asyncrat | 3ec383f0398d15c4b3f3d7c57bb916523dbafb4929503b4c4adca987b27d1d59

Analysis

max time kernel
146s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-09-2024 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Server.exe
Size

920KB
MD5

df9eddff9512b4eff624b492bdb8c791
SHA1

aa4623f25c3aa1687cc38b179246ae5874ee017f
SHA256

3ec383f0398d15c4b3f3d7c57bb916523dbafb4929503b4c4adca987b27d1d59
SHA512

d5abd0dade4229cda769b5c365dc37e0c2511683b2bd77f6b6bcc1541870280c642a0e24862d8afccff991b346b1fe5a8484328ea3af24acec1c6527253ac91e
SSDEEP

12288:4MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9niwQiKDKqaAs:4nsJ39LyjbJkQFMhmC+6GD9nhKeFf

Score

10^/10

asyncrat stormkitty default credential_access discovery persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7409950713:AAGOgqTx-C_IXW4TMVH0D3NzyJW8XztSM_c/sendMessage?chat_id=6059920057

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 8 IoCs

Processes:

resource	yara_rule
C:\ProgramData\Synaptics\Synaptics.exe	family_stormkitty
C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe	family_stormkitty
behavioral1/memory/2532-26-0x0000000000400000-0x00000000004EC000-memory.dmp	family_stormkitty
behavioral1/memory/1688-29-0x0000000000C60000-0x0000000000C92000-memory.dmp	family_stormkitty
behavioral1/memory/2904-38-0x0000000001390000-0x00000000013C2000-memory.dmp	family_stormkitty
behavioral1/memory/2592-277-0x0000000000400000-0x00000000004EC000-memory.dmp	family_stormkitty
behavioral1/memory/2592-288-0x0000000000400000-0x00000000004EC000-memory.dmp	family_stormkitty
behavioral1/memory/2592-322-0x0000000000400000-0x00000000004EC000-memory.dmp	family_stormkitty

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe	family_asyncrat

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Executes dropped EXE 3 IoCs

Processes:

._cache_Server.exeSynaptics.exe._cache_Synaptics.exe

pid process

1688 ._cache_Server.exe
2592 Synaptics.exe
2904 ._cache_Synaptics.exe
Loads dropped DLL 5 IoCs

Processes:

Server.exeSynaptics.exe

pid process

2532 Server.exe
2532 Server.exe
2532 Server.exe
2592 Synaptics.exe
2592 Synaptics.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2532	Server.exe
2532	Server.exe
2532	Server.exe
2592	Synaptics.exe
2592	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Server.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Server.exe

Drops desktop.ini file(s) 11 IoCs

Processes:

._cache_Synaptics.exe._cache_Server.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	._cache_Synaptics.exe
File opened for modification	C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	._cache_Synaptics.exe
File opened for modification	C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	._cache_Server.exe
File created	C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	._cache_Server.exe
File created	C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	._cache_Synaptics.exe
File opened for modification	C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	._cache_Server.exe
File opened for modification	C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	._cache_Server.exe
File created	C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	._cache_Synaptics.exe
File opened for modification	C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	._cache_Server.exe
File created	C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	._cache_Synaptics.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 icanhazip.com
9 icanhazip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
8	icanhazip.com
9	icanhazip.com

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Synaptics.execmd.execmd.exechcp.comcmd.exechcp.comEXCEL.EXEnetsh.exeServer.execmd.exechcp.comchcp.comnetsh.exenetsh.exe._cache_Server.exe._cache_Synaptics.exefindstr.exenetsh.exefindstr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
discovery

Wi-Fi Discovery
T1016.002

Processes:

netsh.exenetsh.execmd.execmd.exe

pid process

1812 netsh.exe
2100 netsh.exe
1088 cmd.exe
1896 cmd.exe

pid	process
1812	netsh.exe
2100	netsh.exe
1088	cmd.exe
1896	cmd.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

._cache_Server.exe._cache_Synaptics.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_Server.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_Synaptics.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2748 EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
2748	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

._cache_Server.exe._cache_Synaptics.exe

pid	process
1688	._cache_Server.exe
1688	._cache_Server.exe
2904	._cache_Synaptics.exe
2904	._cache_Synaptics.exe
1688	._cache_Server.exe
1688	._cache_Server.exe
2904	._cache_Synaptics.exe
2904	._cache_Synaptics.exe
1688	._cache_Server.exe
2904	._cache_Synaptics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

._cache_Synaptics.exe._cache_Server.exe

description pid process

Token: SeDebugPrivilege 2904 ._cache_Synaptics.exe
Token: SeDebugPrivilege 1688 ._cache_Server.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid process

