xworm | e6234adc4009f934481d9138b131bf9567514c8384851a5d6e7f0c1fc96cb07b

Analysis

max time kernel
143s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 05:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SteamSetup.exe
Size

7.6MB
MD5

e9e90acb743b53007dc1b7908cadec37
SHA1

c396df39ae540bd589802d17bbc5382740f4d861
SHA256

e6234adc4009f934481d9138b131bf9567514c8384851a5d6e7f0c1fc96cb07b
SHA512

dfc447434af9f7051587a20cc523236ffd2bcbea638173912f3bf898f90007315c446390ef7ac83b3b1dcfdb4b6cca76a8c7ba4c2ef15b1b60f06bfd77492123
SSDEEP

196608:1l7x31wnc72nlUrZADXfphNBbXtVWrLXQr9lba:R31wnc6mAbfpVfWgDa

Score

10^/10

xworm persistence pyinstaller rat trojan upx

Malware Config

Signatures

Detect Xworm Payload 6 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231c8-6.dat	family_xworm
behavioral2/files/0x00060000000231c8-11.dat	family_xworm
behavioral2/files/0x00060000000231c8-12.dat	family_xworm
behavioral2/memory/3752-13-0x0000000000AF0000-0x0000000000B0A000-memory.dmp	family_xworm
behavioral2/files/0x00060000000231c8-234.dat	family_xworm
behavioral2/files/0x00060000000231c8-239.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	SteamSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	Component Package Support Server.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Component Package Support Server.lnk	Component Package Support Server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Component Package Support Server.lnk	Component Package Support Server.exe

Executes dropped EXE 5 IoCs

pid	Process
3752	Component Package Support Server.exe
4264	Device Association Framework Provider Host.exe
2008	Device Association Framework Provider Host.exe
3100	Component Package Support Server.exe
4124	Component Package Support Server.exe

Loads dropped DLL 18 IoCs

pid	Process
2008	Device Association Framework Provider Host.exe
2008	Device Association Framework Provider Host.exe
2008	Device Association Framework Provider Host.exe
2008	Device Association Framework Provider Host.exe
2008	Device Association Framework Provider Host.exe
2008	Device Association Framework Provider Host.exe
2008	Device Association Framework Provider Host.exe
2008	Device Association Framework Provider Host.exe
2008	Device Association Framework Provider Host.exe
2008	Device Association Framework Provider Host.exe
2008	Device Association Framework Provider Host.exe
2008	Device Association Framework Provider Host.exe
2008	Device Association Framework Provider Host.exe
2008	Device Association Framework Provider Host.exe
2008	Device Association Framework Provider Host.exe
2008	Device Association Framework Provider Host.exe
2008	Device Association Framework Provider Host.exe
2008	Device Association Framework Provider Host.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00060000000231e6-59.dat	upx
behavioral2/files/0x00060000000231e6-60.dat	upx
behavioral2/memory/2008-63-0x00007FFA57FD0000-0x00007FFA58436000-memory.dmp	upx
behavioral2/files/0x00060000000231e8-65.dat	upx
behavioral2/memory/2008-68-0x00007FFA70160000-0x00007FFA70170000-memory.dmp	upx
behavioral2/files/0x00060000000231e4-70.dat	upx
behavioral2/memory/2008-73-0x00007FFA70140000-0x00007FFA7014F000-memory.dmp	upx
behavioral2/memory/2008-75-0x00007FFA6B930000-0x00007FFA6B954000-memory.dmp	upx
behavioral2/memory/2008-76-0x00007FFA6B900000-0x00007FFA6B92C000-memory.dmp	upx
behavioral2/files/0x00060000000231de-74.dat	upx
behavioral2/files/0x00060000000231e4-71.dat	upx
behavioral2/files/0x00060000000231da-77.dat	upx
behavioral2/files/0x00060000000231da-78.dat	upx
behavioral2/memory/2008-79-0x00007FFA6B8E0000-0x00007FFA6B8F8000-memory.dmp	upx
behavioral2/files/0x00060000000231db-69.dat	upx
behavioral2/files/0x00060000000231de-72.dat	upx
behavioral2/files/0x00060000000231db-67.dat	upx
behavioral2/files/0x00060000000231e8-66.dat	upx
behavioral2/files/0x00060000000231e1-80.dat	upx
behavioral2/files/0x00060000000231e1-81.dat	upx
behavioral2/memory/2008-83-0x00007FFA6B690000-0x00007FFA6B6AF000-memory.dmp	upx
behavioral2/files/0x000a0000000230f9-82.dat	upx
behavioral2/files/0x000a0000000230f9-84.dat	upx
behavioral2/memory/2008-85-0x00007FFA57590000-0x00007FFA5770A000-memory.dmp	upx
behavioral2/files/0x00060000000231e0-87.dat	upx
behavioral2/files/0x00060000000231e0-86.dat	upx
behavioral2/memory/2008-89-0x00007FFA56850000-0x00007FFA56869000-memory.dmp	upx
behavioral2/files/0x00020000000227c5-88.dat	upx
behavioral2/files/0x00020000000227c5-90.dat	upx
behavioral2/memory/2008-93-0x00007FFA6AD10000-0x00007FFA6AD1D000-memory.dmp	upx
behavioral2/files/0x00060000000231e2-91.dat	upx
behavioral2/files/0x00060000000231e3-95.dat	upx
behavioral2/files/0x00060000000231e2-94.dat	upx
behavioral2/files/0x00060000000231e5-96.dat	upx
behavioral2/files/0x00060000000231e5-98.dat	upx
behavioral2/memory/2008-97-0x00007FFA56820000-0x00007FFA5684E000-memory.dmp	upx
behavioral2/memory/2008-99-0x00007FFA57FD0000-0x00007FFA58436000-memory.dmp	upx
behavioral2/files/0x00060000000231e3-102.dat	upx
behavioral2/files/0x00060000000231e3-101.dat	upx
behavioral2/memory/2008-100-0x00007FFA56760000-0x00007FFA56818000-memory.dmp	upx
behavioral2/memory/2008-103-0x00007FFA561F0000-0x00007FFA56569000-memory.dmp	upx
behavioral2/files/0x00060000000231dd-105.dat	upx
behavioral2/files/0x00060000000231dd-106.dat	upx
behavioral2/memory/2008-107-0x00007FFA561D0000-0x00007FFA561E5000-memory.dmp	upx
behavioral2/files/0x00060000000231df-109.dat	upx
behavioral2/memory/2008-110-0x00007FFA69B30000-0x00007FFA69B3D000-memory.dmp	upx
behavioral2/files/0x00060000000231d5-111.dat	upx
behavioral2/files/0x00060000000231d5-112.dat	upx
behavioral2/memory/2008-113-0x00007FFA55F70000-0x00007FFA561C2000-memory.dmp	upx
behavioral2/files/0x00060000000231df-108.dat	upx
behavioral2/memory/2008-114-0x00007FFA6B690000-0x00007FFA6B6AF000-memory.dmp	upx
behavioral2/memory/2008-117-0x00007FFA57590000-0x00007FFA5770A000-memory.dmp	upx
behavioral2/memory/2008-129-0x00007FFA56850000-0x00007FFA56869000-memory.dmp	upx
behavioral2/memory/2052-130-0x0000029C3A710000-0x0000029C3A720000-memory.dmp	upx
behavioral2/memory/2008-131-0x00007FFA56820000-0x00007FFA5684E000-memory.dmp	upx
behavioral2/memory/2008-132-0x00007FFA56760000-0x00007FFA56818000-memory.dmp	upx
behavioral2/memory/2008-134-0x00007FFA561F0000-0x00007FFA56569000-memory.dmp	upx
behavioral2/memory/2008-159-0x00007FFA57FD0000-0x00007FFA58436000-memory.dmp	upx
behavioral2/memory/2008-160-0x00007FFA70160000-0x00007FFA70170000-memory.dmp	upx
behavioral2/memory/2008-161-0x00007FFA6B930000-0x00007FFA6B954000-memory.dmp	upx
behavioral2/memory/2008-165-0x00007FFA70140000-0x00007FFA7014F000-memory.dmp	upx
behavioral2/memory/2008-167-0x00007FFA6B900000-0x00007FFA6B92C000-memory.dmp	upx
behavioral2/memory/2008-169-0x00007FFA6B8E0000-0x00007FFA6B8F8000-memory.dmp	upx
behavioral2/memory/2008-170-0x00007FFA6B690000-0x00007FFA6B6AF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Component Package Support Server = "C:\\Users\\Admin\\AppData\\Roaming\\Component Package Support Server.exe"	Component Package Support Server.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	ip-api.com

