metasploit | cf99eaaa334a9c8ffc2fe0e1068ffcc02dda1dd8b2b0eab2821182c5d2c1f51d

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
14-12-2024 13:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

8KB
MD5

69994ff2f00eeca9335ccd502198e05b
SHA1

b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512

ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP

96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Score

10^/10

metasploit redline xworm fvcxcx backdoor discovery execution infostealer persistence pyinstaller rat spyware stealer trojan upx

Malware Config

Extracted

Family

xworm

Version

5.0

45.141.26.234:7000

Mutex

2XLzSYLZvUJjDK3V

Attributes

Install_directory
%ProgramData%
install_file
Java Update (32bit).exe

aes.plain

Extracted

Family

redline

Botnet

fvcxcx

185.81.68.147:1912

Extracted

Family

metasploit

Version

metasploit_stager

176.122.27.90:8888

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral3/files/0x000e00000001a075-165.dat	family_xworm
behavioral3/memory/2668-167-0x00000000010E0000-0x00000000010F0000-memory.dmp	family_xworm

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral3/files/0x000600000001ad76-4270.dat	family_redline
behavioral3/memory/5860-4272-0x0000000001000000-0x0000000001052000-memory.dmp	family_redline

Redline family
redline
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1416	powershell.exe
2540	powershell.exe
892	powershell.exe
1864	powershell.exe
9004	powershell.exe
7836	powershell.exe

Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnk	x.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnk	x.exe

Executes dropped EXE 18 IoCs

pid	Process
2748	TPB-1.exe
2984	TestExe.exe
2668	x.exe
2172	PDFReader.exe
8012	FINAL_PDF.exe
8188	cv.exe
956	system32.exe
3776	system32.exe
3984	Filezilla.exe
1204	Process not Found
4276	Filezilla-stage2.exe
4532	test.exe
5860	fcxcx.exe
6052	Update.exe
2624	Product.exe
8128	main.exe
3404	main.exe
3268	tmp.exe

Loads dropped DLL 27 IoCs

pid	Process
8188	cv.exe
8188	cv.exe
8188	cv.exe
2296	New Text Document mod.exe
956	system32.exe
3776	system32.exe
3776	system32.exe
3776	system32.exe
3776	system32.exe
3776	system32.exe
3776	system32.exe
3776	system32.exe
3984	Filezilla.exe
3984	Filezilla.exe
3984	Filezilla.exe
1204	Process not Found
4276	Filezilla-stage2.exe
4276	Filezilla-stage2.exe
4276	Filezilla-stage2.exe
2296	New Text Document mod.exe
2296	New Text Document mod.exe
2296	New Text Document mod.exe
4672	Process not Found
8128	main.exe
3404	main.exe
2296	New Text Document mod.exe
2296	New Text Document mod.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\ElectronArtsCLI = "C:\\Users\\Admin\\Videos\\ElectronArts\\Bin\\ElectronArtsCLI.exe"	PDFReader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\ACBD3BAE7E724266498721\\ACBD3BAE7E724266498721.exe"	Update.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
11	raw.githubusercontent.com
12	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2172 set thread context of 2800	2172	PDFReader.exe	45
PID 2624 set thread context of 1316	2624	Product.exe	61

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/files/0x000400000001cdae-2234.dat	upx
behavioral3/memory/3776-2236-0x000007FEEF180000-0x000007FEEF5EE000-memory.dmp	upx

