asyncrat | 19d23e202165d3cddf2f85b0e9e435564939a39d29c0234add29fd50f4161671

Analysis

max time kernel
148s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2025, 05:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Exodus.exe
Size

8.1MB
MD5

59d942cbc8b50860ec417338dbefd059
SHA1

246ee7c696df1ecb6f6f060e47ab5db784002a29
SHA256

19d23e202165d3cddf2f85b0e9e435564939a39d29c0234add29fd50f4161671
SHA512

1347aee2f355c35cbd2f8369024abd16342c5907b78c813ba89050daa0c5cc173b5c00822a6fa8679f09cd327fb32d4596f6a6104a6c3e1fa2d60ed590298faa
SSDEEP

196608:JLPt5MgmB240p+ZhjHdPqulrSC5lIihg0xRNRA0HwSCT+Ome:JTK0DYznp7BP8IfNON

Score

10^/10

asyncrat gurcu stormkitty xred default backdoor discovery execution persistence privilege_escalation rat spyware stealer upx

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

gurcu

https://api.telegram.org/bot8138666723:AAFz0QLVYQ-iXcMbW6Mk_5LYnrAUlyZgTGw/sendMessage?chat_id=-4693422950

https://api.telegram.org/bot8138666723:AAFz0QLVYQ-iXcMbW6Mk_5LYnrAUlyZgTGw/editMessageText?chat_id=-4693422950

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0003000000022b2a-338.dat	family_stormkitty
behavioral2/files/0x0004000000022b32-353.dat	family_stormkitty
behavioral2/memory/3644-481-0x0000000000460000-0x0000000000492000-memory.dmp	family_stormkitty
behavioral2/memory/3592-479-0x0000000000400000-0x00000000004EE000-memory.dmp	family_stormkitty
behavioral2/memory/4712-526-0x0000000000400000-0x00000000004EE000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0004000000022b32-353.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1884	powershell.exe
348	powershell.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	XBinderOutput.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	Dll-protected.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	._cache_Dll-protected.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	Svch-protected.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	Exodus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	Dll-protected.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	Svch-protected.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	._cache_Dll-protected.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	._cache_Exodus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	XBinderOutput.exe

Executes dropped EXE 21 IoCs

pid	Process
2428	._cache_Exodus.exe
3300	Synaptics.exe
2984	._cache_Synaptics.exe
1696	Exodus.exe
4560	XBinderOutput.exe
2544	Exodus.exe
1168	XBinderOutput.exe
3032	Dll-protected.exe
1320	Svch-protected.exe
1464	._cache_Dll-protected.exe
1096	Dll-protected.exe
4520	Svch-protected.exe
3592	Server.exe
1072	Built.exe
2240	Built.exe
2040	._cache_Dll-protected.exe
3644	._cache_Server.exe
4712	Server.exe
2544	._cache_Server.exe
3212	Built.exe
4564	Built.exe

Loads dropped DLL 37 IoCs

pid	Process
1096	Dll-protected.exe
1096	Dll-protected.exe
2240	Built.exe
2240	Built.exe
2240	Built.exe
2240	Built.exe
2240	Built.exe
2240	Built.exe
4712	Server.exe
4712	Server.exe
2240	Built.exe
2240	Built.exe
2240	Built.exe
2240	Built.exe
2240	Built.exe
2240	Built.exe
2240	Built.exe
2240	Built.exe
2240	Built.exe
2240	Built.exe
2240	Built.exe
4564	Built.exe
4564	Built.exe
4564	Built.exe
4564	Built.exe
4564	Built.exe
4564	Built.exe
4564	Built.exe
4564	Built.exe
4564	Built.exe
4564	Built.exe
4564	Built.exe
4564	Built.exe
4564	Built.exe
4564	Built.exe
4564	Built.exe
4564	Built.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Exodus.exe

