xred | 807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2025 04:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
Size

62.5MB
MD5

4c7a118d52a8085b27ba6adbbf8b319f
SHA1

2bc99901e41cea3c38688ee946c3c324a72a7af4
SHA256

807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e
SHA512

d673344a02500eb4082ddd7593e4e351fd8a56f77844d1e69c5b41c1d5aa28323329aacbf0350c83e300e8c6a992fa7b4a9661e764a1308729945c488592fba1
SSDEEP

1572864:C5+ynVfeK9AHadZkQd9cYrL6on7dRBlDdI39FjuowqqSBvnvD:C+ynVJ9Hk4Gs7dRvdcfCwvD

Score

10^/10

xred backdoor defense_evasion discovery execution persistence privilege_escalation

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1944	powershell.exe
3076	powershell.exe
508	powershell.exe
1192	powershell.exe
696	powershell.exe
4180	powershell.exe
3280	powershell.exe
3084	powershell.exe
4888	powershell.exe
4044	powershell.exe
4716	powershell.exe
4244	powershell.exe
760	powershell.exe
5224	powershell.exe
5632	powershell.exe
1392	powershell.exe
3876	powershell.exe
4792	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Modifies Windows Firewall 2 TTPs 8 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1688	netsh.exe
5368	netsh.exe
6056	netsh.exe
2220	netsh.exe
3516	netsh.exe
4772	netsh.exe
3132	netsh.exe
9900	netsh.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation	807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 11 IoCs

pid	Process
2976	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
2064	Synaptics.exe
2344	._cache_Synaptics.exe
5016	Bound.exe
620	svchost.exe
3732	chrome.exe
4220	chrome.exe
4040	Bound.exe
5176	svchost.exe
5280	chrome.exe
6020	chrome.exe