Detects Pyinstaller 4 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x00060000000231ca-19.dat	pyinstaller
behavioral2/files/0x00060000000231ca-26.dat	pyinstaller
behavioral2/files/0x00060000000231ca-27.dat	pyinstaller
behavioral2/files/0x00060000000231ca-58.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1004	schtasks.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
3820	tasklist.exe

Runs net.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3752	Component Package Support Server.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2052	powershell.exe
2052	powershell.exe
2512	powershell.exe
2512	powershell.exe
2512	powershell.exe
1268	powershell.exe
1268	powershell.exe
1268	powershell.exe
2648	powershell.exe
2648	powershell.exe
3244	powershell.exe
3244	powershell.exe
3752	Component Package Support Server.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeDebugPrivilege	3752	Component Package Support Server.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeIncreaseQuotaPrivilege	3448	WMIC.exe
Token: SeSecurityPrivilege	3448	WMIC.exe
Token: SeTakeOwnershipPrivilege	3448	WMIC.exe
Token: SeLoadDriverPrivilege	3448	WMIC.exe
Token: SeSystemProfilePrivilege	3448	WMIC.exe
Token: SeSystemtimePrivilege	3448	WMIC.exe
Token: SeProfSingleProcessPrivilege	3448	WMIC.exe
Token: SeIncBasePriorityPrivilege	3448	WMIC.exe
Token: SeCreatePagefilePrivilege	3448	WMIC.exe
Token: SeBackupPrivilege	3448	WMIC.exe
Token: SeRestorePrivilege	3448	WMIC.exe
Token: SeShutdownPrivilege	3448	WMIC.exe
Token: SeDebugPrivilege	3448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3448	WMIC.exe
Token: SeRemoteShutdownPrivilege	3448	WMIC.exe
Token: SeUndockPrivilege	3448	WMIC.exe
Token: SeManageVolumePrivilege	3448	WMIC.exe
Token: 33	3448	WMIC.exe
Token: 34	3448	WMIC.exe
Token: 35	3448	WMIC.exe
Token: 36	3448	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3448	WMIC.exe
Token: SeSecurityPrivilege	3448	WMIC.exe
Token: SeTakeOwnershipPrivilege	3448	WMIC.exe
Token: SeLoadDriverPrivilege	3448	WMIC.exe
Token: SeSystemProfilePrivilege	3448	WMIC.exe
Token: SeSystemtimePrivilege	3448	WMIC.exe
Token: SeProfSingleProcessPrivilege	3448	WMIC.exe
Token: SeIncBasePriorityPrivilege	3448	WMIC.exe
Token: SeCreatePagefilePrivilege	3448	WMIC.exe
Token: SeBackupPrivilege	3448	WMIC.exe
Token: SeRestorePrivilege	3448	WMIC.exe
Token: SeShutdownPrivilege	3448	WMIC.exe
Token: SeDebugPrivilege	3448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3448	WMIC.exe
Token: SeRemoteShutdownPrivilege	3448	WMIC.exe
Token: SeUndockPrivilege	3448	WMIC.exe
Token: SeManageVolumePrivilege	3448	WMIC.exe
Token: 33	3448	WMIC.exe
Token: 34	3448	WMIC.exe
Token: 35	3448	WMIC.exe
Token: 36	3448	WMIC.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	3820	tasklist.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	3244	powershell.exe
Token: SeDebugPrivilege	3752	Component Package Support Server.exe
Token: SeDebugPrivilege	3100	Component Package Support Server.exe
Token: SeDebugPrivilege	4124	Component Package Support Server.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3752	Component Package Support Server.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4208 wrote to memory of 3752	4208	SteamSetup.exe	85
PID 4208 wrote to memory of 3752	4208	SteamSetup.exe	85
PID 4208 wrote to memory of 4264	4208	SteamSetup.exe	87
PID 4208 wrote to memory of 4264	4208	SteamSetup.exe	87
PID 4264 wrote to memory of 2008	4264	Device Association Framework Provider Host.exe	89
PID 4264 wrote to memory of 2008	4264	Device Association Framework Provider Host.exe	89
PID 3752 wrote to memory of 2052	3752	Component Package Support Server.exe	91
PID 3752 wrote to memory of 2052	3752	Component Package Support Server.exe	91
PID 2008 wrote to memory of 4916	2008	Device Association Framework Provider Host.exe	93
PID 2008 wrote to memory of 4916	2008	Device Association Framework Provider Host.exe	93
PID 4916 wrote to memory of 4596	4916	cmd.exe	96
PID 4916 wrote to memory of 4596	4916	cmd.exe	96
PID 4596 wrote to memory of 2092	4596	net.exe	116
PID 4596 wrote to memory of 2092	4596	net.exe	116
PID 2008 wrote to memory of 2936	2008	Device Association Framework Provider Host.exe	100
PID 2008 wrote to memory of 2936	2008	Device Association Framework Provider Host.exe	100
PID 2008 wrote to memory of 1860	2008	Device Association Framework Provider Host.exe	99
PID 2008 wrote to memory of 1860	2008	Device Association Framework Provider Host.exe	99
PID 2008 wrote to memory of 3296	2008	Device Association Framework Provider Host.exe	101
PID 2008 wrote to memory of 3296	2008	Device Association Framework Provider Host.exe	101
PID 2008 wrote to memory of 3420	2008	Device Association Framework Provider Host.exe	104
PID 2008 wrote to memory of 3420	2008	Device Association Framework Provider Host.exe	104
PID 3296 wrote to memory of 3448	3296	cmd.exe	106
PID 3296 wrote to memory of 3448	3296	cmd.exe	106
PID 2936 wrote to memory of 2512	2936	cmd.exe	107
PID 2936 wrote to memory of 2512	2936	cmd.exe	107
PID 3420 wrote to memory of 3820	3420	cmd.exe	108
PID 3420 wrote to memory of 3820	3420	cmd.exe	108
PID 1860 wrote to memory of 1268	1860	cmd.exe	109
PID 1860 wrote to memory of 1268	1860	cmd.exe	109
PID 3752 wrote to memory of 2648	3752	Component Package Support Server.exe	112
PID 3752 wrote to memory of 2648	3752	Component Package Support Server.exe	112
PID 3752 wrote to memory of 3244	3752	Component Package Support Server.exe	113
PID 3752 wrote to memory of 3244	3752	Component Package Support Server.exe	113
PID 3752 wrote to memory of 1004	3752	Component Package Support Server.exe	117
PID 3752 wrote to memory of 1004	3752	Component Package Support Server.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe
"C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Users\Admin\AppData\Roaming\Component Package Support Server.exe
  "C:\Users\Admin\AppData\Roaming\Component Package Support Server.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Component Package Support Server.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2052
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Component Package Support Server.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2648
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Component Package Support Server.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3244
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Component Package Support Server" /tr "C:\Users\Admin\AppData\Roaming\Component Package Support Server.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1004
- C:\Users\Admin\AppData\Roaming\Device Association Framework Provider Host.exe
  "C:\Users\Admin\AppData\Roaming\Device Association Framework Provider Host.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Users\Admin\AppData\Roaming\Device Association Framework Provider Host.exe
    "C:\Users\Admin\AppData\Roaming\Device Association Framework Provider Host.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "net session"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4916
    - - C:\Windows\system32\net.exe
        