Drops desktop.ini file(s) 14 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\f8c1f3ceb66875ca8bcb5821fa762041\Admin@UUHJKMQK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	._cache_Server.exe
File opened for modification	C:\Users\Admin\AppData\Local\f8c1f3ceb66875ca8bcb5821fa762041\Admin@UUHJKMQK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	._cache_Server.exe
File created	C:\Users\Admin\AppData\Local\f8c1f3ceb66875ca8bcb5821fa762041\Admin@UUHJKMQK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	._cache_Server.exe
File created	C:\Users\Admin\AppData\Local\f8c1f3ceb66875ca8bcb5821fa762041\Admin@UUHJKMQK_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	._cache_Server.exe
File created	C:\Users\Admin\AppData\Local\f8c1f3ceb66875ca8bcb5821fa762041\Admin@UUHJKMQK_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	._cache_Server.exe
File created	C:\Users\Admin\AppData\Local\f8c1f3ceb66875ca8bcb5821fa762041\Admin@UUHJKMQK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	._cache_Server.exe
File opened for modification	C:\Users\Admin\AppData\Local\f8c1f3ceb66875ca8bcb5821fa762041\Admin@UUHJKMQK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	._cache_Server.exe
File created	C:\Users\Admin\AppData\Local\f8c1f3ceb66875ca8bcb5821fa762041\Admin@UUHJKMQK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	._cache_Server.exe
File created	C:\Users\Admin\AppData\Local\f8c1f3ceb66875ca8bcb5821fa762041\Admin@UUHJKMQK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	._cache_Server.exe
File created	C:\Users\Admin\AppData\Local\f8c1f3ceb66875ca8bcb5821fa762041\Admin@UUHJKMQK_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	._cache_Server.exe
File created	C:\Users\Admin\AppData\Local\f8c1f3ceb66875ca8bcb5821fa762041\Admin@UUHJKMQK_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	._cache_Server.exe
File created	C:\Users\Admin\AppData\Local\f8c1f3ceb66875ca8bcb5821fa762041\Admin@UUHJKMQK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	._cache_Server.exe
File created	C:\Users\Admin\AppData\Local\f8c1f3ceb66875ca8bcb5821fa762041\Admin@UUHJKMQK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	._cache_Server.exe
File created	C:\Users\Admin\AppData\Local\f8c1f3ceb66875ca8bcb5821fa762041\Admin@UUHJKMQK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	._cache_Server.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
61	icanhazip.com
44	ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
2308	tasklist.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000b000000023bd9-435.dat	upx
behavioral2/memory/2240-439-0x00007FFBA91B0000-0x00007FFBA9616000-memory.dmp	upx
behavioral2/files/0x0003000000022b58-441.dat	upx
behavioral2/files/0x000c000000023bd6-444.dat	upx
behavioral2/memory/2240-466-0x00007FFBAD130000-0x00007FFBAD15C000-memory.dmp	upx
behavioral2/files/0x0012000000023af7-465.dat	upx
behavioral2/memory/2240-464-0x00007FFBAD080000-0x00007FFBAD098000-memory.dmp	upx
behavioral2/memory/2240-463-0x00007FFBC04C0000-0x00007FFBC04CF000-memory.dmp	upx
behavioral2/memory/2240-462-0x00007FFBB1B40000-0x00007FFBB1B64000-memory.dmp	upx
behavioral2/files/0x0003000000022b57-461.dat	upx
behavioral2/files/0x000c000000023bcd-460.dat	upx
behavioral2/files/0x000c000000023bcc-459.dat	upx
behavioral2/files/0x000e000000023bc0-458.dat	upx
behavioral2/files/0x0010000000023b7a-457.dat	upx
behavioral2/files/0x0005000000022b72-455.dat	upx
behavioral2/files/0x0005000000022b69-454.dat	upx
behavioral2/files/0x0009000000023cfa-452.dat	upx
behavioral2/files/0x000b000000023bff-451.dat	upx
behavioral2/files/0x000b000000023be2-449.dat	upx
behavioral2/files/0x000c000000023bd8-446.dat	upx
behavioral2/files/0x000b000000023bd4-445.dat	upx
behavioral2/memory/2240-499-0x00007FFBB6FE0000-0x00007FFBB6FFF000-memory.dmp	upx
behavioral2/memory/2240-518-0x00007FFBAA450000-0x00007FFBAA5CA000-memory.dmp	upx
behavioral2/memory/2240-519-0x00007FFBAD060000-0x00007FFBAD079000-memory.dmp	upx
behavioral2/memory/2240-520-0x00007FFBC0390000-0x00007FFBC039D000-memory.dmp	upx
behavioral2/memory/2240-521-0x00007FFBAD030000-0x00007FFBAD05E000-memory.dmp	upx
behavioral2/memory/2240-524-0x00007FFBAA390000-0x00007FFBAA448000-memory.dmp	upx
behavioral2/memory/2240-523-0x00007FFBB1B40000-0x00007FFBB1B64000-memory.dmp	upx
behavioral2/memory/2240-522-0x00007FFBA91B0000-0x00007FFBA9616000-memory.dmp	upx
behavioral2/memory/2240-525-0x00007FFBA3350000-0x00007FFBA36C9000-memory.dmp	upx
behavioral2/memory/2240-531-0x00007FFBC0110000-0x00007FFBC011D000-memory.dmp	upx
behavioral2/memory/2240-532-0x00007FFBB6FE0000-0x00007FFBB6FFF000-memory.dmp	upx
behavioral2/memory/2240-533-0x00007FFBA9750000-0x00007FFBA9868000-memory.dmp	upx
behavioral2/memory/2240-530-0x00007FFBAD010000-0x00007FFBAD025000-memory.dmp	upx
behavioral2/memory/2240-556-0x00007FFBAA450000-0x00007FFBAA5CA000-memory.dmp	upx
behavioral2/memory/4564-557-0x00007FFBB0DF0000-0x00007FFBB1256000-memory.dmp	upx
behavioral2/memory/4564-559-0x00007FFBC0400000-0x00007FFBC0424000-memory.dmp	upx
behavioral2/memory/2240-561-0x00007FFBAD030000-0x00007FFBAD05E000-memory.dmp	upx
behavioral2/memory/4564-562-0x00007FFBBFCE0000-0x00007FFBBFCF8000-memory.dmp	upx
behavioral2/memory/4564-560-0x00007FFBC03F0000-0x00007FFBC03FF000-memory.dmp	upx
behavioral2/memory/2240-558-0x00007FFBAD060000-0x00007FFBAD079000-memory.dmp	upx
behavioral2/memory/4564-564-0x00007FFBBFCB0000-0x00007FFBBFCDC000-memory.dmp	upx
behavioral2/memory/2240-563-0x00007FFBAA390000-0x00007FFBAA448000-memory.dmp	upx
behavioral2/memory/4564-571-0x00007FFBA9FE0000-0x00007FFBAA15A000-memory.dmp	upx
behavioral2/memory/4564-570-0x00007FFBBFA90000-0x00007FFBBFAAF000-memory.dmp	upx
behavioral2/memory/2240-569-0x00007FFBA3350000-0x00007FFBA36C9000-memory.dmp	upx
behavioral2/memory/4564-574-0x00007FFBC03E0000-0x00007FFBC03ED000-memory.dmp	upx
behavioral2/memory/4564-573-0x00007FFBBFC70000-0x00007FFBBFC89000-memory.dmp	upx
behavioral2/memory/4564-578-0x00007FFBB0DF0000-0x00007FFBB1256000-memory.dmp	upx
behavioral2/memory/4564-577-0x00007FFBAF1C0000-0x00007FFBAF278000-memory.dmp	upx
behavioral2/memory/4564-580-0x00007FFBA2FD0000-0x00007FFBA3349000-memory.dmp	upx
behavioral2/memory/4564-579-0x00007FFBC0400000-0x00007FFBC0424000-memory.dmp	upx
behavioral2/memory/4564-576-0x00007FFBBFC40000-0x00007FFBBFC6E000-memory.dmp	upx
behavioral2/memory/4564-595-0x00007FFBAF1C0000-0x00007FFBAF278000-memory.dmp	upx
behavioral2/memory/4564-599-0x00007FFBC03F0000-0x00007FFBC03FF000-memory.dmp	upx
behavioral2/memory/4564-603-0x00007FFBBFA90000-0x00007FFBBFAAF000-memory.dmp	upx
behavioral2/memory/2240-633-0x00007FFBAD030000-0x00007FFBAD05E000-memory.dmp	upx
behavioral2/memory/2240-632-0x00007FFBA9750000-0x00007FFBA9868000-memory.dmp	upx
behavioral2/memory/2240-631-0x00007FFBC0110000-0x00007FFBC011D000-memory.dmp	upx
behavioral2/memory/2240-630-0x00007FFBAD010000-0x00007FFBAD025000-memory.dmp	upx
behavioral2/memory/2240-629-0x00007FFBA3350000-0x00007FFBA36C9000-memory.dmp	upx
behavioral2/memory/2240-628-0x00007FFBAA390000-0x00007FFBAA448000-memory.dmp	upx
behavioral2/memory/2240-627-0x00007FFBB1B40000-0x00007FFBB1B64000-memory.dmp	upx
behavioral2/memory/2240-626-0x00007FFBAD060000-0x00007FFBAD079000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dll-protected.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exodus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dll-protected.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4548	cmd.exe
3616	netsh.exe
3212	cmd.exe
2228	netsh.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_Server.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	._cache_Server.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Exodus.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Dll-protected.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Dll-protected.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Server.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1764	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1884	powershell.exe
1884	powershell.exe
348	powershell.exe
348	powershell.exe
348	powershell.exe
1884	powershell.exe
3644	._cache_Server.exe
3644	._cache_Server.exe
3644	._cache_Server.exe
2544	._cache_Server.exe
2544	._cache_Server.exe
2544	._cache_Server.exe
2544	._cache_Server.exe
2544	._cache_Server.exe
2544	._cache_Server.exe
2544	._cache_Server.exe
2544	._cache_Server.exe
2544	._cache_Server.exe
2544	._cache_Server.exe
2544	._cache_Server.exe
2544	._cache_Server.exe
2544	._cache_Server.exe
2544	._cache_Server.exe
2544	._cache_Server.exe
2544	._cache_Server.exe
2544	._cache_Server.exe
2544	._cache_Server.exe
2544	._cache_Server.exe
2544	._cache_Server.exe
2544	._cache_Server.exe
2544	._cache_Server.exe
2544	._cache_Server.exe
2544	._cache_Server.exe
2544	._cache_Server.exe
2544	._cache_Server.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	3644	._cache_Server.exe
Token: SeDebugPrivilege	2544	._cache_Server.exe
Token: SeIncreaseQuotaPrivilege	2428	WMIC.exe
Token: SeSecurityPrivilege	2428	WMIC.exe
Token: SeTakeOwnershipPrivilege	2428	WMIC.exe
Token: SeLoadDriverPrivilege	2428	WMIC.exe
Token: SeSystemProfilePrivilege	2428	WMIC.exe
Token: SeSystemtimePrivilege	2428	WMIC.exe
Token: SeProfSingleProcessPrivilege	2428	WMIC.exe
Token: SeIncBasePriorityPrivilege	2428	WMIC.exe
Token: SeCreatePagefilePrivilege	2428	WMIC.exe
Token: SeBackupPrivilege	2428	WMIC.exe
Token: SeRestorePrivilege	2428	WMIC.exe
Token: SeShutdownPrivilege	2428	WMIC.exe
Token: SeDebugPrivilege	2428	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2428	WMIC.exe
Token: SeRemoteShutdownPrivilege	2428	WMIC.exe
Token: SeUndockPrivilege	2428	WMIC.exe
Token: SeManageVolumePrivilege	2428	WMIC.exe
Token: 33	2428	WMIC.exe
Token: 34	2428	WMIC.exe
Token: 35	2428	WMIC.exe
Token: 36	2428	WMIC.exe
Token: SeDebugPrivilege	2308	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2428	WMIC.exe
Token: SeSecurityPrivilege	2428	WMIC.exe
Token: SeTakeOwnershipPrivilege	2428	WMIC.exe
Token: SeLoadDriverPrivilege	2428	WMIC.exe
Token: SeSystemProfilePrivilege	2428	WMIC.exe
Token: SeSystemtimePrivilege	2428	WMIC.exe
Token: SeProfSingleProcessPrivilege	2428	WMIC.exe
Token: SeIncBasePriorityPrivilege	2428	WMIC.exe
Token: SeCreatePagefilePrivilege	2428	WMIC.exe
Token: SeBackupPrivilege	2428	WMIC.exe
Token: SeRestorePrivilege	2428	WMIC.exe
Token: SeShutdownPrivilege	2428	WMIC.exe
Token: SeDebugPrivilege	2428	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2428	WMIC.exe
Token: SeRemoteShutdownPrivilege	2428	WMIC.exe
Token: SeUndockPrivilege	2428	WMIC.exe
Token: SeManageVolumePrivilege	2428	WMIC.exe
Token: 33	2428	WMIC.exe
Token: 34	2428	WMIC.exe
Token: 35	2428	WMIC.exe
Token: 36	2428	WMIC.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	348	powershell.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1764	EXCEL.EXE
1764	EXCEL.EXE
1764	EXCEL.EXE
1764	EXCEL.EXE
1764	EXCEL.EXE
1764	EXCEL.EXE
1764	EXCEL.EXE
1764	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3600 wrote to memory of 2428	3600	Exodus.exe	89
PID 3600 wrote to memory of 2428	3600	Exodus.exe	89
PID 3600 wrote to memory of 3300	3600	Exodus.exe	90
PID 3600 wrote to memory of 3300	3600	Exodus.exe	90
PID 3600 wrote to memory of 3300	3600	Exodus.exe	90
PID 3300 wrote to memory of 2984	3300	Synaptics.exe	91
PID 3300 wrote to memory of 2984	3300	Synaptics.exe	91
PID 2428 wrote to memory of 1696	2428	._cache_Exodus.exe	94
PID 2428 wrote to memory of 1696	2428	._cache_Exodus.exe	94
PID 2428 wrote to memory of 4560	2428	._cache_Exodus.exe	96
PID 2428 wrote to memory of 4560	2428	._cache_Exodus.exe	96
PID 2984 wrote to memory of 2544	2984	._cache_Synaptics.exe	119
PID 2984 wrote to memory of 2544	2984	._cache_Synaptics.exe	119
PID 2984 wrote to memory of 1168	2984	._cache_Synaptics.exe	101
PID 2984 wrote to memory of 1168	2984	._cache_Synaptics.exe	101
PID 4560 wrote to memory of 3032	4560	XBinderOutput.exe	102
PID 4560 wrote to memory of 3032	4560	XBinderOutput.exe	102
PID 4560 wrote to memory of 3032	4560	XBinderOutput.exe	102
PID 4560 wrote to memory of 1320	4560	XBinderOutput.exe	103
PID 4560 wrote to memory of 1320	4560	XBinderOutput.exe	103
PID 3032 wrote to memory of 1464	3032	Dll-protected.exe	107
PID 3032 wrote to memory of 1464	3032	Dll-protected.exe	107
PID 1168 wrote to memory of 1096	1168	XBinderOutput.exe	108
PID 1168 wrote to memory of 1096	1168	XBinderOutput.exe	108
PID 1168 wrote to memory of 1096	1168	XBinderOutput.exe	108
PID 1168 wrote to memory of 4520	1168	XBinderOutput.exe	109
PID 1168 wrote to memory of 4520	1168	XBinderOutput.exe	109
PID 1320 wrote to memory of 3592	1320	Svch-protected.exe	110
PID 1320 wrote to memory of 3592	1320	Svch-protected.exe	110
PID 1320 wrote to memory of 3592	1320	Svch-protected.exe	110
PID 1464 wrote to memory of 1072	1464	._cache_Dll-protected.exe	112
PID 1464 wrote to memory of 1072	1464	._cache_Dll-protected.exe	112
PID 1072 wrote to memory of 2240	1072	Built.exe	114
PID 1072 wrote to memory of 2240	1072	Built.exe	114
PID 1096 wrote to memory of 2040	1096	Dll-protected.exe	116
PID 1096 wrote to memory of 2040	1096	Dll-protected.exe	116
PID 3592 wrote to memory of 3644	3592	Server.exe	117
PID 3592 wrote to memory of 3644	3592	Server.exe	117
PID 3592 wrote to memory of 3644	3592	Server.exe	117
PID 4520 wrote to memory of 4712	4520	Svch-protected.exe	118
PID 4520 wrote to memory of 4712	4520	Svch-protected.exe	118
PID 4520 wrote to memory of 4712	4520	Svch-protected.exe	118
PID 4712 wrote to memory of 2544	4712	Server.exe	119
PID 4712 wrote to memory of 2544	4712	Server.exe	119
PID 4712 wrote to memory of 2544	4712	Server.exe	119
PID 2240 wrote to memory of 1644	2240	Built.exe	120
PID 2240 wrote to memory of 1644	2240	Built.exe	120
PID 2240 wrote to memory of 2424	2240	Built.exe	121
PID 2240 wrote to memory of 2424	2240	Built.exe	121
PID 2240 wrote to memory of 3180	2240	Built.exe	124
PID 2240 wrote to memory of 3180	2240	Built.exe	124
PID 2240 wrote to memory of 668	2240	Built.exe	126
PID 2240 wrote to memory of 668	2240	Built.exe	126
PID 2040 wrote to memory of 3212	2040	._cache_Dll-protected.exe	128
PID 2040 wrote to memory of 3212	2040	._cache_Dll-protected.exe	128
PID 3212 wrote to memory of 4564	3212	Built.exe	129
PID 3212 wrote to memory of 4564	3212	Built.exe	129
PID 668 wrote to memory of 2428	668	cmd.exe	131
PID 668 wrote to memory of 2428	668	cmd.exe	131
PID 3180 wrote to memory of 2308	3180	cmd.exe	132
PID 3180 wrote to memory of 2308	3180	cmd.exe	132
PID 2424 wrote to memory of 1884	2424	cmd.exe	133
PID 2424 wrote to memory of 1884	2424	cmd.exe	133
PID 1644 wrote to memory of 348	1644	cmd.exe	134

