metasploit | cf99eaaa334a9c8ffc2fe0e1068ffcc02dda1dd8b2b0eab2821182c5d2c1f51d

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
14-12-2024 13:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

8KB
MD5

69994ff2f00eeca9335ccd502198e05b
SHA1

b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512

ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP

96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Score

10^/10

metasploit redline xworm fvcxcx backdoor discovery execution infostealer persistence pyinstaller rat spyware stealer trojan upx

Malware Config

Extracted

Family

xworm

Version

5.0

45.141.26.234:7000

Mutex

2XLzSYLZvUJjDK3V

Attributes

Install_directory
%ProgramData%
install_file
Java Update (32bit).exe

aes.plain

Extracted

Family

redline

Botnet

fvcxcx

185.81.68.147:1912

Extracted

Family

metasploit

Version

metasploit_stager

176.122.27.90:8888

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral5/files/0x000e00000001948c-157.dat	family_xworm
behavioral5/memory/2304-159-0x0000000000F50000-0x0000000000F60000-memory.dmp	family_xworm

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral5/files/0x000600000001a46d-4269.dat	family_redline
behavioral5/memory/2924-4271-0x0000000000050000-0x00000000000A2000-memory.dmp	family_redline

Redline family
redline
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1524	powershell.exe
1656	powershell.exe
1220	powershell.exe
1932	powershell.exe
4680	powershell.exe
4428	powershell.exe

Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnk	x.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnk	x.exe

Executes dropped EXE 18 IoCs

pid	Process
2356	TPB-1.exe
2044	TestExe.exe
2304	x.exe
1148	PDFReader.exe
8492	FINAL_PDF.exe
8652	cv.exe
8808	system32.exe
2888	system32.exe
6948	Filezilla.exe
2392	Filezilla-stage2.exe
1344	Process not Found
532	test.exe
2924	fcxcx.exe
8400	Update.exe
4928	Product.exe
4712	main.exe
5316	tmp.exe
6164	main.exe

Loads dropped DLL 26 IoCs

pid	Process
8652	cv.exe
8652	cv.exe
8652	cv.exe
2532	New Text Document mod.exe
8808	system32.exe
2888	system32.exe
2888	system32.exe
2888	system32.exe
2888	system32.exe
2888	system32.exe
2888	system32.exe
2888	system32.exe
6948	Filezilla.exe
6948	Filezilla.exe
6948	Filezilla.exe
2392	Filezilla-stage2.exe
2392	Filezilla-stage2.exe
2392	Filezilla-stage2.exe
2532	New Text Document mod.exe
2532	New Text Document mod.exe
2532	New Text Document mod.exe
2436	Process not Found
2532	New Text Document mod.exe
2532	New Text Document mod.exe
4712	main.exe
6164	main.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ElectronArtsCLI = "C:\\Users\\Admin\\Videos\\ElectronArts\\Bin\\ElectronArtsCLI.exe"	PDFReader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\09196CB6BB3A107340409\\09196CB6BB3A107340409.exe"	Update.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
11	raw.githubusercontent.com
12	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1148 set thread context of 2172	1148	PDFReader.exe	45
PID 4928 set thread context of 7524	4928	Product.exe	65

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral5/files/0x000400000001cbc0-2232.dat	upx
behavioral5/memory/2888-2235-0x000007FEEF790000-0x000007FEEFBFE000-memory.dmp	upx