Loads dropped DLL 64 IoCs

pid	Process
620	svchost.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
4220	chrome.exe
5176	svchost.exe
6020	chrome.exe
6020	chrome.exe
6020	chrome.exe
6020	chrome.exe
6020	chrome.exe
6020	chrome.exe
6020	chrome.exe
6020	chrome.exe
6020	chrome.exe
6020	chrome.exe
6020	chrome.exe
6020	chrome.exe
6020	chrome.exe
6020	chrome.exe
6020	chrome.exe
6020	chrome.exe
6020	chrome.exe
6020	chrome.exe
6020	chrome.exe
6020	chrome.exe
6020	chrome.exe
6020	chrome.exe
6020	chrome.exe
6020	chrome.exe
6020	chrome.exe
6020	chrome.exe
6020	chrome.exe
6020	chrome.exe
6020	chrome.exe
6020	chrome.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\be-ID	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
File created	C:\Windows\System32\MicrosoftEdgeCore.vbs	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
File created	C:\Windows\System32\safeChrome.vbs	._cache_Synaptics.exe
File created	C:\Windows\System32\MicrosoftEdgeCore.vbs	._cache_Synaptics.exe
File opened for modification	C:\Windows\System32\be-ID	._cache_Synaptics.exe
File created	C:\Windows\System32\SystemBack\tlib.dll	._cache_Synaptics.exe
File created	C:\Windows\System32\SystemBack\MicrosoftMACHINE.vbs	._cache_Synaptics.exe
File created	C:\Windows\System32\be-ID\svchost.exe	._cache_Synaptics.exe
File created	C:\Windows\System32\tlib.dll	._cache_Synaptics.exe
File created	C:\Windows\System32\SystemBack\chrome.exe	._cache_Synaptics.exe
File created	C:\Windows\System32\SystemBack\tlib.dll	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
File created	C:\Windows\System32\MicrosoftMACHINE.vbs	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
File created	C:\Windows\System32\SystemBack\MicrosoftMACHINE.vbs	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
File created	C:\Windows\System32\safeChrome.vbs	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
File opened for modification	C:\Windows\System32\SystemBack	._cache_Synaptics.exe
File opened for modification	C:\Windows\System32\MicrosoftMACHINE.vbs	._cache_Synaptics.exe
File created	C:\Windows\System32\SystemBack\MicrosoftEdgeCore.vbs	._cache_Synaptics.exe
File created	C:\Windows\System32\SystemBack\svchost.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\System32\SystemBack	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
File created	C:\Windows\System32\SystemBack\MicrosoftEdgeCore.vbs	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
File created	C:\Windows\System32\SystemBack\chrome.exe	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
File created	C:\Windows\System32\be-ID\svchost.exe	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
File created	C:\Windows\System32\tlib.dll	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
File created	C:\Windows\System32\SystemBack\svchost.exe	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4220	chrome.exe
6020	chrome.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\MicrosoftWindow.bat	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
File opened for modification	C:\Windows\Dotfuscated\Google\Chrome	._cache_Synaptics.exe
File created	C:\Windows\MicrosoftWindow.bat	._cache_Synaptics.exe
File created	C:\Windows\Dotfuscated\Google\Chrome\Bound.exe	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
File opened for modification	C:\Windows\Dotfuscated\Google\Chrome	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
File created	C:\Windows\Dotfuscated\Google\Chrome\chrome.exe	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
File created	C:\Windows\Dotfuscated\Google\Chrome\chrome.exe	._cache_Synaptics.exe
File created	C:\Windows\Dotfuscated\Google\Chrome\Bound.exe	._cache_Synaptics.exe
File created	C:\Windows\microboy.vbs	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2668	sc.exe
4296	sc.exe
1752	sc.exe
3436	sc.exe
2784	sc.exe
508	sc.exe
1752	sc.exe
1676	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 24 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
10000	PING.EXE
5312	PING.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
4552	timeout.exe
1332	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies data under HKEY_USERS 21 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings	._cache_Synaptics.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
10000	PING.EXE
5312	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2280	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1944	powershell.exe
1944	powershell.exe
1944	powershell.exe
2976	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
2976	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
2976	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
2976	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
2976	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
2976	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
2976	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
2976	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
2976	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
2976	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
2976	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
2976	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
2976	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
2976	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
2976	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
2976	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
2976	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
2976	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
2976	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
2976	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
2976	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
2976	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
3280	powershell.exe
3280	powershell.exe
3280	powershell.exe
3076	powershell.exe
3076	powershell.exe
3076	powershell.exe
3084	powershell.exe
3084	powershell.exe
3084	powershell.exe
508	powershell.exe
508	powershell.exe
508	powershell.exe
4888	powershell.exe
4888	powershell.exe
1192	powershell.exe
1192	powershell.exe
1192	powershell.exe
4888	powershell.exe
3876	powershell.exe
3876	powershell.exe
3876	powershell.exe
620	svchost.exe
620	svchost.exe
4044	powershell.exe
4044	powershell.exe
696	powershell.exe
696	powershell.exe
4044	powershell.exe
696	powershell.exe
4792	powershell.exe
4792	powershell.exe
4792	powershell.exe
4716	powershell.exe
4716	powershell.exe
4716	powershell.exe
4244	powershell.exe
4244	powershell.exe
4244	powershell.exe
4180	powershell.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	2976	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
Token: SeDebugPrivilege	3280	powershell.exe
Token: SeDebugPrivilege	3076	powershell.exe
Token: SeDebugPrivilege	3084	powershell.exe
Token: SeDebugPrivilege	508	powershell.exe
Token: SeDebugPrivilege	4888	powershell.exe
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeDebugPrivilege	3876	powershell.exe
Token: SeDebugPrivilege	696	powershell.exe
Token: SeDebugPrivilege	4044	powershell.exe
Token: SeDebugPrivilege	4792	powershell.exe
Token: SeDebugPrivilege	4716	powershell.exe
Token: SeDebugPrivilege	4244	powershell.exe
Token: SeDebugPrivilege	4180	powershell.exe
Token: SeDebugPrivilege	4220	chrome.exe
Token: SeDebugPrivilege	2344	._cache_Synaptics.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	5224	powershell.exe
Token: SeDebugPrivilege	5632	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	6020	chrome.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2280	EXCEL.EXE
2280	EXCEL.EXE
2280	EXCEL.EXE
2280	EXCEL.EXE
2280	EXCEL.EXE
2280	EXCEL.EXE
2280	EXCEL.EXE
2280	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 2976	4724	807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe	86
PID 4724 wrote to memory of 2976	4724	807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe	86
PID 4724 wrote to memory of 2064	4724	807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe	87
PID 4724 wrote to memory of 2064	4724	807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe	87
PID 4724 wrote to memory of 2064	4724	807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe	87
PID 2064 wrote to memory of 2344	2064	Synaptics.exe	88
PID 2064 wrote to memory of 2344	2064	Synaptics.exe	88
PID 2976 wrote to memory of 4896	2976	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe	140
PID 2976 wrote to memory of 4896	2976	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe	140
PID 4896 wrote to memory of 320	4896	WScript.exe	94
PID 4896 wrote to memory of 320	4896	WScript.exe	94
PID 4896 wrote to memory of 3124	4896	WScript.exe	96
PID 4896 wrote to memory of 3124	4896	WScript.exe	96
PID 3124 wrote to memory of 4792	3124	wscript.exe	159
PID 3124 wrote to memory of 4792	3124	wscript.exe	159
PID 2976 wrote to memory of 2156	2976	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe	99
PID 2976 wrote to memory of 2156	2976	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe	99
PID 3124 wrote to memory of 1944	3124	wscript.exe	101
PID 3124 wrote to memory of 1944	3124	wscript.exe	101
PID 2156 wrote to memory of 3436	2156	cmd.exe	102
PID 2156 wrote to memory of 3436	2156	cmd.exe	102
PID 2976 wrote to memory of 3776	2976	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe	104
PID 2976 wrote to memory of 3776	2976	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe	104
PID 2344 wrote to memory of 4916	2344	._cache_Synaptics.exe	106
PID 2344 wrote to memory of 4916	2344	._cache_Synaptics.exe	106
PID 3776 wrote to memory of 2784	3776	cmd.exe	107
PID 3776 wrote to memory of 2784	3776	cmd.exe	107
PID 4916 wrote to memory of 232	4916	WScript.exe	108
PID 4916 wrote to memory of 232	4916	WScript.exe	108
PID 2976 wrote to memory of 3716	2976	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe	109
PID 2976 wrote to memory of 3716	2976	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe	109
PID 3716 wrote to memory of 508	3716	cmd.exe	136
PID 3716 wrote to memory of 508	3716	cmd.exe	136
PID 2976 wrote to memory of 980	2976	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe	113
PID 2976 wrote to memory of 980	2976	._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe	113
PID 4916 wrote to memory of 720	4916	WScript.exe	115
PID 4916 wrote to memory of 720	4916	WScript.exe	115
PID 980 wrote to memory of 1752	980	cmd.exe	138
PID 980 wrote to memory of 1752	980	cmd.exe	138
PID 720 wrote to memory of 4004	720	wscript.exe	117
PID 720 wrote to memory of 4004	720	wscript.exe	117
PID 3124 wrote to memory of 3280	3124	wscript.exe	119
PID 3124 wrote to memory of 3280	3124	wscript.exe	119
PID 2344 wrote to memory of 4620	2344	._cache_Synaptics.exe	121
PID 2344 wrote to memory of 4620	2344	._cache_Synaptics.exe	121
PID 720 wrote to memory of 3076	720	wscript.exe	123
PID 720 wrote to memory of 3076	720	wscript.exe	123
PID 4620 wrote to memory of 1676	4620	cmd.exe	143
PID 4620 wrote to memory of 1676	4620	cmd.exe	143
PID 2344 wrote to memory of 4824	2344	._cache_Synaptics.exe	126
PID 2344 wrote to memory of 4824	2344	._cache_Synaptics.exe	126
PID 4824 wrote to memory of 2668	4824	cmd.exe	147
PID 4824 wrote to memory of 2668	4824	cmd.exe	147
PID 2344 wrote to memory of 1188	2344	._cache_Synaptics.exe	129
PID 2344 wrote to memory of 1188	2344	._cache_Synaptics.exe	129
PID 1188 wrote to memory of 4296	1188	cmd.exe	131
PID 1188 wrote to memory of 4296	1188	cmd.exe	131
PID 3124 wrote to memory of 3084	3124	wscript.exe	132
PID 3124 wrote to memory of 3084	3124	wscript.exe	132
PID 2344 wrote to memory of 452	2344	._cache_Synaptics.exe	134
PID 2344 wrote to memory of 452	2344	._cache_Synaptics.exe	134
PID 720 wrote to memory of 508	720	wscript.exe	136
PID 720 wrote to memory of 508	720	wscript.exe	136
PID 452 wrote to memory of 1752	452	cmd.exe	138

