xred | 807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e

Analysis

max time kernel
116s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2025 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

installer3.exe
Size

62.5MB
MD5

4c7a118d52a8085b27ba6adbbf8b319f
SHA1

2bc99901e41cea3c38688ee946c3c324a72a7af4
SHA256

807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e
SHA512

d673344a02500eb4082ddd7593e4e351fd8a56f77844d1e69c5b41c1d5aa28323329aacbf0350c83e300e8c6a992fa7b4a9661e764a1308729945c488592fba1
SSDEEP

1572864:C5+ynVfeK9AHadZkQd9cYrL6on7dRBlDdI39FjuowqqSBvnvD:C+ynVJ9Hk4Gs7dRvdcfCwvD

Score

10^/10

xred backdoor defense_evasion discovery execution persistence privilege_escalation pyinstaller

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4680	powershell.exe
964	powershell.exe
3324	powershell.exe
4248	powershell.exe
3060	powershell.exe
2164	powershell.exe
2948	powershell.exe
3792	powershell.exe
532	powershell.exe
3332	powershell.exe
3316	powershell.exe
4680	powershell.exe
3396	powershell.exe
3760	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Modifies Windows Firewall 2 TTPs 4 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3408	netsh.exe
3568	netsh.exe
1944	netsh.exe
1332	netsh.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	installer3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	._cache_installer3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 7 IoCs

pid	Process
2972	._cache_installer3.exe
1788	Synaptics.exe
3864	._cache_Synaptics.exe
3512	Bound.exe
2916	svchost.exe
3792	chrome.exe
4424	chrome.exe

