KB

Download
memory/2728-240-0x000007FEF5653000-0x000007FEF5654000-memory.dmp

Filesize
4KB

Download
memory/2728-114-0x0000000000FD0000-0x000000000108E000-memory.dmp

Filesize
760KB

Download
memory/2728-229-0x0000000000190000-0x0000000000212000-memory.dmp

Filesize
520KB

Download
memory/2804-337-0x00000000008E0000-0x0000000000990000-memory.dmp

Filesize
704KB

Download
memory/2840-277-0x0000000000FF0000-0x0000000001314000-memory.dmp

Filesize
3.1MB

Download
memory/2932-359-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/2960-298-0x0000000000330000-0x0000000000654000-memory.dmp

Filesize
3.1MB

Download