        net session
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4596
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        6⤵
        
        PID:2092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Device Association Framework Provider Host.exe'"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Device Association Framework Provider Host.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3296
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3420
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3820

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2092

C:\Users\Admin\AppData\Roaming\Component Package Support Server.exe
"C:\Users\Admin\AppData\Roaming\Component Package Support Server.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3100

C:\Users\Admin\AppData\Roaming\Component Package Support Server.exe
"C:\Users\Admin\AppData\Roaming\Component Package Support Server.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Component Package Support Server.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42642\PIL\_imaging.cp310-win_amd64.pyd

Filesize
732KB

MD5
7304c68180326bf95d6cb10c120576eb

SHA1
e763d1000433655db65b18af11f07ef48877dc6e

SHA256
1adb71ef5700a9e182210c1e46b3ebb3e691a2a7338473ee644d4bf7b67329aa

SHA512
684c18029cf7595da58ddbd4a866bf08fb28ddf9707de9c80d84a5eac4c169a85ad6fe576ccc444e205dd4352d61a4ce3613cee47d29d75962db4711fd6b03d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42642\PIL\_imaging.cp310-win_amd64.pyd

Filesize
732KB

MD5
7304c68180326bf95d6cb10c120576eb

SHA1
e763d1000433655db65b18af11f07ef48877dc6e

SHA256
1adb71ef5700a9e182210c1e46b3ebb3e691a2a7338473ee644d4bf7b67329aa

SHA512
684c18029cf7595da58ddbd4a866bf08fb28ddf9707de9c80d84a5eac4c169a85ad6fe576ccc444e205dd4352d61a4ce3613cee47d29d75962db4711fd6b03d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42642\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42642\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42642\_bz2.pyd

Filesize
47KB

MD5
660b720f9ea9b2147950907b668bddb3

SHA1
7787536d537c37fbf34212e762bcadfd68518325

SHA256
e48ea048863dfad2f49516aa18f4849c4884dade662f186481b7079f05175a41

SHA512
6512f3488f1acab7bcc24f4619c8b9020b5daf9d773d25a879451530b346cde6de02ac760aa911411141f4974c42987975f3e2e3c19d8b40648e0d3a27d01d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42642\_bz2.pyd

Filesize
47KB

MD5
660b720f9ea9b2147950907b668bddb3

SHA1
7787536d537c37fbf34212e762bcadfd68518325

SHA256
e48ea048863dfad2f49516aa18f4849c4884dade662f186481b7079f05175a41

SHA512
6512f3488f1acab7bcc24f4619c8b9020b5daf9d773d25a879451530b346cde6de02ac760aa911411141f4974c42987975f3e2e3c19d8b40648e0d3a27d01d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42642\_ctypes.pyd

Filesize
58KB

MD5
6264fbf113dc0944e28e978515c6fb5a

SHA1
dfa96a8fef6a62da78077a796ca4a6a88b4d58e6

SHA256
5d0f7be141b8c262630e6bf1bb28a1aed249d999269c4a69921fb8d0074745fa

SHA512
8bc5d21b137680335c240f86464a3d5630b81a272ba3669f5a1c5e9426fa2b1c71f557848ef7d6e7b423e37c8037a14b69e388f09c980f4001ba0fcc0320e76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42642\_ctypes.pyd

