asyncrat | d5395f121277d2b38f4173c7df0a20a3de99edfcfe2aa697080cc81170eb76ab

Resubmissions

09/03/2025, 01:58

250309-cdv29swybs 10

08/03/2025, 06:55

250308-hp35xatjt9 10

08/03/2025, 04:53

250308-fh1ebssky5 10

Analysis

max time kernel
300s
max time network
304s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2025, 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

My-Skidded-malwares-main/AnaRAT.exe
Size

6.0MB
MD5

b300d99faf11ac3c6d3609c34f39ad5b
SHA1

039310584b1e8fb43a08a865f3ab1b64610c8013
SHA256

b8af724789e01cb47a661d40a22a5ec93a2f1499d0ace4cd5e1d7d9fffa89246
SHA512

2158ca82f753258c4abee3bf425f91bd26a79fcf7c53cbb98fd5980a53d678613258367a5f10117547f3d900456d78a0e4a7c85b0f1806948e8e5b767ccb26d0
SSDEEP

49152:xqU/dfDJH/bKaPMNNteROzxRwF0UCLhCkpMn8HmWIos0/Noyos5rQLiMCPSsAm6o:x1dfDy

Malware Config

Extracted

Family

remcos

Botnet

AUGUST CRYPTER TOOLZ GRACE STUB

teamfavour222.ddns.net :6767

odogwuvisual123.duckdns.org:6767

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
-YFLE4M
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

njrat

Version

Hallaj PRO Rat [Fixed]

Botnet

FFF

tibiaserver.ddns.net:2323

Mutex

64805e9b9efcd75e104b05fad0cb2a4c

Attributes

reg_key
64805e9b9efcd75e104b05fad0cb2a4c
splitter
boolLove

Extracted

Family

asyncrat

Version

0.5.8

Botnet

2 MONEY

twart.myfirewall.org:14143

Mutex

udn3BZ1Fqt3jtiZx

Attributes

delay
30
install
true
install_file
svchost.exe
install_folder
%Temp%

aes.plain

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Extracted

Family

remcos

Botnet

GOLAZO

agosto14.con-ip.com:7772

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-KKPQTN
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect PurpleFox Rootkit 3 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral3/memory/3580-123-0x0000000010000000-0x00000000101A5000-memory.dmp	purplefox_rootkit
behavioral3/memory/3580-122-0x0000000010000000-0x00000000101A5000-memory.dmp	purplefox_rootkit
behavioral3/memory/3580-124-0x0000000010000000-0x00000000101A5000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral3/memory/3580-123-0x0000000010000000-0x00000000101A5000-memory.dmp	family_gh0strat
behavioral3/memory/3580-122-0x0000000010000000-0x00000000101A5000-memory.dmp	family_gh0strat
behavioral3/memory/3580-124-0x0000000010000000-0x00000000101A5000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Sub\\Client.exe"	Client.exe

Njrat family
njrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4372	3284	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	3284	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	3284	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	3284	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	3284	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	3284	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	3284	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	3284	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	3284	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	3284	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	3284	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	3284	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	3284	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	3284	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	3284	schtasks.exe	98

PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral3/files/0x000500000001e769-318.dat	family_stormkitty
behavioral3/memory/1092-332-0x00000000003B0000-0x0000000000406000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4520	powershell.exe
4176	powershell.exe
1972	powershell.exe
3032	powershell.exe
3060	powershell.exe
404	powershell.exe
5028	powershell.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
824	netsh.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	690c1b65a6267d6d0b201ba46089aabc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	a6a1abaf12a28ea8f6553356c3bdcf57.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	AnaRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	taskhostw.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\64805e9b9efcd75e104b05fad0cb2a4c.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\64805e9b9efcd75e104b05fad0cb2a4c.exe	svchost.exe

Executes dropped EXE 36 IoCs

pid	Process
3580	0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe
1316	690c1b65a6267d6d0b201ba46089aabc.exe
2344	62264.exe
528	SCRIPT~1.EXE
2104	73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe
2400	1231234.exe
3276	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe
708	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
3720	651654794161616171771852588547475885414152526396369965885471452525258.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
4756	svchost.exe
4724	chargeable.exe
2916	Client.exe
1268	Launcher.exe
4284	690c1b65a6267d6d0b201ba46089aabc.exe
2124	690c1b65a6267d6d0b201ba46089aabc.exe
1500	690c1b65a6267d6d0b201ba46089aabc.exe
2568	svchost.exe
4624	chargeable.exe
1092	zzzz.exe
1612	651654794161616171771852588547475885414152526396369965885471452525258.exe
3920	taskhostw.exe
1812	$77Microsoft To Do.exe
428	svchost.exe
2796	taskhostw.exe
3628	svchost.exe
1280	svchost.exe
2708	taskhostw.exe
4264	taskhostw.exe
4012	taskhostw.exe
5040	taskhostw.exe
2844	taskhostw.exe
376	taskhostw.exe
2192	taskhostw.exe
4404	taskhostw.exe
1768	taskhostw.exe

