asyncrat | d5395f121277d2b38f4173c7df0a20a3de99edfcfe2aa697080cc81170eb76ab

Resubmissions

11/03/2025, 00:00

250311-aaawtasr13 5

10/03/2025, 21:57

09/03/2025, 01:58

08/03/2025, 06:55

08/03/2025, 04:53

Analysis

max time kernel
900s
max time network
907s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
10/03/2025, 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

My-Skidded-malwares-main/AnaRAT.exe
Size

6.0MB
MD5

b300d99faf11ac3c6d3609c34f39ad5b
SHA1

039310584b1e8fb43a08a865f3ab1b64610c8013
SHA256

b8af724789e01cb47a661d40a22a5ec93a2f1499d0ace4cd5e1d7d9fffa89246
SHA512

2158ca82f753258c4abee3bf425f91bd26a79fcf7c53cbb98fd5980a53d678613258367a5f10117547f3d900456d78a0e4a7c85b0f1806948e8e5b767ccb26d0
SSDEEP

49152:xqU/dfDJH/bKaPMNNteROzxRwF0UCLhCkpMn8HmWIos0/Noyos5rQLiMCPSsAm6o:x1dfDy

Malware Config

Extracted

Family

remcos

Botnet

AUGUST CRYPTER TOOLZ GRACE STUB

teamfavour222.ddns.net :6767

odogwuvisual123.duckdns.org:6767

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
-YFLE4M
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

njrat

Version

Hallaj PRO Rat [Fixed]

Botnet

FFF

tibiaserver.ddns.net:2323

Mutex

64805e9b9efcd75e104b05fad0cb2a4c

Attributes

reg_key
64805e9b9efcd75e104b05fad0cb2a4c
splitter
boolLove

Extracted

Family

asyncrat

Version

0.5.8

Botnet

2 MONEY

twart.myfirewall.org:14143

Mutex

udn3BZ1Fqt3jtiZx

Attributes

delay
30
install
true
install_file
svchost.exe
install_folder
%Temp%

aes.plain

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Extracted

Family

remcos

Botnet

GOLAZO

agosto14.con-ip.com:7772

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-KKPQTN
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect PurpleFox Rootkit 3 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral3/memory/3332-123-0x0000000010000000-0x00000000101A5000-memory.dmp	purplefox_rootkit
behavioral3/memory/3332-122-0x0000000010000000-0x00000000101A5000-memory.dmp	purplefox_rootkit
behavioral3/memory/3332-124-0x0000000010000000-0x00000000101A5000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral3/memory/3332-123-0x0000000010000000-0x00000000101A5000-memory.dmp	family_gh0strat
behavioral3/memory/3332-122-0x0000000010000000-0x00000000101A5000-memory.dmp	family_gh0strat
behavioral3/memory/3332-124-0x0000000010000000-0x00000000101A5000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Sub\\Client.exe"	Client.exe

Njrat family
njrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2988	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2988	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2988	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2988	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	2988	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2988	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2988	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2988	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	2988	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2988	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3100	2988	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3456	2988	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3336	2988	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2988	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2988	schtasks.exe	93

PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral3/files/0x001c00000002af39-274.dat	family_stormkitty
behavioral3/memory/4512-282-0x0000000000120000-0x0000000000176000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1664	powershell.exe
244	powershell.exe
2824	powershell.exe
4072	powershell.exe
1708	powershell.exe
3408	powershell.exe
2876	powershell.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1140	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\64805e9b9efcd75e104b05fad0cb2a4c.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\64805e9b9efcd75e104b05fad0cb2a4c.exe	svchost.exe

Executes dropped EXE 59 IoCs

pid	Process
3332	0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe
5088	690c1b65a6267d6d0b201ba46089aabc.exe
4244	62264.exe
2172	SCRIPT~1.EXE
2600	73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe
2648	1231234.exe
1700	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe
4604	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
3476	651654794161616171771852588547475885414152526396369965885471452525258.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
2680	svchost.exe
2008	Client.exe
396	Launcher.exe
4512	zzzz.exe
3280	chargeable.exe
3732	690c1b65a6267d6d0b201ba46089aabc.exe
1728	svchost.exe
4052	winlogon.exe
1708	chargeable.exe
4148	651654794161616171771852588547475885414152526396369965885471452525258.exe
1048	$77Microsoft To Do.exe
3656	svchost.exe
488	winlogon.exe
2308	svchost.exe
2876	winlogon.exe
2504	winlogon.exe
384	winlogon.exe
2644	winlogon.exe
5076	winlogon.exe
4652	winlogon.exe
1660	winlogon.exe
4700	winlogon.exe
792	winlogon.exe
4232	winlogon.exe
3464	explorer.exe
972	StartMenuExperienceHost.exe
244	winlogon.exe
3148	winlogon.exe
3080	winlogon.exe
1448	winlogon.exe
4784	dllhost.exe
3916	winlogon.exe
3548	winlogon.exe
4784	winlogon.exe
4504	winlogon.exe
1604	winlogon.exe
2240	winlogon.exe
3800	winlogon.exe
2456	winlogon.exe
3548	explorer.exe
1184	StartMenuExperienceHost.exe
3624	winlogon.exe
572	winlogon.exe
4964	Registry.exe
1592	winlogon.exe
3548	winlogon.exe
1260	winlogon.exe
1660	winlogon.exe
4848	winlogon.exe

Loads dropped DLL 64 IoCs

pid	Process
1048	$77Microsoft To Do.exe
772	Process not Found
3380	Process not Found
3660	Process not Found
488	winlogon.exe
4284	Process not Found
2876	winlogon.exe
888	Process not Found
2504	winlogon.exe
3268	Process not Found
384	winlogon.exe
896	Process not Found
2644	winlogon.exe
1228	Process not Found
5076	winlogon.exe
2004	Process not Found
4652	winlogon.exe
4968	Process not Found
1660	winlogon.exe
1804	Process not Found
4700	winlogon.exe
1744	Process not Found
792	winlogon.exe
4992	Process not Found
4232	winlogon.exe
3464	explorer.exe
972	StartMenuExperienceHost.exe
1620	Process not Found
244	winlogon.exe
2152	Process not Found
3148	winlogon.exe
988	Process not Found
3080	winlogon.exe
3524	Process not Found
1448	winlogon.exe
4784	dllhost.exe
4344	Process not Found
3916	winlogon.exe
3292	Process not Found
3548	winlogon.exe
2252	Process not Found
4784	winlogon.exe
1460	Process not Found
4504	winlogon.exe
4004	Process not Found
1604	winlogon.exe
2280	Process not Found
2240	winlogon.exe
3136	Process not Found
3800	winlogon.exe
3004	Process not Found
2456	winlogon.exe
3548	explorer.exe
1184	StartMenuExperienceHost.exe
428	Process not Found
3624	winlogon.exe
4348	Process not Found
572	winlogon.exe
4964	Registry.exe
5064	Process not Found
1592	winlogon.exe
3380	Process not Found
3548	winlogon.exe
1260	winlogon.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zzzz.exe
Key opened	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zzzz.exe
Key opened	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zzzz.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000\Software\Microsoft\Windows\CurrentVersion\Run\zzzz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zzzz.exe"	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cisco = "C:\\Users\\Admin\\Pictures\\Cisco\\VPNManager.exe"	651654794161616171771852588547475885414152526396369965885471452525258.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\DriverrHub\\$77Microsoft To Do.exe\""	1231234.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Sub\\WatchDog.exe"	Client.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	62264.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Client.exe"	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe"	73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\JMSGLQKO\FileGrabber\Desktop\desktop.ini	zzzz.exe
File opened for modification	C:\Users\Admin\AppData\Local\JMSGLQKO\FileGrabber\Desktop\desktop.ini	zzzz.exe
File created	C:\Users\Admin\AppData\Local\JMSGLQKO\FileGrabber\Documents\desktop.ini	zzzz.exe
File created	C:\Users\Admin\AppData\Local\JMSGLQKO\FileGrabber\Downloads\desktop.ini	zzzz.exe
File created	C:\Users\Admin\AppData\Local\JMSGLQKO\FileGrabber\Pictures\desktop.ini	zzzz.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	discord.com
29	discord.com

