xred | 807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e

Analysis

max time kernel
142s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-02-2025 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

installer3.exe
Size

62.5MB
MD5

4c7a118d52a8085b27ba6adbbf8b319f
SHA1

2bc99901e41cea3c38688ee946c3c324a72a7af4
SHA256

807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e
SHA512

d673344a02500eb4082ddd7593e4e351fd8a56f77844d1e69c5b41c1d5aa28323329aacbf0350c83e300e8c6a992fa7b4a9661e764a1308729945c488592fba1
SSDEEP

1572864:C5+ynVfeK9AHadZkQd9cYrL6on7dRBlDdI39FjuowqqSBvnvD:C+ynVJ9Hk4Gs7dRvdcfCwvD

Score

10^/10

xred backdoor defense_evasion discovery execution macro persistence privilege_escalation

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
876	powershell.exe
2216	powershell.exe
560	powershell.exe
3028	powershell.exe
1588	powershell.exe
2352	powershell.exe
348	powershell.exe
2660	powershell.exe
1596	powershell.exe
1784	powershell.exe
2836	powershell.exe
1952	powershell.exe
1584	powershell.exe
2616	powershell.exe
560	powershell.exe
2836	powershell.exe
2060	powershell.exe
3060	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Modifies Windows Firewall 2 TTPs 8 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
700	netsh.exe
1664	netsh.exe
2364	netsh.exe
448	netsh.exe
1896	netsh.exe
2400	netsh.exe
536	netsh.exe
1892	netsh.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x0007000000016d6d-101.dat

Executes dropped EXE 7 IoCs

pid	Process
1736	._cache_installer3.exe
2324	Synaptics.exe
2896	._cache_Synaptics.exe
2592	Bound.exe
352	svchost.exe
2644	Bound.exe
2152	svchost.exe

Loads dropped DLL 8 IoCs

pid	Process
2364	installer3.exe
2364	installer3.exe
2364	installer3.exe
2324	Synaptics.exe
2324	Synaptics.exe
2324	Synaptics.exe
2324	Synaptics.exe
2324	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	installer3.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SystemBack	._cache_Synaptics.exe
File created	C:\Windows\System32\SystemBack\MicrosoftMACHINE.vbs	._cache_Synaptics.exe
File opened for modification	C:\Windows\System32\MicrosoftMACHINE.vbs	._cache_Synaptics.exe
File created	C:\Windows\System32\safeChrome.vbs	._cache_Synaptics.exe
File created	C:\Windows\System32\tlib.dll	._cache_Synaptics.exe
File opened for modification	C:\Windows\System32\SystemBack	._cache_installer3.exe
File created	C:\Windows\System32\MicrosoftMACHINE.vbs	._cache_installer3.exe
File created	C:\Windows\System32\MicrosoftEdgeCore.vbs	._cache_installer3.exe
File created	C:\Windows\System32\MicrosoftEdgeCore.vbs	._cache_Synaptics.exe
File opened for modification	C:\Windows\System32\be-ID	._cache_installer3.exe
File created	C:\Windows\System32\be-ID\svchost.exe	._cache_installer3.exe
File created	C:\Windows\System32\tlib.dll	._cache_installer3.exe
File created	C:\Windows\System32\SystemBack\svchost.exe	._cache_Synaptics.exe
File created	C:\Windows\System32\SystemBack\MicrosoftEdgeCore.vbs	._cache_installer3.exe
File created	C:\Windows\System32\SystemBack\chrome.exe	._cache_installer3.exe
File created	C:\Windows\System32\SystemBack\MicrosoftEdgeCore.vbs	._cache_Synaptics.exe
File created	C:\Windows\System32\SystemBack\svchost.exe	._cache_installer3.exe
File opened for modification	C:\Windows\System32\be-ID	._cache_Synaptics.exe
File created	C:\Windows\System32\SystemBack\tlib.dll	._cache_Synaptics.exe
File created	C:\Windows\System32\SystemBack\chrome.exe	._cache_Synaptics.exe
File created	C:\Windows\System32\be-ID\svchost.exe	._cache_Synaptics.exe
File created	C:\Windows\System32\SystemBack\tlib.dll	._cache_installer3.exe
File created	C:\Windows\System32\SystemBack\MicrosoftMACHINE.vbs	._cache_installer3.exe
File created	C:\Windows\System32\safeChrome.vbs	._cache_installer3.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\microboy.vbs	._cache_installer3.exe
File opened for modification	C:\Windows\Dotfuscated\Google\Chrome	._cache_installer3.exe
File created	C:\Windows\Dotfuscated\Google\Chrome\chrome.exe	._cache_installer3.exe
File created	C:\Windows\Dotfuscated\Google\Chrome\Bound.exe	._cache_installer3.exe
File created	C:\Windows\MicrosoftWindow.bat	._cache_installer3.exe
File opened for modification	C:\Windows\Dotfuscated\Google\Chrome	._cache_Synaptics.exe
File created	C:\Windows\Dotfuscated\Google\Chrome\chrome.exe	._cache_Synaptics.exe
File created	C:\Windows\Dotfuscated\Google\Chrome\Bound.exe	._cache_Synaptics.exe
File created	C:\Windows\MicrosoftWindow.bat	._cache_Synaptics.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3044	sc.exe
1796	sc.exe
1784	sc.exe
1208	sc.exe
352	sc.exe
2580	sc.exe
2136	sc.exe
1348	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 24 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1676	PING.EXE
1952	PING.EXE

