asyncrat | 7fc8daf832131aa01ee5add4cfd2cde34fe755046297ff91ac455abd8b145189

Analysis

max time kernel
59s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Comcast.exe
Size

559KB
MD5

0f0e8dc6228e0872cce9bd634d7f3060
SHA1

08216ff5c764989aa524d267fe57dd219d9a74e0
SHA256

5319207eda6eec62c0d70cee548a2d0eab10ebb3f8e6bb8f721f8f83ec3f9ad4
SHA512

c5eae41ab6af2a4be24aea9a9045852f06cfc07adfc76a2b7eeee530deb0d45eb2e81e886443575fb0a1d389c571642103c47a3c483fec73aedcdc45c7d75180
SSDEEP

6144:k9wxDubaBBOBIIj6HLLYLCYJqvc1D6W5gDp/bzaXVHebdBwcDubaBBOBIIj6HLLo:kba/WKuVHAdB2ba4mky+o64k

Score

10^/10

asyncrat neshta stormkitty default discovery persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7869034897:AAEJf4BzwvPYQzG1jeZLBHwiHFhXCFlDu1I/sendMessage?chat_id=1457932129

https://api.telegram.org/bot8183912070:AAGxwq-YWsMb4FtMiN-pnoAFnMm_DdvDrN8/sendMessage?chat_id=7221408397

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Neshta payload 29 IoCs

resource	yara_rule
behavioral1/files/0x0001000000010314-12.dat	family_neshta
behavioral1/files/0x00060000000193ac-16.dat	family_neshta
behavioral1/files/0x0001000000010312-41.dat	family_neshta
behavioral1/memory/2040-40-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x0009000000010663-39.dat	family_neshta
behavioral1/files/0x0029000000010667-38.dat	family_neshta
behavioral1/files/0x000100000000f7d2-43.dat	family_neshta
behavioral1/files/0x000100000000f775-46.dat	family_neshta
behavioral1/files/0x0001000000010c12-65.dat	family_neshta
behavioral1/files/0x00010000000118ea-74.dat	family_neshta
behavioral1/files/0x00010000000118e3-73.dat	family_neshta
behavioral1/files/0x0001000000011876-72.dat	family_neshta
behavioral1/files/0x0001000000010f30-71.dat	family_neshta
behavioral1/files/0x00010000000117fc-70.dat	family_neshta
behavioral1/files/0x000300000001219d-84.dat	family_neshta
behavioral1/files/0x000300000001215c-86.dat	family_neshta
behavioral1/files/0x000200000001180f-91.dat	family_neshta
behavioral1/files/0x00050000000055e4-124.dat	family_neshta
behavioral1/files/0x000b00000000598c-138.dat	family_neshta
behavioral1/files/0x000300000000e6f5-137.dat	family_neshta
behavioral1/files/0x0003000000005ab7-136.dat	family_neshta
behavioral1/files/0x000d0000000056d7-134.dat	family_neshta
behavioral1/files/0x0004000000005725-133.dat	family_neshta
behavioral1/memory/2404-283-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1200-284-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2404-299-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1200-296-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1944-320-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1508-310-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 5 IoCs

resource	yara_rule
behavioral1/files/0x00060000000193a4-2.dat	family_stormkitty
behavioral1/files/0x00060000000195e6-24.dat	family_stormkitty
behavioral1/files/0x000500000001961d-31.dat	family_stormkitty
behavioral1/memory/2828-37-0x00000000010E0000-0x0000000001120000-memory.dmp	family_stormkitty
behavioral1/memory/2228-36-0x0000000000E10000-0x0000000000E50000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/files/0x00060000000195e6-24.dat	family_asyncrat
behavioral1/files/0x000500000001961d-31.dat	family_asyncrat

Executes dropped EXE 7 IoCs

pid	Process
2096	Comcast.exe
1200	svchost.com
2228	LOADER.EXE
2040	svchost.com
2828	SYSTEM.EXE
1508	svchost.com
1944	svchost.com

