asyncrat | 9dc800c25349a952cf4e972456f4054d6e8f8798505cc1a4fdbdb5e72ca38310

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

806DDBB70CE7CF024D8C8D7206020007B303F0FB70F67445D898517944C91A20.exe
Size

3.8MB
MD5

c1dc1d013b521ff6725e1e674da41209
SHA1

414e10310c572e8edf7a127937033e2f23e5176d
SHA256

806ddbb70ce7cf024d8c8d7206020007b303f0fb70f67445d898517944c91a20
SHA512

c03f343dd4c1cd7b22e7f953ac7778116b5aebba8f47259d4773659196e6db807054aea7156a5b412a438acecf0041f07dac9a3dbbaf13105457d08029550a36
SSDEEP

98304:HAI+n8ys9crUL7CKY+0lM4VI5I2mTcin9AUcPTLm17Vs+uy:gt8ysYUL7CJ+01VIcwORa+uy

Score

10^/10

asyncrat darkcomet quasar default netshare office15 discovery evasion execution rat spyware trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

netshare

novachrono.dyndns-ip.com:51399

Mutex

DC_MUTEX-6JFEBFK

Attributes

gencode
jJtniSTX6QWK
install
false
offline_keylogger
true
persistence
false

Extracted

Family

quasar

Version

1.4.0

Botnet

Office15

novachrono.dyndns-ip.com:51396

Mutex

f855a54f-46fa-48dc-a390-f591a2e4bd98

Attributes

encryption_key
E5D6E7988D0C5E1B3786B30C1AE84CBBC1CF4B1E
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

novachrono.dyndns-ip.com:51397

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_file
repair-win.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 15 IoCs

resource	yara_rule
behavioral1/memory/2440-103-0x0000000000400000-0x0000000000494000-memory.dmp	family_quasar
behavioral1/memory/2440-105-0x0000000000400000-0x0000000000494000-memory.dmp	family_quasar
behavioral1/memory/2440-112-0x00000000020D0000-0x0000000002154000-memory.dmp	family_quasar
behavioral1/memory/2440-193-0x0000000000400000-0x0000000000494000-memory.dmp	family_quasar
behavioral1/memory/1704-266-0x0000000000400000-0x0000000000494000-memory.dmp	family_quasar
behavioral1/memory/788-288-0x00000000004A0000-0x0000000000524000-memory.dmp	family_quasar
behavioral1/memory/788-287-0x00000000004A0000-0x0000000000524000-memory.dmp	family_quasar
behavioral1/memory/788-298-0x0000000000400000-0x0000000000494000-memory.dmp	family_quasar
behavioral1/memory/2840-314-0x0000000000380000-0x0000000000404000-memory.dmp	family_quasar
behavioral1/memory/2840-323-0x0000000000400000-0x0000000000494000-memory.dmp	family_quasar
behavioral1/memory/476-344-0x0000000000400000-0x0000000000494000-memory.dmp	family_quasar
behavioral1/memory/3044-357-0x0000000000750000-0x00000000007D4000-memory.dmp	family_quasar
behavioral1/memory/3044-366-0x0000000000400000-0x0000000000494000-memory.dmp	family_quasar
behavioral1/memory/2984-389-0x0000000000400000-0x0000000000494000-memory.dmp	family_quasar
behavioral1/memory/1752-411-0x0000000000400000-0x0000000000494000-memory.dmp	family_quasar

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2168-128-0x0000000000350000-0x0000000000362000-memory.dmp	family_asyncrat

Blocklisted process makes network request 3 IoCs

flow	pid	Process
24	2476	mshta.exe
25	2476	mshta.exe
27	1944	cscript.exe

Executes dropped EXE 36 IoCs

pid	Process
2792	data-com.exe
2692	uTorrent 3.5.5 Beta (build 45916).exe
2184	netshare x86_644.exe
2740	Office155.exe
1028	win-tooll.exe
2440	Office155.exe
2988	netshare x86_644.exe
2168	win-tooll.exe
2792	Office155.exe
1704	Office155.exe
2448	Office155.exe
788	Office155.exe
1428	Office155.exe
2840	Office155.exe
1956	Office155.exe
476	Office155.exe
2028	Office155.exe
3044	Office155.exe
1992	Office155.exe
2984	Office155.exe
1136	Office155.exe
1752	Office155.exe
3052	Office155.exe
2700	Office155.exe
1436	Office155.exe
824	Office155.exe
1868	Office155.exe
1804	Office155.exe
920	Office155.exe
1860	Office155.exe
2716	Office155.exe
2788	Office155.exe
1060	Office155.exe
1556	Office155.exe
2088	Office155.exe
2740	Office155.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	uTorrent 3.5.5 Beta (build 45916).exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	uTorrent 3.5.5 Beta (build 45916).exe

Loads dropped DLL 64 IoCs

pid	Process
2280	806DDBB70CE7CF024D8C8D7206020007B303F0FB70F67445D898517944C91A20.exe
2280	806DDBB70CE7CF024D8C8D7206020007B303F0FB70F67445D898517944C91A20.exe
2792	data-com.exe
2792	data-com.exe
2792	data-com.exe
2792	data-com.exe
2792	data-com.exe
2792	data-com.exe
2792	data-com.exe
2792	data-com.exe
2792	data-com.exe
2184	netshare x86_644.exe
2740	Office155.exe
2792	data-com.exe
2792	data-com.exe
2792	data-com.exe
2740	Office155.exe
2184	netshare x86_644.exe
1028	win-tooll.exe
1028	win-tooll.exe
2476	mshta.exe
2476	mshta.exe
2028	cmd.exe
2792	Office155.exe
2792	Office155.exe
2104	cmd.exe
2448	Office155.exe
2448	Office155.exe
1844	cmd.exe
1428	Office155.exe
1428	Office155.exe
2720	cmd.exe
1956	Office155.exe
1956	Office155.exe
1376	cmd.exe
2028	Office155.exe
2028	Office155.exe
876	cmd.exe
1992	Office155.exe
1992	Office155.exe
2216	cmd.exe
1136	Office155.exe
1136	Office155.exe
2756	cmd.exe
3052	Office155.exe
3052	Office155.exe
2868	cmd.exe
1436	Office155.exe
1436	Office155.exe
2828	cmd.exe
1868	Office155.exe
1868	Office155.exe
1992	cmd.exe
920	Office155.exe
920	Office155.exe
2880	cmd.exe
2716	Office155.exe
2716	Office155.exe
2304	cmd.exe
1060	Office155.exe
1060	Office155.exe
2484	cmd.exe
2088	Office155.exe
2088	Office155.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	ip-api.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Suspicious use of SetThreadContext 17 IoCs