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral3/files/0x000500000001a4eb-2064.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TPB-1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PDFReader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FINAL_PDF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Filezilla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Product.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestExe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Filezilla-stage2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fcxcx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	New Text Document mod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	TPB-1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	TPB-1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	TPB-1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	TPB-1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	New Text Document mod.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2540	powershell.exe
892	powershell.exe
1864	powershell.exe
1416	powershell.exe
2668	x.exe
9004	powershell.exe
6052	Update.exe
5860	fcxcx.exe
5860	fcxcx.exe
5860	fcxcx.exe
6052	Update.exe
6052	Update.exe
6052	Update.exe
6052	Update.exe
6052	Update.exe
6052	Update.exe
6052	Update.exe
6052	Update.exe
6052	Update.exe
6052	Update.exe
6052	Update.exe
6052	Update.exe
2624	Product.exe
2624	Product.exe
7836	powershell.exe
6052	Update.exe
6052	Update.exe
6052	Update.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	2296	New Text Document mod.exe
Token: SeDebugPrivilege	2668	x.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	2668	x.exe
Token: SeDebugPrivilege	2800	csc.exe
Token: SeDebugPrivilege	8012	FINAL_PDF.exe
Token: SeDebugPrivilege	8188	cv.exe
Token: SeDebugPrivilege	3984	Filezilla.exe
Token: SeDebugPrivilege	4276	Filezilla-stage2.exe
Token: SeDebugPrivilege	4532	test.exe
Token: SeDebugPrivilege	9004	powershell.exe
Token: SeIncreaseQuotaPrivilege	6052	Update.exe
Token: SeSecurityPrivilege	6052	Update.exe
Token: SeTakeOwnershipPrivilege	6052	Update.exe
Token: SeLoadDriverPrivilege	6052	Update.exe
Token: SeSystemProfilePrivilege	6052	Update.exe
Token: SeSystemtimePrivilege	6052	Update.exe
Token: SeProfSingleProcessPrivilege	6052	Update.exe
Token: SeIncBasePriorityPrivilege	6052	Update.exe
Token: SeCreatePagefilePrivilege	6052	Update.exe
Token: SeBackupPrivilege	6052	Update.exe
Token: SeRestorePrivilege	6052	Update.exe
Token: SeShutdownPrivilege	6052	Update.exe
Token: SeDebugPrivilege	6052	Update.exe
Token: SeSystemEnvironmentPrivilege	6052	Update.exe
Token: SeRemoteShutdownPrivilege	6052	Update.exe
Token: SeUndockPrivilege	6052	Update.exe
Token: SeManageVolumePrivilege	6052	Update.exe
Token: 33	6052	Update.exe
Token: 34	6052	Update.exe
Token: 35	6052	Update.exe
Token: SeDebugPrivilege	5860	fcxcx.exe
Token: SeDebugPrivilege	2624	Product.exe
Token: SeDebugPrivilege	1316	InstallUtil.exe
Token: SeDebugPrivilege	7836	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2668	x.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2748	2296	New Text Document mod.exe	31
PID 2296 wrote to memory of 2748	2296	New Text Document mod.exe	31
PID 2296 wrote to memory of 2748	2296	New Text Document mod.exe	31
PID 2296 wrote to memory of 2748	2296	New Text Document mod.exe	31
PID 2296 wrote to memory of 2984	2296	New Text Document mod.exe	32
PID 2296 wrote to memory of 2984	2296	New Text Document mod.exe	32
PID 2296 wrote to memory of 2984	2296	New Text Document mod.exe	32
PID 2296 wrote to memory of 2984	2296	New Text Document mod.exe	32
PID 2296 wrote to memory of 2668	2296	New Text Document mod.exe	33
PID 2296 wrote to memory of 2668	2296	New Text Document mod.exe	33
PID 2296 wrote to memory of 2668	2296	New Text Document mod.exe	33
PID 2668 wrote to memory of 2540	2668	x.exe	36
PID 2668 wrote to memory of 2540	2668	x.exe	36
PID 2668 wrote to memory of 2540	2668	x.exe	36
PID 2296 wrote to memory of 2172	2296	New Text Document mod.exe	38
PID 2296 wrote to memory of 2172	2296	New Text Document mod.exe	38
PID 2296 wrote to memory of 2172	2296	New Text Document mod.exe	38
PID 2296 wrote to memory of 2172	2296	New Text Document mod.exe	38
PID 2296 wrote to memory of 2172	2296	New Text Document mod.exe	38
PID 2296 wrote to memory of 2172	2296	New Text Document mod.exe	38
PID 2296 wrote to memory of 2172	2296	New Text Document mod.exe	38
PID 2668 wrote to memory of 892	2668	x.exe	39
PID 2668 wrote to memory of 892	2668	x.exe	39
PID 2668 wrote to memory of 892	2668	x.exe	39
PID 2668 wrote to memory of 1864	2668	x.exe	41
PID 2668 wrote to memory of 1864	2668	x.exe	41
PID 2668 wrote to memory of 1864	2668	x.exe	41
PID 2668 wrote to memory of 1416	2668	x.exe	43
PID 2668 wrote to memory of 1416	2668	x.exe	43
PID 2668 wrote to memory of 1416	2668	x.exe	43
PID 2172 wrote to memory of 2800	2172	PDFReader.exe	45
PID 2172 wrote to memory of 2800	2172	PDFReader.exe	45
PID 2172 wrote to memory of 2800	2172	PDFReader.exe	45
PID 2172 wrote to memory of 2800	2172	PDFReader.exe	45
PID 2172 wrote to memory of 2800	2172	PDFReader.exe	45
PID 2172 wrote to memory of 2800	2172	PDFReader.exe	45
PID 2172 wrote to memory of 2800	2172	PDFReader.exe	45
PID 2172 wrote to memory of 2800	2172	PDFReader.exe	45
PID 2172 wrote to memory of 2800	2172	PDFReader.exe	45
PID 2296 wrote to memory of 8012	2296	New Text Document mod.exe	46
PID 2296 wrote to memory of 8012	2296	New Text Document mod.exe	46
PID 2296 wrote to memory of 8012	2296	New Text Document mod.exe	46
PID 2296 wrote to memory of 8012	2296	New Text Document mod.exe	46
PID 2296 wrote to memory of 8188	2296	New Text Document mod.exe	47
PID 2296 wrote to memory of 8188	2296	New Text Document mod.exe	47
PID 2296 wrote to memory of 8188	2296	New Text Document mod.exe	47
PID 2296 wrote to memory of 8188	2296	New Text Document mod.exe	47
PID 2296 wrote to memory of 8188	2296	New Text Document mod.exe	47
PID 2296 wrote to memory of 8188	2296	New Text Document mod.exe	47
PID 2296 wrote to memory of 8188	2296	New Text Document mod.exe	47
PID 2296 wrote to memory of 956	2296	New Text Document mod.exe	48
PID 2296 wrote to memory of 956	2296	New Text Document mod.exe	48
PID 2296 wrote to memory of 956	2296	New Text Document mod.exe	48
PID 956 wrote to memory of 3776	956	system32.exe	49
PID 956 wrote to memory of 3776	956	system32.exe	49
PID 956 wrote to memory of 3776	956	system32.exe	49
PID 2296 wrote to memory of 3984	2296	New Text Document mod.exe	50
PID 2296 wrote to memory of 3984	2296	New Text Document mod.exe	50
PID 2296 wrote to memory of 3984	2296	New Text Document mod.exe	50
PID 2296 wrote to memory of 3984	2296	New Text Document mod.exe	50
PID 2296 wrote to memory of 3984	2296	New Text Document mod.exe	50
PID 2296 wrote to memory of 3984	2296	New Text Document mod.exe	50
PID 2296 wrote to memory of 3984	2296	New Text Document mod.exe	50
PID 2296 wrote to memory of 4276	2296	New Text Document mod.exe	51