Filesize
58KB

MD5
6264fbf113dc0944e28e978515c6fb5a

SHA1
dfa96a8fef6a62da78077a796ca4a6a88b4d58e6

SHA256
5d0f7be141b8c262630e6bf1bb28a1aed249d999269c4a69921fb8d0074745fa

SHA512
8bc5d21b137680335c240f86464a3d5630b81a272ba3669f5a1c5e9426fa2b1c71f557848ef7d6e7b423e37c8037a14b69e388f09c980f4001ba0fcc0320e76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42642\_hashlib.pyd

Filesize
35KB

MD5
5cd9dd4168f69b0ff563a07867ac43c5

SHA1
3d64b3545edae1f3a2793e5fbe16f8608817a441

SHA256
70fe90dbddec27f62ffd79f16ec7cade3c2e4f5df0314b1eebd3b97d47cd0aee

SHA512
68a189084eab6d8f6f71230b1623bdf94a69ed53bd27072a1698d5ccd2f42b2b42d70d561997596ff62f07ff1656aec437cc6153892ca149b919505b5e6c7a9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42642\_hashlib.pyd

Filesize
35KB

MD5
5cd9dd4168f69b0ff563a07867ac43c5

SHA1
3d64b3545edae1f3a2793e5fbe16f8608817a441

SHA256
70fe90dbddec27f62ffd79f16ec7cade3c2e4f5df0314b1eebd3b97d47cd0aee

SHA512
68a189084eab6d8f6f71230b1623bdf94a69ed53bd27072a1698d5ccd2f42b2b42d70d561997596ff62f07ff1656aec437cc6153892ca149b919505b5e6c7a9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42642\_lzma.pyd

Filesize
85KB

MD5
3d4ab85496d3f61725b29dfa5d703808

SHA1
8ed99cd413ea318bab7c6817401113159ed1e2cd

SHA256
0fef85d84e9879fef79905974d8d0cdd6d31761291bf3fa11af11a8522b8c75c

SHA512
d166d209a665e084424ea7fd59eba5280174e3d9aaca1f5002b16c1d658a40e2f1045dcba30028656b772f6dd30d7cb94f4dcb2d1f70198f2b2273988e1921b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42642\_lzma.pyd

Filesize
85KB

MD5
3d4ab85496d3f61725b29dfa5d703808

SHA1
8ed99cd413ea318bab7c6817401113159ed1e2cd

SHA256
0fef85d84e9879fef79905974d8d0cdd6d31761291bf3fa11af11a8522b8c75c

SHA512
d166d209a665e084424ea7fd59eba5280174e3d9aaca1f5002b16c1d658a40e2f1045dcba30028656b772f6dd30d7cb94f4dcb2d1f70198f2b2273988e1921b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42642\_queue.pyd

Filesize
25KB

MD5
81d6067dce120e985b6c4d872ac3c76c

SHA1
7e06dc78dd39f6499d453e3401be7ed2f6593408

SHA256
3d4dd6f362bb9d5c7a683c19b91ce6d1852047f18fb9edef7140f2dd3656becf

SHA512
f1d6d02941b95c06c4a1b69bbff7c6aff1b8b4915875b6b2ca765cc82bdfdc24ae520dfb545d48fd83fe275c1933d68754089e45a3948b74503374eb37a8f7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42642\_queue.pyd

Filesize
25KB

MD5
81d6067dce120e985b6c4d872ac3c76c

SHA1
7e06dc78dd39f6499d453e3401be7ed2f6593408

SHA256
3d4dd6f362bb9d5c7a683c19b91ce6d1852047f18fb9edef7140f2dd3656becf

SHA512
f1d6d02941b95c06c4a1b69bbff7c6aff1b8b4915875b6b2ca765cc82bdfdc24ae520dfb545d48fd83fe275c1933d68754089e45a3948b74503374eb37a8f7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42642\_socket.pyd

Filesize
42KB

MD5
33f0dfe2f225d5761a24614193513f8d

SHA1
350c13412868dd92113f432d59f26a5cd12e3783

SHA256
3fed876ff957ad002e5e59dc78647c359ae30992516e93034c7deec9c1d5dfde

SHA512
40ca1d9fdd430d4f13fc72d10323cb4fddd2084e02c9a3dbfe7c56e70c9c1c55e0e3dc096bd2019b0ecc43af24dde92dbcab755220447b206dd37bbfeb59aa73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42642\_socket.pyd

Filesize
42KB

MD5
33f0dfe2f225d5761a24614193513f8d

SHA1
350c13412868dd92113f432d59f26a5cd12e3783

SHA256
3fed876ff957ad002e5e59dc78647c359ae30992516e93034c7deec9c1d5dfde

SHA512
40ca1d9fdd430d4f13fc72d10323cb4fddd2084e02c9a3dbfe7c56e70c9c1c55e0e3dc096bd2019b0ecc43af24dde92dbcab755220447b206dd37bbfeb59aa73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42642\_sqlite3.pyd

Filesize
50KB

MD5
c9cadcd90c60869e5699d723e359d56c

SHA1
977bfe5a716f5bc4eb51aefce54dc94d97278cd0

SHA256
67f1000c249d4647c7aa6544e0800bc680ccad127aa5bcca1a23d516d6951fdd

SHA512
61b85c0c2c41312ae6511a943d09ee9353b97fb6cbde822da06ade2df19e4d8408c0e5f5055d58308dea95869be192ab5496e99b2bc0180345e976896145c306

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42642\_sqlite3.pyd

Filesize
50KB

MD5
c9cadcd90c60869e5699d723e359d56c

SHA1
977bfe5a716f5bc4eb51aefce54dc94d97278cd0

SHA256
67f1000c249d4647c7aa6544e0800bc680ccad127aa5bcca1a23d516d6951fdd

SHA512
61b85c0c2c41312ae6511a943d09ee9353b97fb6cbde822da06ade2df19e4d8408c0e5f5055d58308dea95869be192ab5496e99b2bc0180345e976896145c306

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42642\_ssl.pyd

Filesize
62KB

MD5
89ccc9f56c53222af808f5f06dcc80be

SHA1
a5cc7d96dc7d14f8cf1025e4f4cd2397a652b354

SHA256
5ca77a0c7ffb62ad4453b71d64d4a8e061b33d07955782c802a3169caa639286

SHA512
cf7042fc296bc7c92f453532ab675752d0c6f319aace1b882c3c630ff65534ede0e486627cd291b309350fdb7e21be72e9aea9804f1eaa542e26f5dcd3f12883