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
"C:\Users\Admin\AppData\Local\Temp\807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Users\Admin\AppData\Local\Temp\._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\microboy.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4896
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Delete /TN "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-BOBO-BD9C-GG4F0859F018}" /F
      4⤵
      PID:320
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Windows\microboy.vbs" /elevated
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3124
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Delete /TN "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-BOBO-BD9C-GG4F0859F018}" /F
        5⤵
        
        PID:4792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess 'msedge.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess 'chrome.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess 'svchost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4044
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c sc stop "Microsoft Edge Update ServIce"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\system32\sc.exe
      sc stop "Microsoft Edge Update ServIce"
      4⤵
      Launches sc.exe
      PID:3436
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c sc delete "Microsoft Edge Update ServIce"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3776
  - - C:\Windows\system32\sc.exe
      sc delete "Microsoft Edge Update ServIce"
      4⤵
      Launches sc.exe
      PID:2784
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c sc create "Microsoft Edge Update ServIce" binPath= "C:\Windows\MicrosoftWindow.bat" start= auto
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3716
  - - C:\Windows\system32\sc.exe
      sc create "Microsoft Edge Update ServIce" binPath= "C:\Windows\MicrosoftWindow.bat" start= auto
      4⤵
      Launches sc.exe
      PID:508
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c sc start "Microsoft Edge Update ServIce"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:980
  - - C:\Windows\system32\sc.exe
      sc start "Microsoft Edge Update ServIce"
      4⤵
      Launches sc.exe
      PID:1752
- - C:\Windows\Dotfuscated\Google\Chrome\Bound.exe
    "C:\Windows\Dotfuscated\Google\Chrome\Bound.exe"
    3⤵
    - Executes dropped EXE
    PID:5016
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=in program='C:\Windows\Dotfuscated\Google\Chrome\chrome.exe'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3876
    - - C:\Windows\system32\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=in program=C:\Windows\Dotfuscated\Google\Chrome\chrome.exe
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3516
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=out program='C:\Windows\Dotfuscated\Google\Chrome\chrome.exe'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4792
    - - C:\Windows\system32\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=out program=C:\Windows\Dotfuscated\Google\Chrome\chrome.exe
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4772
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='SSTFDE(Secure Socket Trade Protocol)(SSTF-IN) Inbound' dir=in action=allow program='C:\Windows\Dotfuscated\Google\Chrome\chrome.exe' enable=yes profile=private,public"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4716
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3816
    - - C:\Windows\system32\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=SSTFDE(Secure Socket Trade Protocol)(SSTF-IN) Inbound" dir=in action=allow program=C:\Windows\Dotfuscated\Google\Chrome\chrome.exe enable=yes profile=private,public
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3132
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='SSTFDE(Secure Socket Trade Protocol)(SSTF-IN) Outbound' dir=out action=allow program='C:\Windows\Dotfuscated\Google\Chrome\chrome.exe' enable=yes profile=private,public"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4244
    - - C:\Windows\system32\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=SSTFDE(Secure Socket Trade Protocol)(SSTF-IN) Outbound" dir=out action=allow program=C:\Windows\Dotfuscated\Google\Chrome\chrome.exe enable=yes profile=private,public
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:9900
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp269E.tmp.bat""
      4⤵
      PID:9952
    - - C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:10000
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\System32\MicrosoftEdgeCore.vbs"
    3⤵
    - Checks computer location settings
    PID:3816
  - - C:\Windows\System32\be-ID\svchost.exe
      "C:\Windows\System32\be-ID\svchost.exe" C:\Windows\System32\tlib.dll,EntryPoint
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:620
    - - C:\Windows\Dotfuscated\Google\Chrome\chrome.exe
        