C:\Users\Admin\AppData\Local\Temp\Exodus.exe
"C:\Users\Admin\AppData\Local\Temp\Exodus.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Users\Admin\AppData\Local\Temp\._cache_Exodus.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_Exodus.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Users\Admin\AppData\Local\Temp\Exodus.exe
    "C:\Users\Admin\AppData\Local\Temp\Exodus.exe"
    3⤵
    - Executes dropped EXE
    PID:1696
- - C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe
    "C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4560
  - - C:\Users\Admin\AppData\Local\Temp\Dll-protected.exe
      "C:\Users\Admin\AppData\Local\Temp\Dll-protected.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3032
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Dll-protected.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Dll-protected.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1464
      - C:\Users\Admin\AppData\Local\Temp\Built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Built.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\Built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Built.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:668
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
  - - C:\Users\Admin\AppData\Local\Temp\Svch-protected.exe
      "C:\Users\Admin\AppData\Local\Temp\Svch-protected.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1320
    - - C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3592
      - C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe"
        6⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4548
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        8⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3616
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:720
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3904
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        8⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3504
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Users\Admin\AppData\Local\Temp\Exodus.exe
      "C:\Users\Admin\AppData\Local\Temp\Exodus.exe"
      4⤵
      Executes dropped EXE
      PID:2544
  - - C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe
      "C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1168
    - - C:\Users\Admin\AppData\Local\Temp\Dll-protected.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Dll-protected.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1096
      - C:\Users\Admin\AppData\Local\Temp\._cache_Dll-protected.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Dll-protected.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\Built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Built.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\Built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Built.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4564
    - - C:\Users\Admin\AppData\Local\Temp\Svch-protected.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Svch-protected.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4520
      - C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe"
        7⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3212
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        9⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        9⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1912