Loads dropped DLL 33 IoCs

pid	Process
2916	svchost.exe
4424	chrome.exe
4424	chrome.exe
4424	chrome.exe
4424	chrome.exe
4424	chrome.exe
4424	chrome.exe
4424	chrome.exe
4424	chrome.exe
4424	chrome.exe
4424	chrome.exe
4424	chrome.exe
4424	chrome.exe
4424	chrome.exe
4424	chrome.exe
4424	chrome.exe
4424	chrome.exe
4424	chrome.exe
4424	chrome.exe
4424	chrome.exe
4424	chrome.exe
4424	chrome.exe
4424	chrome.exe
4424	chrome.exe
4424	chrome.exe
4424	chrome.exe
4424	chrome.exe
4424	chrome.exe
4424	chrome.exe
4424	chrome.exe
4424	chrome.exe
4424	chrome.exe
4424	chrome.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	installer3.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SystemBack\MicrosoftEdgeCore.vbs	._cache_Synaptics.exe
File opened for modification	C:\Windows\System32\be-ID\svchost.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\System32\SystemBack\svchost.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\System32\be-ID	._cache_Synaptics.exe
File created	C:\Windows\System32\SystemBack\MicrosoftMACHINE.vbs	._cache_installer3.exe
File created	C:\Windows\System32\tlib.dll	._cache_installer3.exe
File opened for modification	C:\Windows\System32\SystemBack\tlib.dll	._cache_Synaptics.exe
File created	C:\Windows\System32\SystemBack\MicrosoftEdgeCore.vbs	._cache_installer3.exe
File created	C:\Windows\System32\SystemBack\chrome.exe	._cache_installer3.exe
File created	C:\Windows\System32\be-ID\svchost.exe	._cache_installer3.exe
File created	C:\Windows\System32\SystemBack\svchost.exe	._cache_installer3.exe
File opened for modification	C:\Windows\System32\SystemBack	._cache_installer3.exe
File opened for modification	C:\Windows\System32\SystemBack	._cache_Synaptics.exe
File created	C:\Windows\System32\MicrosoftMACHINE.vbs	._cache_installer3.exe
File created	C:\Windows\System32\SystemBack\tlib.dll	._cache_installer3.exe
File opened for modification	C:\Windows\System32\SystemBack\MicrosoftMACHINE.vbs	._cache_Synaptics.exe
File opened for modification	C:\Windows\System32\MicrosoftMACHINE.vbs	._cache_Synaptics.exe
File opened for modification	C:\Windows\System32\MicrosoftEdgeCore.vbs	._cache_Synaptics.exe
File created	C:\Windows\System32\safeChrome.vbs	._cache_installer3.exe
File opened for modification	C:\Windows\System32\SystemBack\chrome.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\System32\safeChrome.vbs	._cache_Synaptics.exe
File opened for modification	C:\Windows\System32\tlib.dll	._cache_Synaptics.exe
File opened for modification	C:\Windows\System32\be-ID	._cache_installer3.exe
File created	C:\Windows\System32\MicrosoftEdgeCore.vbs	._cache_installer3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4424	chrome.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\MicrosoftWindow.bat	._cache_Synaptics.exe
File created	C:\Windows\microboy.vbs	._cache_installer3.exe
File opened for modification	C:\Windows\Dotfuscated\Google\Chrome	._cache_installer3.exe
File opened for modification	C:\Windows\Dotfuscated\Google\Chrome	._cache_Synaptics.exe
File created	C:\Windows\Dotfuscated\Google\Chrome\Bound.exe	._cache_installer3.exe
File opened for modification	C:\Windows\Dotfuscated\Google\Chrome\chrome.exe	._cache_Synaptics.exe
File created	C:\Windows\Dotfuscated\Google\Chrome\chrome.exe	._cache_installer3.exe
File created	C:\Windows\MicrosoftWindow.bat	._cache_installer3.exe
File created	C:\Windows\Dotfuscated\Google\Chrome\Bound.exe	._cache_Synaptics.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1640	sc.exe
1036	sc.exe
2468	sc.exe
3408	sc.exe
2672	sc.exe
4176	sc.exe
5112	sc.exe
3156	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x000a000000023b45-385.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
664	PING.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
4532	timeout.exe
2668	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	installer3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings	._cache_installer3.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings	._cache_Synaptics.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
664	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2332	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3060	powershell.exe
3060	powershell.exe
3060	powershell.exe
2948	powershell.exe
2948	powershell.exe
2948	powershell.exe
2972	._cache_installer3.exe
2972	._cache_installer3.exe
2972	._cache_installer3.exe
2972	._cache_installer3.exe
2972	._cache_installer3.exe
2972	._cache_installer3.exe
2972	._cache_installer3.exe
2972	._cache_installer3.exe
2972	._cache_installer3.exe
2972	._cache_installer3.exe
2972	._cache_installer3.exe
2972	._cache_installer3.exe
2972	._cache_installer3.exe
2972	._cache_installer3.exe
2972	._cache_installer3.exe
2972	._cache_installer3.exe
2972	._cache_installer3.exe
2972	._cache_installer3.exe
2972	._cache_installer3.exe
2972	._cache_installer3.exe
2972	._cache_installer3.exe
2972	._cache_installer3.exe
2972	._cache_installer3.exe
2972	._cache_installer3.exe
2972	._cache_installer3.exe
2972	._cache_installer3.exe
3792	powershell.exe
3792	powershell.exe
3864	._cache_Synaptics.exe
3864	._cache_Synaptics.exe
