asyncrat | d98c45c9a36b59116af3e7311570fbf2fd18a70e669a980a3da5a1d06b1b5179

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
submitted
28-09-2024 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Server.exe
Size

920KB
MD5

b36dc7511b95419ea3491a60597280ed
SHA1

8caa07eda2ef7f77c09df3d6d9eb99190c8d6c7b
SHA256

d98c45c9a36b59116af3e7311570fbf2fd18a70e669a980a3da5a1d06b1b5179
SHA512

ba71404887ecd9602fd2ac6dfb4870925e0dd16b1a7c1d5c64101d6be08a20af255655679b1ce7acc11562bab464bbdd146efcad44ff67115c9df0d23d304ca0
SSDEEP

12288:4MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V94iwQiKDKqxAs:4nsJ39LyjbJkQFMhmC+6GD94hKeqf

Score

10^/10

asyncrat stormkitty xred default backdoor discovery persistence phishing privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7510720859:AAHJ07lkxNWZwwJs6SC36WS0jVG9IR6m3pM/sendMessage?chat_id=6059920057

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 6 IoCs

resource	yara_rule
behavioral2/files/0x00090000000233a2-5.dat	family_stormkitty
behavioral2/files/0x0007000000023407-66.dat	family_stormkitty
behavioral2/memory/4376-129-0x0000000000400000-0x00000000004EC000-memory.dmp	family_stormkitty
behavioral2/memory/3668-130-0x0000000000440000-0x0000000000472000-memory.dmp	family_stormkitty
behavioral2/memory/3104-556-0x0000000000400000-0x00000000004EC000-memory.dmp	family_stormkitty
behavioral2/memory/3104-619-0x0000000000400000-0x00000000004EC000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x00090000000233a2-5.dat	family_asyncrat

A potential corporate email address has been identified in the URL: WorldWindProResultsDate2024092831131AMSystemWindows10Pro64BitUsernameAdminCompNameKZYBFHMKLanguageenUSAntivirusNotinstalledHardwareCPU12thGenIntelRCoreTMi512400GPUMicrosoftBasicDisplayAdapterRAM16154MBHWIDUnknownPowerNoSystemBattery1Screen1280x720NetworkGatewayIP10.127.0.1InternalIP10.127.0.244ExternalIP138.199.29.44BSSID8afe71215249DomainsinfoBankLogsNodataCryptoLogsNodataFreakyLogsNodataLogsBookmarks5SoftwareDeviceWindowsproductkeyDesktopscreenshotFileGrabberDatabasefiles6TelegramChannel@XSplinter
phishing
A potential corporate email address has been identified in the URL: WorldWindProResultsDate2024092831131AMSystemWindows10Pro64BitUsernameAdminCompNameKZYBFHMKLanguageenUSAntivirusNotinstalledHardwareCPU12thGenIntelRCoreTMi512400GPUMicrosoftBasicDisplayAdapterRAM16154MBHWIDUnknownPowerNoSystemBattery1Screen1280x720NetworkGatewayIP10.127.0.1InternalIP10.127.0.244ExternalIP138.199.29.44BSSID8afe71215249DomainsinfoBankLogsNodataCryptoLogsNodataFreakyLogsNodataLogsSoftwareDeviceWindowsproductkeyFileGrabberDatabasefiles6TelegramChannel@XSplinter
phishing

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 3 IoCs

pid	Process
3668	._cache_Server.exe
3104	Synaptics.exe
2052	._cache_Synaptics.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Server.exe

Drops desktop.ini file(s) 14 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	._cache_Server.exe
File opened for modification	C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	._cache_Server.exe
File opened for modification	C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	._cache_Server.exe
File created	C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	._cache_Server.exe
File created	C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	._cache_Synaptics.exe
File created	C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	._cache_Synaptics.exe
File opened for modification	C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	._cache_Server.exe
File opened for modification	C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	._cache_Server.exe
File opened for modification	C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	._cache_Synaptics.exe
File opened for modification	C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	._cache_Server.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
49	pastebin.com
50	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
35	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4204	cmd.exe
2856	netsh.exe
2868	netsh.exe
2360	cmd.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_Server.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2632	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
2052	._cache_Synaptics.exe
3668	._cache_Server.exe
2052	._cache_Synaptics.exe
3668	._cache_Server.exe
3668	._cache_Server.exe
3668	._cache_Server.exe
2052	._cache_Synaptics.exe
2052	._cache_Synaptics.exe
3668	._cache_Server.exe
3668	._cache_Server.exe
2052	._cache_Synaptics.exe
2052	._cache_Synaptics.exe
3668	._cache_Server.exe
3668	._cache_Server.exe
2052	._cache_Synaptics.exe
2052	._cache_Synaptics.exe
3668	._cache_Server.exe
3668	._cache_Server.exe
2052	._cache_Synaptics.exe
2052	._cache_Synaptics.exe
3668	._cache_Server.exe
3668	._cache_Server.exe
2052	._cache_Synaptics.exe
2052	._cache_Synaptics.exe
3668	._cache_Server.exe
3668	._cache_Server.exe
2052	._cache_Synaptics.exe
2052	._cache_Synaptics.exe
2052	._cache_Synaptics.exe
2052	._cache_Synaptics.exe
3668	._cache_Server.exe
3668	._cache_Server.exe
3668	._cache_Server.exe
3668	._cache_Server.exe
2052	._cache_Synaptics.exe
2052	._cache_Synaptics.exe
3668	._cache_Server.exe
3668	._cache_Server.exe
2052	._cache_Synaptics.exe
2052	._cache_Synaptics.exe
3668	._cache_Server.exe
3668	._cache_Server.exe
2052	._cache_Synaptics.exe
2052	._cache_Synaptics.exe
3668	._cache_Server.exe
3668	._cache_Server.exe
2052	._cache_Synaptics.exe
2052	._cache_Synaptics.exe
2052	._cache_Synaptics.exe
3668	._cache_Server.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3668	._cache_Server.exe
Token: SeDebugPrivilege	2052	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2632	EXCEL.EXE
2632	EXCEL.EXE
2632	EXCEL.EXE
2632	EXCEL.EXE
2632	EXCEL.EXE