description	pid	Process	procid_target
PID 2740 set thread context of 2440	2740	Office155.exe	37
PID 2184 set thread context of 2988	2184	netshare x86_644.exe	38
PID 1028 set thread context of 2168	1028	win-tooll.exe	39
PID 2792 set thread context of 1704	2792	Office155.exe	54
PID 2448 set thread context of 788	2448	Office155.exe	60
PID 1428 set thread context of 2840	1428	Office155.exe	66
PID 1956 set thread context of 476	1956	Office155.exe	72
PID 2028 set thread context of 3044	2028	Office155.exe	78
PID 1992 set thread context of 2984	1992	Office155.exe	84
PID 1136 set thread context of 1752	1136	Office155.exe	91
PID 3052 set thread context of 2700	3052	Office155.exe	97
PID 1436 set thread context of 824	1436	Office155.exe	103
PID 1868 set thread context of 1804	1868	Office155.exe	109
PID 920 set thread context of 1860	920	Office155.exe	115
PID 2716 set thread context of 2788	2716	Office155.exe	121
PID 1060 set thread context of 1556	1060	Office155.exe	127
PID 2088 set thread context of 2740	2088	Office155.exe	133

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000017570-23.dat	upx
behavioral1/memory/2692-26-0x0000000000400000-0x000000000098B000-memory.dmp	upx
behavioral1/memory/2692-213-0x0000000000400000-0x000000000098B000-memory.dmp	upx
behavioral1/memory/2692-241-0x0000000000400000-0x000000000098B000-memory.dmp	upx
behavioral1/memory/2692-270-0x0000000000400000-0x000000000098B000-memory.dmp	upx
behavioral1/memory/2692-300-0x0000000000400000-0x000000000098B000-memory.dmp	upx
behavioral1/memory/2692-325-0x0000000000400000-0x000000000098B000-memory.dmp	upx
behavioral1/memory/2692-346-0x0000000000400000-0x000000000098B000-memory.dmp	upx
behavioral1/memory/2692-368-0x0000000000400000-0x000000000098B000-memory.dmp	upx
behavioral1/memory/2692-391-0x0000000000400000-0x000000000098B000-memory.dmp	upx
behavioral1/memory/2692-412-0x0000000000400000-0x000000000098B000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\data-com.exe	806DDBB70CE7CF024D8C8D7206020007B303F0FB70F67445D898517944C91A20.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	data-com.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win-tooll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uTorrent 3.5.5 Beta (build 45916).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win-tooll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netshare x86_644.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Office155.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 17 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
892	PING.EXE
1944	cscript.exe
1580	PING.EXE
1492	PING.EXE
2720	PING.EXE
2956	PING.EXE
2928	PING.EXE
2680	PING.EXE
2324	PING.EXE
1548	PING.EXE
2608	PING.EXE
2384	PING.EXE
2180	PING.EXE
2260	PING.EXE
2384	PING.EXE
2076	PING.EXE
1952	PING.EXE

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral1/files/0x000500000001924f-59.dat	nsis_installer_1
behavioral1/files/0x000500000001924f-59.dat	nsis_installer_2
behavioral1/files/0x00090000000174b4-62.dat	nsis_installer_1
behavioral1/files/0x00090000000174b4-62.dat	nsis_installer_2
behavioral1/files/0x0005000000019261-74.dat	nsis_installer_1
behavioral1/files/0x0005000000019261-74.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\FalconBetaAccount	uTorrent 3.5.5 Beta (build 45916).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\FalconBetaAccount\remote_access_client_id = "8618899482"	uTorrent 3.5.5 Beta (build 45916).exe

Runs ping.exe 1 TTPs 16 IoCs

Remote System Discovery

T1018

pid	Process
2180	PING.EXE
2384	PING.EXE
2956	PING.EXE
1548	PING.EXE
1952	PING.EXE
2076	PING.EXE
2928	PING.EXE
1492	PING.EXE
2260	PING.EXE
1580	PING.EXE
2324	PING.EXE
2608	PING.EXE
2384	PING.EXE
892	PING.EXE
2720	PING.EXE
2680	PING.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	27	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2740	Office155.exe
2740	Office155.exe
2740	Office155.exe
2740	Office155.exe
2184	netshare x86_644.exe
2184	netshare x86_644.exe
2184	netshare x86_644.exe
2184	netshare x86_644.exe
1028	win-tooll.exe
1028	win-tooll.exe
1028	win-tooll.exe
1028	win-tooll.exe
2792	Office155.exe
2792	Office155.exe
2792	Office155.exe
2792	Office155.exe
2448	Office155.exe
2448	Office155.exe
2448	Office155.exe
2448	Office155.exe
1428	Office155.exe
1428	Office155.exe
1428	Office155.exe
1428	Office155.exe
1956	Office155.exe
1956	Office155.exe
1956	Office155.exe
1956	Office155.exe
2028	Office155.exe
2028	Office155.exe
2028	Office155.exe
2028	Office155.exe
1992	Office155.exe
1992	Office155.exe
1992	Office155.exe
1992	Office155.exe
1136	Office155.exe
1136	Office155.exe
1136	Office155.exe
1136	Office155.exe
3052	Office155.exe
3052	Office155.exe
3052	Office155.exe
3052	Office155.exe
1436	Office155.exe
1436	Office155.exe
1436	Office155.exe
1436	Office155.exe
1868	Office155.exe
1868	Office155.exe
1868	Office155.exe
1868	Office155.exe
920	Office155.exe
920	Office155.exe
920	Office155.exe
920	Office155.exe
2716	Office155.exe
2716	Office155.exe
2716	Office155.exe
2716	Office155.exe
1060	Office155.exe
1060	Office155.exe
1060	Office155.exe
1060	Office155.exe