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42642\_ssl.pyd

Filesize
62KB

MD5
89ccc9f56c53222af808f5f06dcc80be

SHA1
a5cc7d96dc7d14f8cf1025e4f4cd2397a652b354

SHA256
5ca77a0c7ffb62ad4453b71d64d4a8e061b33d07955782c802a3169caa639286

SHA512
cf7042fc296bc7c92f453532ab675752d0c6f319aace1b882c3c630ff65534ede0e486627cd291b309350fdb7e21be72e9aea9804f1eaa542e26f5dcd3f12883

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42642\base_library.zip

Filesize
1.0MB

MD5
100e16351670f070d871a7ab68de32d3

SHA1
6e8e15c99c0941c614da4382c3c87c0047bd0717

SHA256
e0968929c7bd086856f959fe4044eff9f40b21f3947da7bc2d58e5004ddb703a

SHA512
8d583c64c7230cdb7f2e55519282a8f5af55b33b2a975e1b182a256c6db529d99992fe6e09042ef8f4f7300ed2239cbb7a27af78630716e9e4a56d8a19360898

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42642\libcrypto-1_1.dll

Filesize
1.1MB

MD5
4edb3f0d95b2717a094aa0156cf5fe18

SHA1
46b7395c57e228411c3a29cfd5267a62581b214f

SHA256
bc4359c134cc7bca1de4c8365cbcec6236d75c1b572ef97c4b59e2387144e83a

SHA512
66b159d5ac54b604c452273ea76cc2cb1e2e0dfb71f18768010d6d86643ea3cf7d4cfbf5a2e5c3ff67d5773cf9ea7467e001b5e85aa9c92f0efa77abe0aa1d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42642\libcrypto-1_1.dll

Filesize
1.1MB

MD5
4edb3f0d95b2717a094aa0156cf5fe18

SHA1
46b7395c57e228411c3a29cfd5267a62581b214f

SHA256
bc4359c134cc7bca1de4c8365cbcec6236d75c1b572ef97c4b59e2387144e83a

SHA512
66b159d5ac54b604c452273ea76cc2cb1e2e0dfb71f18768010d6d86643ea3cf7d4cfbf5a2e5c3ff67d5773cf9ea7467e001b5e85aa9c92f0efa77abe0aa1d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42642\libcrypto-1_1.dll

Filesize
1.1MB

MD5
4edb3f0d95b2717a094aa0156cf5fe18

SHA1
46b7395c57e228411c3a29cfd5267a62581b214f

SHA256
bc4359c134cc7bca1de4c8365cbcec6236d75c1b572ef97c4b59e2387144e83a

SHA512
66b159d5ac54b604c452273ea76cc2cb1e2e0dfb71f18768010d6d86643ea3cf7d4cfbf5a2e5c3ff67d5773cf9ea7467e001b5e85aa9c92f0efa77abe0aa1d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42642\libffi-7.dll

Filesize
23KB

MD5
ce7d4f152de90a24b0069e3c95fa2b58

SHA1
98e921d9dd396b86ae785d9f8d66f1dc612111c2

SHA256
85ac46f9d1fd15ab12f961e51ba281bff8c0141fa122bfa21a66e13dd4f943e7

SHA512
7b0a1bd9fb5666fe5388cabcef11e2e4038bbdb62bdca46f6e618555c90eb2e466cb5becd7773f1136ee929f10f74c35357b65b038f51967de5c2b62f7045b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42642\libffi-7.dll

Filesize
23KB

MD5
ce7d4f152de90a24b0069e3c95fa2b58

SHA1
98e921d9dd396b86ae785d9f8d66f1dc612111c2

SHA256
85ac46f9d1fd15ab12f961e51ba281bff8c0141fa122bfa21a66e13dd4f943e7

SHA512
7b0a1bd9fb5666fe5388cabcef11e2e4038bbdb62bdca46f6e618555c90eb2e466cb5becd7773f1136ee929f10f74c35357b65b038f51967de5c2b62f7045b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42642\libssl-1_1.dll

Filesize
204KB

MD5
fe32b4e972e3cb418a397461ae3a646c

SHA1
bc28e4538f920d7601455a5171e43eb2820be41a

SHA256
65f20fca13e614bbcedf1445fe521b5f9a3fbc2895e0b28dde73d5d33406a38b

SHA512
36e35f440e7e6a7737d7c55266639709580167c38661fad6017b94deb339d67bec469edd6d29b61d1a3d56138685df76b73713c75b192df690d8108e5caa0dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42642\libssl-1_1.dll

Filesize
204KB

MD5
fe32b4e972e3cb418a397461ae3a646c

SHA1
bc28e4538f920d7601455a5171e43eb2820be41a

SHA256
65f20fca13e614bbcedf1445fe521b5f9a3fbc2895e0b28dde73d5d33406a38b

SHA512
36e35f440e7e6a7737d7c55266639709580167c38661fad6017b94deb339d67bec469edd6d29b61d1a3d56138685df76b73713c75b192df690d8108e5caa0dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42642\python310.dll

Filesize
1.4MB

MD5
72c65de0cc88d6a26d5a7040aaf1fb60

SHA1
68dae332ade43106c72e68a497b6b7df6b314425

SHA256
769f20bcec63eb6567cca095ea59ffcda2c87e2b8600503f0e4f976dfb8da2bb

SHA512
5f658e0bee185613a37f946069ac6723fff93e542a4eb6e3435766c58d09d82894b85502f1686ffc9318bdf4b3a858490866ca56b90238c8c903e794c3a4e3fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42642\python310.dll

Filesize
1.4MB

MD5
72c65de0cc88d6a26d5a7040aaf1fb60

SHA1
68dae332ade43106c72e68a497b6b7df6b314425

SHA256
769f20bcec63eb6567cca095ea59ffcda2c87e2b8600503f0e4f976dfb8da2bb

SHA512
5f658e0bee185613a37f946069ac6723fff93e542a4eb6e3435766c58d09d82894b85502f1686ffc9318bdf4b3a858490866ca56b90238c8c903e794c3a4e3fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42642\select.pyd