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
2056	timeout.exe
2756	timeout.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1676	PING.EXE
1952	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2644	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1596	powershell.exe
1784	powershell.exe
1736	._cache_installer3.exe
1736	._cache_installer3.exe
1736	._cache_installer3.exe
348	powershell.exe
1588	powershell.exe
2352	powershell.exe
2060	powershell.exe
876	powershell.exe
2660	powershell.exe
3060	powershell.exe
2216	powershell.exe
560	powershell.exe
2836	powershell.exe
3028	powershell.exe
1952	powershell.exe
2896	._cache_Synaptics.exe
2896	._cache_Synaptics.exe
2896	._cache_Synaptics.exe
1584	powershell.exe
2616	powershell.exe
560	powershell.exe
2836	powershell.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	1736	._cache_installer3.exe
Token: SeDebugPrivilege	348	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	2896	._cache_Synaptics.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2644	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 1736	2364	installer3.exe	30
PID 2364 wrote to memory of 1736	2364	installer3.exe	30
PID 2364 wrote to memory of 1736	2364	installer3.exe	30
PID 2364 wrote to memory of 1736	2364	installer3.exe	30
PID 2364 wrote to memory of 2324	2364	installer3.exe	31
PID 2364 wrote to memory of 2324	2364	installer3.exe	31
PID 2364 wrote to memory of 2324	2364	installer3.exe	31
PID 2364 wrote to memory of 2324	2364	installer3.exe	31
PID 2364 wrote to memory of 2324	2364	installer3.exe	31
PID 2364 wrote to memory of 2324	2364	installer3.exe	31
PID 2364 wrote to memory of 2324	2364	installer3.exe	31
PID 2324 wrote to memory of 2896	2324	Synaptics.exe	32
PID 2324 wrote to memory of 2896	2324	Synaptics.exe	32
PID 2324 wrote to memory of 2896	2324	Synaptics.exe	32
PID 2324 wrote to memory of 2896	2324	Synaptics.exe	32
PID 1736 wrote to memory of 2648	1736	._cache_installer3.exe	34
PID 1736 wrote to memory of 2648	1736	._cache_installer3.exe	34
PID 1736 wrote to memory of 2648	1736	._cache_installer3.exe	34
PID 2648 wrote to memory of 1744	2648	WScript.exe	35
PID 2648 wrote to memory of 1744	2648	WScript.exe	35
PID 2648 wrote to memory of 1744	2648	WScript.exe	35
PID 2648 wrote to memory of 2968	2648	WScript.exe	38
