asyncrat | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

max time kernel
99s
max time network
100s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/02/2025, 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

asyncrat phorphiex quasar xworm default office04 zjeb discovery loader persistence rat spyware stealer trojan worm

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

ZJEB

VIPEEK1990-25013.portmap.host:25013

Mutex

ebef1e3c-805b-4b1a-aa24-bf4dcab44476

Attributes

encryption_key
3EBA8BC34FA983893A9B07B831E7CEB183F7492D
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Security Service
subdirectory
SubDir

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

2.tcp.eu.ngrok.io:19695

Mutex

gonq3XlXWgiz

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.1.77:4782

Mutex

e819f327-90a2-4d90-a826-8b38a9c4f3d5

Attributes

encryption_key
EFEBD005E03B8B8669985D9A167E2BEF9FFCA477
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

xworm

147.185.221.22:47930

127.0.0.1:47930

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2008-547-0x0000000000C40000-0x0000000000C5A000-memory.dmp	family_xworm

Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000019db8-455.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 7 IoCs

resource	yara_rule
behavioral1/files/0x0005000000019d20-222.dat	family_quasar
behavioral1/memory/2096-226-0x0000000000D50000-0x0000000001074000-memory.dmp	family_quasar
behavioral1/memory/2744-237-0x0000000000EB0000-0x00000000011D4000-memory.dmp	family_quasar
behavioral1/files/0x000500000001a067-349.dat	family_quasar
behavioral1/memory/2552-353-0x0000000000890000-0x0000000000BB4000-memory.dmp	family_quasar
behavioral1/memory/1812-499-0x0000000000150000-0x0000000000474000-memory.dmp	family_quasar
behavioral1/memory/2448-548-0x00000000001A0000-0x00000000004C4000-memory.dmp	family_quasar

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0005000000019fb9-262.dat	family_asyncrat

Downloads MZ/PE file 11 IoCs

flow	pid	Process
10	788	4363463463464363463463463.exe
10	788	4363463463464363463463463.exe
10	788	4363463463464363463463463.exe
18	788	4363463463464363463463463.exe
18	788	4363463463464363463463463.exe
18	788	4363463463464363463463463.exe
18	788	4363463463464363463463463.exe
35	788	4363463463464363463463463.exe
53	788	4363463463464363463463463.exe
61	788	4363463463464363463463463.exe
75	2968	227935216.exe

Executes dropped EXE 20 IoCs

pid	Process
1004	octus.exe
2372	handeltest.exe
2236	123.exe
1264	Pichon.exe
2096	sharpmonoinjector.exe
2744	sharpmonoinjector.exe
684	Opolis.exe
1260	Discord.exe
1536	sharpmonoinjector.exe
2552	Client-built.exe
580	OSM-Client.exe
2896	r.exe
2364	sharpmonoinjector.exe
3032	sysnldcvmr.exe
1812	sharpmonoinjector.exe
2968	227935216.exe
1016	995620604.exe
956	S%D0%B5tu%D1%80111.exe
2008	svchost.exe
2448	sharpmonoinjector.exe

Loads dropped DLL 49 IoCs

pid	Process
788	4363463463464363463463463.exe
788	4363463463464363463463463.exe
788	4363463463464363463463463.exe
788	4363463463464363463463463.exe
2236	123.exe
788	4363463463464363463463463.exe
1560	Process not Found
788	4363463463464363463463463.exe
788	4363463463464363463463463.exe
788	4363463463464363463463463.exe
788	4363463463464363463463463.exe
788	4363463463464363463463463.exe
684	Opolis.exe
580	OSM-Client.exe
580	OSM-Client.exe
580	OSM-Client.exe
580	OSM-Client.exe
580	OSM-Client.exe
580	OSM-Client.exe
580	OSM-Client.exe
580	OSM-Client.exe
580	OSM-Client.exe
580	OSM-Client.exe
580	OSM-Client.exe
580	OSM-Client.exe
580	OSM-Client.exe
580	OSM-Client.exe
580	OSM-Client.exe
580	OSM-Client.exe
580	OSM-Client.exe
580	OSM-Client.exe
580	OSM-Client.exe
580	OSM-Client.exe
580	OSM-Client.exe
580	OSM-Client.exe
580	OSM-Client.exe
580	OSM-Client.exe
580	OSM-Client.exe
580	OSM-Client.exe
580	OSM-Client.exe
580	OSM-Client.exe
580	OSM-Client.exe
788	4363463463464363463463463.exe
788	4363463463464363463463463.exe
3032	sysnldcvmr.exe
2968	227935216.exe
788	4363463463464363463463463.exe
788	4363463463464363463463463.exe
788	4363463463464363463463463.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe"	r.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
17	raw.githubusercontent.com
18	raw.githubusercontent.com
50	2.tcp.eu.ngrok.io