Filesize
25KB

MD5
2a2d0cb066ca5596da717819d3cad5ab

SHA1
982de2ade1f8bba9023f6f37578f2440eb0cb7e4

SHA256
8ac8488edb0ca6952a9f800b1430f03f26a53213b9bd04739e9a9c0160dcf598

SHA512
67c778c4f1e752ab02aa03f0fcf043a2367701b80a67f4a8e43f968eb48933e145dd3bae31bd2ddd1f1737d6a35e7a269d061871e8fc79b676bc8bb838dbd90c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42642\select.pyd

Filesize
25KB

MD5
2a2d0cb066ca5596da717819d3cad5ab

SHA1
982de2ade1f8bba9023f6f37578f2440eb0cb7e4

SHA256
8ac8488edb0ca6952a9f800b1430f03f26a53213b9bd04739e9a9c0160dcf598

SHA512
67c778c4f1e752ab02aa03f0fcf043a2367701b80a67f4a8e43f968eb48933e145dd3bae31bd2ddd1f1737d6a35e7a269d061871e8fc79b676bc8bb838dbd90c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42642\sqlite3.dll

Filesize
622KB

MD5
fe31dc56b349f01c58791bb56729c716

SHA1
4634bb966b3ff08a10c5f79dc5a79e9ba7b54ecf

SHA256
69bda2dc2f9cc767171ab1003e3b44cf0ac0b2bd7bb54d52a5c31e2140a3d3b5

SHA512
41598becf7e3f0106092fe72b45cf05fae3585e3511535dd1d8139d37a62d0c4119dd1b0c60d8b130975ce870c9e6c20b38c7fc491cf8c1d3204e8bd58f2320d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42642\sqlite3.dll

Filesize
622KB

MD5
fe31dc56b349f01c58791bb56729c716

SHA1
4634bb966b3ff08a10c5f79dc5a79e9ba7b54ecf

SHA256
69bda2dc2f9cc767171ab1003e3b44cf0ac0b2bd7bb54d52a5c31e2140a3d3b5

SHA512
41598becf7e3f0106092fe72b45cf05fae3585e3511535dd1d8139d37a62d0c4119dd1b0c60d8b130975ce870c9e6c20b38c7fc491cf8c1d3204e8bd58f2320d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42642\tinyaes.cp310-win_amd64.pyd

Filesize
18KB

MD5
b206d8c6b5ede0cdc7f7e4c23d43c132

SHA1
51d80b85f5deffcdb13aebfa4dc724be590ff10e

SHA256
cb11c8dc10461d3ff7341471507d83f9c2c2abc51d93678c08787e7f80e32eb2

SHA512
c0da9ec022b3cdadd713a05aefffc66f7ec5af847149fce309bc04b8fb37919e2ab1b658eb05e3fd1dbe2f7f18baf5329f421d03b3be984a7dee439e21b2e5bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42642\tinyaes.cp310-win_amd64.pyd

Filesize
18KB

MD5
b206d8c6b5ede0cdc7f7e4c23d43c132

SHA1
51d80b85f5deffcdb13aebfa4dc724be590ff10e

SHA256
cb11c8dc10461d3ff7341471507d83f9c2c2abc51d93678c08787e7f80e32eb2

SHA512
c0da9ec022b3cdadd713a05aefffc66f7ec5af847149fce309bc04b8fb37919e2ab1b658eb05e3fd1dbe2f7f18baf5329f421d03b3be984a7dee439e21b2e5bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_21crjpex.sya.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Component Package Support Server.exe

Filesize
87KB

MD5
a1e0941d04238798f48f5b56fd1ae667

SHA1
02c173d45fbd19e801fc7a42aa8b5f90f5bb79be

SHA256
c617d9a1190ef85e9d6c99f94d8f8a861c632d41ebdad7512b182122e493a8c2

SHA512
1907d2bf17aa321ef20f1b1651125849499fdd885cb0f9f226f2a3897e56bb626af18d5dd3d1ec6856cdbff234336a3be8c9f16450feb2dabe6172f312e322a4

Download Submit
C:\Users\Admin\AppData\Roaming\Component Package Support Server.exe

Filesize
87KB

MD5
a1e0941d04238798f48f5b56fd1ae667

SHA1
02c173d45fbd19e801fc7a42aa8b5f90f5bb79be

SHA256
c617d9a1190ef85e9d6c99f94d8f8a861c632d41ebdad7512b182122e493a8c2

SHA512
1907d2bf17aa321ef20f1b1651125849499fdd885cb0f9f226f2a3897e56bb626af18d5dd3d1ec6856cdbff234336a3be8c9f16450feb2dabe6172f312e322a4

Download Submit
C:\Users\Admin\AppData\Roaming\Component Package Support Server.exe

Filesize
87KB

MD5
a1e0941d04238798f48f5b56fd1ae667

SHA1
02c173d45fbd19e801fc7a42aa8b5f90f5bb79be

SHA256
c617d9a1190ef85e9d6c99f94d8f8a861c632d41ebdad7512b182122e493a8c2

SHA512
1907d2bf17aa321ef20f1b1651125849499fdd885cb0f9f226f2a3897e56bb626af18d5dd3d1ec6856cdbff234336a3be8c9f16450feb2dabe6172f312e322a4

Download Submit
C:\Users\Admin\AppData\Roaming\Component Package Support Server.exe

Filesize
87KB

MD5
a1e0941d04238798f48f5b56fd1ae667

SHA1
02c173d45fbd19e801fc7a42aa8b5f90f5bb79be

SHA256
c617d9a1190ef85e9d6c99f94d8f8a861c632d41ebdad7512b182122e493a8c2

SHA512
1907d2bf17aa321ef20f1b1651125849499fdd885cb0f9f226f2a3897e56bb626af18d5dd3d1ec6856cdbff234336a3be8c9f16450feb2dabe6172f312e322a4

Download Submit
C:\Users\Admin\AppData\Roaming\Component Package Support Server.exe

Filesize
87KB

MD5
a1e0941d04238798f48f5b56fd1ae667

SHA1
02c173d45fbd19e801fc7a42aa8b5f90f5bb79be

SHA256
c617d9a1190ef85e9d6c99f94d8f8a861c632d41ebdad7512b182122e493a8c2

SHA512
1907d2bf17aa321ef20f1b1651125849499fdd885cb0f9f226f2a3897e56bb626af18d5dd3d1ec6856cdbff234336a3be8c9f16450feb2dabe6172f312e322a4

Download Submit
C:\Users\Admin\AppData\Roaming\Device Association Framework Provider Host.exe