        "C:\Windows\Dotfuscated\Google\Chrome\chrome.exe"
        5⤵
        Executes dropped EXE
        
        PID:3732
      - C:\Windows\Dotfuscated\Google\Chrome\chrome.exe
        
        "C:\Windows\Dotfuscated\Google\Chrome\chrome.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        
        PID:4220
        
        C:\Windows\SYSTEM32\route.exe
        
        route delete 183.105.66.48
        7⤵
        
        PID:10044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdelete.bat""
    3⤵
    PID:364
  - - C:\Windows\system32\timeout.exe
      timeout /t 2
      4⤵
      Delays execution with timeout.exe
      PID:1332
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\microboy.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4916
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Delete /TN "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-BOBO-BD9C-GG4F0859F018}" /F
        5⤵
        
        PID:232
    - - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" "C:\Windows\microboy.vbs" /elevated
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:720
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Delete /TN "MicrosoftEdgeUpdateTaskMachineCore{53F2EB3B-2C85-BOBO-BD9C-GG4F0859F018}" /F
        6⤵
        
        PID:4004
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3076
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:508
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess 'msedge.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2668
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess 'chrome.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:696
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess 'svchost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4180
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c sc stop "Microsoft Edge Update ServIce"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4620
    - - C:\Windows\system32\sc.exe
        
        sc stop "Microsoft Edge Update ServIce"
        5⤵
        Launches sc.exe
        
        PID:1676
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c sc delete "Microsoft Edge Update ServIce"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4824
    - - C:\Windows\system32\sc.exe
        
        sc delete "Microsoft Edge Update ServIce"
        5⤵
        Launches sc.exe
        
        PID:2668
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c sc create "Microsoft Edge Update ServIce" binPath= "C:\Windows\MicrosoftWindow.bat" start= auto
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1188
    - - C:\Windows\system32\sc.exe
        
        sc create "Microsoft Edge Update ServIce" binPath= "C:\Windows\MicrosoftWindow.bat" start= auto
        5⤵
        Launches sc.exe
        
        PID:4296
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c sc start "Microsoft Edge Update ServIce"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:452
    - - C:\Windows\system32\sc.exe
        
        sc start "Microsoft Edge Update ServIce"
        5⤵
        Launches sc.exe
        
        PID:1752
  - - C:\Windows\Dotfuscated\Google\Chrome\Bound.exe
      "C:\Windows\Dotfuscated\Google\Chrome\Bound.exe"
      4⤵
      Executes dropped EXE
      PID:4040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=in program='C:\Windows\Dotfuscated\Google\Chrome\chrome.exe'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
      - C:\Windows\system32\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=in program=C:\Windows\Dotfuscated\Google\Chrome\chrome.exe
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=out program='C:\Windows\Dotfuscated\Google\Chrome\chrome.exe'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5224
      - C:\Windows\system32\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=out program=C:\Windows\Dotfuscated\Google\Chrome\chrome.exe
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='SSTFDE(Secure Socket Trade Protocol)(SSTF-IN) Inbound' dir=in action=allow program='C:\Windows\Dotfuscated\Google\Chrome\chrome.exe' enable=yes profile=private,public"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5632
      - C:\Windows\system32\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=SSTFDE(Secure Socket Trade Protocol)(SSTF-IN) Inbound" dir=in action=allow program=C:\Windows\Dotfuscated\Google\Chrome\chrome.exe enable=yes profile=private,public
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='SSTFDE(Secure Socket Trade Protocol)(SSTF-IN) Outbound' dir=out action=allow program='C:\Windows\Dotfuscated\Google\Chrome\chrome.exe' enable=yes profile=private,public"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
      - C:\Windows\system32\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=SSTFDE(Secure Socket Trade Protocol)(SSTF-IN) Outbound" dir=out action=allow program=C:\Windows\Dotfuscated\Google\Chrome\chrome.exe enable=yes profile=private,public
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2220
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp47E1.tmp.bat""
        5⤵
        
        PID:2200
      - C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 2
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5312
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\System32\MicrosoftEdgeCore.vbs"
      4⤵
      Checks computer location settings
      PID:5124
    - - C:\Windows\System32\be-ID\svchost.exe
        
        "C:\Windows\System32\be-ID\svchost.exe" C:\Windows\System32\tlib.dll,EntryPoint
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5176
      - C:\Windows\Dotfuscated\Google\Chrome\chrome.exe
        
        "C:\Windows\Dotfuscated\Google\Chrome\chrome.exe"
        6⤵
        Executes dropped EXE
        
        PID:5280
        
        C:\Windows\Dotfuscated\Google\Chrome\chrome.exe
        
        "C:\Windows\Dotfuscated\Google\Chrome\chrome.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        
        PID:6020
        