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\sysnldcvmr.exe	r.exe
File opened for modification	C:\Windows\sysnldcvmr.exe	r.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	handeltest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opolis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSM-Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	r.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysnldcvmr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	227935216.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	octus.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2632	PING.EXE
1384	PING.EXE
1640	PING.EXE
2464	PING.EXE
1864	PING.EXE
2896	PING.EXE

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	octus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSerialNumber	octus.exe

Modifies system certificate store 2 TTPs 4 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4363463463464363463463463.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
1384	PING.EXE
1640	PING.EXE
2464	PING.EXE
1864	PING.EXE
2896	PING.EXE
2632	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1484	schtasks.exe
2736	schtasks.exe
2000	schtasks.exe
756	schtasks.exe
1612	schtasks.exe
2736	schtasks.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	788	4363463463464363463463463.exe
Token: SeIncreaseQuotaPrivilege	2572	WMIC.exe
Token: SeSecurityPrivilege	2572	WMIC.exe
Token: SeTakeOwnershipPrivilege	2572	WMIC.exe
Token: SeLoadDriverPrivilege	2572	WMIC.exe
Token: SeSystemProfilePrivilege	2572	WMIC.exe
Token: SeSystemtimePrivilege	2572	WMIC.exe
Token: SeProfSingleProcessPrivilege	2572	WMIC.exe
Token: SeIncBasePriorityPrivilege	2572	WMIC.exe
Token: SeCreatePagefilePrivilege	2572	WMIC.exe
Token: SeBackupPrivilege	2572	WMIC.exe
Token: SeRestorePrivilege	2572	WMIC.exe
Token: SeShutdownPrivilege	2572	WMIC.exe
Token: SeDebugPrivilege	2572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2572	WMIC.exe
Token: SeRemoteShutdownPrivilege	2572	WMIC.exe
Token: SeUndockPrivilege	2572	WMIC.exe
Token: SeManageVolumePrivilege	2572	WMIC.exe
Token: 33	2572	WMIC.exe
Token: 34	2572	WMIC.exe
Token: 35	2572	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2572	WMIC.exe
Token: SeSecurityPrivilege	2572	WMIC.exe
Token: SeTakeOwnershipPrivilege	2572	WMIC.exe
Token: SeLoadDriverPrivilege	2572	WMIC.exe
Token: SeSystemProfilePrivilege	2572	WMIC.exe
Token: SeSystemtimePrivilege	2572	WMIC.exe
Token: SeProfSingleProcessPrivilege	2572	WMIC.exe
Token: SeIncBasePriorityPrivilege	2572	WMIC.exe
Token: SeCreatePagefilePrivilege	2572	WMIC.exe
Token: SeBackupPrivilege	2572	WMIC.exe
Token: SeRestorePrivilege	2572	WMIC.exe
Token: SeShutdownPrivilege	2572	WMIC.exe
Token: SeDebugPrivilege	2572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2572	WMIC.exe
Token: SeRemoteShutdownPrivilege	2572	WMIC.exe
Token: SeUndockPrivilege	2572	WMIC.exe
Token: SeManageVolumePrivilege	2572	WMIC.exe
Token: 33	2572	WMIC.exe
Token: 34	2572	WMIC.exe
Token: 35	2572	WMIC.exe
Token: SeDebugPrivilege	2096	sharpmonoinjector.exe
Token: SeDebugPrivilege	2744	sharpmonoinjector.exe
Token: SeDebugPrivilege	1536	sharpmonoinjector.exe
Token: SeDebugPrivilege	2552	Client-built.exe
Token: SeDebugPrivilege	2364	sharpmonoinjector.exe
Token: SeDebugPrivilege	1812	sharpmonoinjector.exe
Token: SeDebugPrivilege	2008	svchost.exe
Token: SeDebugPrivilege	2448	sharpmonoinjector.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
684	Opolis.exe
2552	Client-built.exe
684	Opolis.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2552	Client-built.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2552	Client-built.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 788 wrote to memory of 1004	788	4363463463464363463463463.exe	32
PID 788 wrote to memory of 1004	788	4363463463464363463463463.exe	32
PID 788 wrote to memory of 1004	788	4363463463464363463463463.exe	32
PID 788 wrote to memory of 1004	788	4363463463464363463463463.exe	32
PID 788 wrote to memory of 2372	788	4363463463464363463463463.exe	33
PID 788 wrote to memory of 2372	788	4363463463464363463463463.exe	33
PID 788 wrote to memory of 2372	788	4363463463464363463463463.exe	33
PID 788 wrote to memory of 2372	788	4363463463464363463463463.exe	33
PID 788 wrote to memory of 2236	788	4363463463464363463463463.exe	34
PID 788 wrote to memory of 2236	788	4363463463464363463463463.exe	34
PID 788 wrote to memory of 2236	788	4363463463464363463463463.exe	34
PID 788 wrote to memory of 2236	788	4363463463464363463463463.exe	34
PID 788 wrote to memory of 1264	788	4363463463464363463463463.exe	37
PID 788 wrote to memory of 1264	788	4363463463464363463463463.exe	37
PID 788 wrote to memory of 1264	788	4363463463464363463463463.exe	37
PID 788 wrote to memory of 1264	788	4363463463464363463463463.exe	37
PID 1264 wrote to memory of 2072	1264	Pichon.exe	39