Loads dropped DLL 30 IoCs

pid	Process
3416	Process not Found
1748	Process not Found
828	Process not Found
3060	Process not Found
1308	timeout.exe
1812	$77Microsoft To Do.exe
2200	Process not Found
4176	Process not Found
4772	Process not Found
1404	Process not Found
2796	taskhostw.exe
408	Process not Found
2708	taskhostw.exe
1724	Process not Found
4264	taskhostw.exe
2052	Process not Found
4012	taskhostw.exe
2324	Process not Found
5040	taskhostw.exe
1964	Process not Found
2844	taskhostw.exe
3256	Process not Found
376	taskhostw.exe
1996	Process not Found
2192	taskhostw.exe
4404	taskhostw.exe
3800	Process not Found
4636	Process not Found
548	Process not Found
1768	taskhostw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zzzz.exe
Key opened	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zzzz.exe
Key opened	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zzzz.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe"	73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Client.exe"	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zzzz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zzzz.exe"	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cisco = "C:\\Users\\Admin\\Pictures\\Cisco\\VPNManager.exe"	651654794161616171771852588547475885414152526396369965885471452525258.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Sub\\WatchDog.exe"	Client.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\DriverrHub\\$77Microsoft To Do.exe\""	1231234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	62264.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	C:\ProgramData\EDZOBJMV\FileGrabber\Downloads\desktop.ini	zzzz.exe
File created	C:\ProgramData\EDZOBJMV\FileGrabber\Pictures\desktop.ini	zzzz.exe
File created	C:\ProgramData\EDZOBJMV\FileGrabber\Desktop\desktop.ini	zzzz.exe
File created	C:\ProgramData\EDZOBJMV\FileGrabber\Documents\desktop.ini	zzzz.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
27	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	freegeoip.app

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1316 set thread context of 1500	1316	690c1b65a6267d6d0b201ba46089aabc.exe	138
PID 4724 set thread context of 4624	4724	chargeable.exe	140
PID 428 set thread context of 1280	428	svchost.exe	176

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/memory/708-94-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral3/files/0x000300000001e7da-82.dat	upx
behavioral3/memory/3580-123-0x0000000010000000-0x00000000101A5000-memory.dmp	upx
behavioral3/memory/3580-122-0x0000000010000000-0x00000000101A5000-memory.dmp	upx
behavioral3/memory/3580-120-0x0000000010000000-0x00000000101A5000-memory.dmp	upx
behavioral3/memory/3580-124-0x0000000010000000-0x00000000101A5000-memory.dmp	upx
behavioral3/memory/708-360-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral3/memory/708-668-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral3/memory/708-856-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral3/memory/708-1022-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral3/memory/708-1274-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral3/memory/708-1360-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral3/memory/708-1676-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral3/memory/708-1850-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral3/memory/708-2097-0x0000000000400000-0x000000000048A000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\AppReadiness\fontdrvhost.exe	a6a1abaf12a28ea8f6553356c3bdcf57.exe
File opened for modification	C:\Windows\AppReadiness\fontdrvhost.exe	a6a1abaf12a28ea8f6553356c3bdcf57.exe
File created	C:\Windows\AppReadiness\5b884080fd4f94	a6a1abaf12a28ea8f6553356c3bdcf57.exe
File created	C:\Windows\xdwd.dll	Client.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3700	1092	WerFault.exe	141

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnaRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	690c1b65a6267d6d0b201ba46089aabc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chargeable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zzzz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	651654794161616171771852588547475885414152526396369965885471452525258.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	690c1b65a6267d6d0b201ba46089aabc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SCRIPT~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	651654794161616171771852588547475885414152526396369965885471452525258.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chargeable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1520	PING.EXE
1628	PING.EXE
3264	PING.EXE
2684	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	zzzz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	zzzz.exe

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
1308	timeout.exe
1348	timeout.exe