Filesize
7.3MB

MD5
3f1493a321ca8e05eeb53aa2f6a4e7b4

SHA1
a2dfa5f0b1cc6284c84ad1c5ce0f7cc76bf8baad

SHA256
73a141d8728b542b763302ed9df9cbdf0c95da47eca71d93b2a013daa1b2317c

SHA512
252179058d49a7141f5ed7896aee928659f89447847dad5307b750b5ee62ddd4cca3c5cb9df39015f19bc5b64dfd78eff7881dc4ad4516dca2c16bf982bdf6cd

Download Submit
C:\Users\Admin\AppData\Roaming\Device Association Framework Provider Host.exe

Filesize
7.3MB

MD5
3f1493a321ca8e05eeb53aa2f6a4e7b4

SHA1
a2dfa5f0b1cc6284c84ad1c5ce0f7cc76bf8baad

SHA256
73a141d8728b542b763302ed9df9cbdf0c95da47eca71d93b2a013daa1b2317c

SHA512
252179058d49a7141f5ed7896aee928659f89447847dad5307b750b5ee62ddd4cca3c5cb9df39015f19bc5b64dfd78eff7881dc4ad4516dca2c16bf982bdf6cd

Download Submit
C:\Users\Admin\AppData\Roaming\Device Association Framework Provider Host.exe

Filesize
7.3MB

MD5
3f1493a321ca8e05eeb53aa2f6a4e7b4

SHA1
a2dfa5f0b1cc6284c84ad1c5ce0f7cc76bf8baad

SHA256
73a141d8728b542b763302ed9df9cbdf0c95da47eca71d93b2a013daa1b2317c

SHA512
252179058d49a7141f5ed7896aee928659f89447847dad5307b750b5ee62ddd4cca3c5cb9df39015f19bc5b64dfd78eff7881dc4ad4516dca2c16bf982bdf6cd

Download Submit
C:\Users\Admin\AppData\Roaming\Device Association Framework Provider Host.exe

Filesize
7.3MB

MD5
3f1493a321ca8e05eeb53aa2f6a4e7b4

SHA1
a2dfa5f0b1cc6284c84ad1c5ce0f7cc76bf8baad

SHA256
73a141d8728b542b763302ed9df9cbdf0c95da47eca71d93b2a013daa1b2317c

SHA512
252179058d49a7141f5ed7896aee928659f89447847dad5307b750b5ee62ddd4cca3c5cb9df39015f19bc5b64dfd78eff7881dc4ad4516dca2c16bf982bdf6cd