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	freegeoip.app
5	ip-api.com
6	freegeoip.app
12	api.ipify.org
23	api.ipify.org

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5088 set thread context of 3732	5088	690c1b65a6267d6d0b201ba46089aabc.exe	132
PID 3280 set thread context of 1708	3280	chargeable.exe	135
PID 3656 set thread context of 2308	3656	svchost.exe	158

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/files/0x001900000002af06-78.dat	upx
behavioral3/memory/4604-86-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral3/memory/3332-120-0x0000000010000000-0x00000000101A5000-memory.dmp	upx
behavioral3/memory/3332-123-0x0000000010000000-0x00000000101A5000-memory.dmp	upx
behavioral3/memory/3332-122-0x0000000010000000-0x00000000101A5000-memory.dmp	upx
behavioral3/memory/3332-124-0x0000000010000000-0x00000000101A5000-memory.dmp	upx
behavioral3/memory/4604-318-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral3/memory/4604-319-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral3/memory/4604-554-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral3/memory/4604-682-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral3/memory/4604-772-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral3/memory/4604-901-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral3/memory/4604-985-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral3/memory/4604-1068-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral3/memory/4604-1162-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral3/memory/4604-1244-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral3/memory/4604-1331-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral3/memory/4604-1420-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral3/memory/4604-1502-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral3/memory/4604-1589-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral3/memory/4604-1678-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral3/memory/4604-1760-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral3/memory/4604-1847-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral3/memory/4604-1936-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral3/memory/4604-2018-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral3/memory/4604-2105-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral3/memory/4604-2194-0x0000000000400000-0x000000000048A000-memory.dmp	upx
behavioral3/memory/4604-2276-0x0000000000400000-0x000000000048A000-memory.dmp	upx

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Google\explorer.exe	a6a1abaf12a28ea8f6553356c3bdcf57.exe
File opened for modification	C:\Program Files\Google\explorer.exe	a6a1abaf12a28ea8f6553356c3bdcf57.exe
File created	C:\Program Files\Google\7a0fd90576e088	a6a1abaf12a28ea8f6553356c3bdcf57.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\Registry.exe	a6a1abaf12a28ea8f6553356c3bdcf57.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\ee2ad38f3d4382	a6a1abaf12a28ea8f6553356c3bdcf57.exe
File created	C:\Program Files (x86)\MSBuild\winlogon.exe	a6a1abaf12a28ea8f6553356c3bdcf57.exe
File created	C:\Program Files (x86)\MSBuild\cc11b995f2a76d	a6a1abaf12a28ea8f6553356c3bdcf57.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\BitLockerDiscoveryVolumeContents\StartMenuExperienceHost.exe	a6a1abaf12a28ea8f6553356c3bdcf57.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\55b276f4edf653	a6a1abaf12a28ea8f6553356c3bdcf57.exe
File created	C:\Windows\xdwd.dll	Client.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	651654794161616171771852588547475885414152526396369965885471452525258.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SCRIPT~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	690c1b65a6267d6d0b201ba46089aabc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnaRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	690c1b65a6267d6d0b201ba46089aabc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chargeable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chargeable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zzzz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	651654794161616171771852588547475885414152526396369965885471452525258.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 10 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4072	PING.EXE
988	PING.EXE
1272	PING.EXE
1096	PING.EXE
3004	PING.EXE
3156	PING.EXE
1080	PING.EXE
1448	PING.EXE
3336	PING.EXE
2000	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	zzzz.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	zzzz.exe

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
2308	timeout.exe
4776	timeout.exe

Modifies registry class 51 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings	winlogon.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Launcher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings	winlogon.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Launcher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings	a6a1abaf12a28ea8f6553356c3bdcf57.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Launcher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings	SCRIPT~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Launcher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Launcher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Launcher.exe