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
8.1MB

MD5
59d942cbc8b50860ec417338dbefd059

SHA1
246ee7c696df1ecb6f6f060e47ab5db784002a29

SHA256
19d23e202165d3cddf2f85b0e9e435564939a39d29c0234add29fd50f4161671

SHA512
1347aee2f355c35cbd2f8369024abd16342c5907b78c813ba89050daa0c5cc173b5c00822a6fa8679f09cd327fb32d4596f6a6104a6c3e1fa2d60ed590298faa

Download Submit
C:\Users\Admin\AppData\Local\2c768585ae143f2ef237a7d30ba9994f\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XBinderOutput.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Dll-protected.exe

Filesize
5.9MB

MD5
d33c3743ec4d1333ef0d114202354cc6

SHA1
cd5aca8acd1a396da8080ee31925b3d9698fb508

SHA256
dac24e0549fdadb26c47e1e4138bed79fcc8865e257f0ae149a3422db4a9f2ce

SHA512
04f7c3a15379669444f1e3636e8a4e092cf428e67de10b1766468b241f8fa5fb24cd1bbd129ec5eab1449eb2304eff96e355291a9685fe5d437529acf5c0d215

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Exodus.exe

Filesize
7.3MB

MD5
6b6facceec5839fb2892574f3d712dff

SHA1
18d0970ba1e1b56dfdd397184a2fce71591bf67e

SHA256
ce614d2a55ae0d259510273cdc62ef4e0f29bcc3046850065196a7dc577ccbd5

SHA512
aec08fcb6be796f908512de2fa053e96e5988a976eece73bfae502f8308aee3b91645d8746e7094aedaaf6d2077f6c3eb9f3245b02ed5279767e425fe239845d

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe

Filesize
175KB

MD5
8d934cc01dcc17160d25acd2282210a9

SHA1
f97a7b02edab514526495af6f8246abf68a4dd62

SHA256
db62f46202f39d7ef4599dadf8cf8255bd164bbbe69176208586e94899e71fd8

SHA512
c234579629623344e3b47c9804b73759d9de3691c0049b9da7da2fc3d0728e8d8f6a06ea4d5cc3afe44a1230d29f4a948a77787707a25e825bddfacb330cb4e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
6.0MB

MD5
b15a700a538a3b109a84d1dc650911e8

SHA1
45df3fa8b1d4ad49b5cd6e47a094c1c90419feef

SHA256
5e6b2a8aa7112b7d588c95e0e3e217e770cdbbc7f52573b58c074739db37b3ff

SHA512
f1c612fefd601f13ecbe0810cfba5131e935df1fe54bfd456d945f45ac76c0393a0693322d06dda36a45b60a186ab8ca5533befb41d55e716bbcd30b7a6460fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEF75E00