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral5/files/0x000c0000000195b3-2062.dat	pyinstaller
behavioral5/files/0x000700000001a44d-6113.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Filezilla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Filezilla-stage2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fcxcx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TPB-1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestExe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PDFReader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Product.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FINAL_PDF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	TPB-1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	TPB-1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	TPB-1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	TPB-1.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1524	powershell.exe
1656	powershell.exe
1220	powershell.exe
1932	powershell.exe
2304	x.exe
4428	powershell.exe
8400	Update.exe
8400	Update.exe
2924	fcxcx.exe
8400	Update.exe
8400	Update.exe
4928	Product.exe
4928	Product.exe
4680	powershell.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	New Text Document mod.exe
Token: SeDebugPrivilege	2304	x.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	2304	x.exe
Token: SeDebugPrivilege	2172	csc.exe
Token: SeDebugPrivilege	8492	FINAL_PDF.exe
Token: SeDebugPrivilege	8652	cv.exe
Token: SeDebugPrivilege	6948	Filezilla.exe
Token: SeDebugPrivilege	2392	Filezilla-stage2.exe
Token: SeDebugPrivilege	532	test.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeIncreaseQuotaPrivilege	8400	Update.exe
Token: SeSecurityPrivilege	8400	Update.exe
Token: SeTakeOwnershipPrivilege	8400	Update.exe
Token: SeLoadDriverPrivilege	8400	Update.exe
Token: SeSystemProfilePrivilege	8400	Update.exe
Token: SeSystemtimePrivilege	8400	Update.exe
Token: SeProfSingleProcessPrivilege	8400	Update.exe
Token: SeIncBasePriorityPrivilege	8400	Update.exe
Token: SeCreatePagefilePrivilege	8400	Update.exe
Token: SeBackupPrivilege	8400	Update.exe
Token: SeRestorePrivilege	8400	Update.exe
Token: SeShutdownPrivilege	8400	Update.exe
Token: SeDebugPrivilege	8400	Update.exe
Token: SeSystemEnvironmentPrivilege	8400	Update.exe
Token: SeRemoteShutdownPrivilege	8400	Update.exe
Token: SeUndockPrivilege	8400	Update.exe
Token: SeManageVolumePrivilege	8400	Update.exe
Token: 33	8400	Update.exe
Token: 34	8400	Update.exe
Token: 35	8400	Update.exe
Token: SeDebugPrivilege	2924	fcxcx.exe
Token: SeDebugPrivilege	4928	Product.exe
Token: SeDebugPrivilege	7524	InstallUtil.exe
Token: SeDebugPrivilege	4680	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2304	x.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2356	2532	New Text Document mod.exe	31
PID 2532 wrote to memory of 2356	2532	New Text Document mod.exe	31
PID 2532 wrote to memory of 2356	2532	New Text Document mod.exe	31
PID 2532 wrote to memory of 2356	2532	New Text Document mod.exe	31
PID 2532 wrote to memory of 2044	2532	New Text Document mod.exe	32
PID 2532 wrote to memory of 2044	2532	New Text Document mod.exe	32
PID 2532 wrote to memory of 2044	2532	New Text Document mod.exe	32
PID 2532 wrote to memory of 2044	2532	New Text Document mod.exe	32
PID 2532 wrote to memory of 2304	2532	New Text Document mod.exe	33
PID 2532 wrote to memory of 2304	2532	New Text Document mod.exe	33
PID 2532 wrote to memory of 2304	2532	New Text Document mod.exe	33
PID 2532 wrote to memory of 1148	2532	New Text Document mod.exe	35
PID 2532 wrote to memory of 1148	2532	New Text Document mod.exe	35
PID 2532 wrote to memory of 1148	2532	New Text Document mod.exe	35
PID 2532 wrote to memory of 1148	2532	New Text Document mod.exe	35
PID 2532 wrote to memory of 1148	2532	New Text Document mod.exe	35
PID 2532 wrote to memory of 1148	2532	New Text Document mod.exe	35
PID 2532 wrote to memory of 1148	2532	New Text Document mod.exe	35
PID 2304 wrote to memory of 1524	2304	x.exe	37
PID 2304 wrote to memory of 1524	2304	x.exe	37
PID 2304 wrote to memory of 1524	2304	x.exe	37
PID 2304 wrote to memory of 1656	2304	x.exe	39
PID 2304 wrote to memory of 1656	2304	x.exe	39
PID 2304 wrote to memory of 1656	2304	x.exe	39
PID 2304 wrote to memory of 1220	2304	x.exe	41
PID 2304 wrote to memory of 1220	2304	x.exe	41
PID 2304 wrote to memory of 1220	2304	x.exe	41
PID 2304 wrote to memory of 1932	2304	x.exe	43
PID 2304 wrote to memory of 1932	2304	x.exe	43
PID 2304 wrote to memory of 1932	2304	x.exe	43
PID 1148 wrote to memory of 2172	1148	PDFReader.exe	45
PID 1148 wrote to memory of 2172	1148	PDFReader.exe	45
PID 1148 wrote to memory of 2172	1148	PDFReader.exe	45
PID 1148 wrote to memory of 2172	1148	PDFReader.exe	45
PID 1148 wrote to memory of 2172	1148	PDFReader.exe	45
PID 1148 wrote to memory of 2172	1148	PDFReader.exe	45
PID 1148 wrote to memory of 2172	1148	PDFReader.exe	45
PID 1148 wrote to memory of 2172	1148	PDFReader.exe	45
PID 1148 wrote to memory of 2172	1148	PDFReader.exe	45
PID 2532 wrote to memory of 8492	2532	New Text Document mod.exe	46
PID 2532 wrote to memory of 8492	2532	New Text Document mod.exe	46
PID 2532 wrote to memory of 8492	2532	New Text Document mod.exe	46
PID 2532 wrote to memory of 8492	2532	New Text Document mod.exe	46
PID 2532 wrote to memory of 8652	2532	New Text Document mod.exe	47
PID 2532 wrote to memory of 8652	2532	New Text Document mod.exe	47
PID 2532 wrote to memory of 8652	2532	New Text Document mod.exe	47
PID 2532 wrote to memory of 8652	2532	New Text Document mod.exe	47
PID 2532 wrote to memory of 8652	2532	New Text Document mod.exe	47
PID 2532 wrote to memory of 8652	2532	New Text Document mod.exe	47
PID 2532 wrote to memory of 8652	2532	New Text Document mod.exe	47
PID 2532 wrote to memory of 8808	2532	New Text Document mod.exe	48
PID 2532 wrote to memory of 8808	2532	New Text Document mod.exe	48
PID 2532 wrote to memory of 8808	2532	New Text Document mod.exe	48
PID 8808 wrote to memory of 2888	8808	system32.exe	49
PID 8808 wrote to memory of 2888	8808	system32.exe	49
PID 8808 wrote to memory of 2888	8808	system32.exe	49
PID 2532 wrote to memory of 6948	2532	New Text Document mod.exe	50
PID 2532 wrote to memory of 6948	2532	New Text Document mod.exe	50
PID 2532 wrote to memory of 6948	2532	New Text Document mod.exe	50
PID 2532 wrote to memory of 6948	2532	New Text Document mod.exe	50
PID 2532 wrote to memory of 6948	2532	New Text Document mod.exe	50
PID 2532 wrote to memory of 6948	2532	New Text Document mod.exe	50
PID 2532 wrote to memory of 6948	2532	New Text Document mod.exe	50
PID 2532 wrote to memory of 2392	2532	New Text Document mod.exe	51

