asyncrat | 12fce52d084a8c7efa638c88fa2307bca7c038a49fe566ebb05533cacf17efbd

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-01-2025 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

764KB
MD5

85e3d4ac5a6ef32fb93764c090ef32b7
SHA1

adedb0aab26d15cf96f66fda8b4cfbbdcc15ef52
SHA256

4e5cc8cb98584335400d00f0a0803c3e0202761f3fbe50bcab3858a80df255e1
SHA512

a7a037bde41bcd425be18a712e27a793185f7fde638e139bbd9d253c371cd9622385eda39cf91ab715ead2591cff5b8c9f5b31d903f138d8af7bab6a9001ccab
SSDEEP

12288:6MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Ufbj:6nsJ39LyjbJkQFMhmC+6GD9mH

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

hakim32.ddns.net:2000

exchange-reasonably.gl.at.ply.gg:30620

Mutex

f41ac0c2ea25f3f8b0a75a7371d6b015

Attributes

reg_key
f41ac0c2ea25f3f8b0a75a7371d6b015
splitter
|'|'|

Extracted

Family

xworm

return-carol.gl.at.ply.gg:53275

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

1.tcp.ap.ngrok.io:21049

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
chrome.exe
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

70.34.210.80:4782

192.168.1.203:4782

Mutex

0d965223-b478-41be-af32-ad5a13d78eba

Attributes

encryption_key
EBD92C218F947CFB9F2E27885F8DFFEAE9079F05
install_name
MSWinpreference.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Skype
subdirectory
SubDir

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

69.160.242.105:4782

69.160.242.105:11066

Mutex

66661e0f-33c3-4f2f-88be-1634de535cd1

Attributes

encryption_key
CBED6820557E8011D93BA51D49F569DE8C1F98B4
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
java updater
subdirectory
SubDir

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

3.70.228.168:555

Mutex

wzchqtvtkfun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

lumma

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

https://infect-crackle.cyou/api

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/files/0x001e000000018678-402.dat	family_xworm
behavioral1/memory/1772-406-0x0000000000880000-0x000000000089A000-memory.dmp	family_xworm
behavioral1/memory/2000-473-0x0000000001260000-0x000000000127A000-memory.dmp	family_xworm
behavioral1/memory/2332-606-0x00000000001F0000-0x000000000020A000-memory.dmp	family_xworm
behavioral1/memory/2492-741-0x0000000000CB0000-0x0000000000CCA000-memory.dmp	family_xworm

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Njrat family
njrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 6 IoCs

resource	yara_rule
behavioral1/files/0x001e00000001866d-476.dat	family_quasar
behavioral1/memory/1992-480-0x0000000000ED0000-0x0000000001236000-memory.dmp	family_quasar
behavioral1/memory/2188-487-0x0000000000A10000-0x0000000000D76000-memory.dmp	family_quasar
behavioral1/memory/2104-564-0x0000000000120000-0x00000000001A4000-memory.dmp	family_quasar
behavioral1/files/0x0006000000019401-566.dat	family_quasar
behavioral1/memory/560-567-0x0000000000B50000-0x0000000000BD4000-memory.dmp	family_quasar

VenomRAT 1 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral1/memory/1108-629-0x0000000000300000-0x0000000000318000-memory.dmp	VenomRAT

Venomrat family
venomrat
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x00060000000190d6-438.dat	family_asyncrat

DCRat payload 4 IoCs

rat

resource	yara_rule
behavioral1/files/0x000200000000f6f3-653.dat	family_dcrat_v2
behavioral1/memory/1008-654-0x0000000000130000-0x00000000002CC000-memory.dmp	family_dcrat_v2
behavioral1/memory/2296-720-0x0000000000330000-0x00000000004CC000-memory.dmp	family_dcrat_v2
behavioral1/memory/2024-733-0x0000000000ED0000-0x000000000106C000-memory.dmp	family_dcrat_v2

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
896	powershell.exe
1604	powershell.exe
340	powershell.exe
1780	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1540	netsh.exe
2540	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 26 IoCs

pid	Process
828	._cache_4363463463464363463463463.exe
2804	Synaptics.exe
2900	._cache_Synaptics.exe
2060	Server1.exe
1772	XClient.exe
2544	svchost.exe
2808	Krishna33.exe
596	chrome.exe
2000	XClient.exe
1992	CollosalLoader.exe
2188	MSWinpreference.exe
2172	compiled.exe
2056	compiled.exe
896	logon.exe
2104	Client-built.exe
560	Client.exe
1380	fusca%20game.exe
2332	XClient.exe
2056	tester.exe
1928	SharpHound.exe
1108	nobody.exe
2256	tester.exe
1008	lfcdgbuksf.exe
2296	staticfile.exe
2024	staticfile.exe
2492	XClient.exe

Loads dropped DLL 40 IoCs

pid	Process
1936	4363463463464363463463463.exe
1936	4363463463464363463463463.exe
1936	4363463463464363463463463.exe
2804	Synaptics.exe
2804	Synaptics.exe
2900	._cache_Synaptics.exe
2900	._cache_Synaptics.exe
2900	._cache_Synaptics.exe
2900	._cache_Synaptics.exe
2900	._cache_Synaptics.exe
1020	cmd.exe
828	._cache_4363463463464363463463463.exe
2900	._cache_Synaptics.exe
2900	._cache_Synaptics.exe
2172	compiled.exe
2056	compiled.exe
2056	compiled.exe
2056	compiled.exe
2056	compiled.exe
2056	compiled.exe
2056	compiled.exe
2056	compiled.exe
2056	compiled.exe
2056	compiled.exe
2056	compiled.exe
2056	compiled.exe
2056	compiled.exe
2056	compiled.exe
2056	compiled.exe
2056	compiled.exe
2056	compiled.exe
828	._cache_4363463463464363463463463.exe
2900	._cache_Synaptics.exe
828	._cache_4363463463464363463463463.exe
828	._cache_4363463463464363463463463.exe
828	._cache_4363463463464363463463463.exe
2900	._cache_Synaptics.exe
2056	tester.exe
2900	._cache_Synaptics.exe
2900	._cache_Synaptics.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x00060000000190cd-411.dat	vmprotect
behavioral1/memory/2544-416-0x000000013FEC0000-0x00000001400F7000-memory.dmp	vmprotect
behavioral1/memory/2544-417-0x000000013FEC0000-0x00000001400F7000-memory.dmp	vmprotect
behavioral1/memory/2544-419-0x000000013FEC0000-0x00000001400F7000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	4363463463464363463463463.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\220fe34d4dcc4a99fe35d2fb7ce78939 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Files\\fusca%20game.exe\" .."	fusca%20game.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\220fe34d4dcc4a99fe35d2fb7ce78939 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Files\\fusca%20game.exe\" .."	fusca%20game.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
25	raw.githubusercontent.com
35	1.tcp.ap.ngrok.io
94	1.tcp.ap.ngrok.io
21	raw.githubusercontent.com
22	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
32	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\SubDir\Client.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client-built.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2056 set thread context of 2256	2056	tester.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	compiled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tester.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tester.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Krishna33.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	compiled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1324	PING.EXE
1660	PING.EXE

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1492	timeout.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies system certificate store 2 TTPs 5 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	._cache_4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	._cache_4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	._cache_Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	._cache_Synaptics.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1324	PING.EXE
1660	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1232	schtasks.exe
2232	schtasks.exe
2032	schtasks.exe
2808	schtasks.exe
1492	schtasks.exe
2696	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2792	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
896	powershell.exe
1604	powershell.exe
340	powershell.exe
1780	powershell.exe
1772	XClient.exe
2808	Krishna33.exe
2808	Krishna33.exe
2808	Krishna33.exe
1108	nobody.exe
1108	nobody.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe
1008	lfcdgbuksf.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2060	Server1.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	828	._cache_4363463463464363463463463.exe
Token: SeDebugPrivilege	2900	._cache_Synaptics.exe
Token: SeDebugPrivilege	1772	XClient.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	340	powershell.exe
Token: SeDebugPrivilege	2060	Server1.exe
Token: 33	2060	Server1.exe
Token: SeIncBasePriorityPrivilege	2060	Server1.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	1772	XClient.exe
Token: SeDebugPrivilege	2808	Krishna33.exe
Token: 33	2060	Server1.exe
Token: SeIncBasePriorityPrivilege	2060	Server1.exe
Token: SeDebugPrivilege	596	chrome.exe
Token: SeDebugPrivilege	2000	XClient.exe
Token: SeDebugPrivilege	1992	CollosalLoader.exe
Token: SeDebugPrivilege	2188	MSWinpreference.exe
Token: 33	2060	Server1.exe
Token: SeIncBasePriorityPrivilege	2060	Server1.exe
Token: 33	2060	Server1.exe
Token: SeIncBasePriorityPrivilege	2060	Server1.exe
Token: 33	2060	Server1.exe
Token: SeIncBasePriorityPrivilege	2060	Server1.exe
Token: SeDebugPrivilege	2104	Client-built.exe
Token: SeDebugPrivilege	560	Client.exe
Token: 33	2060	Server1.exe
Token: SeIncBasePriorityPrivilege	2060	Server1.exe
Token: 33	2060	Server1.exe
Token: SeIncBasePriorityPrivilege	2060	Server1.exe
Token: 33	2060	Server1.exe
Token: SeIncBasePriorityPrivilege	2060	Server1.exe
Token: 33	2060	Server1.exe
Token: SeIncBasePriorityPrivilege	2060	Server1.exe
Token: SeDebugPrivilege	1380	fusca%20game.exe
Token: 33	1380	fusca%20game.exe
Token: SeIncBasePriorityPrivilege	1380	fusca%20game.exe
Token: SeDebugPrivilege	2332	XClient.exe
Token: 33	2060	Server1.exe
Token: SeIncBasePriorityPrivilege	2060	Server1.exe
Token: SeDebugPrivilege	2056	tester.exe
Token: 33	1380	fusca%20game.exe
Token: SeIncBasePriorityPrivilege	1380	fusca%20game.exe
Token: 33	2060	Server1.exe
Token: SeIncBasePriorityPrivilege	2060	Server1.exe
Token: 33	1380	fusca%20game.exe
Token: SeIncBasePriorityPrivilege	1380	fusca%20game.exe
Token: 33	2060	Server1.exe
Token: SeIncBasePriorityPrivilege	2060	Server1.exe
Token: 33	1380	fusca%20game.exe
Token: SeIncBasePriorityPrivilege	1380	fusca%20game.exe
Token: 33	2060	Server1.exe
Token: SeIncBasePriorityPrivilege	2060	Server1.exe
Token: 33	1380	fusca%20game.exe
Token: SeIncBasePriorityPrivilege	1380	fusca%20game.exe
Token: SeDebugPrivilege	1108	nobody.exe
Token: 33	2060	Server1.exe
Token: SeIncBasePriorityPrivilege	2060	Server1.exe
Token: SeDebugPrivilege	1008	lfcdgbuksf.exe
Token: 33	1380	fusca%20game.exe
Token: SeIncBasePriorityPrivilege	1380	fusca%20game.exe
Token: 33	2060	Server1.exe
Token: SeIncBasePriorityPrivilege	2060	Server1.exe
Token: SeDebugPrivilege	2296	staticfile.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
560	Client.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
560	Client.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2792	EXCEL.EXE
1772	XClient.exe
2188	MSWinpreference.exe
560	Client.exe
1108	nobody.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 828	1936	4363463463464363463463463.exe	30
PID 1936 wrote to memory of 828	1936	4363463463464363463463463.exe	30
PID 1936 wrote to memory of 828	1936	4363463463464363463463463.exe	30
PID 1936 wrote to memory of 828	1936	4363463463464363463463463.exe	30
PID 1936 wrote to memory of 2804	1936	4363463463464363463463463.exe	32
PID 1936 wrote to memory of 2804	1936	4363463463464363463463463.exe	32
PID 1936 wrote to memory of 2804	1936	4363463463464363463463463.exe	32
PID 1936 wrote to memory of 2804	1936	4363463463464363463463463.exe	32
PID 2804 wrote to memory of 2900	2804	Synaptics.exe	33
PID 2804 wrote to memory of 2900	2804	Synaptics.exe	33
PID 2804 wrote to memory of 2900	2804	Synaptics.exe	33
PID 2804 wrote to memory of 2900	2804	Synaptics.exe	33
PID 2900 wrote to memory of 2060	2900	._cache_Synaptics.exe	37
PID 2900 wrote to memory of 2060	2900	._cache_Synaptics.exe	37
PID 2900 wrote to memory of 2060	2900	._cache_Synaptics.exe	37
PID 2900 wrote to memory of 2060	2900	._cache_Synaptics.exe	37
PID 2900 wrote to memory of 1772	2900	._cache_Synaptics.exe	39
PID 2900 wrote to memory of 1772	2900	._cache_Synaptics.exe	39
PID 2900 wrote to memory of 1772	2900	._cache_Synaptics.exe	39
PID 2900 wrote to memory of 1772	2900	._cache_Synaptics.exe	39
PID 2060 wrote to memory of 1540	2060	Server1.exe	40
PID 2060 wrote to memory of 1540	2060	Server1.exe	40
PID 2060 wrote to memory of 1540	2060	Server1.exe	40
PID 2060 wrote to memory of 1540	2060	Server1.exe	40
PID 2900 wrote to memory of 2544	2900	._cache_Synaptics.exe	43
PID 2900 wrote to memory of 2544	2900	._cache_Synaptics.exe	43
PID 2900 wrote to memory of 2544	2900	._cache_Synaptics.exe	43
PID 2900 wrote to memory of 2544	2900	._cache_Synaptics.exe	43
PID 1772 wrote to memory of 896	1772	XClient.exe	44
PID 1772 wrote to memory of 896	1772	XClient.exe	44
PID 1772 wrote to memory of 896	1772	XClient.exe	44
PID 1772 wrote to memory of 1604	1772	XClient.exe	46
PID 1772 wrote to memory of 1604	1772	XClient.exe	46
PID 1772 wrote to memory of 1604	1772	XClient.exe	46
PID 2900 wrote to memory of 2808	2900	._cache_Synaptics.exe	48
PID 2900 wrote to memory of 2808	2900	._cache_Synaptics.exe	48
PID 2900 wrote to memory of 2808	2900	._cache_Synaptics.exe	48
PID 2900 wrote to memory of 2808	2900	._cache_Synaptics.exe	48
PID 1772 wrote to memory of 340	1772	XClient.exe	49
PID 1772 wrote to memory of 340	1772	XClient.exe	49
PID 1772 wrote to memory of 340	1772	XClient.exe	49
PID 1772 wrote to memory of 1780	1772	XClient.exe	51
PID 1772 wrote to memory of 1780	1772	XClient.exe	51
PID 1772 wrote to memory of 1780	1772	XClient.exe	51
PID 1772 wrote to memory of 2696	1772	XClient.exe	53
PID 1772 wrote to memory of 2696	1772	XClient.exe	53
PID 1772 wrote to memory of 2696	1772	XClient.exe	53
PID 2808 wrote to memory of 604	2808	Krishna33.exe	56
PID 2808 wrote to memory of 604	2808	Krishna33.exe	56
PID 2808 wrote to memory of 604	2808	Krishna33.exe	56
PID 2808 wrote to memory of 604	2808	Krishna33.exe	56
PID 2808 wrote to memory of 1020	2808	Krishna33.exe	58
PID 2808 wrote to memory of 1020	2808	Krishna33.exe	58
PID 2808 wrote to memory of 1020	2808	Krishna33.exe	58
PID 2808 wrote to memory of 1020	2808	Krishna33.exe	58
PID 604 wrote to memory of 1232	604	cmd.exe	59
PID 604 wrote to memory of 1232	604	cmd.exe	59
PID 604 wrote to memory of 1232	604	cmd.exe	59
PID 604 wrote to memory of 1232	604	cmd.exe	59
PID 1020 wrote to memory of 1492	1020	cmd.exe	61
PID 1020 wrote to memory of 1492	1020	cmd.exe	61
PID 1020 wrote to memory of 1492	1020	cmd.exe	61
PID 1020 wrote to memory of 1492	1020	cmd.exe	61
PID 1020 wrote to memory of 596	1020	cmd.exe	62

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:828
- - C:\Users\Admin\AppData\Local\Temp\Files\CollosalLoader.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\CollosalLoader.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1992
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Skype" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MSWinpreference.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2232
  - - C:\Users\Admin\AppData\Roaming\SubDir\MSWinpreference.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\MSWinpreference.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2188
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Skype" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MSWinpreference.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2032
- - C:\Users\Admin\AppData\Local\Temp\Files\logon.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\logon.exe"
    3⤵
    - Executes dropped EXE
    PID:896
- - C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1380
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Files\fusca%20game.exe" "fusca%20game.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2540
- - C:\Users\Admin\AppData\Local\Temp\Files\tester.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\tester.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2056
  - - C:\Users\Admin\AppData\Local\Temp\Files\tester.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\tester.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2256
- - C:\Users\Admin\AppData\Local\Temp\Files\SharpHound.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\SharpHound.exe"
    3⤵
    - Executes dropped EXE
    PID:1928
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Users\Admin\AppData\Local\Temp\Files\Server1.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\Server1.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2060
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Files\Server1.exe" "Server1.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1540
  - - C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:2544
  - - C:\Users\Admin\AppData\Local\Temp\Files\Krishna33.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\Krishna33.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr '"C:\Users\Admin\AppData\Roaming\chrome.exe"' & exit
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:604
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr '"C:\Users\Admin\AppData\Roaming\chrome.exe"'
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1232
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD643.tmp.bat""
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1020
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1492
      - C:\Users\Admin\AppData\Roaming\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:596
  - - C:\Users\Admin\AppData\Local\Temp\Files\compiled.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\compiled.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2172
    - - C:\Users\Admin\AppData\Local\Temp\Files\compiled.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\compiled.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2056
  - - C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      PID:2104
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2808
    - - C:\Windows\system32\SubDir\Client.exe
        
        "C:\Windows\system32\SubDir\Client.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:560
      - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1492
  - - C:\Users\Admin\AppData\Local\Temp\Files\nobody.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\nobody.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1108
  - - C:\Users\Admin\AppData\Local\Temp\Files\lfcdgbuksf.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\lfcdgbuksf.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1008
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fKAG1yzOZs.bat"
        5⤵
        
        PID:1712
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1068
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1324
      - C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FVJApcqkHv.bat"
        7⤵
        
        PID:1944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1232
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\staticfile.exe
        
        "C:\Users\Admin\AppData\Local\staticfile.exe"
        8⤵
        Executes dropped EXE
        
        PID:2024

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2792

C:\Windows\system32\taskeng.exe
taskeng.exe {7AE5C633-ADC0-4037-AC75-8CDA23FDA261} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
1⤵
PID:2588
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2332
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
764KB

MD5
85e3d4ac5a6ef32fb93764c090ef32b7

SHA1
adedb0aab26d15cf96f66fda8b4cfbbdcc15ef52

SHA256
4e5cc8cb98584335400d00f0a0803c3e0202761f3fbe50bcab3858a80df255e1

SHA512
a7a037bde41bcd425be18a712e27a793185f7fde638e139bbd9d253c371cd9622385eda39cf91ab715ead2591cff5b8c9f5b31d903f138d8af7bab6a9001ccab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
867B

MD5
c5dfb849ca051355ee2dba1ac33eb028

SHA1
d69b561148f01c77c54578c10926df5b856976ad

SHA256
cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b

SHA512
88289cdd2c2dd1f5f4c13ab2cf9bc601fc634b5945309bedf9fc5b96bf21697b4cd6da2f383497825e02272816befbac4f44955282ffbbd4dd0ddc52281082da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0bd6e3a82058f2641d06b2df4cb3bdc2

SHA1
9e1fc58f0687b645cb1b1abdeab27ce7f31ecb03

SHA256
195f624a90bd67cb4940e5c249d9dded83172097b82c7bab934e743a7e313054

SHA512
599df67c177f73e72e9059db32972b4590971fffc96bfe755866874d3d549ade8f7b23eb5615a5e92d1108de4760da4a09c45328629bdfe972aaba63338182d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3de17937cc2a3b05cd5785cfb79b6e8c

SHA1
48ac1f18dda5926d0809d372feca1022470cc338

SHA256
a7acd583f3c2345cd165ccd1bef7de66595c3119783f8e4fd7e99c79beda4af0

SHA512
0332a2f7d789866a72d07ad48a75769e1d3024bbd2fc140939eb607ee5a9a7e37e848481b2bc2b05b559e0f12ede3f8c8bd9ce22d376decaf826cd09ec2e321c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fbf51033558f2b529eac3573a411274c

SHA1
1949d22b2fb8d003253322250d4ef0b59d3109b8

SHA256
3530cd389045cc63294013dbdceffece8b158a06cdb9027a32a5612a4a404e22

SHA512
31d0c47295828c0654ea118ba2a0b098c4996b83704336b6279ad38b0b40a9c97fa53e7c32dde16de3c06e92e76684daa4dd51262ee971dfc89b3e962d24da65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0725046e36b90e081c773cb6b5077e6e

SHA1
a020c1ca2555e975612e3bf9ae5db474684f5f62

SHA256
e8587b911a97e8bad879b341231778bbf551c79601767993015ee6fb99407a06

SHA512
43ccc779ced3eb04bf9af708a4db4013c02ef0a4de6e448f36eaba4492703c136922362651b23758a055a7920ebd89b64963bd20e02f1d5e659ab8691e2813c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45e5812ab809b8efac465e86fa54b2c5

SHA1
c3716e98853658084c4aca244bd1a750e301c7b4

SHA256
5c5bc50d69dbbde909e4fa917c3ca2470a517f012e5095f6cba5e35b21c1ba99

SHA512
aaeb1f9a8c1d7d7abe3688f6abbacf0e9b4414b1bc3968274cf0afa8483e3d26c9b055a5fe1a2618150783bc3f50d483797ff197aa7c8816aad20e7b0b166280

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
36dc0203768e40d266285477d753433d

SHA1
b3ec1de96b20b92903a93b7431ff9229fc03110d

SHA256
309e189c323b4e63ecf80eb80384bd1251912e75fe4502659af5ebe92620644f

SHA512
0404581b36c85a9d7fa31ed8d3f6a933076a3927151d43feb92cd7289f0841574de4af6f311a22d0be180b552453d39f971777d18588afcb20ea57251696077e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
242B

MD5
5cf17402d782b73c33481630f139544d

SHA1
de2b5a6dded429d4dda506eeac961edbd02b36c3

SHA256
2ec6e2d363329810b4972fb15f7bce08073b3543ffc093ed7b5829c73c0b8b76

SHA512
3aa79918884d02e3f7d2b4e0efdb2df9b5331089220d713dad497ce0875eaac8a23408c606de9ee31f16fa187d728edc7a3785e0c82a4856f98e81d345c96742

Download Submit
C:\Users\Admin\AppData\Local\Temp\7l1Cc3AP.xlsm

Filesize
23KB

MD5
999b85197f485b9602c4c854667470f7

SHA1
f07d3ba17577d392683e386ff653a98571bae6f6

SHA256
b428620c8cc6af4556c0cfdbf7ab014f4ab7dbf3e872ae9ac0506354da020508

SHA512
5d6f087c18e4c9ad3406ea527afa8a5cb45e2366aae5911d23fddb15cb1b4c377849309b57778009c3b69dd81e00c6f51b6b0fa73e80934c550cad1a0de8d86b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7l1Cc3AP.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA22B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Krishna33.exe

Filesize
97KB

MD5
1ebef0766160be26918574b1645c1848

SHA1
c30739eeecb96079bcf6d4f40c94e35abb230e34

SHA256
3e664b59ba376749eb9b596b6499bf7edcec5d34382ead80964f9fe92a4c3c83

SHA512
01c42bb22a92543a3408c6f420593443357a53915937341b5eaf8563ee775dbdeba7af38e2df9c9cf249a512a5a42c65c4c4d39d100e8a4143e58fd235b85951

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\lfcdgbuksf.exe

Filesize
1.6MB

MD5
8c6e4c86c216b898f24ff14b417c4369

SHA1
266e7d01ba11cd7914451c798199596f4d2f7b53

SHA256
858fff104da670b640eff2a93b7fa4b794ae554c30a409864d00f3b7ecc1e09f

SHA512
3f6416bf0b7989b522d399e151cc755783b9b7afe9cde559f8207fad6c043e24f85b22c3a583329e1620e862c7824249c536209b6be5e093a2b580c2fc52f660

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA24D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21722\Crypto.Cipher._DES.pyd

Filesize
53KB

MD5
3ea65a7a907fa6b93a8225a9d212e078

SHA1
cd0818a429eef3d2a02c9f402fea9b08dba9ccde

SHA256
9ba3544a6d4bc02634895b758a7485646d8fd4af3efa8e4b459dec8d5cb0d428

SHA512
0f5b6c45bfff1cc4f72e2fae914094b9b80bdaf5e3a2e4903bee6c1b8b1b830f43768c3e2b778ce16a41535c120a8562400db88027165d8a0c36a15a60614133

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21722\python27.dll

Filesize
2.3MB

MD5
676fc65e4a49a525df0ecde3596f3ae5

SHA1
e125975958b08207be081e94ca1674fec0bcec98

SHA256
c9192fe69d7eef69b1e27e630ae643dcb0838b7bc0ac43e69a979f5a726256c1

SHA512
3a4dde17cbe3eb60c5ce6f3bc58c24769835c9fcef091df5883b47e058516b15be2dc28a49e3a360ee3e5da8e4c6845cbcfc05e0042ae2d592efc13778a23c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD643.tmp.bat

Filesize
150B

MD5
b41d395653bc2769c0c12c1b9ebc1b7d

SHA1
d3faf27f307777d7d337ba2598745592ac46c0c8

SHA256
0ee199b3265b8a12bfa26967095ae4698fc32de1dfb83c1efe1a48623aaa90d9

SHA512
45058a09a2db4faa5edfc113f98e9df880e1e3ebb09e3ede142248ec5dfd52fbb7ec4e50d66be055ac453a2a1162b55b542bc1dc87e71e741d63355a3cf068eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d7e42c410b6f2fcfefa371bd94b5bbd0

SHA1
5217ca59fc7310e4616644b0eb73415b4306a53d

SHA256
c993e065e2a3b24c4152d534d72629360ef29862094431d1495d144f965c6779

SHA512
b03ff999162df9d85b063343e9e578efe5f7a1faca6e5ef3bc9746684b6d3b363e2d83529905018a704df904eb4972a75fe1b2526f165833adb2c29d664cf2b0

Download Submit
C:\Windows\System32\SubDir\Client.exe

Filesize
502KB

MD5
05aa0a6d16f1dabf72b4c880a5d357d0

SHA1
4a3ebaa010ba5306cd09c07eb26bbe99ff46496f

SHA256
fdba9e9d51c62d59de744a179a50ce9f5838af549f30f5b87c8175dace024fee

SHA512
931a147bf27a8a14db99b8f6480dddfa2bd1e0b4aaa59092552ef93e9f93adddbcb71d7d9c7a1f45f7854e32d16555dc7f3be701a2df9578a9e99349e972758a

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe

Filesize
10KB

MD5
2a94f3960c58c6e70826495f76d00b85

SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

Download Submit
\Users\Admin\AppData\Local\Temp\Files\CollosalLoader.exe

Filesize
3.4MB

MD5
9a1361570008e75a9a8c6c93b8ea9a68

SHA1
66852a8ff188d2003cb0a5c5b3b6d7659719c18c

SHA256
516e463e2ea077d24cf12f4e3d8a886b99948497cb2eb1fe9a73ca0d61eea32e

SHA512
88c39ba29172e236eaa32c1ac531975dc952d36556b7f3d3eb2faa3c9ffe0a39f7f3e4b2a1ae22664f86df41fddef5046d9ded2b522bd9848e5aaa58170889d5

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Server1.exe

Filesize
93KB

MD5
71b3810a22e1b51e8b88cd63b5e23ba0

SHA1
7ac4ab80301dcabcc97ec68093ed775d148946de

SHA256
57bf3ab110dc44c56ed5a53b02b8c9ccc24054cf9c9a5aacc72f71a992138a3f

SHA512
85ddc05305902ed668981b2c33bab16f8e5a5d9db9ff1cee4d4a06c917075e7d59776bebfb3a3128ec4432db63f07c593af6f4907a5b75c9027f1bc9538612e8

Download Submit
\Users\Admin\AppData\Local\Temp\Files\XClient.exe

Filesize
75KB

MD5
f217cb6a9ff0f633c6915721c34d76b1

SHA1
733e92b6d6306621d61b22caf2945ff0b6fa7204

SHA256
1bf088679098e14b781ae20796e29aedba5dda2e4aa1d4cf846712b238f0bd57

SHA512
ee94af9fa9bfb10fc6c1fe5a5e18f238ad35b726a18dce461d921f46000e58b98bcf82c04639ab329f144e92179dfc3bebb149ec3321ffbaefcbd5b1916531c3

Download Submit
\Users\Admin\AppData\Local\Temp\Files\compiled.exe

Filesize
4.6MB

MD5
333e51675c05499cfadd3d5588f0f4ca

SHA1
aca16eda7f33dfb85bed885e2437a8987d7a09e4

SHA256
cdc184f53927538be9c65604552977077e645e7e2d1e491ae357f15c14a78407

SHA512
5c0a9609be977c5ee3561516791437afca6159d82955dc23ede5e6376f66df98d0e2d74f068ad2f350115cddf978450dfc17d0f97493a8128336e76a724ad335

Download Submit
\Users\Admin\AppData\Local\Temp\Files\svchost.exe

Filesize
1.1MB

MD5
8911e8d889f59b52df80729faac2c99c

SHA1
31b87d601a3c5c518d82abb8324a53fe8fe89ea1

SHA256
8d0c2f35092d606d015bd250b534b670857b0dba8004a4e7588482dd257c9342

SHA512
029fd7b8b8b03a174cdc1c52d12e4cf925161d6201bbe14888147a396cd0ba463fd586d49daf90ec00e88d75d290abfeb0bb7482816b8a746e9c5ce58e464bcf

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21722\Crypto.Cipher._ARC4.pyd

Filesize
8KB

MD5
fe57b01d7dbb04bf98681b8931fffaf1

SHA1
857bc955ab973a5d46785fc0091e656995dfc220

SHA256
cf327b3ba51174172233a897e325198b1e3b72b2f4420cb58b53f586fb76bfa6

SHA512
964ba77ae7a0d6bbde7c1514f704252feedc550b98f95ae66f289b6b6bb43182cc7b38893beb9f976f0abed1a16837c8d994f47af306b086d9aff0ea3991e0d5

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21722\_hashlib.pyd

Filesize
698KB

MD5
3c58062b89379f2d29a12bffd3d01af8

SHA1
0e0cf91da17d972f02a4983e7dc67142d89b2f4e

SHA256
706beba9f66b1422ac45f35e9094846f1e6e76cf1120fcab0835ea6be4236b61

SHA512
54cf110b88fa2ee2d69a03952776cf1a3022ab3d340aa71bc79e90725262f2c946cf5bcc719756b483a5dfacf38ba5dca09efc39cbb8a400165efe140ab2fcd4

Download Submit
memory/560-567-0x0000000000B50000-0x0000000000BD4000-memory.dmp

Filesize
528KB

Download
memory/596-467-0x0000000000CB0000-0x0000000000CCE000-memory.dmp

Filesize
120KB

Download
memory/828-408-0x000000007369E000-0x000000007369F000-memory.dmp

Filesize
4KB

Download
memory/828-557-0x0000000004D80000-0x0000000004DB5000-memory.dmp

Filesize
212KB

Download
memory/828-719-0x0000000004D80000-0x0000000004DB5000-memory.dmp

Filesize
212KB

Download
memory/828-18-0x000000007369E000-0x000000007369F000-memory.dmp

Filesize
4KB

Download
memory/828-19-0x0000000001360000-0x0000000001368000-memory.dmp

Filesize
32KB

Download
memory/896-424-0x000000001B440000-0x000000001B722000-memory.dmp

Filesize
2.9MB

Download
memory/896-558-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/896-425-0x0000000002710000-0x0000000002718000-memory.dmp

Filesize
32KB

Download
memory/896-560-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1008-663-0x0000000002050000-0x0000000002062000-memory.dmp

Filesize
72KB

Download
memory/1008-665-0x00000000020D0000-0x000000000212A000-memory.dmp

Filesize
360KB

Download
memory/1008-659-0x0000000000A90000-0x0000000000AA8000-memory.dmp

Filesize
96KB

Download
memory/1008-657-0x00000000008B0000-0x00000000008CC000-memory.dmp

Filesize
112KB

Download
memory/1008-656-0x0000000000630000-0x000000000064C000-memory.dmp

Filesize
112KB

Download
memory/1008-654-0x0000000000130000-0x00000000002CC000-memory.dmp

Filesize
1.6MB

Download
memory/1008-661-0x0000000000AB0000-0x0000000000AC6000-memory.dmp

Filesize
88KB

Download
memory/1008-669-0x00000000021C0000-0x000000000220E000-memory.dmp

Filesize
312KB

Download
memory/1008-667-0x0000000000680000-0x000000000068E000-memory.dmp

Filesize
56KB

Download
memory/1108-629-0x0000000000300000-0x0000000000318000-memory.dmp

Filesize
96KB

Download
memory/1604-431-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

Filesize
2.9MB

Download
memory/1604-432-0x0000000001D70000-0x0000000001D78000-memory.dmp

Filesize
32KB

Download
memory/1772-406-0x0000000000880000-0x000000000089A000-memory.dmp

Filesize
104KB

Download
memory/1928-619-0x0000000000440000-0x0000000000450000-memory.dmp

Filesize
64KB

Download
memory/1928-617-0x0000000000A40000-0x0000000000B44000-memory.dmp

Filesize
1.0MB

Download
memory/1928-618-0x0000000000480000-0x00000000004BC000-memory.dmp

Filesize
240KB

Download
memory/1928-620-0x0000000000700000-0x0000000000730000-memory.dmp

Filesize
192KB

Download
memory/1928-621-0x00000000021A0000-0x0000000002250000-memory.dmp

Filesize
704KB

Download
memory/1936-28-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1936-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1992-480-0x0000000000ED0000-0x0000000001236000-memory.dmp

Filesize
3.4MB

Download
memory/2000-473-0x0000000001260000-0x000000000127A000-memory.dmp

Filesize
104KB

Download
memory/2024-733-0x0000000000ED0000-0x000000000106C000-memory.dmp

Filesize
1.6MB

Download
memory/2056-631-0x00000000058B0000-0x0000000005A12000-memory.dmp

Filesize
1.4MB

Download
memory/2056-632-0x0000000000760000-0x0000000000782000-memory.dmp

Filesize
136KB

Download
memory/2056-612-0x0000000000C10000-0x0000000000FDE000-memory.dmp

Filesize
3.8MB

Download
memory/2056-537-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/2104-564-0x0000000000120000-0x00000000001A4000-memory.dmp

Filesize
528KB

Download
memory/2188-487-0x0000000000A10000-0x0000000000D76000-memory.dmp

Filesize
3.4MB

Download
memory/2256-639-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2256-643-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2256-647-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2256-646-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2256-645-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2256-635-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2256-634-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2256-637-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2256-641-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2296-720-0x0000000000330000-0x00000000004CC000-memory.dmp

Filesize
1.6MB

Download
memory/2332-606-0x00000000001F0000-0x000000000020A000-memory.dmp

Filesize
104KB

Download
memory/2492-741-0x0000000000CB0000-0x0000000000CCA000-memory.dmp

Filesize
104KB

Download
memory/2544-419-0x000000013FEC0000-0x00000001400F7000-memory.dmp

Filesize
2.2MB

Download
memory/2544-416-0x000000013FEC0000-0x00000001400F7000-memory.dmp

Filesize
2.2MB

Download
memory/2544-417-0x000000013FEC0000-0x00000001400F7000-memory.dmp

Filesize
2.2MB

Download
memory/2792-52-0x0000000000800000-0x0000000000900000-memory.dmp

Filesize
1024KB

Download
memory/2792-45-0x0000000000800000-0x0000000000900000-memory.dmp

Filesize
1024KB

Download
memory/2792-58-0x0000000000800000-0x0000000000900000-memory.dmp

Filesize
1024KB

Download
memory/2792-57-0x0000000000800000-0x0000000000900000-memory.dmp

Filesize
1024KB

Download
memory/2792-62-0x0000000000800000-0x0000000000900000-memory.dmp

Filesize
1024KB

Download
memory/2792-55-0x0000000000800000-0x0000000000900000-memory.dmp

Filesize
1024KB

Download
memory/2792-50-0x0000000000800000-0x0000000000900000-memory.dmp

Filesize
1024KB

Download
memory/2792-60-0x0000000000800000-0x0000000000900000-memory.dmp

Filesize
1024KB

Download
memory/2792-63-0x0000000000800000-0x0000000000900000-memory.dmp

Filesize
1024KB

Download
memory/2792-65-0x0000000000800000-0x0000000000900000-memory.dmp

Filesize
1024KB

Download
memory/2792-40-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2792-48-0x0000000000800000-0x0000000000900000-memory.dmp

Filesize
1024KB

Download
memory/2792-47-0x0000000000800000-0x0000000000900000-memory.dmp

Filesize
1024KB

Download
memory/2792-59-0x0000000000800000-0x0000000000900000-memory.dmp

Filesize
1024KB

Download
memory/2792-46-0x0000000000800000-0x0000000000900000-memory.dmp

Filesize
1024KB

Download
memory/2792-56-0x0000000000800000-0x0000000000900000-memory.dmp

Filesize
1024KB

Download
memory/2792-64-0x0000000000800000-0x0000000000900000-memory.dmp

Filesize
1024KB

Download
memory/2792-66-0x0000000000800000-0x0000000000900000-memory.dmp

Filesize
1024KB

Download
memory/2792-51-0x0000000000800000-0x0000000000900000-memory.dmp

Filesize
1024KB

Download
memory/2792-61-0x0000000000800000-0x0000000000900000-memory.dmp

Filesize
1024KB

Download
memory/2792-53-0x0000000000800000-0x0000000000900000-memory.dmp

Filesize
1024KB

Download
memory/2792-54-0x0000000000800000-0x0000000000900000-memory.dmp

Filesize
1024KB

Download
memory/2792-43-0x0000000000800000-0x0000000000900000-memory.dmp

Filesize
1024KB

Download
memory/2792-44-0x0000000000800000-0x0000000000900000-memory.dmp

Filesize
1024KB

Download
memory/2792-49-0x0000000000800000-0x0000000000900000-memory.dmp

Filesize
1024KB

Download
memory/2804-468-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2804-599-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2804-407-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2808-440-0x0000000000CF0000-0x0000000000D0E000-memory.dmp

Filesize
120KB

Download
memory/2900-39-0x0000000000B10000-0x0000000000B18000-memory.dmp

Filesize
32KB

Download
memory/2900-469-0x00000000068A0000-0x0000000006AD7000-memory.dmp

Filesize
2.2MB

Download
memory/2900-415-0x00000000068A0000-0x0000000006AD7000-memory.dmp

Filesize
2.2MB

Download