PID 2648 wrote to memory of 2968	2648	WScript.exe	38
PID 2648 wrote to memory of 2968	2648	WScript.exe	38
PID 2968 wrote to memory of 1172	2968	wscript.exe	39
PID 2968 wrote to memory of 1172	2968	wscript.exe	39
PID 2968 wrote to memory of 1172	2968	wscript.exe	39
PID 2968 wrote to memory of 1596	2968	wscript.exe	41
PID 2968 wrote to memory of 1596	2968	wscript.exe	41
PID 2968 wrote to memory of 1596	2968	wscript.exe	41
PID 1736 wrote to memory of 700	1736	._cache_installer3.exe	43
PID 1736 wrote to memory of 700	1736	._cache_installer3.exe	43
PID 1736 wrote to memory of 700	1736	._cache_installer3.exe	43
PID 700 wrote to memory of 1208	700	cmd.exe	45
PID 700 wrote to memory of 1208	700	cmd.exe	45
PID 700 wrote to memory of 1208	700	cmd.exe	45
PID 1736 wrote to memory of 408	1736	._cache_installer3.exe	46
PID 1736 wrote to memory of 408	1736	._cache_installer3.exe	46
PID 1736 wrote to memory of 408	1736	._cache_installer3.exe	46
PID 408 wrote to memory of 352	408	cmd.exe	76
PID 408 wrote to memory of 352	408	cmd.exe	76
PID 408 wrote to memory of 352	408	cmd.exe	76
PID 1736 wrote to memory of 1436	1736	._cache_installer3.exe	49
PID 1736 wrote to memory of 1436	1736	._cache_installer3.exe	49
PID 1736 wrote to memory of 1436	1736	._cache_installer3.exe	49
PID 1436 wrote to memory of 2580	1436	cmd.exe	51
PID 1436 wrote to memory of 2580	1436	cmd.exe	51
PID 1436 wrote to memory of 2580	1436	cmd.exe	51
PID 2968 wrote to memory of 1784	2968	wscript.exe	95
PID 2968 wrote to memory of 1784	2968	wscript.exe	95
PID 2968 wrote to memory of 1784	2968	wscript.exe	95
PID 1736 wrote to memory of 1764	1736	._cache_installer3.exe	54
PID 1736 wrote to memory of 1764	1736	._cache_installer3.exe	54
PID 1736 wrote to memory of 1764	1736	._cache_installer3.exe	54
PID 1764 wrote to memory of 2136	1764	cmd.exe	57
PID 1764 wrote to memory of 2136	1764	cmd.exe	57
PID 1764 wrote to memory of 2136	1764	cmd.exe	57
PID 2968 wrote to memory of 348	2968	wscript.exe	58
PID 2968 wrote to memory of 348	2968	wscript.exe	58
PID 2968 wrote to memory of 348	2968	wscript.exe	58
PID 2968 wrote to memory of 1588	2968	wscript.exe	60
PID 2968 wrote to memory of 1588	2968	wscript.exe	60
PID 2968 wrote to memory of 1588	2968	wscript.exe	60
PID 2968 wrote to memory of 2352	2968	wscript.exe	62