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  PID:2356
- C:\Users\Admin\AppData\Local\Temp\a\TestExe.exe
  "C:\Users\Admin\AppData\Local\Temp\a\TestExe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2044
- C:\Users\Admin\AppData\Local\Temp\a\x.exe
  "C:\Users\Admin\AppData\Local\Temp\a\x.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\x.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1656
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update (32bit).exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1220
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update (32bit).exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1932
- C:\Users\Admin\AppData\Local\Temp\a\PDFReader.exe
  "C:\Users\Admin\AppData\Local\Temp\a\PDFReader.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2172
- C:\Users\Admin\AppData\Local\Temp\a\FINAL_PDF.exe
  "C:\Users\Admin\AppData\Local\Temp\a\FINAL_PDF.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:8492
- C:\Users\Admin\AppData\Local\Temp\a\cv.exe
  "C:\Users\Admin\AppData\Local\Temp\a\cv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:8652
- C:\Users\Admin\AppData\Local\Temp\a\system32.exe
  "C:\Users\Admin\AppData\Local\Temp\a\system32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:8808
- - C:\Users\Admin\AppData\Local\Temp\a\system32.exe
    "C:\Users\Admin\AppData\Local\Temp\a\system32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2888
- C:\Users\Admin\AppData\Local\Temp\a\Filezilla.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Filezilla.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6948
- C:\Users\Admin\AppData\Local\Temp\a\Filezilla-stage2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Filezilla-stage2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- C:\Users\Admin\AppData\Local\Temp\a\test.exe
  "C:\Users\Admin\AppData\Local\Temp\a\test.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:532
- C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Users\Admin\AppData\Local\Temp\a\Update.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Update.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:8400
- C:\Users\Admin\AppData\Local\Temp\a\main.exe
  "C:\Users\Admin\AppData\Local\Temp\a\main.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4712
- - C:\Users\Admin\AppData\Local\Temp\a\main.exe
    "C:\Users\Admin\AppData\Local\Temp\a\main.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:6164
- C:\Users\Admin\AppData\Local\Temp\a\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\a\tmp.exe"
  2⤵
  - Executes dropped EXE
  PID:5316