Loads dropped DLL 7 IoCs

pid	Process
2404	Comcast.exe
2404	Comcast.exe
1200	svchost.com
2040	svchost.com
2404	Comcast.exe
1200	svchost.com
2404	Comcast.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	Comcast.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 10 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\d675968828d199471b02d5ec431fc171\Admin@JSMURNPT_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	LOADER.EXE
File created	C:\Users\Admin\AppData\Local\1a1daa87c02ac20826cf2cfdd136e255\Admin@JSMURNPT_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	SYSTEM.EXE
File created	C:\Users\Admin\AppData\Local\1a1daa87c02ac20826cf2cfdd136e255\Admin@JSMURNPT_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	SYSTEM.EXE
File opened for modification	C:\Users\Admin\AppData\Local\d675968828d199471b02d5ec431fc171\Admin@JSMURNPT_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	LOADER.EXE
File created	C:\Users\Admin\AppData\Local\1a1daa87c02ac20826cf2cfdd136e255\Admin@JSMURNPT_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	SYSTEM.EXE
File opened for modification	C:\Users\Admin\AppData\Local\1a1daa87c02ac20826cf2cfdd136e255\Admin@JSMURNPT_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	SYSTEM.EXE
File created	C:\Users\Admin\AppData\Local\d675968828d199471b02d5ec431fc171\Admin@JSMURNPT_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	LOADER.EXE
File created	C:\Users\Admin\AppData\Local\d675968828d199471b02d5ec431fc171\Admin@JSMURNPT_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	LOADER.EXE
File created	C:\Users\Admin\AppData\Local\1a1daa87c02ac20826cf2cfdd136e255\Admin@JSMURNPT_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	SYSTEM.EXE
File created	C:\Users\Admin\AppData\Local\d675968828d199471b02d5ec431fc171\Admin@JSMURNPT_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	LOADER.EXE