Modifies registry class 46 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings	taskhostw.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Launcher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	Launcher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings	taskhostw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Launcher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Launcher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	Launcher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings	a6a1abaf12a28ea8f6553356c3bdcf57.exe
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings	Launcher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Launcher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Launcher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	Launcher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	Launcher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Launcher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Launcher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Launcher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings	SCRIPT~1.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Launcher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Launcher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Launcher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Launcher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	Launcher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Launcher.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
3264	PING.EXE
2684	PING.EXE
1520	PING.EXE
1628	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3384	schtasks.exe
1404	schtasks.exe
4204	schtasks.exe
620	schtasks.exe
3044	schtasks.exe
4372	schtasks.exe
2636	schtasks.exe
4352	schtasks.exe
3500	schtasks.exe
2740	schtasks.exe
220	schtasks.exe
2420	schtasks.exe
4424	schtasks.exe
4320	schtasks.exe
4724	schtasks.exe
1988	schtasks.exe
1020	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1612	651654794161616171771852588547475885414152526396369965885471452525258.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe
Token: SeDebugPrivilege	2400	1231234.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	4176	powershell.exe
Token: SeDebugPrivilege	4520	powershell.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeDebugPrivilege	2916	Client.exe
Token: SeDebugPrivilege	1316	690c1b65a6267d6d0b201ba46089aabc.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	1092	zzzz.exe
Token: SeDebugPrivilege	3920	taskhostw.exe
Token: SeDebugPrivilege	2568	svchost.exe
Token: 33	2568	svchost.exe
Token: SeIncBasePriorityPrivilege	2568	svchost.exe
Token: SeDebugPrivilege	4624	chargeable.exe
Token: 33	4624	chargeable.exe
Token: SeIncBasePriorityPrivilege	4624	chargeable.exe
Token: 33	2568	svchost.exe
Token: SeIncBasePriorityPrivilege	2568	svchost.exe
Token: 33	4624	chargeable.exe
Token: SeIncBasePriorityPrivilege	4624	chargeable.exe
Token: SeDebugPrivilege	1812	$77Microsoft To Do.exe
Token: 33	2568	svchost.exe
Token: SeIncBasePriorityPrivilege	2568	svchost.exe
Token: 33	4624	chargeable.exe
Token: SeIncBasePriorityPrivilege	4624	chargeable.exe
Token: SeDebugPrivilege	1500	690c1b65a6267d6d0b201ba46089aabc.exe
Token: 33	2568	svchost.exe
Token: SeIncBasePriorityPrivilege	2568	svchost.exe
Token: 33	4624	chargeable.exe
Token: SeIncBasePriorityPrivilege	4624	chargeable.exe
Token: SeDebugPrivilege	2796	taskhostw.exe
Token: SeDebugPrivilege	428	svchost.exe
Token: 33	2568	svchost.exe
Token: SeIncBasePriorityPrivilege	2568	svchost.exe
Token: 33	4624	chargeable.exe
Token: SeIncBasePriorityPrivilege	4624	chargeable.exe
Token: 33	3580	0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe
Token: SeIncBasePriorityPrivilege	3580	0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe
Token: 33	2568	svchost.exe
Token: SeIncBasePriorityPrivilege	2568	svchost.exe
Token: 33	4624	chargeable.exe
Token: SeIncBasePriorityPrivilege	4624	chargeable.exe
Token: 33	2568	svchost.exe
Token: SeIncBasePriorityPrivilege	2568	svchost.exe
Token: 33	4624	chargeable.exe
Token: SeIncBasePriorityPrivilege	4624	chargeable.exe
Token: 33	2568	svchost.exe
Token: SeIncBasePriorityPrivilege	2568	svchost.exe
Token: 33	4624	chargeable.exe
Token: SeIncBasePriorityPrivilege	4624	chargeable.exe
Token: SeDebugPrivilege	2708	taskhostw.exe
Token: SeDebugPrivilege	1280	svchost.exe
Token: 33	2568	svchost.exe
Token: SeIncBasePriorityPrivilege	2568	svchost.exe
Token: 33	4624	chargeable.exe
Token: SeIncBasePriorityPrivilege	4624	chargeable.exe
Token: 33	2568	svchost.exe
Token: SeIncBasePriorityPrivilege	2568	svchost.exe
Token: 33	4624	chargeable.exe
Token: SeIncBasePriorityPrivilege	4624	chargeable.exe
Token: 33	2568	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1268	Launcher.exe
1612	651654794161616171771852588547475885414152526396369965885471452525258.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 3580	4772	AnaRAT.exe	86
PID 4772 wrote to memory of 3580	4772	AnaRAT.exe	86
PID 4772 wrote to memory of 3580	4772	AnaRAT.exe	86
PID 4772 wrote to memory of 1316	4772	AnaRAT.exe	87
PID 4772 wrote to memory of 1316	4772	AnaRAT.exe	87
PID 4772 wrote to memory of 1316	4772	AnaRAT.exe	87
PID 4772 wrote to memory of 2344	4772	AnaRAT.exe	88
PID 4772 wrote to memory of 2344	4772	AnaRAT.exe	88
PID 2344 wrote to memory of 528	2344	62264.exe	89
PID 2344 wrote to memory of 528	2344	62264.exe	89
PID 2344 wrote to memory of 528	2344	62264.exe	89
PID 4772 wrote to memory of 2104	4772	AnaRAT.exe	90
PID 4772 wrote to memory of 2104	4772	AnaRAT.exe	90
PID 4772 wrote to memory of 2104	4772	AnaRAT.exe	90
PID 4772 wrote to memory of 2400	4772	AnaRAT.exe	91
PID 4772 wrote to memory of 2400	4772	AnaRAT.exe	91
PID 4772 wrote to memory of 3276	4772	AnaRAT.exe	92
PID 4772 wrote to memory of 3276	4772	AnaRAT.exe	92
PID 4772 wrote to memory of 708	4772	AnaRAT.exe	93
PID 4772 wrote to memory of 708	4772	AnaRAT.exe	93
PID 4772 wrote to memory of 708	4772	AnaRAT.exe	93
PID 4772 wrote to memory of 3720	4772	AnaRAT.exe	94
PID 4772 wrote to memory of 3720	4772	AnaRAT.exe	94
PID 4772 wrote to memory of 3720	4772	AnaRAT.exe	94
PID 4772 wrote to memory of 2308	4772	AnaRAT.exe	95
PID 4772 wrote to memory of 2308	4772	AnaRAT.exe	95
PID 3276 wrote to memory of 3060	3276	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe	96
PID 3276 wrote to memory of 3060	3276	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe	96
PID 2344 wrote to memory of 4756	2344	62264.exe	107
PID 2344 wrote to memory of 4756	2344	62264.exe	107
PID 2344 wrote to memory of 4756	2344	62264.exe	107
PID 2308 wrote to memory of 1972	2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe	116
PID 2308 wrote to memory of 1972	2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe	116
PID 2308 wrote to memory of 4176	2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe	117
PID 2308 wrote to memory of 4176	2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe	117
PID 2308 wrote to memory of 4520	2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe	118
PID 2308 wrote to memory of 4520	2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe	118
PID 2308 wrote to memory of 5028	2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe	119
PID 2308 wrote to memory of 5028	2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe	119
PID 2308 wrote to memory of 404	2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe	120
PID 2308 wrote to memory of 404	2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe	120
PID 2308 wrote to memory of 4052	2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe	126
PID 2308 wrote to memory of 4052	2308	a6a1abaf12a28ea8f6553356c3bdcf57.exe	126
PID 4052 wrote to memory of 508	4052	cmd.exe	128
PID 4052 wrote to memory of 508	4052	cmd.exe	128
PID 2104 wrote to memory of 4724	2104	73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe	129
PID 2104 wrote to memory of 4724	2104	73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe	129
PID 2104 wrote to memory of 4724	2104	73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe	129
PID 4052 wrote to memory of 1520	4052	cmd.exe	130
PID 4052 wrote to memory of 1520	4052	cmd.exe	130
PID 3276 wrote to memory of 2916	3276	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe	131
PID 3276 wrote to memory of 2916	3276	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe	131
PID 3276 wrote to memory of 1268	3276	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe	132
PID 3276 wrote to memory of 1268	3276	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe	132
PID 3276 wrote to memory of 3032	3276	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe	134
PID 3276 wrote to memory of 3032	3276	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe	134
PID 1316 wrote to memory of 4284	1316	690c1b65a6267d6d0b201ba46089aabc.exe	136
PID 1316 wrote to memory of 4284	1316	690c1b65a6267d6d0b201ba46089aabc.exe	136
PID 1316 wrote to memory of 4284	1316	690c1b65a6267d6d0b201ba46089aabc.exe	136
PID 1316 wrote to memory of 2124	1316	690c1b65a6267d6d0b201ba46089aabc.exe	137
PID 1316 wrote to memory of 2124	1316	690c1b65a6267d6d0b201ba46089aabc.exe	137
PID 1316 wrote to memory of 2124	1316	690c1b65a6267d6d0b201ba46089aabc.exe	137
PID 1316 wrote to memory of 1500	1316	690c1b65a6267d6d0b201ba46089aabc.exe	138
PID 1316 wrote to memory of 1500	1316	690c1b65a6267d6d0b201ba46089aabc.exe	138