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  PID:2748
- C:\Users\Admin\AppData\Local\Temp\a\TestExe.exe
  "C:\Users\Admin\AppData\Local\Temp\a\TestExe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2984
- C:\Users\Admin\AppData\Local\Temp\a\x.exe
  "C:\Users\Admin\AppData\Local\Temp\a\x.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\x.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:892
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update (32bit).exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update (32bit).exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1416
- C:\Users\Admin\AppData\Local\Temp\a\PDFReader.exe
  "C:\Users\Admin\AppData\Local\Temp\a\PDFReader.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2800
- C:\Users\Admin\AppData\Local\Temp\a\FINAL_PDF.exe
  "C:\Users\Admin\AppData\Local\Temp\a\FINAL_PDF.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:8012
- C:\Users\Admin\AppData\Local\Temp\a\cv.exe
  "C:\Users\Admin\AppData\Local\Temp\a\cv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:8188
- C:\Users\Admin\AppData\Local\Temp\a\system32.exe
  "C:\Users\Admin\AppData\Local\Temp\a\system32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Users\Admin\AppData\Local\Temp\a\system32.exe
    "C:\Users\Admin\AppData\Local\Temp\a\system32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3776
- C:\Users\Admin\AppData\Local\Temp\a\Filezilla.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Filezilla.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3984
- C:\Users\Admin\AppData\Local\Temp\a\Filezilla-stage2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Filezilla-stage2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4276
- C:\Users\Admin\AppData\Local\Temp\a\test.exe
  "C:\Users\Admin\AppData\Local\Temp\a\test.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4532
- C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5860
- C:\Users\Admin\AppData\Local\Temp\a\Update.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Update.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6052
- C:\Users\Admin\AppData\Local\Temp\a\main.exe
  "C:\Users\Admin\AppData\Local\Temp\a\main.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:8128
- - C:\Users\Admin\AppData\Local\Temp\a\main.exe
    "C:\Users\Admin\AppData\Local\Temp\a\main.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3404
- C:\Users\Admin\AppData\Local\Temp\a\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\a\tmp.exe"
  2⤵
  - Executes dropped EXE
  PID:3268