Filesize
24KB

MD5
238d8a44e49d9de985e80c9f8483e0f5

SHA1
f82ed193533793ddf8e05bc41c438e55ae5a6f98

SHA256
e0172034dca6bef2437259d454653afb3e15ac9ad5cd558f2ab6f538c9984d9a

SHA512
3c42d997904b084a450e72b20505028eb862199c47f36998e8fab10c99c9fa7d97187d82b37f3f9bfd568b3638e609fa35c97f0ee86ab3895d9efe290393a323

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dll-protected.exe

Filesize
6.7MB

MD5
c6f21aae2f45d9d89869392a640943e4

SHA1
8d5709838660159233d4d126e7b59608cb90c3a7

SHA256
f6f2dd59d66d219d592da7acb8a8e5b7f1d9a8aea52dbf6965f94a3f0afd1ad9

SHA512
d916002b1b11ad69d707102800c8ff237beafe2103c608afd5155cdd9bca02e137ea6c665ddfa351e51aea3b8a14572d1c37fd640feb2505c32850f70380d1e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Exodus.exe

Filesize
507KB

MD5
470ccdab5d7da8aafc11490e4c71e612

SHA1
bc540c0ba7dcb0405a7b6c775f0a1b585d51c4b3

SHA256
849c0420722c1dabb927ff0ab70375bc1197ba73a7f04885460b609392bd319c

SHA512
6b3a09b785c02a57f6330cd6610f8a78b1f6a1689c14a190a9af4ad4ab4666f8a77d75c4c85a3af04693effdc970440ce8d62a4132f66471aaa250f9d90f2f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
928KB

MD5
20a67f98defc188c0015b511e749e546

SHA1
b7650940e5705991f03d3ff4a785569eb1908ce0

SHA256
5df321a00776fa2fb8b215278ef76c2aed6b9e2fedf2ea7508c80c2e869a3fbb

SHA512
66d944c4202f60f8318d54d3e81f9da8eb1c7e0fbcb425f78582ee4f987b8b45c340c3061a77822d8b36dd65c464567f1d3ec61e7d9b23f38872bb2c335d0dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Svch-protected.exe

Filesize
520KB

MD5
db1182f0ffcf788b8221fe986a21e042

SHA1
b7652ca21d7605b0a0bfbeb037bf68c3cc3ba2c8

SHA256
f6839da3485b5822fc53b09f7526af57d5710eca8b3f1b5bf698b674518d996e

SHA512
d91ed3b64438b82af4798317ab5428be749577acdb1b12dcc27012df69ad5e33df67c9d89e074a2574dae4b17ccaf579c627d08533abd785815ad94bc6cc491d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe

Filesize
6.8MB

MD5
d65c3bc9d278d07c0d0d54cb0c792117

SHA1
eb6526b6a8cbd8d350b5d1ec45332e8cd5e4ad14

SHA256
51cb79663b3cd3a54cfaa9b8a1a27788d4cc23e6a9c5a81f9de33c8c429c35a4

SHA512
8cbbc7d59fb1dfbe6f8a0f7c6defb0f3f55853ae9ebfa0f7973b26403cee208a8228fd97d1aed575f35c099fb1294b3ff30aa400b42c9069549198785eab32f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10722\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10722\_bz2.pyd

Filesize
47KB

MD5
fba120a94a072459011133da3a989db2

SHA1
6568b3e9e993c7e993a699505339bbebb5db6fb0

SHA256
055a93c8b127dc840ac40ca70d4b0246ac88c9cde1ef99267bbe904086e0b7d3

SHA512
221b5a2a9de1133e2866b39f493a822060d3fb85f8c844c116f64878b9b112e8085e61d450053d859a63450d1292c13bd7ec38b89fe2dfa6684ac94e090ec3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10722\_ctypes.pyd

Filesize
58KB

MD5
31859b9a99a29127c4236968b87dbcbb

SHA1
29b4ee82aa026c10fe8a4f43b40cbd8ec7ea71e5

SHA256
644712c3475be7f02c2493d75e6a831372d01243aca61aa8a1418f57e6d0b713

SHA512
fec3ab9ce032e02c432d714de0d764aab83917129a5e6eeca21526b03176da68da08024d676bc0032200b2d2652e6d442ca2f1ef710a7408bd198995883a943a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10722\_decimal.pyd

Filesize
106KB

MD5
7cdc590ac9b4ffa52c8223823b648e5c

SHA1
c8d9233acbff981d96c27f188fcde0e98cdcb27c

SHA256
f281bd8219b4b0655e9c3a5516fe0b36e44c28b0ac9170028dd052ca234c357c

SHA512
919c36be05f5f94ec84e68ecca43c7d43acb8137a043cf429a9e995643ca69c4c101775955e36c15f844f64fc303999da0cbfe5e121eb5b3ffb7d70e3cd08e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10722\_hashlib.pyd

Filesize
35KB

MD5
659a5efa39a45c204ada71e1660a7226

SHA1
1a347593fca4f914cfc4231dc5f163ae6f6e9ce0

SHA256
b16c0cc3baa67246d8f44138c6105d66538e54d0afb999f446cae58ac83ef078

SHA512
386626b3bad58b450b8b97c6ba51ce87378cddf7f574326625a03c239aa83c33f4d824d3b8856715f413cfb9238d23f802f598084dbd8c73c8f6c61275fdecb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10722\_lzma.pyd

Filesize
85KB

MD5
864b22495372fa4d8b18e1c535962ae2

SHA1
8cfaee73b7690b9731303199e3ed187b1c046a85

SHA256
fc57bd20b6b128afa5faaac1fd0ce783031faaf39f71b58c9cacf87a16f3325f

SHA512
9f26fe88aca42c80eb39153708b2315a4154204fc423ca474860072dd68ccc00b7081e8adb87ef9a26b9f64cd2f4334f64bc2f732cd47e3f44f6cf9cc16fa187

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10722\_queue.pyd

Filesize
25KB

MD5
bebc7743e8af7a812908fcb4cdd39168

SHA1
00e9056e76c3f9b2a9baba683eaa52ecfa367edb

SHA256
cc275b2b053410c6391339149baf5b58df121a915d18b889f184be02bedaf9bc

SHA512
c56496c6396b8c3ec5ec52542061b2146ea80d986dfe13b0d4feb7b5953c80663e34ccd7b7ee99c4344352492be93f7d31f7830ec9ec2ca8a0c2055cb18fa8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10722\_socket.pyd