2748 EXCEL.EXE

description	pid	process
Token: SeDebugPrivilege	2904	._cache_Synaptics.exe
Token: SeDebugPrivilege	1688	._cache_Server.exe

pid	process
2748	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Server.exeSynaptics.exe._cache_Synaptics.exe._cache_Server.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2532 wrote to memory of 1688	2532	Server.exe	._cache_Server.exe
PID 2532 wrote to memory of 1688	2532	Server.exe	._cache_Server.exe
PID 2532 wrote to memory of 1688	2532	Server.exe	._cache_Server.exe
PID 2532 wrote to memory of 1688	2532	Server.exe	._cache_Server.exe
PID 2532 wrote to memory of 2592	2532	Server.exe	Synaptics.exe
PID 2532 wrote to memory of 2592	2532	Server.exe	Synaptics.exe
PID 2532 wrote to memory of 2592	2532	Server.exe	Synaptics.exe
PID 2532 wrote to memory of 2592	2532	Server.exe	Synaptics.exe
PID 2592 wrote to memory of 2904	2592	Synaptics.exe	._cache_Synaptics.exe
PID 2592 wrote to memory of 2904	2592	Synaptics.exe	._cache_Synaptics.exe
PID 2592 wrote to memory of 2904	2592	Synaptics.exe	._cache_Synaptics.exe
PID 2592 wrote to memory of 2904	2592	Synaptics.exe	._cache_Synaptics.exe
PID 2904 wrote to memory of 1088	2904	._cache_Synaptics.exe	cmd.exe
PID 2904 wrote to memory of 1088	2904	._cache_Synaptics.exe	cmd.exe
PID 2904 wrote to memory of 1088	2904	._cache_Synaptics.exe	cmd.exe
PID 2904 wrote to memory of 1088	2904	._cache_Synaptics.exe	cmd.exe
PID 1688 wrote to memory of 1896	1688	._cache_Server.exe	cmd.exe
PID 1688 wrote to memory of 1896	1688	._cache_Server.exe	cmd.exe
PID 1688 wrote to memory of 1896	1688	._cache_Server.exe	cmd.exe
PID 1688 wrote to memory of 1896	1688	._cache_Server.exe	cmd.exe
PID 1896 wrote to memory of 2200	1896	cmd.exe	chcp.com
PID 1896 wrote to memory of 2200	1896	cmd.exe	chcp.com
PID 1896 wrote to memory of 2200	1896	cmd.exe	chcp.com
PID 1896 wrote to memory of 2200	1896	cmd.exe	chcp.com
PID 1088 wrote to memory of 2308	1088	cmd.exe	chcp.com
PID 1088 wrote to memory of 2308	1088	cmd.exe	chcp.com
PID 1088 wrote to memory of 2308	1088	cmd.exe	chcp.com
PID 1088 wrote to memory of 2308	1088	cmd.exe	chcp.com
PID 1088 wrote to memory of 1812	1088	cmd.exe	netsh.exe
PID 1088 wrote to memory of 1812	1088	cmd.exe	netsh.exe
PID 1088 wrote to memory of 1812	1088	cmd.exe	netsh.exe
PID 1088 wrote to memory of 1812	1088	cmd.exe	netsh.exe
PID 1896 wrote to memory of 2100	1896	cmd.exe	netsh.exe
PID 1896 wrote to memory of 2100	1896	cmd.exe	netsh.exe
PID 1896 wrote to memory of 2100	1896	cmd.exe	netsh.exe
PID 1896 wrote to memory of 2100	1896	cmd.exe	netsh.exe
PID 1896 wrote to memory of 3000	1896	cmd.exe	findstr.exe
PID 1896 wrote to memory of 3000	1896	cmd.exe	findstr.exe
PID 1896 wrote to memory of 3000	1896	cmd.exe	findstr.exe
PID 1896 wrote to memory of 3000	1896	cmd.exe	findstr.exe
PID 1088 wrote to memory of 2352	1088	cmd.exe	findstr.exe
PID 1088 wrote to memory of 2352	1088	cmd.exe	findstr.exe
PID 1088 wrote to memory of 2352	1088	cmd.exe	findstr.exe
PID 1088 wrote to memory of 2352	1088	cmd.exe	findstr.exe
PID 1688 wrote to memory of 1188	1688	._cache_Server.exe	cmd.exe
PID 1688 wrote to memory of 1188	1688	._cache_Server.exe	cmd.exe
PID 1688 wrote to memory of 1188	1688	._cache_Server.exe	cmd.exe
PID 1688 wrote to memory of 1188	1688	._cache_Server.exe	cmd.exe
PID 2904 wrote to memory of 2400	2904	._cache_Synaptics.exe	cmd.exe
PID 2904 wrote to memory of 2400	2904	._cache_Synaptics.exe	cmd.exe
PID 2904 wrote to memory of 2400	2904	._cache_Synaptics.exe	cmd.exe
PID 2904 wrote to memory of 2400	2904	._cache_Synaptics.exe	cmd.exe
PID 1188 wrote to memory of 2480	1188	cmd.exe	chcp.com
PID 1188 wrote to memory of 2480	1188	cmd.exe	chcp.com
PID 1188 wrote to memory of 2480	1188	cmd.exe	chcp.com
PID 1188 wrote to memory of 2480	1188	cmd.exe	chcp.com
PID 1188 wrote to memory of 2448	1188	cmd.exe	netsh.exe
PID 1188 wrote to memory of 2448	1188	cmd.exe	netsh.exe
PID 1188 wrote to memory of 2448	1188	cmd.exe	netsh.exe
PID 1188 wrote to memory of 2448	1188	cmd.exe	netsh.exe
PID 2400 wrote to memory of 1732	2400	cmd.exe	chcp.com
PID 2400 wrote to memory of 1732	2400	cmd.exe	chcp.com
PID 2400 wrote to memory of 1732	2400	cmd.exe	chcp.com
PID 2400 wrote to memory of 1732	2400	cmd.exe	chcp.com