        C:\Windows\SYSTEM32\route.exe
        
        route delete 183.105.66.48
        8⤵
        
        PID:320

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\MicrosoftWindow.bat
1⤵
PID:1236
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\Windows\System32\safeChrome.vbs"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4896
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Windows\System32\safeChrome.vbs" /elevated
    3⤵
    - Modifies data under HKEY_USERS
    PID:4576
- C:\Windows\system32\timeout.exe
  timeout /t 5 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4552
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1676
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\Windows\System32\MicrosoftMACHINE.vbs"
  2⤵
  - Modifies data under HKEY_USERS
  PID:10036
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Windows\System32\MicrosoftMACHINE.vbs" /elevated
    3⤵
    - Modifies data under HKEY_USERS
    PID:10136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
da5c82b0e070047f7377042d08093ff4

SHA1
89d05987cd60828cca516c5c40c18935c35e8bd3

SHA256
77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

SHA512
7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
46bf20e17dec660ef09b16e41372a7c3

SHA1
cf8daa89a45784a385b75cf5e90d3f59706ac5d5

SHA256
719589acc67594a2add00dca3c097551163199edbdd59a7f62f783871ef96e17

SHA512
91225c1aac17fa26ec00913d5e96950ed11d44a1fd28f34a1810fe143176864cf2b9624dc053183d8f28db5a3903c5e092aab180fb21ce2a3775223ee111df54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e58749a7a1826f6ea62df1e2ef63a32b

SHA1
c0bca21658b8be4f37b71eec9578bfefa44f862d

SHA256
0e1f0e684adb40a5d0668df5fed007c9046137d7ae16a1f2f343b139d5f9bc93

SHA512
4cf45b2b11ab31e7f67fff286b29d50ed28cd6043091144c5c0f1348b5f5916ed7479cf985595e6f096b586ab93b4b5dce612f688049b8366a2dd91863e98b70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
77cf227c992d1b5e7ca65bb19f6aa9e1

SHA1
e3b09d65db1a26a19d345150e6482501ab94ca27

SHA256
502dccaa523a2d5d1b5d9d1878f2a8c2dac7d7d00a6e95a8460e7f436aaaf18c

SHA512
4c1e97f3db14d30dcda534dc788449fc70018fc0fc0c05cd18e192567bf865242bedff7c1622b0b4f940477af777fc5df68329ec2b39da8610d5466ffc562e53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e2f234d51ad3a327ac678b109e88af80

SHA1
cba78cf94a43df3a807bbe209a2e0f478434476b

SHA256
ab75db4c2e4fb68536d5be743e9ca1b4dd7c2681a7e0af4563d8622534cc6786

SHA512
b5ca50737d450cc171b27f087eeb1000380d7b5dcae88a8e59121c6d14403fc4ea6f4dc97be9d2217035159781b0646ae31a0b1c687ca19885b881e542b7b8dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
54522d22658e4f8f87ecb947b71b8feb

SHA1
6a6144bdf9c445099f52211b6122a2ecf72b77e9

SHA256
af18fc4864bc2982879aed928c960b6266f372c928f8c9632c5a4eecd64e448a

SHA512
55f2c5a455be20dcb4cb93a29e5389e0422237bdd7ac40112fec6f16a36e5e19df50d25d39a6d5acb2d41a96514c7ecd8631ce8e67c4ff04997282f49d947aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\90E75E00

Filesize
22KB

MD5
eb5f6b66b9dff234c3d75c3b2ab19925

SHA1
c6630e3dc9c14c77ef0370e337b9f79b2ac8b828

SHA256
6ba960d8bdfac70a89cbf85bbfe5708ef8f39860cd6d47f562b7772c6335c957

SHA512
427a71e643c9a72d89fe6a3142d0b65d09bacd9130e667394bd888ef777af032592b479f6d3b13091edf4803baebe4c2237d9f4f4bb1ca9143ec556e72cb1fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37322\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37322\_bz2.pyd

Filesize
82KB

MD5
ae8f1119691435dab497acf4f74e48a9

SHA1
3d66b25add927a8aab7acb5f10ce80f29db17428

SHA256
ac01e1aa3248a7e956b0999e62a426396bd703aaaae389166934928552c36ba8

SHA512
ece66874a204c1014b71482f0c34b64094f6a3a4385d9cc0e805d247b29d3d9dfe30f292879705e35a40214c9717b983cc8cb5b1af7d3000325042bb3cf17f2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37322\_ctypes.pyd

Filesize
121KB

MD5
b8a2aa0b18b076f3138d4b6af625b1a8

SHA1
965f046846293af33401c7c0d56dd1423698f08a

SHA256
ddd2e07bd447e46bf8682953e08a52ef3dec2a16b73016a210ac88196964623c

SHA512
0b75f59db170ab74ccb5d82187171000b5a607524449576ecfc8c708e3dfc501ddec5bcb82153f20e928d6c46a7109ebf59fc32d904fe1307a280ce6f1c6bf7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37322\_lzma.pyd

Filesize
246KB

MD5
496778a3b05ad610daad34b752a5fcdf

SHA1
21ad508f2faab85f2304a8e0fdb687611459c653

SHA256
be5a20ea62c97abeaf1cb0c2522f4737d71701f7e1220d92470c0eeb8a99d427

SHA512
3bb10d09a61e84b4b2d19644899021cb8e91418693a11cdc0ca0aa1b861631e11101e9a9feb4ff6883f223294296f6c3634b12206b3ee6a37b37cb761078d122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37322\_socket.pyd