PID 1264 wrote to memory of 2072	1264	Pichon.exe	39
PID 1264 wrote to memory of 2072	1264	Pichon.exe	39
PID 2072 wrote to memory of 2572	2072	cmd.exe	41
PID 2072 wrote to memory of 2572	2072	cmd.exe	41
PID 2072 wrote to memory of 2572	2072	cmd.exe	41
PID 2072 wrote to memory of 560	2072	cmd.exe	42
PID 2072 wrote to memory of 560	2072	cmd.exe	42
PID 2072 wrote to memory of 560	2072	cmd.exe	42
PID 788 wrote to memory of 2096	788	4363463463464363463463463.exe	44
PID 788 wrote to memory of 2096	788	4363463463464363463463463.exe	44
PID 788 wrote to memory of 2096	788	4363463463464363463463463.exe	44
PID 788 wrote to memory of 2096	788	4363463463464363463463463.exe	44
PID 2096 wrote to memory of 1612	2096	sharpmonoinjector.exe	45
PID 2096 wrote to memory of 1612	2096	sharpmonoinjector.exe	45
PID 2096 wrote to memory of 1612	2096	sharpmonoinjector.exe	45
PID 2096 wrote to memory of 2764	2096	sharpmonoinjector.exe	47
PID 2096 wrote to memory of 2764	2096	sharpmonoinjector.exe	47
PID 2096 wrote to memory of 2764	2096	sharpmonoinjector.exe	47
PID 2764 wrote to memory of 2880	2764	cmd.exe	49
PID 2764 wrote to memory of 2880	2764	cmd.exe	49
PID 2764 wrote to memory of 2880	2764	cmd.exe	49
PID 2764 wrote to memory of 2896	2764	cmd.exe	50
PID 2764 wrote to memory of 2896	2764	cmd.exe	50
PID 2764 wrote to memory of 2896	2764	cmd.exe	50
PID 2764 wrote to memory of 2744	2764	cmd.exe	51
PID 2764 wrote to memory of 2744	2764	cmd.exe	51
PID 2764 wrote to memory of 2744	2764	cmd.exe	51
PID 2744 wrote to memory of 2736	2744	sharpmonoinjector.exe	52
PID 2744 wrote to memory of 2736	2744	sharpmonoinjector.exe	52
PID 2744 wrote to memory of 2736	2744	sharpmonoinjector.exe	52
PID 2744 wrote to memory of 2344	2744	sharpmonoinjector.exe	54
PID 2744 wrote to memory of 2344	2744	sharpmonoinjector.exe	54
PID 2744 wrote to memory of 2344	2744	sharpmonoinjector.exe	54
PID 2344 wrote to memory of 2612	2344	cmd.exe	56
PID 2344 wrote to memory of 2612	2344	cmd.exe	56
PID 2344 wrote to memory of 2612	2344	cmd.exe	56
PID 2344 wrote to memory of 2632	2344	cmd.exe	57
PID 2344 wrote to memory of 2632	2344	cmd.exe	57
PID 2344 wrote to memory of 2632	2344	cmd.exe	57
PID 788 wrote to memory of 684	788	4363463463464363463463463.exe	58
PID 788 wrote to memory of 684	788	4363463463464363463463463.exe	58
PID 788 wrote to memory of 684	788	4363463463464363463463463.exe	58
PID 788 wrote to memory of 684	788	4363463463464363463463463.exe	58
PID 788 wrote to memory of 1260	788	4363463463464363463463463.exe	59
PID 788 wrote to memory of 1260	788	4363463463464363463463463.exe	59
PID 788 wrote to memory of 1260	788	4363463463464363463463463.exe	59
PID 788 wrote to memory of 1260	788	4363463463464363463463463.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Downloads MZ/PE file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:788
- C:\Users\Admin\AppData\Local\Temp\Files\octus.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\octus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  PID:1004
- C:\Users\Admin\AppData\Local\Temp\Files\handeltest.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\handeltest.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2372
- C:\Users\Admin\AppData\Local\Temp\Files\123.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\123.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2236
- C:\Users\Admin\AppData\Local\Temp\Files\Pichon.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Pichon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Loli169.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get Model
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2572
  - - C:\Windows\system32\findstr.exe
      findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"
      4⤵
      PID:560
- C:\Users\Admin\AppData\Local\Temp\Files\sharpmonoinjector.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\sharpmonoinjector.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1612
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\kq3H85VWnBp3.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2880
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2896
  - - C:\Users\Admin\AppData\Local\Temp\Files\sharpmonoinjector.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\sharpmonoinjector.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2736
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xsFQDevV11gq.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2344
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2612
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2632
      - C:\Users\Admin\AppData\Local\Temp\Files\sharpmonoinjector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\sharpmonoinjector.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1484
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\umxZK7NNcH0E.bat" "
        7⤵
        