3864	._cache_Synaptics.exe
3864	._cache_Synaptics.exe
3864	._cache_Synaptics.exe
3864	._cache_Synaptics.exe
3864	._cache_Synaptics.exe
3864	._cache_Synaptics.exe
3792	powershell.exe
3864	._cache_Synaptics.exe
3864	._cache_Synaptics.exe
3864	._cache_Synaptics.exe
3864	._cache_Synaptics.exe
3864	._cache_Synaptics.exe
3864	._cache_Synaptics.exe
3864	._cache_Synaptics.exe
3864	._cache_Synaptics.exe
3864	._cache_Synaptics.exe
3864	._cache_Synaptics.exe
3864	._cache_Synaptics.exe
3864	._cache_Synaptics.exe
3864	._cache_Synaptics.exe
3864	._cache_Synaptics.exe
532	powershell.exe
532	powershell.exe
532	powershell.exe
2164	powershell.exe
2164	powershell.exe
2164	powershell.exe
3332	powershell.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2972	._cache_installer3.exe
Token: SeDebugPrivilege	3792	powershell.exe
Token: SeDebugPrivilege	3864	._cache_Synaptics.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	3332	powershell.exe
Token: SeDebugPrivilege	3316	powershell.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	3396	powershell.exe
Token: SeDebugPrivilege	4248	powershell.exe
Token: SeDebugPrivilege	3760	powershell.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	964	powershell.exe
Token: SeDebugPrivilege	3324	powershell.exe
Token: SeDebugPrivilege	4424	chrome.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2332	EXCEL.EXE
2332	EXCEL.EXE
2332	EXCEL.EXE
2332	EXCEL.EXE
2332	EXCEL.EXE
2332	EXCEL.EXE
2332	EXCEL.EXE
2332	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 532 wrote to memory of 2972	532	installer3.exe	86
PID 532 wrote to memory of 2972	532	installer3.exe	86
PID 532 wrote to memory of 1788	532	installer3.exe	87
PID 532 wrote to memory of 1788	532	installer3.exe	87
PID 532 wrote to memory of 1788	532	installer3.exe	87
PID 1788 wrote to memory of 3864	1788	Synaptics.exe	88
PID 1788 wrote to memory of 3864	1788	Synaptics.exe	88
PID 2972 wrote to memory of 744	2972	._cache_installer3.exe	92
PID 2972 wrote to memory of 744	2972	._cache_installer3.exe	92
PID 744 wrote to memory of 4544	744	WScript.exe	93
PID 744 wrote to memory of 4544	744	WScript.exe	93
PID 744 wrote to memory of 4172	744	WScript.exe	95
PID 744 wrote to memory of 4172	744	WScript.exe	95
PID 4172 wrote to memory of 5032	4172	wscript.exe	96
PID 4172 wrote to memory of 5032	4172	wscript.exe	96
PID 4172 wrote to memory of 3060	4172	wscript.exe	99
PID 4172 wrote to memory of 3060	4172	wscript.exe	99
PID 2972 wrote to memory of 3408	2972	._cache_installer3.exe	155
PID 2972 wrote to memory of 3408	2972	._cache_installer3.exe	155
PID 3408 wrote to memory of 2672	3408	cmd.exe	103
PID 3408 wrote to memory of 2672	3408	cmd.exe	103
PID 2972 wrote to memory of 2520	2972	._cache_installer3.exe	104
PID 2972 wrote to memory of 2520	2972	._cache_installer3.exe	104
PID 3864 wrote to memory of 4264	3864	._cache_Synaptics.exe	106
PID 3864 wrote to memory of 4264	3864	._cache_Synaptics.exe	106
PID 4264 wrote to memory of 2560	4264	WScript.exe	107
PID 4264 wrote to memory of 2560	4264	WScript.exe	107
PID 2520 wrote to memory of 4176	2520	cmd.exe	108
PID 2520 wrote to memory of 4176	2520	cmd.exe	108
PID 2972 wrote to memory of 4860	2972	._cache_installer3.exe	110
PID 2972 wrote to memory of 4860	2972	._cache_installer3.exe	110
PID 3864 wrote to memory of 4000	3864	._cache_Synaptics.exe	111
PID 3864 wrote to memory of 4000	3864	._cache_Synaptics.exe	111
PID 4172 wrote to memory of 2948	4172	wscript.exe	113
PID 4172 wrote to memory of 2948	4172	wscript.exe	113
PID 4860 wrote to memory of 5112	4860	cmd.exe	116
PID 4860 wrote to memory of 5112	4860	cmd.exe	116
PID 4000 wrote to memory of 3156	4000	cmd.exe	117
PID 4000 wrote to memory of 3156	4000	cmd.exe	117
PID 4264 wrote to memory of 4016	4264	WScript.exe	118
PID 4264 wrote to memory of 4016	4264	WScript.exe	118
PID 3864 wrote to memory of 5100	3864	._cache_Synaptics.exe	119
PID 3864 wrote to memory of 5100	3864	._cache_Synaptics.exe	119
PID 2972 wrote to memory of 4024	2972	._cache_installer3.exe	121
PID 2972 wrote to memory of 4024	2972	._cache_installer3.exe	121
PID 4016 wrote to memory of 1184	4016	wscript.exe	122
PID 4016 wrote to memory of 1184	4016	wscript.exe	122
PID 5100 wrote to memory of 1640	5100	cmd.exe	125
PID 5100 wrote to memory of 1640	5100	cmd.exe	125
PID 4024 wrote to memory of 1036	4024	cmd.exe	126
PID 4024 wrote to memory of 1036	4024	cmd.exe	126
PID 3864 wrote to memory of 5052	3864	._cache_Synaptics.exe	127
PID 3864 wrote to memory of 5052	3864	._cache_Synaptics.exe	127
PID 5052 wrote to memory of 2468	5052	cmd.exe	130
PID 5052 wrote to memory of 2468	5052	cmd.exe	130
PID 4016 wrote to memory of 3792	4016	wscript.exe	161
PID 4016 wrote to memory of 3792	4016	wscript.exe	161
PID 3864 wrote to memory of 876	3864	._cache_Synaptics.exe	132
PID 3864 wrote to memory of 876	3864	._cache_Synaptics.exe	132
PID 876 wrote to memory of 3408	876	cmd.exe	155
PID 876 wrote to memory of 3408	876	cmd.exe	155
PID 4172 wrote to memory of 532	4172	wscript.exe	135
PID 4172 wrote to memory of 532	4172	wscript.exe	135
PID 4016 wrote to memory of 2164	4016	wscript.exe	137