Filesize
77KB

MD5
fca96fe528ff7c8a688da45a1667576f

SHA1
3346925f3c5ec51ef9ffbc57b9630663942bdbc4

SHA256
6fb731502320840ea36d2c8194c8de2371d275eb2c2fdffa1a5e62f5bcfc84ea

SHA512
cd3e1ea2590052bd8b0db8f230cddbcf248886acd18f17508fadd64701633646967395aa22c5891ace08b5149ac6dd0543f042ece3a5a6bb2315c4bcaca4d423

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37322\base_library.zip

Filesize
1004KB

MD5
7c74c6bf64348a68ae2b381d310793b3

SHA1
49b904ce6851c500dd7dea40bde1072c177215e4

SHA256
dac218ce45aa7fac17619a11a2ef8315d675810b6756dab57c3ce4cc296b7ae5

SHA512
f6d0776b86410d35d64610360f0935ef9605325304294ba669c5d175595f88296c8d2f2085c3e14e3cba4e398ff837b0e8c484fd128b1881faac09df633c9f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37322\cv2\__init__.py

Filesize
6KB

MD5
6f043aff1edd20d3c9d6398f936fbf58

SHA1
7149d2d20e1eb8c10c5d2bdb8eda23551fc82650

SHA256
957a91bfd98ffb07a10cd789b7c5c46806568476b61e34c7ad56a00092b981a5

SHA512
7358dba479899dbc3afb955903820d2a7a54b9c398bf5d4565c8dc044241821edd621d7416862af396db4216373b1e8aac00eb78046fcc3cc2396aa02cd6947b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37322\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37322\libopenblas64__v0.3.21-gcc_10_3_0.dll

Filesize
34.2MB

MD5
ed9afdd57ff77131204761b9bc72a031

SHA1
1960339fe83acc040373befa2991fc2f9708ba54

SHA256
14c543c418e719d8d193ff890c1afeacfedf5749583bcd079812183e7d904aab

SHA512
18c6cc96c110e450bdba031c9674e78b891a97cb5456870d77762351339a815eb1c486bc7d96aba53e19f11da609dbf42b4d7d18c36b71fb273eeba6f2bfe1c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37322\numpy\core\_multiarray_tests.cp38-win_amd64.pyd

Filesize
65KB

MD5
f95a20e6503d32892544586091a2f138

SHA1
ad0407e5dcc388ae879b78a8998f9db751f303e8

SHA256
be1ddb44e9f05cc0aedd1caa408ce4dc28ea6f6fe507cc8f35df00aba4d57cc5

SHA512
cffaaea68bf0fec8d4b891e6063e3f69cc8e816cac5cbdb90ea379232fee887105a145bc9501629950cdfdc33460aafcb3615b73e37e2c5e406b77e173d36b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37322\numpy\core\_multiarray_umath.cp38-win_amd64.pyd

Filesize
2.6MB

MD5
993394e040715cdaed861584ef82c9e6

SHA1
399c3df7f15af91b05e675a1f5012da78c70a8b8

SHA256
b1efdf792a3d2cc30e7dcc3bdd911cbcfd52d47031c7c6de8dace521311c93fe

SHA512
e3db3d439b270a0c465f3200e9104a7e158a184aae2777af0b83ec9bc766bef8510b1e400094426aaecc6da93f1e84b84b9e1f8572449f6cb2a80c5f4fa6b232

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37322\python3.dll

Filesize
57KB

MD5
11a8500bc31356fae07dd604d6662efb

SHA1
4b260e5105131cdcae9313d1833cce0004c02858

SHA256
521f17a2caab35730bfdccb954704a6ffc035d4f7ea24208c76f6a45f30fd0b6

SHA512
15f967bdf3c64c7435bfa48fe4a8c3157b4568c08f396bc20fde7cb802aa0a633afaa987b1ebdf7851c6aa405e65f28d754bca8e06ff0a3b54f6da9a6d81d7c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37322\python38.dll

Filesize
4.0MB

MD5
147281c6864c61225284fc29dd189f37

SHA1
f9affa883855c85f339ac697e4f2942dd06a3a2e

SHA256
c5d4495bb879cc52a5076e1f366f330aa006d1e7e34c6b640a98378746244099

SHA512
ec5d36cda7689f6f9889ff0fdf2d946704c930a030d7254b901db78c4591a3f4fde0fe75a841ae91c2f0881edaf75b36d04e81e3d8605b81df4bc9195a09d056

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37322\pytransform\_pytransform.dll

Filesize
1.1MB

MD5
17026fe2b608cce716513badf18ac4e1

SHA1
32b3400eac1375012c4c4a559e6e9b74bf3a080c

SHA256
efac6b03b0b4a17a6e4e1f5edf85af8cdf87923f4fdea24692275a0049bda62f

SHA512
1107260f19baebf09548cb13a6369b6d4be0b255d0530df572ac038cee467b832d785d3e249198c945eacf2c953ce7828590e543fe4ad90796683fc746a4a179

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37322\select.pyd

Filesize
26KB

MD5
3bff7c4ca394c523c25de029461ce32a

SHA1
15e2e1bff65fdf400ef54358079bb25a29faedaa

SHA256
306b8d12b77a8d6b6d06c6120331584af14f8deb97d5aed799a4779413052bc1

SHA512
2ce6d85dd23882b8a0ed00e0d2f4cc70f1c2871172e5f4e39d3bcf68ad0f69a528b227f14e02fc28467bc232619cbbf4feead778818a926716604e86285e69a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37322\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bbcioxwf.tuw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\foAoIgtg.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\selfdelete.bat