Runs ping.exe 1 TTPs 10 IoCs

Remote System Discovery

T1018

pid	Process
988	PING.EXE
1272	PING.EXE
1096	PING.EXE
3336	PING.EXE
3156	PING.EXE
4072	PING.EXE
3004	PING.EXE
1448	PING.EXE
2000	PING.EXE
1080	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2876	schtasks.exe
2440	schtasks.exe
1260	schtasks.exe
3312	schtasks.exe
3100	schtasks.exe
3456	schtasks.exe
3336	schtasks.exe
572	schtasks.exe
1552	schtasks.exe
960	schtasks.exe
788	schtasks.exe
2760	schtasks.exe
2672	schtasks.exe
1924	schtasks.exe
2844	schtasks.exe
1208	schtasks.exe
1316	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1664	powershell.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
396	Launcher.exe
1728	svchost.exe
1708	chargeable.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	2648	1231234.exe
Token: SeDebugPrivilege	3408	powershell.exe
Token: SeDebugPrivilege	244	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeDebugPrivilege	2008	Client.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	4512	zzzz.exe
Token: SeDebugPrivilege	4052	winlogon.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: 33	1728	svchost.exe
Token: SeIncBasePriorityPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	1708	chargeable.exe
Token: 33	1708	chargeable.exe
Token: SeIncBasePriorityPrivilege	1708	chargeable.exe
Token: SeDebugPrivilege	1048	$77Microsoft To Do.exe
Token: 33	1728	svchost.exe
Token: SeIncBasePriorityPrivilege	1728	svchost.exe
Token: 33	1708	chargeable.exe
Token: SeIncBasePriorityPrivilege	1708	chargeable.exe
Token: 33	1728	svchost.exe
Token: SeIncBasePriorityPrivilege	1728	svchost.exe
Token: 33	1708	chargeable.exe
Token: SeIncBasePriorityPrivilege	1708	chargeable.exe
Token: SeDebugPrivilege	3732	690c1b65a6267d6d0b201ba46089aabc.exe
Token: SeDebugPrivilege	488	winlogon.exe
Token: 33	1728	svchost.exe
Token: SeIncBasePriorityPrivilege	1728	svchost.exe
Token: 33	1708	chargeable.exe
Token: SeIncBasePriorityPrivilege	1708	chargeable.exe
Token: 33	1728	svchost.exe
Token: SeIncBasePriorityPrivilege	1728	svchost.exe
Token: 33	1708	chargeable.exe
Token: SeIncBasePriorityPrivilege	1708	chargeable.exe
Token: 33	3332	0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe
Token: SeIncBasePriorityPrivilege	3332	0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe
Token: 33	1728	svchost.exe
Token: SeIncBasePriorityPrivilege	1728	svchost.exe
Token: 33	1708	chargeable.exe
Token: SeIncBasePriorityPrivilege	1708	chargeable.exe
Token: 33	1728	svchost.exe
Token: SeIncBasePriorityPrivilege	1728	svchost.exe
Token: 33	1708	chargeable.exe
Token: SeIncBasePriorityPrivilege	1708	chargeable.exe
Token: SeDebugPrivilege	2876	winlogon.exe
Token: 33	1728	svchost.exe
Token: SeIncBasePriorityPrivilege	1728	svchost.exe
Token: 33	1708	chargeable.exe
Token: SeIncBasePriorityPrivilege	1708	chargeable.exe
Token: SeDebugPrivilege	2308	svchost.exe
Token: 33	1728	svchost.exe
Token: SeIncBasePriorityPrivilege	1728	svchost.exe
Token: 33	1708	chargeable.exe
Token: SeIncBasePriorityPrivilege	1708	chargeable.exe
Token: 33	1728	svchost.exe
Token: SeIncBasePriorityPrivilege	1728	svchost.exe
Token: 33	1708	chargeable.exe
Token: SeIncBasePriorityPrivilege	1708	chargeable.exe
Token: SeDebugPrivilege	2504	winlogon.exe
Token: 33	1728	svchost.exe
Token: SeIncBasePriorityPrivilege	1728	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
396	Launcher.exe
4148	651654794161616171771852588547475885414152526396369965885471452525258.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 3332	3368	AnaRAT.exe	81
PID 3368 wrote to memory of 3332	3368	AnaRAT.exe	81
PID 3368 wrote to memory of 3332	3368	AnaRAT.exe	81
PID 3368 wrote to memory of 5088	3368	AnaRAT.exe	82
PID 3368 wrote to memory of 5088	3368	AnaRAT.exe	82
PID 3368 wrote to memory of 5088	3368	AnaRAT.exe	82
PID 3368 wrote to memory of 4244	3368	AnaRAT.exe	83
PID 3368 wrote to memory of 4244	3368	AnaRAT.exe	83
PID 3368 wrote to memory of 2600	3368	AnaRAT.exe	84
PID 3368 wrote to memory of 2600	3368	AnaRAT.exe	84
PID 3368 wrote to memory of 2600	3368	AnaRAT.exe	84
PID 4244 wrote to memory of 2172	4244	62264.exe	85
PID 4244 wrote to memory of 2172	4244	62264.exe	85
PID 4244 wrote to memory of 2172	4244	62264.exe	85
PID 3368 wrote to memory of 2648	3368	AnaRAT.exe	86
PID 3368 wrote to memory of 2648	3368	AnaRAT.exe	86
PID 3368 wrote to memory of 1700	3368	AnaRAT.exe	87
PID 3368 wrote to memory of 1700	3368	AnaRAT.exe	87
PID 3368 wrote to memory of 4604	3368	AnaRAT.exe	88
PID 3368 wrote to memory of 4604	3368	AnaRAT.exe	88
PID 3368 wrote to memory of 4604	3368	AnaRAT.exe	88
PID 3368 wrote to memory of 3476	3368	AnaRAT.exe	89
PID 3368 wrote to memory of 3476	3368	AnaRAT.exe	89
PID 3368 wrote to memory of 3476	3368	AnaRAT.exe	89
PID 3368 wrote to memory of 1472	3368	AnaRAT.exe	90
PID 3368 wrote to memory of 1472	3368	AnaRAT.exe	90
PID 1700 wrote to memory of 1664	1700	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe	91
PID 1700 wrote to memory of 1664	1700	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe	91
PID 1472 wrote to memory of 244	1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe	110
PID 1472 wrote to memory of 244	1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe	110
PID 1472 wrote to memory of 3408	1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe	111
PID 1472 wrote to memory of 3408	1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe	111
PID 1472 wrote to memory of 1708	1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe	135
PID 1472 wrote to memory of 1708	1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe	135
PID 1472 wrote to memory of 4072	1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe	113
PID 1472 wrote to memory of 4072	1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe	113
PID 1472 wrote to memory of 2824	1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe	114
PID 1472 wrote to memory of 2824	1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe	114
PID 4244 wrote to memory of 2680	4244	62264.exe	120
PID 4244 wrote to memory of 2680	4244	62264.exe	120
PID 4244 wrote to memory of 2680	4244	62264.exe	120
PID 1472 wrote to memory of 2960	1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe	121
PID 1472 wrote to memory of 2960	1472	a6a1abaf12a28ea8f6553356c3bdcf57.exe	121
PID 1700 wrote to memory of 2008	1700	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe	123
PID 1700 wrote to memory of 2008	1700	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe	123
PID 1700 wrote to memory of 396	1700	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe	124
PID 1700 wrote to memory of 396	1700	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe	124
PID 1700 wrote to memory of 2876	1700	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe	125
PID 1700 wrote to memory of 2876	1700	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe	125
PID 2960 wrote to memory of 3020	2960	cmd.exe	126
PID 2960 wrote to memory of 3020	2960	cmd.exe	126
PID 2960 wrote to memory of 2024	2960	cmd.exe	129
PID 2960 wrote to memory of 2024	2960	cmd.exe	129
PID 1700 wrote to memory of 4512	1700	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe	130
PID 1700 wrote to memory of 4512	1700	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe	130
PID 1700 wrote to memory of 4512	1700	150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe	130
PID 2600 wrote to memory of 3280	2600	73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe	131
PID 2600 wrote to memory of 3280	2600	73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe	131
PID 2600 wrote to memory of 3280	2600	73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe	131
PID 5088 wrote to memory of 3732	5088	690c1b65a6267d6d0b201ba46089aabc.exe	132
PID 5088 wrote to memory of 3732	5088	690c1b65a6267d6d0b201ba46089aabc.exe	132
PID 5088 wrote to memory of 3732	5088	690c1b65a6267d6d0b201ba46089aabc.exe	132
PID 5088 wrote to memory of 3732	5088	690c1b65a6267d6d0b201ba46089aabc.exe	132
PID 5088 wrote to memory of 3732	5088	690c1b65a6267d6d0b201ba46089aabc.exe	132

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zzzz.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2786730451-600132509-465537259-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zzzz.exe

C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\AnaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\AnaRAT.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Users\Admin\AppData\Local\0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe
  "C:\Users\Admin\AppData\Local\0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3332
- C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe
  "C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe
    "C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3732
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:4596
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1316
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4F15.tmp.bat""
      4⤵
      System Location Discovery: System Language Discovery
      PID:3800
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4776
    - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3656
      - C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
- C:\Users\Admin\AppData\Local\62264.exe
  "C:\Users\Admin\AppData\Local\62264.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SCRIPT~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SCRIPT~1.EXE
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2172
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2680
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1728
- C:\Users\Admin\AppData\Local\73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe
  "C:\Users\Admin\AppData\Local\73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:3280
  - - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1708
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1140
- C:\Users\Admin\AppData\Local\1231234.exe
  "C:\Users\Admin\AppData\Local\1231234.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp20E.tmp.bat""
    3⤵
    PID:4804
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2308
  - - C:\Users\Admin\AppData\Roaming\DriverrHub\$77Microsoft To Do.exe
      "C:\Users\Admin\AppData\Roaming\DriverrHub\$77Microsoft To Do.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1048
- C:\Users\Admin\AppData\Local\150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe
  "C:\Users\Admin\AppData\Local\150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1664
- - C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2008
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" & exit
      4⤵
      PID:3284
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2760
- - C:\Users\Admin\AppData\Local\Temp\Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\zzzz.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2876
- - C:\Users\Admin\AppData\Local\Temp\zzzz.exe
    "C:\Users\Admin\AppData\Local\Temp\zzzz.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:4512
- C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
  "C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4604
- C:\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe
  "C:\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3476
- - C:\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe
    "C:\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4148
- C:\Users\Admin\AppData\Local\a6a1abaf12a28ea8f6553356c3bdcf57.exe
  "C:\Users\Admin\AppData\Local\a6a1abaf12a28ea8f6553356c3bdcf57.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\explorer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:244
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\Registry.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\StartMenuExperienceHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\winlogon.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4072
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Application Data\dllhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2824
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lrznmoZiqm.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3020
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:2024
  - - C:\Program Files (x86)\MSBuild\winlogon.exe
      "C:\Program Files (x86)\MSBuild\winlogon.exe"
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:4052
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YNvu0ZNBRv.bat"
        5⤵
        