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\installer3.exe
"C:\Users\Admin\AppData\Local\Temp\installer3.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\._cache_installer3.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_installer3.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\microboy.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Delete /TN "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-BOBO-BD9C-GG4F0859F018}" /F
      4⤵
      PID:1744
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Windows\microboy.vbs" /elevated
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Delete /TN "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-BOBO-BD9C-GG4F0859F018}" /F
        5⤵
        
        PID:1172
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess 'msedge.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess 'chrome.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess 'svchost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c sc stop "Microsoft Edge Update ServIce"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:700
  - - C:\Windows\system32\sc.exe
      sc stop "Microsoft Edge Update ServIce"
      4⤵
      Launches sc.exe
      PID:1208
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c sc delete "Microsoft Edge Update ServIce"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:408
  - - C:\Windows\system32\sc.exe
      sc delete "Microsoft Edge Update ServIce"
      4⤵
      Launches sc.exe
      PID:352
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c sc create "Microsoft Edge Update ServIce" binPath= "C:\Windows\MicrosoftWindow.bat" start= auto
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1436
  - - C:\Windows\system32\sc.exe
      sc create "Microsoft Edge Update ServIce" binPath= "C:\Windows\MicrosoftWindow.bat" start= auto
      4⤵
      Launches sc.exe
      PID:2580
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c sc start "Microsoft Edge Update ServIce"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1764
  - - C:\Windows\system32\sc.exe
      sc start "Microsoft Edge Update ServIce"
      4⤵
      Launches sc.exe
      PID:2136
- - C:\Windows\Dotfuscated\Google\Chrome\Bound.exe
    "C:\Windows\Dotfuscated\Google\Chrome\Bound.exe"
    3⤵
    - Executes dropped EXE
    PID:2592
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=in program='C:\Windows\Dotfuscated\Google\Chrome\chrome.exe'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2060
    - - C:\Windows\system32\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=in program=C:\Windows\Dotfuscated\Google\Chrome\chrome.exe
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1664
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=out program='C:\Windows\Dotfuscated\Google\Chrome\chrome.exe'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3060
    - - C:\Windows\system32\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=out program=C:\Windows\Dotfuscated\Google\Chrome\chrome.exe
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2364
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='SSTFDE(Secure Socket Trade Protocol)(SSTF-IN) Inbound' dir=in action=allow program='C:\Windows\Dotfuscated\Google\Chrome\chrome.exe' enable=yes profile=private,public"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2836
    - - C:\Windows\system32\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=SSTFDE(Secure Socket Trade Protocol)(SSTF-IN) Inbound" dir=in action=allow program=C:\Windows\Dotfuscated\Google\Chrome\chrome.exe enable=yes profile=private public
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='SSTFDE(Secure Socket Trade Protocol)(SSTF-IN) Outbound' dir=out action=allow program='C:\Windows\Dotfuscated\Google\Chrome\chrome.exe' enable=yes profile=private,public"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1952
    - - C:\Windows\system32\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=SSTFDE(Secure Socket Trade Protocol)(SSTF-IN) Outbound" dir=out action=allow program=C:\Windows\Dotfuscated\Google\Chrome\chrome.exe enable=yes profile=private public
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1896
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF8E0.tmp.bat""
      4⤵
      PID:624
    - - C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1676
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\System32\MicrosoftEdgeCore.vbs"
    3⤵
    PID:1076
  - - C:\Windows\System32\be-ID\svchost.exe
      "C:\Windows\System32\be-ID\svchost.exe" C:\Windows\System32\tlib.dll,EntryPoint
      4⤵
      Executes dropped EXE
      PID:352
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\selfdelete.bat""
    3⤵
    PID:980
  - - C:\Windows\system32\timeout.exe
      timeout /t 2
      4⤵
      Delays execution with timeout.exe
      PID:2056
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2896
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\microboy.vbs"
      4⤵
      PID:2908
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Delete /TN "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-BOBO-BD9C-GG4F0859F018}" /F
        5⤵
        
        PID:2836
    - - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" "C:\Windows\microboy.vbs" /elevated
        5⤵
        
        PID:2656
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Delete /TN "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-BOBO-BD9C-GG4F0859F018}" /F
        6⤵
        
        PID:2000
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess 'msedge.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess 'chrome.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess 'svchost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
  - - C:\Windows\system32\cmd.exe
      "cmd.exe" /c sc stop "Microsoft Edge Update ServIce"
      4⤵
      PID:2944
    - - C:\Windows\system32\sc.exe
        
        sc stop "Microsoft Edge Update ServIce"
        5⤵
        Launches sc.exe
        
        PID:1348
  - - C:\Windows\system32\cmd.exe
      "cmd.exe" /c sc delete "Microsoft Edge Update ServIce"
      4⤵
      PID:1524
    - - C:\Windows\system32\sc.exe
        
        sc delete "Microsoft Edge Update ServIce"
        5⤵
        Launches sc.exe
        
        PID:3044
  - - C:\Windows\system32\cmd.exe
      "cmd.exe" /c sc create "Microsoft Edge Update ServIce" binPath= "C:\Windows\MicrosoftWindow.bat" start= auto
      4⤵
      PID:2260
    - - C:\Windows\system32\sc.exe
        
        sc create "Microsoft Edge Update ServIce" binPath= "C:\Windows\MicrosoftWindow.bat" start= auto
        5⤵
        Launches sc.exe
        