C:\Windows\system32\taskeng.exe
taskeng.exe {B1584E63-A32B-40BB-B9B1-06BB8D692E33} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:S4U:
1⤵
PID:4788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAUAByAG8AZAB1AGMAdAAuAGUAeABlADsA
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAUAByAG8AZAB1AGMAdAAuAGUAeABlADsA
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4680

C:\Windows\system32\taskeng.exe
taskeng.exe {3132E674-7D12-4EC6-AAE0-BD13DFA0F08E} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
1⤵
PID:1992
- C:\Users\Admin\AppData\Local\MethodSignature\zgfeklzi\Product.exe
  C:\Users\Admin\AppData\Local\MethodSignature\zgfeklzi\Product.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4928
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:7524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
70be0c6b6a56c0f8d9f67aef4146f0e4

SHA1
2a2f3787c245c78d43a1c6d087fc2121c9d14367

SHA256
07a050207f43868aa01340c37fcb22a71a293a7b75763d74c29fe0291b5f0c1c

SHA512
717ec8a0df841fa5b35e7ecbe6f651ee21bffa74e6656fb4183f45c77fb055cbc250ae0173e534114abf18ebc44b5bc74f1c28a9e8e4033d13d935e131bee287

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
23e7ae30d7fcf7d2587897c5f107d6a6

SHA1
e8a642a7e47d34a8dc12642f8feac2c553e03491

SHA256
da03dbf33223b38896197c68a6977641953ba4198c2f303f1a5d6be87fd4b2aa

SHA512
ba2fd477529dfc70094895b538a1caa64b27abf573899ee49f4fbb26036280160f897755d4b93e968df23decddf93588be15cd262deb88b79978f243a12df5b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\76561199804377619[1].htm

Filesize
34KB

MD5
c94a10802bd25bb18742e8655b0ebfc1

SHA1
e55bb03d200ad31746df3a383d363e1bd09c75c5

SHA256
de2831c4f17e1b5f0e4f5d36e5f79c690cf763279cc7cb0adc8fcc09d8dc0128

SHA512
621dde9937c1489b68bc0075e8fc7a22039805e497255363872ac3c4e77a765be75dc3a3f4e218dbed6dc50d65323ebd9657fe281b1c7ce88d414064c6a200b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9B77.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9B99.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI88082\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI88082\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI88082\python310.dll

Filesize
1.4MB

MD5
69d4f13fbaeee9b551c2d9a4a94d4458

SHA1
69540d8dfc0ee299a7ff6585018c7db0662aa629

SHA256
801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046

SHA512
8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\FINAL_PDF.exe

Filesize
1.6MB

MD5
290905106503753d8bd791403e04fb04

SHA1
a9ba718e1742482506325c18b3559f2282528343

SHA256
32e950b63131f1aaf640047618a1ac8e380131c01d5a1a823dce9711308272e3

SHA512
e2006e865ecfbcd96a3700ff81ddbe49f62c237454b0ba50992b2e74c5db661d41363fee0192b19c564047017fc67a3a1608a9570672211f81dcf40aaed9ab3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Filezilla-stage2.exe