        PID:1620
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1100
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\Files\sharpmonoinjector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\sharpmonoinjector.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2736
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nqxEUp6KoDqJ.bat" "
        9⤵
        
        PID:2780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3036
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\Files\sharpmonoinjector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\sharpmonoinjector.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2000
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mC2zuaOPDQQS.bat" "
        11⤵
        
        PID:2680
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2480
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\Files\sharpmonoinjector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\sharpmonoinjector.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:756
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aQhcS1zBJQUI.bat" "
        13⤵
        
        PID:2940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1864
- C:\Users\Admin\AppData\Local\Temp\Files\Opolis.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Opolis.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:684
- - C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:580
- C:\Users\Admin\AppData\Local\Temp\Files\Discord.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Discord.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1260
- C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2552
- C:\Users\Admin\AppData\Local\Temp\Files\r.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\r.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2896
- - C:\Windows\sysnldcvmr.exe
    C:\Windows\sysnldcvmr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3032
  - - C:\Users\Admin\AppData\Local\Temp\227935216.exe
      C:\Users\Admin\AppData\Local\Temp\227935216.exe
      4⤵
      Downloads MZ/PE file
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2968
    - - C:\Users\Admin\AppData\Local\Temp\995620604.exe
        
        C:\Users\Admin\AppData\Local\Temp\995620604.exe
        5⤵
        Executes dropped EXE
        
        PID:1016
- C:\Users\Admin\AppData\Local\Temp\Files\S%D0%B5tu%D1%80111.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\S%D0%B5tu%D1%80111.exe"
  2⤵
  - Executes dropped EXE
  PID:956
- C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c1862a5f4a4e1585458b121882f717c2

SHA1
34b623cffdec8ffa3a9f90e4164cb55cf73d9a0b

SHA256
74389381855226f988f62752c25f37d7ec243cbf63e73c953ffb3fe5b3969b89

SHA512
e6b23772b5a710beb1eca2d417a1046f1e3c25e2bd94c8fed628195a258155bf91b1e54708158aef76e527aca08d2adfe78b607b91f1758aa6ff8230445cd41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Discord.exe

Filesize
45KB

MD5
9dcd35fe3cafec7a25aa3cdd08ded1f4

SHA1
13f199bfd3f8b2925536144a1b42424675d7c8e4

SHA256
ce4f85d935fe68a1c92469367b945f26c40c71feb656ef844c30a5483dc5c0be

SHA512
9a4293b2f2d0f1b86f116c5560a238ea5910454d5235aedb60695254d7cc2c3b1cd9dd1b890b9f94249ee0ca25a9fb457a66ca52398907a6d5775b0d2e2b70d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\MBSImagePlugin16490.dll

Filesize
514KB

MD5
0f11262e13c0bb56a207288a20b9d56e

SHA1
e3d88ec008497e79d6558518b688d13963a11863

SHA256
8328fdc5ba479e77a2838dacc729883760d512a0d19e5fd5c3a759d812ef76aa

SHA512
cea5147e29fb7ed13083a1edf95dd0e46f2b2e42b16aacbd68f4f92e81bbdb70cb20aa9d985fe5429cccb4ed9a0bd9138b99c8dd12fee30bb0d9d1458f896576

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\MBSJPEGDecompressionPlugin16490.dll

Filesize
164KB

MD5
ee55ba30b0266aa8e063e9275468e457

SHA1
354fb35ee2cceba7c7f8d75fb54915dd36d56908

SHA256
e52751c52a5c8f48b85a75df65bb4bafe7e1cf4499a7979880f6cc6455227e5b

SHA512
1e253bdf3c041194c127934355664704b40d12d266e4ec56a74087c42aeafa7f19c613bb9afbe95ee64910632e316b9b394c6b3b9df33ec271aed649f7217785