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:2200
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2100
  - - C:\Windows\SysWOW64\findstr.exe
      findstr All
      4⤵
      System Location Discovery: System Language Discovery
      PID:3000
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1188
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:2480
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2448
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      Suspicious use of WriteProcessMemory
      PID:1088
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1812
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2352
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2400
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1732
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1852

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
920KB

MD5
df9eddff9512b4eff624b492bdb8c791

SHA1
aa4623f25c3aa1687cc38b179246ae5874ee017f

SHA256
3ec383f0398d15c4b3f3d7c57bb916523dbafb4929503b4c4adca987b27d1d59

SHA512
d5abd0dade4229cda769b5c365dc37e0c2511683b2bd77f6b6bcc1541870280c642a0e24862d8afccff991b346b1fe5a8484328ea3af24acec1c6527253ac91e

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\Directories\Desktop.txt

Filesize
592B

MD5
b2c4ac07384a5b50f4254eb3a0662cb2

SHA1
709b44c617135571089f29cf5764dce05f783dfb

SHA256
dded7ed56e6e4ec5a2e4f6992451742f354cd4c77138c099778726fee85142dd

SHA512
7f6d9b3f7fc6a4250b5738950763fda2f484328e9496c4ad821f7b2c0204f31d1f30502f0e4f69abf2a42d5cdb1cdea00a3882bae2e951a38d41611d8440915b

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\Directories\Documents.txt

Filesize
906B

MD5
acda14975d2606681a5fa00e8ff73df3

SHA1
1c928728b015fe5b41969cdc970d6fada62dea53

SHA256
b940db270866b4b8200dd47a9d1ddf749266a60c22a1d3cc1da9772b4320607c

SHA512
ac2c286535a303807177ba65bd9d8f1c875f75546f9375d1cba31b2b8cab4b4979653630092adf73f23c90c4a6e06920ebed1745ce1dc30d349a53859e0bb3c9

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\Directories\Downloads.txt

Filesize
620B

MD5
c2d43822de3e19c2980522752b73f331

SHA1
066da49f6a8ab81248b73870728116fe481a538a

SHA256
661d4a4188ee7ee974dc49b0b777e9e4ef3443096883f60fecef5e045617a81d

SHA512
ac6fbb804c6e3b4f8724d82ffc851f90a2e064361ae4aa90bcb5390c2cc62bbe9364f297a2f2d6d45841650a0ad09aabcc3b21c4c206b6b43c8b1816616cc0b4

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\Directories\Pictures.txt

Filesize
351B

MD5
7e9073fc2d30647059c4f54c3186ca41

SHA1
f90e6d0560540095277160d5e65395a7fec8b51a

SHA256
60ddd7a979751a7eecd3fb49642df267287abbab9a0524fc76fdc11e3e086453

SHA512
fb0beadcaae1e3b5622710e7b794dbf7422a2e16e882f277d2500c14c8ab478a8ba3b3325005806218e3922cd95b40058c84209dcf257e37fb3393fd219c6932

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\Directories\Startup.txt

Filesize
24B

MD5
68c93da4981d591704cea7b71cebfb97

SHA1
fd0f8d97463cd33892cc828b4ad04e03fc014fa6

SHA256
889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483

SHA512
63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\Directories\Temp.txt

Filesize
1KB

MD5
437f36321a68013001466ad8b82a4bf4

SHA1
8f3516d0a6a0659021b5a803ff6c8df27c761b9d

SHA256
7533c27e943019709e547720bcf03e270c72bf7a09b948e2c37c2e8836576736

SHA512
55a869dbd61409f4f820ed8390c1361323666c8e56f2341bcb7e1418f02645b222f7719882a810af797d1086ba29dea150ef2cf13366adcafcb00dab90dd3386