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zzzz.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zzzz.exe

C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\AnaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\AnaRAT.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Users\Admin\AppData\Local\0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe
  "C:\Users\Admin\AppData\Local\0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3580
- C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe
  "C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe
    "C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe"
    3⤵
    - Executes dropped EXE
    PID:4284
- - C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe
    "C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe"
    3⤵
    - Executes dropped EXE
    PID:2124
- - C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe
    "C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1500
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:3720
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4755.tmp.bat""
      4⤵
      System Location Discovery: System Language Discovery
      PID:3800
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1348
    - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:428
      - C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        6⤵
        Executes dropped EXE
        
        PID:3628
      - C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
- C:\Users\Admin\AppData\Local\62264.exe
  "C:\Users\Admin\AppData\Local\62264.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SCRIPT~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SCRIPT~1.EXE
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:528
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4756
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2568
- C:\Users\Admin\AppData\Local\73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe
  "C:\Users\Admin\AppData\Local\73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:4724
  - - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4624
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:824
- C:\Users\Admin\AppData\Local\1231234.exe
  "C:\Users\Admin\AppData\Local\1231234.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp29CA.tmp.bat""
    3⤵
    PID:1872
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Loads dropped DLL
      Delays execution with timeout.exe
      PID:1308
  - - C:\Users\Admin\AppData\Roaming\DriverrHub\$77Microsoft To Do.exe
      "C:\Users\Admin\AppData\Roaming\DriverrHub\$77Microsoft To Do.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1812
- C:\Users\Admin\AppData\Local\150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe
  "C:\Users\Admin\AppData\Local\150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3276
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3060
- - C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2916
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" & exit
      4⤵
      PID:3504
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1404
- - C:\Users\Admin\AppData\Local\Temp\Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:1268
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\zzzz.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3032
- - C:\Users\Admin\AppData\Local\Temp\zzzz.exe
    "C:\Users\Admin\AppData\Local\Temp\zzzz.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1092
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 1076
      4⤵
      Program crash
      PID:3700
- C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
  "C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:708
- C:\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe
  "C:\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3720
- - C:\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe
    "C:\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1612
- C:\Users\Admin\AppData\Local\a6a1abaf12a28ea8f6553356c3bdcf57.exe
  "C:\Users\Admin\AppData\Local\a6a1abaf12a28ea8f6553356c3bdcf57.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppReadiness\fontdrvhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\SppExtComObj.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4520
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\SppExtComObj.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\SppExtComObj.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:404
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1Ym9aHwiUs.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4052
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:508
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1520
  - - C:\Recovery\WindowsRE\taskhostw.exe
      "C:\Recovery\WindowsRE\taskhostw.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:3920
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6LEBq1ChCC.bat"
        5⤵
        