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 3668	4376	Server.exe	82
PID 4376 wrote to memory of 3668	4376	Server.exe	82
PID 4376 wrote to memory of 3668	4376	Server.exe	82
PID 4376 wrote to memory of 3104	4376	Server.exe	83
PID 4376 wrote to memory of 3104	4376	Server.exe	83
PID 4376 wrote to memory of 3104	4376	Server.exe	83
PID 3104 wrote to memory of 2052	3104	Synaptics.exe	84
PID 3104 wrote to memory of 2052	3104	Synaptics.exe	84
PID 3104 wrote to memory of 2052	3104	Synaptics.exe	84
PID 3668 wrote to memory of 2360	3668	._cache_Server.exe	90
PID 3668 wrote to memory of 2360	3668	._cache_Server.exe	90
PID 3668 wrote to memory of 2360	3668	._cache_Server.exe	90
PID 2052 wrote to memory of 4204	2052	._cache_Synaptics.exe	91
PID 2052 wrote to memory of 4204	2052	._cache_Synaptics.exe	91
PID 2052 wrote to memory of 4204	2052	._cache_Synaptics.exe	91
PID 2360 wrote to memory of 4296	2360	cmd.exe	95
PID 2360 wrote to memory of 4296	2360	cmd.exe	95
PID 2360 wrote to memory of 4296	2360	cmd.exe	95
PID 4204 wrote to memory of 4412	4204	cmd.exe	94
PID 4204 wrote to memory of 4412	4204	cmd.exe	94
PID 4204 wrote to memory of 4412	4204	cmd.exe	94
PID 2360 wrote to memory of 2868	2360	cmd.exe	96
PID 2360 wrote to memory of 2868	2360	cmd.exe	96
PID 2360 wrote to memory of 2868	2360	cmd.exe	96
PID 4204 wrote to memory of 2856	4204	cmd.exe	97
PID 4204 wrote to memory of 2856	4204	cmd.exe	97
PID 4204 wrote to memory of 2856	4204	cmd.exe	97
PID 4204 wrote to memory of 4300	4204	cmd.exe	98
PID 4204 wrote to memory of 4300	4204	cmd.exe	98
PID 4204 wrote to memory of 4300	4204	cmd.exe	98
PID 2360 wrote to memory of 1196	2360	cmd.exe	99
PID 2360 wrote to memory of 1196	2360	cmd.exe	99
PID 2360 wrote to memory of 1196	2360	cmd.exe	99
PID 3668 wrote to memory of 3520	3668	._cache_Server.exe	100
PID 3668 wrote to memory of 3520	3668	._cache_Server.exe	100
PID 3668 wrote to memory of 3520	3668	._cache_Server.exe	100
PID 3520 wrote to memory of 3416	3520	cmd.exe	102
PID 3520 wrote to memory of 3416	3520	cmd.exe	102
PID 3520 wrote to memory of 3416	3520	cmd.exe	102
PID 3520 wrote to memory of 972	3520	cmd.exe	103
PID 3520 wrote to memory of 972	3520	cmd.exe	103
PID 3520 wrote to memory of 972	3520	cmd.exe	103
PID 2052 wrote to memory of 864	2052	._cache_Synaptics.exe	104
PID 2052 wrote to memory of 864	2052	._cache_Synaptics.exe	104
PID 2052 wrote to memory of 864	2052	._cache_Synaptics.exe	104
PID 864 wrote to memory of 888	864	cmd.exe	106
PID 864 wrote to memory of 888	864	cmd.exe	106
PID 864 wrote to memory of 888	864	cmd.exe	106
PID 864 wrote to memory of 4664	864	cmd.exe	107
PID 864 wrote to memory of 4664	864	cmd.exe	107
PID 864 wrote to memory of 4664	864	cmd.exe	107