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\Directories\Videos.txt

Filesize
23B

MD5
1fddbf1169b6c75898b86e7e24bc7c1f

SHA1
d2091060cb5191ff70eb99c0088c182e80c20f8c

SHA256
a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733

SHA512
20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini

Filesize
282B

MD5
9e36cc3537ee9ee1e3b10fa4e761045b

SHA1
7726f55012e1e26cc762c9982e7c6c54ca7bb303

SHA256
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

SHA512
5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini

Filesize
402B

MD5
ecf88f261853fe08d58e2e903220da14

SHA1
f72807a9e081906654ae196605e681d5938a2e6c

SHA256
cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844

SHA512
82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini

Filesize
282B

MD5
3a37312509712d4e12d27240137ff377

SHA1
30ced927e23b584725cf16351394175a6d2a9577

SHA256
b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

SHA512
dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini

Filesize
504B

MD5
29eae335b77f438e05594d86a6ca22ff

SHA1
d62ccc830c249de6b6532381b4c16a5f17f95d89

SHA256
88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4

SHA512
5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
112B

MD5
c77f01a3216378178e87fd58c0dace9c

SHA1
ec8c110d03acfa3f6bd0736a09874f0c39dc9e45

SHA256
d9a5cb24072ea0001d8da01d70964a7539f0d79c0d974d48fba6e5c05d45f98c

SHA512
e701f2e73b2ca32ff3376880069e21ab3695fa0caf9603ff313490bafb68aa9410903c80b0343d5c70dc575da000f8bac135929f190884b275ee3babda85fee3

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
268B

MD5
05c8274021bbe9ed51222164ccb95e15

SHA1
16ec23f601b777070a9bc65d138d5fc4da226815

SHA256
51ef48bc7025a4f9ba67ae120e09483194d8461d197b0da1e4c37a2413cf37d9

SHA512
7589d353f23348269f2fc344ccb1378de89533210c1e26d09261054ea77bafe8b61ed54fe7b80ad77c4c695c121c7bee5c72c740df03cefab98870070efd628d

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
424B

MD5
057c3b19cb42097029b7e9824d3a5819

SHA1
08044dd550092ea0a266ad01671966fd39b09656

SHA256
075c901836d705ce9549bdb0894ee9d492bb04458f84300f64b3fb406931a822

SHA512
d8780ee94da91449d8b541bb68baf08679c1fc424c469dcafea8916166085a06e86cbdfe570333c22ee22291c3d9dd8b6a8e46f0e55ed398adaffb4e3c48e324

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
548B

MD5
2f3fa5fb985d0c161587522a26d3ca20

SHA1
c0725a7c0587e69448d3d7a167d631126df1d5be

SHA256
fdf78646b5882d4c8f3839218c32b124553b03f122c78a876a8acc681e589eb2

SHA512
d56c188f36ba3d8481b63da8228d92d051c78ff68f44afb05c54c2104f479cdfed55f529b5fe32d6c7e8dce817ce6b0be63e18d43074f4e8120f2d1bff105dbc

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
672B

MD5
223cc65b99631d9e30c4ac387348c5e1

SHA1
8b4d5f66cea313dfc529a9ebed653456825b75e4

SHA256
e3062c3a1c5f61eaedd05536d6d2601186d45834330200128892aeb47220342a

SHA512
8410b40bfd5a01a44277180961727a23acf028c23d67cb65d8052fe962213f409c9283cc27306d18dccda849aa9e847c6f3deb6e32154ee8406ee7302ca3c185

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
701B

MD5
09d316ad8046992a603a155a0809c596

SHA1
c4cf610949c6eb6f6e270d6280145656a2d87fb0

SHA256
a2c39cc4482a802ee1947b71980063af274f82a49f473974e09596599df5b8f3

SHA512
ec79dd478cae703889502476cc1d12b9ae9a0cbdeebc3eede2f81710e7093baa2cd058064779a7ec2715448dfd6e1d32d048ff6e1c0f90d64a99a8cfab2aee46

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
730B

MD5
c42af63a1f93a782760dded771aa5f98

SHA1
aab48ceadbb6402cf9fe9389f25abd3851fbe649

SHA256
073350ad2716d91b7dfed2f4259332d2dc5af9d5bc42941150cb61c8dab919ed

SHA512
51fa14deff150b2a489174aca6840921431c87235867ed28b1497d761f863f18823bdab0f90d26371ee9a5d362f3dc91aac2cae17829231b1a4dfa7e88a7b2ff

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
884B

MD5
b3b72d8d9d4ef6589e8dd0445543bf5e

SHA1
8160b8befd19801f1a8b2fa8a40d036f11e9885c

SHA256
98ae777633ed4ab048b5cd683cabfe560c39326df352917dd9f1103c8b342eb7

SHA512
4dd9a4fd84022d6af4cf0fbb94752d6b19a4d4d655c47adb215232dc558d0b6a85efbe4b752b6cee69ac9b0e60a166d61a8351de90af72ff4d5ec129f6f3da62