Filesize
718KB

MD5
edcd48a5a8cc8ce2f91ca65dfb0fb108

SHA1
3d6ae60f49d0daf3d56263aa087ac4c29a80dbb3

SHA256
03bc8bdb2f9eb7a46cf89e52d735d68e889c8fd903440c828f3e0ac9a5f53649

SHA512
37d9c9a10f57e7c6d596709be45299db224cd2ac7b5baeffb98e87c30525ab2284c3bb1d2aca7377693301070b032111efbc77cc5c9eeca7b6cd5316e2cb1dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Filezilla.exe

Filesize
1.1MB

MD5
caeac3f7741596b90f056899cff54bf5

SHA1
b0b43ce7990a60f74f541c6b182cfc56a3af8279

SHA256
a84985dc93e0ef81bc7f42ad0b4e1269c377de2932268e774c1aa483ae9321a8

SHA512
053d457d4542c398d67c4b718067cfb8c74c649b2eeed487232cc209a66db5993ea5c3bc7c522ab7b4dbabcbfe5d50f499d8afac82b1f077fc0123b133196078

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\PDFReader.exe

Filesize
2.5MB

MD5
ddce3b9704d1e4236548b1a458317dd0

SHA1
a48a65dbcba5a65d89688e1b4eac0deef65928c8

SHA256
972f3d714d2a17e1e4d524c97cf8a283728dc8cf8ea4f2c39bf005cfcd3e71ce

SHA512
5e99897810377570cc29f0a066d4f31e05790b10d8a479dd8e358477cc7317bccd4d67c5936edfdca5f6385bd0587ba43b626bfc919cb12330facf3fa8893e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe

Filesize
465KB

MD5
760370c2aa2829b5fec688d12da0535f

SHA1
269f86ff2ce1eb1eeed20075f0b719ee779e8fbb

SHA256
a3a6cde465591377afc5f656f72a00799398fd2541b60391bcb8f62b8f8cace3

SHA512
1e63051694056ffcd3aa22edb2bef3bb30401edc784b82101f5dc7f69756b994e84e309a13bdb64b6e92516e895648ee34598de70e8882569d79dbfdab61a847

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\TestExe.exe

Filesize
38KB

MD5
51aa89efb23c098b10293527e469c042

SHA1
dc81102e0c1bced6e1da055dab620316959d8e2a

SHA256
780f11f112fcf055a2f9d6b12ce3750aed7720b85528a7adaf114067446f4292

SHA512
93230b7881a9141453c1c84e8f74085a150ce62ecd0acd80367cb16048cb9de67a7f99d1345602ad3ecd71fc2e159a4f17269f172dc7b60272f65d50e1b608fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cv.exe

Filesize
1.6MB

MD5
19fe59da84e322469ed35704ad2cfb87

SHA1
6d7d800e2c0f455ad7ed39ead3a812562e97c3fc

SHA256
abf89117cd0e2e9c5606b42f5bbc019ade9646300e7c621ccc7d15f2e3ce03ee

SHA512
11e3b40b9233380e15c1b39feae995e7344f26f48d3b306a4fa3ca0159fe9ab45636abddd1966005ad93736697649bde6d3960b6daa9b3945c4590f3de7c0af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe

Filesize
300KB

MD5
f0aaf1b673a9316c4b899ccc4e12d33e

SHA1
294b9c038264d052b3c1c6c80e8f1b109590cf36

SHA256
fcc616ecbe31fadf9c30a9baedde66d2ce7ff10c369979fe9c4f8c5f1bff3fc2

SHA512
97d149658e9e7a576dfb095d5f6d8956cb185d35f07dd8e769b3b957f92260b5de727eb2685522923d15cd70c16c596aa6354452ac851b985ab44407734b6f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test.exe

Filesize
590KB

MD5
59eab4d3e8b7c383d6e963256ce603d8

SHA1
367ac5a131bbebce102b0fc56c3f22224fe61b47

SHA256
ea8724ff42a52834a9af9c7d3fe10ac6ff1fe8064e4f1e3e519daf9396a508f0

SHA512
5b64311ae75d93b2f15452ee6ac9a39dd44bc6bee2880affb6f3e4d7a12b98224595055dd6e44d3bcdb0ff808b0aa8ed9f2097228c5ca43b1094828b796095b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\tmp.exe