        PID:5040
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1536
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1628
      - C:\Recovery\WindowsRE\taskhostw.exe
        
        "C:\Recovery\WindowsRE\taskhostw.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kPY472Oq9b.bat"
        7⤵
        
        PID:2820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:4892
        
        C:\Recovery\WindowsRE\taskhostw.exe
        
        "C:\Recovery\WindowsRE\taskhostw.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7gOBUt9HLX.bat"
        9⤵
        
        PID:1740
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:5048
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4424
        
        C:\Recovery\WindowsRE\taskhostw.exe
        
        "C:\Recovery\WindowsRE\taskhostw.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H1ASKIIFNJ.bat"
        11⤵
        
        PID:2416
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4396
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:3736
        
        C:\Recovery\WindowsRE\taskhostw.exe
        
        "C:\Recovery\WindowsRE\taskhostw.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U7BGbiaqdI.bat"
        13⤵
        
        PID:4520
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:728
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3264
        
        C:\Recovery\WindowsRE\taskhostw.exe
        
        "C:\Recovery\WindowsRE\taskhostw.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:5040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uaNNDTqg5Y.bat"
        15⤵
        
        PID:2596
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3536
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2684
        
        C:\Recovery\WindowsRE\taskhostw.exe
        
        "C:\Recovery\WindowsRE\taskhostw.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X74P8KQcPY.bat"
        17⤵
        
        PID:1372
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3472
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2532
        
        C:\Recovery\WindowsRE\taskhostw.exe
        
        "C:\Recovery\WindowsRE\taskhostw.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dUsM3mSuDi.bat"
        19⤵
        
        PID:688
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:428
        
        C:\Recovery\WindowsRE\taskhostw.exe
        
        "C:\Recovery\WindowsRE\taskhostw.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\npectBbsFU.bat"
        21⤵
        
        PID:4696
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4180
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1960
        
        C:\Recovery\WindowsRE\taskhostw.exe
        
        "C:\Recovery\WindowsRE\taskhostw.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\AppReadiness\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\AppReadiness\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\AppReadiness\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\All Users\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4352

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1092 -ip 1092
1⤵
PID:3352

C:\Recovery\WindowsRE\taskhostw.exe
C:\Recovery\WindowsRE\taskhostw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\EDZOBJMV\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\EDZOBJMV\Process.txt

Filesize
4KB

MD5
afe940238186a16e38175db590e2d4b8

SHA1
ef4783fd8c88bfd2a21904c80c538b81780da9c0

SHA256
81c2f151f8f6a9d35cc6d289c2a97efef0efb833d859182dd72d7e7fe90076c4

SHA512
c2cfefadaf4de5bd0f41d253854062adfc9310f77b630442bcd28df57f190db8c2db609618323ed16d15c985becf94a92cee18169b7ef2fd34f2852f07a8be7e

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
122B

MD5
a6bbf643ecc49767913f8d40ccca8c7a

SHA1
05df263977f6affa21b36dfc1808e6627b45c0f3

SHA256
3237665e5e73f0db5e2d14a9a3a5b7cf6ab762f9e9f26e728fd99b7195acb798

SHA512
b2b00907dea8288217e2008893ce8be32a75fb9b427655c6929227204b5fd33997727e4934516a99ebf0dd3c48cfe38a66872a3f0aa44ecc30a209f28731403e

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
282B

MD5
2fca26d43542c8fecda959ebcc0568e5

SHA1
c6bdd4427dfff9c5c882ff370c33f1ad9acb2bea

SHA256
0c3d79d226be63310699fa1e4f89c3df45e53c59a95ac5426c38cea7490e55d5

SHA512
0df063a5947378201830f007b0bb348c2450441675f985114ea85d563eefca58e213c8309bf7461c48ec2d16d59d0c61acc192a3b4db5c7e3a4e04652a9f2c2a

Download Submit
C:\Users\Admin\AppData\Local\0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe

Filesize
446KB

MD5
385585748cd6feff767a913bd76c2457

SHA1
1bedac2bc0da78c4dbaaf3914816d84f5c08f005

SHA256
0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5

SHA512
80619ee207d6c5a352d811405c40bcb9043fb2b2759ad40575e03e9e7b89f4ad55f6bc01dfe62a64b42dcd9b3b5bfef10503ce72f4efa0d2e39546f92047a880

Download Submit
C:\Users\Admin\AppData\Local\1231234.exe

Filesize
37KB

MD5
8f00376c7ee9fb1653dc2ae09afa5589

SHA1
0005d278c062b496628e9c2a27043e87fc05689e

SHA256
6d2223ee967236cbc2c35809fce753553cfdb0aac7ba34e7087e19d61eecaa18

SHA512
2512a5b67867c7c1cfbc19f7adc7ad56c3a2bf821f0c74341d0e69ee89dc20bbdc9118714d67ada6a846edced58afc6d01b0fe7560f2166e02c9044f85bc00f9

Download Submit
C:\Users\Admin\AppData\Local\150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe

Filesize
227KB

MD5
1a83a244d9e90a4865aac14bc0e27052

SHA1
d2b65e7aed7657c9915f90f03d46902087479753

SHA256
150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712

SHA512
f4b9d26d8a0841f9425abf038f85563ddee65e2404bc508fd23c8023bb565fd7f0ceaeaadde49c4951d3bbbb93f6b64b3cf610464855a2bf2d418477dd4fe03f

Download Submit
C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe

Filesize
233KB

MD5
4ef3177a2e94ce3d15ae9490a73a2212

SHA1
a34f47568ce7fcea97a002eebeae385efa98790c

SHA256
87353d18dfdebf4d0747bbf21d58adaed2b04060d61cba3fa052d522640520f0

SHA512
635ce5c0d1b9f7dd5d7b4c00f216af06dc7d818132ba87a57d3d54f6b30ee01f64430d2aa265f60027cc58dc2e738d5b674ee36ffdca34ff540ce44b7da7c502

Download Submit
C:\Users\Admin\AppData\Local\62264.exe

Filesize
198KB

MD5
f30e9ff8706f3ec72c82a74ee6328db9

SHA1
b526d52d22600b28892f898a717eb25779ef3044

SHA256
d22bf8ad4fc9b769ea2944bbdee78277ab29bac7199407baf7c3b489568a9489

SHA512
a21220d5f1818c9c5aa55cf8560365888046a090b8892a9d87919b48ac921bd2fdfd6016ace77fa8205fde067c7d45cb01032a47f4325fcac560361d66cc58f6

Download Submit
C:\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe

Filesize
1.6MB

MD5
e2100d88aca7c0a44ba9bb988ccd3916

SHA1
ddaf17adbc769556037bb4fbf4bce7065bf57ef3

SHA256
75f846b15fa1b548a0143f35584b25875a03c03a783e9310c8573f3b76957688

SHA512
5b7fb077ea9d7d1310db3eb26b6624e3d12fe9f3d55d0a37d57c28197dab7e05449c6611d5b9a02f054d8ad790e12050228c8d7b913bb55e3f2b0da694c67ec5

Download Submit
C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe

Filesize
608KB

MD5
690c1b65a6267d6d0b201ba46089aabc

SHA1
9eb6859bae82bcf8b9df7cf4fc061cd9155fdc39

SHA256
244f3a2fad1afa232909355901f33cca18ea95444c5d142c7aa308170db5294f

SHA512
cc540851386a3b98227822b2c952a57caf15db4563f9c246b8be5bca0989aaff70e64191d010738db86598d76dd8ad4e59a50965224db9f623edb64f2f8b3e2a

Download Submit
C:\Users\Admin\AppData\Local\73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe

Filesize
110KB

MD5
0dcc21bdebe05957ca2922be486abe22

SHA1
8bcbd8a839a58e0050c17221e6a1cc775f07586b

SHA256
73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3

SHA512
0752ba22340fd3383132243580cb28a147e67b42bb920af8c0fde491d550556fdfa296e70d94f2ce9798faddd0dad4664e2c2edda8f6604b9ba9e63e8f875e0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\690c1b65a6267d6d0b201ba46089aabc.exe.log

Filesize
1KB

MD5
7cad59aef5a93f093b6ba494f13f796f

SHA1
3cef97b77939bfc06dfd3946fc1a8cd159f67100

SHA256
1e1b444fe2d8772f6709b22b94bb5b0aa7fa590f6a693705d9bf1f2f71267a55

SHA512
8cedd03efec34c6226a01fd6b4831a689be16545ea6b849cd96f775e0722bfefd4b47f3dd8401d2080d341d4319f75995ece60de44352a1f86a2e5dc01e6210b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60804e808a88131a5452fed692914a8e

SHA1
fdb74669923b31d573787fe024dbd701fa21bb5b

SHA256
064fdd6e9e6e7f51da354604a56f66217f1edfc12d9bbbaf869a628915a86a61

SHA512
d4f2791433c0bacd8cad57b40fab4a807db4dd74f7c5357d2bce9aaa6544f97667497307d1e0704b98e2c99a94775fbb6ea676685a01578e4d0304f541c9854a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5cfe303e798d1cc6c1dab341e7265c15

SHA1
cd2834e05191a24e28a100f3f8114d5a7708dc7c

SHA256
c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

SHA512
ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1Ym9aHwiUs.bat

Filesize
163B

MD5
d306a5f998f288c6d256a111f579aa3b

SHA1
1cdda225a065278ee7f7afcfe88d0d62016029be

SHA256
4ca828a436a2d029e16b87edf81687c46a1d62523a370425547a5f7e8d59d856

SHA512
73053683cead21e541ffe4ae0506727fde0e25df01c0efbf9657b4b9e40784cd2952df978a68fc325dc0667515da9443d06e9f709d4ef128b34e20faa00d452f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
100KB

MD5
21560cb75b809cf46626556cd5fbe3ab

SHA1
f2eec01d42a301c3caacd41cddb0ef2284dbb5a6

SHA256
d2525bab5cb322933c8978880975e0c189feece68ae3f1951bf46297c7f640fa

SHA512
21eac0037b16f968ee8743b52dc73efdd34d24c2502d090b399a552dc6cb75f7d3090c10d448c66b868b1c4a7c46a5068b084b88b487e40b1e755356cb7557db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SCRIPT~1.EXE