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	icanhazip.com
5	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	Comcast.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	Comcast.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	Comcast.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	Comcast.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	Comcast.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	Comcast.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	Comcast.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	Comcast.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	Comcast.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	Comcast.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	Comcast.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	Comcast.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	Comcast.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	Comcast.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	Comcast.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	Comcast.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	Comcast.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	Comcast.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	Comcast.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	Comcast.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	Comcast.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	Comcast.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	Comcast.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	Comcast.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	Comcast.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	Comcast.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	Comcast.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	Comcast.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	Comcast.exe
File opened for modification	C:\Windows\directx.sys	svchost.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Comcast.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LOADER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SYSTEM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Comcast.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2848	cmd.exe
1652	netsh.exe
2664	cmd.exe
1516	netsh.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	SYSTEM.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	SYSTEM.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	LOADER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	LOADER.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	Comcast.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2300	schtasks.exe
2512	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2228	LOADER.EXE
2228	LOADER.EXE
2828	SYSTEM.EXE
2828	SYSTEM.EXE
2228	LOADER.EXE
2228	LOADER.EXE
2828	SYSTEM.EXE
2828	SYSTEM.EXE
2228	LOADER.EXE
2828	SYSTEM.EXE
2828	SYSTEM.EXE
2228	LOADER.EXE
2828	SYSTEM.EXE
2228	LOADER.EXE
2828	SYSTEM.EXE
2228	LOADER.EXE
2228	LOADER.EXE
2828	SYSTEM.EXE
2228	LOADER.EXE
2828	SYSTEM.EXE
2228	LOADER.EXE
2828	SYSTEM.EXE
2828	SYSTEM.EXE
2228	LOADER.EXE
2828	SYSTEM.EXE
2228	LOADER.EXE
2828	SYSTEM.EXE
2228	LOADER.EXE
2828	SYSTEM.EXE
2228	LOADER.EXE
2828	SYSTEM.EXE
2228	LOADER.EXE
2828	SYSTEM.EXE
2228	LOADER.EXE
2828	SYSTEM.EXE
2228	LOADER.EXE
2828	SYSTEM.EXE
2228	LOADER.EXE
2228	LOADER.EXE
2828	SYSTEM.EXE
2828	SYSTEM.EXE
2228	LOADER.EXE
2828	SYSTEM.EXE
2228	LOADER.EXE
2828	SYSTEM.EXE
2228	LOADER.EXE
2228	LOADER.EXE
2828	SYSTEM.EXE
2828	SYSTEM.EXE
2228	LOADER.EXE
2228	LOADER.EXE
2828	SYSTEM.EXE
2828	SYSTEM.EXE
2228	LOADER.EXE
2228	LOADER.EXE
2828	SYSTEM.EXE
2228	LOADER.EXE
2828	SYSTEM.EXE
2228	LOADER.EXE
2828	SYSTEM.EXE
2828	SYSTEM.EXE
2228	LOADER.EXE
2228	LOADER.EXE
2828	SYSTEM.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2828	SYSTEM.EXE
Token: SeDebugPrivilege	2228	LOADER.EXE
Token: SeDebugPrivilege	2828	SYSTEM.EXE
Token: SeDebugPrivilege	2228	LOADER.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2096	2404	Comcast.exe	30
PID 2404 wrote to memory of 2096	2404	Comcast.exe	30
PID 2404 wrote to memory of 2096	2404	Comcast.exe	30
PID 2404 wrote to memory of 2096	2404	Comcast.exe	30
PID 2096 wrote to memory of 1200	2096	Comcast.exe	31
PID 2096 wrote to memory of 1200	2096	Comcast.exe	31
PID 2096 wrote to memory of 1200	2096	Comcast.exe	31
PID 2096 wrote to memory of 1200	2096	Comcast.exe	31
PID 2096 wrote to memory of 2040	2096	Comcast.exe	32
PID 2096 wrote to memory of 2040	2096	Comcast.exe	32
PID 2096 wrote to memory of 2040	2096	Comcast.exe	32
PID 2096 wrote to memory of 2040	2096	Comcast.exe	32
PID 1200 wrote to memory of 2228	1200	svchost.com	33
PID 1200 wrote to memory of 2228	1200	svchost.com	33
PID 1200 wrote to memory of 2228	1200	svchost.com	33
PID 1200 wrote to memory of 2228	1200	svchost.com	33
PID 2040 wrote to memory of 2828	2040	svchost.com	34
PID 2040 wrote to memory of 2828	2040	svchost.com	34
PID 2040 wrote to memory of 2828	2040	svchost.com	34
PID 2040 wrote to memory of 2828	2040	svchost.com	34
PID 2228 wrote to memory of 2848	2228	LOADER.EXE	36
PID 2228 wrote to memory of 2848	2228	LOADER.EXE	36
PID 2228 wrote to memory of 2848	2228	LOADER.EXE	36
PID 2228 wrote to memory of 2848	2228	LOADER.EXE	36
PID 2848 wrote to memory of 2592	2848	cmd.exe	38
PID 2848 wrote to memory of 2592	2848	cmd.exe	38
PID 2848 wrote to memory of 2592	2848	cmd.exe	38
PID 2848 wrote to memory of 2592	2848	cmd.exe	38
PID 2848 wrote to memory of 1652	2848	cmd.exe	39
PID 2848 wrote to memory of 1652	2848	cmd.exe	39
PID 2848 wrote to memory of 1652	2848	cmd.exe	39
PID 2848 wrote to memory of 1652	2848	cmd.exe	39
PID 2848 wrote to memory of 2504	2848	cmd.exe	40
PID 2848 wrote to memory of 2504	2848	cmd.exe	40
PID 2848 wrote to memory of 2504	2848	cmd.exe	40
PID 2848 wrote to memory of 2504	2848	cmd.exe	40
PID 2828 wrote to memory of 2664	2828	SYSTEM.EXE	41
PID 2828 wrote to memory of 2664	2828	SYSTEM.EXE	41
PID 2828 wrote to memory of 2664	2828	SYSTEM.EXE	41
PID 2828 wrote to memory of 2664	2828	SYSTEM.EXE	41
PID 2664 wrote to memory of 1964	2664	cmd.exe	43
PID 2664 wrote to memory of 1964	2664	cmd.exe	43
PID 2664 wrote to memory of 1964	2664	cmd.exe	43
PID 2664 wrote to memory of 1964	2664	cmd.exe	43
PID 2664 wrote to memory of 1516	2664	cmd.exe	44
PID 2664 wrote to memory of 1516	2664	cmd.exe	44
PID 2664 wrote to memory of 1516	2664	cmd.exe	44
PID 2664 wrote to memory of 1516	2664	cmd.exe	44
PID 2664 wrote to memory of 1980	2664	cmd.exe	45
PID 2664 wrote to memory of 1980	2664	cmd.exe	45
PID 2664 wrote to memory of 1980	2664	cmd.exe	45
PID 2664 wrote to memory of 1980	2664	cmd.exe	45
PID 2828 wrote to memory of 1144	2828	SYSTEM.EXE	46
PID 2828 wrote to memory of 1144	2828	SYSTEM.EXE	46
PID 2828 wrote to memory of 1144	2828	SYSTEM.EXE	46
PID 2828 wrote to memory of 1144	2828	SYSTEM.EXE	46
PID 2228 wrote to memory of 1828	2228	LOADER.EXE	47
PID 2228 wrote to memory of 1828	2228	LOADER.EXE	47
PID 2228 wrote to memory of 1828	2228	LOADER.EXE	47
PID 2228 wrote to memory of 1828	2228	LOADER.EXE	47
PID 1144 wrote to memory of 2196	1144	cmd.exe	50
PID 1144 wrote to memory of 2196	1144	cmd.exe	50
PID 1144 wrote to memory of 2196	1144	cmd.exe	50
PID 1144 wrote to memory of 2196	1144	cmd.exe	50