Filesize
296B

MD5
d413ee3393933deb1e0728fb5ca81318

SHA1
72a49e280c5ea1b362c92be0ff60d7fe98bfd1d9

SHA256
32213b5687c0d1cb09b4135a37c7043ea741c8b9b8459a1b82b53c708212bec6

SHA512
6d3a5dc2336356b2df5f23e374c1996c2d4908f4f124dc67a24c2dbc695ebf5abe5e5b2763f2518c14251a66bdb06ab6ab82d43b557bb8e6d7fa60e7a590af23

Download Submit
C:\Windows\Dotfuscated\Google\Chrome\Bound.exe

Filesize
120KB

MD5
1a84e8b19c5594acc1f1a643a3f79ab2

SHA1
afa563efe41d4be521b6cbbbcb9d816ab7ae7b6f

SHA256
c39198797d4d00ab327456214dfc2346faf7988bc363ffee07d22a82dbb73995

SHA512
ef863fce3ac55936ab284c555f63b2a354ee753186869987d4077c341c04f8fc292567028d447174ce48cb36d365c8ea9cd0eb186623610a6679ab38995d769c

Download Submit
C:\Windows\MicrosoftWindow.bat

Filesize
144B

MD5
ef4431f1f11097009995b3203f1a8c4e

SHA1
8940d2aa0e23b8977eb9ebe17d3e8f74baf249f0

SHA256
03f658d4aa9e333f96e9a8ec119c027396ad5933b8d2945b283d68d34fba1faa

SHA512
9f66ce022a4e41cc03167b4ce36b9450008af99b726684b0ed44d31e7e6677028124ad6f257bb92b6cb1a130e180663383ea66c74cacbc8a8010724314d5353f

Download Submit
C:\Windows\System32\MicrosoftEdgeCore.vbs

Filesize
1KB

MD5
75d8f74fe37df49b866abd5a9f323999

SHA1
a010e31a4a570ac2deb2ab76223668c8c19267e8

SHA256
50b59a7c5d5d6faf76da51ab8e33dec0864600662f1672ed58f569c7fd6e96e7

SHA512
dd47f1382d33f13fda337f81e21179562fd11906e00eed23b090cdeea82e13e99fdb8dcd19d464b9dbe622ed4b9b8ac1270207a21b4b369d152f8fec9f78fdd3

Download Submit
C:\Windows\System32\be-ID\svchost.exe

Filesize
64KB

MD5
fc4d23ee35a8ea3f6dc0636bf5b8cb29

SHA1
ea6f004d81b09aea8a4ffd14fde4add62e4a549c

SHA256
e9e592d3da945a42ac78f6c22435ddda13f354f0a5ee61153dd2ccc7680a6775

SHA512
558c2efbc0bde4b90369d58825bd547f88042d2afcae07c22d9d6ea1c0777b16cc92bf3301640d37ea6ec671ad192fe1ed8cb9a2adba8a0aed20048d87373502

Download Submit
C:\Windows\System32\safeChrome.vbs

Filesize
1KB

MD5
6d10ddcf0d7c64ea6673823d26f20fa0

SHA1
6d1079a25c756f5580eecbd28f0c91f813b435db

SHA256
c100849a38133e76457efb6795d7560bddb1b268e215b74a4c7d4a8462d71f56

SHA512
66b3c880da621e90bd5c92c2e2ccee583b09a4d48f265ce1b45a0f32bbea21f279a860eb387a2058c3f2e4c263b8cb36d0ea4b77d241985cc011a88a9eb0c691

Download Submit
C:\Windows\System32\tlib.dll

Filesize
103KB

MD5
ec5266dbfc2df559988246e4c2b54151

SHA1
5f4864f378b6ffcdbcce739f33c0b33ff79d2f35

SHA256
9eca0aa437ae9c2079f11801acf9f7a2ae84c491b1c35933e7490c4e1f4e4c52

SHA512
7bfffa7b7c88f6f1849dde188f15f248140fa7e3bef91be959bf21ec0cbdf68b24491412bb0afd84cbe63dfbd308b8317e53ed2fa68501656211d32f7fddc683

Download Submit
C:\Windows\microboy.vbs

Filesize
1KB

MD5
7d04c5353c0128ccf7e064e06a9e5604

SHA1
33d206239c9faa19b0557d172b61fc4fb0a00189

SHA256
6cc5e97ebd8e332dd749e9937d97c716aa0f7cc5e667884b8606bf4e2acabb04

SHA512
3bd32ba6794d83ac39ac7dd3819a4ceb499427f3df3fa50da7949b45818a4a38bfeb846c30e14c7727d1f8898bbb76618a357c0581f6a0af63565eb5dd09853e