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\installer3.exe
"C:\Users\Admin\AppData\Local\Temp\installer3.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:532
- C:\Users\Admin\AppData\Local\Temp\._cache_installer3.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_installer3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\microboy.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:744
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Delete /TN "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-BOBO-BD9C-GG4F0859F018}" /F
      4⤵
      PID:4544
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Windows\microboy.vbs" /elevated
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4172
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Delete /TN "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-BOBO-BD9C-GG4F0859F018}" /F
        5⤵
        
        PID:5032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess 'msedge.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:532
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess 'chrome.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3332
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess 'svchost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4680
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c sc stop "Microsoft Edge Update ServIce"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3408
  - - C:\Windows\system32\sc.exe
      sc stop "Microsoft Edge Update ServIce"
      4⤵
      Launches sc.exe
      PID:2672
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c sc delete "Microsoft Edge Update ServIce"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\system32\sc.exe
      sc delete "Microsoft Edge Update ServIce"
      4⤵
      Launches sc.exe
      PID:4176
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c sc create "Microsoft Edge Update ServIce" binPath= "C:\Windows\MicrosoftWindow.bat" start= auto
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4860
  - - C:\Windows\system32\sc.exe
      sc create "Microsoft Edge Update ServIce" binPath= "C:\Windows\MicrosoftWindow.bat" start= auto
      4⤵
      Launches sc.exe
      PID:5112
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c sc start "Microsoft Edge Update ServIce"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4024
  - - C:\Windows\system32\sc.exe
      sc start "Microsoft Edge Update ServIce"
      4⤵
      Launches sc.exe
      PID:1036
- - C:\Windows\Dotfuscated\Google\Chrome\Bound.exe
    "C:\Windows\Dotfuscated\Google\Chrome\Bound.exe"
    3⤵
    - Executes dropped EXE
    PID:3512
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=in program='C:\Windows\Dotfuscated\Google\Chrome\chrome.exe'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4248
    - - C:\Windows\system32\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=in program=C:\Windows\Dotfuscated\Google\Chrome\chrome.exe
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3408
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=out program='C:\Windows\Dotfuscated\Google\Chrome\chrome.exe'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4680
    - - C:\Windows\system32\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=out program=C:\Windows\Dotfuscated\Google\Chrome\chrome.exe
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3568
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='SSTFDE(Secure Socket Trade Protocol)(SSTF-IN) Inbound' dir=in action=allow program='C:\Windows\Dotfuscated\Google\Chrome\chrome.exe' enable=yes profile=private,public"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:964
    - - C:\Windows\system32\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=SSTFDE(Secure Socket Trade Protocol)(SSTF-IN) Inbound" dir=in action=allow program=C:\Windows\Dotfuscated\Google\Chrome\chrome.exe enable=yes profile=private,public
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1944
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='SSTFDE(Secure Socket Trade Protocol)(SSTF-IN) Outbound' dir=out action=allow program='C:\Windows\Dotfuscated\Google\Chrome\chrome.exe' enable=yes profile=private,public"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3324
    - - C:\Windows\system32\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=SSTFDE(Secure Socket Trade Protocol)(SSTF-IN) Outbound" dir=out action=allow program=C:\Windows\Dotfuscated\Google\Chrome\chrome.exe enable=yes profile=private,public
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFACB.tmp.bat""
      4⤵
      PID:3552
    - - C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:664
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\System32\MicrosoftEdgeCore.vbs"
    3⤵
    - Checks computer location settings
    PID:972
  - - C:\Windows\System32\be-ID\svchost.exe
      "C:\Windows\System32\be-ID\svchost.exe" C:\Windows\System32\tlib.dll,EntryPoint
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:2916
    - - C:\Windows\Dotfuscated\Google\Chrome\chrome.exe
        
        "C:\Windows\Dotfuscated\Google\Chrome\chrome.exe"
        5⤵
        Executes dropped EXE
        
        PID:3792
      - C:\Windows\Dotfuscated\Google\Chrome\chrome.exe
        
        "C:\Windows\Dotfuscated\Google\Chrome\chrome.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        
        PID:4424
        
        C:\Windows\SYSTEM32\route.exe
        
        route delete 183.105.66.48
        7⤵
        
        PID:3712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdelete.bat""
    3⤵
    PID:3580
  - - C:\Windows\system32\timeout.exe
      timeout /t 2
      4⤵
      Delays execution with timeout.exe
      PID:2668
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3864
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\microboy.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4264
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Delete /TN "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-BOBO-BD9C-GG4F0859F018}" /F
        5⤵
        
        PID:2560
    - - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" "C:\Windows\microboy.vbs" /elevated
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4016
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Delete /TN "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-BOBO-BD9C-GG4F0859F018}" /F
        6⤵
        
        PID:1184
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3792
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess 'msedge.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3316
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess 'chrome.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3396
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess 'svchost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3760
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c sc stop "Microsoft Edge Update ServIce"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4000
    - - C:\Windows\system32\sc.exe
        
        sc stop "Microsoft Edge Update ServIce"
        5⤵
        Launches sc.exe
        
        PID:3156
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c sc delete "Microsoft Edge Update ServIce"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5100
    - - C:\Windows\system32\sc.exe
        
        sc delete "Microsoft Edge Update ServIce"
        5⤵
        Launches sc.exe
        
        PID:1640
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c sc create "Microsoft Edge Update ServIce" binPath= "C:\Windows\MicrosoftWindow.bat" start= auto
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5052
    - - C:\Windows\system32\sc.exe
        
        sc create "Microsoft Edge Update ServIce" binPath= "C:\Windows\MicrosoftWindow.bat" start= auto
        5⤵
        Launches sc.exe
        