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:4296
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2868
  - - C:\Windows\SysWOW64\findstr.exe
      findstr All
      4⤵
      System Location Discovery: System Language Discovery
      PID:1196
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3520
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:3416
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:972
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3104
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      Suspicious use of WriteProcessMemory
      PID:4204
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4412
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2856
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4300
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:864
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:888
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4664

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
920KB

MD5
b36dc7511b95419ea3491a60597280ed

SHA1
8caa07eda2ef7f77c09df3d6d9eb99190c8d6c7b

SHA256
d98c45c9a36b59116af3e7311570fbf2fd18a70e669a980a3da5a1d06b1b5179

SHA512
ba71404887ecd9602fd2ac6dfb4870925e0dd16b1a7c1d5c64101d6be08a20af255655679b1ce7acc11562bab464bbdd146efcad44ff67115c9df0d23d304ca0

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Directories\Desktop.txt

Filesize
660B

MD5
4f7a76e102c97ce800a7f4dd7d81be72

SHA1
96047b0363ec9a81cdb5fb8b01215016e769ade7

SHA256
c4d9aaa06e02ff9f4e1275e15e5725aa110fb644b625cbae13bd58279fe89ff0

SHA512
af2319e2b7fc76ff9107a9353c5801f88f8855081970cafccf97e73635d2a2753713579088d05b79b8c0d330d83bbe25b2794214f9c2d5375c2f9cb8dba36f62

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Directories\Documents.txt

Filesize
458B

MD5
d15a25558733bcd875a9c573408cca9e

SHA1
0cf1a31e960b2ecb5e8c1f4b607a2b572e4cb60c

SHA256
692a8fbc93918fc561ddbaee257cca1afbf9bde44243d2e2a2012f96a8ae98de

SHA512
c5d870cd17e8b82dd6922024853520735d00db53642b03b0469c12d247ef755efbbbe22dd1dce4c409001ed60ed73256c749d56ad9e27585e33c4f1c1ab45b51

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Directories\Downloads.txt

Filesize
683B

MD5
428de6e38a61202be5870bac53aee6f9

SHA1
cd5046c2408a6d07f998989adab6914d44ead959

SHA256
60c434c30eb1724f5b3e6d265481defe319f67248e2cfcf663c25d78dd76d3c6

SHA512
626df9ff57f43b8405882b70d6ef7dd7aa55aa707de902b58020440bd13a13e0b21382cef738d659ff2ad369b4d10a615314c2ca10ec32d66b6aa7aa82ce7b07

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Directories\OneDrive.txt

Filesize
25B

MD5
966247eb3ee749e21597d73c4176bd52

SHA1
1e9e63c2872cef8f015d4b888eb9f81b00a35c79

SHA256
8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e

SHA512
bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Directories\Pictures.txt

Filesize
763B

MD5
2e43c8dfc2bfb5ba685bec5908b6a85f

SHA1
a30c8e4fc3714cae4c79713760a1fbbe8bbf509b

SHA256
70c37117c509d4cb3f77369edbe79504127164db13c13d83b1cbab9aee2d50e4

SHA512
c2ba1dc875f2d371bb8ee00a4486039835782d9a0aef1849765b939f3390274e8345c1c54949b727710e9d18bc0bce927eb2213df6f9a07e9034edadc134c181

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Directories\Startup.txt

Filesize
24B

MD5
68c93da4981d591704cea7b71cebfb97

SHA1
fd0f8d97463cd33892cc828b4ad04e03fc014fa6

SHA256
889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483

SHA512
63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Directories\Temp.txt

Filesize
2KB

MD5
570c530d6ec1c6a5be653de3563bb9bd

SHA1
3c1cd4caef1bad5ef2e9dadb52ccf047f234c07b

SHA256
e0a86cdeffebdb42be3df30e8e863ba5dafe361db65545af867ec9415c743ae9

SHA512
61f9d7d01150f6c81e77e5af7cc3f5a25a47002e238f6fda4bc51bee5bd9161262c507f04c74870f7e2dc8fcfe9f5d48f750ae5047f93eae9c79b2366f9f3652