Download Submit
memory/1944-256-0x000001AB52970000-0x000001AB52992000-memory.dmp

Filesize
136KB

Download
memory/2064-253-0x0000000000400000-0x000000000427C000-memory.dmp

Filesize
62.5MB

Download
memory/2064-220-0x0000000000400000-0x000000000427C000-memory.dmp

Filesize
62.5MB

Download
memory/2280-192-0x00007FF982A70000-0x00007FF982A80000-memory.dmp

Filesize
64KB

Download
memory/2280-191-0x00007FF982A70000-0x00007FF982A80000-memory.dmp

Filesize
64KB

Download
memory/2280-196-0x00007FF980930000-0x00007FF980940000-memory.dmp

Filesize
64KB

Download
memory/2280-193-0x00007FF982A70000-0x00007FF982A80000-memory.dmp

Filesize
64KB

Download
memory/2280-194-0x00007FF982A70000-0x00007FF982A80000-memory.dmp

Filesize
64KB

Download
memory/2280-195-0x00007FF982A70000-0x00007FF982A80000-memory.dmp

Filesize
64KB

Download
memory/2280-197-0x00007FF980930000-0x00007FF980940000-memory.dmp

Filesize
64KB

Download
memory/2976-132-0x000001F0C22C0000-0x000001F0C22C6000-memory.dmp

Filesize
24KB

Download
memory/2976-125-0x000001F0BE170000-0x000001F0C1F32000-memory.dmp

Filesize
61.8MB

Download
memory/2976-243-0x000001F0C2350000-0x000001F0C2356000-memory.dmp

Filesize
24KB

Download
memory/2976-242-0x000001F0E4B70000-0x000001F0E88FC000-memory.dmp

Filesize
61.5MB

Download
memory/4220-582-0x000001F46C870000-0x000001F46C871000-memory.dmp

Filesize
4KB

Download
memory/4220-578-0x000001F46C870000-0x000001F46C871000-memory.dmp

Filesize
4KB

Download
memory/4220-553-0x000001F46C860000-0x000001F46C861000-memory.dmp

Filesize
4KB

Download
memory/4220-554-0x000001F46C870000-0x000001F46C871000-memory.dmp

Filesize
4KB

Download
memory/4220-604-0x000001F46C870000-0x000001F46C871000-memory.dmp

Filesize
4KB

Download
memory/4220-602-0x000001F46C870000-0x000001F46C871000-memory.dmp

Filesize
4KB

Download
memory/4220-600-0x000001F46C870000-0x000001F46C871000-memory.dmp

Filesize
4KB

Download
memory/4220-598-0x000001F46C870000-0x000001F46C871000-memory.dmp

Filesize
4KB

Download
memory/4220-596-0x000001F46C870000-0x000001F46C871000-memory.dmp

Filesize
4KB

Download
memory/4220-594-0x000001F46C870000-0x000001F46C871000-memory.dmp

Filesize
4KB

Download
memory/4220-592-0x000001F46C870000-0x000001F46C871000-memory.dmp

Filesize
4KB

Download
memory/4220-590-0x000001F46C870000-0x000001F46C871000-memory.dmp

Filesize
4KB

Download
memory/4220-588-0x000001F46C870000-0x000001F46C871000-memory.dmp

Filesize
4KB

Download
memory/4220-586-0x000001F46C870000-0x000001F46C871000-memory.dmp

Filesize
4KB

Download
memory/4220-584-0x000001F46C870000-0x000001F46C871000-memory.dmp

Filesize
4KB

Download
memory/4220-556-0x000001F46C870000-0x000001F46C871000-memory.dmp

Filesize
4KB

Download
memory/4220-580-0x000001F46C870000-0x000001F46C871000-memory.dmp

Filesize
4KB

Download
memory/4220-606-0x000001F46C870000-0x000001F46C871000-memory.dmp

Filesize
4KB

Download
memory/4220-576-0x000001F46C870000-0x000001F46C871000-memory.dmp

Filesize
4KB

Download
memory/4220-574-0x000001F46C870000-0x000001F46C871000-memory.dmp

Filesize
4KB

Download
memory/4220-572-0x000001F46C870000-0x000001F46C871000-memory.dmp

Filesize
4KB

Download
memory/4220-570-0x000001F46C870000-0x000001F46C871000-memory.dmp

Filesize
4KB

Download
memory/4220-568-0x000001F46C870000-0x000001F46C871000-memory.dmp

Filesize
4KB

Download
memory/4220-566-0x000001F46C870000-0x000001F46C871000-memory.dmp

Filesize
4KB

Download
memory/4220-564-0x000001F46C870000-0x000001F46C871000-memory.dmp

Filesize
4KB

Download
memory/4220-562-0x000001F46C870000-0x000001F46C871000-memory.dmp

Filesize
4KB

Download
memory/4220-560-0x000001F46C870000-0x000001F46C871000-memory.dmp

Filesize
4KB

Download
memory/4220-558-0x000001F46C870000-0x000001F46C871000-memory.dmp

Filesize
4KB

Download
memory/4724-129-0x0000000000400000-0x000000000427C000-memory.dmp

Filesize
62.5MB

Download
memory/4724-0-0x00000000061E0000-0x00000000061E1000-memory.dmp

Filesize
4KB

Download
memory/5016-358-0x000001463C4E0000-0x000001463C4E6000-memory.dmp

Filesize
24KB

Download
memory/5016-352-0x000001463C4D0000-0x000001463C4E8000-memory.dmp

Filesize
96KB

Download
memory/5016-337-0x000001463C4C0000-0x000001463C4C6000-memory.dmp

Filesize
24KB

Download
memory/5016-336-0x000001463C0F0000-0x000001463C116000-memory.dmp

Filesize
152KB

Download