        PID:2468
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c sc start "Microsoft Edge Update ServIce"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:876
    - - C:\Windows\system32\sc.exe
        
        sc start "Microsoft Edge Update ServIce"
        5⤵
        Launches sc.exe
        
        PID:3408
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdelete.bat""
      4⤵
      PID:1324
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 2
        5⤵
        Delays execution with timeout.exe
        
        PID:4532

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dbb22d95851b93abf2afe8fb96a8e544

SHA1
920ec5fdb323537bcf78f7e29a4fc274e657f7a4

SHA256
e1ee9af6b9e3bfd41b7d2c980580bb7427883f1169ed3df4be11293ce7895465

SHA512
16031134458bf312509044a3028be46034c544163c4ca956aee74d2075fbeb5873754d2254dc1d0b573ce1a644336ac4c8bd7147aba100bfdac8c504900ef3fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0aa63dbb46d451e47a7a682c64af776d

SHA1
3b0026f2dae8e9c491ccaa40133755779de35aaa

SHA256
9158038718d41172c22a3c1a15852405e3e1c8e2c44fa066328eb1520e5d977b

SHA512
4d2564850c2ab1bc71089412f19147df4a1cd3075aa2039aa894271b333cd9c510b7ba4d70889f24d45d8b366d8b5167abdcf24314e4753420337c7d34e7c43f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a104609feeccd32ea3c70e05ef73b89b

SHA1
d19051123a6391b5a18a4f779ff8d401de0620a4

SHA256
4cf58c2c2607030677cefe43b7a112f4e2bf6e8e58244ed82b7a3f25a2855099

SHA512
7556a3082ec13bb90c91d845e18f0cdf750a90858f951932f499bdffbe7622721cb846d3ccb24fc889a1c9ec4cf0b37ddec3092438cdb5199414530cb782e8ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9072d3c4faa83ef0f5ed5b299b75618d

SHA1
f2bb8ee12abae6da1406fc566810ce397f1d054b

SHA256
9f9196488c5ae1227d43941675252f2399ef20aebba80ed6a829822104c40475

SHA512
a7bb981438e7d0932291531f49c00ca2b57a5c44cedede2b81f5a6abeefb4f00434e0c2edb2d3ad33c21e61e88091042f9d783f9fd39b18cfd1306b450f1f6bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
64b1b1f6b80a5bbf93f76717dfb27575

SHA1
9bea769cd09664ef4367a4ddf42942fe7ebfb523

SHA256
e6188ee64c8bf29915a2efe54014d2ba019279d247423bcdab6f1610c2005e5c

SHA512
834a06add6cc1a5ad1a58cc22d0352a41c02b66911c46cee655e578d6363447930e7ffaf8c27bf6069cf2e8453c132ee2e45ac873d84a23d9b850240e443c603

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\A2C75E00

Filesize
20KB

MD5
5b8f8999cf66b4e8a48601209544138c

SHA1
65d8e49beb8d4e65b67d6850e9d57309357320fc

SHA256
077f8ec5c5872cdaff4ad6075b18f0e74f6336687e6fe81c8f89f1916bbd4691

SHA512
9120ca230addb62f9a18bbdea1c8d0b98d0900a46bff8b31ed69048373fbd1af4c9112d400a93955c0dd2796f64e4758530edad36267db91ed88419fd7eb9d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\NIy3s1mt.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\_bz2.pyd

Filesize
82KB

MD5
ae8f1119691435dab497acf4f74e48a9

SHA1
3d66b25add927a8aab7acb5f10ce80f29db17428

SHA256
ac01e1aa3248a7e956b0999e62a426396bd703aaaae389166934928552c36ba8

SHA512
ece66874a204c1014b71482f0c34b64094f6a3a4385d9cc0e805d247b29d3d9dfe30f292879705e35a40214c9717b983cc8cb5b1af7d3000325042bb3cf17f2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\_ctypes.pyd

Filesize
121KB

MD5
b8a2aa0b18b076f3138d4b6af625b1a8

SHA1
965f046846293af33401c7c0d56dd1423698f08a

SHA256
ddd2e07bd447e46bf8682953e08a52ef3dec2a16b73016a210ac88196964623c

SHA512
0b75f59db170ab74ccb5d82187171000b5a607524449576ecfc8c708e3dfc501ddec5bcb82153f20e928d6c46a7109ebf59fc32d904fe1307a280ce6f1c6bf7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\_lzma.pyd