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Directories\Videos.txt

Filesize
23B

MD5
1fddbf1169b6c75898b86e7e24bc7c1f

SHA1
d2091060cb5191ff70eb99c0088c182e80c20f8c

SHA256
a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733

SHA512
20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini

Filesize
282B

MD5
9e36cc3537ee9ee1e3b10fa4e761045b

SHA1
7726f55012e1e26cc762c9982e7c6c54ca7bb303

SHA256
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

SHA512
5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini

Filesize
402B

MD5
ecf88f261853fe08d58e2e903220da14

SHA1
f72807a9e081906654ae196605e681d5938a2e6c

SHA256
cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844

SHA512
82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini

Filesize
282B

MD5
3a37312509712d4e12d27240137ff377

SHA1
30ced927e23b584725cf16351394175a6d2a9577

SHA256
b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

SHA512
dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini

Filesize
190B

MD5
d48fce44e0f298e5db52fd5894502727

SHA1
fce1e65756138a3ca4eaaf8f7642867205b44897

SHA256
231a08caba1f9ba9f14bd3e46834288f3c351079fcedda15e391b724ac0c7ea8

SHA512
a1c0378db4e6dac9a8638586f6797bad877769d76334b976779cd90324029d755fb466260ef27bd1e7f9fdf97696cd8cd1318377970a1b5bf340efb12a4feb4a

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini

Filesize
190B

MD5
87a524a2f34307c674dba10708585a5e

SHA1
e0508c3f1496073b9f6f9ecb2fb01cb91f9e8201

SHA256
d01a7ef6233ef4ab3ea7210c0f2837931d334a20ae4d2a05ed03291e59e576c9

SHA512
7cfa6d47190075e1209fb081e36ed7e50e735c9682bfb482dbf5a36746abdad0dccfdb8803ef5042e155e8c1f326770f3c8f7aa32ce66cf3b47cd13781884c38

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini

Filesize
504B

MD5
29eae335b77f438e05594d86a6ca22ff

SHA1
d62ccc830c249de6b6532381b4c16a5f17f95d89

SHA256
88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4

SHA512
5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
128B

MD5
72d1bb9a99e86eb1e2765871060d56c8

SHA1
259988dfeaca95ecb12e39fb238890676613ef10

SHA256
95ac9bc6830ccb5d05a52d6c3f74e2ccf51b936cc277b90c769895d58676f0ce

SHA512
bb2c2a173fb8fe36cfbb7243592b220f5c403797a2fe99af40fe57dd11442ab46b90b9607f55dbb9fd2b0a8a84fda40dea369b8a051847f51da0556222cc9593

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
191B

MD5
869ae7374b52644e17f6b52854af76cf

SHA1
bf84ad1d46f33983d8926754e72beab9274a569e

SHA256
bbdb0a044ff4aecaf07f8352ce596164b9974645a1088fc4c6679645f8eb4890

SHA512
5f0fac482c6bc71b623653f1a6c238ad404249bd14b162ae44aa81a20e8a817001263bc74b064052c2c147c21d3e2bb2f7fc91afb0e3756464c1d021180a8403

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
254B

MD5
bbcfeaede144c47072c09dcacdd6f038

SHA1
ee65746b0c49d30a94a7730034c14d7b76ad1d4b

SHA256
29c1d350c8b243787513f56379fda6764471558adb1b04ab6e00ff82e9bf68c2

SHA512
5ad870ceea42f03ca6dcaf3c57da8bf3444a635225d88c3640844fbd69cf228bd0dea386d1f08dccd1b57977559cd4801a8a89306760808ee9c0ecc92122704d

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
325B

MD5
12ed353e07896051e71b8290e0ec54ab

SHA1
951fc4d197bbb8977769a6b90929ea2cff11dfbe

SHA256
a1c8708ccdaf3db5314a13ae8e91e21df1d59a1f7b6254400a4733bc320eb7d3

SHA512
b197baa784c0a1725502e04beb916b1b8b8e7356a541b4d5395335ae003ff1be14c44355a4c668f1375ba0f02fded42d4743aa6b08ad7a06257172ffe051b548

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
396B

MD5
1b0328db391ee46b3f0ab73ed557f20e

SHA1
a886b083b5b283a39bed448677414a745aff54e2

SHA256
daaf665a627e2b1ae4f5ba26ebd0eab32f3d9782fd195496bdac6af8c025e23f

SHA512
574d06ee6595f4ddd77fc34ed017938b0dd72439c71592464dc4f28e440db33f890d2ab64a4df6513b464d1f136efb2eb3eb05b22fb0a1f84a166734e26ecbde

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
472B

MD5
2f8c867005c60363fab5eb09a870aa40

SHA1
65ae69d38885edb4f569d50f26884434e62d4cae

SHA256
c22202662da4c7753b92a14760cbef4af91656f45576c326d287de548a058a0e

SHA512
8e809e527dadea51ebda415bca639d4a6a735f402839be889b3d1d1621fab22a03717b9ad8d0b10e26ab2496a291ee3550e6155bdead46ae3de51c1d266548d8

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
548B

MD5
69e228ac4be810b0c62dc149ce0c57d0

SHA1
f586f2589ac5dec6b92da5fa2561bd1284fea5bf

SHA256
ebab3351190025d4791005bda529f8a54df37625e3fcd622e7c21f898ab59ce2

SHA512
9f135f470c30b25d46ea9c7cb7bf4e20c08c5998de84e8dd0b2533ac04818dd69a87e7f0089957a66d1b8c5869a148dfab0346d4597dd2c4d6b62736f5e2f78e