Filesize
210KB

MD5
4ca15a71a92f90c56b53d9d03da17657

SHA1
3d610aee0423eea84ad9dc0df7865e1bed982327

SHA256
ab532f166e08886166c0ed6426bb6a8998de8273d37ccac5823528a1ba3d8ca1

SHA512
e0d9e11b9a0fb84bab21cbe4638ead80319a9b38ed810a59a612ab844331adec32f2499425b0d9269f2eb3714e497ad31c9bdfded1f829533cc77bf2dea6464f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\script-error.xml

Filesize
19B

MD5
fdb26e74f4d6ca3a02af55b15fcca7f2

SHA1
7d990a1a4062fc3f0ae117dc72f47bcb3ef66425

SHA256
49704e6fd30fc98988f40be963296c81b95662d7f3af605c372cd0344ab78e1b

SHA512
36a82624ee8173bacffdf978e00f9c5ffe96bd6b27ba1230f2891a11bc301908ed6ea790c75669219c7445489806f00ba67eda2ea7346396ca3304e02c6fec7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\script-error.zip

Filesize
308B

MD5
b3609673caf3522ae50fe7b2f69b46f2

SHA1
c14f39aa78398030b84ab6b3d36014483b97a520

SHA256
c2423419d653bf31077eb40ad665590445b5baac4f82948822c8ed55fc009c4d

SHA512
be15ca57e7b80049c35a37f216fb1387b89d68440494c81e7e8b21644dbab8ab161119a37475ad873d144ceae105ec2c61097f0c115f078cde961bc38e6f28b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe

Filesize
152KB

MD5
4b6d4727ca3c277e5af47092ec9e3ef1

SHA1
8faea131181960c1f43ccee6a2b7bcdaa23fcd81

SHA256
5fb62cc6421cf636023381cc6fd5a06e3b326a58ea3d3ce9c879f1cc408519f4

SHA512
8a1814ec549a42771cbe83fe7612d7e269af27d092a5c0ae685e92772dc7effd2b14829090f0b12edfbabeb9804f80558f2b316efb4f48a6a3b500b1172c2bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Launcher.exe

Filesize
22KB

MD5
4c8f3a1e15f370ca8afe2992902a6e98

SHA1
dc6324d924ac31bea4ad7e4dd6720ecdad3877dd

SHA256
dcdc72549f7ad41cc860738adbeee5e44f02222415fd84ed5c92538ac9049b92

SHA512
b63c4e48f3024edcf1e1391b5df6ff65fc5111849eb093b429fa0f21c03339dbaeff835f18e250758498f3432874b85348530e47b2ada93f6f68615a5ccf66c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5tlq3zbd.4cd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp29CA.tmp.bat

Filesize
173B

MD5
cdec9120d4d91d35e6fabe87645fe181

SHA1
22c35be9f66252b144af13b69330367f17f6f5ae

SHA256
b18a0be65a0d38bb7d176954d6dec4feee62623e2d12c7130e8f039a803f84bc

SHA512
630e18f533ed62d88a950cf116821f6dd4c90449b057eebf0cb335e0958ab0109664e364c3fbd509734507547e87f65e695be8366707d2376ed9e5654c3316e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4755.tmp.bat

Filesize
154B

MD5
00650ac9562a1a446b29e9897d21ca31

SHA1
292cd6499768060539490d3e193eced321bb870f

SHA256
dd604ad296b39f7c6d2f7d5b5f08a2289a3861b091b41a3280b2d674352aa542

SHA512
229e623a6d5bce269fd3f6b7ece7ac3474c1ab2f12d32025f611e09fd08fa388e3146fc6fb1850e7ca798f9b911bc12ded99e85b53825692c5c81f468ba133b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzzz.exe

Filesize
320KB

MD5
de4824c195cf1b2bb498511ef461e49b

SHA1
f15ca6d0e02c785cce091dbd716cd43e3f5a80bd

SHA256
51813dfedbe02f03d08b4728187eadb4948d8be40c9d8fe6e4e1cb61fa7ae209

SHA512
b211a636f2799d90ce38348dbbc7dbc69ac5374129c7896a137f03a57fe78139a030c1edb90cfc4203799d77a8720df431da75986aa1d8b16274030ad1db770a

Download Submit
C:\Users\Admin\AppData\Local\a6a1abaf12a28ea8f6553356c3bdcf57.exe

Filesize
874KB

MD5
a6a1abaf12a28ea8f6553356c3bdcf57

SHA1
b7613fb9944bc3d8e11b5eb6f7ff706f04e8ad53

SHA256
f2507211585dfe351ff53086f30b42572db223b2646e45f91b7f3e202bb0bb76

SHA512
e525d119128c1ca1c05d379b9ebba9791b7b15390c8999773bff6517fde674178e17ee2c7c126b249c8c54b4dd1c07326ba24d52c8c192f067bc7e8545113a65

Download Submit
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Filesize
110KB

MD5
bf59e3434961e889a58df70dbac7a024

SHA1
523104dfc54392eaff5f9f68cf5dcea8d8334694

SHA256
3bb925f9cd12fcf7beb1a18631d63878956cabbb9d020a5f25d5ced27f002e12

SHA512
fab117928d67cb60b025e6a1e29f57c9b829d7fcbf3ade9961e2cf5f8efea721254478556107f97e5bb151da1d4562b451461a24228054a9d5297685a11a4ad4