Filesize
246KB

MD5
496778a3b05ad610daad34b752a5fcdf

SHA1
21ad508f2faab85f2304a8e0fdb687611459c653

SHA256
be5a20ea62c97abeaf1cb0c2522f4737d71701f7e1220d92470c0eeb8a99d427

SHA512
3bb10d09a61e84b4b2d19644899021cb8e91418693a11cdc0ca0aa1b861631e11101e9a9feb4ff6883f223294296f6c3634b12206b3ee6a37b37cb761078d122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\base_library.zip

Filesize
1004KB

MD5
7c74c6bf64348a68ae2b381d310793b3

SHA1
49b904ce6851c500dd7dea40bde1072c177215e4

SHA256
dac218ce45aa7fac17619a11a2ef8315d675810b6756dab57c3ce4cc296b7ae5

SHA512
f6d0776b86410d35d64610360f0935ef9605325304294ba669c5d175595f88296c8d2f2085c3e14e3cba4e398ff837b0e8c484fd128b1881faac09df633c9f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\python3.dll

Filesize
57KB

MD5
11a8500bc31356fae07dd604d6662efb

SHA1
4b260e5105131cdcae9313d1833cce0004c02858

SHA256
521f17a2caab35730bfdccb954704a6ffc035d4f7ea24208c76f6a45f30fd0b6

SHA512
15f967bdf3c64c7435bfa48fe4a8c3157b4568c08f396bc20fde7cb802aa0a633afaa987b1ebdf7851c6aa405e65f28d754bca8e06ff0a3b54f6da9a6d81d7c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\python38.dll

Filesize
4.0MB

MD5
147281c6864c61225284fc29dd189f37

SHA1
f9affa883855c85f339ac697e4f2942dd06a3a2e

SHA256
c5d4495bb879cc52a5076e1f366f330aa006d1e7e34c6b640a98378746244099

SHA512
ec5d36cda7689f6f9889ff0fdf2d946704c930a030d7254b901db78c4591a3f4fde0fe75a841ae91c2f0881edaf75b36d04e81e3d8605b81df4bc9195a09d056

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37922\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sdz1neih.hby.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\selfdelete.bat

Filesize
188B

MD5
e80f6f16a7416484e6e47d8e3be9fbc0

SHA1
af587b284a0a7e0b86ad52ec8d5286f707e84538

SHA256
71bf36eff3ecebb81d2449c09ddf5e25b6ce96172c6e136244a5b993dd5974d6

SHA512
964b28dab05289ce778cb2a2623644b12a654135157a9af68a92ec93d715cd014f302e17447d9f7eee96cba3ec50990b7bd3256ce78d566e6338e0fd8f1b4b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFACB.tmp.bat

Filesize
149B

MD5
b1e083971d0025aebd1efd1b6c2db408

SHA1
ffa98d52772bafb4eef1f6c27c9739932308c3ba

SHA256
e4d84488b2d58ebf5efa48a513dccd6e16aa619c93bc51865cfca646d615b29c

SHA512
7380ecf83f3d390e473f2d2895af8c530418f0e30fb196a67a14b01eaada9fd30fc7f30fa05e8141ddab419ee533c9578da3ba72212a0ca35b4384c928afcb73

Download Submit
C:\Windows\Dotfuscated\Google\Chrome\Bound.exe

Filesize
120KB

MD5
1a84e8b19c5594acc1f1a643a3f79ab2

SHA1
afa563efe41d4be521b6cbbbcb9d816ab7ae7b6f

SHA256
c39198797d4d00ab327456214dfc2346faf7988bc363ffee07d22a82dbb73995

SHA512
ef863fce3ac55936ab284c555f63b2a354ee753186869987d4077c341c04f8fc292567028d447174ce48cb36d365c8ea9cd0eb186623610a6679ab38995d769c

Download Submit
C:\Windows\MicrosoftWindow.bat

Filesize
144B

MD5
ef4431f1f11097009995b3203f1a8c4e

SHA1
8940d2aa0e23b8977eb9ebe17d3e8f74baf249f0

SHA256
03f658d4aa9e333f96e9a8ec119c027396ad5933b8d2945b283d68d34fba1faa

SHA512
9f66ce022a4e41cc03167b4ce36b9450008af99b726684b0ed44d31e7e6677028124ad6f257bb92b6cb1a130e180663383ea66c74cacbc8a8010724314d5353f

Download Submit
C:\Windows\System32\SystemBack\MicrosoftEdgeCore.vbs

Filesize
1KB

MD5
75d8f74fe37df49b866abd5a9f323999

SHA1
a010e31a4a570ac2deb2ab76223668c8c19267e8

SHA256
50b59a7c5d5d6faf76da51ab8e33dec0864600662f1672ed58f569c7fd6e96e7

SHA512
dd47f1382d33f13fda337f81e21179562fd11906e00eed23b090cdeea82e13e99fdb8dcd19d464b9dbe622ed4b9b8ac1270207a21b4b369d152f8fec9f78fdd3