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
677B

MD5
0d79a18c578783c1fd80cdccb2f91ec5

SHA1
f0962f93fc36d7292a68d7ada01d76e212075c9d

SHA256
dcf7f0db6f4714f422632e669123ce8141ce18919e258cb232ff785781b01f88

SHA512
7c44a477b6c0ed3209b81b2bdb147263822eef44e97a0c9a35993aeb615973c3e8483750d8ca41562ec265b9dd12ada8538c1e63cd23f4c64a0a92dcc53c73f8

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
806B

MD5
ef5a939ac6cb63ad56eb95b482595a94

SHA1
c514280d4fc91e06338af690ebd021b37bc577df

SHA256
5f802000ac819b3c35fd5449ea8853208149d49b378924286ff9b4ede01a5f28

SHA512
5b497f73082565e8b5c0ea1679a832c6767b3971a07859ada563162a7e066beed9e95eb4b19d990b5f517667a36e85fc6d0174b899b6a63f2a71a77cac1a8693

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
934B

MD5
56b8f3107b7bedf590624e23f6ef9bb0

SHA1
668cf16bbd74de68cd721734b3e9c6d619a40597

SHA256
f20842652655bbd8521bc9384f034b01c4ee4179e8443d57b03819d455e57139

SHA512
693ea454505be8f5619d723224aa2293d2cc3b0299198ac4ede1df7a44624945eb6e76ea42adf776c2a37e4cff4b43ab754c5a3d7b46335d2b1901c57131d6b9

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
998B

MD5
909958cfa6a9fb3acd806c9875034b36

SHA1
36cc641660131956ca5e923a0f4f4c76c6fe0b69

SHA256
56f590aaa6044175fd479a923bc5ad1a77ea931253141014b837a87d9b234ee5

SHA512
211005d7381fcf17379bf9412bd628cf1cc36a71fe8f4c116940827a4b0da7ed8fde2ec0e4a9d20fbbfcedfe49c184acd43fd864450c5be0047982f71b10b27d

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
1KB

MD5
3a73a1dd2e164b1939fb064624f77dee

SHA1
dd3af2246b1391d379695499e63caad8079b140c

SHA256
1bd4b8500f150dbbb8383def8f4ec189f2f94d0453ba908b82e53654fd7061af

SHA512
c2f391f2a2d5f23cc236902edcbde8741ea9f7d7d63db4bc95dbc87e5a44a6e6e3b4a8d401539bdbbe3391c044729ed5766cb377321657fd23861095fda9ee60

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
1KB

MD5
601106dae1d5bfd6f3dc5c4f161b57b2

SHA1
02c39def0f1c36a815067ca5fc9085bb49bcb2aa

SHA256
f2b92a3fe8b9116bc76224397354ff33918a7df049a1574670b6115360d92084

SHA512
aa1440e7d411ea1b5089309fa099c62360d18e1dbd094e2bd346d9d83e7e1f85cfe649758697cbcef5c2af892cfce8a87ac3658a3dac4fc45dca8d75ccdcfd67

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
1KB

MD5
1fc2ff567b0c5a054209398baec5c538

SHA1
8f195d71c682bb6ae925a52dbad5186e84f3eba7

SHA256
84d6a064e8d8fb2528c8f09f41ca9d6673e8a9e19cc3534789f0bbd2d701cf97

SHA512
8afc840fe5f961be8ac8c166c04e9ee21a832dba338f015033cc3d612fa00e316f9bf92ba47c5452765e0c99fee013c665f5dd8539f5b35fe4a29499f74b4d14

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
1KB

MD5
c0b19b2742ce326b2239e72d06ae9057

SHA1
29bed12e3be9d765c1f0e49971f47a8c332757b1

SHA256
52a0698dd2da2c7fb10bc661b446f385eebff2a879ddc236456bd9385e7c8066

SHA512
999786227a4787466ed3ce3e6bffa0a354d861f4a8678de6f882dc63fdc84e0f186359b27820ccb3a22d57c730f352599b457a08b04ff50a79b771d58a11c658

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
1KB

MD5
23b4a9a4a95074e45df14cbf8f082def

SHA1
0aa8fa764b4d762861ec479a61b46082a0dbfdc3

SHA256
1ec75a74848c6a2630e351c3ac49bd5e37f4cec752a260d296403f1174474035

SHA512
12e55e64c2308dde0e8efba7e92dfa1e07de5662e18039b30c15964e25aa4ae67717d2e3e2250311415526f9d6289c9886e9ca47d177983a0fe45114b837b627