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
949B

MD5
445369cf445c3789953a737047735a0d

SHA1
c16223ddf955ce4922c16a8352b87415d181701a

SHA256
b297c7449ddbc1b2d0cbccc80e82da532c474238fa7e1481cd9aefe506aa9053

SHA512
5e4f9badb860c78e8506564b1be502120ca9e6d3a95a4fe143660cb8fc2595fee5a9764a35024b26c0e25f06f99e76e4e5f0924d2cabdb35f778f7e3ee0af175

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
1KB

MD5
a676b6c8c227a46c9090990896e47807

SHA1
63fd27d833359724f99ddcfb9583b238331f274f

SHA256
63f467c4ed617326b58d51c6e4b43751833982d8cefea4dff2b6d3fbf91a11db

SHA512
29c218acf68a9a4cc60c9398c4df14e687007c8c13cabd1e13de005e8c3e78ebab6f82a1e0a34cd89fe7cf9c33475f727329ba50be782d2ddf74b3bba9a102ce

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
1KB

MD5
3a0e80247a5af83c697b03a6fb9b1fa9

SHA1
06dd72907a25514814e9b81e8f600a4f54de3591

SHA256
b2f90e78136a3c217dab89c6d6548ed5d664549eb70dda6654d65d1f509ec957

SHA512
144a1b81479a06626c34ccbba7120302f5c6788a65abba87026ad79ca4557f206d125f0f7937b737473b8b97322db7df68cf87b7ad851036cca6ad659f158337

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
1KB

MD5
659d71189ce9b99840fffaa5f91a497b

SHA1
d69a967c15b8c009b7a8daec79b7dcc71e3473ca

SHA256
06250e269392fc0de52f600d5de43a6a92344d48583dfe40617d34708ba7271a

SHA512
bc1d113d956074dd1158661f04d9715596fdf2cb74fff681566ae220de58a4c3fbedbc935be8a8b142df154e910b9fc30108636a994a8799b1673716bab775da

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
1KB

MD5
8effcdd67901cee84ea7e1ec1dc5d812

SHA1
089ef2512ef2a212bb01b31f0b7b3281b35a22e4

SHA256
ce4ed307752a597d935e39e28fd336511d3df049b50a4a822fe5f0d416118ae4

SHA512
1cac87f25c837125b8a0b14bfd78b196ac9f7c5d2528614d61b06d9062110e4911da1555438418eafaac75234b37101108e917e1a52516d871937c75a29bf094

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
1KB

MD5
ac97349e7783812514899918e6419c7f

SHA1
816fa6ddf24ec683f516cb884a1e304f5f46eb1e

SHA256
2799a3f5047891098800cb98972379e6e73961af25ca684fe39af93262a1cdd2

SHA512
c1261f0fb14d04b7764af9396f875453727d6677d26d70aec978c8d750a1fc6b2053d956b857c6c77eb6fa04c3fde0136816a402683259b1b5230fc0ef9a0770

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
1KB

MD5
0ef54100c0b61aff69666138936b2b1f

SHA1
4e201c3ac236838f1b9f6c8d227e936a91974079

SHA256
69b515cdb4927955e4a1dd8646719bd39b4090b4942fd0671105b90c1e90d36f

SHA512
2f77cbd8b80520ca4c70a24ceb0040f5d662f66546227b5114b7f720d137b5fa0fad1ac7504c7db5d3f1fbf19ea084704b5e17034ed0b54412333ec399e3976c

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
1KB

MD5
838a5f57d3745734f1d62ca34bc0a64d

SHA1
9da30dbd0a87166f60404d785862f192597cb3bf

SHA256
2a87f606b25d2884fdffe314729a8e12f4ca77e894befb0003158e7163f2f7eb

SHA512
bb6e3c50e0c0db1e046561a285a6db7afb1966dde4204afcd098611e1e167f53d7520f75e7deee5053356c192cda04607cfa3db756bec487b64101fc21c32487

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
1KB

MD5
b955857b5b6eb57672e45cad9cf2dc8b

SHA1
a2d95d3ef907c1b42c86cb0f39add8dc6c439fca

SHA256
9409a4554ce076d33c4d9b88b6e2be39e8aedeeb6ac45c89a25fc12053d1d2ff

SHA512
f3dffdab392e33b5fead85f67a04fe1f55793c9ed9025609ae9ad8b54c39c29eac42b92e538c30776ba5428df5025ada2186d7d1641b31467dde70921880645b

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
1KB

MD5
7a26318b16953198595e3411271d4cf9

SHA1
7af0c6182538d22fc952a74aecbb17081153f920

SHA256
d6f7d0308dcc1e8877e7631399a59ffa3d83949bb93aed2368a93a51406befc7

SHA512
190ad433a364c4e8ee56c89f6ce2728f483c05e98147a911e9dfaee9b2000ff7a25f74d8299c55583245dd51d6bc66da4ed7dfac4fd524697cc5c772880a2989