        PID:4888
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3008
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2000
      - C:\Program Files (x86)\MSBuild\winlogon.exe
        
        "C:\Program Files (x86)\MSBuild\winlogon.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wDZd8tkMKF.bat"
        7⤵
        
        PID:2844
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1212
        
        C:\Program Files (x86)\MSBuild\winlogon.exe
        
        "C:\Program Files (x86)\MSBuild\winlogon.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tDgUbHuaYy.bat"
        9⤵
        
        PID:2324
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4708
        
        C:\Program Files (x86)\MSBuild\winlogon.exe
        
        "C:\Program Files (x86)\MSBuild\winlogon.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H4KCibIlQI.bat"
        11⤵
        
        PID:4792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1128
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:5076
        
        C:\Program Files (x86)\MSBuild\winlogon.exe
        
        "C:\Program Files (x86)\MSBuild\winlogon.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZmmY05In2U.bat"
        13⤵
        
        PID:4192
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2068
        
        C:\Program Files (x86)\MSBuild\winlogon.exe
        
        "C:\Program Files (x86)\MSBuild\winlogon.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\59TFxmxilS.bat"
        15⤵
        
        PID:3152
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1520
        
        C:\Program Files (x86)\MSBuild\winlogon.exe
        
        "C:\Program Files (x86)\MSBuild\winlogon.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:5076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gu59oh2INm.bat"
        17⤵
        
        PID:484
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:792
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1080
        
        C:\Program Files (x86)\MSBuild\winlogon.exe
        
        "C:\Program Files (x86)\MSBuild\winlogon.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JTBpj7DN0q.bat"
        19⤵
        
        PID:2212
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3472
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4072
        
        C:\Program Files (x86)\MSBuild\winlogon.exe
        
        "C:\Program Files (x86)\MSBuild\winlogon.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zmeI2KvQxI.bat"
        21⤵
        
        PID:2976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3336
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:4656
        
        C:\Program Files (x86)\MSBuild\winlogon.exe
        
        "C:\Program Files (x86)\MSBuild\winlogon.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Sow6ZWML2c.bat"
        23⤵
        
        PID:640
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1908
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:988
        
        C:\Program Files (x86)\MSBuild\winlogon.exe
        
        "C:\Program Files (x86)\MSBuild\winlogon.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nsnMHUbNIT.bat"
        25⤵
        
        PID:2024
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2164
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1656
        
        C:\Program Files (x86)\MSBuild\winlogon.exe
        
        "C:\Program Files (x86)\MSBuild\winlogon.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w1PlbJmoj5.bat"
        27⤵
        
        PID:4264
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:3936
        
        C:\Program Files (x86)\MSBuild\winlogon.exe
        
        "C:\Program Files (x86)\MSBuild\winlogon.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YNvu0ZNBRv.bat"
        29⤵
        
        PID:1040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:4036
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1272
        
        C:\Program Files (x86)\MSBuild\winlogon.exe
        
        "C:\Program Files (x86)\MSBuild\winlogon.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:3148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rqkgCRh4V5.bat"
        31⤵
        
        PID:3456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:2592
        
        C:\Program Files (x86)\MSBuild\winlogon.exe
        
        "C:\Program Files (x86)\MSBuild\winlogon.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:3080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oqrXfpsIjp.bat"
        33⤵
        
        PID:3124
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:672
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1096
        
        C:\Program Files (x86)\MSBuild\winlogon.exe
        
        "C:\Program Files (x86)\MSBuild\winlogon.exe"
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7xCWyoowwY.bat"
        35⤵
        
        PID:4216
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:764
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3004
        
        C:\Program Files (x86)\MSBuild\winlogon.exe
        
        "C:\Program Files (x86)\MSBuild\winlogon.exe"
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:3916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bw8qtkvcAA.bat"
        37⤵
        
        PID:3384
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        38⤵
        
        PID:1092
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        38⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1448
        
        C:\Program Files (x86)\MSBuild\winlogon.exe
        
        "C:\Program Files (x86)\MSBuild\winlogon.exe"
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:3548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2aNa3Lme8P.bat"
        39⤵
        
        PID:884
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        40⤵
        
        PID:4884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        40⤵
        
        PID:1700
        
        C:\Program Files (x86)\MSBuild\winlogon.exe
        
        "C:\Program Files (x86)\MSBuild\winlogon.exe"
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\59TFxmxilS.bat"
        41⤵
        
        PID:3648
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        42⤵
        
        PID:4168
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        42⤵
        
        PID:3060
        
        C:\Program Files (x86)\MSBuild\winlogon.exe
        
        "C:\Program Files (x86)\MSBuild\winlogon.exe"
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n5V8mQYRHr.bat"
        43⤵
        
        PID:3584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        44⤵
        
        PID:2272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        44⤵
        
        PID:860
        
        C:\Program Files (x86)\MSBuild\winlogon.exe
        
        "C:\Program Files (x86)\MSBuild\winlogon.exe"
        44⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hJpXqSaXt9.bat"
        45⤵
        
        PID:1552
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        46⤵
        
        PID:1080
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        46⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3336
        
        C:\Program Files (x86)\MSBuild\winlogon.exe
        
        "C:\Program Files (x86)\MSBuild\winlogon.exe"
        46⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2240
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L2HVdYORdu.bat"
        47⤵
        
        PID:3128
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        48⤵
        
        PID:1460
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        48⤵
        
        PID:408
        
        C:\Program Files (x86)\MSBuild\winlogon.exe
        
        "C:\Program Files (x86)\MSBuild\winlogon.exe"
        48⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:3800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mgdUlucqhJ.bat"
        49⤵
        
        PID:3904
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        50⤵
        
        PID:1208
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        50⤵
        
        PID:356
        
        C:\Program Files (x86)\MSBuild\winlogon.exe
        
        "C:\Program Files (x86)\MSBuild\winlogon.exe"
        50⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UPyb5cGVEK.bat"
        51⤵
        
        PID:484
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        52⤵
        
        PID:3048
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        52⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3156
        
        C:\Program Files (x86)\MSBuild\winlogon.exe
        
        "C:\Program Files (x86)\MSBuild\winlogon.exe"
        52⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:3624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tDgUbHuaYy.bat"
        53⤵
        
        PID:4656
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        54⤵
        
        PID:3372
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        54⤵
        
        PID:2592
        
        C:\Program Files (x86)\MSBuild\winlogon.exe
        
        "C:\Program Files (x86)\MSBuild\winlogon.exe"
        54⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\00M4WFsUwh.bat"
        55⤵
        
        PID:1452
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        56⤵
        
        PID:4848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        56⤵
        
        PID:1524
        
        C:\Program Files (x86)\MSBuild\winlogon.exe
        
        "C:\Program Files (x86)\MSBuild\winlogon.exe"
        56⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qeaogqjWuv.bat"
        57⤵
        
        PID:1704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        58⤵
        
        PID:2648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        58⤵
        
        PID:3412
        
        C:\Program Files (x86)\MSBuild\winlogon.exe
        
        "C:\Program Files (x86)\MSBuild\winlogon.exe"
        58⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:3548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D5NsnfB5Cg.bat"
        59⤵
        
        PID:328
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        60⤵
        
        PID:2796
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        60⤵
        
        PID:4164
        
        C:\Program Files (x86)\MSBuild\winlogon.exe
        
        "C:\Program Files (x86)\MSBuild\winlogon.exe"
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ycQG8Pfyun.bat"
        61⤵
        