C:\Users\Admin\AppData\Local\Temp\Comcast.exe
"C:\Users\Admin\AppData\Local\Temp\Comcast.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Local\Temp\3582-490\Comcast.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\Comcast.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
      C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2228
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2848
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1652
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2504
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1828
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2172
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:812
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1944
      - C:\Windows\SysWOW64\schtasks.exe
        
        C:\Windows\System32\schtasks.exe /create /f /sc ONLOGON /RL HIGHEST /tn Chrome Update /tr C:\Users\Admin\AppData\Local\Temp\LOADER.EXE
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2512
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
      C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2828
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2664
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1964
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1516
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1980
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1144
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2776
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1508
      - C:\Windows\SysWOW64\schtasks.exe
        
        C:\Windows\System32\schtasks.exe /create /f /sc ONLOGON /RL HIGHEST /tn Chrome Update /tr C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE

Filesize
285KB

MD5
831270ac3db358cdbef5535b0b3a44e6

SHA1
c0423685c09bbe465f6bb7f8672c936e768f05a3

SHA256
a8f78ac26c738b13564252f1048ca784bf152ef048b829d3d22650b7f62078f0

SHA512
f64a00977d4b6f8c43f53cee7bb450f3c8cbef08525975055fde5d8c515db32d2bfad92e99313b3a10a72a50dd09b4ffe28e9af4c148c6480622ba486776e450

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe

Filesize
381KB

MD5
3ec4922dbca2d07815cf28144193ded9

SHA1
75cda36469743fbc292da2684e76a26473f04a6d

SHA256
0587fd366ea7e94b3ae500874b1c5d684b5357fcc7389682d5a13c3301a28801

SHA512
956c3a1f2689cb72600edd2e90d652b77592a8a81d319dce026e88f6c02231af06aebd57d68460eb406de00c113522173423cb1b339a41a3918f379c7dc311f7

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE

Filesize
157KB

MD5
a24fbb149eddf7a0fe981bd06a4c5051

SHA1
fce5bb381a0c449efad3d01bbd02c78743c45093

SHA256
5d13230eae7cd9b4869145c3280f7208788a8e68c9930a5c9aa3e822684a963d

SHA512
1c73b762c340a8d7ea580985ba034a404c859d814690390a6e0b6786575c219db9ca20880ea20313bb244560e36cf24e4dda90229b3084d770495f4ceedfd5de