C:\Windows\system32\taskeng.exe
taskeng.exe {7D97812F-05D6-4F84-BBD1-0BC2EE3ACFC9} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:S4U:
1⤵
PID:8972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAUAByAG8AZAB1AGMAdAAuAGUAeABlADsA
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:9004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAUAByAG8AZAB1AGMAdAAuAGUAeABlADsA
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:7836

C:\Windows\system32\taskeng.exe
taskeng.exe {C0F3E55E-C01F-43E5-ACF9-5EE0668447F2} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
1⤵
PID:4816
- C:\Users\Admin\AppData\Local\MethodSignature\exmwrmmi\Product.exe
  C:\Users\Admin\AppData\Local\MethodSignature\exmwrmmi\Product.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc539bfdb9854b9f1bc41d8b1b304378

SHA1
0cadc7cadeb687132b14cc9120991af10e7d0606

SHA256
91adec8fd66be81cda49df95d308f68ef488977b99e7129378a72353bb59e4b0

SHA512
868eb183872606032d2cc2cd1669c8d4b4f2c76c173e040ce323422dadcf808ec6c6920dcc7d62858a4b21995d806965175cc687810a93d951f36502df1bcd53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65ec5354f606b7478ab18884aee92120

SHA1
ee3fa9c98971d466f2746fbb2f24a5ce1dfe31af

SHA256
51b05dd89f839e6a784958d62c57c110024836ab8b382d5e839c3eb08e888130

SHA512
821150124ec5180881fd95f81e4ce57c35877e753ba69e4a21bb330bdbf129682d6c5d743e2db6072fd3f425fdbef852cef93616ed4a38ea9a7b8711fee523be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6aba39cbf0bdbeb3dda7a29af8a6a6c8

SHA1
35bba47a7a29a170f046d384da88e69c001f9a96

SHA256
95926e691838834f2e94b30cae6bd8ee145bbb1bd98657c9978ddaa9efda0843

SHA512
fa92e19c1352fe045532ec0eb01be16d93d119b40db9b4b8945c115a20e75ced8c173833da7edefaa9d39f3b933842e25d4b2e07a9f94a31bbf284884df1d12a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LW44N8OS\76561199804377619[1].htm

Filesize
25KB

MD5
c645549ae5b2c0690cac7864f845f57b

SHA1
d22d6b303161d1649432af7d5ee8c7793ef259d2

SHA256
29839e5ad26b078e39395bad67ab41c22dbd2a9a5b5ab0e71e6cfa42b845da16

SHA512
6a87262dc223165ac5a314a2670b673bdc5e3ee85eb6908f34cc306863254fd274e9871cad908f5da6b4bfe5b021b08dc3cbfb0b80ad040c3d5d90cb0cc243c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB55D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB56F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9562\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9562\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9562\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
d12403ee11359259ba2b0706e5e5111c