Download Submit
memory/1268-199-0x00007FFA5BCF0000-0x00007FFA5C7B1000-memory.dmp

Filesize
10.8MB

Download
memory/1268-150-0x000002BDCA450000-0x000002BDCA460000-memory.dmp

Filesize
64KB

Download
memory/1268-147-0x00007FFA5BCF0000-0x00007FFA5C7B1000-memory.dmp

Filesize
10.8MB

Download
memory/1268-181-0x000002BDCA450000-0x000002BDCA460000-memory.dmp

Filesize
64KB

Download
memory/1268-149-0x000002BDCA450000-0x000002BDCA460000-memory.dmp

Filesize
64KB

Download
memory/1268-168-0x000002BDCA450000-0x000002BDCA460000-memory.dmp

Filesize
64KB

Download
memory/2008-171-0x00007FFA57590000-0x00007FFA5770A000-memory.dmp

Filesize
1.5MB

Download
memory/2008-167-0x00007FFA6B900000-0x00007FFA6B92C000-memory.dmp

Filesize
176KB

Download
memory/2008-103-0x00007FFA561F0000-0x00007FFA56569000-memory.dmp

Filesize
3.5MB

Download
memory/2008-107-0x00007FFA561D0000-0x00007FFA561E5000-memory.dmp

Filesize
84KB

Download
memory/2008-104-0x000001767BAA0000-0x000001767BE19000-memory.dmp

Filesize
3.5MB

Download
memory/2008-100-0x00007FFA56760000-0x00007FFA56818000-memory.dmp

Filesize
736KB

Download
memory/2008-110-0x00007FFA69B30000-0x00007FFA69B3D000-memory.dmp

Filesize
52KB

Download
memory/2008-99-0x00007FFA57FD0000-0x00007FFA58436000-memory.dmp

Filesize
4.4MB

Download
memory/2008-97-0x00007FFA56820000-0x00007FFA5684E000-memory.dmp

Filesize
184KB

Download
memory/2008-113-0x00007FFA55F70000-0x00007FFA561C2000-memory.dmp

Filesize
2.3MB

Download
memory/2008-93-0x00007FFA6AD10000-0x00007FFA6AD1D000-memory.dmp

Filesize
52KB

Download
memory/2008-114-0x00007FFA6B690000-0x00007FFA6B6AF000-memory.dmp

Filesize
124KB

Download
memory/2008-68-0x00007FFA70160000-0x00007FFA70170000-memory.dmp

Filesize
64KB

Download
memory/2008-117-0x00007FFA57590000-0x00007FFA5770A000-memory.dmp

Filesize
1.5MB

Download
memory/2008-73-0x00007FFA70140000-0x00007FFA7014F000-memory.dmp

Filesize
60KB

Download
memory/2008-75-0x00007FFA6B930000-0x00007FFA6B954000-memory.dmp

Filesize
144KB

Download
memory/2008-76-0x00007FFA6B900000-0x00007FFA6B92C000-memory.dmp

Filesize
176KB

Download
memory/2008-79-0x00007FFA6B8E0000-0x00007FFA6B8F8000-memory.dmp

Filesize
96KB

Download
memory/2008-129-0x00007FFA56850000-0x00007FFA56869000-memory.dmp

Filesize
100KB

Download
memory/2008-180-0x00007FFA55F70000-0x00007FFA561C2000-memory.dmp

Filesize
2.3MB

Download
memory/2008-131-0x00007FFA56820000-0x00007FFA5684E000-memory.dmp

Filesize
184KB

Download
memory/2008-132-0x00007FFA56760000-0x00007FFA56818000-memory.dmp

Filesize
736KB

Download
memory/2008-178-0x00007FFA69B30000-0x00007FFA69B3D000-memory.dmp

Filesize
52KB

Download
memory/2008-134-0x00007FFA561F0000-0x00007FFA56569000-memory.dmp

Filesize
3.5MB

Download
memory/2008-177-0x00007FFA561D0000-0x00007FFA561E5000-memory.dmp

Filesize
84KB

Download
memory/2008-137-0x000001767BAA0000-0x000001767BE19000-memory.dmp

Filesize
3.5MB

Download
memory/2008-174-0x00007FFA56820000-0x00007FFA5684E000-memory.dmp

Filesize
184KB

Download
memory/2008-89-0x00007FFA56850000-0x00007FFA56869000-memory.dmp

Filesize
100KB

Download
memory/2008-85-0x00007FFA57590000-0x00007FFA5770A000-memory.dmp

Filesize
1.5MB

Download
memory/2008-176-0x00007FFA561F0000-0x00007FFA56569000-memory.dmp

Filesize
3.5MB

Download
memory/2008-83-0x00007FFA6B690000-0x00007FFA6B6AF000-memory.dmp

Filesize
124KB

Download
memory/2008-175-0x00007FFA56760000-0x00007FFA56818000-memory.dmp

Filesize
736KB

Download
memory/2008-173-0x00007FFA6AD10000-0x00007FFA6AD1D000-memory.dmp

Filesize
52KB

Download
memory/2008-159-0x00007FFA57FD0000-0x00007FFA58436000-memory.dmp

Filesize
4.4MB

Download
memory/2008-160-0x00007FFA70160000-0x00007FFA70170000-memory.dmp

Filesize
64KB

Download
memory/2008-161-0x00007FFA6B930000-0x00007FFA6B954000-memory.dmp

Filesize
144KB

Download
memory/2008-165-0x00007FFA70140000-0x00007FFA7014F000-memory.dmp

Filesize
60KB

Download
memory/2008-63-0x00007FFA57FD0000-0x00007FFA58436000-memory.dmp

Filesize
4.4MB

Download
memory/2008-172-0x00007FFA56850000-0x00007FFA56869000-memory.dmp

Filesize
100KB

Download
memory/2008-169-0x00007FFA6B8E0000-0x00007FFA6B8F8000-memory.dmp

Filesize
96KB

Download
memory/2008-170-0x00007FFA6B690000-0x00007FFA6B6AF000-memory.dmp

Filesize
124KB

Download
memory/2008-166-0x00007FFA55F70000-0x00007FFA561C2000-memory.dmp

Filesize
2.3MB

Download
memory/2052-183-0x0000029C3A710000-0x0000029C3A720000-memory.dmp

Filesize
64KB

Download
memory/2052-116-0x0000029C3A710000-0x0000029C3A720000-memory.dmp

Filesize
64KB

Download
memory/2052-152-0x00007FFA5BCF0000-0x00007FFA5C7B1000-memory.dmp

Filesize
10.8MB

Download
memory/2052-118-0x0000029C3A710000-0x0000029C3A720000-memory.dmp

Filesize
64KB

Download
memory/2052-148-0x0000029C3A710000-0x0000029C3A720000-memory.dmp

Filesize
64KB

Download
memory/2052-115-0x00007FFA5BCF0000-0x00007FFA5C7B1000-memory.dmp

Filesize
10.8MB

Download
memory/2052-200-0x00007FFA5BCF0000-0x00007FFA5C7B1000-memory.dmp

Filesize
10.8MB

Download
memory/2052-124-0x0000029C3A6B0000-0x0000029C3A6D2000-memory.dmp

Filesize
136KB

Download
memory/2052-182-0x0000029C3A710000-0x0000029C3A720000-memory.dmp

Filesize
64KB

Download
memory/2052-130-0x0000029C3A710000-0x0000029C3A720000-memory.dmp

Filesize
64KB

Download
memory/2512-179-0x00000233A1C70000-0x00000233A1C80000-memory.dmp

Filesize
64KB

Download
memory/2512-136-0x00000233A1C70000-0x00000233A1C80000-memory.dmp

Filesize
64KB

Download
memory/2512-151-0x00000233A1C70000-0x00000233A1C80000-memory.dmp

Filesize
64KB

Download
memory/2512-201-0x00007FFA5BCF0000-0x00007FFA5C7B1000-memory.dmp

Filesize
10.8MB

Download
memory/2512-135-0x00000233A1C70000-0x00000233A1C80000-memory.dmp

Filesize
64KB

Download
memory/2512-133-0x00007FFA5BCF0000-0x00007FFA5C7B1000-memory.dmp

Filesize
10.8MB

Download
memory/2648-203-0x000002029DA30000-0x000002029DA40000-memory.dmp

Filesize
64KB

Download
memory/2648-216-0x00007FFA5BCF0000-0x00007FFA5C7B1000-memory.dmp

Filesize
10.8MB

Download
memory/2648-214-0x000002029DA30000-0x000002029DA40000-memory.dmp

Filesize
64KB

Download
memory/2648-202-0x00007FFA5BCF0000-0x00007FFA5C7B1000-memory.dmp

Filesize
10.8MB

Download
memory/3244-217-0x00007FFA5BCF0000-0x00007FFA5C7B1000-memory.dmp

Filesize
10.8MB

Download
memory/3244-218-0x0000027221900000-0x0000027221910000-memory.dmp

Filesize
64KB

Download
memory/3244-229-0x0000027221900000-0x0000027221910000-memory.dmp

Filesize
64KB

Download
memory/3244-230-0x0000027221900000-0x0000027221910000-memory.dmp

Filesize
64KB

Download
memory/3752-92-0x000000001B9A0000-0x000000001B9B0000-memory.dmp

Filesize
64KB

Download
memory/3752-14-0x00007FFA5BCF0000-0x00007FFA5C7B1000-memory.dmp

Filesize
10.8MB

Download
memory/3752-13-0x0000000000AF0000-0x0000000000B0A000-memory.dmp

Filesize
104KB

Download
memory/3752-57-0x000000001B9A0000-0x000000001B9B0000-memory.dmp

Filesize
64KB

Download
memory/3752-41-0x00007FFA5BCF0000-0x00007FFA5C7B1000-memory.dmp

Filesize
10.8MB

Download
memory/4208-0-0x0000000000730000-0x0000000000ED4000-memory.dmp

Filesize
7.6MB

Download
memory/4208-38-0x00007FFA5BCF0000-0x00007FFA5C7B1000-memory.dmp

Filesize
10.8MB

Download
memory/4208-3-0x00007FFA5BCF0000-0x00007FFA5C7B1000-memory.dmp

Filesize
10.8MB

Download