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE

Filesize
229KB

MD5
28f7305b74e1d71409fec722d940d17a

SHA1
4c64e1ceb723f90da09e1a11e677d01fc8118677

SHA256
706db4d832abdf4907a1386b917e553315660a59bfb4c180e38215b4a606d896

SHA512
117de88d0bc437023ca2f1f54b1f2cf03b00c8cb52e4b728cabcb3140659c67cdb6d2c203d3ca13767312831c6308622dfa65d6c5361ec28aaf4ec0870f9ba6e

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE

Filesize
503KB

MD5
3f67da7e800cd5b4af2283a9d74d2808

SHA1
f9288d052b20a9f4527e5a0f87f4249f5e4440f7

SHA256
31c10320edb2de22f37faee36611558db83b78a9c3c71ea0ed13c8dce25bf711

SHA512
6a40f4629ddae102d8737e921328e95717274cea16eb5f23bff6a6627c6047d7f27e7f6eb5cb52f53152e326e53b6ee44d9a9ee8eca7534a2f62fa457ac3d4e3

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE

Filesize
153KB

MD5
12a5d7cade13ae01baddf73609f8fbe9

SHA1
34e425f4a21db8d7902a78107d29aec1bde41e06

SHA256
94e8ea2ed536484492d746f6f5808192cb81ae3c35f55d60826a2db64a254dd5

SHA512
a240f5c59226749792cfb9fbd76b086d2544a493b834a72c0bfd8b076ed753ec8876ff056fc35f63f5497183d985f8f8c5c7b6abbcad70981f1ec83af1b3bd76

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe

Filesize
539KB

MD5
60f6a975a53a542fd1f6e617f3906d86

SHA1
2be1ae6fffb3045fd67ed028fe6b22e235a3d089

SHA256
be23688697af7b859d62519807414565308e79a6ecac221350cd502d6bf54733

SHA512
360872d256ef91ea3debfb9b3efa22ee80859af9df29e0687c8e1b3c386d88ff1dc5635b86e714fbf1a7d4d6bc3d791efa31a9d9d13e0f79547b631bddb5108d

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe

Filesize
205KB

MD5
da31170e6de3cf8bd6cf7346d9ef5235

SHA1
e2c9602f5c7778f9614672884638efd5dd2aee92

SHA256
7737ab500cbbd5d507881d481eef9bd91cf6650bf8d2b41b47b1a8c5f2789858

SHA512
2759d938d6ad963e0bf63481a700f7c503d06011a60bcfc1071b511e38afa87d903deb36f9cbfa0b3fd08f1ecb88d2c0bddf0d3b5f2dea2a0cca1a80471669f3

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE

Filesize
155KB

MD5
96a14f39834c93363eebf40ae941242c

SHA1
5a3a676403d4e6ad0a51d0f0e2bbdd636ae5d6fc

SHA256
8ee4aa23eb92c4aba9a46b18ac249a5fa11c5abb7e2c1ca82cd5196401db790a

SHA512
fbf307a8053e9478a52cfdf8e8bad3d7c6664c893458786ae6ee4fffc6fe93006e99a2a60c97fb62dad1addd5247621517f4edee5d9545717c4587a272cef9a2

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE

Filesize
265KB

MD5
25e165d6a9c6c0c77ee1f94c9e58754b

SHA1
9b614c1280c75d058508bba2a468f376444b10c1

SHA256
8bbe59987228dd9ab297f9ea34143ea1e926bfb19f3d81c2904ab877f31e1217

SHA512
7d55c7d86ccabb6e9769ebca44764f4d89e221d5756e5c5d211e52c271e3ce222df90bc9938248e2e210d6695f30f6280d929d19ef41c09d3ea31688ae24d4bf

Download Submit
C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe

Filesize
129KB

MD5
b1e0da67a985533914394e6b8ac58205

SHA1
5a65e6076f592f9ea03af582d19d2407351ba6b6

SHA256
67629b025fed676bd607094fa7f21550e18c861495ba664ee0d2b215a4717d7f

SHA512
188ebb9a58565ca7ed81a46967a66d583f7dea43a2fc1fe8076a79ef4a83119ccaa22f948a944abae8f64b3a4b219f5184260eff7201eb660c321f6c0d1eba22