SHA1
03cc7827a30fd1dee38665c0cc993b4b533ac138

SHA256
f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781

SHA512
9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9562\python310.dll

Filesize
1.4MB

MD5
69d4f13fbaeee9b551c2d9a4a94d4458

SHA1
69540d8dfc0ee299a7ff6585018c7db0662aa629

SHA256
801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046

SHA512
8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9562\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\FINAL_PDF.exe

Filesize
1.6MB

MD5
290905106503753d8bd791403e04fb04

SHA1
a9ba718e1742482506325c18b3559f2282528343

SHA256
32e950b63131f1aaf640047618a1ac8e380131c01d5a1a823dce9711308272e3

SHA512
e2006e865ecfbcd96a3700ff81ddbe49f62c237454b0ba50992b2e74c5db661d41363fee0192b19c564047017fc67a3a1608a9570672211f81dcf40aaed9ab3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Filezilla-stage2.exe

Filesize
718KB

MD5
edcd48a5a8cc8ce2f91ca65dfb0fb108

SHA1
3d6ae60f49d0daf3d56263aa087ac4c29a80dbb3

SHA256
03bc8bdb2f9eb7a46cf89e52d735d68e889c8fd903440c828f3e0ac9a5f53649

SHA512
37d9c9a10f57e7c6d596709be45299db224cd2ac7b5baeffb98e87c30525ab2284c3bb1d2aca7377693301070b032111efbc77cc5c9eeca7b6cd5316e2cb1dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Filezilla.exe

Filesize
1.1MB

MD5
caeac3f7741596b90f056899cff54bf5

SHA1
b0b43ce7990a60f74f541c6b182cfc56a3af8279

SHA256
a84985dc93e0ef81bc7f42ad0b4e1269c377de2932268e774c1aa483ae9321a8

SHA512
053d457d4542c398d67c4b718067cfb8c74c649b2eeed487232cc209a66db5993ea5c3bc7c522ab7b4dbabcbfe5d50f499d8afac82b1f077fc0123b133196078

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\PDFReader.exe

Filesize
2.5MB

MD5
ddce3b9704d1e4236548b1a458317dd0

SHA1
a48a65dbcba5a65d89688e1b4eac0deef65928c8

SHA256
972f3d714d2a17e1e4d524c97cf8a283728dc8cf8ea4f2c39bf005cfcd3e71ce

SHA512
5e99897810377570cc29f0a066d4f31e05790b10d8a479dd8e358477cc7317bccd4d67c5936edfdca5f6385bd0587ba43b626bfc919cb12330facf3fa8893e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe

Filesize
465KB

MD5
760370c2aa2829b5fec688d12da0535f

SHA1
269f86ff2ce1eb1eeed20075f0b719ee779e8fbb

SHA256
a3a6cde465591377afc5f656f72a00799398fd2541b60391bcb8f62b8f8cace3

SHA512
1e63051694056ffcd3aa22edb2bef3bb30401edc784b82101f5dc7f69756b994e84e309a13bdb64b6e92516e895648ee34598de70e8882569d79dbfdab61a847

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\TestExe.exe

Filesize
38KB

MD5
51aa89efb23c098b10293527e469c042

SHA1
dc81102e0c1bced6e1da055dab620316959d8e2a

SHA256
780f11f112fcf055a2f9d6b12ce3750aed7720b85528a7adaf114067446f4292

SHA512
93230b7881a9141453c1c84e8f74085a150ce62ecd0acd80367cb16048cb9de67a7f99d1345602ad3ecd71fc2e159a4f17269f172dc7b60272f65d50e1b608fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cv.exe

Filesize
1.6MB

MD5
19fe59da84e322469ed35704ad2cfb87

SHA1
6d7d800e2c0f455ad7ed39ead3a812562e97c3fc

SHA256
abf89117cd0e2e9c5606b42f5bbc019ade9646300e7c621ccc7d15f2e3ce03ee

SHA512
11e3b40b9233380e15c1b39feae995e7344f26f48d3b306a4fa3ca0159fe9ab45636abddd1966005ad93736697649bde6d3960b6daa9b3945c4590f3de7c0af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe

Filesize
300KB

MD5
f0aaf1b673a9316c4b899ccc4e12d33e

SHA1
294b9c038264d052b3c1c6c80e8f1b109590cf36

SHA256
fcc616ecbe31fadf9c30a9baedde66d2ce7ff10c369979fe9c4f8c5f1bff3fc2

SHA512
97d149658e9e7a576dfb095d5f6d8956cb185d35f07dd8e769b3b957f92260b5de727eb2685522923d15cd70c16c596aa6354452ac851b985ab44407734b6f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test.exe

Filesize
590KB

MD5
59eab4d3e8b7c383d6e963256ce603d8

SHA1
367ac5a131bbebce102b0fc56c3f22224fe61b47

SHA256
ea8724ff42a52834a9af9c7d3fe10ac6ff1fe8064e4f1e3e519daf9396a508f0

SHA512
5b64311ae75d93b2f15452ee6ac9a39dd44bc6bee2880affb6f3e4d7a12b98224595055dd6e44d3bcdb0ff808b0aa8ed9f2097228c5ca43b1094828b796095b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\tmp.exe

Filesize
7KB

MD5
459976dc3440b9fe9614d2e7c246af02

SHA1
ea72df634719681351c66aea8b616349bf4b1cba

SHA256
d459bd8e6ababe027af56fc683181351be1d4ad230da087e742aaef5c0979811

SHA512
368d943206bb8475b218aefd9483c6bedeef53742366a7f87fe638f848c118097b99122bc6245538b92255d586c45d0de54dbd399a4c401d19fb87d5f8ecc400

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\x.exe

Filesize
40KB

MD5
f9a6811d7a9d5e06d73a68fc729ce66c

SHA1
c882143d5fde4b2e7edb5a9accb534ba17d754ef

SHA256
c583d0a367ecffa74b82b78116bbb04b7c92bed0300ed1c3adc4ef3250fbb9cc

SHA512
4dec52f0d1927306deda677fea46d103b052aaa5f7d7f49abe59a3618110ee542c2db385158a393970751fcc9687efe44a860d6330ed474c0c849369c0da56df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
987e741a6d13861a18a10cf409514a0a

SHA1
4c0ad6d3ce6dbc844c6c98057c5e6558e772c876

SHA256
f984ef8df8648ff2a93dfb9d98ee134ceb637c96c24f1794202b1df5980b2814

SHA512
52cbc0d8b3c486aabb891c5b147b2e4d18710e597416ba62ba88f3498765fed5f1967f3e41d419f638d0aad65c945adc76f1ce6276073ebdda779c43c0297cd1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b78f2aaca7fac4331db8bb149a19f7f7

SHA1
3b7ae099a752b92d219d27bfea2b78fc528a1440

SHA256
54d04f0e6d5209daa7d3ac6f7ca70894685c5d81e58e6bc400cb273700961ea4

SHA512
4459b8d75c1d9fae7b7a64efdce4090e7cbbc9b45bd10da63ef8e99528a2d6f4984001dca69dc97418c941ffda99051cd540bf0d8700ebd41111983d6cc1fbd2

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9562\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9562\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
517eb9e2cb671ae49f99173d7f7ce43f

SHA1
4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

SHA256
57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

SHA512
492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

Download Submit
\Users\Admin\AppData\Local\Temp\a\Update.exe

Filesize
302KB

MD5
2682786590a361f965fb7e07170ebe2b

SHA1
57c2c049997bfebb5fae9d99745941e192e71df1

SHA256
50dcab544d9da89056f9a7dcc28e641b743abe6afef1217ee0dfbd11e962e41d

SHA512
9b1dc6ee05a28ef2dc76b7d1ae97202cadcfafd261cf876bb64f546991311f9a36e46620cce9ae8b58bfc8e4de69840618c90a9a3cab56b6660803691c1ff6dd