Suspicious behavior: MapViewOfSection 17 IoCs

pid	Process
2740	Office155.exe
2184	netshare x86_644.exe
1028	win-tooll.exe
2792	Office155.exe
2448	Office155.exe
1428	Office155.exe
1956	Office155.exe
2028	Office155.exe
1992	Office155.exe
1136	Office155.exe
3052	Office155.exe
1436	Office155.exe
1868	Office155.exe
920	Office155.exe
2716	Office155.exe
1060	Office155.exe
2088	Office155.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	2692	uTorrent 3.5.5 Beta (build 45916).exe
Token: SeIncreaseQuotaPrivilege	2988	netshare x86_644.exe
Token: SeSecurityPrivilege	2988	netshare x86_644.exe
Token: SeTakeOwnershipPrivilege	2988	netshare x86_644.exe
Token: SeLoadDriverPrivilege	2988	netshare x86_644.exe
Token: SeSystemProfilePrivilege	2988	netshare x86_644.exe
Token: SeSystemtimePrivilege	2988	netshare x86_644.exe
Token: SeProfSingleProcessPrivilege	2988	netshare x86_644.exe
Token: SeIncBasePriorityPrivilege	2988	netshare x86_644.exe
Token: SeCreatePagefilePrivilege	2988	netshare x86_644.exe
Token: SeBackupPrivilege	2988	netshare x86_644.exe
Token: SeRestorePrivilege	2988	netshare x86_644.exe
Token: SeShutdownPrivilege	2988	netshare x86_644.exe
Token: SeDebugPrivilege	2988	netshare x86_644.exe
Token: SeSystemEnvironmentPrivilege	2988	netshare x86_644.exe
Token: SeChangeNotifyPrivilege	2988	netshare x86_644.exe
Token: SeRemoteShutdownPrivilege	2988	netshare x86_644.exe
Token: SeUndockPrivilege	2988	netshare x86_644.exe
Token: SeManageVolumePrivilege	2988	netshare x86_644.exe
Token: SeImpersonatePrivilege	2988	netshare x86_644.exe
Token: SeCreateGlobalPrivilege	2988	netshare x86_644.exe
Token: 33	2988	netshare x86_644.exe
Token: 34	2988	netshare x86_644.exe
Token: 35	2988	netshare x86_644.exe
Token: SeDebugPrivilege	2440	Office155.exe
Token: SeDebugPrivilege	1704	Office155.exe
Token: SeDebugPrivilege	788	Office155.exe
Token: SeDebugPrivilege	2840	Office155.exe
Token: SeDebugPrivilege	476	Office155.exe
Token: SeDebugPrivilege	3044	Office155.exe
Token: SeDebugPrivilege	2984	Office155.exe
Token: SeDebugPrivilege	1752	Office155.exe
Token: SeDebugPrivilege	2700	Office155.exe
Token: SeDebugPrivilege	824	Office155.exe
Token: SeDebugPrivilege	1804	Office155.exe
Token: SeDebugPrivilege	1860	Office155.exe
Token: SeDebugPrivilege	2788	Office155.exe
Token: SeDebugPrivilege	1556	Office155.exe
Token: SeDebugPrivilege	2740	Office155.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2988	netshare x86_644.exe
1804	Office155.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2792	2280	806DDBB70CE7CF024D8C8D7206020007B303F0FB70F67445D898517944C91A20.exe	31
PID 2280 wrote to memory of 2792	2280	806DDBB70CE7CF024D8C8D7206020007B303F0FB70F67445D898517944C91A20.exe	31
PID 2280 wrote to memory of 2792	2280	806DDBB70CE7CF024D8C8D7206020007B303F0FB70F67445D898517944C91A20.exe	31
PID 2280 wrote to memory of 2792	2280	806DDBB70CE7CF024D8C8D7206020007B303F0FB70F67445D898517944C91A20.exe	31
PID 2280 wrote to memory of 2692	2280	806DDBB70CE7CF024D8C8D7206020007B303F0FB70F67445D898517944C91A20.exe	32
PID 2280 wrote to memory of 2692	2280	806DDBB70CE7CF024D8C8D7206020007B303F0FB70F67445D898517944C91A20.exe	32
PID 2280 wrote to memory of 2692	2280	806DDBB70CE7CF024D8C8D7206020007B303F0FB70F67445D898517944C91A20.exe	32
PID 2280 wrote to memory of 2692	2280	806DDBB70CE7CF024D8C8D7206020007B303F0FB70F67445D898517944C91A20.exe	32
PID 2792 wrote to memory of 2184	2792	data-com.exe	33
PID 2792 wrote to memory of 2184	2792	data-com.exe	33
PID 2792 wrote to memory of 2184	2792	data-com.exe	33
PID 2792 wrote to memory of 2184	2792	data-com.exe	33
PID 2792 wrote to memory of 2740	2792	data-com.exe	34
PID 2792 wrote to memory of 2740	2792	data-com.exe	34
PID 2792 wrote to memory of 2740	2792	data-com.exe	34
PID 2792 wrote to memory of 2740	2792	data-com.exe	34
PID 2792 wrote to memory of 1028	2792	data-com.exe	36
PID 2792 wrote to memory of 1028	2792	data-com.exe	36
PID 2792 wrote to memory of 1028	2792	data-com.exe	36
PID 2792 wrote to memory of 1028	2792	data-com.exe	36
PID 2740 wrote to memory of 2440	2740	Office155.exe	37
PID 2740 wrote to memory of 2440	2740	Office155.exe	37
PID 2740 wrote to memory of 2440	2740	Office155.exe	37
PID 2740 wrote to memory of 2440	2740	Office155.exe	37
PID 2740 wrote to memory of 2440	2740	Office155.exe	37
PID 2184 wrote to memory of 2988	2184	netshare x86_644.exe	38
PID 2184 wrote to memory of 2988	2184	netshare x86_644.exe	38
PID 2184 wrote to memory of 2988	2184	netshare x86_644.exe	38
PID 2184 wrote to memory of 2988	2184	netshare x86_644.exe	38
PID 2184 wrote to memory of 2988	2184	netshare x86_644.exe	38
PID 1028 wrote to memory of 2168	1028	win-tooll.exe	39
PID 1028 wrote to memory of 2168	1028	win-tooll.exe	39
PID 1028 wrote to memory of 2168	1028	win-tooll.exe	39
PID 1028 wrote to memory of 2168	1028	win-tooll.exe	39
PID 1028 wrote to memory of 2168	1028	win-tooll.exe	39
PID 2440 wrote to memory of 2028	2440	Office155.exe	40
PID 2440 wrote to memory of 2028	2440	Office155.exe	40
PID 2440 wrote to memory of 2028	2440	Office155.exe	40
PID 2440 wrote to memory of 2028	2440	Office155.exe	40
PID 2692 wrote to memory of 2476	2692	uTorrent 3.5.5 Beta (build 45916).exe	42
PID 2692 wrote to memory of 2476	2692	uTorrent 3.5.5 Beta (build 45916).exe	42
PID 2692 wrote to memory of 2476	2692	uTorrent 3.5.5 Beta (build 45916).exe	42
PID 2692 wrote to memory of 2476	2692	uTorrent 3.5.5 Beta (build 45916).exe	42
PID 2028 wrote to memory of 2032	2028	cmd.exe	43
PID 2028 wrote to memory of 2032	2028	cmd.exe	43
PID 2028 wrote to memory of 2032	2028	cmd.exe	43
PID 2028 wrote to memory of 2032	2028	cmd.exe	43
PID 2028 wrote to memory of 892	2028	cmd.exe	44
PID 2028 wrote to memory of 892	2028	cmd.exe	44
PID 2028 wrote to memory of 892	2028	cmd.exe	44
PID 2028 wrote to memory of 892	2028	cmd.exe	44
PID 2476 wrote to memory of 2708	2476	mshta.exe	45
PID 2476 wrote to memory of 2708	2476	mshta.exe	45
PID 2476 wrote to memory of 2708	2476	mshta.exe	45
PID 2476 wrote to memory of 2708	2476	mshta.exe	45
PID 2476 wrote to memory of 2720	2476	mshta.exe	47
PID 2476 wrote to memory of 2720	2476	mshta.exe	47
PID 2476 wrote to memory of 2720	2476	mshta.exe	47
PID 2476 wrote to memory of 2720	2476	mshta.exe	47
PID 2476 wrote to memory of 1944	2476	mshta.exe	50
PID 2476 wrote to memory of 1944	2476	mshta.exe	50
PID 2476 wrote to memory of 1944	2476	mshta.exe	50
PID 2476 wrote to memory of 1944	2476	mshta.exe	50
PID 2028 wrote to memory of 2792	2028	cmd.exe	53