        PID:688
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        62⤵
        
        PID:1040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        62⤵
        
        PID:984
        
        C:\Program Files (x86)\MSBuild\winlogon.exe
        
        "C:\Program Files (x86)\MSBuild\winlogon.exe"
        62⤵
        Executes dropped EXE
        
        PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Google\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Application Data\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Application Data\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Program Files\Google\explorer.exe
"C:\Program Files\Google\explorer.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3464

C:\Windows\BitLockerDiscoveryVolumeContents\StartMenuExperienceHost.exe
C:\Windows\BitLockerDiscoveryVolumeContents\StartMenuExperienceHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:972

C:\Users\Admin\Application Data\dllhost.exe
"C:\Users\Admin\Application Data\dllhost.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4784

C:\Program Files\Google\explorer.exe
"C:\Program Files\Google\explorer.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3548

C:\Windows\BitLockerDiscoveryVolumeContents\StartMenuExperienceHost.exe
C:\Windows\BitLockerDiscoveryVolumeContents\StartMenuExperienceHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1184

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\Registry.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\Registry.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4964

C:\Program Files (x86)\MSBuild\winlogon.exe
"C:\Program Files (x86)\MSBuild\winlogon.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
122B

MD5
94d61fda8abb98e0681931e176ac7938

SHA1
e1ca50b7141b0fb105dc7f288e2b6f1c27244f53

SHA256
6f83eb62f901a710ebd0c5e05d0520f7bc2e66be3526ead58a6040c4ebc17453

SHA512
7bc41c07b745d63eb06c15fa3525ab32b245c09b03cf28700886a06367239b1ee3e0f3de6d906d0f3d0ab29132c363734a5a659247d995a3698cb895a4bc2cbe

Download Submit
C:\Users\Admin\AppData\Local\0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe

Filesize
446KB

MD5
385585748cd6feff767a913bd76c2457

SHA1
1bedac2bc0da78c4dbaaf3914816d84f5c08f005

SHA256
0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5

SHA512
80619ee207d6c5a352d811405c40bcb9043fb2b2759ad40575e03e9e7b89f4ad55f6bc01dfe62a64b42dcd9b3b5bfef10503ce72f4efa0d2e39546f92047a880

Download Submit
C:\Users\Admin\AppData\Local\1231234.exe

Filesize
37KB

MD5
8f00376c7ee9fb1653dc2ae09afa5589

SHA1
0005d278c062b496628e9c2a27043e87fc05689e

SHA256
6d2223ee967236cbc2c35809fce753553cfdb0aac7ba34e7087e19d61eecaa18

SHA512
2512a5b67867c7c1cfbc19f7adc7ad56c3a2bf821f0c74341d0e69ee89dc20bbdc9118714d67ada6a846edced58afc6d01b0fe7560f2166e02c9044f85bc00f9

Download Submit
C:\Users\Admin\AppData\Local\150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe

Filesize
227KB

MD5
1a83a244d9e90a4865aac14bc0e27052

SHA1
d2b65e7aed7657c9915f90f03d46902087479753

SHA256
150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712

SHA512
f4b9d26d8a0841f9425abf038f85563ddee65e2404bc508fd23c8023bb565fd7f0ceaeaadde49c4951d3bbbb93f6b64b3cf610464855a2bf2d418477dd4fe03f

Download Submit
C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe

Filesize
233KB

MD5
4ef3177a2e94ce3d15ae9490a73a2212

SHA1
a34f47568ce7fcea97a002eebeae385efa98790c

SHA256
87353d18dfdebf4d0747bbf21d58adaed2b04060d61cba3fa052d522640520f0

SHA512
635ce5c0d1b9f7dd5d7b4c00f216af06dc7d818132ba87a57d3d54f6b30ee01f64430d2aa265f60027cc58dc2e738d5b674ee36ffdca34ff540ce44b7da7c502

Download Submit
C:\Users\Admin\AppData\Local\62264.exe

Filesize
198KB

MD5
f30e9ff8706f3ec72c82a74ee6328db9

SHA1
b526d52d22600b28892f898a717eb25779ef3044

SHA256
d22bf8ad4fc9b769ea2944bbdee78277ab29bac7199407baf7c3b489568a9489

SHA512
a21220d5f1818c9c5aa55cf8560365888046a090b8892a9d87919b48ac921bd2fdfd6016ace77fa8205fde067c7d45cb01032a47f4325fcac560361d66cc58f6

Download Submit
C:\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe

Filesize
1.6MB

MD5
e2100d88aca7c0a44ba9bb988ccd3916

SHA1
ddaf17adbc769556037bb4fbf4bce7065bf57ef3

SHA256
75f846b15fa1b548a0143f35584b25875a03c03a783e9310c8573f3b76957688

SHA512
5b7fb077ea9d7d1310db3eb26b6624e3d12fe9f3d55d0a37d57c28197dab7e05449c6611d5b9a02f054d8ad790e12050228c8d7b913bb55e3f2b0da694c67ec5

Download Submit
C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe

Filesize
608KB

MD5
690c1b65a6267d6d0b201ba46089aabc

SHA1
9eb6859bae82bcf8b9df7cf4fc061cd9155fdc39

SHA256
244f3a2fad1afa232909355901f33cca18ea95444c5d142c7aa308170db5294f

SHA512
cc540851386a3b98227822b2c952a57caf15db4563f9c246b8be5bca0989aaff70e64191d010738db86598d76dd8ad4e59a50965224db9f623edb64f2f8b3e2a

Download Submit
C:\Users\Admin\AppData\Local\73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe

Filesize
110KB

MD5
0dcc21bdebe05957ca2922be486abe22

SHA1
8bcbd8a839a58e0050c17221e6a1cc775f07586b

SHA256
73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3

SHA512
0752ba22340fd3383132243580cb28a147e67b42bb920af8c0fde491d550556fdfa296e70d94f2ce9798faddd0dad4664e2c2edda8f6604b9ba9e63e8f875e0f

Download Submit
C:\Users\Admin\AppData\Local\JMSGLQKO\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\JMSGLQKO\FileGrabber\Desktop\EditCompare.ini

Filesize
444KB

MD5
d0cb5e64f028feb9147b326fd10864cd

SHA1
e55c76c3b82e9819ce117c58c9ca45036d5ee1e1

SHA256
d591748b6991bf2a0faa408e472c74e1fa2374751c9658e1ccb1c7af0d7cf43a

SHA512
6b99e265bc2cb8e7f04f62f06aa87b16b381244333b8915625d895f07cad0a934e78864af8acd4cea6dd993f707b7ea549eb5f0407f9c1c361ba259830e3f437

Download Submit
C:\Users\Admin\AppData\Local\JMSGLQKO\FileGrabber\Desktop\UnpublishSave.docx

Filesize
586KB

MD5
cc2940f3d11d1c933b389915880504dc

SHA1
1437609ae9e153431f6493a88219f1a4bc8cca3f

SHA256
e0ce644cdfc81c31c84ebc417638797e1cbf457e76c4dfd68f25ff99adbc0cd9

SHA512
e826d33422a8c9e039ce6e095bb95653e0398a7b6030706862268ffa4df2a6f59dec6e51ab262ae1150217cc915ac2bae7bf31cee69ad5c92aa673d2d30218cb

Download Submit
C:\Users\Admin\AppData\Local\JMSGLQKO\FileGrabber\Documents\AddStep.pdf