Filesize
7KB

MD5
459976dc3440b9fe9614d2e7c246af02

SHA1
ea72df634719681351c66aea8b616349bf4b1cba

SHA256
d459bd8e6ababe027af56fc683181351be1d4ad230da087e742aaef5c0979811

SHA512
368d943206bb8475b218aefd9483c6bedeef53742366a7f87fe638f848c118097b99122bc6245538b92255d586c45d0de54dbd399a4c401d19fb87d5f8ecc400

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\x.exe

Filesize
40KB

MD5
f9a6811d7a9d5e06d73a68fc729ce66c

SHA1
c882143d5fde4b2e7edb5a9accb534ba17d754ef

SHA256
c583d0a367ecffa74b82b78116bbb04b7c92bed0300ed1c3adc4ef3250fbb9cc

SHA512
4dec52f0d1927306deda677fea46d103b052aaa5f7d7f49abe59a3618110ee542c2db385158a393970751fcc9687efe44a860d6330ed474c0c849369c0da56df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2069KFG18VZ1NOLUKBMT.temp

Filesize
7KB

MD5
45aa023ef3ffb9458f0c2efe414737ce

SHA1
787cfc8d81312382f4bb1cf63fbe65c595946b94

SHA256
10d5ac47ab1d611a308514da3b61b518a5aa229e9fa28fb2f6988c222ffa3393

SHA512
cff3b69f0565f91487ce8d8fc640a9cc35071d3d615907ea4f769974e7245aa815abf2615e035898f7ebccde911dc3527c34184bf334653b91934ca2a59ae08e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZYT0VJRSNPADX1FINW1A.temp

Filesize
7KB

MD5
76f174a830f7f22138ed4b79639a3a2c

SHA1
3aeb67eac7353349cdac76c96b1515a96dfe5061

SHA256
aeec8893b212595fac90187b959945ccaeb4778833d12128a9db4dfb25691afe

SHA512
06b3bc8ea96c692f5f88183a6bf479d60e869bd9c32461cd6813af83c11d72c1a80707ccb2966b0c54a822bcf0b998feab9abfc5b2503d129ee79694115bd527

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI88082\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI88082\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
517eb9e2cb671ae49f99173d7f7ce43f

SHA1
4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

SHA256
57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

SHA512
492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI88082\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
d12403ee11359259ba2b0706e5e5111c

SHA1
03cc7827a30fd1dee38665c0cc993b4b533ac138

SHA256
f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781

SHA512
9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI88082\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
\Users\Admin\AppData\Local\Temp\a\Update.exe

Filesize
302KB

MD5
2682786590a361f965fb7e07170ebe2b

SHA1
57c2c049997bfebb5fae9d99745941e192e71df1

SHA256
50dcab544d9da89056f9a7dcc28e641b743abe6afef1217ee0dfbd11e962e41d

SHA512
9b1dc6ee05a28ef2dc76b7d1ae97202cadcfafd261cf876bb64f546991311f9a36e46620cce9ae8b58bfc8e4de69840618c90a9a3cab56b6660803691c1ff6dd

Download Submit
\Users\Admin\AppData\Local\Temp\a\main.exe

Filesize
11.6MB

MD5
641d3930a194bf84385372c84605207c

SHA1
90b6790059fc9944a338af1529933d8e2825cc36

SHA256
93db434151816b6772c378f9fee5ac962ddce54458ac5dd1b16622d3a407224a

SHA512
19d676e63bd6478969a75e84c1eeb676da0ad304ef3b08014e426f5ac45678d28f74ee907dce95d1886a67336301da2e3e727bd19404775436480c893fd01b85

Download Submit
\Users\Admin\AppData\Local\Temp\a\system32.exe

Filesize
18.6MB

MD5
1aaef5ae68c230b981da07753b9f8941

SHA1
36c376f5a812492199a8cd9c69e5016ff145ef24

SHA256
71b3033574f81390983318421237ac73277410cfdd2f2f256b4c66d51b6988d6

SHA512
83852533fd0a7598e63f69ebeb29cce40f0a4bf47129d6477827a6900b46db7324c0fc433fd5abf64c040c5976e3d6574d5544669c5c45abf98945916598dcb3