C:\Users\Admin\AppData\Local\Temp\806DDBB70CE7CF024D8C8D7206020007B303F0FB70F67445D898517944C91A20.exe
"C:\Users\Admin\AppData\Local\Temp\806DDBB70CE7CF024D8C8D7206020007B303F0FB70F67445D898517944C91A20.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Program Files (x86)\Common Files\data-com.exe
  "C:\Program Files (x86)\Common Files\data-com.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\netshare x86_644.exe
    "C:\Users\Admin\AppData\Local\Temp\netshare x86_644.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Users\Admin\AppData\Local\Temp\netshare x86_644.exe
      "C:\Users\Admin\AppData\Local\Temp\netshare x86_644.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2988
- - C:\Users\Admin\AppData\Local\Temp\Office155.exe
    "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Users\Admin\AppData\Local\Temp\Office155.exe
      "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2440
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bWY1FToFBUJk.bat" "
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2028
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2032
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:892
      - C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yNO90xgGAKG7.bat" "
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cjk4XjXdTUd2.bat" "
        11⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HE6eYneXEaeA.bat" "
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\a0dMMN90B1wd.bat" "
        17⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\o2tPAH6GEPGm.bat" "
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\E98PJORvyfEa.bat" "
        23⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nb3vH5HtrRWE.bat" "
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UlCdeTWGb543.bat" "
        29⤵
        Loads dropped DLL
        
        PID:2868
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dpObPhZ0Tbzb.bat" "
        32⤵
        Loads dropped DLL
        
        PID:2828
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xzcggGudPFyS.bat" "
        35⤵
        Loads dropped DLL
        
        PID:1992
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\91RdbSn97a7X.bat" "
        38⤵
        Loads dropped DLL
        
        PID:2880
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        39⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        39⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\P7yB2QqitKkJ.bat" "
        41⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        42⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kzYQRkMjyuoI.bat" "
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:1380
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        45⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        45⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\Office155.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Office155.exe"
        46⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Lz6wMDRO49WJ.bat" "
        47⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        48⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2384
- - C:\Users\Admin\AppData\Local\Temp\win-tooll.exe
    "C:\Users\Admin\AppData\Local\Temp\win-tooll.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1028
  - - C:\Users\Admin\AppData\Local\Temp\win-tooll.exe
      "C:\Users\Admin\AppData\Local\Temp\win-tooll.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2168
- C:\Users\Admin\AppData\Local\Temp\uTorrent 3.5.5 Beta (build 45916).exe
  "C:\Users\Admin\AppData\Local\Temp\uTorrent 3.5.5 Beta (build 45916).exe"
  2⤵
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\HYDE4D4.tmp.1735132720\HTA\index.hta?utorrent" "C:\Users\Admin\AppData\Local\Temp\uTorrent 3.5.5 Beta (build 45916).exe" /CLIENTARGS "/LAUNCHBUNDLEDURL \"http://build 45916\" /LAUNCHBUNDLEDURLTYPE \"@\"" /LOG "C:\Users\Admin\AppData\Local\Temp\HYDE4D4.tmp.1735132720\index.hta.log" /PID "2692" /CID "UHx0rRHyM8ZUrSqW" /VERSION "111850332" /BUCKET "0" /SSB "4" /COUNTRY "US" /OS "6.1" /BROWSERS "\"C:\Program Files\Mozilla Firefox\firefox.exe\",\"C:\Program Files\Google\Chrome\Application\chrome.exe\",C:\Program Files\Internet Explorer\iexplore.exe" /ARCHITECTURE "64" /LANG "en" /USERNAME "Admin" /SID "S-1-5-21-3063565911-2056067323-3330884624-1000" /CLIENT "utorrent"
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\System32\cscript.exe" "shell_scripts/check_if_cscript_is_working.js"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2708
  - - C:\Windows\SysWOW64\PING.EXE
      "C:\Windows\System32\PING.EXE" 8.8.8.8 -n 2 -w 500
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2720
  - - C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\System32\cscript.exe" shell_scripts/shell_ping_after_close.js "http://i-50.b-000.XYZ.bench.utorrent.com/e?i=50&e=eyJldmVudE5hbWUiOiJoeWRyYTEiLCJhY3Rpb24iOiJodGFiZWdpbiIsInBpZCI6IjI2OTIiLCJoIjoiVUh4MHJSSHlNOFpVclNxVyIsInYiOiIxMTE4NTAzMzIiLCJiIjo0NTkxNiwiY2wiOiJ1VG9ycmVudCIsIm9zYSI6IjY0Iiwic2xuZyI6ImVuIiwiZGIiOiJJbnRlcm5ldCBFeHBsb3JlciIsImRidiI6IjExLjAiLCJpYnIiOlt7Im5hbWUiOiJGaXJlZm94IiwidmVyc2lvbiI6IjEwNS4wIiwiZXhlTmFtZSI6ImZpcmVmb3gifSx7Im5hbWUiOiJHb29nbGUgQ2hyb21lIiwidmVyc2lvbiI6IjEwNi4wIiwiZXhlTmFtZSI6ImNocm9tZSJ9LHsibmFtZSI6IkludGVybmV0IEV4cGxvcmVyIiwidmVyc2lvbiI6IjExLjAiLCJleGVOYW1lIjoiaWV4cGxvcmUifV0sImlwIjoiMTgxLjIxNS4xNzYuODMiLCJjbiI6IlVuaXRlZCBLaW5nZG9tIiwicGFja2lkIjoiZGVmYXVsdCJ9"
      4⤵
      Blocklisted process makes network request
      System Network Configuration Discovery: Internet Connection Discovery
      PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Network Share Discovery