Filesize
1.0MB

MD5
814e80632d17fddb8f370e8ea32d71c2

SHA1
60af5b4caa8134a0f63f999648af838d52a56776

SHA256
63eef42578c64b0ac521cdd33dd849fb9795dcb5eba556ac5e315edd44028650

SHA512
bf5052c6cdd869007f69abcc4657bce1e02986bc9676429a3ecaddf4928e11999c760a0f96253bbe90c41a1b9e40caad1bbeedddc901d23d16e14cc339a4644b

Download Submit
C:\Users\Admin\AppData\Local\JMSGLQKO\FileGrabber\Documents\LimitConvert.html

Filesize
3.3MB

MD5
b1232319066cf6bb33470b6e2ab44210

SHA1
401a1797bf92ec78149b4c5716466bde5f585b43

SHA256
6db45d12b1992de6ec6be97d691aae299a0d5f911d3ca4df0a7f1ae12af327f2

SHA512
c2ab166923ebb83a59c56a85cd59424d19c1ee66c0c0f39add2eb8aaeae7c8b0a6bb5c6ed5b9abaabe295002953b71726f6fbc99dd4e5c0a5ed0ef1e4e48ccba

Download Submit
C:\Users\Admin\AppData\Local\JMSGLQKO\FileGrabber\Downloads\JoinSync.html

Filesize
812KB

MD5
04cff06ceb4959afbf1d2dd7e48e11b4

SHA1
0f9ed3e2f9d3c033fdce4d689236997a90bc7b15

SHA256
9a5aa7f1ce02930ee4439822bf3ec1b91a6fae20698d988d2ad73910f2f52f8a

SHA512
07bc80a3281b111413915345c18f685b7c02c493a4cfc5f5b9fd4f46bb882af127ec5a22f27113236f29a20d2316181cb6afecd2035b838870bc76602906729d

Download Submit
C:\Users\Admin\AppData\Local\JMSGLQKO\FileGrabber\Downloads\ResizeConfirm.png

Filesize
705KB

MD5
6a0db73aba76303f34d710b39773a78e

SHA1
b777d3d1f7591d51998a6c39a7cd9b51c677c600

SHA256
b2eb2fc7e259e2bc0864ccec0a1ef335b7b41cdef53d4ceabafe0abf1f4f2f0b

SHA512
1567467fff3ca7be724686a7f02d4a8e42c811a4a40a3310832db6f11b41d13ad283a42d85e3595f77aa2bca688df2708e3471f03aba49c8342b6614a2daa3ab

Download Submit
C:\Users\Admin\AppData\Local\JMSGLQKO\FileGrabber\Pictures\ConvertToSend.svg

Filesize
972KB

MD5
f9de5a8d3251f4b0f698c8c1588a9d70

SHA1
dec35478e2e82e36eb0c0f3c90ecf2498dd28de0

SHA256
fce6a0e09903cf9fad0c874e7df9c8330a3873e06b0c29b5eb5e7a17915dc1d3

SHA512
a95376771840803a64b7c43556783add9d4fb50eb15d8e8fc267b0ca4394e3dd6df2d9ebac21803b902024c353c8dacfd6a59f8c923fa3e8eda0b0024fe3033e

Download Submit
C:\Users\Admin\AppData\Local\JMSGLQKO\FileGrabber\Pictures\ReceiveConnect.bmp

Filesize
1.1MB

MD5
242b553560110cc46640b871333d0993

SHA1
596e2124b757572ffcf67d9d7b4b289129dab446

SHA256
31a4dc6797d3c153cb1d8c6399555a5804693b7f8e7b8cd1340b54332b8d39b9

SHA512
915a5fcb791cf2b10cfdccde8b44788af816f9fe6c0e81a72114aa6cbcd2cc3941eefd63d1effb9017d1791d1aec9fdee1652f88c14affc7ebe7bd71ef3e254c

Download Submit
C:\Users\Admin\AppData\Local\JMSGLQKO\Process.txt

Filesize
4KB

MD5
9fdf169099e9214ae00698e93b09296c

SHA1
e37169d51287801dd495d430366684edc0c34745

SHA256
7924f06a86e875996a1a51ee04697879bfc9e8f2a7778816e5a92efcb505c03d

SHA512
a50d28c7da457983601d2fcf69084a62b2ba4755666051b787f1ab1bb3b5e3659f4aab8ef4bf7f1ff070569edb3a0cf0141c33b7b8236b05086ef7206e27ef70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log

Filesize
400B

MD5
120bfac9d59228edf92ec26d4bbfaf9e

SHA1
bc36d828b7f358671ef0cb934c4ab2fdfb02b447

SHA256
c4c6e7ef90b460bf232e55933594a95ba4a2d156fa5accb06d1c7c2f817fcf35

SHA512
684f086ff7d41d85782b21f5bc7e79584f5866f3c06eabbca2c5a697c1d142aa81e0dc25c78be978ba67e9e6fc014f3b62d1da114dc1bb009c7637491a619137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log

Filesize
1KB

MD5
ff57aee42af564848904a21322229214

SHA1
f71bfedd2de67380b807843d2613fa58cf52d87c

SHA256
3d58419ab8c9ce80e4823e05b37697e0614e7a0d0464c7ae625cd6869d77a5ab

SHA512
88b12a8752359882e3622c2e7666720d10366c59989b43393523e71e93de4111a9565bcc158337d548c8d051cb0da0b824856b5eee91a9c2352925bea0717ee3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\690c1b65a6267d6d0b201ba46089aabc.exe.log

Filesize
1KB

MD5
bc39854661a6b32a76bb89194cb4f97d

SHA1
aaa2fe4865ad144fc246a5109df804068c0e6aae

SHA256
8c743434094ed0f13f342c8c34d31d35067abc2c143668aea6fbf2f9793d4104

SHA512
44f9c3f41c39ac1f187b129bc91d8ef35a69b14643f5a520267cee84d9f7d837d0dc5361433ea519c33bc1237123e59c83009a4f0a2fbc1658c89c5d61600101

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

Filesize
1KB

MD5
7e1ed0055c3eaa0bbc4a29ec1ef15a6a

SHA1
765b954c1adbb6a6ecc4fe912fdaa6d0fba0ae7d

SHA256
4c17576f64dea465c45a50573ee41771f7be9962ab2d07f961af4df5589bdcce

SHA512
de7c784c37d18c43820908add88f08ab4864c0ef3f9d158cc2c9d1bab120613cb093dd4bfc5d7ed0c289414956cfe0b213c386f8e6b5753847dec915566297c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3840d9bcedfe7017e49ee5d05bd1c46

SHA1
272620fb2605bd196df471d62db4b2d280a363c6

SHA256
3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

SHA512
76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59de841975cea5c045c2883ecdcd2e70

SHA1
020aee4a942de398cd857ce2041433082c026c03

SHA256
f69868801f4042873d4fa598cd30374bce211bb8273cb67147b0a9035517b14d

SHA512
386e7e6953e25c5c6566b02a6c245d087c1844d872009e2d1a1ed57488ea1c4b1fee535c2cd24b65f1dc25df40d9c5c3c7a3630756365936298f5a27033e4796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
33db5b5f393cd18bf37308dc10e4b112

SHA1
0032feff5d4698e6c9c0b5207ea2e204aea49ca1

SHA256
df56410addd3027dbf24afe9df4803c76b3281f3209d1b0338f424758a9ff281

SHA512
5379f777ff7606de1219448e079357fde1d03f7bcfc1b47c43920557eff8775ee17f442b10fa971f1df5aa3d509fcf2888a67685c3f1738a090212037119abe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4ddc1e3ff67420b3dda22865773d9bb6