Download Submit
memory/532-2264-0x00000000047F0000-0x00000000048B4000-memory.dmp

Filesize
784KB

Download
memory/532-2263-0x00000000008D0000-0x000000000096A000-memory.dmp

Filesize
616KB

Download
memory/532-4232-0x00000000049E0000-0x0000000004A36000-memory.dmp

Filesize
344KB

Download
memory/532-4233-0x0000000004A40000-0x0000000004A94000-memory.dmp

Filesize
336KB

Download
memory/1524-183-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/1524-182-0x000000001B400000-0x000000001B6E2000-memory.dmp

Filesize
2.9MB

Download
memory/1656-189-0x000000001B3D0000-0x000000001B6B2000-memory.dmp

Filesize
2.9MB

Download
memory/1656-190-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/2044-134-0x0000000000A40000-0x0000000000A50000-memory.dmp

Filesize
64KB

Download
memory/2172-209-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2172-246-0x0000000000D70000-0x0000000000E30000-memory.dmp

Filesize
768KB

Download
memory/2172-236-0x0000000000D70000-0x0000000000E30000-memory.dmp

Filesize
768KB

Download
memory/2172-234-0x0000000000D70000-0x0000000000E30000-memory.dmp

Filesize
768KB

Download
memory/2172-232-0x0000000000D70000-0x0000000000E30000-memory.dmp

Filesize
768KB

Download
memory/2172-230-0x0000000000D70000-0x0000000000E30000-memory.dmp

Filesize
768KB

Download
memory/2172-224-0x0000000000D70000-0x0000000000E30000-memory.dmp

Filesize
768KB

Download
memory/2172-222-0x0000000000D70000-0x0000000000E30000-memory.dmp

Filesize
768KB

Download
memory/2172-220-0x0000000000D70000-0x0000000000E30000-memory.dmp

Filesize
768KB

Download
memory/2172-218-0x0000000000D70000-0x0000000000E30000-memory.dmp

Filesize
768KB

Download
memory/2172-216-0x0000000000D70000-0x0000000000E30000-memory.dmp

Filesize
768KB

Download
memory/2172-272-0x0000000000D70000-0x0000000000E30000-memory.dmp

Filesize
768KB

Download
memory/2172-270-0x0000000000D70000-0x0000000000E30000-memory.dmp

Filesize
768KB

Download
memory/2172-268-0x0000000000D70000-0x0000000000E30000-memory.dmp

Filesize
768KB

Download
memory/2172-266-0x0000000000D70000-0x0000000000E30000-memory.dmp

Filesize
768KB

Download
memory/2172-264-0x0000000000D70000-0x0000000000E30000-memory.dmp

Filesize
768KB

Download
memory/2172-262-0x0000000000D70000-0x0000000000E30000-memory.dmp

Filesize
768KB

Download
memory/2172-260-0x0000000000D70000-0x0000000000E30000-memory.dmp

Filesize
768KB

Download
memory/2172-258-0x0000000000D70000-0x0000000000E30000-memory.dmp

Filesize
768KB

Download
memory/2172-2038-0x00000000008E0000-0x000000000092C000-memory.dmp

Filesize
304KB

Download
memory/2172-2037-0x0000000000FD0000-0x0000000001026000-memory.dmp

Filesize
344KB

Download
memory/2172-240-0x0000000000D70000-0x0000000000E30000-memory.dmp

Filesize
768KB

Download
memory/2172-207-0x0000000000090000-0x000000000012A000-memory.dmp

Filesize
616KB

Download
memory/2172-242-0x0000000000D70000-0x0000000000E30000-memory.dmp

Filesize
768KB

Download
memory/2172-211-0x0000000000090000-0x000000000012A000-memory.dmp

Filesize
616KB

Download
memory/2172-244-0x0000000000D70000-0x0000000000E30000-memory.dmp

Filesize
768KB

Download
memory/2172-248-0x0000000000D70000-0x0000000000E30000-memory.dmp