Download Submit
C:\Windows\System32\SystemBack\MicrosoftMACHINE.vbs

Filesize
2KB

MD5
e925bb2769652e05d64f12fa47f9aad6

SHA1
e0472b755ba3139a97e68b3a21e9a011bc34d130

SHA256
1ba6ea7cbd8c0982dd24f5dea9bc203d76ee24e9e4a3a65a48700e5f59e6fe06

SHA512
ea1b252051e5efb48e0cc2ce932099399f00cedf0c6041374381093bedb2a4f404a2f5d94a69b503c590fa4016bbde257d25a89f460f461036092810d7c375cd

Download Submit
C:\Windows\System32\SystemBack\chrome.exe

Filesize
61.1MB

MD5
cd157c45cbf8278ab67341c648aacb4d

SHA1
bd711106b7f138610ec16b3787560f77acdfda1e

SHA256
bebc05af8d51056f5cab949ee81451e1d312edfd223fdffdc6d4155a46b18de7

SHA512
13d9aa3f63c2b10c2eefa5aa8fc93cac0a163b1304f3b3d70006e04b08ef12cbf7afba47a06c1355f9f1c0794ea5c92b853bdb96cee599c6261826d85aa7038d

Download Submit
C:\Windows\System32\SystemBack\tlib.dll

Filesize
103KB

MD5
ec5266dbfc2df559988246e4c2b54151

SHA1
5f4864f378b6ffcdbcce739f33c0b33ff79d2f35

SHA256
9eca0aa437ae9c2079f11801acf9f7a2ae84c491b1c35933e7490c4e1f4e4c52

SHA512
7bfffa7b7c88f6f1849dde188f15f248140fa7e3bef91be959bf21ec0cbdf68b24491412bb0afd84cbe63dfbd308b8317e53ed2fa68501656211d32f7fddc683

Download Submit
C:\Windows\System32\be-ID\svchost.exe

Filesize
64KB

MD5
fc4d23ee35a8ea3f6dc0636bf5b8cb29

SHA1
ea6f004d81b09aea8a4ffd14fde4add62e4a549c

SHA256
e9e592d3da945a42ac78f6c22435ddda13f354f0a5ee61153dd2ccc7680a6775

SHA512
558c2efbc0bde4b90369d58825bd547f88042d2afcae07c22d9d6ea1c0777b16cc92bf3301640d37ea6ec671ad192fe1ed8cb9a2adba8a0aed20048d87373502

Download Submit
C:\Windows\System32\safeChrome.vbs

Filesize
1KB

MD5
6d10ddcf0d7c64ea6673823d26f20fa0

SHA1
6d1079a25c756f5580eecbd28f0c91f813b435db

SHA256
c100849a38133e76457efb6795d7560bddb1b268e215b74a4c7d4a8462d71f56

SHA512
66b3c880da621e90bd5c92c2e2ccee583b09a4d48f265ce1b45a0f32bbea21f279a860eb387a2058c3f2e4c263b8cb36d0ea4b77d241985cc011a88a9eb0c691

Download Submit
C:\Windows\microboy.vbs

Filesize
1KB

MD5
7d04c5353c0128ccf7e064e06a9e5604

SHA1
33d206239c9faa19b0557d172b61fc4fb0a00189

SHA256
6cc5e97ebd8e332dd749e9937d97c716aa0f7cc5e667884b8606bf4e2acabb04

SHA512
3bd32ba6794d83ac39ac7dd3819a4ceb499427f3df3fa50da7949b45818a4a38bfeb846c30e14c7727d1f8898bbb76618a357c0581f6a0af63565eb5dd09853e