Download Submit
\Users\Admin\AppData\Local\Temp\a\system32.exe

Filesize
18.6MB

MD5
1aaef5ae68c230b981da07753b9f8941

SHA1
36c376f5a812492199a8cd9c69e5016ff145ef24

SHA256
71b3033574f81390983318421237ac73277410cfdd2f2f256b4c66d51b6988d6

SHA512
83852533fd0a7598e63f69ebeb29cce40f0a4bf47129d6477827a6900b46db7324c0fc433fd5abf64c040c5976e3d6574d5544669c5c45abf98945916598dcb3

Download Submit
memory/892-190-0x0000000002230000-0x0000000002238000-memory.dmp

Filesize
32KB

Download
memory/892-189-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/1316-6130-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2296-169-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/2296-2-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/2296-0-0x000007FEF5763000-0x000007FEF5764000-memory.dmp

Filesize
4KB

Download
memory/2296-168-0x000007FEF5763000-0x000007FEF5764000-memory.dmp

Filesize
4KB

Download
memory/2296-8002-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/2296-1-0x0000000000330000-0x0000000000338000-memory.dmp

Filesize
32KB

Download
memory/2296-8006-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/2540-175-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2540-174-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2624-4288-0x0000000000F90000-0x000000000102A000-memory.dmp

Filesize
616KB

Download
memory/2624-4289-0x0000000000B20000-0x0000000000BE4000-memory.dmp

Filesize
784KB

Download
memory/2624-6115-0x0000000004DA0000-0x0000000004DF4000-memory.dmp

Filesize
336KB

Download
memory/2668-167-0x00000000010E0000-0x00000000010F0000-memory.dmp

Filesize
64KB

Download
memory/2748-4265-0x0000000000400000-0x000000000068B000-memory.dmp

Filesize
2.5MB

Download
memory/2748-64-0x0000000000400000-0x000000000068B000-memory.dmp

Filesize
2.5MB

Download
memory/2800-209-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2800-266-0x0000000000A50000-0x0000000000B10000-memory.dmp