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
1KB

MD5
81a9a89e3f8d2750bc1e2fb5d9c1f6e4

SHA1
245f1f7cdbe74fe504d438385382e9045147d7f6

SHA256
fffb53fca182490a5f9306f38dbb231eede0ea0114d8091f43251e243f26089b

SHA512
cb3d4a2cad5d49bbd19f540289aa162614591204e4aabc4a1f507fae36016dddf1d6ab1aceb48e2a175f756ebe151db6d9f9645e765e3d3cccbdd78ccff98e80

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
1KB

MD5
272c27ec0fd9c9da18a2f682d08e0cca

SHA1
6b948dd76a48b59216d95c3c9b9e35bcfb4de9d5

SHA256
c485a54e3f2d56fa750766c7daa4bd059653c55beb75a9d3c381a1a4f8ef2735

SHA512
7a7ef2d89e935a9a3c90f611bf30a5883e58fcf45277e6f3c9d1d6bca6dff2ae788979b882a29ae651bc4bf710bbe4690c0dc8074fd9ca6248c58fbe369f1111

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
1KB

MD5
331e4951129c40d1d0cc85b4c3f6d408

SHA1
391d79c436894b92349bb3237bbb449a59f82ec7

SHA256
946314de3f77ac0abb6976d5bea1845b86d9c3359b5faba067011b3e75ee132a

SHA512
3b574ab74aac302f752cbca91dd7a2b135f49367b55f2deff4a57b6acf52426a7017915d79fd9b6fe3e2b7c78efab2f92447d1c66a850d2b8d0c8d78cd8852a8

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
1KB

MD5
924639718eb3e639b6da7e7a8af5da86

SHA1
b9422b5a679a502fd14afc7739ec1e04c7316fa9

SHA256
abbea1462660f77d68b5939b5d351904de301884903878d7fab6830da9a88b96

SHA512
1dfa2c6bbfc69c34ecdbb107fea376dcff08ca944c74abc5ead6dc5dd4cc4568935cac4c157632069375e3b29ad3ba88292a306414b282108c9eca809eee3dd6

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
1KB

MD5
ad6f0d127bfd30ae0aec301df0c7cdc8

SHA1
0c25689916c61935ec79b2ad6ba366cd24b94f30

SHA256
359da661f802476cdc2e1db80e505bc880484f2a8c1cc272f976e2041149c114

SHA512
c7ee07c5e8fe1484cba272e2bd34b8b8ac8710d22126c448b103e927cbb75cdd83a47dbaa26d65aeb1b14ab40d007e1da25fbb727c2887be91cf21989ccd21b1

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
1KB

MD5
95e9fdf01f35acd01c7d3966afb95078

SHA1
4c5f585f8a4c598a129444c9ed9ad5dfcd01b413

SHA256
f6ac74920ab0d5147120cb56d1efb55aee3f026b54a74eadf2d18851f65941d6

SHA512
8e4272f2790e3622e974a66a868322f0facd22c6c9763dde9ee5f1b862954abca0344c4790d21244cebedbd601801814be9fd56be0cc356e74135dab36fc801c

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
1KB

MD5
42e1db54464c2de323236291a0d07957

SHA1
d98ba7ebdb3e6aaecd70438dee9a764f335d5821

SHA256
a4ea0e9be5b4deeaaede5e6bd9009d7a5d22f82fff14dc23ae697b188a19ba4a

SHA512
e0c23422500dd46cedb1fc41b3dd97a354138f9a32e7c94311a4ffe9a47d706cee3b590caead870354b058454f424b7f714ac37b09ea8a6ead954eafca6a0e62

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
2KB

MD5
be098a4689a4339f4d493bd818268ea8

SHA1
9c2e5a95246deef7adee8e1cba6b490c7be23c12

SHA256
e3d22c9aee70dcd4657f4fd873c3212e74f58f385ef51ed88c626801d7f064a4

SHA512
702a5cccce4b5dbae2635f812dda9cc9c0c3feb4c9f360331da16dcf219f304fd5b4139901614af3f00b2e9c02127b03b12b47cfdf5a2c7524c550d5f41105ca

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
2KB

MD5
a44c549a9b84cbb2d3a6728ac13873c8

SHA1
1800a1b55d4b78057f298afb1641469ae91eb454

SHA256
e558474fbbb55be89be8e96cf8dac6532a98bbf347ed0f1adc2e460d015ad509

SHA512
a1ff0f57ccc8c7f8fe86b9b9dd891f482b8dc4d54c0c28d4dc917c0193dbaf4133fc7f199ab341fb9ae5b8e0eef1901d3bf4ce97771984e2ed0bd82d32784cb4

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
2KB

MD5
4606b2257f537e6e46f21c1769d00edf

SHA1
9ea9372a8b85f73203c223b12de330749e4ff45b

SHA256
0b0eccdd5e9f96eb6e0c950e8693315d00a0bca592011e4f332cb81c569a5a15

SHA512
fa766b6c4d42e9728f5da77526ba250bf9b7fd497d98b4f6b0d6ad193e30165c79ba95b4d99adca0ea8487b3f24ca42ee2beff0bd2f183871c7f9f0599a45963