Filesize
42KB

MD5
49f87aec74fea76792972022f6715c4d

SHA1
ed1402bb0c80b36956ec9baf750b96c7593911bd

SHA256
5d8c8186df42633679d6236c1febf93db26405c1706f9b5d767feab440ea38b0

SHA512
de58d69228395827547e07695f70ef98cdaf041ebaae0c3686246209254f0336a589b58d44b7776ccae24a5bc03b9dc8354c768170b1771855f342eecc5fead4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10722\_sqlite3.pyd

Filesize
50KB

MD5
70a7050387359a0fab75b042256b371f

SHA1
5ffc6dfbaddb6829b1bfd478effb4917d42dff85

SHA256
e168a1e229f57248253ead19f60802b25dc0dbc717c9776e157b8878d2ca4f3d

SHA512
154fd26d4ca1e6a85e3b84ce9794a9d1ef6957c3bba280d666686a0f14aa571aaec20baa0e869a78d4669f1f28ea333c0e9e4d3ecd51b25d34e46a0ef74ee735

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10722\_ssl.pyd

Filesize
62KB

MD5
9a7ab96204e505c760921b98e259a572

SHA1
39226c222d3c439a03eac8f72b527a7704124a87

SHA256
cae09bbbb12aa339fd9226698e7c7f003a26a95390c7dc3a2d71a1e540508644

SHA512
0f5f58fb47379b829ee70c631b3e107cde6a69dc64e4c993fb281f2d5ada926405ce29ea8b1f4f87ed14610e18133932c7273a1aa209a0394cc6332f2aba7e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10722\base_library.zip

Filesize
859KB

MD5
915f347a4cda1af4341582dc1454fbd6

SHA1
a1fdbb92b80a47eecaf5addf786e984237811e9e

SHA256
4ae4e3b08fa794a3eff1bc5ab12b920452c76ff83b1df5cd0c581e10505458a3

SHA512
18bfcf2cb3cec336b0c5b103af8811e024043dabd072708ad1d2f7f94bcdf504366935f99c55de72a2f50eb284cd95841b28c07b6c1f26a702e0e2e1b3594d30

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10722\libcrypto-1_1.dll

Filesize
1.1MB

MD5
bbc1fcb5792f226c82e3e958948cb3c3

SHA1
4d25857bcf0651d90725d4fb8db03ccada6540c3

SHA256
9a36e09f111687e6b450937bb9c8aede7c37d598b1cccc1293eed2342d11cf47

SHA512
3137be91f3393df2d56a3255281db7d4a4dccd6850eeb4f0df69d4c8dda625b85d5634fce49b195f3cc431e2245b8e9ba401baaa08778a467639ee4c1cc23d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10722\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10722\libssl-1_1.dll

Filesize
204KB

MD5
ad0a2b4286a43a0ef05f452667e656db

SHA1
a8835ca75768b5756aa2445ca33b16e18ceacb77

SHA256
2af3d965863018c66c2a9a2d66072fe3657bbd0b900473b9bbdcac8091686ae1

SHA512
cceb5ec1dd6d2801abbacd6112393fecbf5d88fe52db86cfc98f13326c3d3e31c042b0cc180b640d0f33681bdd9e6a355dc0fbfde597a323c8d9e88de40b37c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10722\python310.dll

Filesize
1.4MB

MD5
4a6afa2200b1918c413d511c5a3c041c

SHA1
39ca3c2b669adac07d4a5eb1b3b79256cfe0c3b3

SHA256
bec187f608507b57cf0475971ba646b8ab42288af8fdcf78bce25f1d8c84b1da

SHA512
dbffb06ffff0542200344ea9863a44a6f1e1b783379e53df18580e697e8204d3911e091deb32a9c94b5599cdd54301b705b74e1f51104151cf13b89d57280a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10722\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10722\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10722\select.pyd

Filesize
25KB

MD5
b6de7c98e66bde6ecffbf0a1397a6b90

SHA1
63823ef106e8fd9ea69af01d8fe474230596c882

SHA256
84b2119ed6c33dfbdf29785292a529aabbf75139d163cfbcc99805623bb3863c

SHA512
1fc26e8edc447d87a4213cb5df5d18f990bba80e5635e83193f2ae5368dd88a81fddfb4575ef4475e9bf2a6d75c5c66c8ed772496ffa761c0d8644fcf40517ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10722\skoch.aes

Filesize
180KB

MD5
db9570f362885d39e027ad285051f6bc

SHA1
046e4d0b40548d30d857da71588a6041892ac756

SHA256
1898191ad179076d0d74d1bb650ce8ec30c4245f9a554877fa3ce004000cbde8

SHA512
0ce982411c1ad21f61bbea14c66a3684e1d2a7289b2d36e44a5af85b835ddf6ac8acb9597cada6793fe8e686eb13b491a553976065da10b67f1944ad19f5a2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10722\sqlite3.dll

Filesize
622KB

MD5
0c4996047b6efda770b03f8f231e39b8

SHA1
dffcabcd4e950cc8ee94c313f1a59e3021a0ad48

SHA256
983f31bc687e0537d6028a9a65f4825cc560bbf3cb3eb0d3c0fcc2238219b5ed

SHA512
112773b83b5b4b71007f2668b0344bf45db03bbe1f97ae738615f3c4e2f8afb54b3ae095ea1131bf858ddfb1e585389658af5db56561609a154ae6bb80dc79ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10722\unicodedata.pyd

Filesize
289KB

MD5
c697dc94bdf07a57d84c7c3aa96a2991

SHA1
641106acd3f51e6db1d51aa2e4d4e79cf71dc1ab

SHA256
58605600fdaafbc0052a4c1eb92f68005307554cf5ad04c226c320a1c14f789e

SHA512
4f735678b7e38c8e8b693593696f9483cf21f00aea2a6027e908515aa047ec873578c5068354973786e9cfd0d25b7ab1dd6cbb1b97654f202cbb17e233247a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32122\skoch.aes

Filesize
180KB

MD5
9d6f069b6ad5dc788743bc9204f33a85

SHA1
66177aabe410329e92e8caa95e11f7e60df2df19

SHA256
433eb64d84c714b24713ddd85820176158ae51b84f963827d6d04ee52415fde3

SHA512
957956bc719125c35cad3be0d0ffac6215aaa800e289d9c045e03c578da4923cabedce29788837f48ddf17f75babe567e2315f34e280287d6ac2f6bd4f03d666

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sfovn35d.xaj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\mvLNUaMN.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
2e4634a3399df09260f15492d4917ee6

SHA1
3dd013ac6bdd3545b1b2e5473b002b338669bf1a

SHA256
d6b7c22ab8490a7abea8f1313eb04598f81e60942cda9e464e29e859799c4b20

SHA512
44f1b38eeec785dae3d7b665c3d9a3b4ac9690051f146eeb4debcac1bfcc0bf4dea82de2a2ddafde368b20dbc22df6e353b3419f94a481822bbcaebb6faa1feb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF8B.tmp.dat