Filesize
768KB

Download
memory/2800-244-0x0000000000A50000-0x0000000000B10000-memory.dmp

Filesize
768KB

Download
memory/2800-242-0x0000000000A50000-0x0000000000B10000-memory.dmp

Filesize
768KB

Download
memory/2800-238-0x0000000000A50000-0x0000000000B10000-memory.dmp

Filesize
768KB

Download
memory/2800-236-0x0000000000A50000-0x0000000000B10000-memory.dmp

Filesize
768KB

Download
memory/2800-234-0x0000000000A50000-0x0000000000B10000-memory.dmp

Filesize
768KB

Download
memory/2800-232-0x0000000000A50000-0x0000000000B10000-memory.dmp

Filesize
768KB

Download
memory/2800-228-0x0000000000A50000-0x0000000000B10000-memory.dmp

Filesize
768KB

Download
memory/2800-224-0x0000000000A50000-0x0000000000B10000-memory.dmp

Filesize
768KB

Download
memory/2800-2037-0x0000000000EE0000-0x0000000000F36000-memory.dmp

Filesize
344KB

Download
memory/2800-2038-0x0000000000DD0000-0x0000000000E1C000-memory.dmp

Filesize
304KB

Download
memory/2800-248-0x0000000000A50000-0x0000000000B10000-memory.dmp

Filesize
768KB

Download
memory/2800-240-0x0000000000A50000-0x0000000000B10000-memory.dmp

Filesize
768KB

Download
memory/2800-250-0x0000000000A50000-0x0000000000B10000-memory.dmp

Filesize
768KB

Download
memory/2800-218-0x0000000000A50000-0x0000000000B10000-memory.dmp

Filesize
768KB

Download
memory/2800-256-0x0000000000A50000-0x0000000000B10000-memory.dmp

Filesize
768KB

Download
memory/2800-258-0x0000000000A50000-0x0000000000B10000-memory.dmp

Filesize
768KB

Download
memory/2800-260-0x0000000000A50000-0x0000000000B10000-memory.dmp

Filesize
768KB

Download
memory/2800-262-0x0000000000A50000-0x0000000000B10000-memory.dmp

Filesize
768KB

Download
memory/2800-264-0x0000000000A50000-0x0000000000B10000-memory.dmp

Filesize
768KB

Download
memory/2800-216-0x0000000000A50000-0x0000000000B10000-memory.dmp

Filesize
768KB

Download
memory/2800-270-0x0000000000A50000-0x0000000000B10000-memory.dmp

Filesize
768KB

Download
memory/2800-272-0x0000000000A50000-0x0000000000B10000-memory.dmp

Filesize
768KB

Download
memory/2800-226-0x0000000000A50000-0x0000000000B10000-memory.dmp

Filesize
768KB

Download
memory/2800-252-0x0000000000A50000-0x0000000000B10000-memory.dmp

Filesize
768KB

Download
memory/2800-246-0x0000000000A50000-0x0000000000B10000-memory.dmp

Filesize
768KB

Download
memory/2800-230-0x0000000000A50000-0x0000000000B10000-memory.dmp

Filesize
768KB

Download
memory/2800-207-0x00000000002B0000-0x000000000034A000-memory.dmp

Filesize
616KB

Download
memory/2800-222-0x0000000000A50000-0x0000000000B10000-memory.dmp

Filesize
768KB

Download
memory/2800-254-0x0000000000A50000-0x0000000000B10000-memory.dmp

Filesize
768KB

Download
memory/2800-213-0x00000000002B0000-0x000000000034A000-memory.dmp

Filesize
616KB

Download
memory/2800-211-0x00000000002B0000-0x000000000034A000-memory.dmp

Filesize
616KB

Download
memory/2800-210-0x00000000002B0000-0x000000000034A000-memory.dmp

Filesize
616KB

Download
memory/2800-214-0x0000000000A50000-0x0000000000B16000-memory.dmp

Filesize
792KB

Download
memory/2800-215-0x0000000000A50000-0x0000000000B10000-memory.dmp

Filesize
768KB

Download
memory/2800-220-0x0000000000A50000-0x0000000000B10000-memory.dmp

Filesize
768KB

Download
memory/2800-268-0x0000000000A50000-0x0000000000B10000-memory.dmp

Filesize
768KB

Download
memory/2984-133-0x0000000001290000-0x00000000012A0000-memory.dmp

Filesize
64KB

Download
memory/3268-8007-0x0000000140000000-0x0000000140004278-memory.dmp

Filesize
16KB

Download
memory/3268-8043-0x0000000140000000-0x0000000140004278-memory.dmp

Filesize
16KB

Download
memory/3776-2236-0x000007FEEF180000-0x000007FEEF5EE000-memory.dmp

Filesize
4.4MB

Download
memory/3984-2246-0x0000000000F50000-0x0000000001060000-memory.dmp

Filesize
1.1MB

Download
memory/4276-2258-0x0000000000EA0000-0x0000000000F56000-memory.dmp

Filesize
728KB

Download
memory/4532-4236-0x0000000004F30000-0x0000000004F84000-memory.dmp

Filesize
336KB

Download
memory/4532-4089-0x0000000001020000-0x0000000001076000-memory.dmp

Filesize
344KB

Download
memory/4532-2266-0x0000000000C00000-0x0000000000CC4000-memory.dmp

Filesize
784KB

Download
memory/4532-2265-0x0000000001110000-0x00000000011AA000-memory.dmp

Filesize
616KB

Download
memory/5860-4272-0x0000000001000000-0x0000000001052000-memory.dmp

Filesize
328KB

Download
memory/7836-7960-0x0000000000DF0000-0x0000000000DF8000-memory.dmp

Filesize
32KB

Download
memory/8012-2047-0x00000000008A0000-0x0000000000A3C000-memory.dmp

Filesize
1.6MB

Download
memory/8188-2057-0x0000000000240000-0x00000000003E4000-memory.dmp

Filesize
1.6MB

Download
memory/9004-4243-0x0000000000B50000-0x0000000000B58000-memory.dmp

Filesize
32KB

Download
memory/9004-4242-0x000000001A1A0000-0x000000001A482000-memory.dmp

Filesize
2.9MB

Download