Download Submit
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE

Filesize
485KB

MD5
86749cd13537a694795be5d87ef7106d

SHA1
538030845680a8be8219618daee29e368dc1e06c

SHA256
8c35dcc975a5c7c687686a3970306452476d17a89787bc5bd3bf21b9de0d36a5

SHA512
7b6ae20515fb6b13701df422cbb0844d26c8a98087b2758427781f0bf11eb9ec5da029096e42960bf99ddd3d4f817db6e29ac172039110df6ea92547d331db4c

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

Filesize
674KB

MD5
97510a7d9bf0811a6ea89fad85a9f3f3

SHA1
2ac0c49b66a92789be65580a38ae9798237711db

SHA256
c48abbc29405559e68cc9f8fc6d218aa317a9d0023839c7846ca509c1f563fea

SHA512
2a93e2a3bd187fdde160f87ef777ccd1d1c398d547b7c869e6b64469b9418ad04d887cdfe94af7407476377bf2d009f576de3935c025b7aefbab26fbcd8f90fb

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE

Filesize
674KB

MD5
9c10a5ec52c145d340df7eafdb69c478

SHA1
57f3d99e41d123ad5f185fc21454367a7285db42

SHA256
ccf37e88447a7afdb0ba4351b8c5606dbb05b984fb133194d71bcc00d7be4e36

SHA512
2704cfd1a708bfca6db7c52467d3abf0b09313db0cdd1ea8e5d48504c8240c4bf24e677f17c5df9e3ac1f6a678e0328e73e951dc4481f35027cb03b2966dc38f

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE

Filesize
495KB

MD5
9597098cfbc45fae685d9480d135ed13

SHA1
84401f03a7942a7e4fcd26e4414b227edd9b0f09

SHA256
45966655baaed42df92cd6d8094b4172c0e7a0320528b59cf63fca7c25d66e9c

SHA512
16afbdffe4b4b2e54b4cc96fe74e49ca367dea50752321ddf334756519812ba8ce147ef5459e421dc42e103bc3456aab1d185588cc86b35fa2315ac86b2a0164

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE

Filesize
525KB

MD5
cebae9dc98bf637c274ce0b52bb38afe

SHA1
727c3ba705d4c225e424f6c666e962e0256d0be1

SHA256
0d900859e3e866a1ac8b7f7e767817eb89abac9f76512642fcd0406f135f2b7a

SHA512
0039f051fba34e039a1f6179bb8aa65fa9f7250a9ba2f16b5bfe0b1d53d4cc88ca376e1d8b1435fdb458ffd9a2025326e9e6ce13969013e3d43a27948a105eb4

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

Filesize
495KB

MD5
07e194ce831b1846111eb6c8b176c86e

SHA1
b9c83ec3b0949cb661878fb1a8b43a073e15baf1

SHA256
d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac

SHA512
55f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5

Download Submit
C:\Users\Admin\AppData\Local\6f3fc3b0cbb4347e2ed512b55507fd71\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE

Filesize
233KB

MD5
2ec124f1a1d284c71332a1541c308ae0

SHA1
f23a33182205ccf2800d90ceeee4b72c340b4280

SHA256
56dd386561669429d2f2e68160ab518a006373711382cdad694c9718ec449d07

SHA512
6f3c415318ea58d847ee69b9d4079965ac51ad982ae4e7b99de8cad6d6c0fe2ce4b8cf955714201b2e58b94f612bebf4269035744e00ac9ae2db3fd66e86e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
35b6001877e838f67efae4cfc185ec61

SHA1
e284cf065d8fe9de6307d9c5c0305e8101ba7dd5

SHA256
3713eb7e64c60aa293773611519b14e63b8d1f90355b262516697e8bf6b8b80b

SHA512
55b5f734048c622ea4547232d459fa4f3e33a122a437da55f9fa5b946f6d4cfe4dd2beb7f5826af2b968cac4dc7e24b5d7d22bc33b10efe90d5da7d547416edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