T1135

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\91RdbSn97a7X.bat

Filesize
206B

MD5
f382a70f18283b773dd34f35160f9c92

SHA1
74e6f0d5a767fb8f72cc0801a286360d14b10849

SHA256
f4b285bdb7bcb63f640d204aebafef86b3977f46b4ae24a8041e593cac025250

SHA512
7d2b0c154f6a15f1645c323dc8e1a0fc3bf1ae74c1927320a11047a5a07bdad3be90ce6518a586ef97d77a9a07cd4380c88d3fd587e7c6aee4535887dea5eba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\E98PJORvyfEa.bat

Filesize
206B

MD5
95fee7fcbb8131c8e912d6899897a2b4

SHA1
098ee936333cfbf3c4b72e6fb9aca4c3adbac798

SHA256
b78f4b25e31baab4944af3a3843a133d07fb270014f636cf33f75ba5216d869b

SHA512
8ad007c55f61de0d745919e44ef9835e247747740070b41db1d7de88cbe56bd5d88e53c8dba04526e6fdcf2091f63b800fd95cbab3cf733ba057d4e56040138c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HE6eYneXEaeA.bat

Filesize
206B

MD5
023bc0bb11f42f9e67ed300a26f9cb46

SHA1
510aedba4dc45e818095befaa61bdc5be01c4302

SHA256
1e54685e8cf0861959997dc9ab04d6e3bc5031fb00858c0d3f17a04fe73a550d

SHA512
3093198081e28881ad32e68dc048b211e07268944881066f4207e038dcfb31e0c1e4ca96013101e38970fcea5cd97a6b3beb42eb57244a4a8d805bc55a5d828a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYDE4D4.tmp.1735132720\HTA\i18n\en.json

Filesize
5KB

MD5
4417dbfa9fce94752a5a2dfdc823cb92

SHA1
12d2fd479d85b3f26c28351bbd0e44f06bc60597

SHA256
2381252b689d7ef2a8e1dcea6b7366c0436e70ff29e9b63f3ae34bcc5c60aaf5

SHA512
922c3e44db618cb2a77ad8ae6cceeaaecda3acf47034dcfe620cc5c352bededa6e4c983c74a05a797bcbed4f595d205f21829e3393b8994feb73f8179494a93c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYDE4D4.tmp.1735132720\HTA\images\loading.gif

Filesize
5KB

MD5
c910e2a5db424644aead18e1758c5efd

SHA1
fa58fc1a0c17db6c0eb573a0d548e544604114da

SHA256
00c62ed42795f996b5f963c69ce918c2623d72896ebb628dfd9bc800514900ce

SHA512
66d87ba337fc672f3f2fac50e2b32774b3a470b32fe5ba1a0e887bf74465e3db1375eca3cab91367bf88b2c6fbf0301e11d6f64c90dddc0c972fabeaefd37b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYDE4D4.tmp.1735132720\HTA\images\main_icon.png

Filesize
3KB

MD5
e29ae2c3347790175085244651c40d6a

SHA1
0b9a15b6791439b319496950b85ab82dc2e3e5ae

SHA256
639bccb6ed0fce165cc979a2949d211ec8f1570133d644bf042a5400c3454c21

SHA512
53287d741b18275ee35eb4c4392c452e25846748ccaf3954a57f017a6e844b25ec4a39438c6ed7b24128138b8d7239cfacf69112f9803ab9d2ee981ea97a9808

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYDE4D4.tmp.1735132720\HTA\images\main_utorrent.ico

Filesize
104KB

MD5
44d122c9473107fc36412de81418c84a

SHA1
a0072c789a9cd50ba561683c69af8602927cf4a8

SHA256
7c7279daebd88f6a34246603db9c0ecf9bbfa35ef820edd3278e5bc53f9e7680

SHA512
b4294b80edc0566744dd98a5ab3e2ac64a4ce4851192d5610ee13f12dc24947f51b7d5b5629f7bff6004d74e5a2b728913cda1b3386cf878ab7fb365490d8067

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYDE4D4.tmp.1735132720\HTA\index.hta

Filesize
522B

MD5
76903930c0ade2285f1ab1bf54be660d

SHA1
0fdd5990ca58cf6c49985ffd2075baa09cd728ce

SHA256
61acd6e7405fad348433f8de4b12ed97b42caccbcf28fe0e4ba4b4a5d2ea707e

SHA512
c66c7f9f488a0ac58fc1b7c6560edb4bc6df71a3504c2567ac54f4f89aee40a7073865e67e508baf4e055555bbc2f461d5b558a427ab6ac602b9fe0b1f9f8c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYDE4D4.tmp.1735132720\HTA\install.1735132720.zip

Filesize
743KB

MD5
b95e97108189f7babf89539f08186890

SHA1
bf8e669ff37c68d86eafd239bd82684b0bce00a0

SHA256
52bd756b898a3e7dd1c0ec8d3ef76db5f68b9fc5953ca61c493df01eec61ca12

SHA512
cca151213d0062d529d267f31af39236527399b96b019f0c6a68b68bfbcb0bbd7fa747ad24b8d7db9c900e08ed47cfbe79fdd88e1ff97e0ab7eafc5fe228c649

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYDE4D4.tmp.1735132720\HTA\scripts\common.js

Filesize
337KB

MD5
78b4d4390bff0f011ebd271c9bebeec5

SHA1
12f0f137a8173be5791187a583256894d68bea26

SHA256
2f2edf2bd12ae6c6553042c30cb73b967e9066babad5f18f5ff054e708ffd19c

SHA512
a83f8133f26fca263070b278879582268d5bc02a4bad5028f5c80517c069bdc9915b21bcdea31f4f81df04ab891e9b5858109d80e2e4421812af64ae1c12a67b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYDE4D4.tmp.1735132720\HTA\scripts\initialize.js

Filesize
1005B

MD5
2a65c76b51a2c15eebeefa662d511af9

SHA1
3c5f93d39fdd573e43c7a451836d425bc1b07a5d

SHA256
31fc706ae4bd5093aecb6a0b7f9d3b686feb284076b1122aaff978779612dc06

SHA512
85b012dca5bbdbdd929de859ae41ed817c7f1e02eae70aaaf687f9ba381f696fa7751e3f2262d48c14f49c9090f106a6bb9652962d38bb7fab93214a2466e8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYDE4D4.tmp.1735132720\HTA\scripts\install.js

Filesize
5KB

MD5
36f8dbcbdeed01079dcd0abdf481ffd7

SHA1
354d8fa00c37255d15a07a8b93f99ec2821ed1a2

SHA256
8d41b55c7626eccd4369418e4d0a1cfc2c7ca56b6424ac7b04e50ebc883837c9

SHA512
3a9ace6ed03f59599739bba74271aac5f4bdd589cbc2727285dd26fe390c8febebd9915c0d72e809e09c47f3d6ec12709acbd99c69796672775f5c0159c4a4d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYDE4D4.tmp.1735132720\HTA\shell_scripts\check_if_cscript_is_working.js

Filesize
18B

MD5
401b092610275ba2a62376598bfd9c6b

SHA1
da1173bc19dd51759f06ac21237a1e8af19d96e7

SHA256
d1b9d32702d7d7a184ab4654c204e6d385a9499fde63e0b06bda60f8077a7862

SHA512
4a6b34a572864c8648ae1d3e2fe7b3ae2caada78cac726fafe4fe840afdeac1b53ea161ef27abe82ed6843e61bf853901a2d1bdf2ec255de0c395423d1b2e865

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYDE4D4.tmp.1735132720\HTA\shell_scripts\shell_ping_after_close.js

Filesize
312B

MD5
3ba92505f8af34e948f97360767d4f8a

SHA1
997a36be9f9f5262195b24c8c99c0688086c80ee

SHA256
5e872715109b381c99aa19e2435628640505794e09a1998de7b92c2a5aea38e1

SHA512
b33d3519684e3b54e582e401c7144d4d3783ac44ee73e8d9ce2d92b2e0a091758d330d966ab7db19f7d22fe18335d3e8effc0961ff9d9c4ac147d0ec2c91e626

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYDE4D4.tmp.1735132720\HTA\styles\common.css

Filesize
99KB

MD5
8a94d780401556cceabf35058bbd4b5a

SHA1
19ee91b1629f4ccf0fca1f664405a1eee9dacc5a

SHA256
086a7e44de35a235bc258bf1107e22a7dc27932cb4d7e3ebcd1f368acc000caa

SHA512
b02fdc9b46f6fa8424660f462bb290c60c0635ad5cb9fa1b386a55d85d4368d06ae5611d355f8dc0db76477c2e332b0501e70cbbba77c45aa027e1cac59ca182

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYDE4D4.tmp.1735132720\index.hta.log

Filesize
57B

MD5
b86335c9837f4fa79617172032c534c4

SHA1
5d0698d86bca010555eb9d89daa34a6392e7b925

SHA256
f01f44413ecb26210c6c101982789ea4de5a5afaef96fef8c2d943af01f174a6

SHA512
af70ac58e6d140c1cdb54ac993eef3d60c8bd6c5a23a42a063445a184d89adcf7d13b4c180f854f2d20f3ebbed2a0abca807a2bdd25a49871f808b4f4d4df9ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lz6wMDRO49WJ.bat

Filesize
206B

MD5
9cf9ebea75209f243dc5428811e1f85a

SHA1
7079d52f372c183f9aad122193c4f1673ec713e3

SHA256
5522c3e62606ae3c01901c6976ae07f1d49b88647f6e63ec6ca3ee553c9c489c

SHA512
1ccdf9df0b9acc4d0a76647cf9763dc78eee5f0541dd1f142b71a96a5af576276d1864b9cedff2dacf461f648596e5c869eb749220fee4e65b80cefe7bc85099

Download Submit
C:\Users\Admin\AppData\Local\Temp\P7yB2QqitKkJ.bat

Filesize
206B

MD5
bc1ee63af68cd9e8a36b496479e21980

SHA1
7bd9d72a2525d0478bc99151067e4a4e61938179

SHA256
d5bb21a8386e36f301aa674cc0b112382d4ec2e7d70c5e296fba8b8f8acd47ae

SHA512
38fe45ba8187e7bbb9c49653168567f079b3c4573e30324808cc54d9d0c7733c7094bdbfad4ada47939e3e683949730b46ae90b2d45460b66f8adc48cd99d7f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\UlCdeTWGb543.bat

Filesize
206B

MD5
528b81a8a938cc935e8a62e2cf4461ad

SHA1
d575fa7bbe62786cf102f286c616a410bb9b8058

SHA256
79e5bb820d3f58854ffc8a378c25757d9b5c19aee952ecd367b8c91932d6a34c

SHA512
91a911f0fa0d034051f6d62ebb8078cba8caadc177f5dd530548e0f7b9295af2626b9a16fec948370a5a0ca27aaaf288e94d8323b98416cb09d06058ba15ea8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0dMMN90B1wd.bat

Filesize
206B

MD5
facef8893cf06036b6ce4829d3fcee17

SHA1
b04219865f2358e6d640682cab9ef44e8020cdc6

SHA256
f27ea5006fff15c728cfef58030e022a2ad209fdcddfe132a3cfafe41a9f6b21

SHA512
cd1e9fb196d4041f52dffca769cf25d88a7960a480f590c6c6d41601efad852c9bd2ab0e2741dfb2e847fdb3f90cc90f92a83470e480c3032f1f9fe0e012a355

Download Submit
C:\Users\Admin\AppData\Local\Temp\bWY1FToFBUJk.bat

Filesize
206B

MD5
97853d9c8c5927ebe6c1769db8cf6511

SHA1
5c4b1bd3ab9aad5a1570e6ee1ebc08f9f2fbb123

SHA256
f0c4fb3a68dd1c6768ec988a0c7d04b11df878b60c5982b0fc70c52db7c875e0

SHA512
9f0708fba353a97fbec8ba34c4771ebca450dc7f6858f1df19a71669703d3ed9f03c2023d6ce64673bc4fe9b8db2cbd4c982ea969a141cfdc81d6df4fbd070e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cjk4XjXdTUd2.bat

Filesize
206B

MD5
ff029683dd52a46e587f16c025aae533

SHA1
c283858b0779561a579e0bfc50b4792c666d47b9

SHA256
ba1f4d805a351991179a9f578d732a7459f09e1a507461e34e97906fbf64b604

SHA512
7ecd24003dba95ef2956430636dc3ed7e5063dcab13f5e4fc31df41007ad04f09b084b6264d8be5fc0091251486550e400c0d4e6c31e88236c8e3e6ebd31c2b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dpObPhZ0Tbzb.bat

Filesize
206B

MD5
7194874fbd828827b647c14e1549fda3

SHA1
5eca8c5e5b3f2cdb353f6a82c822dcb476696533

SHA256
7801673d889365e489345a0fd5d27d2f7ebff7bce1101306424447519c6cf58a

SHA512
989925751cbc2c1bfce789959f30313ae3517e3065db020228070282ad96edcf7e1c00e4ffd50fb3d29f9597b61f7b7adf4257f6e5fc0bf62b84bf9d19f8cd2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kzYQRkMjyuoI.bat

Filesize
206B

MD5
b9310e6467d858888127d28fa674b0e0

SHA1
4aaa5ab3f3d42c931c59c9eb1fc9eb4675c888f1

SHA256
7dd0508ce7c656080df846a7bbbf78c0f5b470513014e4b9e7b5a2d70c5aaf40

SHA512
252228d4040540c51bf9a281321a2fa89341ee44298aa6440925a50087463437394d940174b25d7bac265d60a813f50d6241956d73a67ff990e7f0244e65730a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nb3vH5HtrRWE.bat

Filesize
206B

MD5
58cb1773810f44d73d1bae6104b5b5b5

SHA1
e81d40052bd4876bce0bd36b654e7ea72b24e9a1

SHA256
403a237a49bc672b69058e4eb3b6af062d20f896ec26df0279ec57530fcdd0a4

SHA512
4c0dba48fa72e17d12f6cbc34f64529870f134c0d8e7c1b1b8f40eb6d245503b96cc996a40892e24bec90b28ae36b2a0cd9e958d6386e00a84cce29b222359f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\netshare x86_644.exe

Filesize
718KB

MD5
7443707310e3a6b120beb1e61b34d25a

SHA1
1fa6806ee6553931532cc6e2bb49e42d8655734d

SHA256
afe09a1fd24c633424b2ba1aa1df9cc80431c6f9558a48b933063fd18d055fb1

SHA512
37f673558b6d4953f807f18bf14a6a1fde7d39fa3d82c733e98809c7732d30591ac52b17dcb9a80d87418d8b797bec67fa511b1666ad18a5afb276d64f07a721

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseE7D1.tmp\7aew68vt0q.dll

Filesize
586KB

MD5
fd826e8cb4ced9c11498351c5d602c35

SHA1
81295b8b5146668e5b1e97ed414cd5807c5b83a4

SHA256
8202d16efc125121e836db33f3a71b265a87740c1407a79b2e6ba796c028a9e8

SHA512
00b2a3c2a392844680819d7106b70e586ff207de9d5c7c90290fbfba72fa4b6e9a5ac59164cc67026e7a1467c69feb2e796440078dcf48e75f61c6ece922b9ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseE9A5.tmp\t7f2wc.dll

Filesize
129KB

MD5
0e2d5c75d97e0ea879e12dacbf91a6df

SHA1
a61ffac27eca63ebb0075e842a460e80326a5092

SHA256
d40c71ea25575e573284a6763e5530cfd395b3b75a45db4cff8f7a298e84cc74

SHA512
08acde739b4e1caa22fcdfaab508d2ef3b6db78191b0f4a2cedc1d5c0a1de68fb9d8dff72b8de2e129ef011073abd18bdcbf172a99e862bca76e71c7046bab51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjE7A2.tmp\8x0pq8gq9j.dll

Filesize
669KB

MD5
2064ea94df92b42740c547aa2c610dd1

SHA1
9ad300e310ce27c2a0d94131ca182fd74edb5f62

SHA256
cd43f332905d74b8d8926ae6288888cf843666db0a5b703f2123afbd63c5f2cd

SHA512
607f19c5cc1eb57a1bb81c82aefc84761f532df08c3538140db94b06005163678199e7841e9e78cf457e289ea307f96c78507e948d6bd9137a756e7ff74d3090

Download Submit
C:\Users\Admin\AppData\Local\Temp\o2tPAH6GEPGm.bat

Filesize
206B

MD5
4758f1a348ce7652086d0aaef66d4da9

SHA1
c95ebfc01301980b4d38ffce1d5880b74556ddb4

SHA256
1ac93366c6e0dba5999541112569abcad905cffdcb94a461ebc9361767e3b2fe

SHA512
da9992576949a0db8f92fd155958cbed8d828bedcedfa5ef609218297abf8d881f3fc75f816f5dfd67fe3b084facb9c0da76cc062b13e1888d7332f40de0ea05

Download Submit
C:\Users\Admin\AppData\Local\Temp\uTorrent 3.5.5 Beta (build 45916).exe

Filesize
2.1MB

MD5
758ad638d4fc0acffbad183d5eccea99

SHA1
440b462c9d1d40ea4b0f226f458cbc0cf222a801

SHA256
d75c4115426b6cae2da95f065af3a38c93bf68169bb66f725a9cc6144a1c49db

SHA512
4e694720f0c2c061cfeff564891d7f3d6a35f2723918b9ac44330bc39879970c251e7a452e21c8479d49c856b54a267c31f929dcf287106df0e95732caf26417

Download Submit
C:\Users\Admin\AppData\Local\Temp\xzcggGudPFyS.bat

Filesize
206B

MD5
a22b98fdac1af40b4330e8ddfd764380

SHA1
3bb081b170f37723116b23cff594782ff8369339

SHA256
ba8b95d97a4868d27efe9a9087d08578d20449bd2266ad92c9d036157d22a267

SHA512
c745f15dd2e02676c0a3434d1b1eb295d97f72642bda5d879d5ef004b395ad3f3334b8c592bd281133cd8d1f1f7179ee24c8571ac93f82d5e3b2abc63d54add4

Download Submit
C:\Users\Admin\AppData\Local\Temp\yNO90xgGAKG7.bat

Filesize
206B

MD5
51b073e7ac46bc6598c9ff37bcbaea15

SHA1
d7e6285bca558cfe101d1520b6730123ea0c7b2d

SHA256
477e395086a17dfcaa2988cf8929d131e340a181b48154f0387911513848231e

SHA512
6bdaa41c36c6fec94ca65f53c3a1496a9444c0a6ea660dc9ccc5b1cdc01b30cd486038dc2ab2f19305b96a82bde57da0a9bc90d6935b7765b4fb93fdc967554b

Download Submit
\Program Files (x86)\Common Files\data-com.exe

Filesize
1.7MB

MD5
11ce0a152fdbf1997778a2a0d11200aa

SHA1
b728d7df96a888eb6b61a20d4daa4e71445bab68

SHA256
dcaf19328afff04eb26fa9d8edcbe16fe0ede4785830a6a8b66b68e9e23290f8

SHA512
5f3e889de15dddc4d77715b5a90c6db736ac045384fa03b604e9f9bf64e961d522a4ce1057fbcdf766fac7d01344c6fd1cbd2db085c9e2b8d4d7e833d579eceb

Download Submit
\Users\Admin\AppData\Local\Temp\Office155.exe

Filesize
650KB

MD5
e1719a774dafed6ca894ec6b1d0fd457

SHA1
13651637cf5477d3103410cf9829999285d9eebe

SHA256
78474b2f484a98ec6375e8389adb097afd942181fef9dfc2550f54ece30edcbf

SHA512
38ecde8ec5833c1f3ad207dfe14ff71792632b29c9ee6ea954563243020b755bc1fe8547d54eeb91bc25d7f32f204d891f6c865735af781049741efa15e1baee

Download Submit
\Users\Admin\AppData\Local\Temp\win-tooll.exe

Filesize
177KB

MD5
cb7cac7a65b31662f2116d75d65d010a

SHA1
92869d6a5a06114c2c571fe583d744708b401be4

SHA256
dfcff668b6a257948fd604e9346b570d91d8e1602d8058548d2141f0e7c5ac2b

SHA512
6cf8db0a4a54d0cd6d2c85135173cf520a1b574e111babc42d154325251bf7ef0ba2b4adaa071492adc85039e96204f6893ab7e1f7f526062bde0103869bbc4f

Download Submit
memory/476-344-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/788-288-0x00000000004A0000-0x0000000000524000-memory.dmp

Filesize
528KB

Download
memory/788-287-0x00000000004A0000-0x0000000000524000-memory.dmp

Filesize
528KB

Download
memory/788-298-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/920-486-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/920-484-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1028-120-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1028-127-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1060-529-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1136-400-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1428-313-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1436-441-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1436-444-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1704-266-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1752-411-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1868-463-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1956-335-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1992-379-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2028-356-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2088-550-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2168-126-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2168-124-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2168-243-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2168-128-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2184-83-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2184-110-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2280-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2280-25-0x0000000003C60000-0x00000000041EB000-memory.dmp

Filesize
5.5MB

Download
memory/2440-112-0x00000000020D0000-0x0000000002154000-memory.dmp

Filesize
528KB

Download
memory/2440-193-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2440-103-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2440-105-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2448-281-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2448-286-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2476-269-0x0000000007210000-0x000000000779B000-memory.dmp

Filesize
5.5MB

Download
memory/2476-211-0x0000000007210000-0x000000000779B000-memory.dmp

Filesize
5.5MB

Download
memory/2476-212-0x0000000007210000-0x000000000779B000-memory.dmp

Filesize
5.5MB

Download
memory/2692-213-0x0000000000400000-0x000000000098B000-memory.dmp

Filesize
5.5MB

Download
memory/2692-270-0x0000000000400000-0x000000000098B000-memory.dmp

Filesize
5.5MB

Download
memory/2692-325-0x0000000000400000-0x000000000098B000-memory.dmp

Filesize
5.5MB

Download
memory/2692-26-0x0000000000400000-0x000000000098B000-memory.dmp

Filesize
5.5MB

Download
memory/2692-368-0x0000000000400000-0x000000000098B000-memory.dmp

Filesize
5.5MB

Download
memory/2692-412-0x0000000000400000-0x000000000098B000-memory.dmp

Filesize
5.5MB

Download
memory/2692-300-0x0000000000400000-0x000000000098B000-memory.dmp

Filesize
5.5MB

Download
memory/2692-241-0x0000000000400000-0x000000000098B000-memory.dmp

Filesize
5.5MB

Download
memory/2692-346-0x0000000000400000-0x000000000098B000-memory.dmp

Filesize
5.5MB

Download
memory/2692-391-0x0000000000400000-0x000000000098B000-memory.dmp

Filesize
5.5MB

Download
memory/2716-507-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2716-510-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2740-91-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2740-106-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2792-253-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2840-314-0x0000000000380000-0x0000000000404000-memory.dmp

Filesize
528KB

Download
memory/2840-323-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2984-389-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2988-108-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2988-111-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2988-413-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2988-371-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2988-301-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2988-347-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2988-326-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2988-242-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2988-392-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2988-271-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2988-122-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2988-123-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3044-366-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3044-357-0x0000000000750000-0x00000000007D4000-memory.dmp

Filesize
528KB

Download
memory/3052-420-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download