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\MBSMacTTPlugin16490.dll

Filesize
27KB

MD5
4bbe6d545c9f869a6f02f5f8617dca6d

SHA1
2f527e1d55b50accc8b4162b474337c83bf3c382

SHA256
2b28979e485f2896e1a68fdcec215c8f99724b4387c2e2bb3209efe6882fafe1

SHA512
aec5d72615839c88390b4100efa9115a4aaa32c12991a1e04e73016df7cb1104674901f072a8d2edcca1feb3c235f0ae1a502bd31fb322392d4ab81feec33faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\MBSRegistrationPlugin16490.dll

Filesize
38KB

MD5
5740e4279852346f866508d3a06624f8

SHA1
2de596423d619183d7e032b1ee2a764fd3f216b8

SHA256
d28dcc372a2d9c7c112bc6f042ae303523dd4dabd157276d00c1795bd8133e00

SHA512
12efcd990656cf09fb41f3f1c6948522774c0e2685e0356c8865b8981bab06b64f83e7720397ab1db8a2be66c3a34ea79abf3644af0c9770c97ae3a8157c9e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\MBSStringHandlePlugin16490.dll

Filesize
40KB

MD5
fd4d8ef77febb71c05d412ca4a9a3a2c

SHA1
faad08e5f921f037e11aa8b2370de11b5d2051c9

SHA256
0c42df25621bb49d96715d086b8e6d5a2735d31f9c8cad96db3c3daa815cb10e

SHA512
0d266ff1fe8e8ca942a56bdabae9510f8e76be136acdfc5a623c53af46bc727b4541ff391c4f55e4b18507cda491da037b586b8579a09122c0d93afd762ba958

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client.exe

Filesize
18.9MB

MD5
ed80683776e68c6c237175c3ce9f39d5

SHA1
6bd0d39e01e74d4e7a61fd48d32e8df1861b0c34

SHA256
cbecca01a711d72f666729e0f256c2d6b808b71feb76bd0a34146cd41b7edc23

SHA512
d857b9c20896c548de1e7cf1074a3f619d01a8ecfdb578d68807d01c30662a18f8b6b07aadd5f1ce463c877df1a4bf5aa12c18ed22ed622343c38e27936fcc38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client.exe.zip

Filesize
6.4MB

MD5
8b54e0f462da0688c6a69525da5d952b

SHA1
97ff0d8f7d9df4649839fad119d2d867cbaadd77

SHA256
39ad95c3bada4cedbe8278169e1cbac7980d7582d9b384142ffed61df0930c54

SHA512
938b6f8f52812d200834d56081f2f6fddf503704d42aa7dcd790747c840cee13eb4bc24696e6500ca80e8e1bf897bbd55abfeb7051e3e12c7d411efd3171fe24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Pichon.exe

Filesize
4.8MB

MD5
3bb8ce6c0948f1ce43d5dc252727e41e

SHA1
98d41b40056f12a1759d6d3e56ab1fe0192a378f

SHA256
709bddb0cbd2998eb0d8ca8b103b4e3ed76ca8cdc9150a6d0e59e347a0557a47

SHA512
239b8df14d47f698acef2f7c70cbfc943fe66a25553940078b08bf60957f94d6480a8cf5d846e6b880c79ab248e83d8da033cfc6c310a5e2564678b129e7296a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\S%D0%B5tu%D1%80111.exe

Filesize
6.4MB

MD5
9436c63eb99d4933ec7ffd0661639cbe

SHA1
12da487e8e0a42a1a40ed00ee8708e8c6eed1800

SHA256
3a79351bd8099a518ecb4258aacecc84f7ed44cf67426b482b7583ce20c17e4e

SHA512
59bc369bf7d96865be7e2f0b148e8216804c7f85d59958e7cc142770b44a84a266db8aec05b28bed483828f84abd81a21b3d40cdda230c1a534f6b380a387c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\r.exe

Filesize
79KB

MD5
0c883b1d66afce606d9830f48d69d74b

SHA1
fe431fe73a4749722496f19b3b3ca0b629b50131

SHA256
d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1

SHA512
c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loli169.bat

Filesize
4.8MB

MD5
dc353b173d3d42ec63f9e226b5ed9197

SHA1
f4c6712054a18a8a82837eda63499cee9295d76a

SHA256
c450ff176d648d79a983c1bdaf67d138793b7edc56e19c956e81ac1f25114789

SHA512
0af471591aa71c8ccfaf96eca4de1b7ab3ccb6d3dc0812905d01566ca93513f191430dbe41e4b0dde03d2d6aeed9057fbd80f9f57518f0cf4e4c57fa2990c013

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDBC6.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQhcS1zBJQUI.bat