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
1KB

MD5
5e80c93abe58f62f3267be2b52b1a600

SHA1
43ca5c7220f03f3563665fff1146765fe8ba5058

SHA256
68656054392b3c5df69143320184736fb1ab4372d295138738c32d929371d119

SHA512
c71bca0a1a553d2e50045e516127fd65124616265fd39891117abfca1aecaed6bcec647656ae28e8284eef61fc478dcae714d9ee82c5648596bb740c80a6914f

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
1KB

MD5
e8c1056f0837711e341348432d3d88a1

SHA1
e940c7db08639e2e8d5043d96629b0eebea58425

SHA256
ede2af9c140f6c748935682abf94cf36713155b172d58809fab718f986cf7240

SHA512
fcbe5a47696ff00768486f141981f355348418c5fafb527d023a892af7361b5c40d698061e5f6f7d023401cefb9cecf8e85cbfdc93f1465d1f9ef8f449ac697f

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
1KB

MD5
4fdd4350517f8f71f9074f06d224deed

SHA1
91f1bb5c2339af60f71c5cc661fb109c7e2b6fbe

SHA256
9cd025deb12b33ed143953014c5227284e3c008dd66c79db7f1e831e8f0a46c5

SHA512
0d8815c1d12d7aa65fd72412e10fa9d05c97c569f2c6286494e5be9c7c50198efb55a54c51148dc9dd0ac2510c334ec50cbb1d97ab55d98fb49b02365265eca5

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
2KB

MD5
296cdf458a81e79c4103cd8326982e97

SHA1
2401cbfa93ecff38da62a491ca76ea98d1295925

SHA256
26c5899f2a0cbc405aa9ccda1026fa6d5c6350d42dc11bbcb56db6cb900f258d

SHA512
ec7f07c07b63c40c2ee7eefa7679f05d99abdefb4f866763c0aa544a4e7b7bfb583c3f7cf23fceddf42d8d9d014a04a533e9431a116793839fcef6cb43041b4b

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
2KB

MD5
6f1e53d0b5dfc552cd8f63866ed4a83c

SHA1
88e70951b28d90a6f7d1dd246357ffdea194470d

SHA256
8b2875d144c02ee5ed08a288a0d90d2fd25138582ead2d871e8d235ae9ded3a8

SHA512
5c10a9499202daef7d57d63b6618f39390b086dbc08c043a970b0f6509efbc12bc227eeddb6b7573df67d558285dce8432a4442e53f43329e8713729b86c4934

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
2KB

MD5
fdbc9f0519d694e1309ae41d16d3759f

SHA1
b6be7b629c63365894e480c6728f1c987241a1bc

SHA256
f9b196f0d5d6b9de5a37e7384820027d260961ecc0c0f7f19902d75c35ad3db9

SHA512
d7bfad64eb5411f25b1087abb4066e0d2c7bccb95536b5e50268eaae78e2549b891809e643bc3dbc369ca0abae4555072169f2c8fdde09e87dcb24f2ee5c43ef

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
2KB

MD5
af820907522269f6f331232b1b842ee3

SHA1
8891ea10267037a5807ac7f88ee0c4fbdbfa10c4

SHA256
78f0d6fde7e5ee66ec688963d03a56f43fd7bc414425543356f2d88100efa5a2

SHA512
3e5a50a10b334b900e035cc41535c386bb66b5268533826117309bc5e68e7f4dd0ea976bff8822853fc0f4274e86d6341346fe8e15ae6784d710312e8b944fd4

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
2KB

MD5
064327475f70cdb982a50e52bf7ceae3

SHA1
3af233f2ba6e97d3d5522f003aec43b6c06a8fdc

SHA256
cb83a24090efb818066dd43a9a934d3dbd0ee085d5f0a0a80422fa6fd661d539

SHA512
fe7d7521fdde44214f5b2285b8bc2cdef666ccd83e3f566e099bae37b329afd71cfa9a5c2de1263e8a79800b14be14b973be63243549e87468724fe846fa18eb

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
2KB

MD5
808c7fd9f1f285e2df49965cc156aa28

SHA1
96ab376a8ad96e8499056f4bd95bb9b9aa9b95e8

SHA256
bda217afd28c4aad51c43dab752954291d709d5e9a0fc7d748e34cdf3c1b4f9a

SHA512
e9a8ae155cc4634acf97d9d83f7134de7f240309ce30da542b709a45cde2b13beabd1ff9f57a3be91150b12aa7674be7871328ad2e7d39abb8ce6450ebb8131f