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
2KB

MD5
40f4fd9f88643b037c97406e8803bf1d

SHA1
f377f39918dcc4d84493098cb970462a9d27c589

SHA256
0b4391e1093ba789160f40d67ff9221786ff314a8c96adb1ce6a6c00bdb0969d

SHA512
9420952fa845e360fd41c352175b58f7f2af202e5453174b675db8312d19861a54551d4539901a15c9960e710e4f163242d5ae91e3288319642369c99e79efdc

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
2KB

MD5
5f87993a10c9007ee57c9b231e6655a2

SHA1
c4589f4326c15dd9163256a89586ee6bdb6c479e

SHA256
e718570d8f398075df9b4f72771b493f84bd6d69421b36a1311424d7be564de6

SHA512
2fbe6ab0d2111c9cd21830dcf919ad5ff52e586bcee3df086f03baa6a5cea976f479511c168c1351dd83720fe68634917d35fd7e6858aa3aef152f1f5b9bd4bf

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
2KB

MD5
f69a49d670286a4f45e97954cb9e4c1e

SHA1
53d09b4e61656d1ed80d2b43aa2cd933a1fc5765

SHA256
35832a7450c65cb50ecb04f16fc38a0c71b0e538790b545faffb9b7f43d99ec1

SHA512
38d7af50adc7a9419a28de75e6176f1728dace8e8bf7cc232abfa0ae0c00887c8cdce88d913b4194d0a336491e18f480e0dfc623fc7c34dcedd14c4d94f29d8b

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
2KB

MD5
fce365c5914ec9c2339ae355736ecf67

SHA1
629657d57caed258757fb49178afbe78cbdf4c19

SHA256
0a6cec2ecb4a4ccb4c558a98d1579024c2f8d15c641848ee9774e5daef228a7a

SHA512
b3333be029ebc1b633e8cc82934a927715c45788434b82cb1f604f80859b18ad9568c5ea14beb6623bbb272d25b704d420b3152c6feac0f109148d9a31ef181a

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
3KB

MD5
80fd3a9f4c85d361defa9937081891ca

SHA1
66453b00dba30a3d4429fa3f36e8a3485a29602b

SHA256
74e67496af67999a88410a88163b5e162a90602ba651313c4def2ba153810976

SHA512
7c466517aa0c9191fba3f2cab1ebdcc8ab9c65d018b02350f7d6a89ff7cde86d0a9ef1144d35d31ea0b745c239c92413ee9618bb2c4caca51c6a1373a1617922

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
3KB

MD5
1c05e847579a001eb17434864b541073

SHA1
6db3c26b11d32c4e1f3d8a7fbdb34d751f1aa86a

SHA256
69c6a17daf46f188a34cc5f5341e771be0e5b044f6dca01248901b35581a9d8b

SHA512
42e914ac22c5d4b61daa6cf8ceb57239aba242b1ed45d8da831ff653754d07866566388ed633e54b4068ca4d5d25a6684649cc7b189cef9ae5fdadafca073d6d

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
3KB

MD5
41f0de70fb06b7aafe36c44688e0d799

SHA1
fe9c698be3546a27fb802d625b53a5d916591788

SHA256
93b8acc1a8726d37c34b1257ea1962ffb48e1dce09b0228f8c1e75795d3d13d9

SHA512
05491494b9ec3c8ce1a378efd5b189e4cd268a0e62a3a77f2e03e4eb080de5b8394d0911ef88cdcbf254217acf212657b1f58771c21a05e2266c8ed052f55308

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
3KB

MD5
c3f2a6c24ebda1aaf8224331ac620ae7

SHA1
4307abaade368066417900d72238a25a9fadda36

SHA256
449f0ae2264d8a33898b57f1ef0e608d601d3bc6a15b7e355842b8b3e099cd0c

SHA512
a531586faa5f80e7a77672d9633ec2af423b494d4a720d864f37e9076d1c2ee2bb67a69a425cb01fbb69c1163b48e831a426c3fc28758527d6847bdab300b798

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
3KB

MD5
955b9e7bf992c374328a55b6b8dec4c3

SHA1
16d6e73d80e238e0df9f0031043b3a462ffd8144

SHA256
53dac5bd0fc4f926d5c4568a484b0417d919962af085a5fb4cadd79e4e82bec8

SHA512
6308b6680fe9f8e209e4ba8ad5a60b82fc954be36773719381f8f40760203598cb3b7bb2fc85356d05a0dba8d5df8d13aa5cfadf05633ee24022566fce6c57e6