Filesize
220B

MD5
fd561cd4be415a5d107e9291d3bfaadf

SHA1
ba978a9a03b0194e0e3d567ad0eb4fc2fcbd02d0

SHA256
d36ad1a4c05cae0705d5f31ca047b40a2094667c587bf4d0fbdad1629f1b8afd

SHA512
2f59aeafdfd6ad2e5f3ff107204e9bc68f301d8d65ac12505af1e64da324795162827947773d1972042aa8d518e956e2f1f4850066edc67f10c0f2b410cde9e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kq3H85VWnBp3.bat

Filesize
220B

MD5
72431d280a396bcb58fc41660d5f645d

SHA1
fa69982da29a1ebbe88a8a6b1f67687c852063dd

SHA256
b4ed1bbc7012c5e26b0aac2dfe79473490d4c263a57a457e3cca3e3db6dd49f9

SHA512
d48b821aeabbc7bac3647a1ce21f36fdc77abd354b85469575836b60aa44b061ca3c4cb85a1d57b7b6be728d23c494a411f6269c76f5181810e170bdf5cf1b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\mC2zuaOPDQQS.bat

Filesize
220B

MD5
7354d0c362cd4d5c30a9e721d0658b65

SHA1
66ef1ea98187ce24b7734567a2a015b01cdb6615

SHA256
4bb20621641b969bbe49c9fc9b4cd9a8332cee1464623c6ddf652fb8164b687d

SHA512
63b58ee3decf105ac7c7fffad229810d3e7df2ff252e5905e397b3606d2319aee406dcb2f8b199c4eb98c0c7b6b6f0f58397ff5d05fbcd57cedb1a2a6c681b47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nqxEUp6KoDqJ.bat

Filesize
220B

MD5
fa8d9d229688eda0ad475fc7226c609d

SHA1
f4e5721a9cd2eea96838a4eb99b0e67503c68d05

SHA256
391b60d17213a5ed0f5cc6cd6fec59bb18da8b1f9e7c4031569015baf70011f9

SHA512
3d3e54de38b049f8be06fae75a8ffd7819b10453f7b7aa781eda73f9e4b787e327c1cb52843599fecaa356a0dc2ee0a377a2c391ac25ac15b61898e81c727a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\umxZK7NNcH0E.bat

Filesize
220B

MD5
658b21da8ffee96a0732873bd6ee7eed

SHA1
f9371c831deb9f7875bc85a6ad48fa0a83d7f237

SHA256
dd1e69363e70565a4795c211220d29b3f69097842c7c95eefbb36e220169fbf7

SHA512
f9f7e98ed81382f5d2974edae544d938c0860838501e05544aa0b2644b5be177828ba14f950f9c0b119f2a487f0f632f3b92c48d6caf0b556afb4aba47f34d5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xsFQDevV11gq.bat

Filesize
220B

MD5
ae8087be48187c1fe769eb1b49d64ff7

SHA1
15eaf2818b033ce2a074348d0467addd7692e953

SHA256
f63767767fb0d643d00bd06ff7bb5f30a27b4ebc8f4a8720954d76f3cb17f5d8

SHA512
bd578d7d57f3b5b4262d6136722bcb03546f8bfb9685b4164568a8a7434f5e2fbdcd5c8a5d5e3e8dea430da7560b94853a56e3eb2c21415f6717b033ddd079a8

Download Submit
\Users\Admin\AppData\Local\Temp\Files\123.exe

Filesize
144KB

MD5
57ad05a16763721af8dae3e699d93055

SHA1
32dd622b2e7d742403fe3eb83dfa84048897f21b

SHA256
c8d6dfb7d901f25e97d475dc1564fdbfbfcaea2fe0d0aed44b7d41d77efaa7ea

SHA512
112ee88425af4afd0219ab72f273e506283b0705fbac973f7995a334b277d7ee6788fbf8e824c5988d373ac3baf865590a53e3dc10df0751df29e8a7646c47ae

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Client-built.exe

Filesize
3.1MB

MD5
7e1ed4c0bddfcd9753fa8a34369d2a09

SHA1
a72002b3e87c94524bb777fc50aadcd444597b28

SHA256
0d0646d4f062fab91f6dbcbcc5412e6ef550306b1a49e2353bc37fd24aa4660e

SHA512
cbcc8efa4d68e3e993dd0b8951d4e4fe0930d267ab99f0ad2f03a89e8f4d119210dccd4c5d4ad2b15d14125e852ef464564d6a88a41eaa936f6a6f2272123ff3

Download Submit
\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\Appearance Pak.dll