Filesize
114KB

MD5
db78fd083bc8918ce8a2cc5cb79944db

SHA1
8887055003ce9177d6eab0f7a427f093e1746118

SHA256
c9bc9eba37de0346ed5661939e150bed121d880d563098857ca846bb854fb1ef

SHA512
cf8f216f2a851fb208f2f534efbcb64c60a4009683bdb10887426412ebe39fd7908ec8ac039d7fca5ac35f4d85a7698da5ac02b5350022096a47582a62c72666

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF8D.tmp.dat

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF90.tmp.dat

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\f8c1f3ceb66875ca8bcb5821fa762041\Admin@UUHJKMQK_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\f8c1f3ceb66875ca8bcb5821fa762041\Admin@UUHJKMQK_en-US\System\Process.txt

Filesize
4KB

MD5
ce7b22069008ee7a067490bbba60a1f2

SHA1
f8440b8b288cec729e0ee7a0994f2d6f09c8e9f8

SHA256
e0c0655d0c26c87ac4807f1cb245c96f3c36fe3670b83d2352e2f771606b1e5c

SHA512
2a290b3f0ea586c5f94d8da3b47607a9d283996e50e4acd652b7913da532304f4e399843ded569a3fd9c7fa496dd7a1f361c3ec0b99fa967a04ea96fa68b4d58