SHA1
73d5c798995cb645bb941675e4e6b187d67b55ad

SHA256
6ff4024dc1542f862d90e62b0313486afdbee5f5a6f9a39a39943c03189322b9

SHA512
17d52522f4c28e8c3cef4335eda8c1d3e202de5cf771db46924776c51cea6a403b3b13f0651095618c4a0578859bd86cacebd8b2f069c89f0b75ac93d7ae696c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d9a6ea8e743049ae53038c5a65a78c57

SHA1
293ccb70a18993b9d07f3650bd4ed9d97bdb0055

SHA256
b2e354795e698af03dbab0276d473bb2cf797e87e4f47697890e710a20fd9392

SHA512
266805e9c18a7ab7760f5accf3b5ed2e7b6bad4ef9a7255d8b9ec99dd876f04917073998ebb09e58d3334ada84416bc4a7b2e8cf177c934d9ddc31aadb790f13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6f0e62045515b66d0a0105abc22dbf19

SHA1
894d685122f3f3c9a3457df2f0b12b0e851b394c

SHA256
529811e4d3496c559f3bd92cd877b93b719c3ac4834202aa76ab9e16e25f9319

SHA512
f78426df6032ee77f8c463446ab1c6bb4669ef7a2463dead831ec4ff83a07d7dc702d79372d8bcaf4594bf0fb6e11e9f027f3e0325de9b19be5f51b7b80ed54a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
100KB

MD5
21560cb75b809cf46626556cd5fbe3ab

SHA1
f2eec01d42a301c3caacd41cddb0ef2284dbb5a6

SHA256
d2525bab5cb322933c8978880975e0c189feece68ae3f1951bf46297c7f640fa

SHA512
21eac0037b16f968ee8743b52dc73efdd34d24c2502d090b399a552dc6cb75f7d3090c10d448c66b868b1c4a7c46a5068b084b88b487e40b1e755356cb7557db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SCRIPT~1.EXE

Filesize
210KB

MD5
4ca15a71a92f90c56b53d9d03da17657

SHA1
3d610aee0423eea84ad9dc0df7865e1bed982327

SHA256
ab532f166e08886166c0ed6426bb6a8998de8273d37ccac5823528a1ba3d8ca1

SHA512
e0d9e11b9a0fb84bab21cbe4638ead80319a9b38ed810a59a612ab844331adec32f2499425b0d9269f2eb3714e497ad31c9bdfded1f829533cc77bf2dea6464f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\script-error.xml

Filesize
19B

MD5
fdb26e74f4d6ca3a02af55b15fcca7f2

SHA1
7d990a1a4062fc3f0ae117dc72f47bcb3ef66425

SHA256
49704e6fd30fc98988f40be963296c81b95662d7f3af605c372cd0344ab78e1b

SHA512
36a82624ee8173bacffdf978e00f9c5ffe96bd6b27ba1230f2891a11bc301908ed6ea790c75669219c7445489806f00ba67eda2ea7346396ca3304e02c6fec7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\script-error.zip

Filesize
308B

MD5
b3609673caf3522ae50fe7b2f69b46f2

SHA1
c14f39aa78398030b84ab6b3d36014483b97a520

SHA256
c2423419d653bf31077eb40ad665590445b5baac4f82948822c8ed55fc009c4d

SHA512
be15ca57e7b80049c35a37f216fb1387b89d68440494c81e7e8b21644dbab8ab161119a37475ad873d144ceae105ec2c61097f0c115f078cde961bc38e6f28b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe

Filesize
152KB

MD5
4b6d4727ca3c277e5af47092ec9e3ef1

SHA1
8faea131181960c1f43ccee6a2b7bcdaa23fcd81

SHA256
5fb62cc6421cf636023381cc6fd5a06e3b326a58ea3d3ce9c879f1cc408519f4

SHA512
8a1814ec549a42771cbe83fe7612d7e269af27d092a5c0ae685e92772dc7effd2b14829090f0b12edfbabeb9804f80558f2b316efb4f48a6a3b500b1172c2bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Launcher.exe

Filesize
22KB

MD5
4c8f3a1e15f370ca8afe2992902a6e98

SHA1
dc6324d924ac31bea4ad7e4dd6720ecdad3877dd

SHA256
dcdc72549f7ad41cc860738adbeee5e44f02222415fd84ed5c92538ac9049b92

SHA512
b63c4e48f3024edcf1e1391b5df6ff65fc5111849eb093b429fa0f21c03339dbaeff835f18e250758498f3432874b85348530e47b2ada93f6f68615a5ccf66c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\YNvu0ZNBRv.bat

Filesize
171B

MD5
174fd9388e8b1d09bb6012e8e06b9c4f

SHA1
7131a4b429b2e1bb81edac9fcb678e70477aa98c

SHA256
b0b1abe1d7f4104164e4c49e23dbea8b1a592e289bdbe3a43b4f736d7a19dca8

SHA512
f89796f3ce56681389eee57123f389ddd700f0a3dc9f1676a15a05e5a63ac683ddd78747e3b673e645688878de31b0ae7f7a15a9e0914b4a1835749203880982

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c4hgghfq.uvl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\lrznmoZiqm.bat

Filesize
219B

MD5
b2d0a78ad9d2a3f7463fd485aeeaf652

SHA1
48d4eadedc8e777403ccabf342f7cd9c7e01c3f0

SHA256
063ea7eb6a121320304027a9fe357a2bbfba86ca1513d30fa0592f300a1cb00f

SHA512
56cccfb60216219873c594ef8da971701596a360eca0964e4868822746512f8c52cb8fbd1891573b06d473e06dc82894632addfe9051d50ffef9f10760653576

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp20E.tmp.bat

Filesize
172B

MD5
f31a886c9eddee8c6f753d02da63963f

SHA1
2082887aad5084834fc75f638315950981e87141

SHA256
8e28ae0d8bdc8453a1924c54f3d59b818b2c9e8e336441a2393fde98b5f1fea2

SHA512
3f683a1b83ae0b5aea09394eb00c282b5d62e966e457698451dcb3a7ae363d948933ed58297013f0d5df075140fbf83ab805f9000a8870d6473e0a6996eb466e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4F15.tmp.bat

Filesize
154B

MD5
c008583ee3b4c7eba1192573048997f3

SHA1
9fcd1ce1b24deec0af6a050f699b2958041e900b

SHA256
d843acbb735d3602feb7a23070e908d0ab87d82e0fde3dfc9e3d4436e518ba8d

SHA512
74b900b2efe2edd72ebe1795327a700e4cbb7ecf05e286fcd24160fa8c70271e8a2444b8dae515cd8ee7e81bb25f2b58e48f06799213fa76ec442a6bb420ed6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzzz.exe

Filesize
320KB

MD5
de4824c195cf1b2bb498511ef461e49b

SHA1
f15ca6d0e02c785cce091dbd716cd43e3f5a80bd

SHA256
51813dfedbe02f03d08b4728187eadb4948d8be40c9d8fe6e4e1cb61fa7ae209

SHA512
b211a636f2799d90ce38348dbbc7dbc69ac5374129c7896a137f03a57fe78139a030c1edb90cfc4203799d77a8720df431da75986aa1d8b16274030ad1db770a

Download Submit
C:\Users\Admin\AppData\Local\a6a1abaf12a28ea8f6553356c3bdcf57.exe

Filesize
874KB

MD5
a6a1abaf12a28ea8f6553356c3bdcf57

SHA1
b7613fb9944bc3d8e11b5eb6f7ff706f04e8ad53

SHA256
f2507211585dfe351ff53086f30b42572db223b2646e45f91b7f3e202bb0bb76

SHA512
e525d119128c1ca1c05d379b9ebba9791b7b15390c8999773bff6517fde674178e17ee2c7c126b249c8c54b4dd1c07326ba24d52c8c192f067bc7e8545113a65