        PID:1796
  - - C:\Windows\system32\cmd.exe
      "cmd.exe" /c sc start "Microsoft Edge Update ServIce"
      4⤵
      PID:2996
    - - C:\Windows\system32\sc.exe
        
        sc start "Microsoft Edge Update ServIce"
        5⤵
        Launches sc.exe
        
        PID:1784
  - - C:\Windows\Dotfuscated\Google\Chrome\Bound.exe
      "C:\Windows\Dotfuscated\Google\Chrome\Bound.exe"
      4⤵
      Executes dropped EXE
      PID:2644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=in program='C:\Windows\Dotfuscated\Google\Chrome\chrome.exe'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
      - C:\Windows\system32\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=in program=C:\Windows\Dotfuscated\Google\Chrome\chrome.exe
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=out program='C:\Windows\Dotfuscated\Google\Chrome\chrome.exe'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
      - C:\Windows\system32\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=out program=C:\Windows\Dotfuscated\Google\Chrome\chrome.exe
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='SSTFDE(Secure Socket Trade Protocol)(SSTF-IN) Inbound' dir=in action=allow program='C:\Windows\Dotfuscated\Google\Chrome\chrome.exe' enable=yes profile=private,public"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
      - C:\Windows\system32\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=SSTFDE(Secure Socket Trade Protocol)(SSTF-IN) Inbound" dir=in action=allow program=C:\Windows\Dotfuscated\Google\Chrome\chrome.exe enable=yes profile=private public
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='SSTFDE(Secure Socket Trade Protocol)(SSTF-IN) Outbound' dir=out action=allow program='C:\Windows\Dotfuscated\Google\Chrome\chrome.exe' enable=yes profile=private,public"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
      - C:\Windows\system32\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=SSTFDE(Secure Socket Trade Protocol)(SSTF-IN) Outbound" dir=out action=allow program=C:\Windows\Dotfuscated\Google\Chrome\chrome.exe enable=yes profile=private public
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:700
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp191C.tmp.bat""
        5⤵
        
        PID:2640
      - C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 2
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1952
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\System32\MicrosoftEdgeCore.vbs"
      4⤵
      PID:1140
    - - C:\Windows\System32\be-ID\svchost.exe
        
        "C:\Windows\System32\be-ID\svchost.exe" C:\Windows\System32\tlib.dll,EntryPoint
        5⤵
        Executes dropped EXE
        
        PID:2152
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2896 -s 1052
      4⤵
      PID:1196

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2644

C:\Windows\system32\cmd.exe
cmd /c C:\Windows\MicrosoftWindow.bat
1⤵
PID:468
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\Windows\System32\safeChrome.vbs"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3048
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Windows\System32\safeChrome.vbs" /elevated
    3⤵
    - Modifies data under HKEY_USERS
    PID:2116
- C:\Windows\system32\timeout.exe
  timeout /t 5 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2756
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\Windows\System32\MicrosoftMACHINE.vbs"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1348
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Windows\System32\MicrosoftMACHINE.vbs" /elevated
    3⤵
    - Modifies data under HKEY_USERS
    PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VexxDpCw.xlsm

Filesize
20KB

MD5
3405b79dd474bd56ed0c105c5000ec33

SHA1
b0ab70b643332b473f7a62f05e0a88c4234ad162

SHA256
abda2b2b1d2c4d3016976e3bb55276f2466a5c8fe26950402a89cb057b0dfd3e

SHA512
5d89dcbf98a9a36a3602fe21e14e31e6b2dcd7203bc1e89fd855ce94ba1aacdeee3e0eeeeb2dbcfc111f5ce802678a988522df58e4b43ba101dc07621bb2a5d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\VexxDpCw.xlsm