Filesize
136KB

MD5
3504e62fb3e24c13315bf2f00350d129

SHA1
fd0a37c492c4f1181351adf9e4a07c65210c1a1d

SHA256
bf1336be686769b739841b814a0373c74c9b7949c87715036d1861eef4ba518b

SHA512
b32cc106f9781894e0a42cf995252c1d29ef405cfa1c20edd7d0db67985c0c37a0a501c862c8c885109df37741a58d322bb3548bf7cab91d4ffb6e9badb8b49a

Download Submit
\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\Internet Encodings.dll

Filesize
72KB

MD5
303e56a1de5fbd350241435d28d89869

SHA1
72e2d355f493b01721267e9a545bfab7e013e077

SHA256
d20b77837d0d18ecfc454a2b8d698365975c11979196f1774ac914252b84f629

SHA512
3e9a15edda7ca4cbaf4fbb609dd4e914309fe71ad7b4302e0f7f91b278f35ce6ef8e379f552f259b8b69d19f9b8e56dca1d8365d31f84ea49e325fbcdef828f5

Download Submit
\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\MBSGIFPlugin16490.dll

Filesize
68KB

MD5
461686fd2fabca6ebf928a147bb38247

SHA1
0ea3932f275f13e04877a74e48fa8db601770eba

SHA256
7a9cfd15bd83f1a64ebb76e44a936130eed1ec66ef7663c398a2ce685ccff915

SHA512
8d241d3a02422cef41ea43cb2f21fa83e2a84152e6613a3820612195e00165a53d7d78b3cde73095989a51b50a45ec4872284257aa59650b0d65bfdb9f2584c8

Download Submit
\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\MBSJPEGCompressionPlugin16490.dll

Filesize
139KB

MD5
e55fd7c0d18b304d15a62baa867b728b

SHA1
05b6cd876f99e9c774cbcfb283a8f4270199f4eb

SHA256
d8d94cd418edfda69eef22259bff027f077a2f47ff887adf876bfaea13ae18cb

SHA512
f6441d018c3ba06fb6a37897abca80c0c0fea9228f55e1842af07bde0053204ab3e3aad828043343f8ecae74c1add30e7a58aa0c18a48d2c5a6116c4fcab3f2d

Download Submit
\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\MBSZipPlugin16490.dll

Filesize
88KB

MD5
f8276983703bbeaa988be78ceb1e4676

SHA1
95e457caad214917d168f0df4ceacac84b6c887d

SHA256
6dbe9356b139809706e52454305fdb4511d580d5c1d766bd31f159628ba1226d

SHA512
99e42c753f10df32ff19717077059632b8202610e8b5249d798b62fd21a399bb728b7c50bc1562f38c0a88d3e6365d936588db6dbe03b9ff6b809960fc2264f0

Download Submit
\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\MD5.dll

Filesize
92KB

MD5
ddd1e9f1cd1deddd147531f643f7307e

SHA1
cc393c27c97b6fa100c63f1e13a93134aebe6f2f

SHA256
18cce1f5656f49dd9f0a215e9a91eccbf3564f13d103af886cb1187eb733d044

SHA512
e024cf08472d98c7637a786676c4348d4375511be4c752227109221f7c484066da96220e0a82528b07acd01e3243fdd8d27b14ff5c6ec71a0f2b04fbbe00d1e1

Download Submit
\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\XML.dll

Filesize
744KB

MD5
47264eb59eefe7fc87a094929a4d9b26

SHA1
a8c99544e61f1c50609ef8b596d357d45df05840

SHA256
dc28ea6d625a468c3bcd2b282ccee8d4980ceef5f554f15e87c883a6ab440bb6

SHA512
10727037895ed32075879e06c517c0afd126dd623360b2b748a6b3e520f6ee6712beeb34dbf9d0b97928442d8c0873f288815d00184f7ec560db8216eac49986

Download Submit
\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\libExtended.DLL

Filesize
710KB

MD5
a6ccb7f96678ac87750385ff9e6bbc66

SHA1
03c8441b6dcdef88161356b4dc9536054089fc62

SHA256
4af4c7fa11d0a3f68370f3875eaeb2729fb2827b29c6a50999770c04ca65affb

SHA512
1c9937cc80c44c79115ca6fbe57478370d70052ed11270bd5506f00b4cfc98381f06201ea5a44ec85cd05d4fba09a44ae366e371b7339d3a2f82573543de3adb

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Opolis.exe

Filesize
4.9MB

MD5
1dd32d1e889b77e24d14fb05f12b52b9

SHA1
1e823c643c4feba08f63325ff66131c6c06c3243

SHA256
05298f220e88f765a184d56bcbbe00f33cb22523415592450afeee3aeec48369

SHA512
dd34cf7f9443100aded0931168ec52f44978c5029b056c509335a68861fc9a4377695a48ef1e8b98a48b80154ac8d6557beb59ad3ee0a2233ad61febbbb62f2b