Filesize
768KB

Download
memory/2172-250-0x0000000000D70000-0x0000000000E30000-memory.dmp

Filesize
768KB

Download
memory/2172-252-0x0000000000D70000-0x0000000000E30000-memory.dmp

Filesize
768KB

Download
memory/2172-254-0x0000000000D70000-0x0000000000E30000-memory.dmp

Filesize
768KB

Download
memory/2172-256-0x0000000000D70000-0x0000000000E30000-memory.dmp

Filesize
768KB

Download
memory/2172-238-0x0000000000D70000-0x0000000000E30000-memory.dmp

Filesize
768KB

Download
memory/2172-228-0x0000000000D70000-0x0000000000E30000-memory.dmp

Filesize
768KB

Download
memory/2172-213-0x0000000000090000-0x000000000012A000-memory.dmp

Filesize
616KB

Download
memory/2172-226-0x0000000000D70000-0x0000000000E30000-memory.dmp

Filesize
768KB

Download
memory/2172-210-0x0000000000090000-0x000000000012A000-memory.dmp

Filesize
616KB

Download
memory/2172-215-0x0000000000D70000-0x0000000000E30000-memory.dmp

Filesize
768KB

Download
memory/2172-214-0x0000000000D70000-0x0000000000E36000-memory.dmp

Filesize
792KB

Download
memory/2304-159-0x0000000000F50000-0x0000000000F60000-memory.dmp

Filesize
64KB

Download
memory/2356-4234-0x0000000000400000-0x000000000068B000-memory.dmp

Filesize
2.5MB

Download
memory/2356-64-0x0000000000400000-0x000000000068B000-memory.dmp

Filesize
2.5MB

Download
memory/2392-2255-0x0000000000F50000-0x0000000001006000-memory.dmp

Filesize
728KB

Download
memory/2532-125-0x000007FEF6403000-0x000007FEF6404000-memory.dmp

Filesize
4KB

Download
memory/2532-0-0x000007FEF6403000-0x000007FEF6404000-memory.dmp

Filesize
4KB

Download
memory/2532-1-0x0000000000E00000-0x0000000000E08000-memory.dmp

Filesize
32KB

Download
memory/2532-2-0x000007FEF6400000-0x000007FEF6DEC000-memory.dmp

Filesize
9.9MB

Download
memory/2532-6136-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/2532-153-0x000007FEF6400000-0x000007FEF6DEC000-memory.dmp

Filesize
9.9MB

Download
memory/2888-2235-0x000007FEEF790000-0x000007FEEFBFE000-memory.dmp

Filesize
4.4MB

Download
memory/2924-4271-0x0000000000050000-0x00000000000A2000-memory.dmp

Filesize
328KB

Download
memory/4428-4240-0x0000000019E00000-0x000000001A0E2000-memory.dmp

Filesize
2.9MB

Download
memory/4428-4241-0x0000000000F70000-0x0000000000F78000-memory.dmp

Filesize
32KB

Download
memory/4680-8034-0x0000000019F50000-0x000000001A232000-memory.dmp

Filesize
2.9MB

Download
memory/4680-8035-0x0000000000FF0000-0x0000000000FF8000-memory.dmp

Filesize
32KB

Download
memory/4928-4288-0x0000000001080000-0x000000000111A000-memory.dmp

Filesize
616KB

Download
memory/4928-6159-0x0000000001030000-0x0000000001084000-memory.dmp

Filesize
336KB

Download
memory/5316-6146-0x0000000140000000-0x0000000140004278-memory.dmp

Filesize
16KB

Download
memory/6948-2245-0x00000000013E0000-0x00000000014F0000-memory.dmp

Filesize
1.1MB

Download
memory/7524-6172-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/7524-6173-0x0000000000AD0000-0x0000000000B94000-memory.dmp

Filesize
784KB

Download
memory/8492-2047-0x0000000001160000-0x00000000012FC000-memory.dmp

Filesize
1.6MB

Download
memory/8652-2059-0x0000000001210000-0x00000000013B4000-memory.dmp

Filesize
1.6MB

Download