Download Submit
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Filesize
110KB

MD5
167b5c6260f714be50f3cbb4fb999384

SHA1
1f1bae100fc1e448e200b0187f7cb4cc38734289

SHA256
acb2e1558174fc39e3c3273e51b1e2117d6f82d6e3566679b4b773f07448f053

SHA512
9f8e4054d97647d7a7303a107588aa1afb98d602da052c67c4c550a2a0919645826f28eaa0921b69a58effbcfa82e5deedc7eb775fe0f2eade76eb5a478fb75a

Download Submit
C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/384-1819-0x000000001DDA0000-0x000000001DE4F000-memory.dmp

Filesize
700KB

Download
memory/384-1706-0x000000001DDA0000-0x000000001DE4F000-memory.dmp

Filesize
700KB

Download
memory/488-957-0x000000001DC50000-0x000000001DCFF000-memory.dmp

Filesize
700KB

Download
memory/488-1073-0x000000001DC50000-0x000000001DCFF000-memory.dmp

Filesize
700KB

Download
memory/1472-119-0x0000000001370000-0x0000000001376000-memory.dmp

Filesize
24KB

Download
memory/1472-116-0x0000000001360000-0x0000000001366000-memory.dmp

Filesize
24KB

Download
memory/1472-132-0x000000001B790000-0x000000001B79E000-memory.dmp

Filesize
56KB

Download
memory/1472-153-0x000000001CCC0000-0x000000001CCCC000-memory.dmp

Filesize
48KB

Download
memory/1472-151-0x000000001CC40000-0x000000001CC4E000-memory.dmp

Filesize
56KB

Download
memory/1472-143-0x000000001CBD0000-0x000000001CBDC000-memory.dmp

Filesize
48KB

Download
memory/1472-141-0x000000001CBC0000-0x000000001CBCE000-memory.dmp

Filesize
56KB

Download
memory/1472-134-0x000000001CBE0000-0x000000001CBFC000-memory.dmp

Filesize
112KB

Download
memory/1472-115-0x0000000000A50000-0x0000000000B2C000-memory.dmp

Filesize
880KB

Download
memory/1472-139-0x000000001B7A0000-0x000000001B7AE000-memory.dmp

Filesize
56KB

Download
memory/1472-137-0x000000001CCA0000-0x000000001CCB8000-memory.dmp

Filesize
96KB

Download
memory/1472-183-0x000000001D320000-0x000000001D3CF000-memory.dmp

Filesize
700KB

Download
memory/1472-118-0x000000001B9C0000-0x000000001BB44000-memory.dmp

Filesize
1.5MB

Download
memory/1472-135-0x000000001CC50000-0x000000001CCA0000-memory.dmp

Filesize
320KB

Download
memory/1664-149-0x0000019CB2150000-0x0000019CB2172000-memory.dmp

Filesize
136KB

Download
memory/1700-85-0x0000000000340000-0x0000000000380000-memory.dmp

Filesize
256KB

Download
memory/1708-434-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2008-247-0x00000000004B0000-0x00000000004D0000-memory.dmp

Filesize
128KB

Download
memory/2504-1575-0x000000001E910000-0x000000001E9BF000-memory.dmp

Filesize
700KB

Download
memory/2504-1474-0x000000001E910000-0x000000001E9BF000-memory.dmp

Filesize
700KB

Download
memory/2644-1963-0x000000001E7A0000-0x000000001E84F000-memory.dmp

Filesize
700KB

Download
memory/2644-2077-0x000000001E7A0000-0x000000001E84F000-memory.dmp

Filesize
700KB

Download
memory/2648-66-0x0000000000B60000-0x0000000000B6E000-memory.dmp

Filesize
56KB

Download
memory/2680-200-0x0000000005EE0000-0x0000000005EEC000-memory.dmp

Filesize
48KB

Download
memory/2680-181-0x0000000000AE0000-0x0000000000B0C000-memory.dmp

Filesize
176KB

Download
memory/2876-1330-0x000000001E630000-0x000000001E6DF000-memory.dmp

Filesize
700KB

Download
memory/2876-1216-0x000000001E630000-0x000000001E6DF000-memory.dmp

Filesize
700KB

Download
memory/3332-123-0x0000000010000000-0x00000000101A5000-memory.dmp

Filesize
1.6MB

Download
memory/3332-120-0x0000000010000000-0x00000000101A5000-memory.dmp

Filesize
1.6MB

Download
memory/3332-124-0x0000000010000000-0x00000000101A5000-memory.dmp

Filesize
1.6MB

Download
memory/3332-122-0x0000000010000000-0x00000000101A5000-memory.dmp

Filesize
1.6MB

Download
memory/3368-0-0x0000000075171000-0x0000000075172000-memory.dmp

Filesize
4KB

Download
memory/3368-114-0x0000000075170000-0x0000000075721000-memory.dmp

Filesize
5.7MB

Download
memory/3368-1-0x0000000075170000-0x0000000075721000-memory.dmp

Filesize
5.7MB

Download
memory/3368-2-0x0000000075170000-0x0000000075721000-memory.dmp

Filesize
5.7MB

Download
memory/3476-490-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/3476-493-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/3656-955-0x0000000007300000-0x0000000007316000-memory.dmp

Filesize
88KB

Download
memory/3656-837-0x0000000005F40000-0x0000000006297000-memory.dmp

Filesize
3.3MB

Download
memory/3732-377-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4052-757-0x000000001E720000-0x000000001E7CF000-memory.dmp

Filesize
700KB

Download
memory/4052-590-0x000000001E720000-0x000000001E7CF000-memory.dmp

Filesize
700KB

Download
memory/4148-492-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/4148-496-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/4148-497-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/4148-500-0x0000000000590000-0x0000000000612000-memory.dmp

Filesize
520KB

Download
memory/4512-312-0x00000000061F0000-0x0000000006256000-memory.dmp

Filesize
408KB

Download
memory/4512-282-0x0000000000120000-0x0000000000176000-memory.dmp

Filesize
344KB

Download
memory/4604-901-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4604-1847-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4604-86-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4604-772-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4604-2194-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4604-682-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4604-2018-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4604-985-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4604-1068-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4604-2276-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4604-1162-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4604-1936-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4604-1244-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4604-319-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4604-1331-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4604-1420-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4604-318-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4604-1502-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4604-554-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4604-1589-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4604-1678-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4604-2105-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4604-1760-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5076-2195-0x000000001E830000-0x000000001E8DF000-memory.dmp

Filesize
700KB

Download
memory/5088-368-0x0000000005500000-0x0000000005516000-memory.dmp

Filesize
88KB

Download
memory/5088-84-0x0000000000440000-0x00000000004DA000-memory.dmp

Filesize
616KB

Download
memory/5088-95-0x0000000005510000-0x0000000005AB6000-memory.dmp

Filesize
5.6MB

Download
memory/5088-97-0x0000000005060000-0x00000000053B7000-memory.dmp

Filesize
3.3MB

Download
memory/5088-96-0x0000000004E40000-0x0000000004ED2000-memory.dmp

Filesize
584KB

Download
memory/5088-110-0x0000000005AC0000-0x0000000005B5C000-memory.dmp

Filesize
624KB

Download
memory/5088-108-0x0000000004F20000-0x0000000004F2A000-memory.dmp

Filesize
40KB

Download
memory/5088-117-0x00000000054D0000-0x00000000054EE000-memory.dmp

Filesize
120KB

Download
memory/5088-373-0x00000000090D0000-0x0000000009124000-memory.dmp

Filesize
336KB

Download