Download Submit
\Users\Admin\AppData\Local\Temp\Files\handeltest.exe

Filesize
8KB

MD5
fc58aae64a21beb97e1f8eb000610801

SHA1
d377b4da7d8992b0c00455b88550515369b48c78

SHA256
a9da5745b96d84d4933b62dd790563ecdf59b5cf45009a192e886dc39c80c389

SHA512
601d661020e204565d21a1b7cedc5c081be2a88c226cd7152be6d3ea0ccc72161dcec68026f344028e5409e08178877639d5d6a46564d8e3d68236e484fc03d8

Download Submit
\Users\Admin\AppData\Local\Temp\Files\octus.exe

Filesize
261KB

MD5
c3927a5d6de0e669f49d3d0477abd174

SHA1
40e21ae54cb5bbb04f5130ff0c59d3864b082763

SHA256
f430f588aad57246c8b1cd536bc9ae050a4868b05c5dfaa9b5c555f4593a4b33

SHA512
20fe73aa1e20270f8040e46a19413d5af8cb47efcf8caef4075e2824268cdca8d775264c9c75a734c94c28c51983ebd27695dcad1f353ec338bd12e368aaa04d

Download Submit
\Users\Admin\AppData\Local\Temp\Files\sharpmonoinjector.exe

Filesize
3.1MB

MD5
4522bc113a6f5b984e9ffac278f9f064

SHA1
392ec955d7b5c5da965f7af9f929b89c33409b03

SHA256
2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58

SHA512
c0980d621a154adb63bdb8a4e7adc863a40d1af8d98d18bd0671fc07721639d66b10d471d4dddc0e78cc127d4c0429f3084618f227919e4a552d6de4ee7793ff

Download Submit
\Users\Admin\AppData\Roaming\gdi32.dll

Filesize
166KB

MD5
5f12bee4a0ffc9e8d6cf4be6bd624e54

SHA1
bddd0cc23adc8b556abe6aba3323f114f8546e2f

SHA256
6e908377f3a3d96502efa18ea8b6420eea841c58bcd63bd74c6010cec0e72d8d

SHA512
1f41112219ac84f45d309981aec2e889227e21d61051c6bb25e8b5e55347da8fdbb548baf9e09ac6d4addb52781e7ee22e4df86a4c0282dd9c03dec167540b68

Download Submit
memory/684-290-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/684-314-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/684-266-0x0000000000290000-0x00000000002A0000-memory.dmp

Filesize
64KB

Download
memory/684-274-0x00000000002B0000-0x00000000002C8000-memory.dmp

Filesize
96KB

Download
memory/684-282-0x00000000002D0000-0x00000000002E0000-memory.dmp

Filesize
64KB

Download
memory/684-322-0x00000000003C0000-0x00000000003DE000-memory.dmp

Filesize
120KB

Download
memory/684-298-0x00000000002F0000-0x0000000000305000-memory.dmp

Filesize
84KB

Download
memory/684-306-0x0000000000390000-0x00000000003A8000-memory.dmp

Filesize
96KB

Download
memory/788-0-0x000000007479E000-0x000000007479F000-memory.dmp

Filesize
4KB

Download
memory/788-1-0x0000000000FB0000-0x0000000000FB8000-memory.dmp

Filesize
32KB

Download
memory/788-202-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/788-2-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/788-188-0x000000007479E000-0x000000007479F000-memory.dmp

Filesize
4KB

Download
memory/1260-263-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/1264-210-0x000000013F5A0000-0x000000013FA74000-memory.dmp

Filesize
4.8MB

Download
memory/1812-499-0x0000000000150000-0x0000000000474000-memory.dmp

Filesize
3.1MB

Download
memory/2008-547-0x0000000000C40000-0x0000000000C5A000-memory.dmp

Filesize
104KB

Download
memory/2096-226-0x0000000000D50000-0x0000000001074000-memory.dmp

Filesize
3.1MB

Download
memory/2236-196-0x0000000000800000-0x000000000082A000-memory.dmp

Filesize
168KB

Download
memory/2236-197-0x00000000004C0000-0x00000000004C6000-memory.dmp

Filesize
24KB

Download
memory/2372-187-0x0000000000FD0000-0x0000000000FD8000-memory.dmp

Filesize
32KB

Download
memory/2448-548-0x00000000001A0000-0x00000000004C4000-memory.dmp

Filesize
3.1MB

Download
memory/2552-353-0x0000000000890000-0x0000000000BB4000-memory.dmp

Filesize
3.1MB

Download
memory/2744-237-0x0000000000EB0000-0x00000000011D4000-memory.dmp

Filesize
3.1MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads