gurcu | 12fce52d084a8c7efa638c88fa2307bca7c038a49fe566ebb05533cacf17efbd

Resubmissions

21-01-2025 02:07

250121-cjzbwa1jhp 10

20-01-2025 18:36

250120-w88fmasqfy 10

20-01-2025 18:27

250120-w3q96asnh1 10

Analysis

max time kernel
150s
max time network
156s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
20-01-2025 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

764KB
MD5

85e3d4ac5a6ef32fb93764c090ef32b7
SHA1

adedb0aab26d15cf96f66fda8b4cfbbdcc15ef52
SHA256

4e5cc8cb98584335400d00f0a0803c3e0202761f3fbe50bcab3858a80df255e1
SHA512

a7a037bde41bcd425be18a712e27a793185f7fde638e139bbd9d253c371cd9622385eda39cf91ab715ead2591cff5b8c9f5b31d903f138d8af7bab6a9001ccab
SSDEEP

12288:6MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Ufbj:6nsJ39LyjbJkQFMhmC+6GD9mH

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

vidar

Version

11.8

Botnet

41d35cbb974bc2d1287dcd4381b4a2a8

https://t.me/fu4chmo

https://steamcommunity.com/profiles/76561199802540894

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Extracted

Family

quasar

Version

1.4.1

Botnet

ZJEB

VIPEEK1990-25013.portmap.host:25013

Mutex

ad21b115-2c1b-40cb-adba-a50736b76c21

Attributes

encryption_key
3EBA8BC34FA983893A9B07B831E7CEB183F7492D
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Security Service
subdirectory
SubDir

Extracted

Family

xworm

Version

5.0

lohoainam2008-36048.portmap.io:36048

Attributes

Install_directory
%AppData%
install_file
Setup.exe
telegram
https://api.telegram.org/bot6189190228:AAF5CGiKGC5p4mkyZfTy1Lp5BrZMWsKu-pk/sendMessage?chat_id=5666777098

Extracted

Family

remcos

Botnet

Crypt

185.225.73.67:1050

Attributes

audio_folder
576ruythg6534trewf
audio_path
%WinDir%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
76y5trfed675ytg.exe
copy_folder
kjhgfdc
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
654ytrf654trf654ytgref.dat
keylog_flag
false
keylog_folder
67yrtg564tr6754yter
mouse_option
false
mutex
89765y4tergfw6587ryute-80UMP1
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
67y4htergf65trgewfd654tyrfg
screenshot_path
%Temp%
screenshot_time
10
startup_value
6754ytr756ytr7654yretg8765uyt
take_screenshot_option
true
take_screenshot_time
5
take_screenshot_title
bank

Extracted

Family

gurcu

https://api.telegram.org/bot6189190228:AAF5CGiKGC5p4mkyZfTy1Lp5BrZMWsKu-pk/sendMessage?chat_id=5666777098

Signatures

Detect Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral2/files/0x0002000000025cf5-383.dat	family_vidar_v7
behavioral2/memory/3804-391-0x0000000000A10000-0x0000000000C69000-memory.dmp	family_vidar_v7
behavioral2/memory/3804-421-0x0000000000A10000-0x0000000000C69000-memory.dmp	family_vidar_v7

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0003000000025cc7-469.dat	family_xworm
behavioral2/memory/3712-476-0x00000000001D0000-0x00000000001EA000-memory.dmp	family_xworm

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0006000000025bf9-458.dat	family_quasar
behavioral2/memory/760-464-0x0000000000F90000-0x00000000012B4000-memory.dmp	family_quasar

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

UAC bypass 3 TTPs 3 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3452	powershell.exe
2608	powershell.exe
3392	powershell.exe
3556	powershell.exe
4868	powershell.exe
3240	powershell.exe
1872	powershell.exe
2312	powershell.exe
1028	powershell.exe
2200	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 3 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
992	netsh.exe
420	netsh.exe
4224	netsh.exe

Drops startup file 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup.lnk	XClient.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\031d13bbbb63d50987953ffedfddbc61Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\031d13bbbb63d50987953ffedfddbc61Windows Update.exe	server.exe

Executes dropped EXE 23 IoCs

pid	Process
2540	._cache_4363463463464363463463463.exe
5080	Synaptics.exe
2412	._cache_Synaptics.exe
4356	testingg.exe
572	server.exe
4848	TikTokDesktop18.exe
3804	DverxU0PaY.exe
2340	shell.exe
1984	Wallet-PrivateKey.Pdf.exe
2368	svchost.exe
2672	SecurityHealthHost.exe
760	seksiak.exe
3712	XClient.exe
2212	seksiak.exe
4152	NOTallowedtocrypt.exe
4784	seksiak.exe
3744	76y5trfed675ytg.exe
3688	seksiak.exe
2000	seksiak.exe
1880	Setup.exe
4792	seksiak.exe
3508	seksiak.exe
2936	seksiak.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\6754ytr756ytr7654yretg8765uyt = "\"C:\\Users\\Admin\\AppData\\Roaming\\kjhgfdc\\76y5trfed675ytg.exe\""	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6754ytr756ytr7654yretg8765uyt = "\"C:\\Users\\Admin\\AppData\\Roaming\\kjhgfdc\\76y5trfed675ytg.exe\""	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	4363463463464363463463463.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\Setup = "C:\\Users\\Admin\\AppData\\Roaming\\Setup.exe"	XClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\6754ytr756ytr7654yretg8765uyt = "\"C:\\Users\\Admin\\AppData\\Roaming\\kjhgfdc\\76y5trfed675ytg.exe\""	NOTallowedtocrypt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6754ytr756ytr7654yretg8765uyt = "\"C:\\Users\\Admin\\AppData\\Roaming\\kjhgfdc\\76y5trfed675ytg.exe\""	NOTallowedtocrypt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\6754ytr756ytr7654yretg8765uyt = "\"C:\\Users\\Admin\\AppData\\Roaming\\kjhgfdc\\76y5trfed675ytg.exe\""	76y5trfed675ytg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6754ytr756ytr7654yretg8765uyt = "\"C:\\Users\\Admin\\AppData\\Roaming\\kjhgfdc\\76y5trfed675ytg.exe\""	76y5trfed675ytg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
7	raw.githubusercontent.com
24	raw.githubusercontent.com
45	raw.githubusercontent.com
46	raw.githubusercontent.com
48	raw.githubusercontent.com
1	raw.githubusercontent.com
39	raw.githubusercontent.com
42	raw.githubusercontent.com
43	raw.githubusercontent.com
44	raw.githubusercontent.com
47	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svchost.exe.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.exe	server.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3744 set thread context of 484	3744	76y5trfed675ytg.exe	149
PID 484 set thread context of 1400	484	iexplore.exe	153

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\svchost.exe.exe	server.exe
File opened for modification	C:\Program Files (x86)\svchost.exe.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TikTokDesktop18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	testingg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DverxU0PaY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wallet-PrivateKey.Pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTallowedtocrypt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76y5trfed675ytg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 8 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4640	PING.EXE
4444	PING.EXE
3788	PING.EXE
4872	PING.EXE
1608	PING.EXE
3488	PING.EXE
3364	PING.EXE
1996	PING.EXE

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DverxU0PaY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	DverxU0PaY.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
1848	timeout.exe
4640	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
2972	taskkill.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	NOTallowedtocrypt.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
4864	reg.exe
2604	reg.exe
2272	reg.exe

Runs ping.exe 1 TTPs 8 IoCs

Remote System Discovery

T1018

pid	Process
3488	PING.EXE
3364	PING.EXE
1996	PING.EXE
4640	PING.EXE
4444	PING.EXE
3788	PING.EXE
4872	PING.EXE
1608	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
752	schtasks.exe
1752	schtasks.exe
2088	schtasks.exe
4936	schtasks.exe
5064	schtasks.exe
404	schtasks.exe
1872	schtasks.exe
3504	schtasks.exe
4912	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1576	EXCEL.EXE
3712	XClient.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2608	powershell.exe
2608	powershell.exe
3392	powershell.exe
3392	powershell.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe
572	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
572	server.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3744	76y5trfed675ytg.exe
484	iexplore.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	._cache_4363463463464363463463463.exe
Token: SeDebugPrivilege	2412	._cache_Synaptics.exe
Token: SeDebugPrivilege	4848	TikTokDesktop18.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	3392	powershell.exe
Token: SeDebugPrivilege	572	server.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	3556	powershell.exe
Token: 33	572	server.exe
Token: SeIncBasePriorityPrivilege	572	server.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	3240	powershell.exe
Token: 33	572	server.exe
Token: SeIncBasePriorityPrivilege	572	server.exe
Token: 33	572	server.exe
Token: SeIncBasePriorityPrivilege	572	server.exe
Token: 33	572	server.exe
Token: SeIncBasePriorityPrivilege	572	server.exe
Token: SeDebugPrivilege	1984	Wallet-PrivateKey.Pdf.exe
Token: 33	572	server.exe
Token: SeIncBasePriorityPrivilege	572	server.exe
Token: SeDebugPrivilege	2368	svchost.exe
Token: SeDebugPrivilege	2672	SecurityHealthHost.exe
Token: SeDebugPrivilege	2972	taskkill.exe
Token: 33	572	server.exe
Token: SeIncBasePriorityPrivilege	572	server.exe
Token: 33	572	server.exe
Token: SeIncBasePriorityPrivilege	572	server.exe
Token: SeDebugPrivilege	760	seksiak.exe
Token: SeDebugPrivilege	3712	XClient.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: 33	572	server.exe
Token: SeIncBasePriorityPrivilege	572	server.exe
Token: SeDebugPrivilege	3452	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	3712	XClient.exe
Token: SeDebugPrivilege	2212	seksiak.exe
Token: 33	572	server.exe
Token: SeIncBasePriorityPrivilege	572	server.exe
Token: 33	572	server.exe
Token: SeIncBasePriorityPrivilege	572	server.exe
Token: SeDebugPrivilege	4784	seksiak.exe
Token: 33	5112	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5112	AUDIODG.EXE
Token: 33	572	server.exe
Token: SeIncBasePriorityPrivilege	572	server.exe
Token: SeDebugPrivilege	3688	seksiak.exe
Token: 33	572	server.exe
Token: SeIncBasePriorityPrivilege	572	server.exe
Token: SeDebugPrivilege	2000	seksiak.exe
Token: 33	572	server.exe
Token: SeIncBasePriorityPrivilege	572	server.exe
Token: SeDebugPrivilege	1880	Setup.exe
Token: SeDebugPrivilege	4792	seksiak.exe
Token: 33	572	server.exe
Token: SeIncBasePriorityPrivilege	572	server.exe
Token: 33	572	server.exe
Token: SeIncBasePriorityPrivilege	572	server.exe
Token: SeDebugPrivilege	3508	seksiak.exe
Token: 33	572	server.exe
Token: SeIncBasePriorityPrivilege	572	server.exe
Token: SeDebugPrivilege	2936	seksiak.exe
Token: 33	572	server.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1576	EXCEL.EXE
1576	EXCEL.EXE
1576	EXCEL.EXE
1576	EXCEL.EXE
760	seksiak.exe
3712	XClient.exe
2212	seksiak.exe
484	iexplore.exe
3688	seksiak.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 2540	1352	4363463463464363463463463.exe	77
PID 1352 wrote to memory of 2540	1352	4363463463464363463463463.exe	77
PID 1352 wrote to memory of 2540	1352	4363463463464363463463463.exe	77
PID 1352 wrote to memory of 5080	1352	4363463463464363463463463.exe	79
PID 1352 wrote to memory of 5080	1352	4363463463464363463463463.exe	79
PID 1352 wrote to memory of 5080	1352	4363463463464363463463463.exe	79
PID 5080 wrote to memory of 2412	5080	Synaptics.exe	80
PID 5080 wrote to memory of 2412	5080	Synaptics.exe	80
PID 5080 wrote to memory of 2412	5080	Synaptics.exe	80
PID 2412 wrote to memory of 4356	2412	._cache_Synaptics.exe	82
PID 2412 wrote to memory of 4356	2412	._cache_Synaptics.exe	82
PID 2412 wrote to memory of 4356	2412	._cache_Synaptics.exe	82
PID 4356 wrote to memory of 572	4356	testingg.exe	83
PID 4356 wrote to memory of 572	4356	testingg.exe	83
PID 4356 wrote to memory of 572	4356	testingg.exe	83
PID 2540 wrote to memory of 4848	2540	._cache_4363463463464363463463463.exe	84
PID 2540 wrote to memory of 4848	2540	._cache_4363463463464363463463463.exe	84
PID 2540 wrote to memory of 4848	2540	._cache_4363463463464363463463463.exe	84
PID 4848 wrote to memory of 2608	4848	TikTokDesktop18.exe	86
PID 4848 wrote to memory of 2608	4848	TikTokDesktop18.exe	86
PID 4848 wrote to memory of 2608	4848	TikTokDesktop18.exe	86
PID 572 wrote to memory of 992	572	server.exe	88
PID 572 wrote to memory of 992	572	server.exe	88
PID 572 wrote to memory of 992	572	server.exe	88
PID 2608 wrote to memory of 3392	2608	powershell.exe	90
PID 2608 wrote to memory of 3392	2608	powershell.exe	90
PID 2608 wrote to memory of 3392	2608	powershell.exe	90
PID 572 wrote to memory of 4224	572	server.exe	91
PID 572 wrote to memory of 4224	572	server.exe	91
PID 572 wrote to memory of 4224	572	server.exe	91
PID 572 wrote to memory of 420	572	server.exe	92
PID 572 wrote to memory of 420	572	server.exe	92
PID 572 wrote to memory of 420	572	server.exe	92
PID 4848 wrote to memory of 1028	4848	TikTokDesktop18.exe	96
PID 4848 wrote to memory of 1028	4848	TikTokDesktop18.exe	96
PID 4848 wrote to memory of 1028	4848	TikTokDesktop18.exe	96
PID 1028 wrote to memory of 3556	1028	powershell.exe	99
PID 1028 wrote to memory of 3556	1028	powershell.exe	99
PID 1028 wrote to memory of 3556	1028	powershell.exe	99
PID 4848 wrote to memory of 4868	4848	TikTokDesktop18.exe	100
PID 4848 wrote to memory of 4868	4848	TikTokDesktop18.exe	100
PID 4848 wrote to memory of 4868	4848	TikTokDesktop18.exe	100
PID 4868 wrote to memory of 3240	4868	powershell.exe	102
PID 4868 wrote to memory of 3240	4868	powershell.exe	102
PID 4868 wrote to memory of 3240	4868	powershell.exe	102
PID 4848 wrote to memory of 3804	4848	TikTokDesktop18.exe	103
PID 4848 wrote to memory of 3804	4848	TikTokDesktop18.exe	103
PID 4848 wrote to memory of 3804	4848	TikTokDesktop18.exe	103
PID 2412 wrote to memory of 2340	2412	._cache_Synaptics.exe	104
PID 2412 wrote to memory of 2340	2412	._cache_Synaptics.exe	104
PID 2412 wrote to memory of 2340	2412	._cache_Synaptics.exe	104
PID 3804 wrote to memory of 1596	3804	DverxU0PaY.exe	105
PID 3804 wrote to memory of 1596	3804	DverxU0PaY.exe	105
PID 3804 wrote to memory of 1596	3804	DverxU0PaY.exe	105
PID 1596 wrote to memory of 1848	1596	cmd.exe	107
PID 1596 wrote to memory of 1848	1596	cmd.exe	107
PID 1596 wrote to memory of 1848	1596	cmd.exe	107
PID 2412 wrote to memory of 1984	2412	._cache_Synaptics.exe	108
PID 2412 wrote to memory of 1984	2412	._cache_Synaptics.exe	108
PID 2412 wrote to memory of 1984	2412	._cache_Synaptics.exe	108
PID 1984 wrote to memory of 2368	1984	Wallet-PrivateKey.Pdf.exe	109
PID 1984 wrote to memory of 2368	1984	Wallet-PrivateKey.Pdf.exe	109
PID 1984 wrote to memory of 2368	1984	Wallet-PrivateKey.Pdf.exe	109
PID 2368 wrote to memory of 2672	2368	svchost.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Users\Admin\AppData\Local\Temp\Files\TikTokDesktop18.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\TikTokDesktop18.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4848
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\ieXicsAp4C'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\ieXicsAp4C
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3392
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1028
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3556
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4868
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3240
  - - C:\ieXicsAp4C\DverxU0PaY.exe
      "C:\ieXicsAp4C\DverxU0PaY.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious use of WriteProcessMemory
      PID:3804
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\ieXicsAp4C\DverxU0PaY.exe" & rd /s /q "C:\ProgramData\JECBGCFHCFID" & exit
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1596
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1848
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Users\Admin\AppData\Local\Temp\Files\testingg.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\testingg.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4356
    - - C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:572
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:992
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4224
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:420
  - - C:\Users\Admin\AppData\Local\Temp\Files\shell.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\shell.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2340
  - - C:\Users\Admin\AppData\Local\Temp\Files\Wallet-PrivateKey.Pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\Wallet-PrivateKey.Pdf.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1984
    - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2368
      - C:\Users\Admin\AppData\Local\Temp\SecurityHealthHost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SecurityHealthHost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\819792d2-210b-4359-9733-2f66d82a2f40.bat"
        7⤵
        
        PID:3772
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:332
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2672
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\system32\timeout.exe
        
        timeout /T 2 /NOBREAK
        8⤵
        Delays execution with timeout.exe
        
        PID:4640
  - - C:\Users\Admin\AppData\Local\Temp\Files\seksiak.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\seksiak.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:760
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5064
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hTpEKygM37XE.bat" "
        5⤵
        
        PID:2656
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1912
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3788
      - C:\Users\Admin\AppData\Local\Temp\Files\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\seksiak.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2212
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wP5pbRHdr3SG.bat" "
        7⤵
        
        PID:4936
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2804
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\Files\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\seksiak.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4784
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MBT0H5uBPJ3g.bat" "
        9⤵
        
        PID:1908
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4496
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\Files\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\seksiak.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3688
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bbZlyjusY5om.bat" "
        11⤵
        
        PID:2704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3724
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\Files\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\seksiak.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bRHhW8mvZ5MT.bat" "
        13⤵
        
        PID:2476
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:460
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\Files\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\seksiak.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4792
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HtDZuezzSumI.bat" "
        15⤵
        
        PID:1556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2632
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\Files\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\seksiak.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3508
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3504
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6M5K9o8eur2w.bat" "
        17⤵
        
        PID:2280
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4880
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\Files\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\seksiak.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4912
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oSQXcR2N9QBP.bat" "
        19⤵
        
        PID:1872
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2804
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4444
  - - C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Setup.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3452
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Setup.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Setup" /tr "C:\Users\Admin\AppData\Roaming\Setup.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:752
  - - C:\Users\Admin\AppData\Local\Temp\Files\NOTallowedtocrypt.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\NOTallowedtocrypt.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:4152
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2460
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4864
    - - C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
        
        "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:3744
      - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        7⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2604
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        6⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        8⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2272
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        7⤵
        
        PID:1400

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1576

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C4 0x00000000000004E4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Users\Admin\AppData\Roaming\Setup.exe
C:\Users\Admin\AppData\Roaming\Setup.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
764KB

MD5
85e3d4ac5a6ef32fb93764c090ef32b7

SHA1
adedb0aab26d15cf96f66fda8b4cfbbdcc15ef52

SHA256
4e5cc8cb98584335400d00f0a0803c3e0202761f3fbe50bcab3858a80df255e1

SHA512
a7a037bde41bcd425be18a712e27a793185f7fde638e139bbd9d253c371cd9622385eda39cf91ab715ead2591cff5b8c9f5b31d903f138d8af7bab6a9001ccab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\seksiak.exe.log

Filesize
2KB

MD5
15eab799098760706ed95d314e75449d

SHA1
273fb07e40148d5c267ca53f958c5075d24c4444

SHA256
45030bd997f50bb52c481f7bc86fac5f375d08911bcc106b98d9d8f0c2ce9778

SHA512
50c125e2a98740db0a0122d7f4de97c50d84623e800b3d3e173049c8e28ff0fbe4add7677bc56cb2228f78ed17522f67ae8f1b85f62824012414ce38ce0b500c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d0c46cad6c0778401e21910bd6b56b70

SHA1
7be418951ea96326aca445b8dfe449b2bfa0dca6

SHA256
9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

SHA512
057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
f5b375dd5c271543ddbc7b8e579e09f0

SHA1
c529a78441f2ffdc83933ef444f69c54d31c0dd0

SHA256
e7e61da170eab4c6b042a3f0853031e30da6cdc069723bec191e47d004807ce6

SHA512
dd844bc6d77f6821963540858d4705047025608ab585e7d73b05cfb89aaf216b48349ebc976a18e646604b40ef4c442b88934124631a44d65e0e8189bb1f372b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
0e5a236acaa144eb2260ac087d48114e

SHA1
591a8cd42f8e3bef2c7bd055ed9bcd60cbd249e9

SHA256
aac5c213cd569b03996759f02398ead8146e9c752a2d8d07a8a016f9cb11f06f

SHA512
6680e765d5cf3ca3a97b8b8e3cc5521296e1fe0f24c071359589788d8a66a0615fc8947050e207fbd41c94ff5947393c64fe6533a310076692088b136ab2d4db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
52351d2d17bc4aeaccd427846282a862

SHA1
9ac92da13a927a3b6318340c267d26974ec233ee

SHA256
0d56b834d8304154e34e6d4009bcf04def58d31bf38667f84c6abcf95f9eb882

SHA512
42e678027f970ec9909d9d5503e5b76bbea257f16049f4970d33c4c7f70463c2c6a2cb67ffe4f1d2a92135202e27b28c9c25b50b4efcef4fb531e6daad41f09e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6344564097353c8e7e68991fffa80d88

SHA1
2ac4d108a30ec3fbd2938b0563eb912415ea7c62

SHA256
d0af6d69f8bc0c98e9fb61dead6327bbc8b4f5292529313515382d8f883de0da

SHA512
e2b37a9001a91cb05483d72f88bd70a61ca5655939c2290fd1580710eec9d8d26a5fedbcb5223f5413b5dcc46f1d8b6b408e57be0e4ad4b37b55cbce9023a303

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
69416944dac24129d0969e2ac46f0533

SHA1
d71969659956b32411e0606a9bee640a0b108ef4

SHA256
dffc7e01106427982d7cafd3d7e3be37e16b098fbb0958410ea8d7c68bfb97ca

SHA512
aabb330053579af0d9de2661bd70eaadfd2e2e617759bc9c380db1c64731c6711304e49882138e9d337815377ee012a7458f91f692cb31538d73624385867f4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0c19866ed372c0ad1493bc700a4f665

SHA1
8deff01b187d761334563e0faaad767bc26b9477

SHA256
92097d4c09a66ed6c057e968122d723605c4dd9cd39d7ea8c610fa5551c22d79

SHA512
02e077ff944e9489dc61a3e905546b1b2a66bc1b5a468c0322bcbc9e491d5cf7e9a7ab1729cf3ed0c9f3cb091ecaa63f6e4b35c138eb5110578405060a080548

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe

Filesize
10KB

MD5
2a94f3960c58c6e70826495f76d00b85

SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6M5K9o8eur2w.bat

Filesize
210B

MD5
2c9da23772ab4c6e69464ede15923b51

SHA1
132f921a217fc0a69a228039c8815910d9a37987

SHA256
08b789d2469493863674a4ed5facf162beff2daeb286747f25c6f33fa0288b88

SHA512
870d6dce5a5594fcabd5bf8737277d4f8553f768346cf2909c54acfb15a845d39c08bdf1d2fd76c9d63d1632a966380a593f832166f0a716104b4ad96efd35bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\819792d2-210b-4359-9733-2f66d82a2f40.bat

Filesize
152B

MD5
7062cc9adeb2eebe9dca89ed32b67264

SHA1
7be539e558897e93653286269bdf997a33836d05

SHA256
b5e108b5456e88547b24cfc76a7a2c250cb697a5d276539e861f0c3c66ca9412

SHA512
06e98effa3dcfbc101da73e6f0ea827811b018c0339db615cec3223c33fc1a5ddccb4af489702b868f324f6bec439fa1a7c3cc078ea67130c7893ff67d954147

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\NOTallowedtocrypt.exe

Filesize
475KB

MD5
2b8f487213f3da1f42779e22d7b02d1a

SHA1
77c96429d6facbd1900290c9cbfed378103b8e01

SHA256
a4da37e92ca54c8851ad144fba875b61e2018f69bbe43b11926d8f8d831b56f0

SHA512
2db88a30fdfc1e859edb7229b2073449b5d57640e484e21d78047fd674fc194c2c790995621b4d0ed7927ec06e8325c7333a1893227e50d38b2559fc267cc6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\TikTokDesktop18.exe

Filesize
17.9MB

MD5
81f6b6fe3201c3941bd49243c5896811

SHA1
8bd0d5bb78255fc9f2dcf70fde14dba16c66551c

SHA256
fa4f1c0b324654420f8758b8ab1d7e0db22f0eacbff0d2e14413ed904ca54aaf

SHA512
f3d22c84fb70a2c851f533037b74c45248b9074aa3042371672c89c3ee5229bbdbbc193e54840adbc5f17672430fbbc0b94dd12c8014f3a3ec93fece24e54d4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Wallet-PrivateKey.Pdf.exe

Filesize
107KB

MD5
036ba72c9c4cf36bda1dc440d537af3c

SHA1
3c10ef9932ffc206a586fe5768879bf078e9ebeb

SHA256
bb41ae95f911a55ab1101ca7854918ec0f23548376d4846a2176b9c289102114

SHA512
c7e8c37787b759bca7fb6d02692c0263d6c60f606ee52e890f3c177dabd00ac6305cd43056164f6e16fbc18046a8c4226172f295ebc85e310ea7e52878d5137d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe

Filesize
80KB

MD5
1fdbde7773dca61675f332594d8f7e99

SHA1
b993f62c871c311fe9a398ad2424389b1072906e

SHA256
439f9b3edd8b69f54c8a03c34f56660b95f345688edfad7911780a41f9839d65

SHA512
51a74a252c827f9fd3cbcd39cd6b95d721b97fd25fb8f78574700ccbf60e85d072ffa5b893887d67a2c5f69478df3ce687c6d11632312117bed928800b3e63b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\seksiak.exe

Filesize
3.1MB

MD5
239c5f964b458a0a935a4b42d74bcbda

SHA1
7a037d3bd8817adf6e58734b08e807a84083f0ce

SHA256
7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c

SHA512
2e9e95d5097ce751d2a641a8fc7f8bc824a525a07bc06cd8a60580405fad90543ffa3259e6b2b2e97a70a3c3ed03e73b29f7cb9ebd10e7c62eaef2078805be19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\shell.exe

Filesize
72KB

MD5
156b3dd7b265fdbeb2ade043097d069b

SHA1
58d37918893d2109804c79f93316570a74aa2855

SHA256
da47b99da4257ab831799c5d2fb02086c093511988fb4239aab3a57dab00c049

SHA512
43d28d9f5b32e8acea884380ef733eaf51b9110c6fe334ab2d9551319c3f4b7e235f08b1f3f26fb5914b6973586e6089f14f7aceebcf110ca40f492f963fdea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\testingg.exe

Filesize
93KB

MD5
87301d7789d34f5f9e2d497b4d9b8f88

SHA1
b65a76d11f1d2e44d6f5113cf0212bc36abb17b1

SHA256
fdab671fc30cd30956d58c4b148fc1164cf45c9d766bb0e5b34f144b40d68516

SHA512
e60f39a599e59e72137edc83b00704abd716fbadc2a46b942aa325491a9af02628b2225123ba27ed09c077933b526917b3004d7e6659708e43308eb1fbfe7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\HtDZuezzSumI.bat

Filesize
210B

MD5
8c2662bd875f05f5c4d6d2464ce3cccc

SHA1
4bc303ca83f93fa11f299a62e7197c29c792115e

SHA256
276bfd7e7feafa2e1735bb386c00a7b8c2d920c56a44342a0d90cd779255b95e

SHA512
f0bd2ed1087d59a6f1e8c31de7cd67c2d80beca676d8314eff350cd6c70b5687f57cc0661f362e90396e8c3261df6e02f0bd4632bf175cbf23994340535457ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\MBT0H5uBPJ3g.bat

Filesize
210B

MD5
b3978b038b905c8ecf43416afaa17403

SHA1
f62c55cfa0e32ae41e506a9c5d2e3a6e28c36a3d

SHA256
05d05591797a9aa3887832e29bb7a97ffbacfd152482f22c21e407d08521da3d

SHA512
0ad81a3797d3080197657352bf60c1242817f48fb269fffd063eaea206866b2b8304f1d0a65c1e5e72e297012f9c3b03ad12a9bbc5c7434494e106a1baf854fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SecurityHealthHost.exe

Filesize
3.7MB

MD5
6967a105bf22f11871cf14fb2fda7bf1

SHA1
9be5af0232c8219b9ba0df4cb2b924b07e467ac2

SHA256
d06a144d1382d9fb1596b5a7a94d43377249bc95faee1d7b23dce3d6ac98dd3d

SHA512
df232d8915746eac5383a179fbcf322d697eacca9104da95962826a85416555c708575ffb84a769d8699c03597309a84269f310f3d555525a39f86967f85dcc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsH2GHgj.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cg2syaap.m3f.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bRHhW8mvZ5MT.bat

Filesize
210B

MD5
e053ed75ce3cf97239f5288900f108e3

SHA1
0cb9453bb39717b915422bb417a343dd178959fc

SHA256
149d755722c0490b327e079de644f3d5c5518df552396ac003529f97faa58e55

SHA512
a7e97362521af79e9b02898121a88d2a07cd7a5033baa307e63704c04196a0ce45de78eec2a35f0bbc6c8abe19f96a92c608cf35e971c0430e8c17ccdd40ce19

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbZlyjusY5om.bat

Filesize
210B

MD5
b2de043189597b1c1ac8b1a1aab8510b

SHA1
ebc47ac22ab6a970288052a8f3b61e59d8084ffc

SHA256
db03251380103f39d8955fc5fb8bd6a20c314d10cd85eff635cf1e747b06e70e

SHA512
4e5bf503c296e2f08135b587a1b03a32beffe64cdc234dd433309fe78c31796dcc2bb69b7cd00cf792237175294f35246d48d4498c124e1cc4ff40693c79238c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hTpEKygM37XE.bat

Filesize
210B

MD5
ddd8e3c1004bef379c0132baa043e9fa

SHA1
bb7a28b2f9d705df1961728a050fb96613f287be

SHA256
533ed10b4311db24f38cf8df570bbc29538656e54cf7f153928ad5f1165d2c59

SHA512
9095ab6757ffa3a7ee3b48f93852841508da63b8fab50594db4c86631baa6a78bb0c283ba22acaeba8580513263c916c7de33c75622fdae7fdcfdd3dfd0ded3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oSQXcR2N9QBP.bat

Filesize
210B

MD5
46abf68f3c18ee552edb78d2e4173695

SHA1
4874528e0ddcafeec6bd5319ef64b70b3c288054

SHA256
d90baba649838579376251fdcb659875dc48fc95372fa8847158614d96328bfe

SHA512
16de78082ba715dd226cd8e31759e164d538ac05901699df21e98a1a46928bb003dce3e0f6733c25ca98d1a079d6cff8af4dafaca7793265a73d05fdef7f2d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
73KB

MD5
9d347d5ac998a89f78ba00e74b951f55

SHA1
73df3d5c8388a4d6693cbb24f719dba8833c9157

SHA256
2ea5686422bd8fb6eda542e9a96588f9deb1c97c45f3cb7d3b21ac4da540b57c

SHA512
3db7421aa98e8e108bf982048dda7e0f09428c6498cf5f9f56ef499fb2fafc5deabde8ecb99e1fdd570d54ae9c0533b7502de5848c9e772708cf75509d0c9d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wP5pbRHdr3SG.bat

Filesize
210B

MD5
d03008c5f59a957c35670619a5b77ec0

SHA1
350bdf50e340de4850c8a235a7af434e4831ff11

SHA256
0606d135a030a884d8c4c9e5657ebd7156c4493bb0fecab8f0125f05dbf2b710

SHA512
449fe6c7c9c9c918926bb5a5caacfaeee417c5a557e5637d5bfec6b0cd87d3aba64b8c40f7a02d831e1a14e16b4221b779aa64bde232803f3ec846d9d2a69e47

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
53ce6d1ae8885b5d12e654469f456c83

SHA1
9d8b30c523ddef4d24134072b27716bec7d94d6f

SHA256
d7ebf92ad6e3bc44fbc3cfbb234ef4afafd7ea339f712229641a2849b6f87ce2

SHA512
c15df9281e9ccbb8d30e24e751b77a030e734f8cda4bd9482d3ca02f6b23e463a8e90ddd78a582ca059e57b8d0492c22583d792bc7368094ffc06e12cd145d9d

Download Submit
C:\ieXicsAp4C\DverxU0PaY.exe

Filesize
275KB

MD5
0a7b3454fdad8431bd3523648c915665

SHA1
800a97a7c1a92a92cac76afc1fe5349895ee5287

SHA256
baf217d7bb8f3a86856def6891638318a94ed5d7082149d4dd4cb755d90d86ce

SHA512
020e45eaeee083d6739155d9a821ab54dd07f1320b8efb73871ee5d29188122fdbb7d39b34a8b3694a8b0c08ae1801ec370e40ff8d837c9190a72905f26baff9

Download Submit
memory/484-604-0x0000000000430000-0x00000000004B0000-memory.dmp

Filesize
512KB

Download
memory/484-611-0x0000000000430000-0x00000000004B0000-memory.dmp

Filesize
512KB

Download
memory/484-632-0x0000000000430000-0x00000000004B0000-memory.dmp

Filesize
512KB

Download
memory/484-613-0x0000000000430000-0x00000000004B0000-memory.dmp

Filesize
512KB

Download
memory/484-638-0x0000000000430000-0x00000000004B0000-memory.dmp

Filesize
512KB

Download
memory/484-655-0x0000000000430000-0x00000000004B0000-memory.dmp

Filesize
512KB

Download
memory/484-656-0x0000000000430000-0x00000000004B0000-memory.dmp

Filesize
512KB

Download
memory/484-609-0x0000000000430000-0x00000000004B0000-memory.dmp

Filesize
512KB

Download
memory/484-603-0x0000000000430000-0x00000000004B0000-memory.dmp

Filesize
512KB

Download
memory/484-617-0x0000000000430000-0x00000000004B0000-memory.dmp

Filesize
512KB

Download
memory/484-602-0x0000000000430000-0x00000000004B0000-memory.dmp

Filesize
512KB

Download
memory/760-477-0x000000001BEC0000-0x000000001BF10000-memory.dmp

Filesize
320KB

Download
memory/760-478-0x000000001C830000-0x000000001C8E2000-memory.dmp

Filesize
712KB

Download
memory/760-464-0x0000000000F90000-0x00000000012B4000-memory.dmp

Filesize
3.1MB

Download
memory/1028-317-0x0000000006110000-0x0000000006467000-memory.dmp

Filesize
3.3MB

Download
memory/1352-0-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1352-128-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1400-614-0x00000000008E0000-0x0000000000960000-memory.dmp

Filesize
512KB

Download
memory/1400-615-0x00000000008E0000-0x0000000000960000-memory.dmp

Filesize
512KB

Download
memory/1576-297-0x00007FFD19070000-0x00007FFD19080000-memory.dmp

Filesize
64KB

Download
memory/1576-298-0x00007FFD19070000-0x00007FFD19080000-memory.dmp

Filesize
64KB

Download
memory/1576-308-0x00007FFD164D0000-0x00007FFD164E0000-memory.dmp

Filesize
64KB

Download
memory/1576-301-0x00007FFD19070000-0x00007FFD19080000-memory.dmp

Filesize
64KB

Download
memory/1576-304-0x00007FFD164D0000-0x00007FFD164E0000-memory.dmp

Filesize
64KB

Download
memory/1576-300-0x00007FFD19070000-0x00007FFD19080000-memory.dmp

Filesize
64KB

Download
memory/1576-299-0x00007FFD19070000-0x00007FFD19080000-memory.dmp

Filesize
64KB

Download
memory/1872-490-0x000001C4403F0000-0x000001C440412000-memory.dmp

Filesize
136KB

Download
memory/1984-435-0x00000000052E0000-0x0000000005372000-memory.dmp

Filesize
584KB

Download
memory/1984-439-0x0000000006D10000-0x0000000006D1A000-memory.dmp

Filesize
40KB

Download
memory/1984-434-0x00000000057B0000-0x0000000005D56000-memory.dmp

Filesize
5.6MB

Download
memory/1984-433-0x0000000000920000-0x0000000000940000-memory.dmp

Filesize
128KB

Download
memory/2368-441-0x00000000006F0000-0x0000000000708000-memory.dmp

Filesize
96KB

Download
memory/2540-129-0x000000007237E000-0x000000007237F000-memory.dmp

Filesize
4KB

Download
memory/2540-182-0x0000000005720000-0x00000000057BC000-memory.dmp

Filesize
624KB

Download
memory/2540-133-0x0000000000DB0000-0x0000000000DB8000-memory.dmp

Filesize
32KB

Download
memory/2540-274-0x000000007237E000-0x000000007237F000-memory.dmp

Filesize
4KB

Download
memory/2608-238-0x0000000006150000-0x00000000064A7000-memory.dmp

Filesize
3.3MB

Download
memory/2608-225-0x0000000005200000-0x0000000005236000-memory.dmp

Filesize
216KB

Download
memory/2608-226-0x0000000005930000-0x0000000005F5A000-memory.dmp

Filesize
6.2MB

Download
memory/2608-228-0x0000000005870000-0x00000000058D6000-memory.dmp

Filesize
408KB

Download
memory/2608-227-0x00000000057D0000-0x00000000057F2000-memory.dmp

Filesize
136KB

Download
memory/2608-229-0x0000000005F60000-0x0000000005FC6000-memory.dmp

Filesize
408KB

Download
memory/2608-240-0x00000000066C0000-0x000000000670C000-memory.dmp

Filesize
304KB

Download
memory/2608-239-0x0000000006680000-0x000000000669E000-memory.dmp

Filesize
120KB

Download
memory/2672-447-0x00000271ADF40000-0x00000271AE2F6000-memory.dmp

Filesize
3.7MB

Download
memory/3240-367-0x000000006D050000-0x000000006D09C000-memory.dmp

Filesize
304KB

Download
memory/3392-275-0x0000000007400000-0x0000000007434000-memory.dmp

Filesize
208KB

Download
memory/3392-276-0x000000006D050000-0x000000006D09C000-memory.dmp

Filesize
304KB

Download
memory/3392-296-0x0000000007AD0000-0x0000000007AD8000-memory.dmp

Filesize
32KB

Download
memory/3392-295-0x0000000007AE0000-0x0000000007AFA000-memory.dmp

Filesize
104KB

Download
memory/3392-289-0x0000000007810000-0x000000000781A000-memory.dmp

Filesize
40KB

Download
memory/3392-294-0x00000000079F0000-0x0000000007A05000-memory.dmp

Filesize
84KB

Download
memory/3392-293-0x00000000079E0000-0x00000000079EE000-memory.dmp

Filesize
56KB

Download
memory/3392-292-0x00000000079A0000-0x00000000079B1000-memory.dmp

Filesize
68KB

Download
memory/3392-285-0x0000000006A30000-0x0000000006A4E000-memory.dmp

Filesize
120KB

Download
memory/3392-290-0x0000000007A20000-0x0000000007AB6000-memory.dmp

Filesize
600KB

Download
memory/3392-288-0x0000000007790000-0x00000000077AA000-memory.dmp

Filesize
104KB

Download
memory/3392-287-0x0000000007DD0000-0x000000000844A000-memory.dmp

Filesize
6.5MB

Download
memory/3392-286-0x0000000007640000-0x00000000076E4000-memory.dmp

Filesize
656KB

Download
memory/3556-335-0x000000006D050000-0x000000006D09C000-memory.dmp

Filesize
304KB

Download
memory/3556-344-0x0000000007A80000-0x0000000007B24000-memory.dmp

Filesize
656KB

Download
memory/3556-345-0x0000000007D50000-0x0000000007D61000-memory.dmp

Filesize
68KB

Download
memory/3556-346-0x0000000007D80000-0x0000000007D95000-memory.dmp

Filesize
84KB

Download
memory/3712-476-0x00000000001D0000-0x00000000001EA000-memory.dmp

Filesize
104KB

Download
memory/3804-391-0x0000000000A10000-0x0000000000C69000-memory.dmp

Filesize
2.3MB

Download
memory/3804-421-0x0000000000A10000-0x0000000000C69000-memory.dmp

Filesize
2.3MB

Download
memory/4848-224-0x0000000000020000-0x000000000120A000-memory.dmp

Filesize
17.9MB

Download
memory/5080-291-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/5080-387-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/5080-132-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/5080-559-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download