Filesize
24KB

MD5
1c814506b643b4cfb9f2d830c9a7b79f

SHA1
0c147554e931183ada6b4d5e5fe9f2b4fca1708a

SHA256
50b5cd129d204232ce6c41ec6e4f158212add2526e75000090edef28c563699b

SHA512
51603c9d55e802280c8f9ff9a9190dd1927b833b9b4f1f9dcdefaea224bd6c040ff0bda55f90869e16de3fa6f6e71f833700357b3dc1aa8ac1fc9318b0aa8106

Download Submit
C:\Users\Admin\AppData\Local\Temp\VexxDpCw.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\selfdelete.bat

Filesize
188B

MD5
e80f6f16a7416484e6e47d8e3be9fbc0

SHA1
af587b284a0a7e0b86ad52ec8d5286f707e84538

SHA256
71bf36eff3ecebb81d2449c09ddf5e25b6ce96172c6e136244a5b993dd5974d6

SHA512
964b28dab05289ce778cb2a2623644b12a654135157a9af68a92ec93d715cd014f302e17447d9f7eee96cba3ec50990b7bd3256ce78d566e6338e0fd8f1b4b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\selfdelete.bat

Filesize
186B

MD5
b12638716283d5a59587fff0ff54fd47

SHA1
a93610b622d275d7086bb070bc3dea92bff32b13

SHA256
c30a547ba9276cb9f93ad684f32a98823b11808bdf2be29b20c283d4afd935a4

SHA512
8811c228ae3b7339aca409c4fa1feaecbb45fe3b7fcf471e1e3e82056684d893d837770cd58686af042e76408534e95124257e68d1ba6181fa1949ba6904747e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp191C.tmp.bat

Filesize
149B

MD5
4872427c9c1e5eb5bd47348c60a8a203

SHA1
0939e724dd4b7b8ac8431bf4084a8c98a87b72a8

SHA256
1bacbb885bb6d3ed2ba773d66ebe8b925f06d6eb8399fbb925fdff72cfa91ca9

SHA512
2dfebccb84e6587b98148ecaf51aecc380e7f9747727bea371abac42d492605cca2f80ad1502bdf957d5b7e0232162750e7f1caa6264d20ef42ee03a4c6cd074

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF8E0.tmp.bat

Filesize
149B

MD5
649338ba39041fe8beeed8551619cdce

SHA1
2f4cbf5bccd3ce5b1eb07405e51406ce283c5ab2

SHA256
fb4061edd6b8eec5380b32889de6d941db61742924dea911f325ac72586c3589

SHA512
92566d22fda6cd488fba6bc79d0648bf7023b886df8f512702904788037f24a99dc78fbac459998fa2966845e77da4c535ac43f94e62c7f9b1e551c97f374b5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0a2e83d5879f38b001a05e82aa46c653

SHA1
f1a26cea01d85004b49f92a2f8f7779186d3f2cf

SHA256
676441f8f124f6c1619b6e99914e64a4589834ba8c87a8006adabfea08483656

SHA512
820b915108f1ecf3936a3360739d97e4867ce600ef42366ae5b875ae3cf84a62f71ab57e743d514204a9fd4a181feae95b0ecf15eb29516619f1e63e789600a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d000c8a393db27e0f73fca39194da25d

SHA1
0008fa617ef177b75c9e728338a2c664af2bdb8b

SHA256
497b1edb7d31016ca2f1ef723582af01c7d0b3699dd62c64dc0a69eaef9275e0

SHA512
4010be27628ecb217c168c65c3aa09d7895f0551c778169cc55fbb44b13c51bd68e10c85e1cd2f20d50657ed5088670b76ee017138c45801a8df725fc16d34dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ebc0a4867e9c99a9e9168b32510613b7

SHA1
d627d4d4783d54786abe5011119b51311596f068

SHA256
dbd255ff15108c4b60ce336eea31848f7e052538a2e13a4f84fb61a68e0c915a

SHA512
ead5ec9833523a0ff0158972762738f0958e82c62c926a384d436639f1e3286fe6e8b44de775a2386312d928db0e670826e9991bf313cabc0daa6375a7cc47d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
75d4bf5cd1ce8e871c87612251460bd1