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
2KB

MD5
2ba14ea856f1dfce9ec6f9b3dcdf5d51

SHA1
202061ec5920a8d3bf9281635e0a4f6244c65c16

SHA256
99767af2b22b39838be92db702dc5326734fcb274ed02e6fe8b555b2d5d6da4e

SHA512
07bb7c94f5ab2470e10a40c807d36f70dcfdf06bc71d5430fca5b438eba1445cee9ae108aa3f98aaa7a95f34479c97bf0bd57bb13658a97a8bd96ae10a1c9b7a

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
2KB

MD5
2880cc52c4d3c88f55f503170afbef14

SHA1
afe9163d08709ab3d4aeed3293490a6fc639b12d

SHA256
1644b4690ba6ecfe795158f911dc1677299a2a6be618431afd3cbfeb03657250

SHA512
5cd8dfde62b02a1184f2eef2dbed0cc96b986247b66c3c0597774643f95f708f746202f8d75ed5270c9ddd019778342bafc63b281b29de1ff8f3ad3aed4fa7df

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
2KB

MD5
f4c733ad850637d72a31698a18b5b0ad

SHA1
e26a78a7cb929fbdcc34390512e30b44c1fc775f

SHA256
1111e7b887f20e4f1c1643829ee5fca21f9acb93556040d8af94b0184f285e79

SHA512
cc2f3abdb186347f3474b9d17fa97fae1d0b2fa2d07115b9a9ee149699d01fb5af6a81cf962ae001d229591094a42d977dc18833e077e4fa16bdd906628effec

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
2KB

MD5
a951bb6604054827ddc6a1f6191b3d13

SHA1
8d677542da4bcbc2ae80e69069b5c83722f99eb5

SHA256
f571653b4735135e9a28f67ebe0cb34d37d6fba2509b1d569c7b7dcd6c762765

SHA512
4646203095a605eed960ef22bdba25564df22930b4040ebf690c54a245dda94b42bc72bf411cb3d2a0d1c23d2086cd2ff722f98494c62caadb6780afc3897351

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
2KB

MD5
4c84d5138f2a09d758ad575809cd7547

SHA1
fcd9b271277fd9a3fee84d368e549ebc1eca3420

SHA256
e298bc3e612242db503816a86ef41540918682d4cbefea49f5b116f6a6adea16

SHA512
b0656b3279f1c96f8db4d76665068e2af17b5df9ffc640bdfa9063affee300c6acc2953021cefc131b1561d1119d989d04b2d0c39d22b384980b037f4a318c02

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
2KB

MD5
1d46992f61a4570e2e859419e91a73f4

SHA1
f6d82116591c53532552fa29c52c45309d522cba

SHA256
76934d7fb20e1e668135ea810146a6aa10655355eda1d040c21b3dc1b6221249

SHA512
8c69efa24e9cf2eba67feb8d7d910e489b466fb2c33dde3a0a8c9c3f49536a6f9bc349dc7a07d4dc12489f9e5c4173624fda0549d1788c91e610b681947f8532

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
2KB

MD5
2bc6e59fb1ae06da086dd930da24b9ce

SHA1
7b637db8029daffe40f0c08d794ed83999027a0f

SHA256
f69055957b51a03427ac7c5b55912dd729ec22dff9525e3461bad553eb2bfb95

SHA512
7d714c29753aaebe507123c6f2d531ac7f6bcf1cc310f68b1405246607076ebe4c7ef09412057c505c78b659903eb6476ba6b0f93149a1113e43061126d46871

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
2KB

MD5
8bacfa6f45515d2046fce983742a4122

SHA1
fedfcda2757903ed928648b2c8aede9436e09986

SHA256
7416b4338ba43ffcdc8b0133cd390abe4e4858d43631f91223f535bb51130e21

SHA512
ca6f869bbc58e0b13158e8e1a131a22cacdf9d79efc4cfd49b6f7db1dd8b52e815daa2609c27c55fc2ea76561ff5a045b9c2bd5ffe954691c1e85bac5dfa9515

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
2KB

MD5
77ae3cc9383720cc17e95e021357b3e9

SHA1
c4cd426deb6dce8e6ec2fcbb5b904239981ac90d

SHA256
acaed6821ab09f174859900c96e8d7e60a5b569cc08e8e30e2c6bae8bb5a3e13

SHA512
2ef7c8154c319f3b81ca9c74640530bf10fbb1742e1b71464518e806db3618195107a878fa9c8e46b6c5af7bb1bec08d38ae9e47f327144a7ba79d1a1b27ddf4

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
2KB

MD5
e519d57010bade69b87bc36e1c9488ae

SHA1
49f6519e837a47de627f588e215eab4bd1c70147

SHA256
202bd897c22bb1522bf06c9509fd1ca7d3b823e96fbfb5e8bb8a56fcecd2eb29

SHA512
6167a8dee112f098e5ed697ff2b692b70dd745f7091c55184d2ecfee5bd7b0e31a5ca6d21b17edaaeed34be86bd26691c666541975e73486c266de78585810a5