Download Submit
memory/1096-480-0x0000000000400000-0x0000000000AB5000-memory.dmp

Filesize
6.7MB

Download
memory/1320-250-0x0000000000290000-0x000000000031C000-memory.dmp

Filesize
560KB

Download
memory/1464-318-0x0000000000AB0000-0x00000000010AC000-memory.dmp

Filesize
6.0MB

Download
memory/1764-299-0x00007FFB8ECB0000-0x00007FFB8ECC0000-memory.dmp

Filesize
64KB

Download
memory/1764-297-0x00007FFB8ECB0000-0x00007FFB8ECC0000-memory.dmp

Filesize
64KB

Download
memory/1764-298-0x00007FFB8ECB0000-0x00007FFB8ECC0000-memory.dmp

Filesize
64KB

Download
memory/1764-296-0x00007FFB8ECB0000-0x00007FFB8ECC0000-memory.dmp

Filesize
64KB

Download
memory/1764-295-0x00007FFB8ECB0000-0x00007FFB8ECC0000-memory.dmp

Filesize
64KB

Download
memory/1764-307-0x00007FFB8C510000-0x00007FFB8C520000-memory.dmp

Filesize
64KB

Download
memory/1764-319-0x00007FFB8C510000-0x00007FFB8C520000-memory.dmp

Filesize
64KB

Download
memory/1884-653-0x0000020C62030000-0x0000020C62052000-memory.dmp

Filesize
136KB

Download
memory/2240-533-0x00007FFBA9750000-0x00007FFBA9868000-memory.dmp

Filesize
1.1MB

Download
memory/2240-633-0x00007FFBAD030000-0x00007FFBAD05E000-memory.dmp

Filesize
184KB

Download
memory/2240-624-0x00007FFBB6FE0000-0x00007FFBB6FFF000-memory.dmp

Filesize
124KB

Download
memory/2240-499-0x00007FFBB6FE0000-0x00007FFBB6FFF000-memory.dmp

Filesize
124KB

Download
memory/2240-518-0x00007FFBAA450000-0x00007FFBAA5CA000-memory.dmp

Filesize
1.5MB

Download
memory/2240-519-0x00007FFBAD060000-0x00007FFBAD079000-memory.dmp

Filesize
100KB

Download
memory/2240-520-0x00007FFBC0390000-0x00007FFBC039D000-memory.dmp

Filesize
52KB

Download
memory/2240-521-0x00007FFBAD030000-0x00007FFBAD05E000-memory.dmp

Filesize
184KB

Download
memory/2240-524-0x00007FFBAA390000-0x00007FFBAA448000-memory.dmp

Filesize
736KB

Download
memory/2240-523-0x00007FFBB1B40000-0x00007FFBB1B64000-memory.dmp

Filesize
144KB

Download
memory/2240-522-0x00007FFBA91B0000-0x00007FFBA9616000-memory.dmp

Filesize
4.4MB

Download
memory/2240-525-0x00007FFBA3350000-0x00007FFBA36C9000-memory.dmp

Filesize
3.5MB

Download
memory/2240-625-0x00007FFBAA450000-0x00007FFBAA5CA000-memory.dmp

Filesize
1.5MB

Download
memory/2240-527-0x000001F394BB0000-0x000001F394F29000-memory.dmp

Filesize
3.5MB

Download
memory/2240-531-0x00007FFBC0110000-0x00007FFBC011D000-memory.dmp

Filesize
52KB

Download
memory/2240-532-0x00007FFBB6FE0000-0x00007FFBB6FFF000-memory.dmp

Filesize
124KB

Download
memory/2240-626-0x00007FFBAD060000-0x00007FFBAD079000-memory.dmp

Filesize
100KB

Download
memory/2240-530-0x00007FFBAD010000-0x00007FFBAD025000-memory.dmp

Filesize
84KB

Download
memory/2240-556-0x00007FFBAA450000-0x00007FFBAA5CA000-memory.dmp

Filesize
1.5MB

Download
memory/2240-627-0x00007FFBB1B40000-0x00007FFBB1B64000-memory.dmp

Filesize
144KB

Download
memory/2240-628-0x00007FFBAA390000-0x00007FFBAA448000-memory.dmp

Filesize
736KB

Download
memory/2240-561-0x00007FFBAD030000-0x00007FFBAD05E000-memory.dmp

Filesize
184KB

Download
memory/2240-462-0x00007FFBB1B40000-0x00007FFBB1B64000-memory.dmp

Filesize
144KB

Download
memory/2240-629-0x00007FFBA3350000-0x00007FFBA36C9000-memory.dmp

Filesize
3.5MB

Download
memory/2240-558-0x00007FFBAD060000-0x00007FFBAD079000-memory.dmp

Filesize
100KB

Download
memory/2240-630-0x00007FFBAD010000-0x00007FFBAD025000-memory.dmp

Filesize
84KB

Download
memory/2240-563-0x00007FFBAA390000-0x00007FFBAA448000-memory.dmp

Filesize
736KB

Download
memory/2240-463-0x00007FFBC04C0000-0x00007FFBC04CF000-memory.dmp

Filesize
60KB

Download
memory/2240-631-0x00007FFBC0110000-0x00007FFBC011D000-memory.dmp

Filesize
52KB

Download
memory/2240-632-0x00007FFBA9750000-0x00007FFBA9868000-memory.dmp

Filesize
1.1MB

Download
memory/2240-569-0x00007FFBA3350000-0x00007FFBA36C9000-memory.dmp

Filesize
3.5MB

Download
memory/2240-572-0x000001F394BB0000-0x000001F394F29000-memory.dmp

Filesize
3.5MB

Download
memory/2240-466-0x00007FFBAD130000-0x00007FFBAD15C000-memory.dmp

Filesize
176KB

Download
memory/2240-464-0x00007FFBAD080000-0x00007FFBAD098000-memory.dmp

Filesize
96KB

Download
memory/2240-623-0x00007FFBAD130000-0x00007FFBAD15C000-memory.dmp

Filesize
176KB

Download
memory/2240-439-0x00007FFBA91B0000-0x00007FFBA9616000-memory.dmp

Filesize
4.4MB

Download
memory/2240-622-0x00007FFBAD080000-0x00007FFBAD098000-memory.dmp

Filesize
96KB

Download
memory/2240-621-0x00007FFBC04C0000-0x00007FFBC04CF000-memory.dmp

Filesize
60KB

Download
memory/2240-575-0x00007FFBA9750000-0x00007FFBA9868000-memory.dmp

Filesize
1.1MB

Download
memory/2240-619-0x00007FFBA91B0000-0x00007FFBA9616000-memory.dmp

Filesize
4.4MB

Download
memory/2240-620-0x00007FFBC0390000-0x00007FFBC039D000-memory.dmp

Filesize
52KB

Download
memory/2428-65-0x00007FFBB0793000-0x00007FFBB0795000-memory.dmp

Filesize
8KB

Download
memory/2428-119-0x0000000000220000-0x0000000000982000-memory.dmp

Filesize
7.4MB

Download
memory/3032-317-0x0000000000400000-0x0000000000AB5000-memory.dmp

Filesize
6.7MB

Download
memory/3300-483-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/3300-944-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/3300-917-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/3300-803-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/3592-479-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3600-0-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/3600-130-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/3644-869-0x0000000005710000-0x000000000571A000-memory.dmp

Filesize
40KB

Download
memory/3644-760-0x00000000054E0000-0x0000000005572000-memory.dmp

Filesize
584KB

Download
memory/3644-797-0x0000000005B30000-0x00000000060D4000-memory.dmp

Filesize
5.6MB

Download
memory/3644-643-0x00000000027D0000-0x0000000002836000-memory.dmp

Filesize
408KB

Download
memory/3644-481-0x0000000000460000-0x0000000000492000-memory.dmp

Filesize
200KB

Download
memory/4560-213-0x00000000000B0000-0x000000000078A000-memory.dmp

Filesize
6.9MB

Download
memory/4564-562-0x00007FFBBFCE0000-0x00007FFBBFCF8000-memory.dmp

Filesize
96KB

Download
memory/4564-603-0x00007FFBBFA90000-0x00007FFBBFAAF000-memory.dmp

Filesize
124KB

Download
memory/4564-599-0x00007FFBC03F0000-0x00007FFBC03FF000-memory.dmp

Filesize
60KB

Download
memory/4564-595-0x00007FFBAF1C0000-0x00007FFBAF278000-memory.dmp

Filesize
736KB

Download
memory/4564-576-0x00007FFBBFC40000-0x00007FFBBFC6E000-memory.dmp

Filesize
184KB

Download
memory/4564-602-0x00007FFBBFCE0000-0x00007FFBBFCF8000-memory.dmp

Filesize
96KB

Download
memory/4564-601-0x00007FFBC0400000-0x00007FFBC0424000-memory.dmp

Filesize
144KB

Download
memory/4564-600-0x00007FFBB0DF0000-0x00007FFBB1256000-memory.dmp

Filesize
4.4MB

Download
memory/4564-596-0x00007FFBA2FD0000-0x00007FFBA3349000-memory.dmp

Filesize
3.5MB

Download
memory/4564-591-0x00007FFBA9FE0000-0x00007FFBAA15A000-memory.dmp

Filesize
1.5MB

Download
memory/4564-594-0x00007FFBBFC40000-0x00007FFBBFC6E000-memory.dmp

Filesize
184KB

Download
memory/4564-592-0x00007FFBBFC70000-0x00007FFBBFC89000-memory.dmp

Filesize
100KB

Download
memory/4564-584-0x00007FFBBFCB0000-0x00007FFBBFCDC000-memory.dmp

Filesize
176KB

Download
memory/4564-583-0x00007FFBBFBC0000-0x00007FFBBFBCD000-memory.dmp

Filesize
52KB

Download
memory/4564-593-0x00007FFBC03E0000-0x00007FFBC03ED000-memory.dmp

Filesize
52KB

Download
memory/4564-582-0x00007FFBBFA70000-0x00007FFBBFA85000-memory.dmp

Filesize
84KB

Download
memory/4564-579-0x00007FFBC0400000-0x00007FFBC0424000-memory.dmp

Filesize
144KB

Download
memory/4564-581-0x000001C80D180000-0x000001C80D4F9000-memory.dmp

Filesize
3.5MB

Download
memory/4564-580-0x00007FFBA2FD0000-0x00007FFBA3349000-memory.dmp

Filesize
3.5MB

Download
memory/4564-577-0x00007FFBAF1C0000-0x00007FFBAF278000-memory.dmp

Filesize
736KB

Download
memory/4564-578-0x00007FFBB0DF0000-0x00007FFBB1256000-memory.dmp

Filesize
4.4MB

Download
memory/4564-573-0x00007FFBBFC70000-0x00007FFBBFC89000-memory.dmp

Filesize
100KB

Download
memory/4564-574-0x00007FFBC03E0000-0x00007FFBC03ED000-memory.dmp

Filesize
52KB

Download
memory/4564-570-0x00007FFBBFA90000-0x00007FFBBFAAF000-memory.dmp

Filesize
124KB

Download
memory/4564-571-0x00007FFBA9FE0000-0x00007FFBAA15A000-memory.dmp

Filesize
1.5MB

Download
memory/4564-564-0x00007FFBBFCB0000-0x00007FFBBFCDC000-memory.dmp

Filesize
176KB

Download
memory/4564-560-0x00007FFBC03F0000-0x00007FFBC03FF000-memory.dmp

Filesize
60KB

Download
memory/4564-559-0x00007FFBC0400000-0x00007FFBC0424000-memory.dmp

Filesize
144KB

Download
memory/4564-557-0x00007FFBB0DF0000-0x00007FFBB1256000-memory.dmp

Filesize
4.4MB

Download
memory/4712-526-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download