SHA1
a74a909988bb70690f8e2e564b20822eedaa42bf

SHA256
82abbb9d0609cf1aa5e044a67f24810202bf682951affab158c2991e373226a1

SHA512
e7c6679e222d55b6c506e1faca22854e556724daa3d46581074cf4bf131c3450b628bcfb6c2c4bfe44c52a85aeed300e188c709bcd238b64b6657210afed856e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
92e04d304f80ee776dc00673fe68070e

SHA1
035d99fe46381017983fd115e680c25dd884ccaa

SHA256
87630c85fc9d22d84ed5efcb50319a56c8a8a29d47ad24d9b1acfd8ffad3ad29

SHA512
42636066c2985a525c05212ef457963d0005c3470ae9858b1db2beb2fde7bf41a4235dfa85c9d80b9cfb23a22bae6b689dca37bc4dfc7409c9b5f19c8094b7d4

Download Submit
C:\Windows\Dotfuscated\Google\Chrome\Bound.exe

Filesize
120KB

MD5
1a84e8b19c5594acc1f1a643a3f79ab2

SHA1
afa563efe41d4be521b6cbbbcb9d816ab7ae7b6f

SHA256
c39198797d4d00ab327456214dfc2346faf7988bc363ffee07d22a82dbb73995

SHA512
ef863fce3ac55936ab284c555f63b2a354ee753186869987d4077c341c04f8fc292567028d447174ce48cb36d365c8ea9cd0eb186623610a6679ab38995d769c

Download Submit
C:\Windows\MicrosoftWindow.bat

Filesize
144B

MD5
ef4431f1f11097009995b3203f1a8c4e

SHA1
8940d2aa0e23b8977eb9ebe17d3e8f74baf249f0

SHA256
03f658d4aa9e333f96e9a8ec119c027396ad5933b8d2945b283d68d34fba1faa

SHA512
9f66ce022a4e41cc03167b4ce36b9450008af99b726684b0ed44d31e7e6677028124ad6f257bb92b6cb1a130e180663383ea66c74cacbc8a8010724314d5353f

Download Submit
C:\Windows\System32\MicrosoftEdgeCore.vbs

Filesize
1KB

MD5
75d8f74fe37df49b866abd5a9f323999

SHA1
a010e31a4a570ac2deb2ab76223668c8c19267e8

SHA256
50b59a7c5d5d6faf76da51ab8e33dec0864600662f1672ed58f569c7fd6e96e7

SHA512
dd47f1382d33f13fda337f81e21179562fd11906e00eed23b090cdeea82e13e99fdb8dcd19d464b9dbe622ed4b9b8ac1270207a21b4b369d152f8fec9f78fdd3

Download Submit
C:\Windows\System32\MicrosoftMACHINE.vbs

Filesize
2KB

MD5
e925bb2769652e05d64f12fa47f9aad6

SHA1
e0472b755ba3139a97e68b3a21e9a011bc34d130

SHA256
1ba6ea7cbd8c0982dd24f5dea9bc203d76ee24e9e4a3a65a48700e5f59e6fe06

SHA512
ea1b252051e5efb48e0cc2ce932099399f00cedf0c6041374381093bedb2a4f404a2f5d94a69b503c590fa4016bbde257d25a89f460f461036092810d7c375cd

Download Submit
C:\Windows\System32\be-ID\svchost.exe

Filesize
64KB

MD5
fc4d23ee35a8ea3f6dc0636bf5b8cb29

SHA1
ea6f004d81b09aea8a4ffd14fde4add62e4a549c

SHA256
e9e592d3da945a42ac78f6c22435ddda13f354f0a5ee61153dd2ccc7680a6775

SHA512
558c2efbc0bde4b90369d58825bd547f88042d2afcae07c22d9d6ea1c0777b16cc92bf3301640d37ea6ec671ad192fe1ed8cb9a2adba8a0aed20048d87373502