Download Submit
memory/532-128-0x0000000000400000-0x000000000427C000-memory.dmp

Filesize
62.5MB

Download
memory/532-0-0x0000000006010000-0x0000000006011000-memory.dmp

Filesize
4KB

Download
memory/1788-248-0x0000000000400000-0x000000000427C000-memory.dmp

Filesize
62.5MB

Download
memory/1788-198-0x0000000000400000-0x000000000427C000-memory.dmp

Filesize
62.5MB

Download
memory/2332-196-0x00007FF891D10000-0x00007FF891D20000-memory.dmp

Filesize
64KB

Download
memory/2332-191-0x00007FF893ED0000-0x00007FF893EE0000-memory.dmp

Filesize
64KB

Download
memory/2332-193-0x00007FF893ED0000-0x00007FF893EE0000-memory.dmp

Filesize
64KB

Download
memory/2332-192-0x00007FF893ED0000-0x00007FF893EE0000-memory.dmp

Filesize
64KB

Download
memory/2332-194-0x00007FF893ED0000-0x00007FF893EE0000-memory.dmp

Filesize
64KB

Download
memory/2332-195-0x00007FF893ED0000-0x00007FF893EE0000-memory.dmp

Filesize
64KB

Download
memory/2332-197-0x00007FF891D10000-0x00007FF891D20000-memory.dmp

Filesize
64KB

Download
memory/2972-132-0x000002B2B12E0000-0x000002B2B12E6000-memory.dmp

Filesize
24KB

Download
memory/2972-125-0x000002B2AD170000-0x000002B2B0F32000-memory.dmp

Filesize
61.8MB

Download
memory/2972-237-0x000002B2D3C50000-0x000002B2D79DC000-memory.dmp

Filesize
61.5MB

Download
memory/2972-238-0x000002B2B1370000-0x000002B2B1376000-memory.dmp

Filesize
24KB

Download
memory/3060-258-0x000002100F900000-0x000002100F922000-memory.dmp

Filesize
136KB

Download
memory/3512-401-0x0000023F158A0000-0x0000023F158A6000-memory.dmp

Filesize
24KB

Download
memory/3512-388-0x0000023F15820000-0x0000023F15838000-memory.dmp

Filesize
96KB

Download
memory/3512-377-0x0000023F15810000-0x0000023F15816000-memory.dmp

Filesize
24KB

Download
memory/3512-376-0x0000023F15450000-0x0000023F15476000-memory.dmp

Filesize
152KB

Download
memory/4424-624-0x0000021E2F390000-0x0000021E2F391000-memory.dmp

Filesize
4KB

Download
memory/4424-618-0x0000021E2F390000-0x0000021E2F391000-memory.dmp

Filesize
4KB

Download
memory/4424-640-0x0000021E2F390000-0x0000021E2F391000-memory.dmp

Filesize
4KB

Download
memory/4424-638-0x0000021E2F390000-0x0000021E2F391000-memory.dmp

Filesize
4KB

Download
memory/4424-636-0x0000021E2F390000-0x0000021E2F391000-memory.dmp

Filesize
4KB

Download
memory/4424-634-0x0000021E2F390000-0x0000021E2F391000-memory.dmp

Filesize
4KB

Download
memory/4424-632-0x0000021E2F390000-0x0000021E2F391000-memory.dmp

Filesize
4KB

Download
memory/4424-630-0x0000021E2F390000-0x0000021E2F391000-memory.dmp

Filesize
4KB

Download
memory/4424-628-0x0000021E2F390000-0x0000021E2F391000-memory.dmp

Filesize
4KB

Download
memory/4424-626-0x0000021E2F390000-0x0000021E2F391000-memory.dmp

Filesize
4KB

Download
memory/4424-644-0x0000021E2F390000-0x0000021E2F391000-memory.dmp

Filesize
4KB

Download
memory/4424-622-0x0000021E2F390000-0x0000021E2F391000-memory.dmp

Filesize
4KB

Download
memory/4424-620-0x0000021E2F390000-0x0000021E2F391000-memory.dmp

Filesize
4KB

Download
memory/4424-642-0x0000021E2F390000-0x0000021E2F391000-memory.dmp

Filesize
4KB

Download
memory/4424-616-0x0000021E2F390000-0x0000021E2F391000-memory.dmp

Filesize
4KB

Download
memory/4424-614-0x0000021E2F390000-0x0000021E2F391000-memory.dmp

Filesize
4KB

Download
memory/4424-612-0x0000021E2F390000-0x0000021E2F391000-memory.dmp

Filesize
4KB

Download
memory/4424-610-0x0000021E2F390000-0x0000021E2F391000-memory.dmp

Filesize
4KB

Download
memory/4424-608-0x0000021E2F390000-0x0000021E2F391000-memory.dmp

Filesize
4KB

Download
memory/4424-606-0x0000021E2F390000-0x0000021E2F391000-memory.dmp

Filesize
4KB

Download
memory/4424-604-0x0000021E2F390000-0x0000021E2F391000-memory.dmp

Filesize
4KB

Download
memory/4424-602-0x0000021E2F390000-0x0000021E2F391000-memory.dmp

Filesize
4KB

Download
memory/4424-600-0x0000021E2F390000-0x0000021E2F391000-memory.dmp

Filesize
4KB

Download
memory/4424-598-0x0000021E2F390000-0x0000021E2F391000-memory.dmp

Filesize
4KB

Download
memory/4424-596-0x0000021E2F390000-0x0000021E2F391000-memory.dmp

Filesize
4KB

Download
memory/4424-595-0x0000021E2F380000-0x0000021E2F381000-memory.dmp

Filesize
4KB

Download
memory/4424-646-0x0000021E2F390000-0x0000021E2F391000-memory.dmp

Filesize
4KB

Download
memory/4424-648-0x0000021E2F390000-0x0000021E2F391000-memory.dmp

Filesize
4KB

Download