Filesize
8B

MD5
9ec379974f718d64d14397df495f44e5

SHA1
6f352614049d3404f5f037b63bef5b4a2b01afcd

SHA256
53130781932f5e987aad491fae46cee12c69575b80be4136247f492010e4d0e3

SHA512
48a4be9c93fb68c9ed4c573a20784326c38b18ac10ed2a14b615fc080c5f6f69e22763020ffe544e5567fba46be2e1f05b1e12d35879676e82ee81a9434f2c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB387.tmp.dat

Filesize
92KB

MD5
0040f587d31c3c0be57da029997f9978

SHA1
d4729f8ed094797bd54ea8a9987aaa7058e7eaa2

SHA256
a285e3bc24d218869afd114c236f0aafebeba96d4105ddd379ae31f03b26079b

SHA512
3e4ffca2ff979b5f91a0c8d5d1fa52f0ab47ff63e50b1cc5e7708c4ba8359ee8505a9259f329da5733048e953f0778af73ce76735b481d558dd05a2cb45a5977

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB389.tmp.dat

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\d675968828d199471b02d5ec431fc171\Admin@JSMURNPT_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Windows\directx.sys

Filesize
80B

MD5
2684c9074d7a93a045bf23f539d5c73c

SHA1
14b6dfb4bd8d7e97c6421167e238fe90ffe833f6

SHA256
67bc1941e88ccc5372ae526182822db2a2ec7807505e666484ee8d31d7774ccf

SHA512
36f6c3672a542a7fa6604c35f696dc2716d97b0f3daa8960191c47509b3025da4355f30d7e3a70d82ebffac32b1525e87d91dd129a051b070e58cc9039fd6260

Download Submit
C:\Windows\directx.sys

Filesize
80B

MD5
e8dead1e63c403905cc880112c351bbc

SHA1
afc7c45899f81a41ac04b55999080b8ff3077c05

SHA256
190983788f481d08809af4a49ae1d817ce24681b7442be5006bc4dc62529eb7d

SHA512
745381ed85cc53978daf80d6bff73fb7dc09a4acf41fc1a89b87e0c9d230a4fe5ae43f207c1edca440450048c8c2a3fe308a7a5f9266f8ab7de6a968dd8fb184

Download Submit
C:\Windows\directx.sys

Filesize
46B

MD5
79765fbdcf92b3b4e0f30e70407daf9f

SHA1
1286cbd1d2f19a13d048af38badc35ae5265f125

SHA256
bfcb3579340d6ee21e721c2f66f904e9943c8a72e3594d2055cf80a98839f4fa

SHA512
946b5a80a7fbf5ac018aa73eb4ea71166886064fefd7422334c3fda79a3c4dc09149f2e73cae6b0c5b4f261d487d1019f1350e4d4384850c990b376b0bb08f92

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\Comcast.exe

Filesize
518KB

MD5
732a98f70f3b364160efc0ded95b7d9e

SHA1
d940da0843376023090f1fa20b28392c617f87a7

SHA256
dd30ef9626fba3e10d23a9ba0e53346daacd4312d3669cf7c4e7cef9aed9358e

SHA512
888eb1562e3193ebd5cf017917de2078b51dc18a87fc70c755c65b2b606621f5a0dd08c65f7f3fa148959272e53386978be9af772da440a2523463ceff923025

Download Submit
\Users\Admin\AppData\Local\Temp\LOADER.EXE

Filesize
232KB

MD5
4f90804bbdda4d39eaf4482ede8369bf

SHA1
dc436e8686bb41ec0cae357b57a1f3272aae06b3

SHA256
ac13b498b553a0a1a5f1abbd8dbd1c7ee4bbbc74e488ebdca3693edd5e3ce67e

SHA512
ac85b6407076d2b610216046544521a99b5f67a4d3b4c7d83b1a0996bc62776bdccc7d986e7b85bd0c4beec363fc4a734727c998be70997d740e111f6aef59b0

Download Submit
memory/1200-284-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1200-296-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1508-310-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1944-320-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2040-40-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2228-36-0x0000000000E10000-0x0000000000E50000-memory.dmp

Filesize
256KB

Download
memory/2404-283-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2404-299-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2828-37-0x00000000010E0000-0x0000000001120000-memory.dmp

Filesize
256KB

Download