Download Submit
C:\Windows\System32\safeChrome.vbs

Filesize
1KB

MD5
6d10ddcf0d7c64ea6673823d26f20fa0

SHA1
6d1079a25c756f5580eecbd28f0c91f813b435db

SHA256
c100849a38133e76457efb6795d7560bddb1b268e215b74a4c7d4a8462d71f56

SHA512
66b3c880da621e90bd5c92c2e2ccee583b09a4d48f265ce1b45a0f32bbea21f279a860eb387a2058c3f2e4c263b8cb36d0ea4b77d241985cc011a88a9eb0c691

Download Submit
C:\Windows\System32\tlib.dll

Filesize
103KB

MD5
ec5266dbfc2df559988246e4c2b54151

SHA1
5f4864f378b6ffcdbcce739f33c0b33ff79d2f35

SHA256
9eca0aa437ae9c2079f11801acf9f7a2ae84c491b1c35933e7490c4e1f4e4c52

SHA512
7bfffa7b7c88f6f1849dde188f15f248140fa7e3bef91be959bf21ec0cbdf68b24491412bb0afd84cbe63dfbd308b8317e53ed2fa68501656211d32f7fddc683

Download Submit
C:\Windows\microboy.vbs

Filesize
1KB

MD5
7d04c5353c0128ccf7e064e06a9e5604

SHA1
33d206239c9faa19b0557d172b61fc4fb0a00189

SHA256
6cc5e97ebd8e332dd749e9937d97c716aa0f7cc5e667884b8606bf4e2acabb04

SHA512
3bd32ba6794d83ac39ac7dd3819a4ceb499427f3df3fa50da7949b45818a4a38bfeb846c30e14c7727d1f8898bbb76618a357c0581f6a0af63565eb5dd09853e

Download Submit
memory/348-120-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/348-121-0x00000000002F0000-0x00000000002F8000-memory.dmp

Filesize
32KB

Download
memory/560-203-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/1584-264-0x0000000002200000-0x0000000002208000-memory.dmp

Filesize
32KB

Download
memory/1588-141-0x0000000002070000-0x0000000002078000-memory.dmp

Filesize
32KB

Download
memory/1596-80-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/1596-79-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/1736-42-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download
memory/1736-29-0x0000000001170000-0x0000000004F32000-memory.dmp

Filesize
61.8MB

Download
memory/1736-39-0x00000000003C0000-0x00000000003C6000-memory.dmp

Filesize
24KB

Download
memory/1736-41-0x0000000027900000-0x000000002B68C000-memory.dmp

Filesize
61.5MB

Download
memory/1784-113-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/1784-114-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/2060-164-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/2324-235-0x0000000000400000-0x000000000427C000-memory.dmp

Filesize
62.5MB

Download
memory/2324-126-0x0000000000400000-0x000000000427C000-memory.dmp

Filesize
62.5MB

Download
memory/2324-316-0x0000000000400000-0x000000000427C000-memory.dmp

Filesize
62.5MB

Download
memory/2324-285-0x0000000000400000-0x000000000427C000-memory.dmp

Filesize
62.5MB

Download
memory/2324-40-0x0000000000400000-0x000000000427C000-memory.dmp

Filesize
62.5MB

Download
memory/2364-28-0x0000000000400000-0x000000000427C000-memory.dmp

Filesize
62.5MB

Download
memory/2592-152-0x0000000000F10000-0x0000000000F36000-memory.dmp

Filesize
152KB

Download
memory/2592-153-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/2592-154-0x00000000002D0000-0x00000000002E8000-memory.dmp

Filesize
96KB

Download
memory/2592-155-0x00000000002E0000-0x00000000002E6000-memory.dmp

Filesize
24KB

Download
memory/2644-107-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2644-253-0x0000000001320000-0x0000000001346000-memory.dmp

Filesize
152KB

Download
memory/2644-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2896-38-0x0000000000B20000-0x00000000048E2000-memory.dmp

Filesize
61.8MB

Download
memory/3060-191-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/3060-196-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download