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
2KB

MD5
31506d581bb7f53b4f020659ce7089f4

SHA1
b83e2e548653b5b89bdb6fb3f2f758ef023493bc

SHA256
873ddb4d28ccc0ef45e31374a636a977da691f66c1f3de95193baf535c523841

SHA512
5ff2bb69638301dd3b08d3f81b2695ae2f063eef6fade206c733429ec3cd66784e2eca021c2c30ea13fc901813ab919c33d13364ffd9dd01fad68a3a5938ca1c

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
3KB

MD5
ebd0791ba195d6b1fb2b4fff4f8ab949

SHA1
9a10678a49cc02bce26d994f2841bc641f2fc64d

SHA256
20381ef17abd9e125b678f58c5e4102e2c2b5a9fd6dae0dda186b0ef784dc4f2

SHA512
a1a58af4985333dca28290b56d3a3bbf29d2a466248fc2c4209719fe3da8345ecde26f611587a06509e13485bb2e710db4e819de77ef2f7803bfcdae102b9433

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
3KB

MD5
315ace3206e41600a5d6aff481adb424

SHA1
ac37d3e2473fd7a6b8be92d4396c65ad9f987efe

SHA256
f0c1eccc8075766d5cebb09d2ff61b17b8b514370dfb63b1a03345583b6b2e5f

SHA512
4527c13e711dccf502f1e293a4647dbb637a4a9d7ed4a218184c46ccb5d57f882a43967f0128d5dc1ed0ebf9903705b0dee9369c292f783db3cf950d408078f9

Download Submit
C:\Users\Admin\AppData\Local\2d22ddebf732a4f0e35ffb5d7b9b91d2\Admin@XPAJOTIY_en-US\System\Process.txt

Filesize
4KB

MD5
494de582c4290a1ae42effbf6b56bb28

SHA1
89825fff4ede360e1742f2f3085a37c09ae57c37

SHA256
72d18a9423cbb8e27b05f2f73cea7d3df496194789ea8cc34255c8a7fd027afa

SHA512
b3596a4648f6590603c7d215917015849923b7c927e5841b65d9fb1faa1f823e5f9bbf988ea2e16dadd1b8316ee92e28149b9dd9df69b0ac27334d331d6929cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe

Filesize
175KB

MD5
33d7934b7f436cde6b5f374c179fd228

SHA1
0b985932346e625934f2100eab2f62406897dfdf

SHA256
f262e3910d40c694d77b77aa4bc9a62abdb0394efed57fab03dd86834c333c96

SHA512
501454fdb67cc44ce136bedc3fdc0594bb684ebdca9593e2d462f4c553b6a2efd0874e33963c0ee4e4cef64752c1b4ec3869188b85cb08066c74ffcb85f740b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC24A.tmp.dat

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC24C.tmp.dat

Filesize
92KB

MD5
2cd7a684788f438d7a7ae3946df2e26f

SHA1
3e5a60f38395f3c10d9243ba696468d2bb698a14

SHA256
2ebed8dd3531958e857c87ddbf46376b8a10ea2f364d2399d9fcc604da0bee1d

SHA512
0fec4b36e2173d1ad5eca880e1be1d0c7093d459aeb612d371e4ac92fbeaea55beb36e9228d36d57fe1851bd4d57b26dd5b8edb4620fb17b91441e840669c7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC26B.tmp.dat

Filesize
5.0MB

MD5
e87d64670a56c2a625658096ae73408f

SHA1
9dee648b8d5660e09416e33d66b7d09b3fc3db98

SHA256
d3fbdfb580352a821362428d3f90d8fc11dc00afecd1b1bae5bb125de15435e6

SHA512
23de58acd9030113477588ac1c55e8cc1011babdf06f0fde1f6cfd51cf65fe33f7774faff028e8c69eae860419c44e326126b7e2960ca68c25687e48236b8138

Download Submit
C:\Users\Admin\AppData\Local\Temp\xLrnaVOX.xlsm

Filesize
25KB

MD5
663675f67b527995d8f8ba8cf0ed7f04

SHA1
0d815a125acff20ad088bf934a03add2a15b26b9

SHA256
4880d4bcddf5a42ffa57b6e2b64b432be5f47d79be8880cbf60f8da7b4b65082

SHA512
0090f9255751e932ead4be0ff2319b611fb7211d2900359b4579d2dc43ffb5452a9eb85c7778bbe350efd56f3942cbcac28a149f32f25a1b270783aab4563f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xLrnaVOX.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\d6c873f077ebb9bf20357a1b9587948b\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
memory/1688-29-0x0000000000C60000-0x0000000000C92000-memory.dmp

Filesize
200KB

Download
memory/2532-26-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2532-0-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2592-277-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2592-288-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2592-322-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2748-39-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2904-38-0x0000000001390000-0x00000000013C2000-memory.dmp

Filesize
200KB

Download