Download Submit
C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/428-828-0x00000000069A0000-0x00000000069B6000-memory.dmp

Filesize
88KB

Download
memory/428-736-0x0000000005F40000-0x0000000006294000-memory.dmp

Filesize
3.3MB

Download
memory/708-1676-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/708-1360-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/708-1274-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/708-1022-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/708-856-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/708-94-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/708-1850-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/708-668-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/708-2097-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/708-360-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1092-444-0x0000000005FD0000-0x0000000006036000-memory.dmp

Filesize
408KB

Download
memory/1092-332-0x00000000003B0000-0x0000000000406000-memory.dmp

Filesize
344KB

Download
memory/1316-116-0x0000000005BD0000-0x0000000005C6C000-memory.dmp

Filesize
624KB

Download
memory/1316-246-0x0000000005610000-0x0000000005626000-memory.dmp

Filesize
88KB

Download
memory/1316-108-0x0000000005620000-0x0000000005BC4000-memory.dmp

Filesize
5.6MB

Download
memory/1316-266-0x00000000091D0000-0x0000000009224000-memory.dmp

Filesize
336KB

Download
memory/1316-110-0x0000000004F40000-0x0000000004FD2000-memory.dmp

Filesize
584KB

Download
memory/1316-112-0x0000000005070000-0x00000000053C4000-memory.dmp

Filesize
3.3MB

Download
memory/1316-115-0x0000000005030000-0x000000000503A000-memory.dmp

Filesize
40KB

Download
memory/1316-96-0x0000000000600000-0x000000000069A000-memory.dmp

Filesize
616KB

Download
memory/1316-117-0x0000000006D30000-0x0000000006D4E000-memory.dmp

Filesize
120KB

Download
memory/1500-271-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1612-337-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/1612-328-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/1612-334-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/1612-333-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/2308-135-0x000000001BD80000-0x000000001BDD0000-memory.dmp

Filesize
320KB

Download
memory/2308-114-0x0000000000EA0000-0x0000000000EA6000-memory.dmp

Filesize
24KB

Download
memory/2308-113-0x0000000000640000-0x000000000071C000-memory.dmp

Filesize
880KB

Download
memory/2308-132-0x0000000000EF0000-0x0000000000EFE000-memory.dmp

Filesize
56KB

Download
memory/2308-143-0x0000000000F20000-0x0000000000F2C000-memory.dmp

Filesize
48KB

Download
memory/2308-139-0x0000000000F00000-0x0000000000F0E000-memory.dmp

Filesize
56KB

Download
memory/2308-119-0x0000000000EB0000-0x0000000000EB6000-memory.dmp

Filesize
24KB

Download
memory/2308-134-0x0000000002870000-0x000000000288C000-memory.dmp

Filesize
112KB

Download
memory/2308-147-0x00000000028B0000-0x00000000028BC000-memory.dmp

Filesize
48KB

Download
memory/2308-118-0x000000001B5B0000-0x000000001B734000-memory.dmp

Filesize
1.5MB

Download
memory/2308-137-0x0000000002890000-0x00000000028A8000-memory.dmp

Filesize
96KB

Download
memory/2308-145-0x0000000000F40000-0x0000000000F4E000-memory.dmp

Filesize
56KB

Download
memory/2308-141-0x0000000000F10000-0x0000000000F1E000-memory.dmp

Filesize
56KB

Download
memory/2400-73-0x00000000006B0000-0x00000000006BE000-memory.dmp

Filesize
56KB

Download
memory/2916-264-0x00000000002B0000-0x00000000002D0000-memory.dmp

Filesize
128KB

Download
memory/3060-148-0x000001236BEE0000-0x000001236BF02000-memory.dmp

Filesize
136KB

Download
memory/3276-105-0x0000000000910000-0x0000000000950000-memory.dmp

Filesize
256KB

Download
memory/3580-123-0x0000000010000000-0x00000000101A5000-memory.dmp

Filesize
1.6MB

Download
memory/3580-124-0x0000000010000000-0x00000000101A5000-memory.dmp

Filesize
1.6MB

Download
memory/3580-122-0x0000000010000000-0x00000000101A5000-memory.dmp

Filesize
1.6MB

Download
memory/3580-120-0x0000000010000000-0x00000000101A5000-memory.dmp

Filesize
1.6MB

Download
memory/3720-322-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/3720-329-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/4624-300-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4756-178-0x0000000000060000-0x000000000008C000-memory.dmp

Filesize
176KB

Download
memory/4756-179-0x0000000005390000-0x000000000539C000-memory.dmp

Filesize
48KB

Download
memory/4772-2-0x0000000074B20000-0x00000000750D1000-memory.dmp

Filesize
5.7MB

Download
memory/4772-1-0x0000000074B20000-0x00000000750D1000-memory.dmp

Filesize
5.7MB

Download
memory/4772-0-0x0000000074B22000-0x0000000074B23000-memory.dmp

Filesize
4KB

Download
memory/4772-111-0x0000000074B20000-0x00000000750D1000-memory.dmp

Filesize
5.7MB

Download