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
3KB

MD5
8caeccbcb106bc99c783ae75ee047595

SHA1
ecbe54992fdb6012b47b72717ec2a8ca97b32ad5

SHA256
f7a94fdb296cb7d3b4c03dec521700bed94b519c9bdd9ab8c433fcf2d7caaa87

SHA512
1e6837396a84eec3dcfb7cf1fc4009665a3718b7118a05455f8b157fd3000d23c92204712fbff47c7d08b31e9bb6c0e9e40592e1571560ffec8bb57f15230914

Download Submit
C:\Users\Admin\AppData\Local\3ebe8a8c26e00559fc9e776a513c4967\Admin@KZYBFHMK_en-US\System\Process.txt

Filesize
4KB

MD5
096c08e0debfbefbc2de7ec746f51641

SHA1
fd10e88a1c1d937b8979535f88ee8691da4e3c9c

SHA256
3732dcbd5f8a8ed6a79fffbefe8f176123a56c734df8d9badbf18921fddc36c7

SHA512
6a4f530f71cf5fd33dac5a8987b395241000a212e55d6635f60d2cc964395659a9b283b4544efde7b080358b897417b06326dec910e0af369511567fbafdcd93

Download Submit
C:\Users\Admin\AppData\Local\9f14789e79876668fdc6516ab714a73e\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe

Filesize
175KB

MD5
14b15cea169536afebbef45c29ac005b

SHA1
8f8a085f45aaf1babdbeb5beb7ef75db9a6451ef

SHA256
3a8e7fcf4ecdf5c6f45d05d2003f561d65ed7959e181beb2cfc55e60a4717396

SHA512
ef3c7c6ea00e1d0472d6797cdb5d5c462dcfd00fb14a5c34afdef0dd84d1c258a1f44a570c376236c7fc7a8d6a1a49941294ec30ad3edc04438db5cfbdc4957d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp90CC.tmp.dat

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp90CD.tmp.dat

Filesize
114KB

MD5
242b4242b3c1119f1fb55afbbdd24105

SHA1
e1d9c1ed860b67b926fe18206038cd10f77b9c55

SHA256
2d0e57c642cc32f10e77a73015075c2d03276dd58689944b01139b2bde8a62a1

SHA512
7d1e08dc0cf5e241bcfe3be058a7879b530646726c018bc51cc4821a7a41121bcda6fbfdeeca563e3b6b5e7035bdd717781169c3fdbd2c74933390aa9450c684

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp90DF.tmp.dat

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp911F.tmp.dat

Filesize
5.0MB

MD5
81412f7f844b75a6c65ed71eac0b9e61

SHA1
39b14eb48e13daaf94023482666fc9e13118ba72

SHA256
e37ca7753860c60248b70828432c8e018a3788479808fdfdbc4d3b369b381019

SHA512
63f2f6af6974091fb8de9dae945b392bb5f68abe66f7d9e3906089bb31f8e7ae2be03fcce44288514678b2b79eb309667b4607e9132183d1bb9a631ad65a983a

Download Submit
C:\Users\Admin\AppData\Local\Temp\v2mC4P7E.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
memory/2052-554-0x0000000005D60000-0x0000000005DF2000-memory.dmp

Filesize
584KB

Download
memory/2632-195-0x00007FFB84F50000-0x00007FFB84F60000-memory.dmp

Filesize
64KB

Download
memory/2632-198-0x00007FFB82890000-0x00007FFB828A0000-memory.dmp

Filesize
64KB

Download
memory/2632-197-0x00007FFB84F50000-0x00007FFB84F60000-memory.dmp

Filesize
64KB

Download
memory/2632-196-0x00007FFB84F50000-0x00007FFB84F60000-memory.dmp

Filesize
64KB

Download
memory/2632-194-0x00007FFB84F50000-0x00007FFB84F60000-memory.dmp

Filesize
64KB

Download
memory/2632-193-0x00007FFB84F50000-0x00007FFB84F60000-memory.dmp

Filesize
64KB

Download
memory/2632-199-0x00007FFB82890000-0x00007FFB828A0000-memory.dmp

Filesize
64KB

Download
memory/3104-506-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3104-619-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3104-556-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/3104-131-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/3668-557-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/3668-444-0x000000007242E000-0x000000007242F000-memory.dmp

Filesize
4KB

Download
memory/3668-130-0x0000000000440000-0x0000000000472000-memory.dmp

Filesize
200KB

Download
memory/3668-555-0x0000000005EA0000-0x0000000006444000-memory.dmp

Filesize
5.6MB

Download
memory/3668-132-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/3668-566-0x0000000005970000-0x000000000597A000-memory.dmp

Filesize
40KB

Download
memory/3668-118-0x000000007242E000-0x000000007242F000-memory.dmp

Filesize
4KB

Download
memory/3668-572-0x0000000006710000-0x0000000006722000-memory.dmp

Filesize
72KB

Download
memory/3668-213-0x0000000004CD0000-0x0000000004D36000-memory.dmp

Filesize
408KB

Download
memory/4376-129-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/4376-0-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download